sops: Improve secrets provisioning to split out staging

configuration/default.nix

@@ -10,6 +10,7 @@
     ./services/webserver.nix
     ./services/starbound.nix
     ./ids.nix
+    ./sops.nix
   ];
 
   nix = {
@@ -25,11 +26,6 @@
   nixpkgs.config.allowUnfreePredicate = pkg:
     builtins.elem (lib.getName pkg) ["steam-runtime" "steamcmd"];
 
-  sops = {
-    defaultSopsFile = ../keys/external.yaml;
-    secrets.steam = {};
-  };
-
   # Optimization for minecraft servers, see:
   # https://bugs.mojang.com/browse/MC-183518
   boot.kernelParams = ["highres=off" "nohz=off"];

configuration/services/starbound.nix

@@ -16,7 +16,7 @@ in {
 
       # Credential loading for steam auth (if necessary; prefer
       # anonymous login wherever possible).
-      LoadCredential = "steam:/run/secrets/steam";
+      LoadCredential = "steam:/run/secrets/steam/tlater";
 
       # Security settings
       DynamicUser = true;

configuration/sops.nix

@@ -0,0 +1,10 @@
+{
+  sops = {
+    defaultSopsFile = ../keys/production.yaml;
+    secrets."nextcloud/tlater" = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    secrets."steam/tlater" = {};
+  };
+}