WIP/backup: Deployment batch antigravity

2026-03-17 18:18:19 +01:00 · 2026-03-17 18:18:19 +01:00 · 711dc677ec
commit 711dc677ec
parent 5a031b48ed
29 changed files with 575 additions and 97 deletions
--- a/modules/apps/gitea/default.nix
+++ b/modules/apps/gitea/default.nix
@ -496,7 +496,8 @@ in {
          #FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
          # Mail from address, RFC 5322. This can be just an email address, or the
          # `"Name" <email@example.com>` format.
-          FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
+          # TODO Hugo: Populate 'gitea_mailer_from' in sops.
+          FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
          # Sometimes it is helpful to use a different address on the envelope. Set this to use
          # ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
          #FORGEJO__mailer__ENVELOPE_FROM = "";
--- a/modules/apps/traefik/default.nix
+++ b/modules/apps/traefik/default.nix
@ -72,7 +72,7 @@ in {
        # Certificates
        "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
        "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-        "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+        "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
        "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      ];
      volumes = [
--- a/modules/apps/vaultwarden/default.nix
+++ b/modules/apps/vaultwarden/default.nix
@ -344,6 +344,7 @@ in {
          # ORG_CREATION_USERS=none
          ## A comma-separated list means only those users can create orgs:
          # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+          # TODO Hugo: Redact org creation users if needed.
          
          ## Invitations org admins to invite users, even when signups are disabled
          # INVITATIONS_ALLOWED=true
@ -590,7 +591,7 @@ in {
          ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
          ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
          SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = "vault@depeuter.dev";
+          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
          SMTP_FROM_NAME = cfg.name;
          # SMTP_USERNAME=username
          # SMTP_PASSWORD=password
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@ -1,4 +1,9 @@
 {
+  imports = [
+    ./networking.nix
+    ./secrets.nix
+  ];
+
  config = {
    homelab = {
      services.openssh.enable = true;
--- a/modules/common/networking.nix
+++ b/modules/common/networking.nix
@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+{
+  options.homelab.networking = {
+    hostIp = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      description = ''
+        The primary IP address of the host. 
+        Used for automated deployment and internal service discovery.
+      '';
+    };
+  };
+
+  config = lib.mkIf (config.homelab.networking.hostIp != null) {
+    # If a hostIp is provided, we can potentially use it to configure 
+    # networking interfaces or firewall rules automatically here in the future.
+  };
+}
--- a/modules/common/secrets.nix
+++ b/modules/common/secrets.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  sops.secrets = {
+    # -- User Public Keys (Anti-Fingerprinting) --
+    "user_keys_admin" = { neededForUsers = true; };
+    "user_keys_deploy" = { neededForUsers = true; };
+    "user_keys_backup" = { neededForUsers = true; };
+
+    # -- Infrastructure Metadata --
+    # Hugo TODO: Populate these in your .sops.yaml / secrets file
+    "acme_email" = {};
+    "cloudflare_dns_token" = {};
+    "pgadmin_email" = {};
+    "gitea_mailer_from" = {};
+    "vaultwarden_smtp_from" = {};
+  };
+}