diff --git a/.sops.yaml b/.sops.yaml index a45dd9a..6def226 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,11 +6,6 @@ keys: - &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv - &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp - # Containers - - &forgejo age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n - - &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr - - &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh - # Users - &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf - &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz @@ -33,23 +28,6 @@ creation_rules: - *admin - *stratus - # Containers - - path_regex: hosts/stratus/containers/nspawn/forgejo/secrets.yaml$ - key_groups: - - age: - - *admin - - *forgejo - - path_regex: hosts/stratus/containers/nspawn/nextcloud/secrets.yaml$ - key_groups: - - age: - - *admin - - *nextcloud - - path_regex: hosts/stratus/containers/nspawn/paperless/secrets.yaml$ - key_groups: - - age: - - *admin - - *paperless - # Users - path_regex: users/seb/@north/secrets.yaml$ key_groups: diff --git a/hosts/stratus/containers/docker/default.nix b/hosts/stratus/containers/docker/default.nix index e650e58..4b520ac 100644 --- a/hosts/stratus/containers/docker/default.nix +++ b/hosts/stratus/containers/docker/default.nix @@ -5,9 +5,7 @@ in { imports = lib.mapAttrsToList (name: _: ./${name}) containers; - sops.secrets = lib.mapAttrs' ( - name: _: lib.nameValuePair "container/${name}/tailscale-auth-key" { } - ) containers; + sops.secrets."container/tailscale-auth-key" = { }; virtualisation.oci-containers = { backend = "docker"; 
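Review bot: `sops.secrets."container/tailscale-auth-key" = { };` replaces the per-container keys with one key shared by every docker sidecar, and nspawn/default.nix in this same commit mounts the same secret into every nspawn container, so a compromise of any single container exposes a credential that can enroll further nodes, and rotating it means touching every container at once. Nothing in the hunk records that the key must now be reusable (a one-off key would authenticate only the first container to start) or how it is scoped; a comment next to the declaration, `# Shared by every container sidecar: must be a reusable auth key, ideally tagged and short-lived so a leak from one container cannot enroll arbitrary nodes`, would make that explicit. If the tailnet permits it, keeping per-container keys (the removed `lib.mapAttrs'` form) bounds the blast radius better than a single shared key.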
@@ -23,7 +21,7 @@ in }; environmentFiles = [ # Contains "TS_AUTHKEY=" - config.sops.secrets."container/${name}/tailscale-auth-key".path + config.sops.secrets."container/tailscale-auth-key".path ]; volumes = [ "/var/lib/tailscale-${name}:/var/lib/tailscale" ]; extraOptions = [ "--network=container:${name}" ]; diff --git a/hosts/stratus/containers/nspawn/default.nix b/hosts/stratus/containers/nspawn/default.nix index 0dc7563..9e881bc 100644 --- a/hosts/stratus/containers/nspawn/default.nix +++ b/hosts/stratus/containers/nspawn/default.nix @@ -12,9 +12,12 @@ in { imports = lib.mapAttrsToList (name: _: ./${name}) containers; - sops.secrets = lib.mapAttrs' ( - name: _: lib.nameValuePair "container/${name}/ssh-key" { } - ) containers; + sops.secrets = { + "container/tailscale-auth-key" = { }; + "restic/environment" = { }; + "restic/password" = { }; + "healthchecks-ping-key" = { }; + }; systemd.tmpfiles.rules = lib.flatten ( lib.mapAttrsToList (name: _: [ @@ -44,7 +47,11 @@ in hostBridge = "br0"; bindMounts = { - "/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path; + "/run/secrets/container/tailscale-auth-key" = { }; + "/run/secrets/container/${name}" = { }; + "/run/secrets/restic" = { }; + "/run/secrets/healthchecks-ping-key" = { }; + ${dataDirOf name}.isReadOnly = false; "/var/lib/tailscale" = { hostPath = "/var/lib/tailscale-${name}"; @@ -79,12 +86,6 @@ in }; services.resolved.enable = true; - myConfig.sops = { - enable = true; - defaultSopsFile = ./${name}/secrets.yaml; - }; - - sops.secrets."tailscale-auth-key" = { }; myConfig.tailscale.enable = true; }; }) containers; diff --git a/hosts/stratus/containers/nspawn/forgejo/default.nix b/hosts/stratus/containers/nspawn/forgejo/default.nix index a80dad0..757bf49 100644 --- a/hosts/stratus/containers/nspawn/forgejo/default.nix +++ b/hosts/stratus/containers/nspawn/forgejo/default.nix 
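Review bot: The new `bindMounts` hand every nspawn container the host's `/run/secrets/restic` (the restic environment and repository password) and `/run/secrets/healthchecks-ping-key` unconditionally, so root in any container (assuming no user namespacing, since the mounts carry host uid/gid) can read the backup credentials used for all repositories rather than only its own; gating those two mounts on the container actually enabling a backup would limit what one compromised container reaches. `"/run/secrets/container/${name}" = { };` also assumes the host declares at least one `container/<name>/*` secret for every container; for one that declares none the host path will not exist, which I would expect to make the container fail to start, so it deserves a comment or an `lib.optionalAttrs` guard. Dropping the `/etc/ssh/ssh_host_ed25519_key` mount means a container that runs sshd now gets a host key generated inside the container, which changes whenever its /etc is recreated — if that is intended, a comment saying the pinned key was only needed for in-container sops decryption would help. The enclosing per-container definition (closed by `}) containers;` in the next hunk) continues outside this hunk.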
@@ -4,6 +4,8 @@ let subdomain = "git"; in { + sops.secrets."container/forgejo/admin-password" = { }; + containers.${serviceName}.config = { config, @@ -18,12 +20,8 @@ in { imports = [ ./backup.nix ]; - sops.secrets."admin-password" = { - owner = userName; - group = groupName; - }; - systemd.tmpfiles.rules = [ + "z /run/secrets/container/forgejo/admin-password - ${userName} ${groupName} -" "d ${dataDir}/home 750 ${userName} ${groupName} -" "d ${dataDir}/postgresql 700 postgres postgres -" ]; @@ -47,14 +45,13 @@ in systemd.services.forgejo.preStart = '' create="${lib.getExe config.services.forgejo.package} admin user create" - $create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${ - config.sops.secrets."admin-password".path - })" || true + $create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat /run/secrets/container/forgejo/admin-password)" || true ''; myConfig.tailscale = { inherit subdomain; serve = "3000"; + }; }; } diff --git a/hosts/stratus/containers/nspawn/forgejo/secrets.yaml b/hosts/stratus/containers/nspawn/forgejo/secrets.yaml deleted file mode 100644 index 2e900e1..0000000 --- a/hosts/stratus/containers/nspawn/forgejo/secrets.yaml +++ /dev/null 
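Review bot: The new tmpfiles rule `z /run/secrets/container/forgejo/admin-password - ${userName} ${groupName} -` cannot take effect: the path is a bind mount from the host (nspawn/default.nix, `"/run/secrets/container/${name}" = { };`), and the nspawn module's bind mounts are read-only unless `isReadOnly = false` is set — which this commit sets only for `${dataDirOf name}` — so the chown fails with a read-only-filesystem error and the file keeps whatever the host gave it (sops-nix's default is root-owned, mode 0400). The `owner`/`group` that the removed `sops.secrets."admin-password"` block provided therefore has no replacement and the forgejo user may no longer be able to read the password; nextcloud/default.nix uses the same `z` rule for its admin-password, and nextcloud/email-server.nix's gmail-password has no ownership handling at all. Ownership has to be established where the file is created, i.e. on the host-side declaration, e.g. `sops.secrets."container/forgejo/admin-password" = { mode = "0440"; group = "<host group whose gid matches the container's ${groupName}>"; };`, since the bind mount carries host uid/gid into the container. If the `z` rule was verified to work (for instance because the service reads the file as root), a comment explaining why it succeeds on a read-only mount would save the next reader the same question.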
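Review bot: After `serve = "3000";` the hunk adds a closing `};` without removing or adding any matching opener (the counts are -14/+13 and the trailing context still ends `}; }` as before), so as rendered the braces no longer balance; if this is not an artefact of the collapsed diff, the file will not parse. The rewritten `$create ... --password "$(cat /run/secrets/container/forgejo/admin-password)" || true` keeps two pre-existing weaknesses worth a comment now that the line is touched: the password travels on the process command line, so it is visible to other users in the container for the duration of the call, and `|| true` hides a failed read of the secret (the likely failure given the ownership question in the previous hunk) as well as the intended "user already exists" case. A `# tolerate "user already exists" on re-runs` comment on the `|| true` is the minimum; testing that the secret file is readable before invoking `$create` would fail loudly instead of silently skipping admin creation.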
@@ -1,35 +0,0 @@ -tailscale-auth-key: ENC[AES256_GCM,data:9jqpLTuBWvonEsTuzxxtgOnw4bvjQG49wu6VrxwdnrwI7VmLcTcVzotyU+Vqsmys5dTMR5JtMLkN+OOw6zg=,iv:HM819F8A2W+5oBi+QLaRW//4kPKzmqG4EQicWm9aGKc=,tag:XzFSLI4WNGmgPBiffv4rXQ==,type:str] -admin-password: ENC[AES256_GCM,data:f7rbPet7zkNQWZZ1r1zf4Yi+rBLbAypv/mxhK6d0,iv:MrMWa9tm32PIrM/k9/Qd+VsxGXjKQuqVEvZcn4bfy48=,tag:yjrgnPUWE33GMlzKVsbL+g==,type:str] -restic: - environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str] - password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str] -healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejdhUzZyQ1RROGZmZUdX - UFR6NlBsbVZDMjJwM3pidi8waWNWVS9id2tnClBxQ3J6N0IwOGZ5eFZFZHU1ZEN3 - YUh2c3VUd2xLa3NEdWUzdE1aOUZONFUKLS0tIHpGM1pMeUFQYytoQmdncHJWUHlz - L003dzV4Z0lTRllkVDJlSm16S1crMlUKtW70ZGOCC9iwfQ7kxzx+DT7l2qSub9Bf - VfdlHP1XHXhEw3Don3OLrzwaIzXBbfqGGtpd0rWIoxISqjguBulR9g== - -----END AGE ENCRYPTED FILE----- - - recipient: age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVFCOUt0TDdOZnA1c3NZ - UDVJcUNUS3dqVmJMOVIra0tEVEJ5cjVNYnljCkcxMXF2SGJFRDVDeEFFTEh5dUdV - MkEzQXE3TjhHcUJjdXhGSHZyanpVZ1UKLS0tIERlVXNXNjV5OHdyeG5LdCtIVWNG - YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg - bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw== - -----END 
AGE ENCRYPTED FILE----- - lastmodified: "2024-09-18T17:47:10Z" - mac: ENC[AES256_GCM,data:SgCb2jDxUztO5PuhoHmcz9wn35f0vpGs/Qx7LJpTbfjtVNJ3UMAq1MCyZmOg2NS3kvqpiE7a32HC0Y+froLU3LgoEXwtRYdg1jrzgur5sjFgEWXKhhR3Ly2JVKJdb+L6iJH0AnoTBR0ufGdPQZ8Y4OYbrFUZ0WtI07fF4umfE2A=,iv:sU6c55msG5epdZzCdp/MFCFg6NJrtFmrBAzd4VUXysE=,tag:9H2KFubRTRnSs+G6eocbqQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/hosts/stratus/containers/nspawn/nextcloud/default.nix b/hosts/stratus/containers/nspawn/nextcloud/default.nix index 1a685f0..dfa8681 100644 --- a/hosts/stratus/containers/nspawn/nextcloud/default.nix +++ b/hosts/stratus/containers/nspawn/nextcloud/default.nix @@ -4,6 +4,11 @@ let subdomain = "cloud"; in { + sops.secrets = { + "container/nextcloud/admin-password" = { }; + "container/nextcloud/gmail-password" = { }; + }; + containers.${serviceName}.config = { config, @@ -22,12 +27,8 @@ in ./backup.nix ]; - sops.secrets."admin-password" = { - owner = userName; - group = groupName; - }; - systemd.tmpfiles.rules = [ + "z /run/secrets/container/nextcloud/admin-password - ${userName} ${groupName} -" "d ${dataDir}/home 750 ${userName} ${groupName} -" "d ${dataDir}/postgresql 700 postgres postgres -" ]; @@ -44,7 +45,7 @@ in config = { dbtype = "pgsql"; adminuser = "admin"; - adminpassFile = config.sops.secrets."admin-password".path; + adminpassFile = "/run/secrets/container/nextcloud/admin-password"; }; https = true; diff --git a/hosts/stratus/containers/nspawn/nextcloud/email-server.nix b/hosts/stratus/containers/nspawn/nextcloud/email-server.nix index 604a7ef..16c4380 100644 --- a/hosts/stratus/containers/nspawn/nextcloud/email-server.nix +++ b/hosts/stratus/containers/nspawn/nextcloud/email-server.nix @@ -1,7 +1,4 @@ -{ config, ... }: { - sops.secrets."gmail-password" = { }; - services.nextcloud.settings = { mail_smtpmode = "sendmail"; mail_sendmailmode = "pipe"; 
@@ -16,7 +13,7 @@ port = "587"; user = "nextcloud.stork"; from = "nextcloud.stork@gmail.com"; - passwordeval = "cat ${config.sops.secrets."gmail-password".path}"; + passwordeval = "cat /run/secrets/container/nextcloud/gmail-password"; }; }; } diff --git a/hosts/stratus/containers/nspawn/nextcloud/secrets.yaml b/hosts/stratus/containers/nspawn/nextcloud/secrets.yaml deleted file mode 100644 index 29973c8..0000000 --- a/hosts/stratus/containers/nspawn/nextcloud/secrets.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -tailscale-auth-key: ENC[AES256_GCM,data:HLRjtK6MXLSlzEsu76mUye9V9gAD4Grxbd0UU1RySEGekG4StMeO3yo+wHYHNU2UcRdZEW4OKaZyLbRCHpg=,iv:Kbey9sU5tCqH9pnas30bns1HyTGYlAL0pR3WcVeVvrY=,tag:NiFLtMWJ1FCN+EYR/ZHrrg==,type:str] -admin-password: ENC[AES256_GCM,data:E1BSDKAeInmXTW1zuTL4LJZTtsP0Dd/Bfz20VQLV,iv:ilZgom7Ka+Wsv8Nwemb2C6j+kHovqHe7Xa5S5rzo5Zk=,tag:BYb9K8wWG9zWPuQScVJKjg==,type:str] -gmail-password: ENC[AES256_GCM,data:E3kxSudXdE4uH9qB1wVJWm+tGsc=,iv:h49oGGfNJpU6RKPPP0RKDZ3NILb9FsuWTuS82yxxe/k=,tag:mY1OREVPyWHpL1YpaNE9/w==,type:str] -restic: - environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str] - password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str] -healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1 - ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk - T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS - SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS - +WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha - c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM - 
dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1 - aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP - xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-18T18:38:36Z" - mac: ENC[AES256_GCM,data:YJDQWeSHOuYZ5WieOJ18t0G6Lh3YFPR4RKPN+vA4gmFJp43frnwwXa70IbTcRd1hYQJfiKA5JjZ5rWKZnZOFEKoYUNDhDl39zFxLRv4h9ie6lspXI9ZnpeWfKX0KO6lE30lPVZLSwkdDg7PAntz0+Cp/eK0O2r8zrJ99VWxkJFw=,iv:QGZlAqs7UAJg5TL+qatMUzpau5iu54n86Dr0hgIMUlM=,tag:GL+NphBCkOQITXKJBY2i8g==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/hosts/stratus/containers/nspawn/paperless/default.nix b/hosts/stratus/containers/nspawn/paperless/default.nix index 297ecfb..1f5060f 100644 --- a/hosts/stratus/containers/nspawn/paperless/default.nix +++ b/hosts/stratus/containers/nspawn/paperless/default.nix @@ -4,21 +4,17 @@ let subdomain = "paper"; in { + sops.secrets."container/paperless/admin-password" = { }; + containers.${serviceName}.config = - { - config, - dataDir, - ... - }: + { dataDir, ... }: { imports = [ ./backup.nix ]; - sops.secrets."admin-password" = { }; - services.paperless = { enable = true; inherit dataDir; - passwordFile = config.sops.secrets."admin-password".path; + passwordFile = "/run/secrets/container/paperless/admin-password"; settings.PAPERLESS_OCR_LANGUAGE = "deu+eng"; }; diff --git a/hosts/stratus/containers/nspawn/paperless/secrets.yaml b/hosts/stratus/containers/nspawn/paperless/secrets.yaml deleted file mode 100644 index 6ae40f0..0000000 --- a/hosts/stratus/containers/nspawn/paperless/secrets.yaml +++ /dev/null 
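Review bot: `passwordFile = "/run/secrets/container/paperless/admin-password"` and the new host-side `sops.secrets."container/paperless/admin-password"` spell the same secret name twice as literals, so a rename on either side breaks the other silently (forgejo/default.nix and nextcloud/default.nix repeat the pattern). A single binding in the existing `let`, `adminPassword = "container/paperless/admin-password";`, used as `sops.secrets.${adminPassword} = { };` and `passwordFile = "/run/secrets/${adminPassword}";`, keeps the two in sync. Unlike forgejo and nextcloud this module adds no ownership rule for the file, which matches the previous root-owned `sops.secrets."admin-password" = { };`; a one-line comment recording which user reads `passwordFile` would make that deliberate rather than an omission.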
@@ -1,35 +0,0 @@ -tailscale-auth-key: ENC[AES256_GCM,data:qXVu6U3gcDUq0+eWAtgFn8CZja9Dc4r3z7qZoaAqDm7r8uqpZsZ7JaX3AIBeipvRrBG11IDabP5DM38D8PQ=,iv:FKf7duFw+cV1wH2fd2oDNkbuokuQxgOW0gHgR+oSc7U=,tag:1aOb8XOL61cn/ESW3I/ocQ==,type:str] -admin-password: ENC[AES256_GCM,data:cHi+UfaxyLGBxJKjV3M/4js/Nmc=,iv:zmTrC9Icy8D1Wlw0sL7lO1ft8BlXk3AsnNmUyAqANTI=,tag:pMXE0844vwbdPN0wWw6BnQ==,type:str] -restic: - environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str] - password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str] -healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts - WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK - WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT - dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I - 8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj - UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF - VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs - cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF - tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w== - -----END AGE ENCRYPTED FILE----- 
- lastmodified: "2024-09-18T18:26:53Z" - mac: ENC[AES256_GCM,data:/WomZ6f0OUXtLTXRsTkugr9GQBE3Cb6b9t40BZRT0d4zq9CmYDqw9S4UZJRyB1TZFermsqZ4yjPiw4hQL/1g87ds9l9N+GOnxl/nhRZ166fl61hpe6SUEhuiFMDG3RBx0LbyYgZF8yi6gRAZOyIWPnCa6L0g1WIvcu5txbzXZ9U=,iv:gT2ik8izbHMFys0XCWotHWb+U+C243PG70Q7R6Sc9lo=,tag:3NHjEbt89aTKlK2/3oeQAg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/hosts/stratus/secrets.yaml b/hosts/stratus/secrets.yaml index b50cd83..a0a375d 100644 --- a/hosts/stratus/secrets.yaml +++ b/hosts/stratus/secrets.yaml 
@@ -1,23 +1,20 @@ seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:vwFTBVQr7T8/Wrc3jOCF3TeQhuEpFyJ0M9yES2g+hSmoc4kraq+QfXmpbz9ciw5dk3mZoZycZFPKU2HJig==,iv:1Ca6tOhQNRw3jxnl3+IoKSJpRuy4jHy9HC/Dj2xOsmQ=,tag:ZqZPqBOF5GZoRLLO1Iq2Iw==,type:str] +container: + tailscale-auth-key: ENC[AES256_GCM,data:bGWXOYfbHeG4Qy1ZOfKFEZeMI+H65zp7Frqt3MnGx2JnoVWD/Ih73XG4Nj+EfzZVrq4zWGhx0G5H6LKkUQ==,iv:L0KqAxsGuRZcRPzypG/hLo5zSCELNlLK+TEcX+NpMS8=,tag:Af04U0pHJSiiaebgS73ySg==,type:str] + onlyoffice: + jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str] + forgejo: + admin-password: ENC[AES256_GCM,data:vwFxyLQkU2rzkkgQX7ACEeVHLVbrci9kPUk9L4yD,iv:2gmdO1dImo3fZWRaO3oyt3/IfD3zscHwxgv0iwgAMgQ=,tag:fu1ZYeG183nJH18DqVmTtQ==,type:str] + nextcloud: + admin-password: ENC[AES256_GCM,data:SJxRKv+i+WK8u8f3kqlaxmTqOxmQ7510E9sEpyXV,iv:4Nja7A+VyPPBiJP42fhDTWe93MmBo4/X8IMTR5PGo3s=,tag:Z32bryhJ73IA9ig53epVzQ==,type:str] + gmail-password: ENC[AES256_GCM,data:dL1Kag8U5UoNbLOHNbu6dpdJ0GQ=,iv:5oVZRC/L9//pA/vqlk79WNoAdHO+c8CVhywYFRC15eA=,tag:67zXXYMYW7FKR521NM6sYA==,type:str] + paperless: + admin-password: ENC[AES256_GCM,data:NtQGomRO2uGW+kVybFhIwPvbXWE=,iv:rfPMMiCCYxgQa5k+9RWRKpIkkLWamzBg1cIrsGun9G8=,tag:ltgfGSI4FqUnTGULs+p2cA==,type:str] restic: environment: ENC[AES256_GCM,data:f6on7t1no/jPtnxQ6b7CYd1YyrdRyhuPa2H0z8ytGeCb4aIIrPDvKBjEUx8fvUKNk00Nf8Z2Vi+ZmuSz0gMHA7nQTvPhejU0VZvNT0X1AmUhahehDz4m0cylM8ZmtXklWl4=,iv:+ohpmCKu/KIEn4gcBn3hNDTF7qybQAe3uDWiQ8GAIVw=,tag:5FSZXr7t1VEC8xnlQrVyyQ==,type:str] password: ENC[AES256_GCM,data:ERm1OwndSGhT7aTUyBW5E0z2l9gQhGy6LQbi+rDv,iv:XPPs61l6KWGA06uhRZid6rAgNfbHtcJWYjrD5QJrnlI=,tag:AmAdsNRqtjvGmQ0G44s9Fw==,type:str] healthchecks-ping-key: 
ENC[AES256_GCM,data:F7XBp/zPuIxnIEmQX3+BHDPO0VBwJQ==,iv:c+/jK+4SiCby3yKdjXq69PEyfCOhua9quGCj7OK0Nhc=,tag:sjIAAuk8DY9VFHy0/p60WQ==,type:str] -container: - actualbudget: - tailscale-auth-key: ENC[AES256_GCM,data:n6sxwHbhKyvk1gubSIg6qXyDONob2LJOWOUCvLwmZDe3tCVxkq62vwfgiqAA5is2HEaLi72JdgdYMFQNoggwEnZ5X1YcS8WC,iv:0rJJiL+T9y45nZqRqpMobP1XmVYHeLfZei7jQoofMLE=,tag:RKPj2JwBlhNMvYH27lGsaQ==,type:str] - onlyoffice: - tailscale-auth-key: ENC[AES256_GCM,data:nxNiy9AKzspdPx3OfdT1WFjO+De1k9xHMaITZZ0y/gYCj6hsOnF9cOq1A+YV5N/zYB5RbPd9Hg77kLwfPeHYgnJklNbVMNfs,iv:ruk+riD2BVlv+gTsRDBhMB7+trvxioq7M8rUlyrG2fk=,tag:RCtXHI16EWOnl+cljqQyxg==,type:str] - jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str] - stirling-pdf: - tailscale-auth-key: ENC[AES256_GCM,data:7V+9/D60QxsxRxGMLtgGBqrha7OEx3T7jxUmw9MOuA8l9fxqiqsbneAXRJeTfcY1acafmfweOcwcF6y+/2znQdKHEk/HSrGO,iv:eSpyPUkpOC66mT40siVJ2FcE1pDML+3q1Jpt/Zzoaac=,tag:8EuaXQV0n1VoO95O9wr3PA==,type:str] - forgejo: - ssh-key: ENC[AES256_GCM,data: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,iv:fgUklpj946AqYe5hh3gwII4CUoUXsrrk3cW2TVugm0c=,tag:ypVvK3K/lSunq2g/LFIWRA==,type:str] - nextcloud: - ssh-key: ENC[AES256_GCM,data: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,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str] - paperless: - ssh-key: ENC[AES256_GCM,data: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,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str] sops: kms: [] gcp_kms: [] 
@@ -42,8 +39,8 @@ sops: aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-20T22:17:19Z" - mac: ENC[AES256_GCM,data:PCZldOy6JE6qqJ2NcdXzhFjTEezH1k7UZWNng/s+FGMRH1qtDZRHbXDtZ5oX/0pY+a6LafZpdi20YozrrZGZzSJKxC3m/p9NTR09PpuunNqzNQ7kRQnQklkiD/pirIHj6c7Fp+c6se0f3odurd/kwPtPHeGs7xT/qgxkI98alRE=,iv:lIvE0p+kqfSUzkbS4Tt+PEuQLKVjt5sELc0PfVrUunY=,tag:tcp14+fRxBqpbQzSn5r+uA==,type:str] + lastmodified: "2024-09-22T15:20:15Z" + mac: ENC[AES256_GCM,data:vnajGY3wqVFm6i9GwmCklse4o8Q9wQxvFlA3hayLmuqLbDBPkycnx8nTr0xnJzp/HXcTpPMa8CyBpCcL5MAWlAa1ClmgT26MHt0kEGGHZOe7ph8KJSIIja8GiRI/Ik4HL8bGsUyv1P/SWsxXf41sqNAAAMDm0djkYMsf76HsBko=,iv:u0wYU6WDh9Msl7jfFdrTwAYq7h1JPKbKU1cax3A/EHA=,tag:ewSDASC024Hee6eDoZ+MoA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/modules/system/restic-backup.nix b/modules/system/restic-backup.nix index 33c6236..cc1c954 100644 --- a/modules/system/restic-backup.nix +++ b/modules/system/restic-backup.nix @@ -6,6 +6,8 @@ }: let cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup; + + healthchecksEnable = (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }; in { options.myConfig.resticBackup = lib.mkOption { @@ -35,7 +37,7 @@ in users.groups.backup.members = lib.mapAttrsToList (_: value: value.user) cfg; - sops.secrets = + sops.secrets = lib.optionalAttrs config.myConfig.sops.enable ( let resticPermissions = { mode = "440"; @@ -45,11 +47,9 @@ in { "restic/environment" = resticPermissions; "restic/password" = resticPermissions; - - "healthchecks-ping-key" = lib.mkIf ( - (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { } - ) resticPermissions; - }; + "healthchecks-ping-key" = lib.mkIf healthchecksEnable resticPermissions; + } + ); services.restic.backups = lib.mapAttrs ( name: value: 
@@ -57,8 +57,9 @@ in inherit (value) user; initialize = true; repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}"; - environmentFile = config.sops.secrets."restic/environment".path; - passwordFile = config.sops.secrets."restic/password".path; + environmentFile = + config.sops.secrets."restic/environment".path or "/run/secrets/restic/environment"; + passwordFile = config.sops.secrets."restic/password".path or "/run/secrets/restic/password"; pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" @@ -79,14 +80,14 @@ in } ) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg)) - (lib.mkIf ((lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }) { + (lib.mkIf healthchecksEnable { "healthcheck-ping@" = { description = "Pings healthcheck (%i)"; serviceConfig.Type = "oneshot"; scriptArgs = "%i"; script = '' ${lib.getExe pkgs.curl} -fsS -m 10 --retry 5 https://hc-ping.com/$(cat ${ - config.sops.secrets."healthchecks-ping-key".path + config.sops.secrets."healthchecks-ping-key".path or "/run/secrets/healthchecks-ping-key" })/$(echo $1 | tr _ /) ''; }; diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index 2cae16c..f3576fd 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -23,11 +23,13 @@ in }; config = lib.mkIf cfg.enable { - sops.secrets."tailscale-auth-key" = { }; + sops.secrets = lib.optionalAttrs config.myConfig.sops.enable { + "tailscale-auth-key" = { }; + }; services.tailscale = { enable = true; - authKeyFile = config.sops.secrets."tailscale-auth-key".path; + authKeyFile = config.sops.secrets."tailscale-auth-key".path or "/run/secrets/tailscale-auth-key"; openFirewall = true; useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client"; extraUpFlags = [ "--reset=true" ];
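Review bot: The `or "/run/secrets/restic/environment"` fallbacks (here, for the ping key in the next hunk, and in tailscale.nix) silently switch to a path this module neither creates nor checks, and when sops is disabled the `resticPermissions` (`mode = "440"`, presumably readable by the `backup` group that `users.groups.backup.members` populates) are not applied either — with the host bind mount the files keep the host's uid/gid, so the fallback only works if the container's `backup` gid matches the host's. That assumption belongs next to the fallback, e.g. `# sops disabled (nspawn container): the host bind-mounts its decrypted secrets here with host ownership; the backup group gid must match the host's`. The repetition could be folded into one helper in the `let`, `secretPath = name: config.sops.secrets.${name}.path or "/run/secrets/${name}";`, used as `environmentFile = secretPath "restic/environment";` and `passwordFile = secretPath "restic/password";`. The enclosing `services.restic.backups` mapping starts before this hunk.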
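Review bot: The fallback `"/run/secrets/tailscale-auth-key"` does not match where this commit places the key inside nspawn containers: nspawn/default.nix bind-mounts it at `/run/secrets/container/tailscale-auth-key` and no longer enables `myConfig.sops` in the container, so `config.sops.secrets."tailscale-auth-key"` is undefined there and `authKeyFile` ends up pointing at a path nothing creates (unless something outside this diff links the two). Either mount it where the module looks, in nspawn/default.nix `"/run/secrets/tailscale-auth-key".hostPath = config.sops.secrets."container/tailscale-auth-key".path;`, or derive the fallback from the declared secret name instead of a second hard-coded path. A comment on the fallback naming the deployment it serves, `# nspawn containers: key is bind-mounted from the host and sops is disabled there`, would also help. The `config = lib.mkIf cfg.enable { ... }` block continues past the end of this hunk.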