My nix-darwin and NixOS config


fix: use environmentFile for ACME Cloudflare credentials

The credentialFiles option requires every key to carry a _FILE suffix, but
lego reads CF_DNS_API_TOKEN directly from the environment. Switch to
environmentFile with a dotenv-format secret containing CLOUDFLARE_DNS_API_TOKEN=<token>.

+13 -23
+4 -5
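--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -51,11 +51,11 @@
 # *.ewancroft.uk tailnet services (Nextcloud, Immich, Jellyfin, Cockpit).
 #
 # Prerequisite: create and sops-encrypt secrets/cloudflare-acme.env
-# containing just the raw token value (no KEY= prefix).
+# containing: CLOUDFLARE_DNS_API_TOKEN=<token>
 # The token needs Zone.DNS edit permission for ewancroft.uk.
 sops.secrets."cloudflare-acme.env" = lib.mkIf hasTailnet {
 sopsFile = ../secrets/cloudflare-acme.env;
-format = "binary";
+format = "dotenv";
 owner = "acme";
 mode = "0440";
 };
@@ -68,9 +68,8 @@
 dnsProvider = "cloudflare";
 # Explicitly disable HTTP challenge — DNS-01 only.
 webroot = null;
-credentialFiles = {
-"CF_DNS_API_TOKEN" = config.sops.secrets."cloudflare-acme.env".path;
-};
+# environmentFile is a dotenv-format file: CLOUDFLARE_DNS_API_TOKEN=<token>
+environmentFile = config.sops.secrets."cloudflare-acme.env".path;
 # Emit verbose lego output so failures are diagnosable in the journal.
 enableDebugLogs = true;
 # Let Caddy read the cert files.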
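Review bot: The new `environmentFile` on line 72 puts the Cloudflare token into the environment of the whole lego renewal unit, whereas the `credentialFiles` mapping it replaces delivered the secret as a systemd credential file that only the consuming process reads. If lego honours the `_FILE` suffix for the Cloudflare provider (its environment helpers generally do, and the NixOS option examples for credentialFiles are written with that suffix), `credentialFiles = { "CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare-acme.env".path; };` together with the previous raw-token secret would have satisfied the `_FILE` assertion without widening the token's exposure; worth confirming before settling on the environment route. If environmentFile stays, the comments on new lines 54 and 71 say the same thing twice; line 71 could instead point at the secret definition, e.g. `# Loaded by the lego unit via environmentFile; format is defined on sops.secrets."cloudflare-acme.env" above.` The `security.acme` certificate attribute set these lines belong to begins and ends outside the hunk.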
+9 -18
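--- a/secrets/cloudflare-acme.env
+++ b/secrets/cloudflare-acme.env
@@ -1,18 +1,9 @@
-{
-"data": "ENC[AES256_GCM,data:Rq/ADd4JgfKITNEzjwZUMQW8qaEXbMjyN9w62W0dEAsmkIVOvgLzxtRnEzHYIeJFxnAvLkgujdXhfX3BxusZqsdkMtpnyOG0XIE=,iv:RUVnSHJ5DqM1TVj6np+wHU2cqyOalLnY0xzXPcvYYGk=,tag:HUtC+QpkRQ8CwK6MYyf3BA==,type:str]",
-"sops": {
-"age": [
-{
-"recipient": "age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy",
-"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ2JmVElWNHFYdUpBLy9q\nc0lqbHU2bFRFZGNTVlBIaEJGbGlueUR5eWxJCmxQY0VwcGpGbldKTzNmVUJROU5q\nLzJiTU5qSjV1bWlyWWlBTnRMM05ud3cKLS0tIGkyRnpNRGRsRnJSNzZhRUpvdG5l\nOUh6eFpKdzZWTjFBSlhFVXlWM3RQc2cKfSCi90/hYJ8FarflE6XHD1DA8zAX9BJh\nr27iwBXrHhYz1VnZykMfQ7RKutHjn5mgH2zWRT08Bj4NBtDhfv9szQ==\n-----END AGE ENCRYPTED FILE-----\n"
-},
-{
-"recipient": "age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu",
-"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzc1pTU2pQUWtVQjduM05G\ncUJsbTBZS3lzWVM1RDBjTWhpYkVZVGUzY3hBCkdZT2gvK1JiNXNBL3JhbEFPdXBH\nMEM0VklVUXpEQ1dGT2txTTQyLyt2cXMKLS0tIGJrajJGdmdjQ0NKSlBkdDQ5ckNY\nRVNrSU45U3JsNGZubGc0UlFuaHFoZzQKXIZxRgJnmbmLgwadohJtta+p+exmMvLl\npWv3JunXlJD/Wne4p8ENmHIJJKH3a/rHSvVezenr0b45O5+DMrUt7Q==\n-----END AGE ENCRYPTED FILE-----\n"
-}
-],
-"lastmodified": "2026-02-25T09:20:58Z",
-"mac": "ENC[AES256_GCM,data:l8mnr1ZtJDYQWOExTGrdq1beYI1MuWodj6wObM4f3ZCAN8tUZK66EHaJkPHzDq1ryI9eXn7WomeY/U+La7qbYhQ9mvNY7QbzUpscOhu5AfM1ehxqUOI40GbOeAebdVold1/12ORi7V048W3LVVbEd0U60Y4a4n8tyV7F/p3thWw=,iv:96bNKdtVL4SQ3r3Y7IwSQ/cFvRPE5+Kd+a8/xo20iXw=,tag:bIuGaaNDJRxlequMm0kJQA==,type:str]",
-"version": "3.12.0"
-}
-}
+CLOUDFLARE_DNS_API_TOKEN=ENC[AES256_GCM,data:wyUCVa3OLG8nqr0s1vHU6dXVWS/1nyQTFjB+8E/k+uzkiL51l8dk0B7wx6cJsSQrPnadAAVgtM2wZPAy7nMgXyOjnWXp4zx+LQ==,iv:VVg1bOhAtIm2h6crY0EQmasp04zbInOw0lpDzdszinM=,tag:YK0BwVm/LFed/7UerBUlNg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRm16Z0tJUmVBQXZJUVR4\ncm5xTnE2SFgzdkZjRlhhaW9OanZiVndpaUNBCktyNXJBWUlORWtXVFNoaFJzQ3Rn\nb3hiaUh6N2E1S3NGSXVTdjFyamNETEkKLS0tIHBIY1l3Ty9rVXZHQ01PbUQ0aFhS\najh3cWNmZ3BrMVl6SlJ1bUdxTUZrNm8KsB9ZuH4x2fXDtTWzQPrCZ6s2WDmHe9md\nta9wuIlK4u7Lh0kHpm4Q1zHl4hTuwY5N9wx9+OYIaDphJ+U+uKviWg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYYmdvbloycUxKbFJXM21v\nTWVrYlE4eEJwOVlXK2ljZXg3TmVtTHcrVDNRCkNpYkhHc3lNemVUVVYyQzFEMFdO\nV2g3QkFSVEs0UU9uUUovM2dONXU0YkkKLS0tIFpaRnZtMjl0dmhrYXNZeDE2RU1l\ndmdManE5MnhBaENGaTgzaEJRUzlrWXcK/VxRC9neIooKmmJaYxNlNtl1cBHV5UOW\n/+egF7+HxzTYHi4nlqYzZiV1v74re/MCMdwFu21LQC/Ky5qgpAAaHQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu
+sops_lastmodified=2026-02-25T17:24:43Z
+sops_mac=ENC[AES256_GCM,data:q1imPdsiSmKIm1kP/uXpjwVlT/qOP+r/0X1wTLl02PswEiawOuywZqPT7onIShdc/IjcRO++mcJy1YI1XxJ5pNWZ8S+A9I2qn118ARH4O8q7T5sTnXjX5JFRotIiYLaP4ISh0JwFs4YpUSuJQJLJxCTAWQohsCmcXhj3P9Bf9MY=,iv:8KuHm5HxAd1Eg+ZIYydcF4vWIMNv82JRSYt3i8H7irI=,tag:P11bBblYbDdcTlZ+MZvaQw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.12.0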