tdpeuter/bos55-nix-config-cicd
1
Fork 0
forked from Bos55/nix-config
Code Pull requests 1 Releases Packages Activity Actions

refactor(security): migrate hardcoded credentials and SSH keys to sops-nix
Some checks failed
Build / build (Development) (push) Has been cancelled
Details
Build / Determining hosts to build (push) Failing after 13m25s
Details
Build / build (Testing) (push) Has been cancelled
Details

Browse source
This commit is contained in:
Tibo De Peuter 2026-03-17 21:45:56 +01:00
parent cbb70ab8bb
commit ccfa328771
Signed by: tdpeuter
GPG key ID: 38297DE43F75FFE2
10 changed files with 47 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/apps/gitea/default.nix
View file

@ -496,7 +496,8 @@ in {
#FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
# Mail from address, RFC 5322. This can be just an email address, or the
# `"Name" <email@example.com>` format.
FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
# TODO Hugo: Populate 'gitea_mailer_from' in sops.
FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
# Sometimes it is helpful to use a different address on the envelope. Set this to use
# ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
#FORGEJO__mailer__ENVELOPE_FROM = "";

2
modules/apps/traefik/default.nix
View file

@ -72,7 +72,7 @@ in {
# Certificates
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
"--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
"--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
];
volumes = [

3
modules/apps/vaultwarden/default.nix
View file

@ -344,6 +344,7 @@ in {
# ORG_CREATION_USERS=none
## A comma-separated list means only those users can create orgs:
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
# TODO Hugo: Redact org creation users if needed.
## Invitations org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true
@ -590,7 +591,7 @@ in {
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
SMTP_HOST = "smtp.gmail.com";
SMTP_FROM = "vault@depeuter.dev";
SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
SMTP_FROM_NAME = cfg.name;
# SMTP_USERNAME=username
# SMTP_PASSWORD=password