sops: federate sops secret configs

2025-10-04 13:39:05 -04:00 · 2025-10-04 13:39:05 -04:00 · 943e9d4cb7
commit 943e9d4cb7
parent bf9992a5a6
8 changed files with 38 additions and 34 deletions
--- a/modules/nixos/homeserver/authentik.nix
+++ b/modules/nixos/homeserver/authentik.nix
@ -7,6 +7,8 @@
    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
  };

+  sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ];
+
  services.authentik = {
    enable = true;
    environmentFile = config.sops.secrets."authentik/secrets.env".path;
--- a/modules/nixos/homeserver/caddy.nix
+++ b/modules/nixos/homeserver/caddy.nix
@ -1,6 +1,21 @@
 { config, pkgs, ... }:

 {
+  sops.secrets = {
+    "caddy/secrets.env" = {};
+
+    "caddy/wo2wz.fyi.crt" = {
+      owner = "caddy";
+      group = "caddy";
+      reloadUnits = [ "caddy.service" ];
+    };
+    "caddy/wo2wz.fyi.key" = {
+      owner = "caddy";
+      group = "caddy";
+      reloadUnits = [ "caddy.service" ];
+    };
+  };
+
  services = {
    caddy = {
      enable = true;
--- a/modules/nixos/homeserver/cloudflared.nix
+++ b/modules/nixos/homeserver/cloudflared.nix
@ -1,6 +1,8 @@
 { config, ... }:

 {
+  sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
+
  services.cloudflared = {
    enable = true;
    tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
--- a/modules/nixos/homeserver/nextcloud.nix
+++ b/modules/nixos/homeserver/nextcloud.nix
@ -1,6 +1,15 @@
 { config, pkgs, ... }:

 {  
+  sops.secrets = {
+    "nextcloud/adminpass" = {};
+
+    "onlyoffice/jwt" = {
+      owner = "onlyoffice";
+      group = "onlyoffice";
+    };
+  };
+
  services.nginx.enable = false; # disable to use caddy instead
  users.users.nginx = {
    group = "nginx";
@ -27,7 +36,7 @@
      };
      settings = {
        trusted_domains = [ "nextcloud.wo2wz.fyi" ];
-        trusted_proxies = [ "127.0.0.1" ];
+        trusted_proxies = [ "127.0.0.1" "::1" ];
      };

      maxUploadSize = "200G";
--- a/modules/nixos/homeserver/restic.nix
+++ b/modules/nixos/homeserver/restic.nix
@ -1,6 +1,11 @@
 { config, pkgs, ... }:

 {
+  sops.secrets = {
+    "restic/password" = {};
+    "restic/rclone/offsite" = {};
+  };
+
  # for use as rclone backend
  environment.systemPackages = [ pkgs.rclone ];

--- a/modules/nixos/homeserver/sops.nix
+++ b/modules/nixos/homeserver/sops.nix
@ -9,38 +9,5 @@
    validateSopsFiles = false;

    age.keyFile = "/root/.config/sops/age/keys.txt";
-
-    secrets = {
-      "authentik/secrets.env".restartUnits = [ "authentik.service" ];
-
-      "caddy/secrets.env" = {};
-
-      "caddy/wo2wz.fyi.crt" = {
-        owner = "caddy";
-        group = "caddy";
-        reloadUnits = [ "caddy.service" ];
-      };
-      "caddy/wo2wz.fyi.key" = {
-        owner = "caddy";
-        group = "caddy";
-        reloadUnits = [ "caddy.service" ];
-      };
-
-      "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
-
-      "nextcloud/adminpass" = {};
-
-      "onlyoffice/jwt" = {
-        owner = "onlyoffice";
-        group = "onlyoffice";
-      };
-
-      "restic/password" = {};
-      "restic/rclone/offsite" = {};
-
-      "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
-
-      "zipline/secrets.env".restartUnits = [ "zipline.service" ];
-    };
  };
 }
--- a/modules/nixos/homeserver/vaultwarden.nix
+++ b/modules/nixos/homeserver/vaultwarden.nix
@ -1,6 +1,8 @@
 { config, ... }:

 {
+  sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+
  services.vaultwarden = {
    enable = true;
    backupDir = "/var/backups/vaultwarden";
--- a/modules/nixos/homeserver/zipline.nix
+++ b/modules/nixos/homeserver/zipline.nix
@ -1,6 +1,8 @@
 { config, ... }:

 {
+  sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ];
+
  users.users.zipline = {
    group = "zipline";
    isSystemUser = true;