nixos server configurations

papermario-dx-build: flatten sops keys (no nesting)

+23 -44
+9 -11
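--- a/secrets/kuribo/papermario-dx-build.json
+++ b/secrets/kuribo/papermario-dx-build.json
@@ -1,24 +1,22 @@
 {
-"baseromUrl": "ENC[AES256_GCM,data:GQ8LVJL17pJ8kzdxU7YEnus3ZX7gBO95xdcAGJGMq043fnURqRb21++CAWTFm+/XICm+DfiuFA8pHMKEp0MvNlD5mIGDFBtmzTIaPn11QCM=,iv:+EHYAWbGl1bTemYluxDAO4E0a4SbDHbMwuA+k2+iIbI=,tag:o0BvKJO1Zp6graujgHWv9Q==,type:str]",
-"sccache": {
-"endpoint": "ENC[AES256_GCM,data:Lc7hXbrtT6j35iS9sNgPUwnEhsP8snvQVtoq,iv:H2QpjDD90+Q+T814OFPwUn621k90udGqTGpEDIZcjXE=,tag:qiG4+dwxkMJzO/vJ64vj9g==,type:str]",
-"bucket": "ENC[AES256_GCM,data:MkQxbbWDpQ==,iv:DPDVjzgn0YbWrPouFTlFVOz/ghersSBSr7HzQB6+IZ0=,tag:y0NJvelED0c1fzX9Ypx8HQ==,type:str]",
-"accessKey": "ENC[AES256_GCM,data:PgxncgfKg71JpvNI3zcDVsLxfbQ=,iv:XwlfbtxievXT0GDQBUOWvcW/dX1nt/VJaFVKCKLRuSc=,tag:q9GedCxhCKV3ex9UvxdCNA==,type:str]",
-"secretKey": "ENC[AES256_GCM,data:zUHw1WEZSLOb9N/5eKIp/q0kjtxgWXzNv7dQVClQ0wvzT4TOwe5olg==,iv:lZ8t8hio9vuWmMaqU75VLQyiq4G0Mi0DSdo3Ma3oLDc=,tag:LDi7HDQ5HV2tevL3sXJ8Qw==,type:str]"
-},
+"baseromUrl": "ENC[AES256_GCM,data:Rvz4QAM3+vhOnjXigLZpTtFwQBqxTZxwQV8a0LmvS6rGqgQoLEImCF5AuS7/LNJD1zVcMQ+tUGmxWrlCKFh9EmwIgjXtO/2X7AtMQB4/vzA=,iv:+pNH/y+vNbrg1VOCjH5xlfaJ/1TwMlEGhom7Yh1ztbQ=,tag:HBF5crT/r4d8nKY3motYlg==,type:str]",
+"sccacheEndpoint": "ENC[AES256_GCM,data:5EwK11OLGVDMIJitmbNkTRFLLUutMC02K1wk,iv:QHgnIX/oz5IVZibgBYy939h/DtKNJmRf9U3GBSb7Z7U=,tag:c5G0lUgTkxfXKPLrnNiCxw==,type:str]",
+"sccacheBucket": "ENC[AES256_GCM,data:+GQebwoUEw==,iv:GsNm7zdjSIuStAzr8TAcDPk/dkf0gc5iDEQetFJROv8=,tag:fe59PhK+du6KnNrpXgvlRQ==,type:str]",
+"sccacheAccessKey": "ENC[AES256_GCM,data:/6wxo3WFtcVYIDFGLCfKGQ/ozCE=,iv:YVSRbYAsaJjg3ZlqSlhVWeAGsy1JxgzD938ImMyRAd8=,tag:p1Evvitk9RjOgnYbl//Xmw==,type:str]",
+"sccacheSecretKey": "ENC[AES256_GCM,data:Ebaixpbx2CvrTLyjekSLbdxoJ+8YGiIGAOKDUJn53jJ24ihUntwsdw==,iv:owd//U6fPAvlcI3uIDXEB0hBVrPcKZrB/894HV9Q1e8=,tag:d74I/IGHyr6mrTYJr4a5BA==,type:str]",
 "sops": {
 "age": [
 {
 "recipient": "age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2",
-"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWGwyd2pUL2hNU1VYMVEy\nT0p1ZEpML1dOK1ZoK3Bscks5RldteFJtMUdNCjFhcXFjR01IVEE4d0p1K2k3c2lN\nTnM3Vm91dGEwaEVTRkhodUZINEtmdVEKLS0tIDY1cTR0OXJzeSs1LzNLbXdLMDdR\na1VneTZlOXlTVXppMGF5OUZZckpGaVUKMRGVmtHhfHs4c8Qnv7cntCRccrh4kHLI\ns+Xu4KSiqW+xTgBB6QKeDypRoDWUk3Jzm6uYqZdfWbCFxbSURrkZow==\n-----END AGE ENCRYPTED FILE-----\n"
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aVpIOE5qbDUrWmRhZUdN\nY1NhNldUK2tkRmh4NXRpL3VFaFFwTTJyQmtNCkZZeUo1bzFLT3J6bDVMNzl3Z2N6\nOXFnK1N4b2tCbWpGa2l2dnVHUHZiNlkKLS0tIE1jRGRPRnkrSlRRN0FWT3dlL2JQ\nR0FvZjA3REc0M3RHU0k4TFpXMEpmTGsKiCRQnOwUcHJESGTy/nsp9tFOv9ftE3RU\n4rARMjTsfy+er0RW/TfY3kwrFD1xPZ2znhFb0JPz3c/E8Mht9BTmNw==\n-----END AGE ENCRYPTED FILE-----\n"
 },
 {
 "recipient": "age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl",
-"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VDVPSDFrdzYxTHJYTkZM\nTTF0Yk1WWDJVbllwaU5tdjhtb2VyYWhiemxNCjRvVHB4YjRHNXlYU1VSanEyUW4y\nUnlUbTdxZEM5dkNMTFpPOVlJbEozS1UKLS0tIGxoRTNxbVVJTWFuOVdPRmU0VmNE\nc0IrQ01LNzFRaklsRWI1THlBSDA4Y1UKVJvM77yd9kp0Q6nOkcrxq6aTANEo898W\nAphZshPVi9wG3AdZnAtkXbhB5V0nnsv098RYgt0u70WYADjw5BVPkQ==\n-----END AGE ENCRYPTED FILE-----\n"
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UlFSdW1pb2UyNUdsQ1No\nS3lsaVhzUHowcmV5SkxqeVZCOE1KQkcvcGxZCjdLUnFCZ2xvb3NWaklCSzYyaDM4\nTWlReGU0UEtPdHEvWGxEL0RBdmVzVVUKLS0tIHQ0VTVBN0lISXp4cVBuaWFmVjlV\nWWowdlFZclRuN3o4V1FXdERrdWFKZ3MKoWkHY44xnWMQcWgDwsjbE+8w9SCm/T6h\nDYc07yFbs1KebLZ+fXghB1Nfn7hBdiroUmPzG23QoszGx5FYw84aZQ==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
-"lastmodified": "2026-03-22T16:44:04Z",
-"mac": "ENC[AES256_GCM,data:W9PQ84hRNsFl8aBZ7UN09kackvj9k3HIY7o3JGmO2GjEP6tlO5/4Pr9xPQHn5MiPLsO15ghYl5nVkgcoBpOZCuePbzqZtv44SSW4+/DfygpfrT/yhE/UkkeHfifZzbLM09tOnxQEuOFto+oBttPJo9UzFUMXBmnleXZvqv4fr7U=,iv:7hybudHPn5PU7Rq9WqGMEf/MQ3gplyshSCZfMLqcIuY=,tag:VdhS0wewnaRqarwWdXmQeQ==,type:str]",
+"lastmodified": "2026-03-22T18:42:54Z",
+"mac": "ENC[AES256_GCM,data:WFCYbLVTE32Hj9BnlT7MFHvx3bMC/u4GnfOhgc8HO1XzZbGZOIJ3Rk9eC9E2cMCf+v+8Mt8Igl7T4BRWJJzEm11QxKwWcAPILq8yxLupuDVuy0D1nAXUq1YOy5akmky9/YEUlN7Bmg7rSNrUa3ZiDL9msI8GUbu7Ton6hNJ+arc=,iv:z38pX+2yWAnQX149GD2/zM0H3+7aA9eMts1SAXPfTeE=,tag:+IycTH+5Tjp+MSf0TCfWUg==,type:str]",
 "unencrypted_suffix": "_unencrypted",
 "version": "3.11.0"
 }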
+14 -33
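--- a/servers/kuribo/papermario-dx-build.nix
+++ b/servers/kuribo/papermario-dx-build.nix
@@ -1,30 +1,14 @@
 { config, pkgs, ... }:
+let
+sopsFile = ../../secrets/kuribo/papermario-dx-build.json;
+s = name: config.sops.secrets."papermario-dx/${name}".path;
+in
 {
-sops.secrets."papermario-dx/baseromUrl" = {
-sopsFile = ../../secrets/kuribo/papermario-dx-build.json;
-format = "json";
-key = ''["baseromUrl"]'';
-};
-sops.secrets."papermario-dx/sccache/endpoint" = {
-sopsFile = ../../secrets/kuribo/papermario-dx-build.json;
-format = "json";
-key = ''["sccache"]["endpoint"]'';
-};
-sops.secrets."papermario-dx/sccache/bucket" = {
-sopsFile = ../../secrets/kuribo/papermario-dx-build.json;
-format = "json";
-key = ''["sccache"]["bucket"]'';
-};
-sops.secrets."papermario-dx/sccache/accessKey" = {
-sopsFile = ../../secrets/kuribo/papermario-dx-build.json;
-format = "json";
-key = ''["sccache"]["accessKey"]'';
-};
-sops.secrets."papermario-dx/sccache/secretKey" = {
-sopsFile = ../../secrets/kuribo/papermario-dx-build.json;
-format = "json";
-key = ''["sccache"]["secretKey"]'';
-};
+sops.secrets."papermario-dx/baseromUrl".sopsFile = sopsFile;
+sops.secrets."papermario-dx/sccacheEndpoint".sopsFile = sopsFile;
+sops.secrets."papermario-dx/sccacheBucket".sopsFile = sopsFile;
+sops.secrets."papermario-dx/sccacheAccessKey".sopsFile = sopsFile;
+sops.secrets."papermario-dx/sccacheSecretKey".sopsFile = sopsFile;
 
 systemd.services.papermario-dx-build-json = {
 description = "Generate papermario-dx build.json from sops secrets";
@@ -35,18 +19,16 @@
 Type = "oneshot";
 RemainAfterExit = true;
 };
-script = let
-s = name: config.sops.secrets."papermario-dx/${name}".path;
-in ''
+script = ''
 mkdir -p /run/papermario-dx
 cat > /run/papermario-dx/build.json <<ENDJSON
 {
 "baseromUrl": "$(cat ${s "baseromUrl"})",
 "sccache": {
-"endpoint": "$(cat ${s "sccache/endpoint"})",
-"bucket": "$(cat ${s "sccache/bucket"})",
-"accessKey": "$(cat ${s "sccache/accessKey"})",
-"secretKey": "$(cat ${s "sccache/secretKey"})"
+"endpoint": "$(cat ${s "sccacheEndpoint"})",
+"bucket": "$(cat ${s "sccacheBucket"})",
+"accessKey": "$(cat ${s "sccacheAccessKey"})",
+"secretKey": "$(cat ${s "sccacheSecretKey"})"
 }
 }
 ENDJSON
@@ -54,7 +36,6 @@
 '';
 };
 
-# Serve the decrypted build.json at papermario-dx.starhaven.dev
 starhaven.caddy.extraHandles = ''
 @papermario-dx host papermario-dx.starhaven.dev
 handle @papermario-dx {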
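Review bot: The five `sops.secrets` declarations on new lines 7–11 drop both `format = "json"` and `key`, so unless defaults are set elsewhere in the configuration sops-nix falls back to `sops.defaultSopsFormat` and to the attribute name (`papermario-dx/baseromUrl`) as the lookup key, which does not match the flattened top-level `baseromUrl` in the JSON file. Each entry likely needs the form `sops.secrets."papermario-dx/baseromUrl" = { inherit sopsFile; format = "json"; key = "baseromUrl"; };`. Separately, the comment removed at old line 57 was the only statement that the generated build.json, which holds the sccache access and secret keys, is served by Caddy; I would keep it and extend it to say who is allowed to fetch the file, since the `handle` body continues outside this section and any restriction is not visible here. The heredoc on new lines 24–34 also splices the secret values into JSON without escaping, so a value containing a quote or backslash would produce an invalid file.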