link sops secrets through the volume

hosts/uranus/jupyter-container.nix

@@ -42,8 +42,6 @@ pkgs.dockerTools.buildImage {
           c.Spawner.default_url='/lab'
         '';
 
-      copy-passwords = lib.concatStringsSep "\n" (builtins.map (u: "cp ${u.userPasswordFile} /pw/") jupyterUsers);
-
       entrypoint = pkgs.writeScriptBin "entrypoint.sh" ''
         #!${cont-interpreter}
         set -ex
@@ -60,9 +58,6 @@ pkgs.dockerTools.buildImage {
         # create all the users
         ${create-all-users-script}
 
-        # remove supplied passwords
-        rm -r /pw
-
         # install the python environ
         conda install -c conda-forge mamba
 
@@ -82,10 +77,6 @@ pkgs.dockerTools.buildImage {
       # make temp store for pw hashes
       mkdir -p /pw
 
-      ${copy-passwords}
-
-      # populate with temp pw's
-
       cp ${jupyterhub-config} /jupyterhub-config.py
       cp ${entrypoint}/bin/entrypoint.sh /entrypoint.sh
     '';

hosts/uranus/stateful-jupyter.nix

@@ -9,7 +9,9 @@ let
   ];
 in
 {
-  sops.secrets.hashed-password-0xa = { };
+  sops.secrets.hashed-password-0xa = {
+    path = "/var/lib/pw/hashed-password-0xa";
+  };
 
   virtualisation.docker = {
     enable = true;
@@ -29,7 +31,7 @@ in
       volumes = [
         "/var/lib/jupyter-volume:/workdir"
         "/var/lib/root-home:/root"
-        # "/var/lib/conda-persist:/opt/conda"
+        "/var/lib/pw:/pw"
       ];
       imageFile =
         let