[gitea] Moves database password into an sops secret

system/hosts/mcp/configuration.nix

@@ -6,6 +6,12 @@
     ./containers.nix
   ];
 
+  # Enable flakes
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
@@ -107,6 +113,19 @@
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
+  
+  ### Secrets
+  sops = {
+    defaultSopsFile = ../../../secrets/mcp.yaml;
+    age = {
+      # Use the host key for sops
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      # Where to store the key
+      keyFile = "/var/lib/sops-nix/key.txt";
+      # Generate the key if it doesn't exit
+      generateKey = true;
+    };
+  };
 
   ### State version
   # This value determines the NixOS release from which the default