refactor(secrets): make secrets casing and declaration consistent

2025-10-09 21:51:59 -03:00
parent 565afe9df8
commit 3eec62eb21
6 changed files with 59 additions and 66 deletions
--- a/capytal/analytics.nix
+++ b/capytal/analytics.nix
@@ -24,7 +24,7 @@ in {
      METRICS_BIND_NETWORK = "tcp";
      SERVE_ROBOTS_TXT = true;
      TARGET = "http://localhost:${toString cfg.port}";
-      ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."medama/anubis/hexFile".path;
+      ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/medama/hex_file".path;
    };
  };

--- a/capytal/forgejo.nix
+++ b/capytal/forgejo.nix
@@ -104,7 +104,7 @@ in {
      METRICS_BIND_NETWORK = "tcp";
      SERVE_ROBOTS_TXT = true;
      TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
-      ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."forgejo/anubis/hexFile".path;
+      ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/forgejo/hex_file".path;
    };
  };

--- a/capytal/websites.nix
+++ b/capytal/websites.nix
@@ -24,7 +24,7 @@ in {
  services.keikos.web = {
    enable = true;
    port = 9910;
-    envFile = config.sops.secrets."keiko/env-file".path;
+    envFile = config.sops.secrets."keiko/env_file".path;
  };
  services.caddy.virtualHosts.":${toString (cfg-keikos.port + 1)}" = {
    extraConfig = ''
--- a/common/cloudflared.nix
+++ b/common/cloudflared.nix
@@ -11,7 +11,7 @@
      "run"
    ];
    environmentFiles = [
-      config.sops.secrets."cloudflared/tunnel-env".path
+      config.sops.secrets."cloudflared/tunnel_env".path
    ];
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@@ -17,67 +17,60 @@ with lib; {
  sops.defaultSopsFile = ./secrets.yaml;
  sops.defaultSopsFormat = "yaml";

-  sops.secrets = {
-    "cloudflared/tunnel-env" = {};
+  sops.secrets =
+    concatMapAttrs (owner: secrets:
+      listToAttrs (map (s: {
+          name = s;
+          value = optionalAttrs (owner != "") {inherit owner;};
+        })
+        secrets))
+    {
+      "" = [
+        # Cloudflared
+        "cloudflared/tunnel_env"
+      ];

-    "forgejo/anubis/hexFile" = {
-      owner = config.services.anubis.instances."forgejo".user;
-    };
-    "forgejo/git-password" = mkIf config.services.forgejo.enable {
-      owner = config.services.forgejo.user;
-    };
-    "forgejo/s3/key" = mkIf config.services.forgejo.enable {
-      owner = config.services.forgejo.user;
-    };
-    "forgejo/s3/secret" = mkIf config.services.forgejo.enable {
-      owner = config.services.forgejo.user;
-    };
-    "forgejo/actions/token" = mkIf config.services.forgejo.enable {
-      owner = config.services.forgejo.user;
-    };
+      # Anubis
+      ${config.services.anubis.defaultOptions.user} = [
+        "anubis/forgejo/hex_file"
+        "anubis/medama/hex_file"
+      ];

-    "garage/admin_key" = mkIf config.services.garage.enable {
-      owner = config.systemd.services.garage.serviceConfig.User;
-    };
-    "garage/admin_secret" = mkIf config.services.garage.enable {
-      owner = config.systemd.services.garage.serviceConfig.User;
-    };
-    "garage/admin_token" = mkIf config.services.garage.enable {
-      owner = config.systemd.services.garage.serviceConfig.User;
-    };
-    "garage/metrics_token" = mkIf config.services.garage.enable {
-      owner = config.systemd.services.garage.serviceConfig.User;
-    };
-    "garage/rpc_secret" = mkIf config.services.garage.enable {
-      owner = config.systemd.services.garage.serviceConfig.User;
-    };
+      # Forgejo
+      ${config.services.forgejo.user} = [
+        "forgejo/actions/token"
+        "forgejo/git_password"
+        "forgejo/s3/key"
+        "forgejo/s3/secret"
+      ];

-    "guz/password" = {
-      owner = config.users.users."guz".name;
-    };
+      # Garage
+      "garage" = [
+        "garage/admin_key"
+        "garage/admin_secret"
+        "garage/admin_token"
+        "garage/metrics_token"
+        "garage/rpc_secret"
+      ];

-    "keiko/env-file" = {
-      owner = config.services.keikos.web.user;
-    };

-    "nextcloud/adminpass" = mkIf config.services.nextcloud.enable {
-      owner = "nextcloud";
-    };
-    "nextcloud/s3/secret" = mkIf config.services.nextcloud.enable {
-      owner = "nextcloud";
-    };
-    "nextcloud/s3/sseC" = mkIf config.services.nextcloud.enable {
-      owner = "nextcloud";
-    };
+      # keikos.work
+      ${config.services.keikos.web.user} = [
+        "keiko/env_file"
+      ];

-    "pgadmin/password" = mkIf config.services.pgadmin.enable {
-      owner = config.systemd.services.pgadmin.serviceConfig.User;
-    };
+      # Nextcloud
+      ${config.services.phpfpm.pools.nextcloud.user} = [
+        "nextcloud/adminpass"
+        "nextcloud/s3/secret"
+        "nextcloud/s3/sseC"
+      ];

-    "medama/anubis/hexFile" = {
-      owner = config.services.anubis.instances."medama".user;
+      # Users
+      ${config.users.users."guz".name} = [
+        "guz/password"
+      ];
    };
-  };

  sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
 }
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,8 +1,11 @@
+anubis:
+    forgejo:
+        hex_file: ENC[AES256_GCM,data:UlFkdy1MfwaQqDnxtMtg4kH/dMJVl8sk4DMfdaCczHGaPtPuP4ADxcBxqpNkzYnQPxbv5ZXqR4qz8Ur5QHWxUg==,iv:WQHkSMiJEV0IWMVvfxC/EuE/e8QabhJinRHADm7kdSg=,tag:1JRwMp94APRszgBuQ0yaQQ==,type:str]
+    medama:
+        hex_file: ENC[AES256_GCM,data:wLRw34+uPWpR5GJuI8Q+nlX4hEx3sMn5mSl/lF5kX0Z8N99Eb6Qj4Emx2mK4dNukYNO8j9blw1/RAL94I+QCjQ==,iv:/dW5Z+S14dByXIUyOyEIxxRFl7e4lZZfBKtukV4s68M=,tag:fELbLVzwIgMJUjhNJw4kYg==,type:str]
 cloudflared:
-    tunnel-env: ENC[AES256_GCM,data:jYtDMez3w5BzSH3/xwqEsAtPo6EMxx6dBcd3bnfdCOm/eZzampXPyUfPsqkO4mtL2dGmjT7W+3prGxrEQtC/Eu9R7ojCflbJBFyH8+BDusomQdqjr5d0Utur/oK7ElKgpl0OF17n8sOngxEXZBtWHTbKoL+v50QzHEO07hPHjhrF5n/P+0I78rXPn9OEvJ1B5u0dg3XxXg3l4rtmkYdSwu+2+cUh6pe0AWNTigkkwy70hwKKaz+5Lb5mAp1mpl4r7xaCUqvP,iv:PVmrMzTq2upZXgu5fHPQMis0cXNipMbXahevF1/zJSU=,tag:F75o8plR7XMAv1ngL65ntQ==,type:str]
+    tunnel_env: ENC[AES256_GCM,data:2DYmoNJYIUAgbDzwJO4I4CSEMVoQredhDfiAWkzNTJBzNEuWc3PgYlonr+FwCnu1wU6aep5iNascpscMtN1Y8ef2m4S1p+mef872pBoElgMG1S2suLvwKdwXPafWHaQdxmEbRxMJjWhLGxmbnlExq8w88/VKm6V0TG183bPOjATU+empoGpHWKT6dNoIBOJnjdoeDjoP4fSIW1UVmYWYAePBuwsr6d4y/TjXyoBuCRG02WbCzELFMnkKY3PwamIn0PXs5ifg,iv:vfgzOn4Oo10Uk3gdm3LDo96vBZ87NuILaDjht9btAHA=,tag:Awwx3DdD0BU0H7lsjJQPug==,type:str]
 forgejo:
-    anubis:
-        hexFile: ENC[AES256_GCM,data:6hMIQUiSYYNkhrGGHHHIF6Ur+dQeXDuUTHZR4Tnl3O/T/phC7q881Gta6LCUJVvgQJ8hF2aKafggTUDsjcaI3g==,iv:3aGmqM8gV5YsdFNGCgZ4L9t8r9c0zubqZOE1eDBAong=,tag:/nB357mXDJJMRNoQ4E/KQQ==,type:str]
    git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
    s3:
        key: ENC[AES256_GCM,data:kdzRs/3kBXJt+jOVlFAm5EaRHNWq5XnK/Ts=,iv:qcqXQsxJXX9JlJwCuoz9y6izR9b1gs3xhnhO3tTpwK0=,tag:ikx95iSB/kGZ6/RFL+rvjg==,type:str]
@@ -22,15 +25,12 @@ garage:
 guz:
    password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str]
 keiko:
-    env-file: ENC[AES256_GCM,data:up0VMFlG92ZAmnDk1b3DNrGJ9zUoyu3pi5poP1cgaYMAaVotRtrQkDAWLPdMKrRaXZlMFhmR0Vmy4n5wauZwiUN6nhMQOEkLZ5QOa8wiyA93JTmu0982bvMeZ+dk1HTy7nU1UI1OaejjEoGFlFV5g06qGfXnC1CFHyqwM1WeTgI6Syv431q0wutz2J6lcDvyxOU8zem3zSOpf5fg,iv:hxixIs/OoUS8Cntr7yJXZxeo5PpyPGfQLfDROQ07mr4=,tag:YUgrrP/C0ZY/SIs/wszW/w==,type:str]
+    env_file: ENC[AES256_GCM,data:dgHWczdwDxz3yV66F+4lMTRIMvHDBYZ6ycVARQPVT7GcYhelA/5uNks3Sdn1n8vgie7TmZBT9mGv+ePtP4+GMyHo/bOJqvjcXyU9dB30CwxuYOCPefitbKxHwIJxkMJqmXvNr3pl2u0mZWUu3mdGMLI9fF3z8/Tk0xM/g4ZezLGaXcRhUSdQPDiOFt2VKA5IrERnpRP0ey5Jx3tf,iv:gpLQdIBGgMCgR0B7jEZDF+3t85nsOVkdxubBUR+QOWA=,tag:eTgQ2uvWsGPEXkpzj/3Szw==,type:str]
 nextcloud:
    adminpass: ENC[AES256_GCM,data:RY2BsFDSttpr,iv:Mv22/Ht4Uq0miQjKgbnu37UCk/wZMyc6t9jrWkyXsxI=,tag:ScYTA46R0ZpkeqjhRsYzYg==,type:str]
    s3:
        secret: ENC[AES256_GCM,data:GrkETHYY8OMGazKWvnvG1CYiRc/5O01WAof0YIhbJ+U0wSxSYJBVGqV55WVurtzR9F5VxiVpHRRs3cPvtdC8eQ==,iv:a0fMz3NtQX43VWtOfIp9mXZ/R1MCD7y/LBGuWvoxhgQ=,tag:4FjaAQTHNEBfI5q1kLw/Kg==,type:str]
        sseC: ENC[AES256_GCM,data:VMrZoC1zvK+7aQ1nfpF0Az9OxmGAqMSFRTgz04jbj3rKkWnGFzi3wTzrfFg=,iv:Vy86k6Yz3Thn7/zqbIp1xV9j1Yi+k6x2qG4vyGHP0IQ=,tag:SnDkc2jfq4gy7OCaT4oFhg==,type:str]
-medama:
-    anubis:
-        hexFile: ENC[AES256_GCM,data:INM0j8uPSV60nEyGJ2/+nH1IDVL08hvBzTULBHPbChQVdYO+Z/UCI1aKCLoCwad0NAp+rAljYotZ0NxlxfjnmQ==,iv:y9F70r7erFOBe94rvv3/3P+N8SwFgW39hRcfP2SjFMA=,tag:PnjbQcCDbB/8XPJc+hM5dA==,type:str]
 sops:
    age:
        - recipient: age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
@@ -42,7 +42,7 @@ sops:
            amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
            4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-25T17:46:20Z"
-    mac: ENC[AES256_GCM,data:hhpkjsatbdCW/8Bdh4wy94IOoNBQjOqlVxlcVgi6QktDEJl53Dsti1zbsAD7H8Jes4gdl6zHQwaNIvbZlPtzKsm2ZkyIS20ylu+U/NS1PtzkKkKRFPwViEoDcykGPKvSl+9kITL9tkC5IyFIBrc23+w15csCGf5W+S/0E8tGMhg=,iv:HveYGhCDPOexZJzbbTdN+0WcwsbA6vS+qRed+NvEaeg=,tag:i0Q9IbFwRd4a0YIBM6Qfqw==,type:str]
+    lastmodified: "2025-10-10T02:06:29Z"
+    mac: ENC[AES256_GCM,data:/FSwyA7AfbRZgCPfn0MbUaW+OduFpluWX5RntzjJMieJzfdix+NAwFnOThr+vtN24VybepvlayXzfTlf9lWlfotozit/jdZMoPipEifEiO8LoXDrmNUZow8AOJ9cmCOKNx8YdcN0K28mE0nTTkP8aXPumcyWKuLa8+faLEgPs0Q=,iv:uQIHkfTbuM7dy34S4mpYEmLG3B2ff003IaSp07rN50g=,tag:qkFwvjxojtksfEDVpsFAYw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2