feat(secret): add bomba specific secrets

.sops.yaml

@@ -2,8 +2,12 @@ keys:
   - &katana age18ujjw92tm6vpcpgqqky7dzg3yvzm9nytgzeptkfhtz5jhdskcdpsgmv0vs
   - &bomba age1ynu6zhhy84rr5xqce0flp25x5tnfgskesxfe39u7ewsk900fvagq9sq0lx
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/default.sops.yaml
     key_groups:
       - age:
         - *katana
         - *bomba
+  - path_regex: secrets/bomba.sops.yaml
+    key_groups:
+      - age:
+        - *bomba

machines/bomba/default.nix

@@ -4,6 +4,7 @@
     ./configuration.nix
     ./hardware.nix
     ./networking.nix
+    ./secrets.nix
     ./services
     ./virtualisation.nix
   ];

machines/bomba/secrets.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  sops.secrets = {
+    nextcloud_password.sopsFile = ../../secrets/bomba.sops.yaml;
+  };
+}

secrets/bomba.sops.yaml

@@ -0,0 +1,16 @@
+nextcloud_password: ENC[AES256_GCM,data:lMavQvl4grki9c5AgaKE8Q==,iv:jJ0/Wka5/2TBD4C739HBeiVzxujWC4WL6FDLqov6FVA=,tag:1skCLwSr6VSzZWthtzaxwg==,type:str]
+sops:
+    age:
+        - recipient: age1ynu6zhhy84rr5xqce0flp25x5tnfgskesxfe39u7ewsk900fvagq9sq0lx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsOC9xeExzN2VzT2NmZS9I
+            TEVxamNYOWZDWUJvYnpjL2JpMHJRbTlOV1Y4CmFGaXhEd0pRWU1tRTBMdDVPU2Fr
+            RVRrNkpCa3VNUWd0dzFDR004M005d1kKLS0tIDUxSUYzTkJLK3Y0dVNkVGNqTmxT
+            YjVvSDV1TGExYUJGUk00MTF4bXNFVTQKG/GueSmnuA23L42X6AvAWZgBbJuCGLw1
+            ZQ17gIIOjhKHlGx8Lo5t/PekzFyQKCKdijS7caq74dVib1vO3tk+uQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-13T07:59:07Z"
+    mac: ENC[AES256_GCM,data:xJWtKkpQuAPXcToLfWuEshInHIBG59uKoQAh3+SmKu/UAkvMDNywMZbBhrxn/cF/xo8TKkaPxd4luXsdw+Z0YvVezn43jKNyXsIrUNtd5hMlE4hbAuAf/ifb3t2AVg1s/R6GZWMZvc0rmSePTWyowHgceaxTqHPr6vvHEVHt0oM=,iv:UXYUS/sn1+TcUOAWAQC1y+TtDIayNez6ssYh+Qt5AmI=,tag:YgWujpGrzwtjnEsLoKm3ig==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1