fixes

modules/nixos/services/matrix/default.nix

@@ -91,14 +91,14 @@ let
             }
           ];
 
-          # Database configuration
+          # Database configuration — connect via Unix socket (peer auth via identMap)
           database = {
             name = "psycopg2";
             allow_unsafe_locale = true;
             args = {
               user = "synapse";
               database = "synapse";
-              host = "localhost";
+              host = "/run/postgresql";
               cp_min = 5;
               cp_max = 10;
             };

modules/nixos/services/sparky-fitness/default.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) mkContainerService;
+  inherit (lib.${namespace}) mkContainerService mkSopsEnvFile;
 
   serverName = "sparky-fitness-server";
   frontendName = "sparky-fitness";
@@ -17,6 +17,27 @@ let
 in
 {
   imports = [
+    # Sops env-file for sparky-fitness-server secrets
+    {
+      config = lib.mkIf serverCfg.enable (mkSopsEnvFile {
+        name = "sparky-fitness-server.env";
+        restartUnit = "podman-sparky-fitness-server.service";
+        secrets = {
+          "jallen-nas/sparky-fitness/db-password" = { };
+          "jallen-nas/sparky-fitness/api-encryption-key" = { };
+          "jallen-nas/sparky-fitness/auth-secret" = { };
+        };
+        content = ''
+          SPARKY_FITNESS_DB_PASSWORD=${config.sops.placeholder."jallen-nas/sparky-fitness/db-password"}
+          SPARKY_FITNESS_APP_DB_PASSWORD=${config.sops.placeholder."jallen-nas/sparky-fitness/db-password"}
+          SPARKY_FITNESS_API_ENCRYPTION_KEY=${
+            config.sops.placeholder."jallen-nas/sparky-fitness/api-encryption-key"
+          }
+          BETTER_AUTH_SECRET=${config.sops.placeholder."jallen-nas/sparky-fitness/auth-secret"}
+        '';
+      });
+    }
+
     (mkContainerService {
       inherit config;
       name = serverName;
@@ -26,6 +47,7 @@ in
         "${serverCfg.configDir}/sparky-fitness/server/backup:/app/SparkyFitnessServer/backup"
         "${serverCfg.configDir}/sparky-fitness/server/uploads:/app/SparkyFitnessServer/uploads"
       ];
+      environmentFiles = [ config.sops.templates."sparky-fitness-server.env".path ];
       environment = {
         SPARKY_FITNESS_LOG_LEVEL = "0";
         ALLOW_PRIVATE_NETWORK_CORS = "false";
@@ -33,13 +55,8 @@ in
         SPARKY_FITNESS_DB_USER = "sparkyfitness";
         SPARKY_FITNESS_DB_HOST = "10.0.1.3";
         SPARKY_FITNESS_DB_NAME = "sparkyfitness";
-        # TODO: move DB password and secrets to sops
-        SPARKY_FITNESS_DB_PASSWORD = "sparkyfitness";
         SPARKY_FITNESS_APP_DB_USER = "sparkyfitness";
-        SPARKY_FITNESS_APP_DB_PASSWORD = "sparkyfitness";
         SPARKY_FITNESS_DB_PORT = "${toString dbCfg.port}";
-        SPARKY_FITNESS_API_ENCRYPTION_KEY = "088ab2c6487ca1048c1fe74a4d8bd906e88db56953406769426b615d6df2407b";
-        BETTER_AUTH_SECRET = "a0304bda5a9efd0d92595c8d46526e33d58f436408f6b70ea37c2b84308d9abe";
         SPARKY_FITNESS_FRONTEND_URL = "http://10.0.1.3:${toString frontendCfg.port}";
         SPARKY_FITNESS_DISABLE_SIGNUP = "false";
         SPARKY_FITNESS_ADMIN_EMAIL = "jalle008@proton.me";
@@ -67,7 +84,7 @@ in
         "${dbCfg.configDir}/sparky-fitness/db:/var/lib/postgresql/data"
       ];
       environment = {
-        POSTGRES_DB = "sparkyfitness-db";
+        POSTGRES_DB = "sparkyfitness";
         POSTGRES_USER = "sparkyfitness";
         # TODO: move POSTGRES_PASSWORD to sops
         POSTGRES_PASSWORD = "sparkyfitness";