SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 19:51:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move secrets decryption from containers to server

Browse source
This commit is contained in:
SebastianStork 2024-09-22 19:10:52 +02:00
parent a4abd033cc
commit a7e1ced2a2
13 changed files with 58 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

21
hosts/stratus/containers/nspawn/default.nix
View file

@ -12,9 +12,12 @@ in
{
imports = lib.mapAttrsToList (name: _: ./${name}) containers;
sops.secrets = lib.mapAttrs' (
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
) containers;
sops.secrets = {
"container/tailscale-auth-key" = { };
"restic/environment" = { };
"restic/password" = { };
"healthchecks-ping-key" = { };
};
systemd.tmpfiles.rules = lib.flatten (
lib.mapAttrsToList (name: _: [
@ -44,7 +47,11 @@ in
hostBridge = "br0";
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
"/run/secrets/container/tailscale-auth-key" = { };
"/run/secrets/container/${name}" = { };
"/run/secrets/restic" = { };
"/run/secrets/healthchecks-ping-key" = { };
${dataDirOf name}.isReadOnly = false;
"/var/lib/tailscale" = {
hostPath = "/var/lib/tailscale-${name}";
@ -79,12 +86,6 @@ in
};
services.resolved.enable = true;
myConfig.sops = {
enable = true;
defaultSopsFile = ./${name}/secrets.yaml;
};
sops.secrets."tailscale-auth-key" = { };
myConfig.tailscale.enable = true;
};
}) containers;

13
hosts/stratus/containers/nspawn/forgejo/default.nix
View file

@ -4,6 +4,8 @@ let
subdomain = "git";
in
{
sops.secrets."container/forgejo/admin-password" = { };
containers.${serviceName}.config =
{
config,
@ -18,12 +20,8 @@ in
{
imports = [ ./backup.nix ];
sops.secrets."admin-password" = {
owner = userName;
group = groupName;
};
systemd.tmpfiles.rules = [
"z /run/secrets/container/forgejo/admin-password - ${userName} ${groupName} -"
"d ${dataDir}/home 750 ${userName} ${groupName} -"
"d ${dataDir}/postgresql 700 postgres postgres -"
];
@ -47,14 +45,13 @@ in
systemd.services.forgejo.preStart = ''
create="${lib.getExe config.services.forgejo.package} admin user create"
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${
config.sops.secrets."admin-password".path
})" || true
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat /run/secrets/container/forgejo/admin-password)" || true
'';
myConfig.tailscale = {
inherit subdomain;
serve = "3000";
};
};
}

35
hosts/stratus/containers/nspawn/forgejo/secrets.yaml
View file

@ -1,35 +0,0 @@
tailscale-auth-key: ENC[AES256_GCM,data:9jqpLTuBWvonEsTuzxxtgOnw4bvjQG49wu6VrxwdnrwI7VmLcTcVzotyU+Vqsmys5dTMR5JtMLkN+OOw6zg=,iv:HM819F8A2W+5oBi+QLaRW//4kPKzmqG4EQicWm9aGKc=,tag:XzFSLI4WNGmgPBiffv4rXQ==,type:str]
admin-password: ENC[AES256_GCM,data:f7rbPet7zkNQWZZ1r1zf4Yi+rBLbAypv/mxhK6d0,iv:MrMWa9tm32PIrM/k9/Qd+VsxGXjKQuqVEvZcn4bfy48=,tag:yjrgnPUWE33GMlzKVsbL+g==,type:str]
restic:
environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str]
password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejdhUzZyQ1RROGZmZUdX
UFR6NlBsbVZDMjJwM3pidi8waWNWVS9id2tnClBxQ3J6N0IwOGZ5eFZFZHU1ZEN3
YUh2c3VUd2xLa3NEdWUzdE1aOUZONFUKLS0tIHpGM1pMeUFQYytoQmdncHJWUHlz
L003dzV4Z0lTRllkVDJlSm16S1crMlUKtW70ZGOCC9iwfQ7kxzx+DT7l2qSub9Bf
VfdlHP1XHXhEw3Don3OLrzwaIzXBbfqGGtpd0rWIoxISqjguBulR9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVFCOUt0TDdOZnA1c3NZ
UDVJcUNUS3dqVmJMOVIra0tEVEJ5cjVNYnljCkcxMXF2SGJFRDVDeEFFTEh5dUdV
MkEzQXE3TjhHcUJjdXhGSHZyanpVZ1UKLS0tIERlVXNXNjV5OHdyeG5LdCtIVWNG
YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg
bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T17:47:10Z"
mac: ENC[AES256_GCM,data:SgCb2jDxUztO5PuhoHmcz9wn35f0vpGs/Qx7LJpTbfjtVNJ3UMAq1MCyZmOg2NS3kvqpiE7a32HC0Y+froLU3LgoEXwtRYdg1jrzgur5sjFgEWXKhhR3Ly2JVKJdb+L6iJH0AnoTBR0ufGdPQZ8Y4OYbrFUZ0WtI07fF4umfE2A=,iv:sU6c55msG5epdZzCdp/MFCFg6NJrtFmrBAzd4VUXysE=,tag:9H2KFubRTRnSs+G6eocbqQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

13
hosts/stratus/containers/nspawn/nextcloud/default.nix
View file

@ -4,6 +4,11 @@ let
subdomain = "cloud";
in
{
sops.secrets = {
"container/nextcloud/admin-password" = { };
"container/nextcloud/gmail-password" = { };
};
containers.${serviceName}.config =
{
config,
@ -22,12 +27,8 @@ in
./backup.nix
];
sops.secrets."admin-password" = {
owner = userName;
group = groupName;
};
systemd.tmpfiles.rules = [
"z /run/secrets/container/nextcloud/admin-password - ${userName} ${groupName} -"
"d ${dataDir}/home 750 ${userName} ${groupName} -"
"d ${dataDir}/postgresql 700 postgres postgres -"
];
@ -44,7 +45,7 @@ in
config = {
dbtype = "pgsql";
adminuser = "admin";
adminpassFile = config.sops.secrets."admin-password".path;
adminpassFile = "/run/secrets/container/nextcloud/admin-password";
};
https = true;

5
hosts/stratus/containers/nspawn/nextcloud/email-server.nix
View file

@ -1,7 +1,4 @@
{ config, ... }:
{
sops.secrets."gmail-password" = { };
services.nextcloud.settings = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
@ -16,7 +13,7 @@
port = "587";
user = "nextcloud.stork";
from = "nextcloud.stork@gmail.com";
passwordeval = "cat ${config.sops.secrets."gmail-password".path}";
passwordeval = "cat /run/secrets/container/nextcloud/gmail-password";
};
};
}

36
hosts/stratus/containers/nspawn/nextcloud/secrets.yaml
View file

@ -1,36 +0,0 @@
tailscale-auth-key: ENC[AES256_GCM,data:HLRjtK6MXLSlzEsu76mUye9V9gAD4Grxbd0UU1RySEGekG4StMeO3yo+wHYHNU2UcRdZEW4OKaZyLbRCHpg=,iv:Kbey9sU5tCqH9pnas30bns1HyTGYlAL0pR3WcVeVvrY=,tag:NiFLtMWJ1FCN+EYR/ZHrrg==,type:str]
admin-password: ENC[AES256_GCM,data:E1BSDKAeInmXTW1zuTL4LJZTtsP0Dd/Bfz20VQLV,iv:ilZgom7Ka+Wsv8Nwemb2C6j+kHovqHe7Xa5S5rzo5Zk=,tag:BYb9K8wWG9zWPuQScVJKjg==,type:str]
gmail-password: ENC[AES256_GCM,data:E3kxSudXdE4uH9qB1wVJWm+tGsc=,iv:h49oGGfNJpU6RKPPP0RKDZ3NILb9FsuWTuS82yxxe/k=,tag:mY1OREVPyWHpL1YpaNE9/w==,type:str]
restic:
environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str]
password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1
ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk
T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS
SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS
+WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha
c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM
dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1
aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T18:38:36Z"
mac: ENC[AES256_GCM,data:YJDQWeSHOuYZ5WieOJ18t0G6Lh3YFPR4RKPN+vA4gmFJp43frnwwXa70IbTcRd1hYQJfiKA5JjZ5rWKZnZOFEKoYUNDhDl39zFxLRv4h9ie6lspXI9ZnpeWfKX0KO6lE30lPVZLSwkdDg7PAntz0+Cp/eK0O2r8zrJ99VWxkJFw=,iv:QGZlAqs7UAJg5TL+qatMUzpau5iu54n86Dr0hgIMUlM=,tag:GL+NphBCkOQITXKJBY2i8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

12
hosts/stratus/containers/nspawn/paperless/default.nix
View file

@ -4,21 +4,17 @@ let
subdomain = "paper";
in
{
sops.secrets."container/paperless/admin-password" = { };
containers.${serviceName}.config =
{
config,
dataDir,
...
}:
{ dataDir, ... }:
{
imports = [ ./backup.nix ];
sops.secrets."admin-password" = { };
services.paperless = {
enable = true;
inherit dataDir;
passwordFile = config.sops.secrets."admin-password".path;
passwordFile = "/run/secrets/container/paperless/admin-password";
settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
};

35
hosts/stratus/containers/nspawn/paperless/secrets.yaml
View file

@ -1,35 +0,0 @@
tailscale-auth-key: ENC[AES256_GCM,data:qXVu6U3gcDUq0+eWAtgFn8CZja9Dc4r3z7qZoaAqDm7r8uqpZsZ7JaX3AIBeipvRrBG11IDabP5DM38D8PQ=,iv:FKf7duFw+cV1wH2fd2oDNkbuokuQxgOW0gHgR+oSc7U=,tag:1aOb8XOL61cn/ESW3I/ocQ==,type:str]
admin-password: ENC[AES256_GCM,data:cHi+UfaxyLGBxJKjV3M/4js/Nmc=,iv:zmTrC9Icy8D1Wlw0sL7lO1ft8BlXk3AsnNmUyAqANTI=,tag:pMXE0844vwbdPN0wWw6BnQ==,type:str]
restic:
environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T18:26:53Z"
mac: ENC[AES256_GCM,data:/WomZ6f0OUXtLTXRsTkugr9GQBE3Cb6b9t40BZRT0d4zq9CmYDqw9S4UZJRyB1TZFermsqZ4yjPiw4hQL/1g87ds9l9N+GOnxl/nhRZ166fl61hpe6SUEhuiFMDG3RBx0LbyYgZF8yi6gRAZOyIWPnCa6L0g1WIvcu5txbzXZ9U=,iv:gT2ik8izbHMFys0XCWotHWb+U+C243PG70Q7R6Sc9lo=,tag:3NHjEbt89aTKlK2/3oeQAg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0