SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 23:11:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move secrets decryption from containers to server

Browse source
This commit is contained in:
SebastianStork 2024-09-22 19:10:52 +02:00
parent a4abd033cc
commit a7e1ced2a2
13 changed files with 58 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

13
hosts/stratus/containers/nspawn/nextcloud/default.nix
View file

@ -4,6 +4,11 @@ let
subdomain = "cloud";
in
{
sops.secrets = {
"container/nextcloud/admin-password" = { };
"container/nextcloud/gmail-password" = { };
};
containers.${serviceName}.config =
{
config,
@ -22,12 +27,8 @@ in
./backup.nix
];
sops.secrets."admin-password" = {
owner = userName;
group = groupName;
};
systemd.tmpfiles.rules = [
"z /run/secrets/container/nextcloud/admin-password - ${userName} ${groupName} -"
"d ${dataDir}/home 750 ${userName} ${groupName} -"
"d ${dataDir}/postgresql 700 postgres postgres -"
];
@ -44,7 +45,7 @@ in
config = {
dbtype = "pgsql";
adminuser = "admin";
adminpassFile = config.sops.secrets."admin-password".path;
adminpassFile = "/run/secrets/container/nextcloud/admin-password";
};
https = true;

5
hosts/stratus/containers/nspawn/nextcloud/email-server.nix
View file

@ -1,7 +1,4 @@
{ config, ... }:
{
sops.secrets."gmail-password" = { };
services.nextcloud.settings = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
@ -16,7 +13,7 @@
port = "587";
user = "nextcloud.stork";
from = "nextcloud.stork@gmail.com";
passwordeval = "cat ${config.sops.secrets."gmail-password".path}";
passwordeval = "cat /run/secrets/container/nextcloud/gmail-password";
};
};
}

36
hosts/stratus/containers/nspawn/nextcloud/secrets.yaml
View file

@ -1,36 +0,0 @@
tailscale-auth-key: ENC[AES256_GCM,data:HLRjtK6MXLSlzEsu76mUye9V9gAD4Grxbd0UU1RySEGekG4StMeO3yo+wHYHNU2UcRdZEW4OKaZyLbRCHpg=,iv:Kbey9sU5tCqH9pnas30bns1HyTGYlAL0pR3WcVeVvrY=,tag:NiFLtMWJ1FCN+EYR/ZHrrg==,type:str]
admin-password: ENC[AES256_GCM,data:E1BSDKAeInmXTW1zuTL4LJZTtsP0Dd/Bfz20VQLV,iv:ilZgom7Ka+Wsv8Nwemb2C6j+kHovqHe7Xa5S5rzo5Zk=,tag:BYb9K8wWG9zWPuQScVJKjg==,type:str]
gmail-password: ENC[AES256_GCM,data:E3kxSudXdE4uH9qB1wVJWm+tGsc=,iv:h49oGGfNJpU6RKPPP0RKDZ3NILb9FsuWTuS82yxxe/k=,tag:mY1OREVPyWHpL1YpaNE9/w==,type:str]
restic:
environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str]
password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1
ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk
T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS
SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS
+WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha
c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM
dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1
aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-18T18:38:36Z"
mac: ENC[AES256_GCM,data:YJDQWeSHOuYZ5WieOJ18t0G6Lh3YFPR4RKPN+vA4gmFJp43frnwwXa70IbTcRd1hYQJfiKA5JjZ5rWKZnZOFEKoYUNDhDl39zFxLRv4h9ie6lspXI9ZnpeWfKX0KO6lE30lPVZLSwkdDg7PAntz0+Cp/eK0O2r8zrJ99VWxkJFw=,iv:QGZlAqs7UAJg5TL+qatMUzpau5iu54n86Dr0hgIMUlM=,tag:GL+NphBCkOQITXKJBY2i8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0