From e01fd902eb431fae9f9411ec2be3889fe35c5f3f Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Mon, 26 Jan 2026 17:48:53 +0900
Subject: [PATCH] bekkalokk/mediawiki: move `secret.key` to sops

---
 .../bekkalokk/services/mediawiki/default.nix  | 23 ++++++++++++++++---
 secrets/bekkalokk/bekkalokk.yaml              |  7 +++---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix
index 18e33b2..045127e 100644
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -34,6 +34,7 @@ in {
   services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
 
   sops.secrets = lib.pipe [
+    "mediawiki/secret-key"
     "mediawiki/password"
     "mediawiki/postgres_password"
     "mediawiki/simplesamlphp/postgres_password"
@@ -179,15 +180,15 @@ in {
 
   # Cache directory for simplesamlphp
   # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
     user = "mediawiki";
     group = "mediawiki";
     mode = "0770";
   };
 
-  users.groups.mediawiki.members = [ "nginx" ];
+  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
 
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
     kTLS = true;
     forceSSL = true;
     enableACME = true;
@@ -233,4 +234,20 @@ in {
     };
 
   };
+
+  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
+    after = [ "sops-install-secrets.service" ];
+    serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+    };
+  };
+
+  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
+    after = [ "sops-install-secrets.service" ];
+    serviceConfig = {
+      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
+      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+    };
+  };
 }
diff --git a/secrets/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml
index 4ffb615..ea139dc 100644
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@@ -9,6 +9,7 @@ gitea:
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
     import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
 mediawiki:
+    secret-key: ENC[AES256_GCM,data:ixG9vGifYcz44y/copU+eHIjWLcxJ4v7pi8l1P3YHIdGwAk5DNZQWlaA/L3w0g50zM0ESEXL9k2r3jNI1nLGJw==,iv:fwHV4hYDEjP9f/8Bw74EhYDUN8UV+qIwqd6yXa5KtFs=,tag:3c9J/lVoJeRE1b/TTWJNZw==,type:str]
     password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
     postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
     simplesamlphp:
@@ -99,8 +100,8 @@ sops:
             SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
             29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-09T21:18:23Z"
-    mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
+    lastmodified: "2026-01-26T08:40:13Z"
+    mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
     pgp:
         - created_at: "2026-01-16T06:34:44Z"
           enc: |-
@@ -123,4 +124,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.11.0