refactor(security): migrate hardcoded credentials and SSH keys to sops-nix

2026-03-17 21:45:56 +01:00 · 2026-03-17 21:45:56 +01:00 · ccfa328771
commit ccfa328771
parent cbb70ab8bb
10 changed files with 47 additions and 14 deletions
--- a/hosts/Isabel/default.nix
+++ b/hosts/Isabel/default.nix
@ -165,7 +165,7 @@ providers:
            # Certificates
            "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
            "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
-            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
+            "--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
            "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"

            # Additional routes
@ -176,8 +176,8 @@ providers:
            # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
          ];
          environment = {
-            # TODO Hide this!
-            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
+            # TODO Hugo: Populate 'cloudflare_dns_token' in sops.
+            "CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
          };
          environmentFiles = [
          ];