refactor(security): migrate hardcoded credentials and SSH keys to sops-nix

2026-03-17 21:45:56 +01:00 · 2026-03-17 21:45:56 +01:00 · ccfa328771
commit ccfa328771
parent cbb70ab8bb
10 changed files with 47 additions and 14 deletions
--- a/modules/apps/vaultwarden/default.nix
+++ b/modules/apps/vaultwarden/default.nix
@ -344,6 +344,7 @@ in {
          # ORG_CREATION_USERS=none
          ## A comma-separated list means only those users can create orgs:
          # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+          # TODO Hugo: Redact org creation users if needed.
          
          ## Invitations org admins to invite users, even when signups are disabled
          # INVITATIONS_ALLOWED=true
@ -590,7 +591,7 @@ in {
          ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
          ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
          SMTP_HOST = "smtp.gmail.com";
-          SMTP_FROM = "vault@depeuter.dev";
+          SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
          SMTP_FROM_NAME = cfg.name;
          # SMTP_USERNAME=username
          # SMTP_PASSWORD=password