From 0cc7c804074ccc05d6f42223ab76913f3841a80a Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Wed, 27 Aug 2025 15:17:29 +0200
Subject: [PATCH] sops: Make secrets root owned when possible
---
 modules/system/services/hedgedoc.nix | 14 +++++---------
 modules/system/services/radicale.nix | 2 +-
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/modules/system/services/hedgedoc.nix b/modules/system/services/hedgedoc.nix
index 04279d5..2ff2ea9 100644
--- a/modules/system/services/hedgedoc.nix
+++ b/modules/system/services/hedgedoc.nix
@@ -27,17 +27,13 @@ in
 ports.list = [ cfg.port ];
 };
- sops =
- let
+ sops = {
+ secrets."hedgedoc/gitlab-auth-secret" = { };
+ templates."hedgedoc/environment" = {
 owner = config.users.users.hedgedoc.name;
- in
- {
- secrets."hedgedoc/gitlab-auth-secret".owner = owner;
- templates."hedgedoc/environment" = {
- inherit owner;
- content = "GITLAB_CLIENTSECRET=${config.sops.placeholder."hedgedoc/gitlab-auth-secret"}";
- };
+ content = "GITLAB_CLIENTSECRET=${config.sops.placeholder."hedgedoc/gitlab-auth-secret"}";
 };
+ };
 services.hedgedoc = {
 enable = true;
diff --git a/modules/system/services/radicale.nix b/modules/system/services/radicale.nix
index f343e13..d4e57d0 100644
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@@ -22,7 +22,7 @@ in
 };
 sops = {
- secrets."radicale/admin-password".owner = config.users.users.radicale.name;
+ secrets."radicale/admin-password" = { };
 templates."radicale/htpasswd" = {
 owner = config.users.users.radicale.name;
 content = "seb:${config.sops.placeholder."radicale/admin-password"}";
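Review bot: The `hedgedoc/environment` template still carries `owner = config.users.users.hedgedoc.name;`, so the rendered file holding the GitLab client secret remains readable by the hedgedoc user even though the commit's subject asks for root ownership where possible; if `services.hedgedoc` (whose block starts at the end of this hunk and continues outside it) hands the template to systemd's `EnvironmentFile=`, the service manager reads that file as root before the unit drops privileges and the `owner` line could be removed as well — confirm against the hedgedoc module before doing so. Either way the new `secrets."hedgedoc/gitlab-auth-secret" = { };` reads like an unfinished placeholder; a short comment such as `# no owner: keep the decrypted secret root-only, the service reads the rendered template` records the intent, and the same applies to `secrets."radicale/admin-password" = { };` in the radicale hunk, where the template presumably has to stay radicale-owned because Radicale itself opens the htpasswd file.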