refactor(sops): Move secret definitions to specific modules

2025-11-14 10:54:51 +08:00 · 2025-11-14 10:54:51 +08:00 · 7fcaa34b28
commit 7fcaa34b28
parent 767a14ab6e
15 changed files with 81 additions and 105 deletions
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@ -179,4 +179,11 @@ in
  systemd.services.coturn.serviceConfig.SupplementaryGroups = [
    config.security.acme.certs."tlater.net".group
  ];
+
+  sops.secrets = {
+    "turn/env" = { };
+    "turn/secret" = {
+      owner = "turnserver";
+    };
+  };
 }
--- a/configuration/services/conduit/heisenbridge.nix
+++ b/configuration/services/conduit/heisenbridge.nix
@ -75,4 +75,10 @@ in
        # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      };
    };
+
+  sops.secrets = {
+    # Accessed via systemd cred through /run/secrets/heisebridge
+    "heisenbridge/as-token" = { };
+    "heisenbridge/hs-token" = { };
+  };
 }
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@ -163,4 +163,10 @@ in
      metrics.enabled = true;
    };
  };
+
+  sops.secrets = {
+    # Accessed via systemd cred through /run/secrets/matrix-hookshot
+    "matrix-hookshot/as-token" = { };
+    "matrix-hookshot/hs-token" = { };
+  };
 }