From 29a1702c3909d1886ffefc046b65ad3f05e90e78 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Wed, 6 May 2026 01:33:48 +0200
Subject: [PATCH] Add sops

---
 modules/server/sops/default.nix | 12 +++++++++++-
 modules/server/sops/server.yaml | 11 ++++-------
 systems/sandbox/cfg.nix | 1 +
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/modules/server/sops/default.nix b/modules/server/sops/default.nix
index fb7379f..d61bd2f 100644
--- a/modules/server/sops/default.nix
+++ b/modules/server/sops/default.nix
@@ -1,5 +1,15 @@
-{ config, lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }:
+let
+  listNames = config.syscfg.server.db;
+  containerNames = lib.mapAttrsToList (name: cfg: name)
+    (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+  allApps = lib.unique (listNames ++ containerNames);
+in{
   config = lib.mkIf (config.syscfg.server.sops) {
     sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
+
+    sops.secrets = lib.genAttrs (map (name: "${name}_pass") allApps) (name: {
+      owner = "postgres";
+    });
   };
 }
diff --git a/modules/server/sops/server.yaml b/modules/server/sops/server.yaml
index ed7673c..2ccf25d 100644
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
@@ -1,9 +1,6 @@
 INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
+AUTHENTIK_PASS: ENC[AES256_GCM,data:cwx2,iv:R38eXeY9Wm1J2PN4i2gQ4Nw9n3jRknnneBTW0Mc0ctM=,tag:WdMzcMoXidz74XpiSS6Jkg==,type:str]
 sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
   age:
     - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
       enc: |
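Review bot: `sops.secrets.INFOMANIAK_API_KEY = …` and the new `sops.secrets = lib.genAttrs …` define the same attribute path twice in one attrset; Nix merges nested attribute-path definitions only with each other, not with a value assigned directly to the path, so I expect this file to be rejected with an "attribute 'sops.secrets' already defined" error regardless of the `mkIf` guard. The generated `<name>_pass` entries also omit `sopsFile`, so they resolve against `sops.defaultSopsFile` rather than `./server.yaml`, and the only key this commit adds to server.yaml is `AUTHENTIK_PASS`, which will not match a lowercase-derived `authentik_pass` (assuming the db and container names are lowercase). Folding both definitions into one attrset and pinning the file addresses the first two points; the key naming should be aligned on one side or the other before this is enabled. As a minor style point, `lib.mapAttrsToList (name: cfg: name) (…)` is just `lib.attrNames (…)`.
```nix
  config = lib.mkIf (config.syscfg.server.sops) {
    sops.secrets = {
      INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
    } // lib.genAttrs (map (name: "${name}_pass") allApps) (name: {
      sopsFile = ./server.yaml;
      owner = "postgres";
    });
  };
```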
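Review bot: The new `AUTHENTIK_PASS` entry carries a ciphertext of `data:cwx2`, four base64 characters, i.e. three bytes, and AES-256-GCM preserves plaintext length, so whatever was encrypted here is three characters long. If that is a placeholder it should be marked as such, and if it is meant to be the real database password it should be generated with adequate entropy before being committed, because once the value is in history every age and PGP recipient listed in this file can recover it and rotation is the only remedy. The dropped `kms`/`gcp_kms`/`azure_kv`/`hc_vault` empty lists are just sops re-serialising its metadata and are fine.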
@@ -41,8 +38,8 @@ sops:
         VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
         VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-05-08T16:05:46Z"
-  mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
+  lastmodified: "2026-05-05T23:33:31Z"
+  mac: ENC[AES256_GCM,data:0pxpHFw6HsslDORMH2vPxn+3MxFQovVzZRyAz3FxyC4WKkvCTEmjUS/hze39NqqQ+DO/ugx7YD3IyKgFNHa6JjLD3QmFcX2lUqpyfJjE9K6CIFUUSaEB3zza+1F1EvYazlqfSYA/SaxMFZ6saKEZz+SqOjlzfIK5bMomSl9eJt8=,iv:InePglgMgAXoBBUpepFBRNGAI3okwkdu0jZcCtoV07A=,tag:D7BEME8acPCeZ+H3q1WJog==,type:str]
   pgp:
     - created_at: "2024-05-08T15:46:52Z"
       enc: |-
@@ -65,4 +62,4 @@ sops:
         -----END PGP MESSAGE-----
       fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
   unencrypted_suffix: _unencrypted
-  version: 3.8.1
+  version: 3.12.1
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index 0cf75e3..ec1a3e2 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -21,6 +21,7 @@ server = {
     openssh = true;
     web = true;
+    sops = true;
     hostDomain = "test.helcel.net";
     shortName = "testcel";