integrate sops-nix for secret management

modules/system/homelab/auth.nix

@@ -1,7 +1,7 @@
-{ homelab, ... }: {
+{ config, homelab, ... }: {
   services.pocket-id = {
     enable = true;
-    credentials.ENCRYPTION_KEY = "/mnt/data/pocketid/encryption-key";
+    credentials.ENCRYPTION_KEY = config.sops.secrets.pocketid_encryption_key.path;
     dataDir = "/mnt/data/pocketid/data";
     settings = {
       PORT = "1411";

modules/system/homelab/dash.nix

@@ -1,4 +1,4 @@
-{ timezone, homelab, ... }: let 
+{ config, timezone, homelab, ... }: let 
   rss = [
     "https://www.raspberrypi.com/news/feed/"
     "https://www.jeffgeerling.com/blog.xml"
@@ -96,7 +96,7 @@ in {
   };
   services.glance = {
     enable = true;
-    environmentFile = "/var/lib/glance/.env";
+    environmentFile = config.sops.secrets.glance_env.path;
     settings = {
       server = {
         host = "127.0.0.1";

modules/system/homelab/pass.nix

@@ -1,9 +1,9 @@
-{ homelab, ... }: {
+{ config, homelab, ... }: {
   services.vaultwarden = {
     enable = true;
     domain = "pass.proxy.${homelab.domain}";
     backupDir = "/mnt/data/vaultwarden/backups";
-    environmentFile = "/mnt/data/vaultwarden/.env";
+    environmentFile = config.sops.secrets.vaultwarden_env.path;
     config = {
       ROCKET_PORT = 8060;
       ROCKET_ADDRESS = "127.0.0.1";

modules/system/homelab/proxy.nix

@@ -1,4 +1,4 @@
-{ homelab, lib, ... }: let
+{ config, homelab, lib, ... }: let
   base = "proxy.${homelab.domain}";
   hosts = {
     "server"     = { dest = "https://server.dns.${homelab.domain}:8006"; auth = false; };
@@ -45,8 +45,7 @@ in {
       domain = "*.${base}";
       extraDomainNames = [ base ];
       dnsProvider = "cloudflare";
-      environmentFile = "/var/lib/acme/cloudflare.env";
-      # ^^^contents: CLOUDFLARE_DNS_API_TOKEN=XXXXX
+      environmentFile = config.sops.templates."cloudflare.env".path;
     };
   };
   
@@ -81,7 +80,7 @@ in {
         locations."/" = {
           proxyPass = cfg.dest;
           proxyWebsockets = true;
-          basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
+          basicAuthFile = if cfg.auth then config.sops.secrets.nginx_htpasswd.path else null;
           extraConfig = exta-conf;
         };
       }) hosts;

modules/system/homelab/sops.nix

@@ -0,0 +1,59 @@
+{ config, ... }: {
+  sops = {
+    defaultSopsFile = ../../../secrets/homelab.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+    secrets = {
+      cloudflare_dns_api_token = {
+        owner = "acme";
+        group = "acme";
+      };
+
+      cloudflared_tunnel_credentials = {
+        owner = "cloudflared";
+        group = "cloudflared";
+      };
+
+      cloudflared_cert = {
+        owner = "cloudflared";
+        group = "cloudflared";
+      };
+
+      vaultwarden_env = {
+        owner = "vaultwarden";
+        group = "vaultwarden";
+        restartUnits = [ "vaultwarden.service" ];
+      };
+
+      glance_env = {
+        owner = "glance";
+        group = "glance";
+        restartUnits = [ "glance.service" ];
+      };
+
+      pocketid_encryption_key = {
+        owner = "root";
+        group = "root";
+        restartUnits = [ "pocket-id.service" ];
+      };
+
+      tailscale_authkey = {
+        owner = "root";
+        group = "root";
+        restartUnits = [ "tailscaled.service" ];
+      };
+
+      nginx_htpasswd = {
+        owner = "nginx";
+        group = "nginx";
+        restartUnits = [ "nginx.service" ];
+      };
+    };
+
+    templates."cloudflare.env" = {
+      owner = "acme";
+      group = "acme";
+      content = "CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder.cloudflare_dns_api_token}";
+    };
+  };
+}

modules/system/homelab/tunnels.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, homelab, ... }: let
+{ config, pkgs, lib, homelab, ... }: let
   routes = {
     "git.${homelab.domain}"     = "http://localhost:5080";
     "auth.${homelab.domain}"    = "http://localhost:1411";
@@ -10,8 +10,8 @@ in {
   services.cloudflared = {
     enable = true;
     tunnels.homelab = {
-      credentialsFile = "/mnt/data/cloudflared/homelab.json";
-      certificateFile = "/mnt/data/cloudflared/cert.pem";
+      credentialsFile = config.sops.secrets.cloudflared_tunnel_credentials.path;
+      certificateFile = config.sops.secrets.cloudflared_cert.path;
       default = "http_status:404";
       ingress = routes;
     };
@@ -31,7 +31,7 @@ in {
 
     script = lib.concatMapStringsSep "\n" (domain: ''
       echo "Ensuring DNS route for ${domain}..."
-      ${pkgs.cloudflared}/bin/cloudflared tunnel --origincert /mnt/data/cloudflared/cert.pem route dns ${homelab.cf-tunnel-id} ${domain} || true
+      ${pkgs.cloudflared}/bin/cloudflared tunnel --origincert ${config.sops.secrets.cloudflared_cert.path} route dns ${homelab.cf-tunnel-id} ${domain} || true
     '') (builtins.attrNames routes);
   };
 }