feat: sentinella: update

nixos/module/hectic/service/sentinèlla.nix

@@ -100,10 +100,18 @@ in {
         };
         environmentFile = lib.mkOption {
           type    = with lib.types; nullOr path;
-          default = null;
+          default = config.sops.secrets."sentinèlla/watcher/environment".path;
+          defaultText = lib.literalExpression
+            "config.sops.secrets.\"sentinèlla/watcher/environment\".path";
           example = "config.sops.secrets.\"sentinella-watcher-env\".path";
           description = ''
-            Optional environment file for secrets. Supported variables:
+            Environment file for secrets. Defaults to the auto-declared SOPS
+            secret sentinèlla/watcher/environment (resolved from
+            sus/sentinella-default.yaml in the flake). Override the sopsFile
+            via sops.secrets."sentinèlla/watcher/environment".sopsFile if you
+            need a host-specific file instead.
+
+            Supported variables:
               TG_TOKEN=
               TG_CHAT_ID=
               PEERS_TOKEN=   # Basic Auth token sent to all peers
@@ -148,6 +156,10 @@ in {
     })
 
     (lib.mkIf cfg.watcher.enable {
+      sops.secrets."sentinèlla/watcher/environment" = lib.mkDefault {
+        sopsFile = "${flake}/sus/sentinella-default.yaml";
+      };
+
       systemd.services."sentinella-watcher" = {
         description = "sentinèlla watcher — p2p peer monitor";
         after       = [ "network.target" ];

nixos/system/hectic-lab/sentinèlla.nix

@@ -5,7 +5,7 @@
   domain,
   sslOpts,
   ...
-}: { config, ... }: let
+}: { ... }: let
   port = 5869;
 in {
   hectic.services."sentinèlla" = {
@@ -18,17 +18,11 @@ in {
       peersDns            = "peers.${domain}";
       peersPort           = port;
       pollingIntervalSec  = 60;
-      # TG_TOKEN= and TG_CHAT_ID= are set via this environment file
-      # Add the following to sus/hectic-lab.yaml under sentinèlla/watcher/:
-      #   environment: |
-      #     TG_TOKEN=<bot-token>
-      #     TG_CHAT_ID=<chat-id>
-      environmentFile = config.sops.secrets."sentinèlla/watcher/environment".path;
+      # TG_TOKEN= and TG_CHAT_ID= are read from sus/sentinella-default.yaml
+      # (auto-declared by the module as sops.secrets."sentinèlla/watcher/environment")
     };
   };
 
-  sops.secrets."sentinèlla/watcher/environment" = {};
-
   services.nginx = {
     virtualHosts."probe.${domain}" = sslOpts // {
       forceSSL = true;