From 6ded6f7d2840d3592d363920a8edbdda84fbe66f Mon Sep 17 00:00:00 2001 From: vhaudiquet Date: Tue, 16 Sep 2025 21:22:00 +0200 Subject: [PATCH] Add SOPS encryption for env files (and decryption with SwarmCD) --- .gitignore | 2 -- .post-commit-sops.sh | 2 +- .pre-commit-sops.sh | 2 +- .sops.yaml | 3 +++ .swarmcd/stacks.yaml | 14 +++++++++++++ docker/gitea-actions/.env | 11 ++++++++++ docker/home/ha-linky/.env | 8 ++++++++ .../personal/media/youtube/tubearchivist/.env | 10 ++++++++++ docker/personal/tandoor/.env | 18 +++++++++++++++++ docker/tools/hedgedoc/.env | 11 ++++++++++ docker/tools/notesnook/.env | 20 +++++++++++++++++++ generate-docker-swarmcd.sh | 10 +++++++++- infra/pve/docker.tf | 1 + 13 files changed, 107 insertions(+), 5 deletions(-) create mode 100644 docker/gitea-actions/.env create mode 100644 docker/home/ha-linky/.env create mode 100644 docker/personal/media/youtube/tubearchivist/.env create mode 100644 docker/personal/tandoor/.env create mode 100644 docker/tools/hedgedoc/.env create mode 100644 docker/tools/notesnook/.env diff --git a/.gitignore b/.gitignore index 7751b51..e25fa4d 100644 --- a/.gitignore +++ b/.gitignore @@ -9,5 +9,3 @@ terraform.tfstate.backup kubeconfig talosconfig -# Ignore docker environment files (contains secrets) -.env diff --git a/.post-commit-sops.sh b/.post-commit-sops.sh index b90750f..b861c77 100755 --- a/.post-commit-sops.sh +++ b/.post-commit-sops.sh @@ -3,7 +3,7 @@ readarray f < <(git diff-tree --no-commit-id --name-only HEAD -r) for filepath in "${f[@]}"; do filepath=$(echo "${filepath}" | tr -d '\n') filename=$(basename ${filepath}) - if [[ "$(unknown)" =~ values.ya?ml$ ]] || [[ "$(unknown)" =~ secrets?.ya?ml$ ]]; then + if [[ "$(unknown)" =~ values.ya?ml$ ]] || [[ "$(unknown)" =~ secrets?.ya?ml$ ]] || [[ "$(unknown)" = ".env" ]]; then sops -d -i "${filepath}" fi done diff --git a/.pre-commit-sops.sh b/.pre-commit-sops.sh index 5d40aa1..111f4a6 100755 --- a/.pre-commit-sops.sh +++ b/.pre-commit-sops.sh 
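Review bot: The new `.env` test added to .post-commit-sops.sh is an exact match (`[[ "$(unknown)" = ".env" ]]`), while the companion .pre-commit-sops.sh hunk uses the regex `=~ .env$`, whose unescaped dot matches any name ending in `env` (e.g. `prod.env`, `myenv`), so such a file is encrypted and committed by the pre-commit hook but never decrypted back by this one, leaving the working copy encrypted. The same unescaped dot appears in the `.sops.yaml` rule `path_regex: .*.env$`, so the three patterns do not describe the same set of files. Make them agree: test the basename exactly in both hooks, `[[ "${filename}" == ".env" ]]` (the `filename` variable is already computed with `basename` two lines above), and escape the dot in .sops.yaml, `path_regex: .*\.env$`.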
@@ -1,6 +1,6 @@ #!/bin/bash for filename in "$@"; do - if [[ "$(unknown)" =~ values.ya?ml$ ]] || [[ "$(unknown)" =~ secrets?.ya?ml$ ]]; then + if [[ "$(unknown)" =~ values.ya?ml$ ]] || [[ "$(unknown)" =~ secrets?.ya?ml$ ]] || [[ "$(unknown)" =~ .env$ ]]; then sops -e -i "$(unknown)" git add "$(unknown)" fi diff --git a/.sops.yaml b/.sops.yaml index fcf550b..fe37738 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,3 +5,6 @@ creation_rules: - path_regex: .*.yaml encrypted_regex: ^(data|stringData)$ pgp: DC6910268E657FF70BA7EC289974494E76938DDC + - path_regex: .*.env$ + input_type: dotenv + pgp: DC6910268E657FF70BA7EC289974494E76938DDC diff --git a/.swarmcd/stacks.yaml b/.swarmcd/stacks.yaml index 91980d6..fb007d2 100644 --- a/.swarmcd/stacks.yaml +++ b/.swarmcd/stacks.yaml @@ -2,6 +2,8 @@ gitea-actions: repo: homeprod branch: main compose_file: docker/gitea-actions/docker-compose.yml + sops_files: + - docker/gitea-actions/.env esphome: repo: homeprod @@ -12,6 +14,8 @@ ha-linky: repo: homeprod branch: main compose_file: docker/home/ha-linky/docker-compose.yml + sops_files: + - docker/home/ha-linky/.env home-assistant: repo: homeprod @@ -107,11 +111,15 @@ tubearchivist: repo: homeprod branch: main compose_file: docker/personal/media/youtube/tubearchivist/docker-compose.yml + sops_files: + - docker/personal/media/youtube/tubearchivist/.env paperless: repo: homeprod branch: main compose_file: docker/personal/paperless/docker-compose.yml + sops_files: + - docker/personal/paperless/.env radicale: repo: homeprod @@ -127,6 +135,8 @@ tandoor: repo: homeprod branch: main compose_file: docker/personal/tandoor/docker-compose.yml + sops_files: + - docker/personal/tandoor/.env alexscript: repo: homeprod 
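Review bot: The `git add` on the line after `sops -e -i` runs whether or not encryption succeeded, and the file's first six lines show no `set -e`, so if sops fails (key unavailable, file already encrypted, no matching `.sops.yaml` rule) the plaintext `.env` is staged and committed — and because this same patch removes `.env` from `.gitignore`, nothing else stands in the way. Make a failed encryption abort the commit: `sops -e -i "${filename}" || exit 1`. The hook also only protects clones where it is installed; a `--no-verify` commit or a fresh clone without the hook commits plaintext, so a server-side or CI check that every tracked `.env` carries the `sops_version=` marker line (present in each encrypted file in this patch) would be a useful backstop. The `for` loop's `done` lies outside the hunk.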
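Review bot: The `sops_files` entry added for `paperless` in the `@@ -107,11 +111,15 @@` hunk points at `docker/personal/paperless/.env`, but unlike the six other stacks gaining an entry, no such file is created by this patch (see the diffstat), so SwarmCD will presumably fail to locate or decrypt it when deploying that stack. This is consistent with generate-docker-swarmcd.sh's new `-f "$dir/.env"` test having picked up an untracked local file; either commit the encrypted file through the pre-commit hook or drop the entry. If that local file is plaintext, note that `.env` is no longer git-ignored after this patch.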
@@ -152,11 +162,15 @@ hedgedoc: repo: homeprod branch: main compose_file: docker/tools/hedgedoc/docker-compose.yml + sops_files: + - docker/tools/hedgedoc/.env notesnook: repo: homeprod branch: main compose_file: docker/tools/notesnook/docker-compose.yml + sops_files: + - docker/tools/notesnook/.env stirling-pdf: repo: homeprod diff --git a/docker/gitea-actions/.env b/docker/gitea-actions/.env new file mode 100644 index 0000000..5361106 --- /dev/null +++ b/docker/gitea-actions/.env 
@@ -0,0 +1,11 @@ +GITEA_INSTANCE_URL=ENC[AES256_GCM,data:PYjmpgDEvPEC1S7MrN6d91IUBnGbFA9Xag==,iv:m7YQOMnuEoT5wDyy47aaTqjJG+dhqTJKf5i3hQs6GwY=,tag:2ldKTNRqdJEXTxr3uAyLLQ==,type:str] +GITEA_RUNNER_REGISTRATION_TOKEN=ENC[AES256_GCM,data:RDnENtxQw80C7SwmMZV2DTlEx4+uvzVMy95leGb/1RR6egc6S4xWnQ==,iv:wThZ2+qukJqC+ApvXC9GBdneXJ00jkkTyq+2VXSDG+w=,tag:KygPnxauOpaI1goZ4+uf3g==,type:str] +GITEA_RUNNER_NAME=ENC[AES256_GCM,data:HvNmmQyKxk16WQV8dRfPOfCO39w=,iv:z1YuNWvglBYaXQwZXjMzXD4ZN2d7c3eD9GdSaG1maNY=,tag:FtX6wG47uTGjTQ8UNvGfcg==,type:str] +GITEA_RUNNER_LABELS= +sops_lastmodified=2025-09-16T19:22:00Z +sops_mac=ENC[AES256_GCM,data:JIp7wyaIsy2Jg9p3ybHAljkDn8vpDRHtf7Zm2/M4exe6CbWCRn1jGMle+SnKBv2DKVciquQ9B9cKtKnVCpEAQOceZ1WakwS/mCmjYTIHqcvm8/vst1BYiL1Ovbw2dDstzWo8g+UTKAmVC7E0TJ01vAbsOab+fVacKLHF97pBqW8=,iv:5tcuJntPXrWCeNTGQbXzLaGZnCc8rr+gKG+UTRBNUaY=,tag:g7EYMAaOmwjKFYfz1ID5xQ==,type:str] +sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//c0J+b0XwnMbLlQku3tAEutXuEkQPMMrdOpPYwrua9nNu\nSVPBSiamnTeoaP2kM5lcaQ7HUaRLiS1qjXNVPsnAdkGPPID3SxUJzUo7Ca/JOq7e\n39ihqetWAcn9dNDofTxVKyvKXhXKGaDFy2LhaKugj4tkx6qdMA/XAldvRD6ik1jK\nAZjl2xGYTvZ+XgTGtFs6u3Z9ugD6Q3yPjKRSfeIO8NPT5OFFzY70wqlZflxcpupD\npnsvXQkAK1Rnz6F9+dh6jJYYijTdEe9Q0i+0Uy3q+wMsf8KRWs4ARD05DpgIOnUA\nG0s2kdOOlvqoJ/m2fSV7vkIcCvCwhEirn5kfrdUGi3ENazh0g3vpppAfE0ynZdSo\nDiXI7dzCwMxYi8edieOhK3RrOn8bx7B8F1WE+mHL6StQmD2G+xfvgtKlsEJGY2Ed\n1CpMZSQ0TwFx58fYiK+HsZrwAw/3YVzPWryaYvJ6P8QnY3oJOJihSYGRMmyH5WRo\nle1Rxd+Lrt1UnWyZQ7rpqMsYiIzihsNgNix/2wS1R9R1wRFXPdNDfzjrv1BGm/aJ\nOOqUFo6Hd3jEwYcSsG7mbe+hCAAXoJjZSU43dVzeZ0k5ls/lpOjqjQrZZLgz33uF\nNVNRAKTYD2y+/mQ4vpDUsHhu5rtjxh8u1CJf0++q1W/w+Z4ooq5hcNm3ud3DHYjS\nXgF1JA9ThTS+Hs1fV5SFzGMyFMFGeiTVJeww26R+1Vws7fFwbyAYugOqAgkiNkIf\nS2dsxlH1TRjBq1XD4GYk6P3VDUU5UyxG/5XiOexGEVSxBL/wg6TwpyL1hjvgc9k=\n=fmOe\n-----END PGP MESSAGE----- +sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC +sops_unencrypted_suffix=_unencrypted 
+sops_version=3.10.2 diff --git a/docker/home/ha-linky/.env b/docker/home/ha-linky/.env new file mode 100644 index 0000000..2682517 --- /dev/null +++ b/docker/home/ha-linky/.env 
@@ -0,0 +1,8 @@ +SUPERVISOR_TOKEN=ENC[AES256_GCM,data:jcW++S0qsqO3EqIHb8pP9UVtj6lAfJc2rPV5tkrOG+pxI+cCrr4BsJhMnzN4MBoUa0XbCvXlhkdo1/x3dUEcqsg4T25IaC72n7IkW/Wy3bwiVYB19y0Znl64hxHZkjFY00XbVBj6LXhtT40T72c4qAm5uzeBK4be2fomIB4FS9M1XKLL27BoH3q3IxoT04KrDUO/aReOUBCGEgGaK7zfeRj6Gm97lRNpkotxuPm0sma0bqsnGu+o,iv:Q0mD4wj2qv+k8sWntiIYe7LzTm6CaQ4QGgyG83YpyPc=,tag:yZrvtAL/+B0RYboTzGmwRA==,type:str] +sops_lastmodified=2025-09-16T19:22:03Z +sops_mac=ENC[AES256_GCM,data:LH5UglnUv7urj92vEukJXlF2bU4HyTeUPxtkGjLu9hB/mw7bRjV2f3BpbJqsOlPPDihQY2mxSJYYEVG5Y0DLYEfHhRy5pzMP6xKCMOAt2bH9fmYlGtdQK/FqoETK2WbB0yt66UGy2cOkYDgyRBzugyh/NpscOheKB+m7A2b4fDc=,iv:7uelheh5cbmVaZ78QIoWmbWJTCA6gscvtk1/qBCEW58=,tag:k75QaO0IRS98LJJCJdQljg==,type:str] +sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//aaSjU182qGrX5Dc+t2H/EAx3CYMIevjMjWZh2jPqSOP0\nhqd3HFic8gc5ZvYNB1SdqlZI/yqlDcbkuEyCqpOikifsic8j2u6Z3GhtkJWrhtFr\n4mkO3BF9tA+F45P07RRP3Jr5tCct36AjClaziEvM1EJctSgDpVmyqbvyRpDXmtFz\n58jzmZCIxKKajGeQ0aERlnRsMa2PrgtfQS77ewUDDq2Lgkf5wSZ8Yg91U7qfEzDE\nEqDKYuy3dJNI5FIQaK1dAeHikf47fZ8hT+YVfaY85OwJh+ojGHIJ1L9DI99DxYa+\nPTO+rswNkrPxHnRfu1eQkLZLnXMS914iW0Na8/+T0zLWrcWcnMWdDx054e3Fe/Gi\n3zTpRDTQAo69J24TYP2NNoF6pF97jVEXz9NY0gdngjM6WDLLc9N6l3ReWfwaFAD5\nZQh6w21vmseroRMgXFnddUlTJE2/8evKJS7+uR+Z86SAojlWXTXjYnJqqj29KlEw\npeSJ+Q+ZdAUWjYtRLS3afwhYnum1hbfWBWRdDgAVhYcD1Yyri37qjSA8Mr086y0S\nW+MriV2jzmtUiSyo0efYqCm+BguWgkeqQlL7YLzg4UHG0J8ZME0qV/vSbFATSzbL\ncPdv6UZY8dw1LNwCLeH9eeNrpPKItasK/pID7H1u6r+4lRFStfFta9XrWeXtZnXS\nXgHdsbBzxhFBxrHEtj2Fn4r9QdjDZhTw59Mnaf3IVp5nbDngPwMMUc9NDgZp5WGh\nqcOeIdI9nGWt6PRTLSPSJZSry/G8tqbJGHjED2imMEdXGWtf5aHy4Z2iKBTfUPw=\n=Xe2o\n-----END PGP MESSAGE----- +sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 
diff --git a/docker/personal/media/youtube/tubearchivist/.env b/docker/personal/media/youtube/tubearchivist/.env new file mode 100644 index 0000000..8b3cdfa --- /dev/null +++ b/docker/personal/media/youtube/tubearchivist/.env 
@@ -0,0 +1,10 @@ +ELASTIC_PASSWORD=ENC[AES256_GCM,data:44mLZgddN6W39D0B67Z4arzKZ8wxHIxq6QTiHfzxnWLArDdhbMoO7g==,iv:kDrz+WaUb9+GP0veWQ8uTmD+Q94qvwgEi1JSbM2OSEY=,tag:IGBPe7UgymMB/ZuA0Bpblg==,type:str] +TA_USERNAME=ENC[AES256_GCM,data:Nk4Te3w/HT/jXw==,iv:YkgffT/7w82yEs9c7Qy3EwEGzNBoblrh0ljWXf+hMcw=,tag:zpDrTFR1/wSE1vsD8CpqnQ==,type:str] +TA_PASSWORD=ENC[AES256_GCM,data:GF4CicUmFdnSY94uK2OFrGvzlKRjEZRUJIeKE3Uoph/mKfKvF5uP0Q==,iv:JU2iVbqBMRPOUqZjl2TIBp0xqTzLQibJvCdGRKEgAUQ=,tag:sz+Bq2B33vEhS9TK82/xIA==,type:str] +sops_lastmodified=2025-09-16T19:22:00Z +sops_mac=ENC[AES256_GCM,data:XZgtrMHlwjQw5FafASypw+Bi3ZwKDlheDhVrjA9EbSM+YdVWH/AiyRFkwlYMU2HAO3DSIeU5EiZZxTubgpqdAgVtjYBkjokUY31soos32+lGmGNHzqi/YuHavl2olcfdyI2bCpqZny7Lo4AR+pNAWN81R32AKBSmVp7oFtM4irU=,iv:F+sqQLSkS3Ls5evxFrQlV0EOikKEv+Zw3f2qamyjxcI=,tag:iHYnNEX4rLT99DUL/ThuAA==,type:str] +sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/7BjTf43cdERSkpFGxdiCbxHH5IQh5ZHpa8YI7Jc0zq5Lt\ncKgCgjpSweHjJ4hzwMEalplNZaSiGEe+I8sDBx8ivtPU5i1BsEcDdtp2w9SawPm6\nSG7N1deYg8RBElVFxrA00LBo/DvfikmFLmEUPa1Z5dHC9sTBDNLgafHY0NH4uJsf\nTM61UQmSaYJRlTEWIfWbVN32ULmHjodufmxq2VP1vV+4zP2wu4t/cQ5LGvVr3em6\nFSpGsQT7L/DdERgkCJKEGmq+JiQd0v1j90+Slgg308JfWxfZbd6s3B7XXi0T8p+N\nm6A4zLRpei07H0rujT47jRP9nMxZNYynG69DdvQGScIrwa2lrLKqzHEYh/wW1i22\nx/9Oweco0B7Fw8U/y7F1OxIMH/TAp22/RuoBLx+DyUSs3eJX8aEkQF3ml/I0n3eL\nT58DJ/iH6IZT7Ywmy6uNgcAiV5xYmEwvPeh85gL1DlSPfiCPNb8mMqQc7MLSxXru\n6ZMXwD5MV7s5saAsQ0WdFI/Bdn2O2Fh0tCEMNWMH1mN2GQ2Eb3sfwa+2P4X1tUKz\nIWQT9iMvDkAMWJo/XHH0Na86C7Ki06VpBfLH22QBENA8IzdDWu30S/TLn6jQqng3\nlRxC9vPuq29JM1SndzeaR9c74oTEHzQe7jxIvU4VEehHH7Jw6jJyxzJrozpLMwjS\nXgEr6dHCkg2tgRFq6auh0duJoeglRu0fuJqPYq0GIYA+BTPxjkVaI2LBn8ENt67Z\nVhygz9MUKe802vhwPZr+SXSdrZnNvf93n8CEP8bdg+3n4FsVOTDBrfviCZUIJxQ=\n=4mgE\n-----END PGP MESSAGE----- +sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 
diff --git a/docker/personal/tandoor/.env b/docker/personal/tandoor/.env new file mode 100644 index 0000000..ce999f0 --- /dev/null +++ b/docker/personal/tandoor/.env 
@@ -0,0 +1,18 @@ +#ENC[AES256_GCM,data:McLrgYcpS7p3ms96atDIdQz1EvRTTrxnjgg3+niZezmHtn5c7vDHaECBhDI8cLsbJkSEncyGK4oFgrb54OGn8tFY1cxHY4hiL+FNigIHkhXap+xNwg==,iv:LPffOvVa+J0nDjUz0B2eDIsTB41SCuASX536xxwTtRg=,tag:TfSaqdB48O5D80CYhb2bAw==,type:comment] +SECRET_KEY=ENC[AES256_GCM,data:BUvuXiJPZJV56ALUeKWq5gmDY2Hve9tD6hXlqFZXKzJRRAp1oybwOZqXr7HfVtHjgTM=,iv:FydKIi3gx/5F+vOxd6GvqCLnCfV9+xpesSUoGyKV0D0=,tag:v+1ojpS3UoHK6CTEb4PFiA==,type:str] +#ENC[AES256_GCM,data:t2BD8Nj3mOD/pYOjdwShOqSDAYN/mdQ7yv43DzIpOKfaydq6whD7TCUYPNLXpTSNqaY+QSED17eUDUCSKT7gp11d1OTpIkKtbOoKle5D94jgRCS6HUka84qVc720TUw6uBWdIqi5qoZcYNppSqGdzeFjXBu+xny4Gg==,iv:NCF934MP0sB4l1X45T2DyUApNTWISUSDPlAT4MIf7Xo=,tag:YqU362U4QLlKLKy0xpgDdA==,type:comment] +#ENC[AES256_GCM,data:kYEb3ObKEpFnjE6mV97TJw1Jz8AzV+uIp2W7oQ==,iv:4gskHM+6K+4qT+YPVenobKJmrmZwtZ8tpw2QsOXbGRA=,tag:tXE5v+enpEmGsgq9Lx81Lg==,type:comment] +#ENC[AES256_GCM,data:WdV87OWsjDOrdDPyt28AD546dXxpyfmnQtBROns+Hfccn+WSpywbFfkkFvFOThT7fXOnSJy/oqIHCNx/UNgWH0fVJ2KB6O2YaBpH8ugHMWA6QU5RLbhQ+IPxbEbFb6+QHyLhskkvv0THXZpFS9vwy8k=,iv:81XF3gyUlCxlHE5NQek2BFUeLgYz5JoDCdJitzyegUM=,tag:vZ8VCPw/GH1Cqom6GLmXdw==,type:comment] +DB_ENGINE=ENC[AES256_GCM,data:63kZARUuU/Yx6btpGO60wBpqRa9YVvlr2yuC2GI=,iv:7jKuMPAbqekalQBdLIJnsJgKP4Pqw6MuPF0BZ4xPNVA=,tag:URaQKLQMw6+I65PBXgn6aQ==,type:str] +POSTGRES_HOST=ENC[AES256_GCM,data:nAtp1R6ZtJSiSg==,iv:CaVg+y7NAoWB5eZGo/EICR0HG6b82SzbSzfSVPsVOUI=,tag:DaCDvht1J0qjNv7F7WdWQg==,type:str] +POSTGRES_DB=ENC[AES256_GCM,data:kA1G1L6Euv0=,iv:Ryd0ofaJvfC+Cm+X359SW/UfZ327sVRsALnJnbcf+nw=,tag:PNsUvAO1p4mBjHiuuZLmXQ==,type:str] +POSTGRES_PORT=ENC[AES256_GCM,data:UdiRTw==,iv:U9sK0KbJ4dXxkZO60icqWAmhZRrqM2KWFesC/rJ1jcQ=,tag:JbNEq5J773SoFYLpruOfHw==,type:str] +POSTGRES_USER=ENC[AES256_GCM,data:q6/Q8q2dU+qeag==,iv:RdiUcZGMAJh5F8+M1vWsyrLYa8t7O0W0Y0YRnr//SFk=,tag:TsM2YxnUqIjPeLJHEVHm/w==,type:str] +POSTGRES_PASSWORD=ENC[AES256_GCM,data:iG1AO16KopJBAo/qk7rA3g==,iv:DIEwEDPhiOX90ihg8geE4HysdxTMLVDuXpJ4w1haWek=,tag:OyrlrkHM041NmkP9i/7kEQ==,type:str] 
+sops_lastmodified=2025-09-16T19:22:01Z +sops_mac=ENC[AES256_GCM,data:o4Vlo1V71CJzxsav8k7J2lxWO6awChXmMb3j7HQAp/MLtm8oRLz1ydHHIVpd59stDJjqIHsuMjI8KC/YkmzyX6tbC+9pHMO+nNSzENLW3x4g57VW30iZlwnObZ9Ba+80GtLdpYWxITW6cyvZtpGSVCIR6Wizm/20hEbld+FxDqI=,iv:/rCSPqnEfD+dZic6L2/6L+sO45QWcplUIzzLIQzYXCE=,tag:aP06jS4XP0tB2pT4GUKzPA==,type:str] +sops_pgp__list_0__map_created_at=2025-09-16T19:22:01Z +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiARAAuaBJNq58CixpaNV/WbzeOTsI8/KibO6LtpEAh9vvtqax\nmEj/E1q8lKU7vRaFLcYHr2hxbHgA0Cg6wpuf6l2i1okJ2aWtXuY/Niuk3GXWxFhX\n/PO/cX5M00XVGS/BS/RUaeG+Pv8LHaguGxB3w7a6zvPyvl5bm9RUv0Ns1U8XKNVZ\nWAt4WDwsu+71401jmGcIKk6e5k9og8oTM8oxCPrEy2lnvEf8Vt+MgEMVQP85MSYI\nbXsfONKE9NPW3YePG8bAlEGEZrwGhM1Qnr57rDdGL6QeAiX8F0aMEi2RpN3gNuL8\nDKjlSvdy3Pge+JMaQmcCYm+bluiZzYj3zGwyJQW+VXrOaOWelNMoUHk8tNNGPFyg\nD5bFSLl+6et4vWhxZxiliGxlxMtm+nF3uhnTZxdzOZL+34lNQO++FKCtaRFYtn4c\naRN1cjdqIXbqdRFvjkBjjwGY6c4YnsMJnktDOkYX0kK48iyxmF7tMcO5fIMV3vQA\neH95Qvzo5UZZG4iNQ0n4OVKdFq/0fCRbgKPbvkX1ECqINQuXxEbpnWf+z3TaUCzS\ncfp9HSGlxa3AOtlmVyf+tSblwYNKxpsYvZO0w2091jpakovIe4QT7xFQhJ4z9Iyn\nPi89EtKOTLd9MxFGu9vq1rKmzpp14Lc69LzlTh3dOSrgeeyBVW6XH+BLYFwrdg7S\nXgHZlLvUNTj3cBiaDYDiyUZH9x3SPRLAw3abcxx1G3XrPZBxbHC0TNKMWSZ5edzN\njjPj2/wh5mtzmPwTs7VFeIhIO/zvEMe0HI5W4ptv2gX7jZur+mMkOr1PvcrJhRo=\n=XyaE\n-----END PGP MESSAGE----- +sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 diff --git a/docker/tools/hedgedoc/.env b/docker/tools/hedgedoc/.env new file mode 100644 index 0000000..709c6b6 --- /dev/null +++ b/docker/tools/hedgedoc/.env 
@@ -0,0 +1,11 @@ +POSTGRES_PASSWORD=ENC[AES256_GCM,data:naUGUVMbgkNSbblt,iv:ao/NeYM62PnViWtNfWlobLcgZrf/K2cQV3FXJR+TidQ=,tag:MGILTlnyfy8itf1cjHkfMA==,type:str] +POSTGRES_USER=ENC[AES256_GCM,data:kXeEALbz,iv:VgUHRsrMQoMxhPMTrbteNGbfSFSuKR0VZkdeWY7eqZM=,tag:t2Q4I0wIGsaYiHcQkZpnRA==,type:str] +CMD_DB_URL=ENC[AES256_GCM,data:Z4gMf/68p4vNL9zv5ygAUHENAhO51lJEnN5xhEsr1yv5nQQUCcrgNwE6swxV8EhMSKweuaiIt93ybgbu,iv:rOM6DJp+z31sEYapFPuhfOL5C+Ot7PDR2GnvQkIiTuY=,tag:lC5AkC/i8/a0Q3Ou/GcByw==,type:str] +CMD_SESSION_SECRET=ENC[AES256_GCM,data:2k+ctM/7j/JhXMzLaI+x4QMzyyHf6tJpjrQ7rLRn896h0g+5P3AB6DfUbcmdWbE0ab6AkSuUm7wKcEKFwZrDwg==,iv:JdLg/9yUstUaeoaMvPknTYInq+t+AjqhP36olCKVeXg=,tag:3dIGzKgNOJu8xX6vR4ruqw==,type:str] +sops_lastmodified=2025-09-16T19:22:00Z +sops_mac=ENC[AES256_GCM,data:TLX5aj8DkvlLcub8oLgYzpPM3/JkSejZzc96NVB/loOvPmbe+JWEHs4ZHWhxLW9diL8cP5a6hfRAlIsXknXG7I8TN/s11+z77h0wwVQjKk25WH5rZ5REJrz3UCa/QNkMCozFARM/rQH1WoNBHKqKqnj3z6OlntNdWC4y/E2PpDA=,iv:JZ6yVv+Rjda6KBh6Ubdggq+vmrGE4AOBMZPKPYqOwLY=,tag:bO5NgxkeSksqqiho27BoHg==,type:str] +sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z +sops_pgp__list_0__map_enc=-----BEGIN PGP 
MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ/+MKdgjEQ9YAAK/6cvFuSSHwkLCiGhwhQyYuL/N4PEQ4hi\nanMMlvsAY5R691OMGi1hmSrmtm5DJuO5Ol9/Q3v4nPLuF4cvTApA6t0uhEmqPrWu\nKQc0vvakPUoxbi6RuiCiUujyh/kVaJbNpOjqGPiTAdpHxfqjTRwT7qGwOKFKLqcE\nwotXc9zCMu8tj1X2hpku5kIL2b3b6yt5tSNtrua/hjo05Q9SJmO1qOa3YRo8g5/R\nbwlqMDe5qzaASV5Tsu//P1uTpq0/MI8qhrJmYOdCY9swkYAOzpap6UGhvjbxLHwk\nd8g4YNEt+UcoIHVGn3rdLWvRo7UJS9ewTQq5UAU9ahCGzzbz9dqHSk7preO06cWG\nVsA9uCZ55UfkHqE8ucEqADPx6erduV5VPie4aakwbFUlYklwllvyc3s3NQJkorAn\nZpkI6vXBvCD3adF4JdiULUh9agRKIVfV/zDOcBdPv5bvhAr8EPmk2fU53al1ULkz\n9SMHVVl/97OJ8seMHbYbmPbsQLzChhtgFFqnhoBbPYgh1z5XSiCgxCzVUUWjub7S\nTAKxDbxOCfEn3n6h/ITdRU+LCFoc0zZi2k9dOqtXtZWQpO2RyL04pxPcS3QgMXqN\nKPtC6sY57ii6m118vBuaY9W0u+YADVJCfxSiCaQRHgVBhSV3hZUXlcMn1iGBrq/S\nXgFC4jpm+cZi7UsExMLwDUjmqlMGFUAD1IPoXymWrgZeBeeMrJ3BRpifNKYxS9Ps\no5q1Tuyslwot4XBPr/YRCcw+rEYosSUaRahYZav02FPWVuVZw1rdeKwjBiUfBFw=\n=QSUX\n-----END PGP MESSAGE----- +sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 diff --git a/docker/tools/notesnook/.env b/docker/tools/notesnook/.env new file mode 100644 index 0000000..1bee793 --- /dev/null +++ b/docker/tools/notesnook/.env 
@@ -0,0 +1,20 @@ +INSTANCE_NAME=ENC[AES256_GCM,data:GLnSjEj0NhKzccTJpjIN7o48LiSiIIg=,iv:ku2w/xVEhyYVsf6KQFypFK4y6154nLvgEt2XaqRcOOI=,tag:rzjxIxjyMNNfurUuD1zpMg==,type:str] +NOTESNOOK_API_SECRET=ENC[AES256_GCM,data:97xTiLFM9pL/bUM3,iv:gSlpqmsZyIzf7jpugc0ueGVmwCrauIuo+64gmlwzZaY=,tag:zVECG8LUGTVQJfH1tsXYTA==,type:str] +DISABLE_SIGNUPS=ENC[AES256_GCM,data:An/cGA==,iv:jQhnSXSxDaTZ847tDZ7nUeqhgNpdYu3I7Q2oqqjkO3U=,tag:l7cu2AUgUlqrckNgCIg9ng==,type:str] +SMTP_USERNAME=ENC[AES256_GCM,data:cke9ITC/naUhfoOr19FakMOmgkk=,iv:lgJOnpPwfYyPdEPn/8zhgPM++sKQHjM2lwnqj3/349k=,tag:TfWixgwuhvdvAfYkPT+anA==,type:str] +SMTP_PASSWORD=ENC[AES256_GCM,data:otmIJtB9wYOu5weVLgw=,iv:Cz8IgIjtQJtePNOYrIE8UE4Ey0kmLFIgql5M6co/D84=,tag:aDMvWzACfrOsqBqUQ+D2zA==,type:str] +SMTP_HOST=ENC[AES256_GCM,data:LYUUxNHABmeHbv7tFbOeZn4n,iv:PBPZhQNseoG0CXUZ3d3ECG04aWpw/QA2wA5sToMJ7EQ=,tag:m9VlE3eWnOtmyzTV0eBgOg==,type:str] +SMTP_PORT=ENC[AES256_GCM,data:qqQK,iv:99/i7zKxt6KAVCeIB/7TMvz2CqomwQZNIY+TeJqcgAY=,tag:/g9Kt49YkawKc8d0UBHPcA==,type:str] +NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:KWK12glgITh0h8at2RuUzsrfY1DzusIDSg==,iv:Z/H3NbIWjz6T1/7sC2SuBYvMJn7ltQEHwBT5e2RGm3o=,tag:2t60j9gPPOY7bqM2QqsLNw==,type:str] +AUTH_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:+bLyA0ucfycLLc4iGkWb9WisMr5wskAZK07QVCcM5oj2eTMmxfQ2Mw==,iv:Bp4JoLgxgRJMG98/QWRBTQnIpihgHp1+izCgOr1UoNI=,tag:uSPnZPEWU5QC0CTLeRCldw==,type:str] +NOTESNOOK_APP_PUBLIC_URL=ENC[AES256_GCM,data:u/8oFwLF1ZtuiIvM/bOM0XH3ibQYvyVPIA==,iv:p/ECEwrchuqaU2MRCUZdGJGTRE/mTkglPIX+nMZQ4J4=,tag:5cBC8D+MIya1vQa3kSXHtg==,type:str] +MONOGRAPH_PUBLIC_URL=ENC[AES256_GCM,data:uoiC69IAyraujhwVdpVQQEGM0b78tJh6VG2bLRtqoAUTBGp6bUGkABE=,iv:5UpUJKBjHaUzRFyUySI6Wyjich6E5JNmQqIVjsxOhkE=,tag:UP9NQzlX8CaB5oACMTqqtg==,type:str] +ATTACHMENTS_SERVER_PUBLIC_URL=ENC[AES256_GCM,data:i0nNFgcLVgJI2fU72x7z0JciE3Rld10GhOdEo3p5YlGvcA==,iv:JpXfO+VfruKjbP3pkMUYQMlX4xsfts6PQ0brUK3abzQ=,tag:Jd/laba8yfEbswP3bN/UJg==,type:str] 
+NOTESNOOK_CORS_ORIGINS=ENC[AES256_GCM,data:XF+aOoB9JjV1CaI0tdERfOO/TQNvaIVfZGEaRPgpzaWNjKNAaTDVN6ZffgVI+RD3pY5R03c2GBpWYYu7zwxyF7XF6fSmazGfI6bhKuk8+A==,iv:mR5v1V2npqwx7KMzps7RFy3u//SllTTxLWabG+b17ms=,tag:1myD72i/0zX79/TVOTWfGw==,type:str] +sops_lastmodified=2025-09-16T19:22:01Z +sops_mac=ENC[AES256_GCM,data:Nl320cxMzRHaZ0H0tfUaHb4jtZb8AadWOIEVJCFcmDA7YRofKnRkmt3xFc3cNKJj3FoDri6AflCFTSvG7FaY66FYjaQBUjz5566YHw/tng1ctHgxGjW4tyDS8NRFPEyugFm7d6QPiLAIeKSbJEGKbCfDVdQm57gptxpA2XNWc+Q=,iv:LuehCTAxGPCfnw6zg9BpqfzuJObKU6gB7MSNr51eNZI=,tag:hU0Nm1OD4V4w9nvTpQXtSA==,type:str] +sops_pgp__list_0__map_created_at=2025-09-16T19:22:00Z +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA7uy4qQr71wiAQ//dbVRD62HBACKEDwmCYgfYyKQk9RGgxBhBodXGmyFP31k\nqDms2E8+9V3QHr13mw840XcTpE8g9XL0IqQYHU3+wrNafo/hDgGPrfpw+7AtVhtk\nBv5VCeULBxkPJjWEv9Tv/T/ZDP5qKAsllaqvdw0ZliuBug6viXdq1U3GOTsIprZf\nh5TyW7Y1I3zQ4w/CmzRJVJUF1Vp6eBRFzuKndGIrjOAQrlqwhd1SyCUxrJ6LW6N6\nEmpuoOvhFvGnbRnhfNwRzDU6m6yLG8VjJeKWOHxLmeQe3DcxY+/Q4tFbWtRGtrWJ\nqoqxDw5CuqdnvlDlf3TE2REbFIoZphJNibtsMVMGNZyDY93NUmfMRCg9WGmHym2o\na76jZfQhb5voRMVsdKSqdb+jNd5WfSl5u+30JWw7m5BfvXCWpL5hECFP9qn/piDl\n2bVQVRQ10VZJp6D3S8y5zHiEuCHbYtZtUZXektKjWCJBQVYTh0c+cME6Pm6oDp8E\nQIflT+QwVtrXPCulwFbl/IMMtR+/BXFFMzmyxHc7JQfItavcEu2xWYYqV8jrymqJ\nntAYlTdop9kSdn7PxGba9YxcWvcAMSox9aMeol4IJ+IAfJXCV+MCTajrmFQeyRDb\nI2draPx8VjSC5Mf0FeXDQmnRwmkcdBdZiwuHvte2xBQyIeQi2whdq/zNvOk5RFrS\nXgErWrMWM0lAZPVk/gnDCcUhdojMTn+Pz1uwLGS201D94fADXN0nhSXstqlDO5tN\naM/XJItjToWRrRc12JYXFemNIbCTvbP6kfBvt8z4pFc9OtnvNWxbSvL7mOvWUiw=\n=2MC3\n-----END PGP MESSAGE----- +sops_pgp__list_0__map_fp=DC6910268E657FF70BA7EC289974494E76938DDC +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 diff --git a/generate-docker-swarmcd.sh b/generate-docker-swarmcd.sh index 20a56d1..25c45e6 100755 --- a/generate-docker-swarmcd.sh +++ b/generate-docker-swarmcd.sh 
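Review bot: `NOTESNOOK_APP_PUBLIC_URL` is assigned twice in this new file (the 8th and 10th lines), with different ciphertexts. Dotenv loaders typically let the last assignment win, so one of the two values is dead and a reader cannot tell which one is intended without decrypting; remove the duplicate in the plaintext copy and let the pre-commit hook re-encrypt the file.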
@@ -17,8 +17,16 @@ find docker -name 'docker-compose.yml' -print0 \ | sort \ | while read -r dir; do file="$dir/docker-compose.yml" + + # Discover env file if it exists, and add it to secret list + if [ -f "$dir/.env" ]; then + env=" sops_files:\n - $dir/.env\n" + else + env="" + fi + name=$(basename "$dir") - echo -e "$name:\n repo: homeprod\n branch: main\n compose_file: $file\n" >> "$tmpfile" + echo -e "$name:\n repo: homeprod\n branch: main\n compose_file: $file\n$env" >> "$tmpfile" done # Overwrite file on change diff --git a/infra/pve/docker.tf b/infra/pve/docker.tf index ebe861c..bd552f8 100644 --- a/infra/pve/docker.tf +++ b/infra/pve/docker.tf @@ -40,6 +40,7 @@ resource "proxmox_virtual_environment_file" "docker-machine-cloud-config" { - mkdir /app - echo "truenas.local:/mnt/fast_app_data/docker-homeprod /app nfs defaults,_netdev 0 0" >>/etc/fstab - mount -t nfs truenas.local:/mnt/fast_app_data/docker-homeprod /app + - echo "${var.sops_private_key}" | gpg --import EOF file_name = "docker-machine-cloud-config.yaml" }
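Review bot: The new `if [ -f "$dir/.env" ]` test inside the `while read -r dir` loop inspects the working tree, so it emits a `sops_files` entry for any local `.env`, whether or not it is tracked and encrypted — which is presumably how `docker/personal/paperless/.env` ended up in `.swarmcd/stacks.yaml` without the file being part of this patch. Because the post-commit hook leaves the working copy decrypted, testing for the `sops_version=` marker would not work locally, but testing whether git tracks the file does: `if git ls-files --error-unmatch -- "$dir/.env" >/dev/null 2>&1; then`. The variable name `env` is also easily confused with the `env` command; something like `sops_block` reads better. The loop's `find` pipeline begins before the hunk.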
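Review bot: The added `runcmd` line embeds `${var.sops_private_key}` verbatim in the cloud-init user-data, so the PGP private key that decrypts every `.env` in the repository is persisted in plain text in the Proxmox snippet this resource uploads, in the VM's cloud-init instance data, and in Terraform state wherever that is stored. Treat it accordingly: mark the variable `sensitive = true` if it is not already, restrict who can read the snippet storage and the state backend, and keep in mind that a compromise of this host exposes all stacks' secrets while rotating the key cannot unpublish ciphertext already in git history. If the variable holds a multi-line armored key, the bare `echo "..."` inside a YAML list item will also break the YAML unless the value is indented or single-line — worth checking against the actual variable; `gpg --batch --import` avoids any interactive prompt during boot. The `resource` block starts before the hunk.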