Move secrets decryption from containers to server

SebastianStork 2024-09-22 19:10:52 +02:00
parent a4abd033cc
commit a7e1ced2a2
13 changed files with 58 additions and 196 deletions


@ -4,6 +4,8 @@ let
subdomain = "git";
in
{
sops.secrets."container/forgejo/admin-password" = { };
containers.${serviceName}.config =
{
config,
@ -18,12 +20,8 @@ in
{
imports = [ ./backup.nix ];
sops.secrets."admin-password" = {
owner = userName;
group = groupName;
};
systemd.tmpfiles.rules = [
"z /run/secrets/container/forgejo/admin-password - ${userName} ${groupName} -"
"d ${dataDir}/home 750 ${userName} ${groupName} -"
"d ${dataDir}/postgresql 700 postgres postgres -"
];
@ -47,14 +45,13 @@ in
systemd.services.forgejo.preStart = ''
create="${lib.getExe config.services.forgejo.package} admin user create"
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${
config.sops.secrets."admin-password".path
})" || true
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat /run/secrets/container/forgejo/admin-password)" || true
'';
myConfig.tailscale = {
inherit subdomain;
serve = "3000";
};
};
}
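Review bot: The secret path `/run/secrets/container/forgejo/admin-password` is now a string literal in both the tmpfiles `z` rule and the `preStart` script, and nothing in this section ties it to the host declaration `sops.secrets."container/forgejo/admin-password"`. If the file is missing or unreadable inside the container, `$(cat …)` expands to an empty string and `|| true` hides the resulting failure; define the path once in the `let` block (for example `adminPasswordFile = "/run/secrets/container/forgejo/admin-password";`) and begin `preStart` with `test -r ${adminPasswordFile} || exit 1`. The password is also still passed through `--password` on the command line, where it is visible in the process argument list while the command runs. How `/run/secrets` reaches the container is not shown in this section; if the whole directory is bind-mounted, every container can read every host secret, so mounting only this one file would preserve the isolation that per-container decryption gave.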


@ -1,35 +0,0 @@
tailscale-auth-key: ENC[AES256_GCM,data:9jqpLTuBWvonEsTuzxxtgOnw4bvjQG49wu6VrxwdnrwI7VmLcTcVzotyU+Vqsmys5dTMR5JtMLkN+OOw6zg=,iv:HM819F8A2W+5oBi+QLaRW//4kPKzmqG4EQicWm9aGKc=,tag:XzFSLI4WNGmgPBiffv4rXQ==,type:str]
admin-password: ENC[AES256_GCM,data:f7rbPet7zkNQWZZ1r1zf4Yi+rBLbAypv/mxhK6d0,iv:MrMWa9tm32PIrM/k9/Qd+VsxGXjKQuqVEvZcn4bfy48=,tag:yjrgnPUWE33GMlzKVsbL+g==,type:str]
restic:
environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str]
password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejdhUzZyQ1RROGZmZUdX
UFR6NlBsbVZDMjJwM3pidi8waWNWVS9id2tnClBxQ3J6N0IwOGZ5eFZFZHU1ZEN3
YUh2c3VUd2xLa3NEdWUzdE1aOUZONFUKLS0tIHpGM1pMeUFQYytoQmdncHJWUHlz
L003dzV4Z0lTRllkVDJlSm16S1crMlUKtW70ZGOCC9iwfQ7kxzx+DT7l2qSub9Bf
VfdlHP1XHXhEw3Don3OLrzwaIzXBbfqGGtpd0rWIoxISqjguBulR9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVFCOUt0TDdOZnA1c3NZ
UDVJcUNUS3dqVmJMOVIra0tEVEJ5cjVNYnljCkcxMXF2SGJFRDVDeEFFTEh5dUdV
MkEzQXE3TjhHcUJjdXhGSHZyanpVZ1UKLS0tIERlVXNXNjV5OHdyeG5LdCtIVWNG
YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg
bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T17:47:10Z"
mac: ENC[AES256_GCM,data:SgCb2jDxUztO5PuhoHmcz9wn35f0vpGs/Qx7LJpTbfjtVNJ3UMAq1MCyZmOg2NS3kvqpiE7a32HC0Y+froLU3LgoEXwtRYdg1jrzgur5sjFgEWXKhhR3Ly2JVKJdb+L6iJH0AnoTBR0ufGdPQZ8Y4OYbrFUZ0WtI07fF4umfE2A=,iv:sU6c55msG5epdZzCdp/MFCFg6NJrtFmrBAzd4VUXysE=,tag:9H2KFubRTRnSs+G6eocbqQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0