secrets.nix

{
  config,
  inputs,
  lib,
  pkgs,
  ...
}:
with lib; {
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];

  environment.systemPackages = with pkgs; [
    sops
  ];

  sops.defaultSopsFile = ./secrets.yaml;
  sops.defaultSopsFormat = "yaml";

  sops.secrets =
    concatMapAttrs (owner: secrets:
      listToAttrs (map (s: {
          name = s;
          value = optionalAttrs (owner != "") {inherit owner;};
        })
        secrets))
    {
      "" = [
        # Cloudflared
        "cloudflared/tunnel_env"
      ];

      # Anubis
      ${config.services.anubis.defaultOptions.user} = [
        "anubis/gitea/hex_file"
        "anubis/peertube/hex_file"
        "anubis/medama/hex_file"
      ];

      # Garage
      "garage" = [
        "garage/admin_key"
        "garage/admin_secret"
        "garage/admin_token"
        "garage/metrics_token"
        "garage/rpc_secret"
      ];

      # Gitea
      ${config.services.gitea.user} = [
        "gitea/actions/token"
        "gitea/oauth2/jwt_secret"
        "gitea/security/internal_token"
        "gitea/security/secret_key"
        "gitea/server/lfs_jwt_secret"
        "gitea/storage/access_key_id"
        "gitea/storage/secret_access_key"
      ];

      # keikos.work
      ${config.services.keikos.web.user} = [
        "keiko/env_file"
      ];

      # Peertube
      ${config.services.peertube.user} = [
        "peertube/database/password"
        "peertube/environment"
        "peertube/secretsFile"
      ];

      # PostgreSQL
      ${config.users.users.postgres.name} = [
        "postgresql/initialScript"
      ];

      # Nextcloud
      ${config.services.phpfpm.pools.nextcloud.user} = [
        "nextcloud/adminpass"
        "nextcloud/s3/secret"
        "nextcloud/s3/sseC"
      ];

      # Users
      ${config.users.users."guz".name} = [
        "guz/password"
      ];
    };

  sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
}
feat: initial commit, migrate main config from dot013/.nix 2024-06-15 18:29:36 -03:00			`{`
			`config,`
			`inputs,`
			`lib,`
			`pkgs,`
			`...`
refactor: remove lesser secrets 2025-09-13 11:29:15 -03:00			`}:`
			`with lib; {`
feat: initial commit, migrate main config from dot013/.nix 2024-06-15 18:29:36 -03:00			`imports = [`
			`inputs.sops-nix.nixosModules.sops`
			`];`

refactor: remove lesser secrets 2025-09-13 11:29:15 -03:00			`environment.systemPackages = with pkgs; [`
			`sops`
			`];`
feat: initial commit, migrate main config from dot013/.nix 2024-06-15 18:29:36 -03:00
refactor: remove lesser secrets 2025-09-13 11:29:15 -03:00			`sops.defaultSopsFile = ./secrets.yaml;`
			`sops.defaultSopsFormat = "yaml";`
feat: initial commit, migrate main config from dot013/.nix 2024-06-15 18:29:36 -03:00
refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`sops.secrets =`
			`concatMapAttrs (owner: secrets:`
			`listToAttrs (map (s: {`
			`name = s;`
			`value = optionalAttrs (owner != "") {inherit owner;};`
			`})`
			`secrets))`
			`{`
			`"" = [`
			`# Cloudflared`
			`"cloudflared/tunnel_env"`
			`];`
fix: missing envFile secret definition 2025-04-01 10:07:35 -03:00
refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`# Anubis`
			`${config.services.anubis.defaultOptions.user} = [`
feat(capytal,gitea)!: migrate from https://forge.capytal.company to https://code.capytal.cc A new forge is now used, it is pretty much equal to before, but now we are using (a fork of) Gitea instead of Forgejo. Gitea was choosen because provides more features that we need compared to Forgejo and it has a more modern codebase to fork and customize. The fork can be found at https://code.capytal.cc/loreddev/gitea, it mostly provides a new default theme and custom UI changes. 2025-10-11 09:21:21 -03:00			`"anubis/gitea/hex_file"`
feat(capytal,peertube): capytal's peertube instance 2025-11-30 20:39:31 -03:00			`"anubis/peertube/hex_file"`
refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`"anubis/medama/hex_file"`
			`];`
fix: set hex file for anubis instances 2025-04-05 17:22:44 -03:00
refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`# Garage`
			`"garage" = [`
			`"garage/admin_key"`
			`"garage/admin_secret"`
			`"garage/admin_token"`
			`"garage/metrics_token"`
			`"garage/rpc_secret"`
			`];`
feat: initial commit, migrate main config from dot013/.nix 2024-06-15 18:29:36 -03:00
feat(capytal,gitea)!: migrate from https://forge.capytal.company to https://code.capytal.cc A new forge is now used, it is pretty much equal to before, but now we are using (a fork of) Gitea instead of Forgejo. Gitea was choosen because provides more features that we need compared to Forgejo and it has a more modern codebase to fork and customize. The fork can be found at https://code.capytal.cc/loreddev/gitea, it mostly provides a new default theme and custom UI changes. 2025-10-11 09:21:21 -03:00			`# Gitea`
			`${config.services.gitea.user} = [`
			`"gitea/actions/token"`
			`"gitea/oauth2/jwt_secret"`
			`"gitea/security/internal_token"`
			`"gitea/security/secret_key"`
			`"gitea/server/lfs_jwt_secret"`
			`"gitea/storage/access_key_id"`
			`"gitea/storage/secret_access_key"`
			`];`
feat: refactor network configuration and add TLS support 2024-10-03 16:24:14 -03:00
refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`# keikos.work`
			`${config.services.keikos.web.user} = [`
			`"keiko/env_file"`
			`];`
feat(abaduh): setup nextcloud instance 2025-09-16 16:18:06 -03:00
feat(capytal,peertube): capytal's peertube instance 2025-11-30 20:39:31 -03:00			`# Peertube`
			`${config.services.peertube.user} = [`
			`"peertube/database/password"`
			`"peertube/environment"`
			`"peertube/secretsFile"`
			`];`

			`# PostgreSQL`
			`${config.users.users.postgres.name} = [`
			`"postgresql/initialScript"`
			`];`

refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`# Nextcloud`
			`${config.services.phpfpm.pools.nextcloud.user} = [`
			`"nextcloud/adminpass"`
			`"nextcloud/s3/secret"`
			`"nextcloud/s3/sseC"`
			`];`
feat(abaduh): setup nextcloud instance 2025-09-16 16:18:06 -03:00
refactor(secrets): make secrets casing and declaration consistent 2025-10-09 21:51:59 -03:00			`# Users`
			`${config.users.users."guz".name} = [`
			`"guz/password"`
			`];`
refactor: remove lesser secrets 2025-09-13 11:29:15 -03:00			`};`

			`sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";`
feat: initial commit, migrate main config from dot013/.nix 2024-06-15 18:29:36 -03:00			`}`