My nix-darwin and NixOS config
sharkey: add Meilisearch master key secret
+28
-1
+1
-1
.sops.yaml
+1
-1
.sops.yaml
···
27
27
creation_rules:
28
28
# ── Secrets available on all machines ──────────────────────────────────────
29
29
# ── Server-only secrets ─────────────────────────────────────────────────────
30
-
- path_regex: secrets/(pds\.env|cloudflare\.token|cloudflare-acme\.env|cloudflare-acme-croft-click\.env|cf-tunnel\.json|forgejo\.env|nextcloud-admin-pass|nextcloud-smtp-pass|vaultwarden\.env|sharkey\.env)$
30
+
- path_regex: secrets/(pds\.env|cloudflare\.token|cloudflare-acme\.env|cloudflare-acme-croft-click\.env|cf-tunnel\.json|forgejo\.env|nextcloud-admin-pass|nextcloud-smtp-pass|vaultwarden\.env|sharkey\.env|meilisearch-master-key\.env)$
31
31
key_groups:
32
32
- age:
33
33
- *ewan
+18
modules/server/sharkey.nix
+18
modules/server/sharkey.nix
···
49
49
};
50
50
users.groups.sharkey = { };
51
51
52
+
# Meilisearch master key — file must contain: MEILI_MASTER_KEY=<value>
53
+
# Generate: openssl rand -base64 32
54
+
# Then: echo "MEILI_MASTER_KEY=$(openssl rand -base64 32)" | sops --encrypt --input-type dotenv --output-type dotenv /dev/stdin > secrets/meilisearch-master-key.env
55
+
sops.secrets."meilisearch-master-key.env" = {
56
+
sopsFile = ../../secrets/meilisearch-master-key.env;
57
+
format = "dotenv";
58
+
owner = "meilisearch";
59
+
group = "meilisearch";
60
+
mode = "0400";
61
+
};
62
+
63
+
services.meilisearch = {
64
+
masterKeyEnvironmentFile = config.sops.secrets."meilisearch-master-key.env".path;
65
+
environment = "production";
66
+
listenAddress = "127.0.0.1";
67
+
noAnalytics = true;
68
+
};
69
+
52
70
sops.secrets."sharkey.env" = {
53
71
sopsFile = ../../secrets/sharkey.env;
54
72
format = "dotenv";
+9
secrets/meilisearch-master-key.env
+9
secrets/meilisearch-master-key.env
···
1
+
MEILI_MASTER_KEY=ENC[AES256_GCM,data:6CDrCEr3HQjJd+Bkg7axzP91lRyYGPfFVJ9AVsJsmYD5lpnn3qzXk9DTjYU=,iv:k31bulPpARGM6BFv0ZZEPW7V6TS45Foremw69JqcGjw=,tag:C4jScN9fLQLry/Ni5t0OuA==,type:str]
2
+
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2K0ZRR2p3em9aTCtFeHRV\nMDA4elgydzRuM1RDRjV5c3MwTHlaQlhWV1JvCjgraFdoek14Wlg0Zi9SbVNhRmw1\nODdrVmN0S2QzVyszOUdDallramswcDgKLS0tIERxRitnUFdOa2pUeFlBeTg4RmY0\nbHM4OXJZamtNRmZ4dERDYVZRcXNFQ00KX2Nn5bHwG373Df8wDZ+vyzSEeQd33BUA\nhsbyesskF3Pv9nBC+We1pTAtPNMENkNJsTNUrGVXUtkFXUZesWHbRQ==\n-----END AGE ENCRYPTED FILE-----\n
3
+
sops_age__list_0__map_recipient=age17ulnk7akn9zfwtc87vsexrr809xj6gkkcp2rkez6xtzyrqclpshqfew5wy
4
+
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxYS9NdFhaNnJVTU5RS09B\nRndKTTRKSWw0ZHlUaFdHcHQ1eHhnMGZnbW1rCm1xVEZSQjN6MEplNmhJZms4VFpr\ncWpuMmZjQmVIdnFlUTdjdS9nK0tBNDQKLS0tIFY4VkM5TkMwdm0zelZxRVZraHl5\nMmRUTmY3RTE0NjFuejEwN2pSUU5veXMK6rRQIiVTBTDJ4woAAW3ngu4cWYAJ5PCO\nCtTTavbig2b14KihWRufbKYYlyIlOrfKHVyzH55kjISLvFwnlVl4MA==\n-----END AGE ENCRYPTED FILE-----\n
5
+
sops_age__list_1__map_recipient=age1xvny7h8cahajamj4lz9cew5w0dqlge0yy6tys7szj42grcrl95jqsrutsu
6
+
sops_lastmodified=2026-03-20T21:01:36Z
7
+
sops_mac=ENC[AES256_GCM,data:mIJm2VhsN001/+6D9JlEtGfaDbcVU9ixIm9wThVTF0nluyeoj7KdBAoIKeFS38FmEzCKlUUpoKyuDn13OO2wDW6kBIWNJVrBH6cjBpGQP5ESO4nhjJ6BlOeCHPdyLbhiIRmS9CgUFrevMPVYiPB+BJDANi1CT50/IAt9XCJcIeQ=,iv:+yP4JHMd2jfVtews/l3dDdGvFqDoF/yEy2PK7Yn4N14=,tag:mfVx0B18Qer+2uJjZvSz1A==,type:str]
8
+
sops_unencrypted_suffix=_unencrypted
9
+
sops_version=3.12.1