update: system update & refactor

# Breaking Changes - sops location movod to "system/dev/<dev-name>/sops/sops-conf.nix" - flake devices declaration changes - whole flake update
2025-10-14 16:49:03 +08:00 · 2025-10-14 16:49:03 +08:00 · 6a71b601f5
commit 6a71b601f5
parent 321f740af0
116 changed files with 2576 additions and 3634 deletions
--- a/system/dev/dn-server/sops/default.nix
+++ b/system/dev/dn-server/sops/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops-conf.nix
+  ];
+}
--- a/system/dev/dn-server/sops/secret.yaml
+++ b/system/dev/dn-server/sops/secret.yaml
--- a/system/dev/dn-server/sops/sops-conf.nix
+++ b/system/dev/dn-server/sops/sops-conf.nix
@ -0,0 +1,85 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkIf;
+in
+{
+  sops.secrets = {
+    "wireguard/privateKey" = { };
+    "nextcloud/adminPassword" = { };
+    "step_ca/password" = { };
+    vaultwarden = { };
+    "oauth/password" = { };
+    "oauth/adminEnv" = { };
+    "ldap/password" = lib.mkIf config.mail-server.enable {
+      mode = "0660";
+      owner = config.services.openldap.user;
+      group = config.services.openldap.group;
+    };
+    "ldap/env" = lib.mkIf config.mail-server.enable {
+      mode = "0660";
+      group = config.users.groups.docker.name;
+    };
+    "powerdns-admin/secret" = {
+      mode = "0660";
+      owner = "powerdnsadmin";
+      group = "powerdnsadmin";
+    };
+    "powerdns-admin/salt" = {
+      mode = "0660";
+      owner = "powerdnsadmin";
+      group = "powerdnsadmin";
+    };
+    powerdns = {
+      mode = "0660";
+      owner = "pdns";
+      group = "pdns";
+    };
+    rspamd-trainer = {
+    };
+    rspamd = mkIf config.services.rspamd.enable {
+      owner = config.services.rspamd.user;
+    };
+    "acme/env" = mkIf config.security.acme.acceptTerms {
+      mode = "0660";
+      owner = "acme";
+      group = "acme";
+    };
+    "postsrsd/secret" = mkIf config.services.postsrsd.enable {
+      mode = "0660";
+      owner = config.services.postsrsd.user;
+      group = config.services.postsrsd.group;
+    };
+    "grafana/password" = mkIf config.services.grafana.enable {
+      mode = "0660";
+      owner = "grafana";
+      group = "grafana";
+    };
+    "grafana/client_secret" = mkIf config.services.grafana.enable {
+      mode = "0660";
+      owner = "grafana";
+      group = "grafana";
+    };
+    "prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
+      mode = "0660";
+      owner = "prometheus";
+      group = config.users.users.prometheus.group;
+    };
+    "paperless/adminPassword" = mkIf config.services.paperless.enable {
+      owner = config.services.paperless.user;
+    };
+    "atticd/secret" = mkIf config.services.atticd.enable { };
+    "docmost" = { };
+    "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+    "crowdsec/capi.yaml" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+    "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+  };
+}