vocard: use sops templating

nixosConfigurations/gerg-desktop/services/vocard/application.yml

@@ -18,7 +18,7 @@ plugins:
       - WEBEMBEDDED 
     oauth:
       enabled: true
-      refreshToken: ""
+      refreshToken: "@refresh_token@"
 #  name: # Name of the plugin
 #    some_key: some_value # Some key-value pair for the plugin
 #    another_key: another_value
@@ -35,7 +35,7 @@ lavalink:
 #  defaultPluginRepository: "https://maven.lavalink.dev/releases" # optional, defaults to the Lavalink release repository
 #  defaultPluginSnapshotRepository: "https://maven.lavalink.dev/snapshots" # optional, defaults to the Lavalink snapshot repository
   server:
-    password: "youshallnotpass"
+    password: "@password@"
     sources:
       # The default Youtube source is now deprecated and won't receive further updates. Please use https://github.com/lavalink-devs/youtube-source#plugin instead.
       youtube: false

nixosConfigurations/gerg-desktop/services/vocard/secrets.yaml

@@ -1,5 +1,11 @@
-vocard: ENC[AES256_GCM,data:5tMsCU3eI9oTcbJf53paVi82TlEOTgAEUF0hYgnee97x/DZsoiCg5xhsedlp7vwJgWv+em3qiOah47EopR9x4uL8O/WFYAVrx6b03tUTzzk31NZMQ1xxSzbdJ+5BsheB2UYhpt99sHweVTjHsyy1gICa3zfk7W+SfzNJqTk1Sz2u+o9MS2y7UH+lddK/IEF9QlPI3pUJPKCjd2fjZaz/LS4ih3Hq0whpdeLpJ7G4NK2l50hRwDU0vuQgmMJZvEH/Mx7E7n7nHar//9nueE2JxPaKPkAJ7MnZ6GQppLX3zwExe4BEW3H449dVPV94eFcTCYO9QBE=,iv:5ieW16/MCK3BJshihfoeFfPcH83RmaAvy/kF4921zjk=,tag:t5ouiAwmVLl0SbRUEl8CnA==,type:str]
-lavalink: ENC[AES256_GCM,data:p6FMF2uXwHqg9bGiU1/8TRCToGyDR3t0Kz4J1mCHu2beSpLZWV0Cy9BcwsE2rFMKh5bxzffh8FrMDJJ8cnLpBqCNDDdyHpRub9zuREiJ0yPUEvG6GhAQpvhMOQYAkDe2fVmSIWdF+s+v514rj7mjEkHpdNov7pEL,iv:9OYomvSLszkTYuDReRUyHauPwaZrzlZC6VvJ1sI6rhw=,tag:X2RpZxwnxU6ofo+19Q/DYQ==,type:str]
+vocard:
+    token: ENC[AES256_GCM,data:CCu4yOw4Fvwyx0KkYIikiz3VY2xTPbBx1q92W7FBTp+5fU+UP7yuAwZMWWZtzKdEyypzlk5uJ4tJRwUHqq62EnJqYj4wCVcr,iv:/Nxr9QPjEa67Xxn+tz3TRrcNG+cqEPVsqdjjxLp7R+k=,tag:LcVRrGorxvljJqpgs2bSoA==,type:str]
+    client_id: ENC[AES256_GCM,data:yd9vcUVxMpAKiPzl1hDI9EJhzA==,iv:dzB8ls0k5kWd+qtbSAkSfAXO0dxIUwdjppGYMkc+OHg=,tag:l1M4XTs79fszfNcFXSzVVg==,type:str]
+    spotify_client_id: ENC[AES256_GCM,data:uwqtWL7JZnN6FsPfTxtBjEgjE7qwGcKbDnloO6SNWs4=,iv:HMZ42J2oXavE4NZCmP1MUVZ+s9Px4XBDRWIbCcl6dYs=,tag:iO8hn8mlNGS1dcLBwwl/AQ==,type:str]
+    spotify_client_secret: ENC[AES256_GCM,data:YnfLj7RPTaucpZCqnel2gStd8oBcbWnL4/+KnkyT4u0=,iv:W6gXch7jH5jFp0PJy0LZ7vq1yCtO1NLbCTR3N6r47nQ=,tag:ct5Y786N6qVkZCts6pZniQ==,type:str]
+lavalink:
+    refresh_token: ENC[AES256_GCM,data:t40tbR2FrGTQCmuGsQ0AXJyjKLBYpOs52aIVaYtZnYWYa2pEm+c8K2pDT33uWe2WA0YSV5z5Qe+YEeryudaLALGB/hnGpnRqPDiS4msiPQMD+5dFnrelYIXCFz8kTlCPdsaDW33F5w==,iv:pk+V85B+t3gYFm2zYWqACwRh0q4W86UvcaNnzhbzztU=,tag:gjC4ADv9hNhk85niT3P75g==,type:str]
+    password: ENC[AES256_GCM,data:boIoVKGcXWAaKx6rOH1w1awTGfc=,iv:mX8WaaeeQXqyVuM5oA5tUUG7h7C0rV9QAVoHW/InyPc=,tag:Q/P3T5o1CMlbxe+UWyOP3A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -15,8 +21,8 @@ sops:
             WC9NVmdtWjlWSWN6dUwwMFdPRmpxWG8Ka0i27kBbA4p835RWsEPIghFTwxo4elOz
             PL0TnuMNnl66TJiD0x6oRMn8tb6wQIAqGxBt9Jb2lj24eXCtzfGbEg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-06T17:07:08Z"
-    mac: ENC[AES256_GCM,data:jVVU4F6GK8mf8lvH5BNbbU9UHJu/od4Y+jTTSBkFcH9SBy9AWlwm6YjNmotSH3IMuxUWe3vyLLoga2pLgla2TJlScDpok9ZTcZTmSybacrTfT2r3Xyt++R+v+i5fnhlnN7MfnPYx33tofoxpIKdvM0VCaBi+dY1EXXNQOSRdOiA=,iv:bz8+UdBJXSLI+/C48pFoYIHGF6CMaJIonvRMNmJhy7I=,tag:0DCcq2t7wcvzrXqtnAeXeg==,type:str]
+    lastmodified: "2025-02-07T03:01:32Z"
+    mac: ENC[AES256_GCM,data:T7z3iKsPZ6AiAf+ogcUfbBCLpXWgb76KKkpfXjHIkvoovHIil8diyWSPogj0eD6a7i4mTjvaan7VoFsNS76KjVezGrEUlMcmck/JgSYkyxZmKtw0Yt/V4G8z7BodG7uWCo37eG7XZopi+Oy1+EWku6OzfXXi9vi27BtyDqAju6Y=,iv:b8mqxYPMUBhPyk+wkcNJXGX32GulRZMR+iSVOOePs9E=,tag:qTRumh4WEICrubw0gi91YA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.3
+    version: 3.9.4

nixosConfigurations/gerg-desktop/services/vocard/settings.json

@@ -1,8 +1,8 @@
 {
-  "token": "",
-  "client_id": "",
-  "spotify_client_id": "",
-  "spotify_client_secret": "",
+  "token": "@token@",
+  "client_id": "@client_id@",
+  "spotify_client_id": "@spotify_client_id@",
+  "spotify_client_secret": "@spotify_client_secret@",
   "genius_token": "YOUR_GENIUS_TOKEN",
   "mongodb_url": "0.0.0.0",
   "mongodb_name": "vocard",
@@ -10,7 +10,7 @@
     "DEFAULT": {
       "host": "0.0.0.0",
       "port": 2333,
-      "password": "youshallnotpass",
+      "password": "@password@",
       "secure": false,
       "identifier": "DEFAULT"
     }

nixosConfigurations/gerg-desktop/services/vocard/vocard.nix

@@ -1,11 +1,71 @@
 {
   self',
   lib,
+  config,
 }:
 {
+  sops = {
+    secrets =
+      builtins.mapAttrs
+        (
+          _: v:
+          v
+          // {
+            sopsFile = ./secrets.yaml;
+          }
+        )
+        {
+          "vocard/token" = { };
+          "vocard/client_id" = { };
+          "vocard/spotify_client_id" = { };
+          "vocard/spotify_client_secret" = { };
+          "lavalink/refresh_token" = { };
+          "lavalink/password" = { };
+
+        };
+    templates = {
+      vocard.content =
+        builtins.replaceStrings
+          [
+            "@token@"
+            "@client_id@"
+            "@spotify_client_id@"
+            "@spotify_client_secret@"
+            "@password@"
+          ]
+          [
+            config.sops.placeholder."vocard/token"
+            config.sops.placeholder."vocard/client_id"
+            config.sops.placeholder."vocard/spotify_client_id"
+            config.sops.placeholder."vocard/spotify_client_secret"
+            config.sops.placeholder."lavalink/password"
+
+          ]
+          (builtins.readFile ./settings.json);
+
+      lavalink.content =
+        builtins.replaceStrings
+          [
+            "@refresh_token@"
+
+            "@password@"
+          ]
+          [
+            config.sops.placeholder."lavalink/refresh_token"
+
+            config.sops.placeholder."lavalink/password"
+
+          ]
+          (builtins.readFile ./application.yml);
+    };
+  };
+
   systemd.tmpfiles.rules = [
     "d /persist/services/vocard - - - - -"
     "d /persist/services/lavalink - - - - -"
+
+    "L+ /persist/services/vocard/settings.json - - - - ${config.sops.templates.vocard.path}"
+    "L+ /persist/services/lavalink/application.yml - - - - ${config.sops.templates.lavalink.path}"
   ];
 
   systemd.services = {