Serives: Use sops for service secrets (heidi, kopia)

system/services/kopia.nix

@@ -14,7 +14,7 @@
 
       # DockerHub Credentials
       username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
     };
 
     dependsOn = [];
@@ -65,9 +65,17 @@
     environment = {
       TZ = "Europe/Berlin";
       USER = "christoph";
-      KOPIA_PASSWORD = builtins.readFile config.age.secrets.kopia-user-password.path;
     };
 
+    # If we need to pass secrets to containers we can't use plain env variables.
+    sops.templates."kopia_secrets.env".content = ''
+      KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password}
+    '';
+
+    environmentFiles = [
+      config.sops.templates."kopia_secrets.env".path
+    ];
+
     entrypoint = "/bin/kopia";
 
     cmd = [
@@ -76,8 +84,8 @@
       "--disable-csrf-token-checks"
       "--insecure"
       "--address=0.0.0.0:51515"
-      "--server-username=${builtins.readFile config.age.secrets.kopia-server-username.path}"
-      "--server-password=${builtins.readFile config.age.secrets.kopia-server-password.path}"
+      "--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})"
+      "--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})"
     ];
 
     extraOptions = [