cc-ci/modules/secrets.nix

# sops-nix wiring (D6 infra secrets). cc-ci decrypts secrets at activation using its own
# ed25519 SSH host key as the age identity (no separate key file to manage on the box).
# Encrypted material lives in ../secrets/*.yaml, committed and readable only by recipients
# listed in /.sops.yaml (host key + off-box master recovery key).
{ config, ... }:
{
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;
    # Decrypt using the host's SSH host key (converted to an age identity by sops-nix).
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    # Do not also look for a GPG key.
    gnupg.sshKeyPaths = [ ];

    # M0 proof secret — confirms the decrypt path works end to end.
    secrets.test_secret = { };

    # M2 Drone (A2 internal secrets). drone_rpc_secret is shared between the swarm-deployed
    # Drone server (inserted as the `rpc_secret` swarm secret by scripts/deploy-drone.sh) and
    # the host exec runner (read via the env template below). drone_gitea_client_secret is the
    # Gitea OAuth app secret, inserted as the server's `client_secret` swarm secret.
    secrets.drone_rpc_secret = { };
    secrets.drone_gitea_client_secret = { };

    # M3 comment-bridge (A2). Read by modules/bridge.nix's reconcile oneshot, which copies them
    # into swarm secrets the bridge container mounts. webhook_hmac is also set on the Gitea webhook.
    secrets.bridge_webhook_hmac = { };
    secrets.bridge_drone_token = { };
    secrets.bridge_gitea_token = { };

    # EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
    templates."drone-runner.env".content = ''
      DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}
    '';
  };
}