Add sops

2026-05-06 01:33:48 +02:00
parent 226a1baaa1
commit 29a1702c39
3 changed files with 16 additions and 8 deletions
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -1,5 +1,15 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+let
+ listNames = config.syscfg.server.db;
+  containerNames = lib.mapAttrsToList (name: cfg: name) 
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+  allApps = lib.unique (listNames ++ containerNames);
+in{
  config = lib.mkIf (config.syscfg.server.sops) {
    sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+
+    sops.secrets = lib.genAttrs (map (name: "${name}_pass") allApps) (name: {
+      owner = "postgres";
+    });
  };
 }
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,9 +1,6 @@
 INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+AUTHENTIK_PASS: ENC[AES256_GCM,data:cwx2,iv:R38eXeY9Wm1J2PN4i2gQ4Nw9n3jRknnneBTW0Mc0ctM=,tag:WdMzcMoXidz74XpiSS6Jkg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
          enc: |
@@ -41,8 +38,8 @@ sops:
            VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
            VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T16:05:46Z"
-    mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
+    lastmodified: "2026-05-05T23:33:31Z"
+    mac: ENC[AES256_GCM,data:0pxpHFw6HsslDORMH2vPxn+3MxFQovVzZRyAz3FxyC4WKkvCTEmjUS/hze39NqqQ+DO/ugx7YD3IyKgFNHa6JjLD3QmFcX2lUqpyfJjE9K6CIFUUSaEB3zza+1F1EvYazlqfSYA/SaxMFZ6saKEZz+SqOjlzfIK5bMomSl9eJt8=,iv:InePglgMgAXoBBUpepFBRNGAI3okwkdu0jZcCtoV07A=,tag:D7BEME8acPCeZ+H3q1WJog==,type:str]
    pgp:
        - created_at: "2024-05-08T15:46:52Z"
          enc: |-
@@ -65,4 +62,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.12.1
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -21,6 +21,7 @@
    server = {
      openssh = true;
      web = true;
+      sops = true;

      hostDomain = "test.helcel.net";
      shortName = "testcel";