cluster/services/sso: use patroni incandescence

cluster/services/sso/default.nix

@@ -1,4 +1,4 @@
-{ depot, ... }:
+{ config, depot, ... }:
 
 {
   services.sso = {
@@ -18,4 +18,12 @@
     login.target = ssoAddr;
     account.target = ssoAddr;
   };
+
+  patroni = config.lib.forService "sso" {
+    databases.keycloak = {};
+    users.keycloak.locksmith = {
+      nodes = config.services.sso.nodes.host;
+      format = "raw";
+    };
+  };
 }

cluster/services/sso/host.nix

@@ -8,12 +8,10 @@ in
 {
   links.keycloak.protocol = "http";
 
-  age.secrets.keycloak-dbpass = {
+  services.locksmith.waitForSecrets.keycloak = [
-    file = ../../../secrets/keycloak-dbpass.age;
+    "patroni-keycloak"
-    owner = "root";
+  ];
-    group = "root";
+
-    mode = "0400";
-  };
   services.nginx.virtualHosts = { 
     "${login}" = lib.recursiveUpdate (vhosts.proxy kc.url) {
       locations = {
@@ -36,7 +34,7 @@ in
       host = patroni.ipv4;
       inherit (patroni) port;
       useSSL = false;
-      passwordFile = config.age.secrets.keycloak-dbpass.path;
+      passwordFile = "/run/locksmith/patroni-keycloak";
     };
     settings = {
       http-host = kc.ipv4;