-8

.sops.yaml

reviewed

··· 26 26 27 27 creation_rules: 28 28 # ── Secrets available on all machines ────────────────────────────────────── 29 29 - - path_regex: secrets/(wifi-home|ssh-passphrase|docker-config\.json|claude\.json)$ 30 30 - key_groups: 31 31 - - age: 32 32 - - *ewan 33 33 - - *macmini 34 34 - - *laptop 35 35 - - *server 36 36 - 37 29 # ── Server-only secrets ───────────────────────────────────────────────────── 38 30 - path_regex: secrets/(pds\.env|cloudflare\.token|cf-tunnel\.json|forgejo\.env|nextcloud-admin-pass|nextcloud-smtp-pass)$ 39 31 key_groups:

-18

home/default.nix

reviewed

··· 213 213 # Tell the home-manager sops module to decrypt using the host's SSH ed25519 214 214 # key as an age key — same source as the system-level sops in common.nix. 215 215 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 216 216 - sops.secrets = lib.mkMerge [ 217 217 - (lib.mkIf cfg.secrets.docker.enable { 218 218 - "docker-config" = { 219 219 - sopsFile = ../secrets/docker-config.json; 220 220 - path = "${config.home.homeDirectory}/.docker/config.json"; 221 221 - mode = "0600"; 222 222 - }; 223 223 - }) 224 224 - 225 225 - (lib.mkIf cfg.secrets.claude.enable { 226 226 - "claude-config" = { 227 227 - sopsFile = ../secrets/claude.json; 228 228 - path = "${config.home.homeDirectory}/.claude.json"; 229 229 - mode = "0600"; 230 230 - }; 231 231 - }) 232 232 - 233 233 - ]; 234 216 }

-12

modules/options.nix

reviewed

··· 389 389 }; 390 390 }; 391 391 392 392 - # ── Secrets ─────────────────────────────────────────────────────────────── 393 393 - secrets = { 394 394 - docker.enable = mkOption { 395 395 - type = bool; 396 396 - default = false; 397 397 - }; 398 398 - claude.enable = mkOption { 399 399 - type = bool; 400 400 - default = false; 401 401 - }; 402 402 - }; 403 403 - 404 392 # ── Server service toggles ──────────────────────────────────────────────── 405 393 services = { 406 394 forgejo.enable = mkOption {