fix: isolate secret

configurations/nixos/observer-tofu/default.nix

@@ -0,0 +1,41 @@
+{
+  flake,
+  modulesPath,
+  # config,
+  ...
+}:
+
+let
+  inherit (flake) inputs;
+  inherit (inputs) self;
+in
+{
+  imports = [
+    self.nixosModules.default
+    "${modulesPath}/virtualisation/lxc-container.nix"
+  ];
+  services = {
+    tty-ips.enable = true;
+    uptime-kuma = {
+      enable = true;
+      settings = {
+        DATA_DIR = "/var/lib/uptime-kuma/";
+        UPTIME_KUMA_HOST = "127.0.0.1";
+        PORT = "3001";
+      };
+    };
+  };
+  networking = {
+    firewall.enable = false;
+    yggdrasil = {
+      enable = true;
+      AllowedPublicKeys = [
+        "d0e265fcf663451ae9bc048dc1297749819ce9d48042a986f2866c15a779a074"
+      ];
+    };
+    hostName = "observer-tofu";
+  };
+  environment.systemPackages = [
+  ];
+  system.stateVersion = "25.05";
+}

configurations/nixos/tofu/default.nix

@@ -16,6 +16,14 @@ in
     self.nixosModules.default
     "${modulesPath}/virtualisation/lxc-container.nix"
   ];
+  sops.secrets = {
+    otfenv = {
+      owner = "otf";
+      group = "otf";
+      mode = "0550";
+    };
+  };
+
   services = {
     tty-ips.enable = true;
     otf = {

modules/nixos/common/sops.nix

@@ -11,12 +11,6 @@
   ];
   sops = {
     defaultSopsFile = ../../../secrets.yaml;
-    secrets = {
-      otfenv = {
-        owner = "otf";
-        group = "otf";
-        mode = "0550";
-      };
-    };
+
   };
 }