diff --git a/hosts/nas/default.nix b/hosts/nas/default.nix index 8599cff..a8beb12 100644 --- a/hosts/nas/default.nix +++ b/hosts/nas/default.nix @@ -1,29 +1,64 @@ -{ self, ... }: +{ config, self, ... }: { imports = [ self.nixosModules.server-profile ]; system.stateVersion = "25.11"; - custom = { - boot.loader.grub.enable = true; + custom = + let + privateDomain = config.custom.networking.overlay.domain; + in + { + boot.loader.grub.enable = true; - networking = { - overlay.address = "10.254.250.6"; - underlay = { - interface = "enp2s0"; - cidr = "192.168.0.64/24"; - gateway = "192.168.0.1"; + networking = { + overlay.address = "10.254.250.6"; + underlay = { + interface = "enp2s0"; + cidr = "192.168.0.64/24"; + gateway = "192.168.0.1"; + }; + }; + + services = { + dns.enable = true; + + syncthing = { + enable = true; + isServer = true; + gui.domain = "syncthing.${privateDomain}"; + doBackups = true; + }; + + atuin = { + enable = true; + domain = "atuin.${privateDomain}"; + }; + }; + + web-services = { + filebrowser = { + enable = true; + domain = "files.${privateDomain}"; + doBackups = true; + }; + + radicale = { + enable = true; + domain = "dav.${privateDomain}"; + doBackups = true; + }; + + actualbudget = { + enable = true; + domain = "budget.${privateDomain}"; + doBackups = true; + }; + + karakeep = { + enable = true; + domain = "bookmarks.${privateDomain}"; + }; }; }; - - services = { - dns.enable = true; - - syncthing = { - enable = true; - isServer = true; - gui.domain = "syncthing.nas.splitleaf.de"; - }; - }; - }; } diff --git a/hosts/nas/secrets.json b/hosts/nas/secrets.json index 07c5340..b0c9251 100644 --- a/hosts/nas/secrets.json +++ b/hosts/nas/secrets.json 
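Review bot: In the new `services` and `web-services` sets, `atuin` and `karakeep` are enabled without `doBackups = true`, while `syncthing`, `filebrowser`, `radicale` and `actualbudget` all set it. The same commit deletes `hosts/vps-private`, so this host appears to become the only place these services run, and their state (shell history, bookmarks) would then have no off-host copy. If those modules expose the option, add `doBackups = true;` to both. If the omission is deliberate, record it with a short comment such as `# not backed up: <reason>` next to each service.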
@@ -11,6 +11,22 @@ "cert": "ENC[AES256_GCM,data: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,iv:qYF05ihkcOYvHlnWcFiQdR0ksRledIFO4c301+bZMjQ=,tag:EnnNJ7QiFokqFlJ7hFzUfA==,type:str]", "key": "ENC[AES256_GCM,data:uRx7whj5NKflCZqMk9C4canBmnOfDTcMPA+CTQHA/ndmVzliIIf9t8y6pssgYuEVM76N4AcdEo1rER3IsL5WWUlSAmrgz25brMINJXAf73oppz+Wx2sUb0h7vD4JQ5E+B0JvfHM1WtE6YkVPnjlVeWkZaRgzGaU=,iv:nySmQBrgCEp9QxAIpe/jP7DQ5F9XlFGotAa2oVrNzPk=,tag:znl6EdK1jWG2eCbqVezYPA==,type:str]" }, + "restic": { + "password": "ENC[AES256_GCM,data:Ggop4acLfi5CcrSR62gMKxKngSXFTxRO5eRV6/jo,iv:1wwA2V5kvbls/qmKMh8q8ZrXkpL6SqJqEntAMMMBuTI=,tag:znPTdekGqW9/p59OgOwLEA==,type:str]" + }, + "backblaze": { + "key-id": "ENC[AES256_GCM,data:U2hevwbsSPsjawx7lQRqb2ekFr0393UB9g==,iv:QjazfXiKHxUBb8VqI5VWFoc/uHmr4gdSLSInMvHHp2w=,tag:ROiS2uica1w43Q2EL/5IwQ==,type:str]", + "application-key": "ENC[AES256_GCM,data:Jdux7MycXY5XuWUhMM7qQ7r3LPuMPj+eDBpYPZ+Spg==,iv:b93FmfupzWk9KFWgFJ9XE8EAA0KJ6ffGBqlKok4Zgsk=,tag:E50id5PE5gzshDmPqE5Ucg==,type:str]" + }, + "healthchecks": { + "ping-key": "ENC[AES256_GCM,data:PNjkk96vDUnqIrvk5+ZksJ/xnu0g0A==,iv:M//QQIQG/xtpSddXqtj2lejMmN1x3HjhPrYl0L9jcYU=,tag:SzMtuJcmSFIzqtSNVZXAfA==,type:str]" + }, + "karakeep": { + "openai-api-key": "ENC[AES256_GCM,data:n469mFZgT7d9e3r6G4agcK1mrSEVVheZ604e4YPQAA+vW2m7+bmNSBQHSPsqSTAfkmEc8wJKu4sED+Yd1dDug7hkLlOztHfVrvpkfEgEp5vZ6kpjamZd5A1j0Y+cwJqp2cwYH+39+FKB1FL5gS2GILTjjuXFiTbyZOf0l/oXYrcno5gT9tGUXtA0qFzlKadq57m/WzlqxFMuxQS41m6wJX9GMYs6cWA=,iv:xpsnjcRX1RMC8GzL1XqvsxO5jxJrLYy9DxVh7A0ByWE=,tag:IUjDTH8UoBZIJW34wUlLTQ==,type:str]" + }, + "radicale": { + "htpasswd": "ENC[AES256_GCM,data:SuVrYk3BP3Hds9sKwiuEOgAA5RPBR3f3RW16xtpO6w9aUjZR37jPKPOPluHxBUIulap2p/Oj5VZvyyeDP2MxQw==,iv:sANgLVPRrZEjlC7n/r5zVma/qIDCraLxi88o/sVgayQ=,tag:KbUM7hTRM0Z9iiiQFUfp/w==,type:str]" + }, "sops": { "age": [ { 
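Review bot: The `restic`, `backblaze`, `healthchecks`, `karakeep` and `radicale` entries added here use the same key names as the deleted `hosts/vps-private/secrets.json`, which stays in git history encrypted to that host's age recipient. If the plaintext values were carried over rather than newly issued, the retired host's age private key can still decrypt them from history. In that case either destroy that key together with the VPS or rotate the credentials (Backblaze application key, restic password, OpenAI API key, Radicale htpasswd). The ciphertext cannot show whether the values are the same, so this needs confirming before the old host is considered fully decommissioned.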
@@ -22,8 +38,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOVRQU1R4VlBhdEFUdnR6\nZFNuNldaSkxJL3ptOVVscjRBNkQ4dFBmQUVBCmZrQmFMV0hWbTBQcm1FS3JrR0ZC\nbktvT04xczd6VkdCUWk2NnVVZHNFWkUKLS0tIGUwOHJSMHVsNTEyZEU2VWJFNGVy\nMVFDVThrRGQwZEtPeFYzZUVQYi80ZjAKUd/XzyzqMkMowvyeCnQDbOGJDKbuAUQb\nFClQuiH5iSQQrVPw7SHBNgdqbcdtC+hZ4tpPaV/wWtlpcqpr5mBJSA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2026-02-27T12:04:30Z", - "mac": "ENC[AES256_GCM,data:uoyMH07F4cLytsf3umOw/E2yiGEl//+FlhYMeHGV6kWM6odDPx/rkoY6AIN1Ajb7S88PBKkOIA63GKNYsIiD9kBMpyRIOjnpEYjQd8Ghwk+2RfxxXuvWKUemy0NcYSRaU7odvxEcxjFcjXrGWLZoFrhnrldpUbZfiott9P1F7Us=,iv:bthEr2k2RaJjGJAd9AsgshLNbFeBwOhSVSrnT1COqPI=,tag:NYXcg1Z1yAfiff+kPAEwdA==,type:str]", + "lastmodified": "2026-02-27T21:25:33Z", + "mac": "ENC[AES256_GCM,data:kvP/sCIqs4Ic/IwEn1FwZOc71N6zAuyn7NDQWF78EW9HFfPjqUwN3z5PJOmEc1U74KbJB1gHIFMfteLx547IhGHn45oHlju7gco8jCdFhX9XL40Hp72B2px3MaG8UXp2DmDel9n7wQYCjNK1W6aOcQnpids/5uZu2gb/sV4/IIM=,iv:mlgEoRieeL/qc9rTZ8tYFrTdOkqph8GdAe2zJydjMIU=,tag:7czP2+PRO/RXZaBanW12tg==,type:str]", "unencrypted_suffix": "_unencrypted", "version": "3.11.0" } diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix deleted file mode 100644 index 19f30cd..0000000 --- a/hosts/vps-private/default.nix +++ /dev/null 
@@ -1,68 +0,0 @@ -{ config, self, ... }: -{ - imports = [ self.nixosModules.server-profile ]; - - system.stateVersion = "25.11"; - - custom = - let - privateDomain = config.custom.networking.overlay.domain; - in - { - boot.loader.systemd-boot.enable = true; - - networking = { - overlay = { - address = "10.254.250.2"; - isLighthouse = true; - }; - underlay = { - interface = "enp1s0"; - cidr = "49.13.231.235/32"; - isPublic = true; - gateway = "172.31.1.1"; - }; - }; - - services = { - dns.enable = true; - - syncthing = { - enable = true; - isServer = true; - gui.domain = "syncthing.${privateDomain}"; - doBackups = true; - }; - - atuin = { - enable = true; - domain = "atuin.${privateDomain}"; - }; - }; - - web-services = { - filebrowser = { - enable = true; - domain = "files.${privateDomain}"; - doBackups = true; - }; - - radicale = { - enable = true; - domain = "dav.${privateDomain}"; - doBackups = true; - }; - - actualbudget = { - enable = true; - domain = "budget.${privateDomain}"; - doBackups = true; - }; - - karakeep = { - enable = true; - domain = "bookmarks.${privateDomain}"; - }; - }; - }; -} diff --git a/hosts/vps-private/disko.nix b/hosts/vps-private/disko.nix deleted file mode 100644 index 800ecba..0000000 --- a/hosts/vps-private/disko.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ - disko.devices = { - disk.main = { - device = "/dev/sda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; - }; - ESP = { - size = "512M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; - }; - }; - nix = { - size = "20G"; - content = { - type = "filesystem"; - format = "xfs"; - extraArgs = [ - "-m" - "reflink=1" - ]; - mountpoint = "/nix"; - mountOptions = [ "noatime" ]; - }; - }; - persist = { - size = "100%"; - content = { - type = "filesystem"; - format = "ext4"; - mountpoint = "/persist"; - mountOptions = [ "noatime" ]; - }; - }; - }; - }; - }; - nodev."/" = { - fsType = "tmpfs"; - mountOptions = [ - "defaults" - "mode=755" - ]; - }; - }; -} diff --git a/hosts/vps-private/hardware.nix b/hosts/vps-private/hardware.nix deleted file mode 100644 index 073f92f..0000000 --- a/hosts/vps-private/hardware.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ modulesPath, ... }: -{ - imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; - - nixpkgs.hostPlatform = "x86_64-linux"; - - boot.initrd.availableKernelModules = [ - "ahci" - "xhci_pci" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; -} diff --git a/hosts/vps-private/keys/age.pub b/hosts/vps-private/keys/age.pub deleted file mode 100644 index 2ae777a..0000000 --- a/hosts/vps-private/keys/age.pub +++ /dev/null @@ -1 +0,0 @@ -age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69 diff --git a/hosts/vps-private/keys/nebula.crt b/hosts/vps-private/keys/nebula.crt deleted file mode 100644 index 84ee04a..0000000 --- a/hosts/vps-private/keys/nebula.crt +++ /dev/null 
@@ -1,7 +0,0 @@ ------BEGIN NEBULA CERTIFICATE V2----- -MIG/oFmAC3Zwcy1wcml2YXRloQcEBQr++gIYoxMMBnNlcnZlcgwJc3luY3RoaW5n -hQRphR5bhgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIg -xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dguDQIfEL9VOzRXRvfIYqQIE -N17rITJJXUIV0zV1JY/GF2xuxGYnwqRbdpbzjwWiZn3kBvj3j/q2jC9ciA3+nnoc -iwE= ------END NEBULA CERTIFICATE V2----- diff --git a/hosts/vps-private/keys/nebula.pub b/hosts/vps-private/keys/nebula.pub deleted file mode 100644 index c835b45..0000000 --- a/hosts/vps-private/keys/nebula.pub +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN NEBULA X25519 PUBLIC KEY----- -xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dgs= ------END NEBULA X25519 PUBLIC KEY----- diff --git a/hosts/vps-private/keys/syncthing.id b/hosts/vps-private/keys/syncthing.id deleted file mode 100644 index a93bac7..0000000 --- a/hosts/vps-private/keys/syncthing.id +++ /dev/null @@ -1 +0,0 @@ -5R2MH7T-Q2ZZS2P-ZMSQ2UJ-B6VBHES-XYLNMZ6-7FYC27L-4P7MGJ2-FY4ITQD \ No newline at end of file diff --git a/hosts/vps-private/secrets.json b/hosts/vps-private/secrets.json deleted file mode 100644 index afaf6dc..0000000 --- a/hosts/vps-private/secrets.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "seb-password": "ENC[AES256_GCM,data:Q+yRIOJCUzHmCZ5n0OAGyCkePVh0VJfeFYmgG2fh8Wwy6IKyG9c3/3qcMEIRSvG6Qm9KFGahuIR2md5bz7//pTRfPcu1GdIsMA==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:pOLRjWZKL2+GkMgV435FMw==,type:str]", - "restic": { - "password": "ENC[AES256_GCM,data:AERasH4M/uP3aUELnggUmH6NzAx6v4Uqjg+ymF5X,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:adI4AwzXp63SRSA8uAjRZw==,type:str]" - }, - "backblaze": { - "key-id": "ENC[AES256_GCM,data:vfw2c+rDyT2bEg6QjJZLGfcxbe56FyrtQg==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:lFrapoEAOJ7ma+/BhuIVQA==,type:str]", - "application-key": "ENC[AES256_GCM,data:OdcLprjm4WdBrUF6tRJyn6gvQuHK/2jmnxh3QIM6XQ==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:vGtZ4NYVasQ4GP1IL6dvdQ==,type:str]" - }, - "healthchecks": { - "ping-key": "ENC[AES256_GCM,data:40galLLarXCva762hm+CfZ8fULDEYg==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:y2Zw/EuuY1M2JFEcskQqgg==,type:str]" - }, - "syncthing": { - "cert": "ENC[AES256_GCM,data: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,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:JTOYgWwot9/zwdWwVWvSUw==,type:str]", - "key": "ENC[AES256_GCM,data:PkL8Bh0pRnFfH0l1AhJdUl6LvRytJW4JTjNtGviORklxEfnh2SR9Fnsl4ftDE78+EwvVw9Fd71L16BFObp5rH3zMImSnVthj8AoBw0OpVOenhzVNnHcPX4ncOm7IPIx1X0VmtqjzO6FTW3opamt2VB3kORZhzybInaY63PlLgU1f0c7wt9wIsefQvsooVm8OS3kvMRlkeaeIqtu7ok/TpyssygALY/6TUWvImvh2Uro4LE6Ue4IzZTnq7CmSywTASwr95YqenIL0nu7cr4EG7kfGWS3/lWJf4BTNUTvfSs6PmHVEigFMBQIILo+juJC4MLdpGP+Bk2rWx1B8rZTyyrKLgS4Nl/HoCFaICOy8PjHyjTgUBlzZMwgj8cEGcwe5,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:1GaPMxFXeSKlB/dJjQUgaw==,type:str]" - }, - "nebula": { - "host-key": "ENC[AES256_GCM,data:dS3tXWUK+POzTZ98wLETaWz4ief/yFULCfI5Y3EbK26KQpwxzw6cpLXUNOSZeUwz9brN/4JcwUgewJR08Uq3HZhKZKoMPZfPRtZMDe51I4RYg4hZd1mMWXQn82KmSytZCiDIL/9qCwYvObVRiNCpAOKRj6JBpgpoQ1u5hgn1EA==,iv:G25EpAnvoLfYXAdPyJVqS3ocUPg5LQlUoi7fA+XFOZ8=,tag:/BNhuxJCunM85H9DnPF5Kg==,type:str]" - }, - "porkbun": { - 
"api-key": "ENC[AES256_GCM,data:RV/+aEQRcfQ9LMjZjxGNvCeiso51VqvqrOBRRrR/dXhmBvyoGuh2LaAjyoDoWEjWy5kIStStR+jXZEFWZ8KXvnmEnoU=,iv:j3sYW85Vf88EfeOfezlspDxEms6YqZYnzy5JAiES3+U=,tag:0M9vDvsirc6ze3Ut+yMSoA==,type:str]", - "secret-api-key": "ENC[AES256_GCM,data:SUngZ65fBmC9WlPkmJMjyBb6sHREKhqyRj9fsBGkj5IyjtGDfQ1b7Iv0VNeSY//bWv0VZruwT48a320BUlg1xiNCKU8=,iv:glUaArlHJsxCP5z3y7JnWvmtsdRzszXhYydpd1YaX5U=,tag:185iAkQ/J9CfKkTsgPP6lA==,type:str]" - }, - "karakeep": { - "openai-api-key": "ENC[AES256_GCM,data:ZOVkdDWpSJ98spHm3XUuGZ4vrRBEUyCBE4Nnpm/zVwKSi6yDbbKyZffc4jwOiffUVhwM5HKmUEosI2Qdn7Z7yjJHSHgrn9mN/e7mKIrPkzZx+FNsVfPx6RAzstgbxkBjBshGiGEPcamevAMEhPlnhucqwanDk65OSn6ohQ+RCsQvKe9HsgvVq6ERPGWkHKPAAaop5asZ3ljjQ4ZEla/Q3K7/HjC6hqg=,iv:Dmx6C3jyNk4lFlv220Dkp4+UFQEushPgEwN9hexbZtU=,tag:8w55PPnbrysohj1kUztADA==,type:str]" - }, - "radicale": { - "htpasswd": "ENC[AES256_GCM,data:izITzHpuEP07w7hQPKiD4Fs3Tqq8UCXf12Bn0/8WJeCTkMRSsywrD37QgWd0Kw+YPu5Oe+Muo/tWPvWQXH2pSA==,iv:ppsakiYkrL44NRGRtV9lCgQyJ+C4n8OE7I754AYA/uc=,tag:Gi/FXGOLGcAewIGFFJqKmQ==,type:str]" - }, - "sops": { - "age": [ - { - "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3clZ2RDgvVWJXMUdsWVdk\nclBwc0dEQ1Y3cUt0QVpkTHNYdENnRkJQOUNrClFhM2R2L2laQ1N4cDltMElBeTY3\nOWt3VndlZHBONVdUelptM0dRTUdBd1kKLS0tIEtmOGhJUTJ2Z29JQzBsWVdUa3A5\nUWFZUkVOK1Z4bmVoOFhkY09XbU1ZbWsKgDNEjb6goOoCig73u1E8Ew7MDXIMWYx1\nzg6TRt46Ouk51tNgJ1BRMm+LO2B7PFp0Zs/KcazHmBEG9r2EeoC3kA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2026-02-11T17:18:57Z", - "mac": "ENC[AES256_GCM,data:UNJZ69D1FOP4tA2uNJCJtQ/i0kLINml3hL4fAjXrumt3mfbROyZez3H4xX/V7a7Rb//fm3ZShcafoWinMdwFHyu1b4xW2ugpJrkutMLZCKLow3k6ySwnFQ3M4UItW69Z6ZBauzvyiTbiI+ot/9SZ0HW3CehitetMUdIeS7Zf2RE=,iv:E5ZJ0TCIgnJHYYX8WaHd8bOCppTY4zXRk76LeBk4ZHo=,tag:fTugOh+V0Uc91QhJ/oX42w==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" - } -} diff --git a/modules/nixos/sops.nix b/modules/nixos/sops.nix index 4add3a9..760fceb 100644 --- a/modules/nixos/sops.nix +++ b/modules/nixos/sops.nix @@ -34,5 +34,13 @@ in ]; defaultSopsFile = cfg.secretsFile; }; + + assertions = + config.sops.secrets + |> lib.attrNames + |> lib.map (secretPath: { + assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); + message = "Sops secret `${secretPath}` must be defined in secrets.json"; + }); }; }
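Review bot: The new `assertions` list builds the lookup path from the attribute name of each `config.sops.secrets` entry, but sops-nix lets a secret override its `key` and its `sopsFile`. A secret using either override could fail this check although it decrypts, or pass although the key actually read is missing. Iterating with `lib.mapAttrsToList (name: secret: …)`, using `assertion = cfg.secrets |> lib.hasAttrByPath (secret.key |> lib.splitString "/");`, and skipping entries whose `sopsFile` is not `cfg.secretsFile` would make the check match what is actually read. The message hard-codes `secrets.json`; interpolating `${toString cfg.secretsFile}` would name the real file. The enclosing `config` block and the definition of `cfg.secrets` are outside this hunk, so the shape of `cfg.secrets` (presumably the parsed JSON, including the `sops` metadata key) should be confirmed.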