Feature: Implement sops-nix for Traefik, send stacks:

- Init stack.nix files.
  - Delete .env files, move into stack.nix.
  - Rotate traefik's secrets.env.

homelab/stacks/send/.env

@@ -1 +0,0 @@
-DOCKER_DATA=/mnt/iscsi/barbarian/send

homelab/stacks/send/stack.nix

@@ -0,0 +1,16 @@
+{ sys, ... }: let stack = "send"; in {
+  home-manager.users."${sys.username}".home.file = {
+    "${stack}" = {
+      enable = true;
+      recursive = true;
+      source = ./.;
+      target = "stacks/${stack}/";
+    };
+    "${stack}/.env" = {
+      enable = true;
+      text = ''DOCKER_DATA=${sys.dockerData}'';
+      target = "stacks/${stack}/.env";
+    };
+  };
+  #home-manager.users."${sys.username}".systemd.user.services."${stack}" = {};
+}

homelab/stacks/traefik/.env

@@ -1 +0,0 @@
-DOCKER_DATA=/home/admin/data/traefik

homelab/stacks/traefik/docker-compose.yml

@@ -18,7 +18,7 @@ services:
       - $DOCKER_DATA/acme.json:/acme.json
       - $DOCKER_DATA/acme-dns01.json:/acme-dns01.json
     env_file:
-      - path: ./secrets.env
+      - path: /run/secrets/traefik
         required: true
 
 networks:

homelab/stacks/traefik/secrets.env

@@ -1,60 +1,22 @@
 {
-	"CLOUDFLARE_DNS_API_TOKEN": "ENC[AES256_GCM,data:SzH8xKkDNnFkuTTTnxZL25lett7w6xzA16UXEKHhIDCU5exOQ8pUBQ==,iv:ADAVsoUNfDXlCS3dP9uMWRzhJhnnB3sv3mpxW2+Qhug=,tag:Xe9Nr0/3iCp5cZd6P4XX7A==,type:str]",
+	"CLOUDFLARE_DNS_API_TOKEN": "ENC[AES256_GCM,data:DYBR3w6UEypTD1gjnH7033bXI6IBDYtaQjd11VyyjkikYKRo8Cc1vA==,iv:q/5ET+wiXj67DyV7JSZzkth3Tkbbuhq71UPSedL1aHA=,tag:fRTIiV8YcBnktd+KKpAVtA==,type:str]",
 	"sops": {
-		"shamir_threshold": 2,
-		"key_groups": [
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUmdKYmlhQklLbHNTNVZH\nUGxEWDcycDh2WUUxUlhOaEdvWi9LaTdpNFJnCm9QRzRLbVJyNzcvSUlzMjJSbElV\nZ0dZNC8yc2VJZ1d2Q0JQRHdjYXZyYncKLS0tIDFhY0k2eGd0YVBZS1JzOW54cTV0\nUHdHdVFpYy95OUdXdEcwSWNlUUZxdGsKNn0yEjupv/F87C1PuFAUcUPIOrD4ofmP\nHPW2KKLYRETT/DdVvgeKSOY1BaFcsp4Yq8qtSQwuM6fE3TLc6VSC0bw=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRnJnaHFIVGp1dnVndExk\na3gxZFNMUHQ2VC9UQ09JZDNNa0M5d1JWRHdZCldVWVl4RWMvdFRBTlBEYmI5YlZ1\nME1ySnhFYmRCOE1SeGxaWnpvYWJIZ1EKLS0tIGRiMmJacmI5Ly94TVJHU0NrNGQx\naFdva3F3alJWczhoM1p2QjJKMTdBRUkKBipt8gcSIHIyDztXlZUMLtnRCs9tCx5e\nNGVceOAKz/7bNrBZGktDcXhZhRYCRGe+N/nsJv9ZXIe6PCfqPzZZAXI=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdmdGUTY5Mlpjb1J6Lzd3\nczBHSmVuLzV1SHBlOUxUaTd3NkZtMTdNU3dNCkZ2dTBCQzlSV1NxYnNxYlJuZHlr\nRzdGNVRXeXRIbi9uOHJZZXBmd3pXSkkKLS0tIDl6ejJzTUNNSE5rWW1sZXNEVi9R\nTTBWVmZoZnkwbEdKSmVDOFd4dFM4dE0KlzV3ZFPhboBAaO9BasR8+YaYsTOJwdvJ\nPVU68jqTyXXJ2gp27GafUFeAXbriEUH4W2PTUbn2TePdPYubLFeV8I0=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK0c4TitEVFNLSUtTR3hi\nM2pCMHEvWng1ZnB5c3U0UGNUN1dQSXMwZ2pFCllqRG9GQTJwbDZ5WHhpMkRDN0NZ\nVHRKUElySjd2dHZaSlViRWtEeS85WTgKLS0tIHJpVnM3azJzalp0cG96a3JESVZs\nbWVZbURIR1B1ajlrRFJ4UThuSk56S00KKystxd83yLUM6TGrN5Z7Oh7yFvx479DJ\nFWlc306/LRGUooopc1GNidokk6DKybumTxbwUcHmgc3DlgJrhG4Mv04=\n-----END AGE ENCRYPTED FILE-----\n"
-					},
-					{
-						"recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NHhUMTFUYTlzaFU3c1F4\neHZSTXhmbFpNNmZKWm0rQk1XdTllZ1EyeDM4CnBDRkZxRENOcDdjR0dRS1B4OTU1\naVd6eG9aTXQ0aFlhK1czdklDZm9Pak0KLS0tIHBrbU1lNjhkMlNhSCt0Qk1mWlho\nV2JRVmZqbTRkNXNkeWlvM0FzdVUzRWcKVtmlpyVvQSObTIg+Ih4rQ56lEFMVAVK1\nK2TJPMICIMzY+7qjpn5JqNvteVkgYEvSgEzspc5e5MqX65mOjVevrKo=\n-----END AGE ENCRYPTED FILE-----\n"
-					},
-					{
-						"recipient": "age1m0jpnk4t7hph5tdva3y9ap7scl8vfly9ufazr0h3cuwpcytlsulqjrt58y",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQTQ1TnNJUDhrbmJRblFU\nV1FNSXQ5eFBMWjRKQmxqaG5KTGJQTWdaalI4CjM1aElKbjdsV0x1QTdiTnhHRUpp\nemJMR09jUmtSYWJqUmRHZzU3ZTJJSlEKLS0tIGFScUdvYkZ0R0lHRHh6SnRNTERN\nODc2MXFLMGtUb2VXamljU0pIdGt0Z2MKzjgZ4YR7nOKvGoXHvI9CaYGENd0Rlh9Q\nz0zbCNMY0s2boNiYA5B1xgs/JHgRoOAqTYJI6+PtVGO19VH8d9NSksc=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			}
-		],
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
-		"age": null,
+		"age": [
-		"lastmodified": "2025-01-27T07:51:11Z",
+			{
-		"mac": "ENC[AES256_GCM,data:k65tv1ICZgoEWYsvU3RJaTWjlfkWCmop85kmolJTDJ9IaQUifooVdXGcCPyyFWbKoOrT/GxZony6Atr1DTAorauc+6iG8KUQq25WmM2eIMB8uPpqcoWeJazMwoxc+6l43iWwIrrV3tYiiQQSoEgssAp+EQaQx63IQqI/1blyq0s=,iv:sgK6aWS2j3qQQaKD3z2/Ym1+9N4tcVTITW+7rzoM/kY=,tag:4Z7Clv8cBDjAyHE8b3+fYw==,type:str]",
+				"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyU01POWhYTUFZYzM5MVQ2\nV1hGS2Q3dER5ZjBFWWlpL08zalM3ek9BSzNNClFhK2tsWVY2dVJKYUllaWIyKzlx\nd0YxbDI5WFVGdWVmbmlONEoydGhHWnMKLS0tIE1uV3Ztb1Fnb0pWQlJkcHhGdUU1\nMWVYdHpISGNkRlJyVnNSdnlGR0NkdXcK0I2RYSAFcfjeoCyU7sx+KtZGrczfReBc\n/fvfWx9CrA1BgCV7OPgYrF/ewzYNY2ZNBzFGuiHnCzNGyXcf+ec9xw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMK1Uvc0ZJTXpRNTZwQ29D\nOTRSblJTc3pPRTdVUG8yMFl3UWFiUUhOWEVJCmhUdHNsM1RtRUlKNUNtZHgyZU5u\nZlpYNUd2ck1NSkJ3OEVneUZwenFEb1EKLS0tIFN2R3ROaDMvUENlK3U1ZFhQb29B\nL09xV1IvKy9pbW1RNHZqL3RFQThSRzAK3GyvcjCiIBOCKpZgZ2DReVBatY3/jYRl\nuXm7PyGM8JH9EeVfKlHxVtBJ0mWN2gfqIu7t8sn70y1x95Hr3GTEvw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-30T21:36:05Z",
+		"mac": "ENC[AES256_GCM,data:RFlLGMrLm7vwGXiApW5ba7snC8mF0gfElHCyDVQLCeJMfR0Y/CqMXY7zEIsOo7xA60Fa6DrXMu9ZCm17yErNh8PhucZfdhYGR/VwP0Nl5ouyleh2CF2o9gwptPMnhFJHndCLdqmaJLNYk7ncktrsbxX642jFw9UBehiWad8+xWM=,iv:Cj7oxW9rRKaIv923cNZVgeaKw40gXjjuxCgdImBxMX8=,tag:WC6F/K8UucFYLo0/7/6nWQ==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.9.2"

homelab/stacks/traefik/stack.nix

@@ -0,0 +1,30 @@
+{ sys, inputs, ... }: let stack = "traefik"; in {
+  home-manager.users."${sys.username}".home.file = {
+    "${stack}" = {
+      enable = true;
+      recursive = true;
+      source = ./.;
+      target = "stacks/${stack}/";
+    };
+    "${stack}/.env" = {
+      enable = true;
+      text = ''DOCKER_DATA=${sys.dockerData}'';
+      target = "stacks/${stack}/.env";
+    };
+  };
+
+  imports = [ inputs.sops-nix.nixosModules.sops ]; 
+  sops.secrets."${stack}" = { 
+    sopsFile = ./secrets.env;
+    key = "";
+    mode = "0440";
+    owner = sys.username;
+    # Access this secrets file in Nix expressions via: 
+    #   config.sops.secrets.traefik.path
+    # Or in sops-nix templates via:
+    #   config.sops.placeholder.traefik.path
+    # Or in the shell via:
+    #   cat /run/secrets/traefik
+  };
+  #home-manager.users."${sys.username}".systemd.user.services."${stack}" = {};
+}