From 7d506a74fd883b91d748b1729a9d76f5fdafc167 Mon Sep 17 00:00:00 2001
From: Joey Hafner
Date: Thu, 30 Jan 2025 15:02:34 -0800
Subject: [PATCH] Feature: Implement sops-nix for Traefik, send stacks:
- Init stack.nix files.
- Delete .env files, move into stack.nix.
- Rotate traefik's secrets.env.
---
 homelab/stacks/send/.env | 1 -
 homelab/stacks/send/stack.nix | 16 ++++++
 homelab/stacks/traefik/.env | 1 -
 homelab/stacks/traefik/docker-compose.yml | 2 +-
 homelab/stacks/traefik/secrets.env | 64 +++++------------------
 homelab/stacks/traefik/stack.nix | 30 +++++++++++
 6 files changed, 60 insertions(+), 54 deletions(-)
 delete mode 100644 homelab/stacks/send/.env
 create mode 100644 homelab/stacks/send/stack.nix
 delete mode 100644 homelab/stacks/traefik/.env
 create mode 100644 homelab/stacks/traefik/stack.nix
diff --git a/homelab/stacks/send/.env b/homelab/stacks/send/.env
deleted file mode 100644
index 3ea61967..00000000
--- a/homelab/stacks/send/.env
+++ /dev/null
@@ -1 +0,0 @@
-DOCKER_DATA=/mnt/iscsi/barbarian/send
diff --git a/homelab/stacks/send/stack.nix b/homelab/stacks/send/stack.nix
new file mode 100644
index 00000000..eafd7a1a
--- /dev/null
+++ b/homelab/stacks/send/stack.nix
@@ -0,0 +1,16 @@
+{ sys, ... }: let stack = "send"; in {
+ home-manager.users."${sys.username}".home.file = {
+ "${stack}" = {
+ enable = true;
+ recursive = true;
+ source = ./.;
+ target = "stacks/${stack}/";
+ };
+ "${stack}/.env" = {
+ enable = true;
+ text = ''DOCKER_DATA=${sys.dockerData}'';
+ target = "stacks/${stack}/.env";
+ };
+ };
+ #home-manager.users."${sys.username}".systemd.user.services."${stack}" = {};
+}
\ No newline at end of file
diff --git a/homelab/stacks/traefik/.env b/homelab/stacks/traefik/.env
deleted file mode 100644
index d6797ef5..00000000
--- a/homelab/stacks/traefik/.env
+++ /dev/null
@@ -1 +0,0 @@
-DOCKER_DATA=/home/admin/data/traefik
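Review bot: The two `home.file` entries in the new `send/stack.nix` write into the same directory: `"${stack}"` links everything under `./.` (including this `stack.nix` itself) to `stacks/send/`, and `"${stack}/.env"` generates a second file at the same target, which only works because `.env` is deleted from the source tree in this same commit. A comment on the `"${stack}"` entry such as `# .env is generated by the entry below; do not re-add a checked-in .env here or the recursive link will collide with it` would protect that invariant. The same layout is repeated in `homelab/stacks/traefik/stack.nix`, where the recursive link also carries the encrypted `secrets.env` into the home directory. The file is also missing its trailing newline.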
diff --git a/homelab/stacks/traefik/docker-compose.yml b/homelab/stacks/traefik/docker-compose.yml
index 0200a999..5c2f145a 100644
--- a/homelab/stacks/traefik/docker-compose.yml
+++ b/homelab/stacks/traefik/docker-compose.yml
@@ -18,7 +18,7 @@ services:
 - $DOCKER_DATA/acme.json:/acme.json
 - $DOCKER_DATA/acme-dns01.json:/acme-dns01.json
 env_file:
- - path: ./secrets.env
+ - path: /run/secrets/traefik
 required: true
 networks:
diff --git a/homelab/stacks/traefik/secrets.env b/homelab/stacks/traefik/secrets.env
index 9160f741..6666ad8a 100644
--- a/homelab/stacks/traefik/secrets.env
+++ b/homelab/stacks/traefik/secrets.env
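Review bot: The new `env_file` path `/run/secrets/traefik` is a second copy of a value the Nix side owns (sops-nix's secrets mount point plus the secret name declared in `homelab/stacks/traefik/stack.nix`), so a rename or a changed mount point on either side breaks the stack only at `docker compose up` time. `required: true` makes that failure loud instead of starting Traefik without its DNS credentials, which is the right choice here and worth stating next to the path: `# provisioned by sops-nix (see stack.nix); required so a missing secret fails the stack rather than running without the token`. The hunk header promises seven context lines per side but six are visible, so a blank context line seems to have been lost in this rendering rather than in the commit.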
@@ -1,60 +1,22 @@ { - "CLOUDFLARE_DNS_API_TOKEN": "ENC[AES256_GCM,data:SzH8xKkDNnFkuTTTnxZL25lett7w6xzA16UXEKHhIDCU5exOQ8pUBQ==,iv:ADAVsoUNfDXlCS3dP9uMWRzhJhnnB3sv3mpxW2+Qhug=,tag:Xe9Nr0/3iCp5cZd6P4XX7A==,type:str]", + "CLOUDFLARE_DNS_API_TOKEN": "ENC[AES256_GCM,data:DYBR3w6UEypTD1gjnH7033bXI6IBDYtaQjd11VyyjkikYKRo8Cc1vA==,iv:q/5ET+wiXj67DyV7JSZzkth3Tkbbuhq71UPSedL1aHA=,tag:fRTIiV8YcBnktd+KKpAVtA==,type:str]", "sops": { - "shamir_threshold": 2, - "key_groups": [ - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUmdKYmlhQklLbHNTNVZH\nUGxEWDcycDh2WUUxUlhOaEdvWi9LaTdpNFJnCm9QRzRLbVJyNzcvSUlzMjJSbElV\nZ0dZNC8yc2VJZ1d2Q0JQRHdjYXZyYncKLS0tIDFhY0k2eGd0YVBZS1JzOW54cTV0\nUHdHdVFpYy95OUdXdEcwSWNlUUZxdGsKNn0yEjupv/F87C1PuFAUcUPIOrD4ofmP\nHPW2KKLYRETT/DdVvgeKSOY1BaFcsp4Yq8qtSQwuM6fE3TLc6VSC0bw=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRnJnaHFIVGp1dnVndExk\na3gxZFNMUHQ2VC9UQ09JZDNNa0M5d1JWRHdZCldVWVl4RWMvdFRBTlBEYmI5YlZ1\nME1ySnhFYmRCOE1SeGxaWnpvYWJIZ1EKLS0tIGRiMmJacmI5Ly94TVJHU0NrNGQx\naFdva3F3alJWczhoM1p2QjJKMTdBRUkKBipt8gcSIHIyDztXlZUMLtnRCs9tCx5e\nNGVceOAKz/7bNrBZGktDcXhZhRYCRGe+N/nsJv9ZXIe6PCfqPzZZAXI=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdmdGUTY5Mlpjb1J6Lzd3\nczBHSmVuLzV1SHBlOUxUaTd3NkZtMTdNU3dNCkZ2dTBCQzlSV1NxYnNxYlJuZHlr\nRzdGNVRXeXRIbi9uOHJZZXBmd3pXSkkKLS0tIDl6ejJzTUNNSE5rWW1sZXNEVi9R\nTTBWVmZoZnkwbEdKSmVDOFd4dFM4dE0KlzV3ZFPhboBAaO9BasR8+YaYsTOJwdvJ\nPVU68jqTyXXJ2gp27GafUFeAXbriEUH4W2PTUbn2TePdPYubLFeV8I0=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - }, - { - "hc_vault": null, - "age": [ - { - "recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK0c4TitEVFNLSUtTR3hi\nM2pCMHEvWng1ZnB5c3U0UGNUN1dQSXMwZ2pFCllqRG9GQTJwbDZ5WHhpMkRDN0NZ\nVHRKUElySjd2dHZaSlViRWtEeS85WTgKLS0tIHJpVnM3azJzalp0cG96a3JESVZs\nbWVZbURIR1B1ajlrRFJ4UThuSk56S00KKystxd83yLUM6TGrN5Z7Oh7yFvx479DJ\nFWlc306/LRGUooopc1GNidokk6DKybumTxbwUcHmgc3DlgJrhG4Mv04=\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NHhUMTFUYTlzaFU3c1F4\neHZSTXhmbFpNNmZKWm0rQk1XdTllZ1EyeDM4CnBDRkZxRENOcDdjR0dRS1B4OTU1\naVd6eG9aTXQ0aFlhK1czdklDZm9Pak0KLS0tIHBrbU1lNjhkMlNhSCt0Qk1mWlho\nV2JRVmZqbTRkNXNkeWlvM0FzdVUzRWcKVtmlpyVvQSObTIg+Ih4rQ56lEFMVAVK1\nK2TJPMICIMzY+7qjpn5JqNvteVkgYEvSgEzspc5e5MqX65mOjVevrKo=\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1m0jpnk4t7hph5tdva3y9ap7scl8vfly9ufazr0h3cuwpcytlsulqjrt58y", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQTQ1TnNJUDhrbmJRblFU\nV1FNSXQ5eFBMWjRKQmxqaG5KTGJQTWdaalI4CjM1aElKbjdsV0x1QTdiTnhHRUpp\nemJMR09jUmtSYWJqUmRHZzU3ZTJJSlEKLS0tIGFScUdvYkZ0R0lHRHh6SnRNTERN\nODc2MXFLMGtUb2VXamljU0pIdGt0Z2MKzjgZ4YR7nOKvGoXHvI9CaYGENd0Rlh9Q\nz0zbCNMY0s2boNiYA5B1xgs/JHgRoOAqTYJI6+PtVGO19VH8d9NSksc=\n-----END AGE ENCRYPTED FILE-----\n" - } - ] - } - ], "kms": null, "gcp_kms": null, "azure_kv": null, "hc_vault": null, - "age": null, - 
"lastmodified": "2025-01-27T07:51:11Z", - "mac": "ENC[AES256_GCM,data:k65tv1ICZgoEWYsvU3RJaTWjlfkWCmop85kmolJTDJ9IaQUifooVdXGcCPyyFWbKoOrT/GxZony6Atr1DTAorauc+6iG8KUQq25WmM2eIMB8uPpqcoWeJazMwoxc+6l43iWwIrrV3tYiiQQSoEgssAp+EQaQx63IQqI/1blyq0s=,iv:sgK6aWS2j3qQQaKD3z2/Ym1+9N4tcVTITW+7rzoM/kY=,tag:4Z7Clv8cBDjAyHE8b3+fYw==,type:str]", + "age": [ + { + "recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyU01POWhYTUFZYzM5MVQ2\nV1hGS2Q3dER5ZjBFWWlpL08zalM3ek9BSzNNClFhK2tsWVY2dVJKYUllaWIyKzlx\nd0YxbDI5WFVGdWVmbmlONEoydGhHWnMKLS0tIE1uV3Ztb1Fnb0pWQlJkcHhGdUU1\nMWVYdHpISGNkRlJyVnNSdnlGR0NkdXcK0I2RYSAFcfjeoCyU7sx+KtZGrczfReBc\n/fvfWx9CrA1BgCV7OPgYrF/ewzYNY2ZNBzFGuiHnCzNGyXcf+ec9xw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK1Uvc0ZJTXpRNTZwQ29D\nOTRSblJTc3pPRTdVUG8yMFl3UWFiUUhOWEVJCmhUdHNsM1RtRUlKNUNtZHgyZU5u\nZlpYNUd2ck1NSkJ3OEVneUZwenFEb1EKLS0tIFN2R3ROaDMvUENlK3U1ZFhQb29B\nL09xV1IvKy9pbW1RNHZqL3RFQThSRzAK3GyvcjCiIBOCKpZgZ2DReVBatY3/jYRl\nuXm7PyGM8JH9EeVfKlHxVtBJ0mWN2gfqIu7t8sn70y1x95Hr3GTEvw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-01-30T21:36:05Z", + "mac": "ENC[AES256_GCM,data:RFlLGMrLm7vwGXiApW5ba7snC8mF0gfElHCyDVQLCeJMfR0Y/CqMXY7zEIsOo7xA60Fa6DrXMu9ZCm17yErNh8PhucZfdhYGR/VwP0Nl5ouyleh2CF2o9gwptPMnhFJHndCLdqmaJLNYk7ncktrsbxX642jFw9UBehiWad8+xWM=,iv:Cj7oxW9rRKaIv923cNZVgeaKw40gXjjuxCgdImBxMX8=,tag:WC6F/K8UucFYLo0/7/6nWQ==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.9.2" diff --git a/homelab/stacks/traefik/stack.nix b/homelab/stacks/traefik/stack.nix new file mode 100644 index 00000000..8805c50e --- /dev/null +++ b/homelab/stacks/traefik/stack.nix 
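Review bot: The re-key replaces the old `shamir_threshold: 2` / `key_groups` metadata with a flat `age` list of two recipients, so either key alone now decrypts `CLOUDFLARE_DNS_API_TOKEN`; note that the old layout listed `age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00` in two of the four groups, so that single key already met the threshold and the new form mostly makes the effective trust model explicit. What does change is that the three other recipients from the old fourth group and `age193t908…` lose access while `age1v5wy7epv5…` gains it; if those were stale host or user keys, say so in the commit message so the access change is auditable. Rotating the token in the same commit is the right call, since the previous ciphertext remains in history for every recipient that could open it.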
@@ -0,0 +1,30 @@
+{ sys, inputs, ... }: let stack = "traefik"; in {
+ home-manager.users."${sys.username}".home.file = {
+ "${stack}" = {
+ enable = true;
+ recursive = true;
+ source = ./.;
+ target = "stacks/${stack}/";
+ };
+ "${stack}/.env" = {
+ enable = true;
+ text = ''DOCKER_DATA=${sys.dockerData}'';
+ target = "stacks/${stack}/.env";
+ };
+ };
+
+ imports = [ inputs.sops-nix.nixosModules.sops ];
+ sops.secrets."${stack}" = {
+ sopsFile = ./secrets.env;
+ key = "";
+ mode = "0440";
+ owner = sys.username;
+ # Access this secrets file in Nix expressions via:
+ # config.sops.secrets.traefik.path
+ # Or in sops-nix templates via:
+ # config.sops.placeholder.traefik.path
+ # Or in the shell via:
+ # cat /run/secrets/traefik
+ };
+ #home-manager.users."${sys.username}".systemd.user.services."${stack}" = {};
+}
\ No newline at end of file
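Review bot: `sops.secrets."${stack}"` sets `key = ""` (emit the whole decrypted document) but no `format`, while `secrets.env` is stored as a JSON document (`{ "CLOUDFLARE_DNS_API_TOKEN": ... }`) and `docker-compose.yml` consumes `/run/secrets/traefik` as an `env_file`; unless the rendered secret comes out as `KEY=value` lines, compose will not parse it, so please confirm the decrypted output is dotenv-shaped or set `format` to match how the file was encrypted. The comment `# config.sops.placeholder.traefik.path` looks wrong: sops-nix template placeholders are the string `config.sops.placeholder.traefik`, with no `.path`. `mode = "0440"` grants group read without naming a `group`; if only the user invoking compose needs the file, `mode = "0400"` is the smaller grant. The literal `/run/secrets/traefik` in the comment and in the compose file duplicates what `config.sops.secrets.${stack}.path` already expresses, so a comment noting that the compose path must track that value would help the next person who renames the secret.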