From 5b32b947de3ac1adb4317e9c92094d67561d1230 Mon Sep 17 00:00:00 2001
From: sinanmohd
Date: Sat, 27 Dec 2025 09:01:13 +0530
Subject: chore(os/kay): refactor sops
---
os/kay/modules/services/alina.nix | 30 -----
os/kay/modules/services/alina/default.nix | 30 +++++
os/kay/modules/services/alina/secrets.yaml | 26 ++++
os/kay/modules/services/mail.nix | 173 -------------------------
os/kay/modules/services/mail/default.nix | 173 +++++++++++++++++++++++++
os/kay/modules/services/mail/secrets.yaml | 28 ++++
os/kay/modules/services/matrix/default.nix | 2 +-
os/kay/modules/services/matrix/dendrite.nix | 2 +-
os/kay/modules/services/matrix/secrets.yaml | 27 ++++
os/kay/modules/services/nix-cache.nix | 12 --
os/kay/modules/services/nix-cache/default.nix | 12 ++
os/kay/modules/services/nix-cache/secrets.yaml | 26 ++++
12 files changed, 324 insertions(+), 217 deletions(-)
delete mode 100644 os/kay/modules/services/alina.nix
create mode 100644 os/kay/modules/services/alina/default.nix
create mode 100644 os/kay/modules/services/alina/secrets.yaml
delete mode 100644 os/kay/modules/services/mail.nix
create mode 100644 os/kay/modules/services/mail/default.nix
create mode 100644 os/kay/modules/services/mail/secrets.yaml
create mode 100644 os/kay/modules/services/matrix/secrets.yaml
delete mode 100644 os/kay/modules/services/nix-cache.nix
create mode 100644 os/kay/modules/services/nix-cache/default.nix
create mode 100644 os/kay/modules/services/nix-cache/secrets.yaml
(limited to 'os/kay/modules/services')
diff --git a/os/kay/modules/services/alina.nix b/os/kay/modules/services/alina.nix
deleted file mode 100644
index c567953..0000000
--- a/os/kay/modules/services/alina.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, alina, ... }:
-let
- domain = "alinafs.com";
-in
-{
- imports = [ alina.nixosModules.alina ];
-
- sops.secrets."misc/alina" = { };
-
- services.postgresql = {
- ensureDatabases = [ "alina" ];
- ensureUsers = [
- {
- name = "alina";
- ensureDBOwnership = true;
- }
- ];
- };
-
- services.alina = {
- enable = true;
- port = 8006;
- environmentFile = config.sops.secrets."misc/alina".path;
- settings.server = {
- data = "/hdd/alina";
- file_size_limit = 1024 * 1024 * 1024; # 1GB
- public_url = "https://${domain}";
- };
- };
-}
diff --git a/os/kay/modules/services/alina/default.nix b/os/kay/modules/services/alina/default.nix
new file mode 100644
index 0000000..a2a18dd
--- /dev/null
+++ b/os/kay/modules/services/alina/default.nix
@@ -0,0 +1,30 @@
+{ config, alina, ... }:
+let
+ domain = "alinafs.com";
+in
+{
+ imports = [ alina.nixosModules.alina ];
+
+ sops.secrets."misc/alina".sopsFile = ./secrets.yaml;
+
+ services.postgresql = {
+ ensureDatabases = [ "alina" ];
+ ensureUsers = [
+ {
+ name = "alina";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.alina = {
+ enable = true;
+ port = 8006;
+ environmentFile = config.sops.secrets."misc/alina".path;
+ settings.server = {
+ data = "/hdd/alina";
+ file_size_limit = 1024 * 1024 * 1024; # 1GB
+ public_url = "https://${domain}";
+ };
+ };
+}
diff --git a/os/kay/modules/services/alina/secrets.yaml b/os/kay/modules/services/alina/secrets.yaml
new file mode 100644
index 0000000..b56b3ed
--- /dev/null
+++ b/os/kay/modules/services/alina/secrets.yaml
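Review bot: `sops.secrets."misc/alina".sopsFile = ./secrets.yaml;` now couples this module to a key path that has to exist nested in the sibling file (`misc:` then `alina:`), and nothing on the line says so; a short comment would spare the next editor a decrypt round-trip, e.g. `# key path mirrors the nesting in ./secrets.yaml (misc -> alina)`. The same applies to the mail, matrix (default.nix and dendrite.nix) and nix-cache hunks, where the Nix key additionally embeds `${domain}` while the yaml key is spelled out as `sinanmohd.com`, so a domain change would no longer resolve — sops-nix should refuse that at build time, but stating the coupling next to the secret is cheaper than discovering it there. Moving each service's secrets into its own file is a good direction: a module only ever references the keys it owns, so a mistake in one file cannot expose another service's material.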
@@ -0,0 +1,26 @@
+misc:
+ alina: ENC[AES256_GCM,data:wLxE9pcr+m3XVtHjraZvSSgUWpH+JggTUPedUtRwD/KtR6Ic1miRwqOLudlHrR9OH8dTE96nZ+DYbj1b0Nkf8iITeC+3OCFZ7SSAdF5B11squQc=,iv:XkJU0nuCShGxj92hEsUo9648WfcUssXuHWXLQMrhBC8=,tag:ygpcXyDRaUNJ5g26SV+yqQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSGwzd1J5aFRQZTlFb2Z4
+ bHN0WkVTYVEwMkRsSmZ5bi9rQnoySDdqRmdBCm82Q0xzVnZySVoyZjZNbWRhNkdH
+ eHhsL01KMkZlM004cmpEcjRVRExIV2sKLS0tIDd4UTlrSStpQnJlVTBZL3JkcEVO
+ Z0lQckhtajgxM0M4ZUhZU2VDRm1CTm8KuGXWhWLI1bL/y7xGaWyKX0Ku3oqCYqHj
+ 6i4cW2x/4tRWqjNE2kzAPTRYlWlKq4P3Db+AUnwONbcOVvvW+HWy1g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVRjhnZWZhWnV4YlRMNHMy
+ aS9LRmVlZGhwTUtnWGdESGY4RUIvMDBuV2tJCkxmVC9nY2h6RmZTeS9UT3VEMVVK
+ UTJWdCtrd2pWTkFYSXdoUnhaR0ZTblUKLS0tIGxLL3p5eWVJZUNWM2JXc0tZYmJC
+ ZFI3c0Z5VzBqYTBVRncvcHpCVXZqemMKQ6hJqsPvGXvzDe2jGy4fGZjTjHZLRdqZ
+ teGkXgxrTBmoAwt8EnFCeORzzxe27JteG6Yyjh/bLqqmND9Za4w2kA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:26:57Z"
+ mac: ENC[AES256_GCM,data:z5Lt2boUz8BTGV79gkO5VRfN2htlc54PcbSmMJiJp1IrIV+PUtnr0CtZDK6/SY83Wl947ECKJBLHlJ2pFfEK97joDDyKmwEKX+51hyoSAcDJ1ldEzHQ7TGZtxGTG2yTSSJl15hW3twF7bn3IQtSp0xzHfYJd1+5rGhtzh+RlCoE=,iv:kTtQbFxDCnbic9wLu8tFx5TroMkVUTlvK/0rE+u3aHQ=,tag:SxvowKnokavo3aXBkF6eRA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/services/mail.nix b/os/kay/modules/services/mail.nix
deleted file mode 100644
index 685461f..0000000
--- a/os/kay/modules/services/mail.nix
+++ /dev/null
@@ -1,173 +0,0 @@
-{ config, pkgs, ... }:
-let
- ipv6 = "2001:470:ee65::1337";
- domain = config.global.userdata.domain;
- username = config.global.userdata.name;
- email = [
- "${username}@${domain}"
-
- # used by github automation
- # https://github.com/nocodb/nocodb/blob/32826d4b24e9285b898bb3547fdf550f81c930bb/nix/bumper/bumper.sh#L5
- "auto@${domain}"
- # used by mail.sinanmohd.com
- "postmaster@${domain}"
- # used by ns1.sinanmohd.com
- "hostmaster@${domain}"
- ];
-
- credentials_directory = "/run/credentials/stalwart-mail.service";
-in
-{
- security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service";
- sops.secrets = {
- "mail.${domain}/dkim_rsa" = { };
- "mail.${domain}/dkim_ed25519" = { };
- "mail.${domain}/password" = { };
- };
-
- systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
- "password:${config.sops.secrets."mail.${domain}/password".path}"
-
- "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
- "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
-
- "cert:${config.security.acme.certs.${domain}.directory}/fullchain.pem"
- "key:${config.security.acme.certs.${domain}.directory}/key.pem"
- ];
-
- services.postgresql = {
- ensureDatabases = [ "stalwart" ];
- ensureUsers = [
- {
- name = "stalwart";
- ensureDBOwnership = true;
- }
- ];
- };
-
- services.stalwart-mail = {
- enable = true;
- openFirewall = true;
-
- settings = {
- queue.outbound = {
- ip-strategy = "ipv6_then_ipv4";
- source-ip.v6 = "['${ipv6}']";
- tls.starttls = "optional";
- };
- http.url = "'https://stalwart.${domain}'";
-
- server = {
- hostname = "mail.${domain}";
- listener = {
- smtp = {
- bind = [
- "[${ipv6}]:25"
- "0.0.0.0:25"
- ];
- protocol = "smtp";
- };
- submission = {
- bind = "[::]:587";
- protocol = "smtp";
- };
- submissions = {
- bind = "[::]:465";
- protocol = "smtp";
- tls.implicit = true;
- };
- imaptls = {
- bind = "[::]:993";
- protocol = "imap";
- tls.implicit = true;
- };
- http = {
- bind = "[::]:8085";
- protocol = "http";
- };
- };
- };
-
- signature = {
- rsa = {
- private-key = "%{file:${credentials_directory}/dkim_rsa}%";
- inherit domain;
- selector = "rsa";
- headers = [
- "From"
- "To"
- "Date"
- "Subject"
- "Message-ID"
- ];
- algorithm = "rsa-sha-256";
- canonicalization = "simple/simple";
-
- set-body-length = true;
- expire = "2d";
- report = true;
- };
- ed25519 = {
- private-key = "%{file:${credentials_directory}/dkim_ed25519}%";
- inherit domain;
- selector = "ed25519";
- headers = [
- "From"
- "To"
- "Date"
- "Subject"
- "Message-ID"
- ];
- algorithm = "ed25519-sha256";
- canonicalization = "simple/simple";
-
- set-body-length = true;
- expire = "2d";
- report = true;
- };
- };
-
- certificate."default" = {
- cert = "%{file:${credentials_directory}/cert}%";
- private-key = "%{file:${credentials_directory}/key}%";
- };
-
- storage = {
- data = "postgresql";
- fts = "postgresql";
- blob = "postgresql";
- lookup = "postgresql";
- directory = "memory";
- };
- store.postgresql = {
- type = "postgresql";
- host = "localhost";
- database = "stalwart";
- user = "stalwart";
- timeout = "15s";
- tls.enable = false;
- pool.max-connections = 10;
- };
-
- directory."memory" = {
- type = "memory";
-
- principals = [
- {
- class = "admin";
- name = "${username}@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
- inherit email;
- }
- {
- # for mta-sts & dmarc reports
- class = "individual";
- name = "reports@${domain}";
- secret = "%{file:${credentials_directory}/password}%";
- email = [ "reports@${domain}" ];
- }
- ];
- };
- };
- };
-}
diff --git a/os/kay/modules/services/mail/default.nix b/os/kay/modules/services/mail/default.nix
new file mode 100644
index 0000000..01f44bb
--- /dev/null
+++ b/os/kay/modules/services/mail/default.nix
@@ -0,0 +1,173 @@
+{ config, ... }:
+let
+ ipv6 = "2001:470:ee65::1337";
+ domain = config.global.userdata.domain;
+ username = config.global.userdata.name;
+ email = [
+ "${username}@${domain}"
+
+ # used by github automation
+ # https://github.com/nocodb/nocodb/blob/32826d4b24e9285b898bb3547fdf550f81c930bb/nix/bumper/bumper.sh#L5
+ "auto@${domain}"
+ # used by mail.sinanmohd.com
+ "postmaster@${domain}"
+ # used by ns1.sinanmohd.com
+ "hostmaster@${domain}"
+ ];
+
+ credentials_directory = "/run/credentials/stalwart-mail.service";
+in
+{
+ security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service";
+ sops.secrets = {
+ "mail.${domain}/dkim_rsa".sopsFile = ./secrets.yaml;
+ "mail.${domain}/dkim_ed25519".sopsFile = ./secrets.yaml;
+ "mail.${domain}/password".sopsFile = ./secrets.yaml;
+ };
+
+ systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
+ "password:${config.sops.secrets."mail.${domain}/password".path}"
+
+ "dkim_rsa:${config.sops.secrets."mail.${domain}/dkim_rsa".path}"
+ "dkim_ed25519:${config.sops.secrets."mail.${domain}/dkim_ed25519".path}"
+
+ "cert:${config.security.acme.certs.${domain}.directory}/fullchain.pem"
+ "key:${config.security.acme.certs.${domain}.directory}/key.pem"
+ ];
+
+ services.postgresql = {
+ ensureDatabases = [ "stalwart" ];
+ ensureUsers = [
+ {
+ name = "stalwart";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.stalwart-mail = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ queue.outbound = {
+ ip-strategy = "ipv6_then_ipv4";
+ source-ip.v6 = "['${ipv6}']";
+ tls.starttls = "optional";
+ };
+ http.url = "'https://stalwart.${domain}'";
+
+ server = {
+ hostname = "mail.${domain}";
+ listener = {
+ smtp = {
+ bind = [
+ "[${ipv6}]:25"
+ "0.0.0.0:25"
+ ];
+ protocol = "smtp";
+ };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ };
+ submissions = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ imaptls = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ http = {
+ bind = "[::]:8085";
+ protocol = "http";
+ };
+ };
+ };
+
+ signature = {
+ rsa = {
+ private-key = "%{file:${credentials_directory}/dkim_rsa}%";
+ inherit domain;
+ selector = "rsa";
+ headers = [
+ "From"
+ "To"
+ "Date"
+ "Subject"
+ "Message-ID"
+ ];
+ algorithm = "rsa-sha-256";
+ canonicalization = "simple/simple";
+
+ set-body-length = true;
+ expire = "2d";
+ report = true;
+ };
+ ed25519 = {
+ private-key = "%{file:${credentials_directory}/dkim_ed25519}%";
+ inherit domain;
+ selector = "ed25519";
+ headers = [
+ "From"
+ "To"
+ "Date"
+ "Subject"
+ "Message-ID"
+ ];
+ algorithm = "ed25519-sha256";
+ canonicalization = "simple/simple";
+
+ set-body-length = true;
+ expire = "2d";
+ report = true;
+ };
+ };
+
+ certificate."default" = {
+ cert = "%{file:${credentials_directory}/cert}%";
+ private-key = "%{file:${credentials_directory}/key}%";
+ };
+
+ storage = {
+ data = "postgresql";
+ fts = "postgresql";
+ blob = "postgresql";
+ lookup = "postgresql";
+ directory = "memory";
+ };
+ store.postgresql = {
+ type = "postgresql";
+ host = "localhost";
+ database = "stalwart";
+ user = "stalwart";
+ timeout = "15s";
+ tls.enable = false;
+ pool.max-connections = 10;
+ };
+
+ directory."memory" = {
+ type = "memory";
+
+ principals = [
+ {
+ class = "admin";
+ name = "${username}@${domain}";
+ secret = "%{file:${credentials_directory}/password}%";
+ inherit email;
+ }
+ {
+ # for mta-sts & dmarc reports
+ class = "individual";
+ name = "reports@${domain}";
+ secret = "%{file:${credentials_directory}/password}%";
+ email = [ "reports@${domain}" ];
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/os/kay/modules/services/mail/secrets.yaml b/os/kay/modules/services/mail/secrets.yaml
new file mode 100644
index 0000000..e3b4c5d
--- /dev/null
+++ b/os/kay/modules/services/mail/secrets.yaml
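Review bot: Both principals under `directory."memory"` read the same credential, `secret = "%{file:${credentials_directory}/password}%";`, so the `reports@${domain}` mailbox that only needs to receive MTA-STS and DMARC reports is protected by the admin password, and whatever tool fetches those reports holds an admin credential. This predates the commit and is only moved here, but the new file is the place to fix it: a separate sops key (a constructed name such as `mail.${domain}/reports_password`) loaded through its own LoadCredential entry would keep a leak of that account's credential from becoming an admin compromise. Separately, with `openFirewall = true;` the plain `http` listener on `[::]:8085` is presumably opened alongside the mail ports if the NixOS module derives firewall ports from every listener; since `http.url` already points at `https://stalwart.${domain}`, binding that listener to loopback (`[::1]:8085`) keeps the unencrypted management/JMAP endpoint behind the reverse proxy — worth confirming against the module before changing it.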
@@ -0,0 +1,28 @@
+mail.sinanmohd.com:
+ dkim_rsa: ENC[AES256_GCM,data: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,iv:W8YAldq0KjrNe7WhGSUNI2+bq2CJrLhq+XPQVR9QsBo=,tag:LRfmBBFuFR8QR8pCj8OzSw==,type:str]
+ dkim_ed25519: ENC[AES256_GCM,data:gmI789Z7c9QZMRWOD300cDw0vLNLv4VMhV2jF4M/1roraLqKE/2cA4qv9i8qFmBMJjsq3iUKJBUJ+tBLsUkIR9UnwplQDjAyNaMZsxg0eT3HyssUZ2w2Dnd+EdJb+n/fGwsezHizYORz5qVU/ZUuSiCtuE4LEg==,iv:eAmJgIu++veapN1M3sYkYPAMP8CROFWdDIBmkXuzofw=,tag:hkCDPDDCBxE7DXSuSBFsGg==,type:str]
+ password: ENC[AES256_GCM,data:LJi8+a1dGus+XLt3k/K/3Mb0tNUJj7HDpPdqfYhU,iv:Iurz9YegxJ/coDQ6PbezeSni2DWYzpzlju6mJ90WLe8=,tag:2HgYlwDGqaklpdc+LOA0bQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2MVBCNE45ZFFBeVVrSHpU
+ UnJSTlk0TyttQlg1R1BnK2plYm5uMm95NnkwCmFjNmhxRFBNQVMzNzlJeFcva0Q4
+ cUtzZjF2RnJMd1JLUTMxU1YxQXJOR2sKLS0tIFpBamM5MktOYWwwaS9lcHhFWDVM
+ YlpwKzd1MkNlcXdmNDhpb3lXSjFKS28KngLhoabp4GBdfsGkMwTkClddEI6LgKet
+ EXTJ1PrLm3+5mp/2Ypgo325Cp9xIQKi7BYF9C6783mfN+dpbZ0QcbA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwb3d4R0dORXZXOENUSDha
+ bWh3N1lYYVpNVTk2WE4xdXBSVzhrWTJHL0R3Ck1GbU5iTDVVaUpZVm9YK05rNzhs
+ c1dtQmVNSWlCNjg5SENHR3c1TGhwUkkKLS0tIFE0MzlRSkk3T0YyRVptdEpwak1T
+ enJZVFAxdEprdTVzbC8yWGJyWnFNREkK3/OgnLjS/sj4MzZPLH3QhEWd6WKiu4nM
+ wRNvhl7nDe1IwLoHbNSqTwEkalyEA3yIVlst3KyEpKb5q9H2+avqAQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:23:15Z"
+ mac: ENC[AES256_GCM,data:vlks8inOi7qmCKmx1SsCf1ipbwMNFfHsJGny4YGCUr+GWvvtdsLXsf8+AGUfoDa/2fBp7Wv2h1HIx1QY1JX3JgzKoyjEa1rRczJyWW9C/sR5UjyjUa0/t1MNMB7X1l9GGZObDQj9lrWm1e9JUIR6+63mESeykUzh3Wt8qhEgBAo=,iv:l1JWmFqR3lvsyYbPzHzCT6/Yj5qAvMv18jhhXdh2Ex4=,tag:JgXSqfeFVHzg5SeP/5bE+g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/services/matrix/default.nix b/os/kay/modules/services/matrix/default.nix
index 1b9564d..811539d 100644
--- a/os/kay/modules/services/matrix/default.nix
+++ b/os/kay/modules/services/matrix/default.nix
@@ -8,7 +8,7 @@ in
 ./matrix-sliding-sync.nix
 ];
- sops.secrets."matrix-${domain}/sliding_sync" = { };
+ sops.secrets."matrix-${domain}/sliding_sync".sopsFile = ./secrets.yaml;
 services.matrix-sliding-sync-dirty = {
 enable = true;
diff --git a/os/kay/modules/services/matrix/dendrite.nix b/os/kay/modules/services/matrix/dendrite.nix
index e66c5a5..5b05c97 100644
--- a/os/kay/modules/services/matrix/dendrite.nix
+++ b/os/kay/modules/services/matrix/dendrite.nix
@@ -10,7 +10,7 @@ let
 };
 in
 {
- sops.secrets."matrix-${domain}/key" = { };
+ sops.secrets."matrix-${domain}/key".sopsFile = ./secrets.yaml;
 systemd.services.dendrite.after = [ "postgresql.service" ];
 services = {
diff --git a/os/kay/modules/services/matrix/secrets.yaml b/os/kay/modules/services/matrix/secrets.yaml
new file mode 100644
index 0000000..fc53c35
--- /dev/null
+++ b/os/kay/modules/services/matrix/secrets.yaml
@@ -0,0 +1,27 @@
+matrix-sinanmohd.com:
+ key: ENC[AES256_GCM,data:9GOvsuZLCvSLXXFhJCBE5eTb9nLk4S5SYGuAFx3Mz8jmqweC3AwQWYIobAg4dKWfI170/kC1mqPe3BdRrUSVw/j9AKRr8wQfucOk1StMhV/50x0hKJ40RyAmO1b4enzn21cBbLdromgn5ScXPY+Dzp932wrwuIEltL+uhrfoxI/jDHsJ1AZdBg==,iv:L5NszYBM/9CSj7RtTXj/7DS59MmueVZBXI7xZ3kB8yg=,tag:RAHWcpy7iv1ZYtImsTE+Rg==,type:str]
+ sliding_sync: ENC[AES256_GCM,data:XcypFVl0Lgw7dEJ68cSygR5XFV+CRV1wWWTU0PAyLQR4QiYk1tG1TCHoR+99nCT8Rhmq2oH8ifvjJ10h7StJKOm0dmA0jKrcHJFp/30/,iv:0mLPUKqfUZoHnoCdR4gjQtViFu8Z7WqdDbhGsygl/5A=,tag:ZTnf61BmZcjf2IYfJ1+6bw==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpc3ZrNVVLZmtGdHc1WUMw
+ STFSekNWRVl4aGdOajc5SXowTFRaMnhBcENNClpCUnA0cXUveFhRRTRKSS9iUEtJ
+ WEZRejcxcStHSEtJWm8vWTc0U0NWaFkKLS0tIDFxelpxQzloVTAyWVZOOCtNOWl2
+ RHN5bXlNRVRWMzkxNXJYMlo2SFVXazgKEbvi/uJ1JZF1VYqLeVaWqWMZkDOC1fUU
+ lQRnT3wMqiYt0s5apBBbQ1HnZ7F7TsM11xG2D3miboCrzLRcz1sbkQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSWJ0UmJvdlNaRC9YMXNu
+ T01sem12MzZPbnVXS1NLSTA0QStoaWE0U0dFCkY0eDlvbE9aajlpT1V0RVJFZFhE
+ VEJkOWorMk1aa1BSUXA4RDQ4NnpDbHcKLS0tIEhIRXpNUkxPdC84cy93SnZKNHRH
+ U0NOaC9hSVlicEs0dnl1VEp0ZlBneFkKaY/9eux5tBo1r6LbAkoWDhWv47AuwWtH
+ 8uOaPUu2wHNm1s8DjwyCeOXeN0BzX+8U/Rjh9/p4px1O0Z9ARUR9mg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:21:22Z"
+ mac: ENC[AES256_GCM,data:QDzTSUUyy59c2gMjut2z8qyQGXlcWHnwHxOxFN5N5yy6k1yFgZxPpxsKeyY2yltOSE+qeduy5NLbLon1Exp9kMoXQomutYO4wlZrbXJFGoB4Mobhjv9WbE0FDwHeNAYLeRDF5GUZGxSnDg3i5mAM4kvXItXKYuKe331WCrKCvoQ=,iv:MN4ey+QDUMcAoqAkXAFXKraXs+gcGMuHZwsmCs0CuI0=,tag:Sfkzgv6bjlhD2Z8MVpw3eg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/services/nix-cache.nix b/os/kay/modules/services/nix-cache.nix
deleted file mode 100644
index 9c81b56..0000000
--- a/os/kay/modules/services/nix-cache.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, ... }:
-let
- keyname = "misc/nixbin.${config.global.userdata.domain}";
-in
-{
- sops.secrets.${keyname} = { };
-
- services.nix-serve = {
- enable = true;
- secretKeyFile = config.sops.secrets.${keyname}.path;
- };
-}
diff --git a/os/kay/modules/services/nix-cache/default.nix b/os/kay/modules/services/nix-cache/default.nix
new file mode 100644
index 0000000..483240e
--- /dev/null
+++ b/os/kay/modules/services/nix-cache/default.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+let
+ keyname = "misc/nixbin.${config.global.userdata.domain}";
+in
+{
+ sops.secrets.${keyname}.sopsFile = ./secrets.yaml;
+
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = config.sops.secrets.${keyname}.path;
+ };
+}
diff --git a/os/kay/modules/services/nix-cache/secrets.yaml b/os/kay/modules/services/nix-cache/secrets.yaml
new file mode 100644
index 0000000..bf5c2c4
--- /dev/null
+++ b/os/kay/modules/services/nix-cache/secrets.yaml
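Review bot: `secretKeyFile = config.sops.secrets.${keyname}.path;` hands nix-serve the decrypted store signing key at sops-nix's default ownership (root-owned, mode 0400), and the module sets neither `owner` nor a LoadCredential entry the way the mail module does; that is only sound if the NixOS nix-serve unit itself passes the file through `LoadCredential` or runs as root, which I cannot confirm from this hunk. Worth checking once, and then recording the answer on the secret so it is not re-derived, e.g. `# binary cache signing key; read via the unit's credential, so root:0400 is fine`. The key material is the trust root for every client that pins this cache's public key, so a comment naming its role is also cheap insurance against it being reused or loosened elsewhere.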
@@ -0,0 +1,26 @@
+misc:
+ nixbin.sinanmohd.com: ENC[AES256_GCM,data:kep0jdkItABm/rLVcllq/K3/P3eP/3MCNhTTV+E5Oh2nfhbQFxaon1iVzq48CzuSk0I0viOelLIiPNZk9ALIqMKBTva0lU3GD/QO/7zjUC2YQ39bDRpraftRk1wHBz0qMWk+2PnwYDn61XkiKQ==,iv:Ue56rg0w0t6AlEOV2KDhZ34yV23Zy+3zIlkMf4m2+Cs=,tag:O4h1Nfi1VJWn+HJJrMTrGQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmcjBBYmZOQkRsVlRWcWpE
+ cUpkVlVSQndnQ2NmVURVNnpsNjA3RHBsbXpRCjZOaVlnaEVTVW5SWGZGZFpWejJ3
+ RjlGK0VVT3hwcVlOQldGWVZKM1B6bE0KLS0tIGdZdVpPYWpQS0tIUWhYV3p1V1pK
+ VUwrTDlBSEd1WFJCazhuVTNsNk1NNGsK2kTSv9l9nEO0td57TghhklEFVQSaynPE
+ uUrdVnPantk9vPQDtpuYTKPhBBSxjgiUfBflKKhAaG54Yh0ckwhXsg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBST2I3RlJsRGEyTWpNVUFl
+ OFRpemw4WWJPcDhYcGNhb282SVFVK2FpMmhBCmZoT0ZCZktRM0t2aGxCd0J4R0lF
+ TkNSRWhaYmRJQjI5dFc0NHBMTUhyTFEKLS0tIHdwRXJGWUtUd3pxOXZ2UzErVlpU
+ SWVRbVNZWFRzOWNFb0lqdnJOVlBoZ1kKzu5Hr+peARgyU0AmUfxLqam7BgxEHyJS
+ yCJN0AJrQF7zgv/NQDELcphN5SNbkTZdVU90tiYohKw8wgGTTobTSQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:27:58Z"
+ mac: ENC[AES256_GCM,data:G0fEhc1V6udu0QcaMLc4iGIDelIcpXiSTIJPKl2O3faUGZzwWN+pJ9xKiBKAgA3KLIxJARlidwVl4LQK1cE+quMrK2ln/VjxwJBAJumalpZaQtYHQYVXDUreNy7NnUeqIr+fsD7baAXvi2V4DlY9tQg6rhqmb7YZyx1YL0gIaXc=,iv:TfCS4d/2k91B901nJ+kiOEqL2JuQoMyokAKFDF/r0Ls=,tag:th2ntLcU5dXugGYez7Bs2g==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
--
cgit v1.2.3