fix(lock): Add missing lockfile update

configuration/services/battery-manager.nix

@@ -13,4 +13,9 @@
       log_level = "DEBUG";
     };
   };
+
+  sops.secrets = {
+    "battery-manager/email" = { };
+    "battery-manager/password" = { };
+  };
 }

configuration/services/conduit/default.nix

@@ -179,4 +179,11 @@ in
   systemd.services.coturn.serviceConfig.SupplementaryGroups = [
     config.security.acme.certs."tlater.net".group
   ];
+
+  sops.secrets = {
+    "turn/env" = { };
+    "turn/secret" = {
+      owner = "turnserver";
+    };
+  };
 }

configuration/services/conduit/heisenbridge.nix

@@ -75,4 +75,10 @@ in
         # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
       };
     };
+
+  sops.secrets = {
+    # Accessed via systemd cred through /run/secrets/heisebridge
+    "heisenbridge/as-token" = { };
+    "heisenbridge/hs-token" = { };
+  };
 }

configuration/services/conduit/matrix-hookshot.nix

@@ -163,4 +163,10 @@ in
       metrics.enabled = true;
     };
   };
+
+  sops.secrets = {
+    # Accessed via systemd cred through /run/secrets/matrix-hookshot
+    "matrix-hookshot/as-token" = { };
+    "matrix-hookshot/hs-token" = { };
+  };
 }

configuration/services/metrics/grafana.nix

@@ -67,4 +67,15 @@ in
       };
     };
   };
+
+  sops.secrets = {
+    "grafana/adminPassword" = {
+      owner = "grafana";
+      group = "grafana";
+    };
+    "grafana/secretKey" = {
+      owner = "grafana";
+      group = "grafana";
+    };
+  };
 }

configuration/services/metrics/victoriametrics.nix

@@ -96,4 +96,10 @@ in
       victorialogs.targets = [ config.services.victorialogs.bindAddress ];
     };
   };
+
+  sops.secrets."forgejo/metrics-token" = {
+    owner = "forgejo";
+    group = "metrics";
+    mode = "0440";
+  };
 }

configuration/services/nextcloud.nix

@@ -100,4 +100,9 @@ in
 
   # Ensure that this service doesn't start before postgres is ready
   systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
+
+  sops.secrets."nextcloud/tlater" = {
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
 }

configuration/services/starbound.nix

@@ -114,4 +114,7 @@ in
     paths = [ "/var/lib/private/starbound/storage/universe/" ];
     pauseServices = [ "starbound.service" ];
   };
+
+  # Accessed via systemd cred through /run/secrets/steam
+  sops.secrets."steam/tlater" = { };
 }

configuration/services/wireguard.nix

@@ -62,4 +62,10 @@
       };
     };
   };
+
+  sops.secrets."wireguard/server-key" = {
+    owner = "root";
+    group = "systemd-network";
+    mode = "0440";
+  };
 }

configuration/sops.nix

@@ -3,41 +3,6 @@
     defaultSopsFile = ../keys/production.yaml;
 
     secrets = {
-      "battery-manager/email" = { };
-
-      "battery-manager/password" = { };
-
-      # Gitea
-      "forgejo/metrics-token" = {
-        owner = "forgejo";
-        group = "metrics";
-        mode = "0440";
-      };
-
-      # Grafana
-      "grafana/adminPassword" = {
-        owner = "grafana";
-        group = "grafana";
-      };
-      "grafana/secretKey" = {
-        owner = "grafana";
-        group = "grafana";
-      };
-
-      # Heisenbridge
-      "heisenbridge/as-token" = { };
-      "heisenbridge/hs-token" = { };
-
-      # Matrix-hookshot
-      "matrix-hookshot/as-token" = { };
-      "matrix-hookshot/hs-token" = { };
-
-      # Nextcloud
-      "nextcloud/tlater" = {
-        owner = "nextcloud";
-        group = "nextcloud";
-      };
-
       # Restic
       "restic/local-backups" = {
         owner = "root";
@@ -45,27 +10,13 @@
         mode = "0440";
       };
 
-      # Steam
-      "steam/tlater" = { };
-
       # Turn
-      "turn/env" = { };
-      "turn/secret" = {
-        owner = "turnserver";
-      };
       "turn/ssl-key" = {
         owner = "turnserver";
       };
       "turn/ssl-cert" = {
         owner = "turnserver";
       };
-
-      # Wireguard
-      "wireguard/server-key" = {
-        owner = "root";
-        group = "systemd-network";
-        mode = "0440";
-      };
     };
   };
 }