Diffstat (limited to 'modules')
| -rw-r--r-- | modules/core/security/sops.nix | 1 | ||||
| -rw-r--r-- | modules/desktop/default.nix | 3 | ||||
| -rw-r--r-- | modules/server/default.nix | 2 | ||||
| -rw-r--r-- | modules/server/sops.nix | 6 | ||||
| -rw-r--r-- | modules/server/systemd.nix | 16 | ||||
| -rw-r--r-- | modules/server/virtualisation.nix | 6 |
6 files changed, 18 insertions, 16 deletions
diff --git a/modules/core/security/sops.nix b/modules/core/security/sops.nix
index b2e6524..0bb1f6d 100644
--- a/modules/core/security/sops.nix
+++ b/modules/core/security/sops.nix
@@ -7,7 +7,6 @@
 sops = {
 defaultSopsFile = ../../../secrets/secrets.yaml;
 gnupg.sshKeyPaths = [ ];
- secrets.openai_api_key.owner = "ebisu";
 age = {
 sshKeyPaths = [ ];
diff --git a/modules/desktop/default.nix b/modules/desktop/default.nix
new file mode 100644
index 0000000..9d0345f
--- /dev/null
+++ b/modules/desktop/default.nix
@@ -0,0 +1,3 @@
+{
+ sops.secrets.openai_api_key.owner = "ebisu";
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
index c81450d..5ada608 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -2,8 +2,10 @@
 {
 imports = [
 ../core/networking/vpn/tailscale.nix
+ ../core/security/sops.nix
 ../core/nix
 ./networking
+ ./sops.nix
 ./system.nix
 ./systemd.nix
 ./users.nix
diff --git a/modules/server/sops.nix b/modules/server/sops.nix
new file mode 100644
index 0000000..1c12ca5
--- /dev/null
+++ b/modules/server/sops.nix
@@ -0,0 +1,6 @@
+{
+ sops.secrets = {
+ "ghcr/user" = { };
+ "ghcr/password" = { };
+ };
+}
diff --git a/modules/server/systemd.nix b/modules/server/systemd.nix
index 8d0b118..3ad7f06 100644
--- a/modules/server/systemd.nix
+++ b/modules/server/systemd.nix
@@ -1,7 +1,4 @@
-{ secrets, config, ... }:
-let
- inherit (config.modules.server) containerEngine;
-in
+{ secrets, ... }:
 {
 systemd.services.tailscale-up = {
 after = [ "tailscaled.service" ];
@@ -13,15 +10,4 @@ in
 Restart = "on-failure";
 };
 };
-
- systemd.services.ghcr-login = {
- after = [ "${containerEngine}.service" ];
- requires = [ "${containerEngine}.service" ];
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- ExecStart = "/run/current-system/sw/bin/${containerEngine} login ghcr.io -u ${secrets.ghcr.username} -p ${secrets.ghcr.token}";
- Restart = "on-failure";
- };
- };
 }
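Review bot: In modules/server/sops.nix the two secrets are declared as empty sets with no comment naming what reads them or what access they end up with. With no `owner` or `mode` given, the sops-nix defaults apply (root-owned, mode 0400), which only works if whatever performs the registry login runs as root; a comment such as `# read by the ghcr.io login in virtualisation.nix; sops-nix defaults: root, 0400` would record that. The `ghcr-login` unit removed from modules/server/systemd.nix in this commit interpolated `secrets.ghcr.token` into `ExecStart`, so that value has presumably been in generated unit files and on the process command line; it should be rotated rather than reused as the new `ghcr/password`.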
diff --git a/modules/server/virtualisation.nix b/modules/server/virtualisation.nix
index bfdb4a9..38027e4 100644
--- a/modules/server/virtualisation.nix
+++ b/modules/server/virtualisation.nix
@@ -69,6 +69,12 @@ in
 FINNHUB_TOKEN = secrets.finnhub_token;
 HEADER_IMAGE = "https://ruu.neocities.org/images/animeHeader.gif";
 };
+
+ login = {
+ registry = "ghcr.io";
+ username = config.sops.secrets."ghcr/user".path;
+ passwordFile = config.sops.secrets."ghcr/password".path;
+ };
 };
 bin = { |
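Review bot: `username = config.sops.secrets."ghcr/user".path;` passes a file path where a user name is expected, if this `login` block is the NixOS oci-containers option (the enclosing attribute set starts outside the hunk, so that is inferred). In that module only `passwordFile` is read from disk; `username` is used literally, so the login would be attempted with the secret's path as the account name and fail. A registry user name is not normally sensitive, so `username = "<ghcr-username>";` (placeholder) would do, and the `ghcr/user` secret could then be dropped. The context line `FINNHUB_TOKEN = secrets.finnhub_token;` is still resolved at evaluation time and so presumably ends up in the store; an sops-managed environment file would give it the same treatment as the ghcr password.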