diff --git a/capytal/analytics.nix b/capytal/analytics.nix
index 16a9897..f723f7d 100644
--- a/capytal/analytics.nix
+++ b/capytal/analytics.nix
@@ -24,7 +24,7 @@ in {
 METRICS_BIND_NETWORK = "tcp";
 SERVE_ROBOTS_TXT = true;
 TARGET = "http://localhost:${toString cfg.port}";
- ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."medama/anubis/hexFile".path;
+ ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/medama/hex_file".path;
 };
 };
diff --git a/capytal/forgejo.nix b/capytal/forgejo.nix
index d980598..f21b5f7 100644
--- a/capytal/forgejo.nix
+++ b/capytal/forgejo.nix
@@ -104,7 +104,7 @@ in {
 METRICS_BIND_NETWORK = "tcp";
 SERVE_ROBOTS_TXT = true;
 TARGET = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
- ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."forgejo/anubis/hexFile".path;
+ ED25519_PRIVATE_KEY_HEX_FILE = config.sops.secrets."anubis/forgejo/hex_file".path;
 };
 };
diff --git a/capytal/websites.nix b/capytal/websites.nix
index 145ca17..102a053 100644
--- a/capytal/websites.nix
+++ b/capytal/websites.nix
@@ -24,7 +24,7 @@ in {
 services.keikos.web = {
 enable = true;
 port = 9910;
- envFile = config.sops.secrets."keiko/env-file".path;
+ envFile = config.sops.secrets."keiko/env_file".path;
 };
 services.caddy.virtualHosts.":${toString (cfg-keikos.port + 1)}" = {
 extraConfig = ''
diff --git a/common/cloudflared.nix b/common/cloudflared.nix
index 6a467bb..f58cd79 100644
--- a/common/cloudflared.nix
+++ b/common/cloudflared.nix
@@ -11,7 +11,7 @@
 "run"
 ];
 environmentFiles = [
- config.sops.secrets."cloudflared/tunnel-env".path
+ config.sops.secrets."cloudflared/tunnel_env".path
 ];
 };
 }
diff --git a/secrets.nix b/secrets.nix
index 74c7a02..95facd7 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -17,67 +17,60 @@ with lib; {
 sops.defaultSopsFile = ./secrets.yaml;
 sops.defaultSopsFormat = "yaml";
- sops.secrets = {
- "cloudflared/tunnel-env" = {};
+ sops.secrets =
+ concatMapAttrs (owner: secrets:
+ listToAttrs (map (s: {
+ name = s;
+ value = optionalAttrs (owner != "") {inherit owner;};
+ })
+ secrets))
+ {
+ "" = [
+ # Cloudflared
+ "cloudflared/tunnel_env"
+ ];
- "forgejo/anubis/hexFile" = {
- owner = config.services.anubis.instances."forgejo".user;
- };
- "forgejo/git-password" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
- "forgejo/s3/key" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
- "forgejo/s3/secret" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
- "forgejo/actions/token" = mkIf config.services.forgejo.enable {
- owner = config.services.forgejo.user;
- };
+ # Anubis
+ ${config.services.anubis.defaultOptions.user} = [
+ "anubis/forgejo/hex_file"
+ "anubis/medama/hex_file"
+ ];
- "garage/admin_key" = mkIf config.services.garage.enable {
- owner = config.systemd.services.garage.serviceConfig.User;
- };
- "garage/admin_secret" = mkIf config.services.garage.enable {
- owner = config.systemd.services.garage.serviceConfig.User;
- };
- "garage/admin_token" = mkIf config.services.garage.enable {
- owner = config.systemd.services.garage.serviceConfig.User;
- };
- "garage/metrics_token" = mkIf config.services.garage.enable {
- owner = config.systemd.services.garage.serviceConfig.User;
- };
- "garage/rpc_secret" = mkIf config.services.garage.enable {
- owner = config.systemd.services.garage.serviceConfig.User;
- };
+ # Forgejo
+ ${config.services.forgejo.user} = [
+ "forgejo/actions/token"
+ "forgejo/git_password"
+ "forgejo/s3/key"
+ "forgejo/s3/secret"
+ ];
- "guz/password" = {
- owner = config.users.users."guz".name;
- };
+ # Garage
+ "garage" = [
+ "garage/admin_key"
+ "garage/admin_secret"
+ "garage/admin_token"
+ "garage/metrics_token"
+ "garage/rpc_secret"
+ ];
- "keiko/env-file" = {
- owner = config.services.keikos.web.user;
- };
- "nextcloud/adminpass" = mkIf config.services.nextcloud.enable {
- owner = "nextcloud";
- };
- "nextcloud/s3/secret" = mkIf config.services.nextcloud.enable {
- owner = "nextcloud";
- };
- "nextcloud/s3/sseC" = mkIf config.services.nextcloud.enable {
- owner = "nextcloud";
- };
+ # keikos.work
+ ${config.services.keikos.web.user} = [
+ "keiko/env_file"
+ ];
- "pgadmin/password" = mkIf config.services.pgadmin.enable {
- owner = config.systemd.services.pgadmin.serviceConfig.User;
- };
+ # Nextcloud
+ ${config.services.phpfpm.pools.nextcloud.user} = [
+ "nextcloud/adminpass"
+ "nextcloud/s3/secret"
+ "nextcloud/s3/sseC"
+ ];
- "medama/anubis/hexFile" = {
- owner = config.services.anubis.instances."medama".user;
+ # Users
+ ${config.users.users."guz".name} = [
+ "guz/password"
+ ];
 };
- };
 sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
 }
diff --git a/secrets.yaml b/secrets.yaml
index b709579..d819eaf 100644
--- a/secrets.yaml
+++ b/secrets.yaml
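Review bot: The Forgejo list in the new `sops.secrets` names `"forgejo/git_password"`, but the secrets.yaml hunk right below leaves that key as `git-password` under `forgejo:` (it is an unchanged context line, unlike `tunnel_env` and `env_file` which were re-keyed and re-encrypted), so sops-nix will not find `forgejo/git_password` in the sops file and the build or activation should fail; either rename the key in secrets.yaml via sops or keep `"forgejo/git-password"` here, and update any reference to the old name that lives outside these hunks (forgejo.nix, for example). The old declarations were guarded with `mkIf config.services.<svc>.enable`; the rewrite declares every secret unconditionally, so each host importing this module now decrypts all of them into `/run/secrets` regardless of which services it runs, and `config.services.phpfpm.pools.nextcloud.user` is, as far as I can tell, only defined where Nextcloud is enabled, so evaluation may fail on a host without it — worth confirming against the hosts that import secrets.nix. Both Anubis key files are now owned by `config.services.anubis.defaultOptions.user` rather than the per-instance `instances.<name>.user` the old code used, which only holds if neither instance overrides `user`. `"nextcloud/s3/sseC"` is the one path left in camelCase after the snake_case rename.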
@@ -1,8 +1,11 @@
+anubis:
+ forgejo:
+ hex_file: ENC[AES256_GCM,data:UlFkdy1MfwaQqDnxtMtg4kH/dMJVl8sk4DMfdaCczHGaPtPuP4ADxcBxqpNkzYnQPxbv5ZXqR4qz8Ur5QHWxUg==,iv:WQHkSMiJEV0IWMVvfxC/EuE/e8QabhJinRHADm7kdSg=,tag:1JRwMp94APRszgBuQ0yaQQ==,type:str]
+ medama:
+ hex_file: ENC[AES256_GCM,data:wLRw34+uPWpR5GJuI8Q+nlX4hEx3sMn5mSl/lF5kX0Z8N99Eb6Qj4Emx2mK4dNukYNO8j9blw1/RAL94I+QCjQ==,iv:/dW5Z+S14dByXIUyOyEIxxRFl7e4lZZfBKtukV4s68M=,tag:fELbLVzwIgMJUjhNJw4kYg==,type:str]
 cloudflared:
- tunnel-env: ENC[AES256_GCM,data:jYtDMez3w5BzSH3/xwqEsAtPo6EMxx6dBcd3bnfdCOm/eZzampXPyUfPsqkO4mtL2dGmjT7W+3prGxrEQtC/Eu9R7ojCflbJBFyH8+BDusomQdqjr5d0Utur/oK7ElKgpl0OF17n8sOngxEXZBtWHTbKoL+v50QzHEO07hPHjhrF5n/P+0I78rXPn9OEvJ1B5u0dg3XxXg3l4rtmkYdSwu+2+cUh6pe0AWNTigkkwy70hwKKaz+5Lb5mAp1mpl4r7xaCUqvP,iv:PVmrMzTq2upZXgu5fHPQMis0cXNipMbXahevF1/zJSU=,tag:F75o8plR7XMAv1ngL65ntQ==,type:str]
+ tunnel_env: ENC[AES256_GCM,data:2DYmoNJYIUAgbDzwJO4I4CSEMVoQredhDfiAWkzNTJBzNEuWc3PgYlonr+FwCnu1wU6aep5iNascpscMtN1Y8ef2m4S1p+mef872pBoElgMG1S2suLvwKdwXPafWHaQdxmEbRxMJjWhLGxmbnlExq8w88/VKm6V0TG183bPOjATU+empoGpHWKT6dNoIBOJnjdoeDjoP4fSIW1UVmYWYAePBuwsr6d4y/TjXyoBuCRG02WbCzELFMnkKY3PwamIn0PXs5ifg,iv:vfgzOn4Oo10Uk3gdm3LDo96vBZ87NuILaDjht9btAHA=,tag:Awwx3DdD0BU0H7lsjJQPug==,type:str]
 forgejo:
- anubis:
- hexFile: ENC[AES256_GCM,data:6hMIQUiSYYNkhrGGHHHIF6Ur+dQeXDuUTHZR4Tnl3O/T/phC7q881Gta6LCUJVvgQJ8hF2aKafggTUDsjcaI3g==,iv:3aGmqM8gV5YsdFNGCgZ4L9t8r9c0zubqZOE1eDBAong=,tag:/nB357mXDJJMRNoQ4E/KQQ==,type:str]
 git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
 s3:
 key: ENC[AES256_GCM,data:kdzRs/3kBXJt+jOVlFAm5EaRHNWq5XnK/Ts=,iv:qcqXQsxJXX9JlJwCuoz9y6izR9b1gs3xhnhO3tTpwK0=,tag:ikx95iSB/kGZ6/RFL+rvjg==,type:str]
@@ -22,15 +25,12 @@ garage:
 guz:
 password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str]
 keiko:
- env-file: ENC[AES256_GCM,data:up0VMFlG92ZAmnDk1b3DNrGJ9zUoyu3pi5poP1cgaYMAaVotRtrQkDAWLPdMKrRaXZlMFhmR0Vmy4n5wauZwiUN6nhMQOEkLZ5QOa8wiyA93JTmu0982bvMeZ+dk1HTy7nU1UI1OaejjEoGFlFV5g06qGfXnC1CFHyqwM1WeTgI6Syv431q0wutz2J6lcDvyxOU8zem3zSOpf5fg,iv:hxixIs/OoUS8Cntr7yJXZxeo5PpyPGfQLfDROQ07mr4=,tag:YUgrrP/C0ZY/SIs/wszW/w==,type:str]
+ env_file: ENC[AES256_GCM,data:dgHWczdwDxz3yV66F+4lMTRIMvHDBYZ6ycVARQPVT7GcYhelA/5uNks3Sdn1n8vgie7TmZBT9mGv+ePtP4+GMyHo/bOJqvjcXyU9dB30CwxuYOCPefitbKxHwIJxkMJqmXvNr3pl2u0mZWUu3mdGMLI9fF3z8/Tk0xM/g4ZezLGaXcRhUSdQPDiOFt2VKA5IrERnpRP0ey5Jx3tf,iv:gpLQdIBGgMCgR0B7jEZDF+3t85nsOVkdxubBUR+QOWA=,tag:eTgQ2uvWsGPEXkpzj/3Szw==,type:str]
 nextcloud:
 adminpass: ENC[AES256_GCM,data:RY2BsFDSttpr,iv:Mv22/Ht4Uq0miQjKgbnu37UCk/wZMyc6t9jrWkyXsxI=,tag:ScYTA46R0ZpkeqjhRsYzYg==,type:str]
 s3:
 secret: ENC[AES256_GCM,data:GrkETHYY8OMGazKWvnvG1CYiRc/5O01WAof0YIhbJ+U0wSxSYJBVGqV55WVurtzR9F5VxiVpHRRs3cPvtdC8eQ==,iv:a0fMz3NtQX43VWtOfIp9mXZ/R1MCD7y/LBGuWvoxhgQ=,tag:4FjaAQTHNEBfI5q1kLw/Kg==,type:str]
 sseC: ENC[AES256_GCM,data:VMrZoC1zvK+7aQ1nfpF0Az9OxmGAqMSFRTgz04jbj3rKkWnGFzi3wTzrfFg=,iv:Vy86k6Yz3Thn7/zqbIp1xV9j1Yi+k6x2qG4vyGHP0IQ=,tag:SnDkc2jfq4gy7OCaT4oFhg==,type:str]
-medama:
- anubis:
- hexFile: ENC[AES256_GCM,data:INM0j8uPSV60nEyGJ2/+nH1IDVL08hvBzTULBHPbChQVdYO+Z/UCI1aKCLoCwad0NAp+rAljYotZ0NxlxfjnmQ==,iv:y9F70r7erFOBe94rvv3/3P+N8SwFgW39hRcfP2SjFMA=,tag:PnjbQcCDbB/8XPJc+hM5dA==,type:str]
 sops:
 age:
 - recipient: age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
@@ -42,7 +42,7 @@ sops:
 amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-25T17:46:20Z"
- mac: ENC[AES256_GCM,data:hhpkjsatbdCW/8Bdh4wy94IOoNBQjOqlVxlcVgi6QktDEJl53Dsti1zbsAD7H8Jes4gdl6zHQwaNIvbZlPtzKsm2ZkyIS20ylu+U/NS1PtzkKkKRFPwViEoDcykGPKvSl+9kITL9tkC5IyFIBrc23+w15csCGf5W+S/0E8tGMhg=,iv:HveYGhCDPOexZJzbbTdN+0WcwsbA6vS+qRed+NvEaeg=,tag:i0Q9IbFwRd4a0YIBM6Qfqw==,type:str]
+ lastmodified: "2025-10-10T02:06:29Z"
+ mac: ENC[AES256_GCM,data:/FSwyA7AfbRZgCPfn0MbUaW+OduFpluWX5RntzjJMieJzfdix+NAwFnOThr+vtN24VybepvlayXzfTlf9lWlfotozit/jdZMoPipEifEiO8LoXDrmNUZow8AOJ9cmCOKNx8YdcN0K28mE0nTTkP8aXPumcyWKuLa8+faLEgPs0Q=,iv:uQIHkfTbuM7dy34S4mpYEmLG3B2ff003IaSp07rN50g=,tag:qkFwvjxojtksfEDVpsFAYw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2