authorFuwn <[email protected]>2024-10-09 15:58:15 -0700
committerFuwn <[email protected]>2024-10-09 15:58:15 -0700
commit9710259a08b205ff941c23b53792283426f4bbc6 (patch)
tree5e117fd6b575c8b8660cc13f6a4b2a35e7b0199d
parentseptember: disallow mastogem (diff)
tor: declare fuwnme onion secret key
-rw-r--r--.sops.yaml2
-rw-r--r--modules/server/networking/tor.nix2
-rw-r--r--modules/server/sops.nix5
-rw-r--r--secrets/fuwnme_hs_ed25519_secret_key.binbin0 -> 1286 bytes
4 files changed, 8 insertions, 1 deletions
diff --git a/.sops.yaml b/.sops.yaml
index a60d1d3..f85775d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -21,7 +21,7 @@ creation_rules:
key_groups:
- age:
- *kansai
- - path_regex: secrets/himeji.ya?ml$
+ - path_regex: secrets/((himeji.ya?ml)|fuwnme_hs_ed25519_secret_key.bin)$
key_groups:
- age:
- *himeji
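Review bot: The dots in the new `path_regex` are unescaped, so each `.` matches any character and the rule covers more paths than the two files it names. Because this rule decides which age recipients can decrypt the onion service key, I would make it exact: `- path_regex: secrets/(himeji\.ya?ml|fuwnme_hs_ed25519_secret_key\.bin)$`. The ciphertext also lands in repository history, so the onion identity stays only as safe as the `himeji` age key for as long as that history is readable; rotating the age key later does not re-protect the old blob. The rule list continues outside the hunk.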
diff --git a/modules/server/networking/tor.nix b/modules/server/networking/tor.nix
index 05e7fb7..ab3dc9f 100644
--- a/modules/server/networking/tor.nix
+++ b/modules/server/networking/tor.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
{
services = {
caddy.virtualHosts."fuwnme4wbs5x36jjf2usedw2zscozwhazykhyfkjsmudtb7egs3mb7yd.onion".extraConfig = "reverse_proxy localhost:8084";
@@ -9,6 +10,7 @@
relay.onionServices = {
"fuwn.me" = {
version = 3;
+ secretKey = config.sops.secrets."fuwnme_onion_secret_key".path;
map = [
{
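Review bot: Nothing ties the key wired in on the `secretKey` line to the onion hostname hard-coded in the Caddy virtual host at the top of the file. Tor derives a v3 address from the key, so a mismatched or regenerated key would publish a different address while Caddy keeps answering for the old name. A comment above the line would record the coupling: `# must be the key for the .onion vhost declared above; Tor derives the hostname from it`. Passing `.path` (a runtime path string) rather than a Nix path literal is the right choice, since it keeps the plaintext out of the store. The attribute set continues outside the hunk.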
diff --git a/modules/server/sops.nix b/modules/server/sops.nix
index 8c2549a..a2b5e78 100644
--- a/modules/server/sops.nix
+++ b/modules/server/sops.nix
@@ -9,6 +9,11 @@
tailscale_authentication_key = { };
finnhub_token = { };
caddy_environment_file = { };
+
+ fuwnme_onion_secret_key = {
+ format = "binary";
+ sopsFile = "${self}/secrets/fuwnme_hs_ed25519_secret_key.bin";
+ };
};
};
}
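Review bot: The new `fuwnme_onion_secret_key` entry sets no `restartUnits`, so replacing or re-encrypting the key would not restart Tor and the running service would keep whatever copy it started with. Consider adding `restartUnits = [ "tor.service" ];` inside the attribute set. Owner and mode are left at the sops-nix defaults, which I believe are root-only; that is the tighter choice, but it relies on the Tor module installing the key with root privileges before start, which is worth confirming on the first deploy. `self` is not bound in the visible lines, so it presumably arrives through module arguments outside the hunk.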
diff --git a/secrets/fuwnme_hs_ed25519_secret_key.bin b/secrets/fuwnme_hs_ed25519_secret_key.bin
new file mode 100644
index 0000000..9aef2c1
--- /dev/null
+++ b/secrets/fuwnme_hs_ed25519_secret_key.bin
Binary files differ