From 4b51890e0ab213f95b1903b68058f986f7d9a777 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Fri, 14 Nov 2025 10:54:51 +0800 Subject: [PATCH 1/2] refactor(sops): Move secret definitions to specific modules --- configuration/nginx/ssl.nix | 5 +++++ configuration/services/backups.nix | 13 +++++++++++++ configuration/sops.nix | 18 ------------------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix index 4cea508..7abc38e 100644 --- a/configuration/nginx/ssl.nix +++ b/configuration/nginx/ssl.nix @@ -64,5 +64,10 @@ in ''${pkgs.runtimeShell} -c '${confirm}' ''; }; + + sops.secrets = { + "porkbun/api-key".owner = "acme"; + "porkbun/secret-api-key".owner = "acme"; + }; }; } diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index 688f5f9..0ae8abf 100644 --- a/configuration/services/backups.nix +++ b/configuration/services/backups.nix @@ -265,5 +265,18 @@ in }; groups.backup = { }; }; + + sops.secrets = { + "restic/storagebox-backups" = { + owner = "root"; + group = "backup"; + mode = "0440"; + }; + "restic/storagebox-ssh-key" = { + owner = "backup"; + group = "backup"; + mode = "0040"; + }; + }; }; } diff --git a/configuration/sops.nix b/configuration/sops.nix index 0337438..a5b19f6 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -38,30 +38,12 @@ group = "nextcloud"; }; - # Porkbub/ACME - "porkbun/api-key" = { - owner = "acme"; - }; - "porkbun/secret-api-key" = { - owner = "acme"; - }; - # Restic "restic/local-backups" = { owner = "root"; group = "backup"; mode = "0440"; }; - "restic/storagebox-backups" = { - owner = "root"; - group = "backup"; - mode = "0440"; - }; - "restic/storagebox-ssh-key" = { - owner = "backup"; - group = "backup"; - mode = "0040"; - }; # Steam "steam/tlater" = { }; From 0662908d7e1eb80c380370a385b61cd22828e51e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 18 Nov 2025 15:49:18 +0800 Subject: [PATCH 2/2] fix(lock): Add missing lockfile update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 705d87c..ad4903f 100644 --- a/flake.lock +++ b/flake.lock @@ -136,11 +136,11 @@ "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1754978539, - "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=", + "lastModified": 1763413832, + "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=", "owner": "nix-community", "repo": "dream2nix", - "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214", + "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743", "type": "github" }, "original": { @@ -356,11 +356,11 @@ ] }, "locked": { - "lastModified": 1762868777, - "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=", + "lastModified": 1763319842, + "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c5c3147730384576196fb5da048a6e45dee10d56", + "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", "type": "github" }, "original": {