sops: federate sops secret configs

2025-10-04 13:39:05 -04:00 · 2025-10-04 13:39:05 -04:00 · 943e9d4cb7
commit 943e9d4cb7
parent bf9992a5a6
8 changed files with 38 additions and 34 deletions
--- a/modules/nixos/homeserver/authentik.nix
+++ b/modules/nixos/homeserver/authentik.nix
@ -7,6 +7,8 @@
    trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
  };
  sops.secrets."authentik/secrets.env".restartUnits = [ "authentik.service" ];
  services.authentik = {
    enable = true;
    environmentFile = config.sops.secrets."authentik/secrets.env".path;
--- a/modules/nixos/homeserver/caddy.nix
+++ b/modules/nixos/homeserver/caddy.nix
@ -1,6 +1,21 @@
 { config, pkgs, ... }:
 {
  sops.secrets = {
    "caddy/secrets.env" = {};
    "caddy/wo2wz.fyi.crt" = {
      owner = "caddy";
      group = "caddy";
      reloadUnits = [ "caddy.service" ];
    };
    "caddy/wo2wz.fyi.key" = {
      owner = "caddy";
      group = "caddy";
      reloadUnits = [ "caddy.service" ];
    };
  };
  services = {
    caddy = {
      enable = true;
--- a/modules/nixos/homeserver/cloudflared.nix
+++ b/modules/nixos/homeserver/cloudflared.nix
@ -1,6 +1,8 @@
 { config, ... }:
 {
  sops.secrets."cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
  services.cloudflared = {
    enable = true;
    tunnels."8af2892d-d534-4e32-b867-5b79308a99d5" = {
--- a/modules/nixos/homeserver/nextcloud.nix
+++ b/modules/nixos/homeserver/nextcloud.nix
@ -1,6 +1,15 @@
 { config, pkgs, ... }:
 {  
  sops.secrets = {
    "nextcloud/adminpass" = {};
    "onlyoffice/jwt" = {
      owner = "onlyoffice";
      group = "onlyoffice";
    };
  };
  services.nginx.enable = false; # disable to use caddy instead
  users.users.nginx = {
    group = "nginx";
@ -27,7 +36,7 @@
      };
      settings = {
        trusted_domains = [ "nextcloud.wo2wz.fyi" ];
-        trusted_proxies = [ "127.0.0.1" ];
+        trusted_proxies = [ "127.0.0.1" "::1" ];
      };
      maxUploadSize = "200G";
--- a/modules/nixos/homeserver/restic.nix
+++ b/modules/nixos/homeserver/restic.nix
@ -1,6 +1,11 @@
 { config, pkgs, ... }:
 {
  sops.secrets = {
    "restic/password" = {};
    "restic/rclone/offsite" = {};
  };
  # for use as rclone backend
  environment.systemPackages = [ pkgs.rclone ];
--- a/modules/nixos/homeserver/sops.nix
+++ b/modules/nixos/homeserver/sops.nix
@ -9,38 +9,5 @@
    validateSopsFiles = false;
    age.keyFile = "/root/.config/sops/age/keys.txt";
    secrets = {
      "authentik/secrets.env".restartUnits = [ "authentik.service" ];
      "caddy/secrets.env" = {};
      "caddy/wo2wz.fyi.crt" = {
        owner = "caddy";
        group = "caddy";
        reloadUnits = [ "caddy.service" ];
      };
      "caddy/wo2wz.fyi.key" = {
        owner = "caddy";
        group = "caddy";
        reloadUnits = [ "caddy.service" ];
      };
      "cloudflared/8af2892d-d534-4e32-b867-5b79308a99d5.json" = {};
      "nextcloud/adminpass" = {};
      "onlyoffice/jwt" = {
        owner = "onlyoffice";
        group = "onlyoffice";
      };
      "restic/password" = {};
      "restic/rclone/offsite" = {};
      "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
      "zipline/secrets.env".restartUnits = [ "zipline.service" ];
    };
  };
 }
--- a/modules/nixos/homeserver/vaultwarden.nix
+++ b/modules/nixos/homeserver/vaultwarden.nix
@ -1,6 +1,8 @@
 { config, ... }:
 {
  sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
  services.vaultwarden = {
    enable = true;
    backupDir = "/var/backups/vaultwarden";
--- a/modules/nixos/homeserver/zipline.nix
+++ b/modules/nixos/homeserver/zipline.nix
@ -1,6 +1,8 @@
 { config, ... }:
 {
  sops.secrets."zipline/secrets.env".restartUnits = [ "zipline.service" ];
  users.users.zipline = {
    group = "zipline";
    isSystemUser = true;