Move secrets decryption from containers to server

This commit is contained in:
SebastianStork 2024-09-22 19:10:52 +02:00
parent a4abd033cc
commit a7e1ced2a2
13 changed files with 58 additions and 196 deletions


@ -12,9 +12,12 @@ in
{
imports = lib.mapAttrsToList (name: _: ./${name}) containers;
sops.secrets = lib.mapAttrs' (
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
) containers;
sops.secrets = {
"container/tailscale-auth-key" = { };
"restic/environment" = { };
"restic/password" = { };
"healthchecks-ping-key" = { };
};
systemd.tmpfiles.rules = lib.flatten (
lib.mapAttrsToList (name: _: [
@ -44,7 +47,11 @@ in
hostBridge = "br0";
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
"/run/secrets/container/tailscale-auth-key" = { };
"/run/secrets/container/${name}" = { };
"/run/secrets/restic" = { };
"/run/secrets/healthchecks-ping-key" = { };
${dataDirOf name}.isReadOnly = false;
"/var/lib/tailscale" = {
hostPath = "/var/lib/tailscale-${name}";
@ -79,12 +86,6 @@ in
};
services.resolved.enable = true;
myConfig.sops = {
enable = true;
defaultSopsFile = ./${name}/secrets.yaml;
};
sops.secrets."tailscale-auth-key" = { };
myConfig.tailscale.enable = true;
};
}) containers;
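Review bot: The bindMounts entries in the second hunk mount `/run/secrets/restic` and `/run/secrets/healthchecks-ping-key` into every container unconditionally, so the restic repository credentials and the ping key become readable from any container, and a compromise of one container exposes the backup credentials shared by all of them. The mounts keep the NixOS bindMounts default of read-only (only `${dataDirOf name}` opts out with `isReadOnly = false`), which limits this to read access, but consider gating the shared mounts on a per-container option or at least documenting the trade-off next to them, e.g. `# restic + healthchecks secrets are shared by all containers; any container can read them`. The context line `config.sops.secrets."container/${name}/ssh-key".path` still requires that secret to be declared even though the per-container `lib.mapAttrs'` declaration is dropped in the first hunk; presumably it now comes from one of the other changed files, but that is not visible here. If sops-nix exposes `/run/secrets` as a symlink to a per-generation directory, a bind mount resolved through it is fixed at container start and a secret rotation on the host will not be visible inside the container until it is restarted. The enclosing `containers` mapping starts before the first hunk.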