add secret keys from SOPS

hosts/containers/mediawiki/default.nix

@@ -50,6 +50,21 @@ in {
 
    system.stateVersion = "22.05";
 
+   sops.secrets = {
+     "mediawiki/adminPassword" =  {
+        owner = config.systemd.services.mediawiki.serviceConfig.User;
+     };
+     "mediawiki/upgradeKey" =  {
+        owner = config.systemd.services.mediawiki.serviceConfig.User;
+     };
+     "mediawiki/secretKey" = {
+        owner = config.systemd.services.mediawiki.serviceConfig.User;
+        path = "/var/lib/mediawiki/secret.key";
+     };
+   };
+
+   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
    services.logrotate.checkConfig = false;
 
    services.mediawiki = let
@@ -135,6 +150,8 @@ in {
       $wgUseAjax = true;
       $wgEnableMWSuggest = true;
 
+      //TODO what about $wgUpgradeKey ?
+
       $wgScribuntoDefaultEngine = 'luastandalone';
    '';
    # see https://extdist.wmflabs.org/dist/extensions/ for list of extensions
@@ -181,7 +198,7 @@ in {
        sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA=";
      };
     };
-   passwordFile = pkgs.writeText "password" "topSecretF0rAll!!!!";
+   passwordFile = config.sops.secrets."mediawiki/adminPassword".path;
    database = {
      type = "postgres";
      socket = "/run/postgresql";