Move secrets decryption from containers to server

2026-01-21 22:11:33 +01:00 · 2024-09-22 19:10:52 +02:00 · 2024-09-22 19:10:52 +02:00 · a7e1ced2a2
commit a7e1ced2a2
parent a4abd033cc
13 changed files with 58 additions and 196 deletions
--- a/hosts/stratus/containers/nspawn/paperless/default.nix
+++ b/hosts/stratus/containers/nspawn/paperless/default.nix
@ -4,21 +4,17 @@ let
  subdomain = "paper";
 in
 {
+  sops.secrets."container/paperless/admin-password" = { };
+
  containers.${serviceName}.config =
-    {
-      config,
-      dataDir,
-      ...
-    }:
+    { dataDir, ... }:
    {
      imports = [ ./backup.nix ];

-      sops.secrets."admin-password" = { };
-
      services.paperless = {
        enable = true;
        inherit dataDir;
-        passwordFile = config.sops.secrets."admin-password".path;
+        passwordFile = "/run/secrets/container/paperless/admin-password";
        settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
      };

--- a/hosts/stratus/containers/nspawn/paperless/secrets.yaml
+++ b/hosts/stratus/containers/nspawn/paperless/secrets.yaml
@ -1,35 +0,0 @@
-tailscale-auth-key: ENC[AES256_GCM,data:qXVu6U3gcDUq0+eWAtgFn8CZja9Dc4r3z7qZoaAqDm7r8uqpZsZ7JaX3AIBeipvRrBG11IDabP5DM38D8PQ=,iv:FKf7duFw+cV1wH2fd2oDNkbuokuQxgOW0gHgR+oSc7U=,tag:1aOb8XOL61cn/ESW3I/ocQ==,type:str]
-admin-password: ENC[AES256_GCM,data:cHi+UfaxyLGBxJKjV3M/4js/Nmc=,iv:zmTrC9Icy8D1Wlw0sL7lO1ft8BlXk3AsnNmUyAqANTI=,tag:pMXE0844vwbdPN0wWw6BnQ==,type:str]
-restic:
-  environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
-  password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
-healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
-sops:
-  kms: []
-  gcp_kms: []
-  azure_kv: []
-  hc_vault: []
-  age:
-    - recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
-        WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
-        WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
-        dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
-        8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
-        -----END AGE ENCRYPTED FILE-----
-    - recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
-      enc: |
-        -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
-        UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
-        VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
-        cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
-        tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
-        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-18T18:26:53Z"
-  mac: ENC[AES256_GCM,data:/WomZ6f0OUXtLTXRsTkugr9GQBE3Cb6b9t40BZRT0d4zq9CmYDqw9S4UZJRyB1TZFermsqZ4yjPiw4hQL/1g87ds9l9N+GOnxl/nhRZ166fl61hpe6SUEhuiFMDG3RBx0LbyYgZF8yi6gRAZOyIWPnCa6L0g1WIvcu5txbzXZ9U=,iv:gT2ik8izbHMFys0XCWotHWb+U+C243PG70Q7R6Sc9lo=,tag:3NHjEbt89aTKlK2/3oeQAg==,type:str]
-  pgp: []
-  unencrypted_suffix: _unencrypted
-  version: 3.9.0