
chore: rotate cloudflare api token

+31 -20
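--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -51,11 +51,11 @@
   # *.ewancroft.uk tailnet services (Nextcloud, Immich, Jellyfin, Cockpit).
   #
   # Prerequisite: create and sops-encrypt secrets/cloudflare-acme.env
-  # containing: CLOUDFLARE_DNS_API_TOKEN=<token>
+  # containing the raw token value only (no KEY= prefix, no trailing newline).
   # The token needs Zone.DNS edit permission for ewancroft.uk.
   sops.secrets."cloudflare-acme.env" = lib.mkIf hasTailnet {
     sopsFile = ../secrets/cloudflare-acme.env;
-    format = "dotenv";
+    format = "binary";
     owner = "acme";
     mode = "0440";
   };
@@ -68,8 +68,11 @@
     dnsProvider = "cloudflare";
     # Explicitly disable HTTP challenge — DNS-01 only.
     webroot = null;
-    # environmentFile is a dotenv-format file: CLOUDFLARE_DNS_API_TOKEN=<token>
-    environmentFile = config.sops.secrets."cloudflare-acme.env".path;
+    credentialFiles = {
+      # CF_DNS_API_TOKEN_FILE: lego reads the file contents as the token.
+      # Secret is binary (raw token, no KEY= prefix, no trailing newline).
+      "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare-acme.env".path;
+    };
     # Emit verbose lego output so failures are diagnosable in the journal.
     enableDebugLogs = true;
     # Let Caddy read the cert files.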
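Review bot: The secret keeps the name `cloudflare-acme.env` while the new `format = "binary";` line and the rewritten comment at line 54 say it now holds a bare token rather than dotenv content, so a later editor going by the filename is likely to reintroduce a `KEY=` prefix, which `CF_DNS_API_TOKEN_FILE` would then hand to lego verbatim. Renaming the secret to something like `cloudflare-acme.token` in both the `sops.secrets` key and `sopsFile` would make the format self-describing; the prerequisite comment above line 54 should then name the new path. This commit also rotates `secrets/cloudflare.token`, so the repository now carries two encrypted copies of what appears to be the same Cloudflare token; if they are the same, pointing both consumers at one sops secret avoids a future rotation leaving a stale copy behind. Keep the `no trailing newline` caveat in the `credentialFiles` comment, since whether lego trims whitespace from `*_FILE` contents is not established here. The enclosing `security.acme` certificate block begins before and ends after the second hunk.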
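--- a/secrets/cloudflare-acme.env
+++ b/secrets/cloudflare-acme.env
@@ -1,9 +1,18 @@
-CLOUDFLARE_DNS_API_TOKEN=ENC[AES256_GCM,data:wyUCVa3OLG8nqr0s1vHU6dXVWS/1nyQTFjB+8E/k+uzkiL51l8dk0B7wx6cJsSQrPnadAAVgtM2wZPAy7nMgXyOjnWXp4zx+LQ==,iv:VVg1bOhAtIm2h6crY0EQmasp04zbInOw0lpDzdszinM=,tag:YK0BwVm/LFed/7UerBUlNg==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRm16Z0tJUmVBQXZJUVR4\ncm5xTnE2SFgzdkZjRlhhaW9OanZiVndpaUNBCktyNXJBWUlORWtXVFNoaFJzQ3Rn\nb3hiaUh6N2E1S3NGSXVTdjFyamNETEkKLS0tIHBIY1l3Ty9rVXZHQ01PbUQ0aFhS\najh3cWNmZ3BrMVl6SlJ1bUdxTUZrNm8KsB9ZuH4x2fXDtTWzQPrCZ6s2WDmHe9md\nta9wuIlK4u7Lh0kHpm4Q1zHl4hTuwY5N9wx9+OYIaDphJ+U+uKviWg==\n-----END AGE ENCRYPTED FILE-----\n
-sops_age__list_0__map_recipient=age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy
-sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYmdvbloycUxKbFJXM21v\nTWVrYlE4eEJwOVlXK2ljZXg3TmVtTHcrVDNRCkNpYkhHc3lNemVUVVYyQzFEMFdO\nV2g3QkFSVEs0UU9uUUovM2dONXU0YkkKLS0tIFpaRnZtMjl0dmhrYXNZeDE2RU1l\ndmdManE5MnhBaENGaTgzaEJRUzlrWXcK/VxRC9neIooKmmJaYxNlNtl1cBHV5UOW\n/+egF7+HxzTYHi4nlqYzZiV1v74re/MCMdwFu21LQC/Ky5qgpAAaHQ==\n-----END AGE ENCRYPTED FILE-----\n
-sops_age__list_1__map_recipient=age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu
-sops_lastmodified=2026-02-25T17:24:43Z
-sops_mac=ENC[AES256_GCM,data:q1imPdsiSmKIm1kP/uXpjwVlT/qOP+r/0X1wTLl02PswEiawOuywZqPT7onIShdc/IjcRO++mcJy1YI1XxJ5pNWZ8S+A9I2qn118ARH4O8q7T5sTnXjX5JFRotIiYLaP4ISh0JwFs4YpUSuJQJLJxCTAWQohsCmcXhj3P9Bf9MY=,iv:8KuHm5HxAd1Eg+ZIYydcF4vWIMNv82JRSYt3i8H7irI=,tag:P11bBblYbDdcTlZ+MZvaQw==,type:str]
-sops_unencrypted_suffix=_unencrypted
-sops_version=3.12.0
+{
+	"data": "ENC[AES256_GCM,data:gwwUdfjNrrvY8tGKZb5CJ8MVCfYSTAN8vJ7fay45j8wOy5yguSH3wA==,iv:ncCk/Bg+mlrJ8NkR5TlGNQB+xiMTF0ejxJb0nUlIMJY=,tag:HoW7GKGhwDdSXjXNJsDEaA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUlJYU1k0MWhmSTBDclVM\nUmpYcVcxcTBCQ0dSRGtUMXB1YmxpdTVKcW44CkFIQlhodjkxbzRWZ0ptTy9JV1Ay\nU2d5WTFTckRQWWl4cXQrM3hlMVFGUmMKLS0tIEgyVGNka1YzY3k2eStnVWgxeVRJ\nY2RXdVIwNGNDVUVzT0FyWEN0RXM3cFkKnzT6ecLsoTtGfG/PPh/NsMKAnPCo4wkL\nZLo7omxIbwGt0ucsCLew2ig8EvWUvrEEAW1txDm66pYdFO8+Kj+YJg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWjZndmdubGthSzVsbXNj\nUGpoN0dZUmF6N3NuaDZnV3JDeFRneG9PblRrCmNnUHR0N1l3a0t1WGhUREhmZW80\nOE9JWFRzMWl6RU5QZ3Q5YWtZTXp3Tm8KLS0tIEpIaXVUbjJpbDF3M2hwdzByNmZy\nZ1FmSXVkWXVKM0UvSjN4RWYwS1duWHMKN+4z5eKogPZNe12nxhJ2a6y5loBFerrv\n/QDrP7/o7b9IUcOdXPxU4Y61aQC1lCh0w0NQLehh5D+swy3LniqGIw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-02-25T17:55:21Z",
+		"mac": "ENC[AES256_GCM,data:RjHrFXBWbjDzKa9zMtqNEBR0qE4B8l3bW9JaNkleSCiZ0i9CP1g4x+I9teeDVd+355RTQTdKyZIWabyZhizq+Y38om1ZKD157bjAqigNuDoRFlVyWkBPNwKGLmYsxO5r3VnFx1LbiUrUT2VAImUd4A+XbUeV0OhMnfm6W0ejLEQ=,iv:EIgnNI7RLdo+zuDg8Z7olqJSPG3S2M4LfLhTEu1zFAc=,tag:N68nEPrdxJ/WhKo84LHBaQ==,type:str]",
+		"version": "3.12.0"
+	}
+}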
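--- a/secrets/cloudflare.token
+++ b/secrets/cloudflare.token
@@ -1,19 +1,18 @@
 {
-	"data": "ENC[AES256_GCM,data:wliA7Pi/Sgh7v+IqycH2U9WYj6lufrKQBDUvcvBbb329qraRJ1Nbzzt1D+oJN0X7Jdf+fRJmAVTL5f1hAcNOZB72E2MwD8ul/zY=,iv:qMuENjW+qxMdQMaSykXo5c5n/1dKiQc5C+sHAjh7NY8=,tag:W/nnZGDQOBfMPKACBF/1Vg==,type:str]",
+	"data": "ENC[AES256_GCM,data:KVKxwvGWJF7JIiFWa7q/ivf59S9xiqiHGnXwpq2m2yStUQIFb3xZWA==,iv:cUuUYHyY2eDuVuKrIMm9zX96k5WqpATR5+NZtPeE9wU=,tag:yV8KO2uI+w42gEu/w3+KPg==,type:str]",
 	"sops": {
 		"age": [
 			{
 				"recipient": "age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2VGdmL3daT2M3emRUSlN1\nOTdTTGFXZTlKdlFzeHYzT1JKUXJub0UxK2dRCmtNVUtZNEFWWXcxUjhCVkxIaVhi\nVDkrV0VoakVaM2dDQmdSdWswL25kYjQKLS0tIGZzYXFuVnZrVWpsaVhhQXhCYjJ1\nNXJYMnFmUzZzSkZ0ZE0wc3VJWFJRQWcKHEicpBu7+tp61nj8huNCKxZ28eiltjMZ\nk9lSnAx2P6oNY1EY/JvddHeEr3cSMoPYqNFQYdNBVq3V8s7w/M5Ttw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbTlFMG9QeGV0b25xNit2\nNDNnV01zRktTWGZpK2RxdzUvZFV6N0p5aHdBCnRTRnNHY01PSFVpcmtOWm1sdFBD\ncVlKYmxTb0I1WURjc1hUZnRpek52alkKLS0tIEF3N25Gd3JDVGhFQkJkUTYrZDUx\nWjBSUDIzYnJwZU04MXhzc21NS3lZdzAKk7Og7Gcf4jstmO9w1ymU1uBa31nUTiEm\n/7cN4EBEQtJ+nct+CCjrupAMPyPds9fQq09ZtcueWG66poBotwsSDA==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOG5tWUJod2NNWE5pN2xD\nNnUyNUI4cGpNTk9CRkhrNkYwRkphdFFIT3hRCjdMajlmVFhNMjFQU3RaeHZCWXBU\nVnVvaC9IcE1kK2FlUCtyN2l4ajJ6YWcKLS0tIEV3eWdrVnlCSE9hUFdMQmltM2tr\nZTZEUXN3ZWViVlBIWVE3MmJNc3RLVW8KDTKJl5ObXJ06e/dUs0oZfAs6O3+tH5/Q\n0hwwNKdoZx+sX6G6JHgZDSC7YjjeM6h4vvpnChd3ebztKzT7EN71Rw==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3V05QTmkwaHlKY2lrdjBv\nUk5jYWk0QzZIUTFqNlg0aE8xZnYzWGRMYXhFCkpPbHpQeWdtbWcrKytJc0N2THc4\nOTFLakhkK1dHSnRoSS90QmtLYXBJL0UKLS0tIHVBMVNLWmJqelozQ2JVekxPT2h4\nQXN4QXM5cUZxM2VvSWpNeE9RVG9BbUEKzlb8jkaq8YWUTB+KMqO1nUsbolntyntc\nQpZTfUeiwcYrt8K66veeu2vVLKnURWAfR05ijvXd1HbcLpF0JoJORQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-02-19T03:57:40Z",
-		"mac": "ENC[AES256_GCM,data:uZhCizJOcLLmIKmMvsEyTYJ48B3Jp3TMcp33XErdlrWV3kryZale5/Yx3ac6senyvc3lRgFjIWQZWBkJ7fzEJQseNj0ba1rZ8HyojZMpqSojDy2gJ9ga5V8DLoEnXHb/O8BOMaudGilT4ueTVVDigLg381SqdFk9FKbHd1XH95k=,iv:/44pfm4s44ilqzErR+fXjg/7eHTDVHCrrOUFb9rueAA=,tag:vmq9LdPjhC/VUDci/G8GZw==,type:str]",
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
+		"lastmodified": "2026-02-25T17:55:20Z",
+		"mac": "ENC[AES256_GCM,data:UEqqO49Q/v4ezBa7BrGyU91U2dTtWZNysYNh9Y4XylpJRn+kRBfyekzScyZEY9FZYPPUGgU400ZLI9d8yZn/A4A9q3eaiV+bGmK+73PGWXr7vrJi3IthV2JohoAPwC+WagO7naVHQSw58T0rMp93hi25a7RrVNILZnPtVauAJl4=,iv:UBwG8RwvIJdF0VR1ujbL2Yw3VU7LXONsd2agjbH38aM=,tag:NDKgjbs4gR9hX99gfeaotQ==,type:str]",
+		"version": "3.12.0"
 	}
 }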