update secret contract and add sops module

CHANGELOG.md

@@ -40,6 +40,7 @@
   - `shb.forgejo.databasePasswordFile` -> `shb.forgejo.databasePassword.result.path`.
 - Backup:
   - `shb.restic.instances` options has been split between `shb.restic.instances.request` and `shb.restic.instances.settings`, matching better with contracts.
+- Use of secret contract everywhere.
 
 
 ## User Facing Backwards Compatible Changes

README.md

@@ -69,7 +69,7 @@ SHB's first goal is to provide unified [building blocks](#available-blocks)
 and by extension configuration interface, for self-hosting.
 
 Compare the configuration for Nextcloud and Forgejo in Self Host Blocks.
-The following snippets focus on similitudes and assume the relevant blocks are configured off-screen.
+The following snippets focus on similitudes and assume the relevant blocks - like secrets - are configured off-screen.
 It also does not show specific options for each service.
 These are still complete snippets that configure HTTPS,
 subdomain serving the service, LDAP and SSO integration.
@@ -87,14 +87,14 @@ shb.nextcloud = {
     host = "127.0.0.1";
     port = config.shb.ldap.ldapPort;
     dcdomain = config.shb.ldap.dcdomain;
-    adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
+    adminPassword.result = config.shb.sops.secrets."nextcloud/ldap/admin_password".result;
   };
   apps.sso = {
     enable = true;
     endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
 
-    secretFile = config.sops.secrets."nextcloud/sso/secret".path;
-    secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
+    secret.result = config.shb.sops.secrets."nextcloud/sso/secret".result;
+    secretForAuthelia.result = config.shb.sops.secrets."nextcloud/sso/secretForAuthelia".result;
   };
 };
 ```
@@ -112,15 +112,15 @@ shb.forgejo = {
     host = "127.0.0.1";
     port = config.shb.ldap.ldapPort;
     dcdomain = config.shb.ldap.dcdomain;
-    adminPasswordFile = config.sops.secrets."forgejo/ldap_admin_password".path;
+    adminPassword.result = config.shb.sops.secrets."nextcloud/ldap/admin_password".result;
   };
 
   sso = {
     enable = true;
     endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
 
-    secretFile = config.sops.secrets."forgejo/ssoSecret".path;
-    secretFileForAuthelia = config.sops.secrets."forgejo/authelia/ssoSecret".path;
+    secret.result = config.shb.sops.secrets."forgejo/sso/secret".result;
+    secretForAuthelia.result = config.shb.sops.secrets."forgejo/sso/secretForAuthelia".result;
   };
 };
 ```

demo/homeassistant/README.md

@@ -60,7 +60,7 @@ chmod 600 sshkey
 
 This is only needed because git mangles with the permissions. You will not even see this change in
 `git status`.
-### Deploy with Colmena {#demo-homeassitant-deploy-colmena}
+### Deploy with Colmena {#demo-homeassistant-deploy-colmena}
 
 If you deploy with Colmena, you must first build the VM and start it:
 

demo/nextcloud/README.md

@@ -112,7 +112,7 @@ ssh -F ssh_config example
 
 :::: {.note}
 This section corresponds to the `basic` section of the [Nextcloud
-manual](services-nextcloud.html#services-nextcloud-server-usage-basic).
+manual](services-nextcloud.html#services-nextcloudserver-usage-basic).
 ::::
 
 Assuming you already deployed the `basic` demo, now you must add the following entry to the
@@ -143,7 +143,7 @@ This is the admin user of Nextcloud and that's the end of the `basic` demo.
 
 :::: {.note}
 This section corresponds to the `ldap` section of the [Nextcloud
-manual](services-nextcloud.html#services-nextcloud-server-usage-ldap).
+manual](services-nextcloud.html#services-nextcloudserver-usage-ldap).
 ::::
 
 Assuming you already deployed the `ldap` demo, now you must add the following entry to the
@@ -182,7 +182,7 @@ This is the end of the `ldap` demo.
 
 :::: {.note}
 This section corresponds to the `sso` section of the [Nextcloud
-manual](services-nextcloud.html#services-nextcloud-server-usage-oidc).
+manual](services-nextcloud.html#services-nextcloudserver-usage-oidc).
 ::::
 
 At this point, it is assumed you already deployed the `sso` demo. There is no host to add to

docs/blocks.md

@@ -30,6 +30,10 @@ services you already have deployed.
 Not all blocks are yet documented. You can find all available blocks [in the repository](@REPO@/modules/blocks).
 :::
 
+```{=include=} chapters html:into-file=//blocks-sops.html
+modules/blocks/sops/docs/default.md
+```
+
 ```{=include=} chapters html:into-file=//blocks-ssl.html
 modules/blocks/ssl/docs/default.md
 ```

docs/contracts.md

@@ -148,11 +148,14 @@ Provided contracts are:
 - [SSL generator contract](contracts-ssl.html) to generate SSL certificates.
   Two providers are implemented: self-signed and Let's Encrypt.
 - [Backup contract](contracts-backup.html) to backup directories.
-  One provider is implemented: Restic.
+  One provider is implemented: [Restic][].
 - [Database Backup contract](contracts-databasebackup.html) to backup database dumps.
-  One provider is implemented: Restic.
+  One provider is implemented: [Restic][].
 - [Secret contract](contracts-secret.html) to provide secrets that are deployed outside of the Nix store.
-  One provider is implemented: SOPS.
+  One provider is implemented: [SOPS][].
+
+[restic]: blocks-restic.html
+[sops]: blocks-sops.html
 
 ```{=include=} chapters html:into-file=//contracts-ssl.html
 modules/contracts/ssl/docs/default.md

docs/default.nix

@@ -142,6 +142,11 @@ in stdenv.mkDerivation {
         '@OPTIONS_JSON@' \
         ${individualModuleOptionsDocs [ ../modules/blocks/restic.nix ]}/share/doc/nixos/options.json
 
+    substituteInPlace ./modules/blocks/sops/docs/default.md \
+      --replace \
+        '@OPTIONS_JSON@' \
+        ${individualModuleOptionsDocs [ ../modules/blocks/sops.nix ]}/share/doc/nixos/options.json
+
     substituteInPlace ./modules/services/nextcloud-server/docs/default.md \
       --replace \
         '@OPTIONS_JSON@' \
@@ -190,6 +195,7 @@ in stdenv.mkDerivation {
 
     nixos-render-docs manual html \
       --manpage-urls ${manpage-urls} \
+      --redirects ./redirects.json \
       --media-dir media \
       --revision ${lib.trivial.revisionWithDefault release} \
       --stylesheet static/style.css \

docs/demos.md

@@ -7,6 +7,6 @@ your local machine with minimal manual steps.
 demo/homeassistant/README.md
 ```
 
-```{=include=} chapters html:into-file=//demo-nextcloud-server.html
+```{=include=} chapters html:into-file=//demo-nextcloud.html
 demo/nextcloud/README.md
 ```

docs/options.md

@@ -1,4 +1,4 @@
-# All Options {#ch-options}
+# All Options {#all-options}
 
 ```{=include=} options
 id-prefix: opt-

docs/preface.md

@@ -39,14 +39,14 @@ shb.nextcloud = {
     host = "127.0.0.1";
     port = config.shb.ldap.ldapPort;
     dcdomain = config.shb.ldap.dcdomain;
-    adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
+    adminPassword.result = config.shb.sops.secrets."nextcloud/ldap/admin_password".result;
   };
   apps.sso = {
     enable = true;
     endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
 
-    secretFile = config.sops.secrets."nextcloud/sso/secret".path;
-    secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
+    secret.result = config.shb.sops.secrets."nextcloud/sso/secret".result;
+    secretForAuthelia.result = config.shb.sops.secrets."nextcloud/sso/secretForAuthelia".result;
   };
 };
 ```
@@ -64,15 +64,15 @@ shb.forgejo = {
     host = "127.0.0.1";
     port = config.shb.ldap.ldapPort;
     dcdomain = config.shb.ldap.dcdomain;
-    adminPasswordFile = config.sops.secrets."forgejo/ldap_admin_password".path;
+    adminPassword.result = config.shb.sops.secrets."nextcloud/ldap/admin_password".result;
   };
 
   sso = {
     enable = true;
     endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
 
-    secretFile = config.sops.secrets."forgejo/ssoSecret".path;
-    secretFileForAuthelia = config.sops.secrets."forgejo/authelia/ssoSecret".path;
+    secret.result = config.shb.sops.secrets."forgejo/sso/secret".result;
+    secretForAuthelia.result = config.shb.sops.secrets."forgejo/sso/secretForAuthelia".result;
   };
 };
 ```