# =============================================================================
# Homey secrets — managed by sops-nix
#
# THIS FILE MUST BE ENCRYPTED WITH SOPS BEFORE COMMITTING.
# It is shown here as a plaintext template so you know what to fill in.
#
# Workflow:
#   1. Complete the .sops.yaml age key setup.
#   2. Fill in the values below.
#      Before encrypting, check that no placeholder is left behind:
#        grep -nE 'REPLACE-WITH|GENERATE-' secrets/secrets.yaml   # must print nothing
#   3. Run: sops -e -i secrets/secrets.yaml
#      This encrypts the file in-place. The encrypted version is safe to commit.
#      Sanity check before `git add`: every value should now read
#      ENC[AES256_GCM,...] and the file should end with a top-level `sops:`
#      metadata block. If either is missing, the file is still plaintext.
#   4. To edit later: sops secrets/secrets.yaml
#
# Key layout: keys are flat "service/name" strings at the top level.
# NOTE(review): sops-nix resolves a "/" inside a sops.secrets.<name> as a
# nested-path lookup by default — confirm that the modules consuming these
# secrets find this flat layout (e.g. by setting the secret's `key` option),
# or nest the keys (openldap: { admin_password: ... }) instead.
#
# Ports from old deployment:
#   - openldap/admin_password     ← from k8s secret openldap-admin
#   - openldap/config_password    ← from k8s secret openldap-config
#   - openldap/ro_password        ← from k8s secret openldap-ro
#   - gitea/admin_password        ← from k8s secret gitea-admin-pass
#   - nextcloud/admin_password    ← from k8s secret nextcloud-admin-pass
#   - nextcloud/postgres_password ← from k8s secret nextcloud-postgres-pass
# These are carried over unchanged. Consider rotating them as part of the
# migration: the old copies remain in the k8s cluster's secret store until
# it is torn down.
# The remaining secrets (authelia JWT, session key, encryption key, gitea
# LFS/OAuth2/internal tokens) are regenerated fresh — see notes below.
# =============================================================================

# --- OpenLDAP ---
openldap/admin_password: "REPLACE-WITH-OLD-VALUE"
openldap/config_password: "REPLACE-WITH-OLD-VALUE"
openldap/ro_password: "REPLACE-WITH-OLD-VALUE"

# --- Authelia (regenerated fresh — these are random strings) ---
# Generate each with a CSPRNG, e.g.:  openssl rand -hex 32   (64 hex chars).
# Do not reuse one value for several keys.
# Rotating session_secret logs every user out; storage_encryption_key must
# not be changed once Authelia has written its storage (existing data becomes
# unreadable) — use Authelia's storage encryption change-key procedure instead.
authelia/jwt_secret: "GENERATE-random-64-chars"
authelia/session_secret: "GENERATE-random-64-chars"
authelia/storage_encryption_key: "GENERATE-random-64-chars"

# --- Gitea ---
gitea/admin_password: "REPLACE-WITH-OLD-VALUE"
# These three are regenerated — gitea will re-derive on first start:
# NOTE(review): if these values are rendered into app.ini, Gitea uses them
# as-is rather than deriving its own — verify against the gitea module.
# Generate with:  gitea generate secret LFS_JWT_SECRET
#                 gitea generate secret JWT_SECRET        (oauth2_jwt_secret)
#                 gitea generate secret INTERNAL_TOKEN
# Changing the two JWT secrets later invalidates outstanding LFS/OAuth2 tokens.
gitea/lfs_jwt_secret: "GENERATE-random-43-chars-base64url"
gitea/oauth2_jwt_secret: "GENERATE-random-43-chars-base64url"
gitea/internal_token: "GENERATE-random-100-alphanum"

# --- Nextcloud ---
nextcloud/admin_password: "REPLACE-WITH-OLD-VALUE"
nextcloud/postgres_password: "REPLACE-WITH-OLD-VALUE"

# --- Cloudflare (DNS-01 ACME + tunnel) ---
# api_token: create a dedicated token scoped to Zone:DNS:Edit on only the
# zone(s) ACME needs — not a Global API Key, and not account-wide.
# tunnel_token: specific to one tunnel; revoke it from the Cloudflare
# dashboard if this host is ever compromised.
cloudflare/api_token: "REPLACE-WITH-CF-DNS-EDIT-TOKEN"
cloudflare/tunnel_token: "REPLACE-WITH-CF-TUNNEL-TOKEN"

# --- Restic backup ---
# Losing this passphrase makes every snapshot unrecoverable — keep a copy
# somewhere independent of this host and of this git repository.
restic/password: "GENERATE-random-passphrase"
# Repository destination — e.g. "sftp:user@nas:/backups/homey"
#                           or "b2:bucketname:homey" for Backblaze B2
# Set the actual repo URL in modules/backup.nix or override per-host.
# NOTE(review): a B2 repository also needs account credentials that this
# template does not define — add them here and wire them through sops.secrets
# rather than placing them in the repo URL or in plain Nix config.