diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix index e51bbff..ce7bce6 100755 --- a/modules/nixos/services/nextcloud/default.nix +++ b/modules/nixos/services/nextcloud/default.nix @@ -107,7 +107,6 @@ in }) [ "pass" - "smtp" ] ); }; diff --git a/modules/nixos/services/opencloud/default.nix b/modules/nixos/services/opencloud/default.nix index 38ef7d4..899171c 100644 --- a/modules/nixos/services/opencloud/default.nix +++ b/modules/nixos/services/opencloud/default.nix @@ -1,4 +1,4 @@ -{ flake, ... }: +{ config, flake, ... }: let inherit (flake.config.machines.devices) ceres; inherit (flake.config.services.instances) opencloud web; @@ -17,6 +17,7 @@ in environment = { OC_INSECURE = "false"; }; + environmentFile = config.sops.secrets."${service.name}-pass".path; }; caddy = { virtualHosts = { @@ -30,6 +31,29 @@ in }; }; }; + + sops = + let + sopsPath = secret: { + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; + mode = "600"; + }; + in + { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${service.name}-${secret}"; + value = sopsPath secret; + }) + [ + "smtp" + "database" + ] + ); + }; + fileSystems."/var/lib/${service.name}" = { device = service.paths.path0; fsType = "none"; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index a682cf8..592834e 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
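Review bot: The added `environmentFile = config.sops.secrets."${service.name}-pass".path;` refers to a secret that the sops block this same commit adds to the module never declares — that block lists only `"smtp"` and `"database"` — so unless `opencloud-pass` is declared by another module the evaluation fails with a missing-attribute error on `config.sops.secrets`. The simplest fix is to add `"pass"` to that list: `[ "pass" "smtp" "database" ]`. Note also that systemd parses an `EnvironmentFile` as `KEY=VALUE` lines, so the plaintext behind the new `opencloud-pass` entry in secrets.yaml has to be in that format rather than a bare password; the hunk cannot show this, so it is worth confirming. The enclosing `services.opencloud` attrset starts before this hunk.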
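Review bot: The `sops.secrets` block declares `opencloud-smtp` and `opencloud-database`, but nothing in the visible module consumes them, and the secrets.yaml hunk in this commit adds only `opencloud-pass` — sops-nix aborts activation when a declared secret key is absent from the encrypted file, so unless those two keys already exist there this change breaks the switch. Either add them to secrets.yaml in the same commit or declare only the secret the service actually reads. A one-line comment above the list would also help the next maintainer, e.g. `# each entry must exist as "${service.name}-<entry>" in secrets/secrets.yaml`. With `owner = service.name; mode = "600";` the file is readable only by the service user and root; since systemd reads `EnvironmentFile` as root, that is sufficient, but the `sopsPath` helper's `path0`-based location means the secret lands outside `/run/secrets`, so confirm that directory is not on the bind-mounted `/var/lib/${service.name}` volume declared just below.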
@@ -47,6 +47,7 @@ kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTS podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str] firefly-iii-key: ENC[AES256_GCM,data:tLJfwB8De1vdGeccr4SxifU7KYAfnasoXISvz5mSR28=,iv:vknG+h2D04lECHE/PPA53aZqWk4ouYcH+WfP7WooPYU=,tag:HKma2cydw58pAnvOFH53fA==,type:str] firefly-iii-pass: ENC[AES256_GCM,data:eJwIM4YHnXTqTOUfU/0CKMSS534VEZIxkBviI1pd7R4=,iv:pUv8ok5nLDGeCcP2hsTculk+MPPAjkupidQO0Jkc3Wc=,tag:zq7+lFjdOr5ORpthqXW8EA==,type:str] +opencloud-pass: ENC[AES256_GCM,data:NWdv0aPdimCl3UUz1SBkWo1FjFJv9LkZEwWhsvvU40NdAvRwpLdY7cTUcP2Rigs=,iv:iDk/67ifxDkoiYP4MncsVNCXJck27mPzBtRBqnzc7Co=,tag:Ma3nBAL0X08241AtZE41DA==,type:str] sops: age: - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0 @@ -58,7 +59,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-04T00:40:18Z" - mac: ENC[AES256_GCM,data:N2BwAzga2/Ig96p49rqNhhZ2udYWt7mQ9JD8DFXuxa3HOh3gtx7FWeWpGjvLnLWCgGcT4R61RKmgZQZRADNxYPE3vtdpPOFz0XvgcYSDlwslzBdSsVc08sh77P0LDgZsCzE1MxYynQ6nzFcc6gW5sorInLarsHoCCBC+Z5YpOVg=,iv:H6d3VrERM02/1zI5boFemEpMYD3greYZRqlSpBqROzM=,tag:TEakUvOlKoZYo/XPS6HVnA==,type:str] + lastmodified: "2025-07-07T18:59:54Z" + mac: ENC[AES256_GCM,data:Lk5YZ6dt0A1sVfz3dw6ATdm0sGQAV/6I2lN0wYtw3ZiILqzPe9Sr2yLxAmvoSWP9MzERGd7WXKZXa0+bKCsJlYYSElx+CBfabKMxj3CFxpy+SZnwdKUU3PMWIsD6TW0G0+gFGS/r8iBMmgY6uL5lN6cK2vAAR7zU2UB33S6RLCA=,iv:dXIvA6rp/F/Y1v6FdI4DFKb2bsP0kWWQ1j1wDnAhNSo=,tag:uthcpHfn/7SIzPAiQq1LWA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2
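Review bot: This commit drops the `"smtp"` entry from the nextcloud sops declaration but no removal of a `nextcloud-smtp` key is visible in the secrets.yaml hunks, so the encrypted value is presumably left behind in the file. A stale ciphertext is not a direct exposure, but it stays decryptable by every age recipient listed here and is easy to forget during a later rekey or rotation; if it is indeed unused now, prune it with `sops --set`/an editor pass in the same change so the file only holds secrets some module declares. Likewise, if `opencloud-smtp` and `opencloud-database` are meant to be provisioned by the new opencloud module, they belong in this hunk alongside `opencloud-pass`.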