From ed38402eecf607d2de8be69a3427ea3ca017a240 Mon Sep 17 00:00:00 2001
From: Winzlieb
Date: Tue, 28 Jun 2022 20:35:02 +0200
Subject: [PATCH] add secret keys from SOPS
---
 hosts/containers/mediawiki/default.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/hosts/containers/mediawiki/default.nix b/hosts/containers/mediawiki/default.nix
index 77cc8212..2e8304df 100644
--- a/hosts/containers/mediawiki/default.nix
+++ b/hosts/containers/mediawiki/default.nix
@@ -50,6 +50,21 @@ in {
 system.stateVersion = "22.05";
+ sops.secrets = {
+ "mediawiki/adminPassword" = {
+ owner = config.systemd.services.mediawiki.serviceConfig.User;
+ };
+ "mediawiki/upgradeKey" = {
+ owner = config.systemd.services.mediawiki.serviceConfig.User;
+ };
+ "mediawiki/secretKey" = {
+ owner = config.systemd.services.mediawiki.serviceConfig.User;
+ path = "/var/lib/mediawiki/secret.key";
+ };
+ };
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
 services.logrotate.checkConfig = false;
 services.mediawiki = let
@@ -135,6 +150,8 @@ in {
 $wgUseAjax = true;
 $wgEnableMWSuggest = true;
+ //TODO what about $wgUpgradeKey ?
+
 $wgScribuntoDefaultEngine = 'luastandalone';
 '';
 # see https://extdist.wmflabs.org/dist/extensions/ for list of extensions
@@ -181,7 +198,7 @@ in {
 sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA=";
 };
 };
- passwordFile = pkgs.writeText "password" "topSecretF0rAll!!!!";
+ passwordFile = config.sops.secrets."mediawiki/adminPassword".path;
 database = {
 type = "postgres";
 socket = "/run/postgresql";
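Review bot: `"mediawiki/upgradeKey"` is declared in the `sops.secrets` set but nothing in this commit consumes it (the second hunk only leaves a TODO for `$wgUpgradeKey`), and `"mediawiki/secretKey"` is pinned to `/var/lib/mediawiki/secret.key` with no comment explaining the fixed path. The intent is presumably that this is the file the NixOS mediawiki module reads `$wgSecretKey` from, which should be confirmed and recorded, e.g. `# placed where the mediawiki module reads its secret key, so the module's generated key is replaced by the sops-managed one`. If the module's own pre-start step also writes that file, the ordering between it and sops-nix's activation decides which key ends up in use, so this is worth verifying on a fresh deploy. The `owner` lines are what let the service user read the files under sops-nix's default (owner-only) mode; no `sops.defaultSopsFile` appears in this hunk, so the encrypted source must be configured elsewhere.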
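Review bot: The added `//TODO what about $wgUpgradeKey ?` leaves the `mediawiki/upgradeKey` secret from the first hunk provisioned but unused, so the web-updater key stays unset while a file for it is still decrypted onto the host. Since this PHP lives in a Nix indented string and `config` is already in scope (the third hunk uses it for `passwordFile`), the TODO can be resolved in place: `$wgUpgradeKey = trim(file_get_contents("${config.sops.secrets."mediawiki/upgradeKey".path}"));`. That reads the file at request time as the service user, which is why the `owner` on that secret matters; if the upgrade key is not wanted, drop the secret declaration instead of leaving both halves dangling. The enclosing configuration string starts and ends outside this hunk.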
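Review bot: Replacing the `pkgs.writeText` literal is the right change, but the removed value `topSecretF0rAll!!!!` remains in git history and in the world-readable Nix store of every generation built from it, so the sops-encrypted value should be a freshly generated password rather than the old string re-encrypted, and the wiki admin account should have its password changed if it was ever installed with the literal. A short comment on the new line would help the next reader, e.g. `# read by the mediawiki module as the service user, hence the owner set on the secret`. Whether the module reads `passwordFile` only on initial install or on every start cannot be seen from this hunk, so the behaviour on password rotation is worth checking before relying on it.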