From 3db98dd2b9360ff80da451f1947aae15ffacd321 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Fri, 14 Nov 2025 10:54:51 +0800 Subject: [PATCH 1/2] refactor(sops): Move secret definitions to specific modules --- configuration/nginx/ssl.nix | 5 ++ configuration/services/backups.nix | 13 ++++ configuration/services/battery-manager.nix | 5 ++ configuration/services/conduit/default.nix | 7 ++ .../services/conduit/heisenbridge.nix | 6 ++ .../services/conduit/matrix-hookshot.nix | 6 ++ configuration/services/metrics/grafana.nix | 11 +++ .../services/metrics/victoriametrics.nix | 6 ++ configuration/services/nextcloud.nix | 5 ++ configuration/services/starbound.nix | 3 + configuration/services/wireguard.nix | 6 ++ configuration/sops.nix | 67 ------------------- 12 files changed, 73 insertions(+), 67 deletions(-) diff --git a/configuration/nginx/ssl.nix b/configuration/nginx/ssl.nix index 4cea508..7abc38e 100644 --- a/configuration/nginx/ssl.nix +++ b/configuration/nginx/ssl.nix @@ -64,5 +64,10 @@ in ''${pkgs.runtimeShell} -c '${confirm}' ''; }; + + sops.secrets = { + "porkbun/api-key".owner = "acme"; + "porkbun/secret-api-key".owner = "acme"; + }; }; } diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix index 688f5f9..0ae8abf 100644 --- a/configuration/services/backups.nix +++ b/configuration/services/backups.nix @@ -265,5 +265,18 @@ in }; groups.backup = { }; }; + + sops.secrets = { + "restic/storagebox-backups" = { + owner = "root"; + group = "backup"; + mode = "0440"; + }; + "restic/storagebox-ssh-key" = { + owner = "backup"; + group = "backup"; + mode = "0040"; + }; + }; }; } diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix index 9da7e32..0c58c7b 100644 --- a/configuration/services/battery-manager.nix +++ b/configuration/services/battery-manager.nix 
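Review bot: The two Porkbun entries added to nginx/ssl.nix carry no comment saying which consumer reads them, unlike the heisenbridge, matrix-hookshot and starbound hunks in this same patch, which annotate their root-owned secrets with the access path. Since `owner = "acme"` implies the ACME client reads the decrypted files directly (the default mode should then be 0400 and group the owner's primary group, assuming sops-nix defaults), a one-line comment such as `# Read by the ACME DNS-01 challenge for tlater.net (owner acme, default 0400)` would make the placement self-explaining; confirm the exact consumer, as the ACME configuration itself is outside this hunk. The dotted `.owner` form also differs from the attrset form used by every other hunk in the patch; either is fine, but one style across the moved definitions would read better.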
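Review bot: `"restic/storagebox-ssh-key"` in backups.nix is owned by `backup` with `mode = "0040"`, which leaves the owner class with no read bit: Linux consults only the owner bits when the accessing uid matches the file owner, so a process running as user `backup` (without CAP_DAC_READ_SEARCH) cannot read this key at all, while other members of group `backup` can. If the consumer is a root-run unit with `backup` as a supplementary group, that is the intended effect and deserves a comment stating it; if the restic job runs as user `backup`, the intended setting is `mode = "0440";` or `owner = "root";` with the group bit. This is moved rather than new logic, but it is the new side of the file now, and the backup unit definitions that would settle which case applies are outside the hunk.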
@@ -13,4 +13,9 @@ log_level = "DEBUG"; }; }; + + sops.secrets = { + "battery-manager/email" = { }; + "battery-manager/password" = { }; + }; } diff --git a/configuration/services/conduit/default.nix b/configuration/services/conduit/default.nix index 4ba5271..6e01e81 100644 --- a/configuration/services/conduit/default.nix +++ b/configuration/services/conduit/default.nix @@ -179,4 +179,11 @@ in systemd.services.coturn.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ]; + + sops.secrets = { + "turn/env" = { }; + "turn/secret" = { + owner = "turnserver"; + }; + }; } diff --git a/configuration/services/conduit/heisenbridge.nix b/configuration/services/conduit/heisenbridge.nix index f0f7e49..5441639 100644 --- a/configuration/services/conduit/heisenbridge.nix +++ b/configuration/services/conduit/heisenbridge.nix @@ -75,4 +75,10 @@ in # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; }; }; + + sops.secrets = { + # Accessed via systemd cred through /run/secrets/heisebridge + "heisenbridge/as-token" = { }; + "heisenbridge/hs-token" = { }; + }; } diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix index 6b788b2..c1fec82 100644 --- a/configuration/services/conduit/matrix-hookshot.nix +++ b/configuration/services/conduit/matrix-hookshot.nix @@ -163,4 +163,10 @@ in metrics.enabled = true; }; }; + + sops.secrets = { + # Accessed via systemd cred through /run/secrets/matrix-hookshot + "matrix-hookshot/as-token" = { }; + "matrix-hookshot/hs-token" = { }; + }; } diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix index b30806c..f4b6956 100644 --- a/configuration/services/metrics/grafana.nix +++ b/configuration/services/metrics/grafana.nix 
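Review bot: `"battery-manager/email"` and `"battery-manager/password"` are declared with no owner, group or mode, so they stay root-only at the sops-nix defaults, yet unlike the heisenbridge, matrix-hookshot and starbound hunks there is no comment saying how the service gets at them. If the mechanism is the same, add `# Accessed via systemd cred through /run/secrets/battery-manager` above the block; if the service reads the files itself, it presumably needs an `owner`, and that would be a bug to fix here rather than document. The `log_level = "DEBUG"` line is pre-existing context, not part of this change, but while touching the module it is worth checking that debug output does not echo the password into the journal.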
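Review bot: In conduit/default.nix, `"turn/env"` is left root-only while `"turn/secret"` gets `owner = "turnserver"`, and nothing explains the asymmetry. If `turn/env` is loaded by systemd as an `EnvironmentFile` (which runs as root before the unit drops privileges) and `turn/secret` is read by the coturn process itself, a comment like `# turn/env is read by systemd (EnvironmentFile); turn/secret by coturn as turnserver` would stop a future reader from "fixing" the missing owner. The coturn service definition that would confirm this is outside the hunk, so please verify before adding the comment.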
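Review bot: The comment added in heisenbridge.nix misspells the path: `/run/secrets/heisebridge` should read `/run/secrets/heisenbridge`, matching the secret names directly below it and the `matrix-hookshot` comment's pattern. Change it to `# Accessed via systemd cred through /run/secrets/heisenbridge`. If the same string was copied into a `LoadCredential=` directive elsewhere in the file (not visible in this hunk), check that one too, since there it would break secret loading rather than just documentation.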
@@ -67,4 +67,15 @@ in }; }; }; + + sops.secrets = { + "grafana/adminPassword" = { + owner = "grafana"; + group = "grafana"; + }; + "grafana/secretKey" = { + owner = "grafana"; + group = "grafana"; + }; + }; } diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index f37b8b0..d02b3a7 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -96,4 +96,10 @@ in victorialogs.targets = [ config.services.victorialogs.bindAddress ]; }; }; + + sops.secrets."forgejo/metrics-token" = { + owner = "forgejo"; + group = "metrics"; + mode = "0440"; + }; } diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 4af77a9..ef2a6ac 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix @@ -100,4 +100,9 @@ in # Ensure that this service doesn't start before postgres is ready systemd.services.nextcloud-setup.after = [ "postgresql.service" ]; + + sops.secrets."nextcloud/tlater" = { + owner = "nextcloud"; + group = "nextcloud"; + }; } diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix index f5b23c3..609d4c0 100644 --- a/configuration/services/starbound.nix +++ b/configuration/services/starbound.nix @@ -114,4 +114,7 @@ in paths = [ "/var/lib/private/starbound/storage/universe/" ]; pauseServices = [ "starbound.service" ]; }; + + # Accessed via systemd cred through /run/secrets/steam + sops.secrets."steam/tlater" = { }; } diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix index a6b7763..d4ab090 100644 --- a/configuration/services/wireguard.nix +++ b/configuration/services/wireguard.nix @@ -62,4 +62,10 @@ }; }; }; + + sops.secrets."wireguard/server-key" = { + owner = "root"; + group = "systemd-network"; + mode = "0440"; + }; } 
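Review bot: In grafana.nix both secrets set `group = "grafana"` without a `mode`, so they presumably stay at the 0400 default and the group setting has no effect on access; it also matches what sops-nix would pick by default (the owner's primary group), as far as I can tell. Either drop the two `group` lines or, if the intent is for another process in the grafana group to read them, add `mode = "0440";` so the setting actually does something. A short comment on `adminPassword` noting that Grafana only consumes it at first provisioning (if that is how it is wired here) would also help the next reader.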
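Review bot: `"forgejo/metrics-token"` ends up in victoriametrics.nix although it is owned by `forgejo`, so the secret appears to have two consumers: forgejo (owner) and the scraper configured in this file (via group `metrics`). Since the commit's stated intent is to put each secret in the module that uses it, a comment recording that split, e.g. `# Shared token: forgejo serves /metrics with it (owner), the scrape config here reads it via group metrics`, would keep the next refactor from moving it into the forgejo module and dropping the group access. Confirm the forgejo side actually references this path; it is not visible in this hunk.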
diff --git a/configuration/sops.nix b/configuration/sops.nix index 0337438..ff84452 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -3,87 +3,20 @@ defaultSopsFile = ../keys/production.yaml; secrets = { - "battery-manager/email" = { }; - - "battery-manager/password" = { }; - - # Gitea - "forgejo/metrics-token" = { - owner = "forgejo"; - group = "metrics"; - mode = "0440"; - }; - - # Grafana - "grafana/adminPassword" = { - owner = "grafana"; - group = "grafana"; - }; - "grafana/secretKey" = { - owner = "grafana"; - group = "grafana"; - }; - - # Heisenbridge - "heisenbridge/as-token" = { }; - "heisenbridge/hs-token" = { }; - - # Matrix-hookshot - "matrix-hookshot/as-token" = { }; - "matrix-hookshot/hs-token" = { }; - - # Nextcloud - "nextcloud/tlater" = { - owner = "nextcloud"; - group = "nextcloud"; - }; - - # Porkbub/ACME - "porkbun/api-key" = { - owner = "acme"; - }; - "porkbun/secret-api-key" = { - owner = "acme"; - }; - # Restic "restic/local-backups" = { owner = "root"; group = "backup"; mode = "0440"; }; - "restic/storagebox-backups" = { - owner = "root"; - group = "backup"; - mode = "0440"; - }; - "restic/storagebox-ssh-key" = { - owner = "backup"; - group = "backup"; - mode = "0040"; - }; - - # Steam - "steam/tlater" = { }; # Turn - "turn/env" = { }; - "turn/secret" = { - owner = "turnserver"; - }; "turn/ssl-key" = { owner = "turnserver"; }; "turn/ssl-cert" = { owner = "turnserver"; }; - - # Wireguard - "wireguard/server-key" = { - owner = "root"; - group = "systemd-network"; - mode = "0440"; - }; }; }; } From b8b5a64485f130461fd1cf20defb05d2e411e7e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Tue, 18 Nov 2025 15:49:18 +0800 Subject: [PATCH 2/2] fix(lock): Add missing lockfile update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 705d87c..ad4903f 100644 --- a/flake.lock +++ b/flake.lock 
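Review bot: The move is incomplete in a way the commit message does not explain: `restic/local-backups` stays in sops.nix while its two `restic/storagebox-*` siblings went to backups.nix, and `turn/ssl-key`/`turn/ssl-cert` stay while `turn/env` and `turn/secret` went to conduit/default.nix. If these three are deliberately kept central because they are consumed outside the modules touched here, a comment on each group saying so, e.g. `# Kept here: also used by <module>`, would make the split intentional rather than accidental; otherwise moving them alongside their siblings finishes the refactor. The remaining `# Restic` and `# Turn` headings now label single entries, which is fine but reads as leftover.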
@@ -136,11 +136,11 @@
 "pyproject-nix": "pyproject-nix"
 },
 "locked": {
- "lastModified": 1754978539,
- "narHash": "sha256-nrDovydywSKRbWim9Ynmgj8SBm8LK3DI2WuhIqzOHYI=",
+ "lastModified": 1763413832,
+ "narHash": "sha256-dkqBwDXiv8MPoFyIvOuC4bVubAP+TlVZUkVMB78TTSg=",
 "owner": "nix-community",
 "repo": "dream2nix",
- "rev": "fbec3263cb4895ac86ee9506cdc4e6919a1a2214",
+ "rev": "5658fba3a0b6b7d5cb0460b949651f64f644a743",
 "type": "github"
 },
 "original": {
@@ -356,11 +356,11 @@
 ]
 },
 "locked": {
- "lastModified": 1762868777,
- "narHash": "sha256-QqS72GvguP56oKDNUckWUPNJHjsdeuXh5RyoKz0wJ+E=",
+ "lastModified": 1763319842,
+ "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "c5c3147730384576196fb5da048a6e45dee10d56",
+ "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761",
 "type": "github"
 },
 "original": {