refactor: centralize SOPS configuration in separate file

2025-09-03 14:22:01 +05:30
parent 3d2f53e8f5
commit be5b646ece
12 changed files with 39 additions and 30 deletions
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -20,7 +20,6 @@
          inputs.sops-nix.nixosModules.sops
          inputs.disko.nixosModules.disko
          {nixpkgs.overlays = overlays;}
-          ./${device.name}/configuration.nix
          home-manager.nixosModules.home-manager
          inputs.arion.nixosModules.arion
          # inputs.command-runner.nixosModules.command-runner
@@ -43,6 +42,8 @@
              ];
            };
          }
+          ../sops.nix
+          ./${device.name}/configuration.nix
        ];
      }
  )
--- a/nixos/mirai/configuration.nix
+++ b/nixos/mirai/configuration.nix
@@ -24,9 +24,6 @@

  security.sudo.wheelNeedsPassword = false;
  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/fs0c131y/.config/sops/age/keys.txt";
    secrets."builder/mirai/cache/private" = {};
    secrets.users = {
      sopsFile = ../../secrets/users.yaml;
--- a/nixos/mirai/services/flaresolverr.nix
+++ b/nixos/mirai/services/flaresolverr.nix
@@ -1,7 +1,8 @@
-{...}: {
+{stablePkgs, ...}: {
  services = {
    flaresolverr = {
      enable = true;
+      package = stablePkgs.flaresolverr;
    };
  };
 }
--- a/nixos/mirai/services/llama.nix
+++ b/nixos/mirai/services/llama.nix
@@ -43,7 +43,7 @@
      };
    };
    open-webui = {
-      enable = true;
+      enable = false;
      port = 7070;
      environment = {
        SCARF_NO_ANALYTICS = "True";
--- a/nixos/mirai/services/lldap.nix
+++ b/nixos/mirai/services/lldap.nix
@@ -13,8 +13,8 @@
      http_port = 5090;
      ldap_port = 389;
      ldap_host = "::";
+      ldap_user_pass_file = config.sops.secrets."lldap/admin".path;
      environmentFile = ''
-        LLDAP_LDAP_USER_PASS_FILE = ${config.sops.secrets."lldap/admin".path};
        LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path};
        LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path};
      '';
--- a/nixos/ryu/configuration.nix
+++ b/nixos/ryu/configuration.nix
@@ -11,11 +11,11 @@
    ./containers
  ];

-  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/${device.user}/.config/sops/age/keys.txt";
-  };
+  # sops = {
+  #   defaultSopsFile = ../../secrets/secrets.yaml;
+  #   defaultSopsFormat = "yaml";
+  #   age.keyFile = "/home/${device.user}/.config/sops/age/keys.txt";
+  # };

  security.tpm2 = {
    enable = true;
--- a/nixos/tsuba/configuration.nix
+++ b/nixos/tsuba/configuration.nix
@@ -13,11 +13,6 @@

  nixpkgs.config.allowUnfree = true;
  security.sudo.wheelNeedsPassword = false;
-  sops = {
-    defaultSopsFile = ../../secrets/secrets.yaml;
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/servius/.config/sops/age/keys.txt";
-  };
  nix = {
    settings = {
      auto-optimise-store = true;
--- a/nixos/tsuba/default.nix
+++ b/nixos/tsuba/default.nix
@@ -49,6 +49,7 @@
          ./services
          ./disk-config.nix
          ./${name}.nix
+          ../../sops.nix
        ];
      }
  )
--- a/nixos/tsuba/services/caddy.nix
+++ b/nixos/tsuba/services/caddy.nix
@@ -31,11 +31,11 @@
            }
        }
      '';
-      # package = pkgs.caddy.withPlugins {
-      #   plugins = ["github.com/caddy-dns/hetzner@v1.0.0"];
-      #   hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
-      # };
-      package = pkgs.caddyWithHetzner;
+      package = pkgs.caddy.withPlugins {
+        plugins = ["github.com/caddy-dns/hetzner@v1.0.0"];
+        hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
+      };
+      # package = pkgs.caddyWithHetzner;
    };
  };
  systemd.services.caddy = {