nix-conf/system/dev/dn-server/sops/sops-conf.nix

{ config, lib, ... }:
let
  inherit (lib) mkIf;
in
{
  sops.secrets = {
    "wireguard/privateKey" = { };
    "step_ca/password" = { };
    "oauth/password" = { };
    "oauth/adminEnv" = { };
    "ldap/password" = lib.mkIf config.mail-server.enable {
      mode = "0660";
      owner = config.services.openldap.user;
      group = config.services.openldap.group;
    };
    "ldap/env" = lib.mkIf config.mail-server.enable {
      mode = "0660";
      group = config.users.groups.docker.name;
    };
    rspamd-trainer = {
    };
    rspamd = mkIf config.services.rspamd.enable {
      owner = config.services.rspamd.user;
    };
    "postsrsd/secret" = mkIf config.services.postsrsd.enable {
      mode = "0660";
      owner = config.services.postsrsd.user;
      group = config.services.postsrsd.group;
    };
    "grafana/password" = mkIf config.services.grafana.enable {
      mode = "0660";
      owner = "grafana";
      group = "grafana";
    };
    "grafana/client_secret" = mkIf config.services.grafana.enable {
      mode = "0660";
      owner = "grafana";
      group = "grafana";
    };
    "prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
      mode = "0660";
      owner = "prometheus";
      group = config.users.users.prometheus.group;
    };
    "paperless/adminPassword" = mkIf config.services.paperless.enable {
      owner = config.services.paperless.user;
    };
    "paperless/envFile" = mkIf config.services.paperless.enable {
      owner = config.services.paperless.user;
    };
    "atticd/secret" = mkIf config.services.atticd.enable { };
    "docmost" = { };
    "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable {
      owner = "crowdsec";
      mode = "0600";
    };
    "crowdsec/capi.yaml" = mkIf config.services.crowdsec.enable {
      owner = "crowdsec";
      mode = "0600";
    };
    "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable {
      owner = "crowdsec";
      mode = "0600";
    };
    "opencloud" = mkIf config.services.opencloud.enable {
      owner = config.services.opencloud.user;
      group = config.services.opencloud.group;
      mode = "0600";
    };
    "ntfy" = mkIf config.services.ntfy-sh.enable {
      owner = config.services.ntfy-sh.user;
      mode = "0600";
    };
  };
}