From 6cca1db3b364136864dace8c0ef09fd72b19e147 Mon Sep 17 00:00:00 2001
From: Vegard Bieker Matthey
Date: Fri, 22 May 2026 20:21:24 +0200
Subject: [PATCH] bekkalokk: fix permissions for mediawiki secrets
---
 hosts/bekkalokk/services/mediawiki/default.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix
index ec37d89..3fe4c91 100644
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -210,6 +210,8 @@ in {
 # EXT:WikiEditor
 $wgWikiEditorRealtimePreview = true;
+
+ $wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
 '';
 };
@@ -273,8 +275,6 @@ in {
 systemd.services.mediawiki-init = lib.mkIf cfg.enable {
 after = [ "sops-install-secrets.service" ];
 serviceConfig = {
- BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
- LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
 UMask = lib.mkForce "0007";
 };
 };
@@ -282,8 +282,6 @@ in {
 systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
 after = [ "sops-install-secrets.service" ];
 serviceConfig = {
- BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
- LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
 UMask = lib.mkForce "0007";
 };
 };
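Review bot: The added `$wgSecretKey = file_get_contents(...)` assignment in the first hunk has no failure path: `file_get_contents` returns `false` when the file is missing or unreadable, so the wiki would presumably keep running with `false` as its secret key rather than stopping. Because the second and third hunks drop `LoadCredential` and `BindReadOnlyPaths`, whether the PHP process can read the sops path now depends entirely on that secret's owner and mode, which this diff does not show. A permission mistake would therefore surface as a weak key, not as an error. I would follow the assignment with `if ($wgSecretKey === false || $wgSecretKey === "") { throw new RuntimeException("mediawiki secret key is unreadable or empty"); }` and confirm the sops secret is declared readable by the mediawiki service user only. The PHP config string that holds this line starts outside the hunk.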