ewancroft.uk / nix
My nix-darwin and NixOS config
3
fork

Configure Feed

Select the types of activity you want to include in your feed.

fix(sharkey): Meilisearch master key secret format

Ewan Croft 097b92e3 c8a26b3b

+28 -17
+1
.gitignore
··· 28 28 !/secrets/nextcloud-smtp-pass 29 29 !/secrets/forgejo-user-token 30 30 !/secrets/smartd-smtp-pass 31 + !/secrets/meilisearch-master-key 31 32 32 33 # 2.1 will need to re-auth on 29 May, 2026 as per Tailscale maximum 90-day window. 33 34 !/secrets/tailscale-auth-key
+1 -1
.sops.yaml
··· 27 27 creation_rules: 28 28 # ── Secrets available on all machines ────────────────────────────────────── 29 29 # ── Server-only secrets ───────────────────────────────────────────────────── 30 - - path_regex: secrets/(pds\.env|cloudflare\.token|cloudflare-acme\.env|cloudflare-acme-croft-click\.env|cf-tunnel\.json|forgejo\.env|nextcloud-admin-pass|nextcloud-smtp-pass|vaultwarden\.env|sharkey\.env|meilisearch-master-key\.env)$ 30 + - path_regex: secrets/(pds\.env|cloudflare\.token|cloudflare-acme\.env|cloudflare-acme-croft-click\.env|cf-tunnel\.json|forgejo\.env|nextcloud-admin-pass|nextcloud-smtp-pass|vaultwarden\.env|sharkey\.env|meilisearch-master-key)$ 31 31 key_groups: 32 32 - age: 33 33 - *ewan
+8 -7
modules/server/sharkey.nix
··· 49 49 }; 50 50 users.groups.sharkey = { }; 51 51 52 - # Meilisearch master key — file must contain: MEILI_MASTER_KEY=<value> 53 - # Generate: openssl rand -base64 32 54 - # Then: echo "MEILI_MASTER_KEY=$(openssl rand -base64 32)" | sops --encrypt --input-type dotenv --output-type dotenv /dev/stdin > secrets/meilisearch-master-key.env 55 - sops.secrets."meilisearch-master-key.env" = { 56 - sopsFile = ../../secrets/meilisearch-master-key.env; 57 - format = "dotenv"; 52 + # Meilisearch master key — file must contain the raw key value only (no KEY= prefix). 53 + # Generate and encrypt: 54 + # openssl rand -base64 32 > secrets/meilisearch-master-key 55 + # SOPS_AGE_KEY_FILE=~/.config/age/keys.txt sops --encrypt --in-place --input-type binary --output-type binary secrets/meilisearch-master-key 56 + sops.secrets."meilisearch-master-key" = { 57 + sopsFile = ../../secrets/meilisearch-master-key; 58 + format = "binary"; 58 59 owner = "meilisearch"; 59 60 group = "meilisearch"; 60 61 mode = "0400"; 61 62 }; 62 63 63 64 services.meilisearch = { 64 - masterKeyEnvironmentFile = config.sops.secrets."meilisearch-master-key.env".path; 65 + masterKeyFile = config.sops.secrets."meilisearch-master-key".path; 65 66 environment = "production"; 66 67 listenAddress = "127.0.0.1"; 67 68 noAnalytics = true;
+18
secrets/meilisearch-master-key
··· 1 + { 2 + "data": "ENC[AES256_GCM,data:Py8U65PWF5ZGHsYg422Brew/dhaMcqIK5XqY5UFezxJZe+IDvbnY4vfyevvM,iv:kRhELm5RZ5wL3fFPUPz+kizNYUmQSXSpK1PcmdZrwSg=,tag:D3Rxp2mxUWFcuepSA0iUzg==,type:str]", 3 + "sops": { 4 + "age": [ 5 + { 6 + "recipient": "age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy", 7 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyU1NiU2lCcGxFODZZYjJ3\nbG0zYTlONXZzRi9jRFFIVUJzcnhFeWpSMFZNCkdOa2VkZHE3ZWFqOUdueEZGdnRp\naDBQRzQ5b2xmcVdaNzN4VHFkTGNDNVkKLS0tIEtnMUpXbWZaM1N0WDY2YlVhWlZu\ncExoM2dDZXBpV0NRSHdiZzM5b3lVamMKgciQ2Y2lk+/xJ+KUVfazRsvet/R3gAlc\n1Y+P7p8dTuSPfV+uPJVuRKraKHQZ4fR0If+mt6AJ0/rLHZ0/AL4GSg==\n-----END AGE ENCRYPTED FILE-----\n" 8 + }, 9 + { 10 + "recipient": "age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu", 11 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbHoycUkrRjFYL3dGWUVJ\nY2padjROSzhKZzROSE8vUk1wQ1hxQ3V3eWxNCnZNSWtRZzVPTUdGSDRvNGRYWWtr\nZUd1ZFVDYzAyT3NmdlFJY0JCZU5Da0EKLS0tIDVqSWJGem94Wm5TRm43MzVmdzBN\nTDNIaHY0TVVKRjFkV0JRakJTUE9DYXcKzZtvXXH9r+HoVT5oGXkzdsDQcE3LYFa6\n5jfk5G87i5Tz9De1LPu+sNR/DoSS18Tu1xgosFMr5KRvgYchhkcfcg==\n-----END AGE ENCRYPTED FILE-----\n" 12 + } 13 + ], 14 + "lastmodified": "2026-03-20T21:06:11Z", 15 + "mac": "ENC[AES256_GCM,data:Q/OyXakVtwRQxZ+oQZR30XXkQyfbGZZTc32PrM7llcLxt/q31ar0f+0F3Lav4eSkE+MHN2RZMx6+OW8jG4w2RCnLe4+hQbKvH7ZWEBukgXHvjHeu0Cv054f8ppe6ixmx5xzrQnIdLpT0vBBpvyDxKx6UiqIU1dBdmajP+P+BBXg=,iv:6QQhpbtWwpsWABhX5x1MdNhBt7aXtl2dI7T3vu6kyO4=,tag:6xGEAA6aSoFIRrMlVl60RQ==,type:str]", 16 + "version": "3.12.1" 17 + } 18 + }
-9
secrets/meilisearch-master-key.env
··· 1 - MEILI_MASTER_KEY=ENC[AES256_GCM,data:6CDrCEr3HQjJd+Bkg7axzP91lRyYGPfFVJ9AVsJsmYD5lpnn3qzXk9DTjYU=,iv:k31bulPpARGM6BFv0ZZEPW7V6TS45Foremw69JqcGjw=,tag:C4jScN9fLQLry/Ni5t0OuA==,type:str] 2 - sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2K0ZRR2p3em9aTCtFeHRV\nMDA4elgydzRuM1RDRjV5c3MwTHlaQlhWV1JvCjgraFdoek14Wlg0Zi9SbVNhRmw1\nODdrVmN0S2QzVyszOUdDallramswcDgKLS0tIERxRitnUFdOa2pUeFlBeTg4RmY0\nbHM4OXJZamtNRmZ4dERDYVZRcXNFQ00KX2Nn5bHwG373Df8wDZ+vyzSEeQd33BUA\nhsbyesskF3Pv9nBC+We1pTAtPNMENkNJsTNUrGVXUtkFXUZesWHbRQ==\n-----END AGE ENCRYPTED FILE-----\n 3 - sops_age__list_0__map_recipient=age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy 4 - sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxYS9NdFhaNnJVTU5RS09B\nRndKTTRKSWw0ZHlUaFdHcHQ1eHhnMGZnbW1rCm1xVEZSQjN6MEplNmhJZms4VFpr\ncWpuMmZjQmVIdnFlUTdjdS9nK0tBNDQKLS0tIFY4VkM5TkMwdm0zelZxRVZraHl5\nMmRUTmY3RTE0NjFuejEwN2pSUU5veXMK6rRQIiVTBTDJ4woAAW3ngu4cWYAJ5PCO\nCtTTavbig2b14KihWRufbKYYlyIlOrfKHVyzH55kjISLvFwnlVl4MA==\n-----END AGE ENCRYPTED FILE-----\n 5 - sops_age__list_1__map_recipient=age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu 6 - sops_lastmodified=2026-03-20T21:01:36Z 7 - sops_mac=ENC[AES256_GCM,data:mIJm2VhsN001/+6D9JlEtGfaDbcVU9ixIm9wThVTF0nluyeoj7KdBAoIKeFS38FmEzCKlUUpoKyuDn13OO2wDW6kBIWNJVrBH6cjBpGQP5ESO4nhjJ6BlOeCHPdyLbhiIRmS9CgUFrevMPVYiPB+BJDANi1CT50/IAt9XCJcIeQ=,iv:+yP4JHMd2jfVtews/l3dDdGvFqDoF/yEy2PK7Yn4N14=,tag:mfVx0B18Qer+2uJjZvSz1A==,type:str] 8 - sops_unencrypted_suffix=_unencrypted 9 - sops_version=3.12.1