make letsencrypt use sops for secret

docs/examples/vaultwarden/.sops.yaml

@@ -0,0 +1,18 @@
+# This example uses YAML anchors which allows reuse of multiple keys 
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &me age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
+  - &machine1 age16yraj9xdpjqazwakcy4fs9gcxu75el3yefpzudhv7zu9pn6jsvtqeee23r
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *me
+  - path_regex: secrets/machine1/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *me
+      - *machine1

docs/examples/vaultwarden/README.md

@@ -11,7 +11,13 @@ When that's done, explore the files in this folder.
 To try it out locally, follow [deploy to staging](/docs/tutorials/deploystaging.md).
 
 ```bash
-nixops set-args --arg domain '"dev.mydomain.com"' --network dev
+nixops set-args  --network dev \
+  --arg domain '"dev.mydomain.com"' \
+  --arg sopsKeyFile '"$HOME/.config/sops/age/keys.txt"'
+```
+
+You can use the `info` subcommand to print the values of the arguments:
+```bash
 nixops info --network dev
 ```
 
@@ -26,5 +32,5 @@ nixops create ./network-virtualbox.nix -d vaultwarden-staging
 nixops deploy --network dev
 nixops reboot
 
-disnixos-env -s services.nix -n network-virtualbox.nix -d distribution.nix
+disnixos-env -s services.nix -n dev/nixops.nix -d distribution.nix
 ```

docs/examples/vaultwarden/dev/nixops.nix

@@ -1,5 +1,6 @@
 {
   domain ? "dev.mydomain.com",
+  sopsKeyFile ? "",
 }:
 
 {
@@ -24,6 +25,9 @@
         ["--natpf1" "${name},${protocol},,${toString host},,${toString guest}"];
     in
       recursiveUpdate base {
+        imports = [
+          <sops-nix/modules/sops>
+        ];
         deployment.targetEnv = "virtualbox";
         deployment.virtualbox = {
           memorySize = 1024;
@@ -31,5 +35,18 @@
           headless = true;
           vmFlags = concatMap mkPortMapping vbox.portMappings;
         };
+
+        # This will add secrets.yml to the nix store
+        # You can avoid this by adding a string to the full path instead, i.e.
+        # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
+        sops.defaultSopsFile = ../secrets/linode.yaml;
+        # This will automatically import SSH keys as age keys
+        sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        # This is using an age key that is expected to already be in the filesystem
+        sops.age.keyFile = /. + sopsKeyFile;
+        # This will generate a new key if the key specified above does not exist
+        sops.age.generateKey = true;
+        # This is the actual specification of the secrets.
+        sops.secrets.linode = {};
       };
 }

docs/examples/vaultwarden/network.nix

@@ -83,13 +83,6 @@ rec {
         };
 
         # deployment.keys = {
-        #   linode.text = ''
-        #     LINODE_HTTP_TIMEOUT=10
-        #     LINODE_POLLING_INTERVAL=10
-        #     LINODE_PROPAGATION_TIMEOUT=240
-        #     LINODE_TOKEN=383525f4d58919d43506e6ab43a549a6eda6491eccb8e384d43013f0bcf45d47
-        #   '';
-
         #   keycloakdbpassword.text = ''
         #     KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}"
         #   '';
@@ -129,7 +122,15 @@ rec {
             email = "ibizapeanut@gmail.com";
             dnsProvider = "linode";
             dnsResolver = "8.8.8.8";
-            credentialsFile = "/run/keys/linode";
+
+            # For example, to use Linode to prove the dns challenge,
+            # the content of the file should be the following, with
+            # XXX replaced by your Linode API token.
+            # LINODE_HTTP_TIMEOUT=10
+            # LINODE_POLLING_INTERVAL=10
+            # LINODE_PROPAGATION_TIMEOUT=240
+            # LINODE_TOKEN=XXX
+            credentialsFile = "/run/secrets/linode";
             enableDebugLogs = true;
           };
         };

docs/examples/vaultwarden/secrets/linode.yaml

@@ -0,0 +1,21 @@
+linode: ENC[AES256_GCM,data:Rg/k/gmBJ8iBP9KW8Zom7gGecNG404v9oQ85MuXPB+fjKowmm36YJ61tiVhUADPsFMWezulJG3RpvpoqZLPU+8cCX1KPsfJgUN77MlQRjjdraqVMq/opcEXfwIs3g76y9hDvbTMVIGpKCVE8hl7N5XTRPkQPSpracj+papL0bdFLhmsDgGi/vmaH7zs9K6gwYQv/mzz2oy6oZh8NoAlF,iv:2Z4NLAQmf/m5oemdM7Z+MAAyVUBVZoA4Zia/bqcW8u0=,tag:WeVnU4swvvQdA7QU9Ax4Xg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1nj0ulq6863y9tdk0pkwjx4ltuyjpx6gftwy27mk3gkwja6k325esgaerlr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweERHTXJWU1BWNXJJUVNM
+            WUZObm82a0JHSWM2cWdBQTI2ckRvMnRGMDIwCm9TZWtTTUlaTTRuYVcvd1J3TnVF
+            dUN0NFdtaTZWL2IraE5BcE43WWdXcmMKLS0tIDFyQ3FGT1F4dkVtU0U5R2FNNlRa
+            dXB5OEx1clZiMktxdkFVUVpWOUtleU0Kb4E+x2cxcOayFigQDo9dv3e/si9a19YJ
+            mw2PUTb1Tm3PQ/ZXW6R6y5CfzFf7FhBTpRas84sPDg9MrOrWLygUgw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-04-09T05:03:49Z"
+    mac: ENC[AES256_GCM,data:t03zcu+puxqs6bqb+7MJDY67UXJVN4RP48VSY2aBYtzRp4tcZ0zKpqGDJ2y9sFkLkUu5Mvha68g5Bd6uylQFwVyks2HQyyT0UFsQWJfpk9WGXElmJ+BeU4m51QFLK17rAFGSqvlHjbo3U47IgySlr4vViIyikOxY/UAUI0r2jsQ=,iv:Q5QgjDszLKbcqN415YLdqMGLa0b3Cy4WbXOtkT4HKBs=,tag:Cgpox1V73/UU4kg+dLgyWA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3