SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-23 18:58:28 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: SebastianStork:0da43226ed830ba2177a6526aa5f18613d377c99
Branches Tags
SebastianStork:main
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:testing-srv-core
..
compare: SebastianStork:d793f747148194cb54c6de1c51b6b6fe365a18ff
Branches Tags
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:main
SebastianStork:testing-srv-core

5 commits
0da43226ed ... d793f74714

Author SHA1 Message Date
SebastianStork
d793f74714
vps-private: Remove host 2026-02-27 23:08:44 +01:00
SebastianStork
508353d748
nas: Add missing secrets 2026-02-27 22:27:18 +01:00
SebastianStork
87de9e1c4e
sops: Add assertions to validate secret existence at eval time 2026-02-27 22:26:15 +01:00
SebastianStork
dab77776f9
Transfer vps-private's services to the nas 2026-02-27 22:17:12 +01:00
SebastianStork
213abf4c5e
vps-private: Disable syncthing 2026-02-27 22:14:41 +01:00
11 changed files with 81 additions and 219 deletions
Download patch file Download diff file Expand all files Collapse all files

41
hosts/nas/default.nix
View file

@ -1,10 +1,14 @@
{ self, ... }: { config, self, ... }:
{ {
imports = [ self.nixosModules.server-profile ]; imports = [ self.nixosModules.server-profile ];
system.stateVersion = "25.11"; system.stateVersion = "25.11";
custom = { custom =
let
privateDomain = config.custom.networking.overlay.domain;
in
{
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
networking = { networking = {
@ -22,7 +26,38 @@
syncthing = { syncthing = {
enable = true; enable = true;
isServer = true; isServer = true;
gui.domain = "syncthing.nas.splitleaf.de"; gui.domain = "syncthing.${privateDomain}";
doBackups = true;
};
atuin = {
enable = true;
domain = "atuin.${privateDomain}";
};
};
web-services = {
filebrowser = {
enable = true;
domain = "files.${privateDomain}";
doBackups = true;
};
radicale = {
enable = true;
domain = "dav.${privateDomain}";
doBackups = true;
};
actualbudget = {
enable = true;
domain = "budget.${privateDomain}";
doBackups = true;
};
karakeep = {
enable = true;
domain = "bookmarks.${privateDomain}";
}; };
}; };
}; };

20
hosts/nas/secrets.json
View file

@ -11,6 +11,22 @@
"cert": "ENC[AES256_GCM,data:NFw/g8RKE69K7cS087Lo58AIDCOD3kNG9IFY15T+ELoeS9R1RNurrqVgQPo44ATfkMFm5I7jeB5zTLvnx1AUQPzc/HaMVMtUXG2ZabBjgIeIAZKLcdiO2Uidi6SsoBS/zKOQNd94hSPXTHpLH3ev0ARK0SwWHnv106VwXGaTO+qEskG8se/P2BUVLJB6P1r7GQQVVvODRSr2sbVOv3laSNRC1n3lodDpmn2gqwDQaawnmVgN1vk0eDOOv3bYZx04P3v17M92Zj1eKGN4YPt6tWkvbgBkFKG7Ob2a/tStNVPbL545tuD45NJoFqRQ0A23qh/1sWs/fn9VXMOdC2N+HApA2cMJoPGMG3XSbDHDsk3deJrhTYA+3t+LGa/+AMm7zIc1ouh8j44ShORWwXeeW72UaZBzDum6w+KdWyN300mprCwgvuF3N+LQGNzr2hWFGZccampoUD5vVE7y8iqF+423Ws7YdJt+i6mCeetCE0jlFFCcfEtCJ2/DUZ31Wss2fjFrZtmYVuz9MstaQMdA33zBWKaxeH/OuqEp82F53F9NiaKL7321iRd+ksrR3wmpF2kw1synxeMEPyalqnIm8pn6/u86Jlvzj1d3DkzghTi+Nqm4GctSR1iSrxkeR/h+a/4z576k5Bi4iT7YyYDvk4qLDT7LCDORNaJBJSZ7COjfJivtRozb8jVTryFjdoqDtsCFpZiVD0XGcLqaTu4X5uZBy1Wp31XBH1nt7T/qSbYVAnR96XbHeK2+F/0pfox6LshUNNpnzi/OqgPfvYG/DnIpfW3EaDukZ9Hra8woZ2VrU05Z2UK1Bxz4z4pBEOg=,iv:qYF05ihkcOYvHlnWcFiQdR0ksRledIFO4c301+bZMjQ=,tag:EnnNJ7QiFokqFlJ7hFzUfA==,type:str]", "cert": "ENC[AES256_GCM,data:NFw/g8RKE69K7cS087Lo58AIDCOD3kNG9IFY15T+ELoeS9R1RNurrqVgQPo44ATfkMFm5I7jeB5zTLvnx1AUQPzc/HaMVMtUXG2ZabBjgIeIAZKLcdiO2Uidi6SsoBS/zKOQNd94hSPXTHpLH3ev0ARK0SwWHnv106VwXGaTO+qEskG8se/P2BUVLJB6P1r7GQQVVvODRSr2sbVOv3laSNRC1n3lodDpmn2gqwDQaawnmVgN1vk0eDOOv3bYZx04P3v17M92Zj1eKGN4YPt6tWkvbgBkFKG7Ob2a/tStNVPbL545tuD45NJoFqRQ0A23qh/1sWs/fn9VXMOdC2N+HApA2cMJoPGMG3XSbDHDsk3deJrhTYA+3t+LGa/+AMm7zIc1ouh8j44ShORWwXeeW72UaZBzDum6w+KdWyN300mprCwgvuF3N+LQGNzr2hWFGZccampoUD5vVE7y8iqF+423Ws7YdJt+i6mCeetCE0jlFFCcfEtCJ2/DUZ31Wss2fjFrZtmYVuz9MstaQMdA33zBWKaxeH/OuqEp82F53F9NiaKL7321iRd+ksrR3wmpF2kw1synxeMEPyalqnIm8pn6/u86Jlvzj1d3DkzghTi+Nqm4GctSR1iSrxkeR/h+a/4z576k5Bi4iT7YyYDvk4qLDT7LCDORNaJBJSZ7COjfJivtRozb8jVTryFjdoqDtsCFpZiVD0XGcLqaTu4X5uZBy1Wp31XBH1nt7T/qSbYVAnR96XbHeK2+F/0pfox6LshUNNpnzi/OqgPfvYG/DnIpfW3EaDukZ9Hra8woZ2VrU05Z2UK1Bxz4z4pBEOg=,iv:qYF05ihkcOYvHlnWcFiQdR0ksRledIFO4c301+bZMjQ=,tag:EnnNJ7QiFokqFlJ7hFzUfA==,type:str]",
"key": "ENC[AES256_GCM,data:uRx7whj5NKflCZqMk9C4canBmnOfDTcMPA+CTQHA/ndmVzliIIf9t8y6pssgYuEVM76N4AcdEo1rER3IsL5WWUlSAmrgz25brMINJXAf73oppz+Wx2sUb0h7vD4JQ5E+B0JvfHM1WtE6YkVPnjlVeWkZaRgzGaU=,iv:nySmQBrgCEp9QxAIpe/jP7DQ5F9XlFGotAa2oVrNzPk=,tag:znl6EdK1jWG2eCbqVezYPA==,type:str]" "key": "ENC[AES256_GCM,data:uRx7whj5NKflCZqMk9C4canBmnOfDTcMPA+CTQHA/ndmVzliIIf9t8y6pssgYuEVM76N4AcdEo1rER3IsL5WWUlSAmrgz25brMINJXAf73oppz+Wx2sUb0h7vD4JQ5E+B0JvfHM1WtE6YkVPnjlVeWkZaRgzGaU=,iv:nySmQBrgCEp9QxAIpe/jP7DQ5F9XlFGotAa2oVrNzPk=,tag:znl6EdK1jWG2eCbqVezYPA==,type:str]"
}, },
"restic": {
"password": "ENC[AES256_GCM,data:Ggop4acLfi5CcrSR62gMKxKngSXFTxRO5eRV6/jo,iv:1wwA2V5kvbls/qmKMh8q8ZrXkpL6SqJqEntAMMMBuTI=,tag:znPTdekGqW9/p59OgOwLEA==,type:str]"
},
"backblaze": {
"key-id": "ENC[AES256_GCM,data:U2hevwbsSPsjawx7lQRqb2ekFr0393UB9g==,iv:QjazfXiKHxUBb8VqI5VWFoc/uHmr4gdSLSInMvHHp2w=,tag:ROiS2uica1w43Q2EL/5IwQ==,type:str]",
"application-key": "ENC[AES256_GCM,data:Jdux7MycXY5XuWUhMM7qQ7r3LPuMPj+eDBpYPZ+Spg==,iv:b93FmfupzWk9KFWgFJ9XE8EAA0KJ6ffGBqlKok4Zgsk=,tag:E50id5PE5gzshDmPqE5Ucg==,type:str]"
},
"healthchecks": {
"ping-key": "ENC[AES256_GCM,data:PNjkk96vDUnqIrvk5+ZksJ/xnu0g0A==,iv:M//QQIQG/xtpSddXqtj2lejMmN1x3HjhPrYl0L9jcYU=,tag:SzMtuJcmSFIzqtSNVZXAfA==,type:str]"
},
"karakeep": {
"openai-api-key": "ENC[AES256_GCM,data:n469mFZgT7d9e3r6G4agcK1mrSEVVheZ604e4YPQAA+vW2m7+bmNSBQHSPsqSTAfkmEc8wJKu4sED+Yd1dDug7hkLlOztHfVrvpkfEgEp5vZ6kpjamZd5A1j0Y+cwJqp2cwYH+39+FKB1FL5gS2GILTjjuXFiTbyZOf0l/oXYrcno5gT9tGUXtA0qFzlKadq57m/WzlqxFMuxQS41m6wJX9GMYs6cWA=,iv:xpsnjcRX1RMC8GzL1XqvsxO5jxJrLYy9DxVh7A0ByWE=,tag:IUjDTH8UoBZIJW34wUlLTQ==,type:str]"
},
"radicale": {
"htpasswd": "ENC[AES256_GCM,data:SuVrYk3BP3Hds9sKwiuEOgAA5RPBR3f3RW16xtpO6w9aUjZR37jPKPOPluHxBUIulap2p/Oj5VZvyyeDP2MxQw==,iv:sANgLVPRrZEjlC7n/r5zVma/qIDCraLxi88o/sVgayQ=,tag:KbUM7hTRM0Z9iiiQFUfp/w==,type:str]"
},
"sops": { "sops": {
"age": [ "age": [
{ {
@ -22,8 +38,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOVRQU1R4VlBhdEFUdnR6\nZFNuNldaSkxJL3ptOVVscjRBNkQ4dFBmQUVBCmZrQmFMV0hWbTBQcm1FS3JrR0ZC\nbktvT04xczd6VkdCUWk2NnVVZHNFWkUKLS0tIGUwOHJSMHVsNTEyZEU2VWJFNGVy\nMVFDVThrRGQwZEtPeFYzZUVQYi80ZjAKUd/XzyzqMkMowvyeCnQDbOGJDKbuAUQb\nFClQuiH5iSQQrVPw7SHBNgdqbcdtC+hZ4tpPaV/wWtlpcqpr5mBJSA==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOVRQU1R4VlBhdEFUdnR6\nZFNuNldaSkxJL3ptOVVscjRBNkQ4dFBmQUVBCmZrQmFMV0hWbTBQcm1FS3JrR0ZC\nbktvT04xczd6VkdCUWk2NnVVZHNFWkUKLS0tIGUwOHJSMHVsNTEyZEU2VWJFNGVy\nMVFDVThrRGQwZEtPeFYzZUVQYi80ZjAKUd/XzyzqMkMowvyeCnQDbOGJDKbuAUQb\nFClQuiH5iSQQrVPw7SHBNgdqbcdtC+hZ4tpPaV/wWtlpcqpr5mBJSA==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2026-02-27T12:04:30Z", "lastmodified": "2026-02-27T21:25:33Z",
"mac": "ENC[AES256_GCM,data:uoyMH07F4cLytsf3umOw/E2yiGEl//+FlhYMeHGV6kWM6odDPx/rkoY6AIN1Ajb7S88PBKkOIA63GKNYsIiD9kBMpyRIOjnpEYjQd8Ghwk+2RfxxXuvWKUemy0NcYSRaU7odvxEcxjFcjXrGWLZoFrhnrldpUbZfiott9P1F7Us=,iv:bthEr2k2RaJjGJAd9AsgshLNbFeBwOhSVSrnT1COqPI=,tag:NYXcg1Z1yAfiff+kPAEwdA==,type:str]", "mac": "ENC[AES256_GCM,data:kvP/sCIqs4Ic/IwEn1FwZOc71N6zAuyn7NDQWF78EW9HFfPjqUwN3z5PJOmEc1U74KbJB1gHIFMfteLx547IhGHn45oHlju7gco8jCdFhX9XL40Hp72B2px3MaG8UXp2DmDel9n7wQYCjNK1W6aOcQnpids/5uZu2gb/sV4/IIM=,iv:mlgEoRieeL/qc9rTZ8tYFrTdOkqph8GdAe2zJydjMIU=,tag:7czP2+PRO/RXZaBanW12tg==,type:str]",
"unencrypted_suffix": "_unencrypted", "unencrypted_suffix": "_unencrypted",
"version": "3.11.0" "version": "3.11.0"
} }

68
hosts/vps-private/default.nix
View file

@ -1,68 +0,0 @@
{ config, self, ... }:
{
imports = [ self.nixosModules.server-profile ];
system.stateVersion = "25.11";
custom =
let
privateDomain = config.custom.networking.overlay.domain;
in
{
boot.loader.systemd-boot.enable = true;
networking = {
overlay = {
address = "10.254.250.2";
isLighthouse = true;
};
underlay = {
interface = "enp1s0";
cidr = "49.13.231.235/32";
isPublic = true;
gateway = "172.31.1.1";
};
};
services = {
dns.enable = true;
syncthing = {
enable = true;
isServer = true;
gui.domain = "syncthing.${privateDomain}";
doBackups = true;
};
atuin = {
enable = true;
domain = "atuin.${privateDomain}";
};
};
web-services = {
filebrowser = {
enable = true;
domain = "files.${privateDomain}";
doBackups = true;
};
radicale = {
enable = true;
domain = "dav.${privateDomain}";
doBackups = true;
};
actualbudget = {
enable = true;
domain = "budget.${privateDomain}";
doBackups = true;
};
karakeep = {
enable = true;
domain = "bookmarks.${privateDomain}";
};
};
};
}

56
hosts/vps-private/disko.nix
View file

@ -1,56 +0,0 @@
{
disko.devices = {
disk.main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
nix = {
size = "20G";
content = {
type = "filesystem";
format = "xfs";
extraArgs = [
"-m"
"reflink=1"
];
mountpoint = "/nix";
mountOptions = [ "noatime" ];
};
};
persist = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/persist";
mountOptions = [ "noatime" ];
};
};
};
};
};
nodev."/" = {
fsType = "tmpfs";
mountOptions = [
"defaults"
"mode=755"
];
};
};
}

15
hosts/vps-private/hardware.nix
View file

@ -1,15 +0,0 @@
{ modulesPath, ... }:
{
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
}

1
hosts/vps-private/keys/age.pub
View file

@ -1 +0,0 @@
age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69

7
hosts/vps-private/keys/nebula.crt
View file

@ -1,7 +0,0 @@
-----BEGIN NEBULA CERTIFICATE V2-----
MIG/oFmAC3Zwcy1wcml2YXRloQcEBQr++gIYoxMMBnNlcnZlcgwJc3luY3RoaW5n
hQRphR5bhgRrKH30hyAVQ/4ZW6re1yzFagxOA4SEMyUQWl7UCMJuYEUyO3NFaIIg
xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dguDQIfEL9VOzRXRvfIYqQIE
N17rITJJXUIV0zV1JY/GF2xuxGYnwqRbdpbzjwWiZn3kBvj3j/q2jC9ciA3+nnoc
iwE=
-----END NEBULA CERTIFICATE V2-----

3
hosts/vps-private/keys/nebula.pub
View file

@ -1,3 +0,0 @@
-----BEGIN NEBULA X25519 PUBLIC KEY-----
xxdwQe3CJkEjhN6lB0dWCNqjNug5oIN9KQTTTCp0dgs=
-----END NEBULA X25519 PUBLIC KEY-----

1
hosts/vps-private/keys/syncthing.id
View file

@ -1 +0,0 @@
5R2MH7T-Q2ZZS2P-ZMSQ2UJ-B6VBHES-XYLNMZ6-7FYC27L-4P7MGJ2-FY4ITQD

46
hosts/vps-private/secrets.json
View file

@ -1,46 +0,0 @@
{
"seb-password": "ENC[AES256_GCM,data:Q+yRIOJCUzHmCZ5n0OAGyCkePVh0VJfeFYmgG2fh8Wwy6IKyG9c3/3qcMEIRSvG6Qm9KFGahuIR2md5bz7//pTRfPcu1GdIsMA==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:pOLRjWZKL2+GkMgV435FMw==,type:str]",
"restic": {
"password": "ENC[AES256_GCM,data:AERasH4M/uP3aUELnggUmH6NzAx6v4Uqjg+ymF5X,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:adI4AwzXp63SRSA8uAjRZw==,type:str]"
},
"backblaze": {
"key-id": "ENC[AES256_GCM,data:vfw2c+rDyT2bEg6QjJZLGfcxbe56FyrtQg==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:lFrapoEAOJ7ma+/BhuIVQA==,type:str]",
"application-key": "ENC[AES256_GCM,data:OdcLprjm4WdBrUF6tRJyn6gvQuHK/2jmnxh3QIM6XQ==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:vGtZ4NYVasQ4GP1IL6dvdQ==,type:str]"
},
"healthchecks": {
"ping-key": "ENC[AES256_GCM,data:40galLLarXCva762hm+CfZ8fULDEYg==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:y2Zw/EuuY1M2JFEcskQqgg==,type:str]"
},
"syncthing": {
"cert": "ENC[AES256_GCM,data:/l5a/ml9XjTPCG2dUjHbIbrWZ0W/Br2EBCTj0eIWQZNMXlc5Fkv/zgLdFHRME0W4FMGXv9i7QP/Kt1po4ucX/kNTYeV92kubxognXH/8mhQynBfrgdyiYeexiIv23GYwwpp8PiY4eYttQZ3VMNqrVBH3wVM6li/iDfNdWMPT57W4xCaRlVgpHQJVe1moqYY1enSOhzhDkbL+X0ApezBeMX+wjZgJOfUjCYRKtr/ZIv6PaXB8z0L9ZzAyyctYi0A5sOOW6Vss5u4Zug3kOUZvxwRWMz8zDhqJR5OqO+fO7iysA/Jp7Me6w9ptqmUE02p1w0wtNwKLuD7kbE2BbAsbGCeoBMxjy8zGgdrjAqnLdYXFtwSP0EL4RgmiVMfDL9rdEP6L3hmbL/bpkhIUbdMDta0jtSUJKxEcd9Zt99meHh4hfVLoqlYVed49XxtzQkBtGyhNRqKSja+yHPCY1NDzc7D5+Jeeq0vEPpLWJ7OKpLOoZri5a0xGCQ0OZeM+rvYyVDdKU4+FETnTtXbWphXS3D0HVSF0Kyx9AQYGq5LwTdPgtQJrsSZs4/9+0M5dAZvfmXlXAnEPiFvbJMnn8MW0gCb2z5s1YXaABgn45Xv/lSZNyzk69NKRKZZgk5Hl3DDlGXUK+Vhe5OW7iXhF/BDwjxKt0jsotP3F/hwX2KDfOvaLgkgKBNn1axMZSmEdgFnFeBRtpeEgfOWBJY2KT972rFVV5G2tNV+4Uv1VIrW8oksnxMzQdlt6rERBTUNJPFeQrcjWGse3P+h32/ziqk1Jv9UUXEw3hvCnVaimZ7sX/dZMrX9mKqC3Bt8mIk6bJEjPyva1VViand/E5FvnSo/d0tlEDhjNMJfLXSDYuJClsFSbVy9xyvRZBHy3dCg+TCmSJi2rk7V9k5Z9YEAV25y8Qq15llnMQVfUsOcI5JCQXeIYRbfuiCX/FxR5cONppoGjUOl1Gmxaq0u5k9DriFvlbpZMACjgHQneUNIKkEnadMjrAe3yyVcm8nYlUrlxX/Usot59P74Ln5V886bt0iQhkFft55w0yiDUwYY=,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:JTOYgWwot9/zwdWwVWvSUw==,type:str]",
"key": "ENC[AES256_GCM,data:PkL8Bh0pRnFfH0l1AhJdUl6LvRytJW4JTjNtGviORklxEfnh2SR9Fnsl4ftDE78+EwvVw9Fd71L16BFObp5rH3zMImSnVthj8AoBw0OpVOenhzVNnHcPX4ncOm7IPIx1X0VmtqjzO6FTW3opamt2VB3kORZhzybInaY63PlLgU1f0c7wt9wIsefQvsooVm8OS3kvMRlkeaeIqtu7ok/TpyssygALY/6TUWvImvh2Uro4LE6Ue4IzZTnq7CmSywTASwr95YqenIL0nu7cr4EG7kfGWS3/lWJf4BTNUTvfSs6PmHVEigFMBQIILo+juJC4MLdpGP+Bk2rWx1B8rZTyyrKLgS4Nl/HoCFaICOy8PjHyjTgUBlzZMwgj8cEGcwe5,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:1GaPMxFXeSKlB/dJjQUgaw==,type:str]"
},
"nebula": {
"host-key": "ENC[AES256_GCM,data:dS3tXWUK+POzTZ98wLETaWz4ief/yFULCfI5Y3EbK26KQpwxzw6cpLXUNOSZeUwz9brN/4JcwUgewJR08Uq3HZhKZKoMPZfPRtZMDe51I4RYg4hZd1mMWXQn82KmSytZCiDIL/9qCwYvObVRiNCpAOKRj6JBpgpoQ1u5hgn1EA==,iv:G25EpAnvoLfYXAdPyJVqS3ocUPg5LQlUoi7fA+XFOZ8=,tag:/BNhuxJCunM85H9DnPF5Kg==,type:str]"
},
"porkbun": {
"api-key": "ENC[AES256_GCM,data:RV/+aEQRcfQ9LMjZjxGNvCeiso51VqvqrOBRRrR/dXhmBvyoGuh2LaAjyoDoWEjWy5kIStStR+jXZEFWZ8KXvnmEnoU=,iv:j3sYW85Vf88EfeOfezlspDxEms6YqZYnzy5JAiES3+U=,tag:0M9vDvsirc6ze3Ut+yMSoA==,type:str]",
"secret-api-key": "ENC[AES256_GCM,data:SUngZ65fBmC9WlPkmJMjyBb6sHREKhqyRj9fsBGkj5IyjtGDfQ1b7Iv0VNeSY//bWv0VZruwT48a320BUlg1xiNCKU8=,iv:glUaArlHJsxCP5z3y7JnWvmtsdRzszXhYydpd1YaX5U=,tag:185iAkQ/J9CfKkTsgPP6lA==,type:str]"
},
"karakeep": {
"openai-api-key": "ENC[AES256_GCM,data:ZOVkdDWpSJ98spHm3XUuGZ4vrRBEUyCBE4Nnpm/zVwKSi6yDbbKyZffc4jwOiffUVhwM5HKmUEosI2Qdn7Z7yjJHSHgrn9mN/e7mKIrPkzZx+FNsVfPx6RAzstgbxkBjBshGiGEPcamevAMEhPlnhucqwanDk65OSn6ohQ+RCsQvKe9HsgvVq6ERPGWkHKPAAaop5asZ3ljjQ4ZEla/Q3K7/HjC6hqg=,iv:Dmx6C3jyNk4lFlv220Dkp4+UFQEushPgEwN9hexbZtU=,tag:8w55PPnbrysohj1kUztADA==,type:str]"
},
"radicale": {
"htpasswd": "ENC[AES256_GCM,data:izITzHpuEP07w7hQPKiD4Fs3Tqq8UCXf12Bn0/8WJeCTkMRSsywrD37QgWd0Kw+YPu5Oe+Muo/tWPvWQXH2pSA==,iv:ppsakiYkrL44NRGRtV9lCgQyJ+C4n8OE7I754AYA/uc=,tag:Gi/FXGOLGcAewIGFFJqKmQ==,type:str]"
},
"sops": {
"age": [
{
"recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3clZ2RDgvVWJXMUdsWVdk\nclBwc0dEQ1Y3cUt0QVpkTHNYdENnRkJQOUNrClFhM2R2L2laQ1N4cDltMElBeTY3\nOWt3VndlZHBONVdUelptM0dRTUdBd1kKLS0tIEtmOGhJUTJ2Z29JQzBsWVdUa3A5\nUWFZUkVOK1Z4bmVoOFhkY09XbU1ZbWsKgDNEjb6goOoCig73u1E8Ew7MDXIMWYx1\nzg6TRt46Ouk51tNgJ1BRMm+LO2B7PFp0Zs/KcazHmBEG9r2EeoC3kA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqU01heng3NHdrYnZFZmZn\nZlJtUUIyd1ExTmhzeU5iZFZadFcwR25GOEVZCmxHOXNWQVh1ZlJSRHJtaDVHNVUv\nbTY0TlNmZ2hESDkzS2M3WHdlamxwclkKLS0tIEEvOFd3TDFkQmQwbjBodHhpb1BD\nZ2NvTnNqQmtrLy9aVDdGRGxZbVgrZG8KdnnjJWcjZFu3R8fVKToj6THHHRCFou9k\njQoedCZAML2A2FZIhHugH9wnDUPQQjG86WbcCBuFWcOTGiTF2gN+Qg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-02-11T17:18:57Z",
"mac": "ENC[AES256_GCM,data:UNJZ69D1FOP4tA2uNJCJtQ/i0kLINml3hL4fAjXrumt3mfbROyZez3H4xX/V7a7Rb//fm3ZShcafoWinMdwFHyu1b4xW2ugpJrkutMLZCKLow3k6ySwnFQ3M4UItW69Z6ZBauzvyiTbiI+ot/9SZ0HW3CehitetMUdIeS7Zf2RE=,iv:E5ZJ0TCIgnJHYYX8WaHd8bOCppTY4zXRk76LeBk4ZHo=,tag:fTugOh+V0Uc91QhJ/oX42w==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

8
modules/nixos/sops.nix
View file

@ -34,5 +34,13 @@ in
]; ];
defaultSopsFile = cfg.secretsFile; defaultSopsFile = cfg.secretsFile;
}; };
assertions =
config.sops.secrets
|> lib.attrNames
|> lib.map (secretPath: {
assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
message = "Sops secret `${secretPath}` must be defined in secrets.json";
});
}; };
} }