I already had some success with sops-nix, but I am not really sure what the best way would be to solve this problem of creating secret-containing files after a rebuild.
The Codeberg token should be configured something like that, according to the documentation.
This file needs to be built after the rebuild, because in the configuration I can only specify the path to where this file is located:
{
services.hydra.extraConfig = ''
Include /path/to/secret/file
'';
}
I have the path to the token available through config.sops.codeberg-token.path, and I can configure who can read that file. But I am not sure about the best way to create the config file that can be included.
I was failing at writing a systemd service to create that file.
Can’t you just make the snippet itself the entire secret, and include that path from your Hydra configuration? That’s likely the path of least resistance here.
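An added example (not from either post) of what that "make the snippet itself the secret" approach looks like in a NixOS module. It assumes a sops-encrypted YAML file at ./secrets/hydra.yaml whose key hydra-codeberg-snippet holds the complete hydra.conf fragment from the Hydra documentation (the `<gitea_authorization>` stanza shown in the comment is an assumption; copy the exact form from the docs), that the Hydra services run as users sharing the `hydra` group, and that the unit names listed are the ones that read hydra.conf on your system:

```nix
{ config, ... }:
{
  # Assumed layout of secrets/hydra.yaml (sops-encrypted); the value is the
  # whole snippet, so sops-nix writes a file that Hydra can Include directly:
  #   hydra-codeberg-snippet: |
  #     <gitea_authorization>
  #     codeberg.org=<token>
  #     </gitea_authorization>
  sops.secrets.hydra-codeberg-snippet = {
    sopsFile = ./secrets/hydra.yaml;
    # Hydra runs as several users (hydra, hydra-queue-runner, hydra-www) that
    # share the hydra group, so grant read access to the group, not to one user.
    owner = "hydra";
    group = "hydra";
    mode = "0440";
    # When the decrypted secret changes, restart the units that read hydra.conf.
    restartUnits = [
      "hydra-server.service"
      "hydra-queue-runner.service"
      "hydra-evaluator.service"
      "hydra-notify.service"
    ];
  };

  # The decrypted path (normally /run/secrets/hydra-codeberg-snippet) is known
  # at evaluation time, so it can be interpolated straight into the Include.
  services.hydra.extraConfig = ''
    Include ${config.sops.secrets.hydra-codeberg-snippet.path}
  '';
}
```

No extra systemd service is needed: sops-nix decrypts the secret during activation, before the Hydra units start, and the generated hydra.conf only ever contains the path, never the token. Check with `ls -l /run/secrets/hydra-codeberg-snippet` after a rebuild that the owner, group and mode are what you expect.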