SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 23:11:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move secrets decryption from containers to server

Browse source
This commit is contained in:
SebastianStork 2024-09-22 19:10:52 +02:00
parent a4abd033cc
commit a7e1ced2a2
13 changed files with 58 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

21
modules/system/restic-backup.nix
View file

@ -6,6 +6,8 @@
}:
let
cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
healthchecksEnable = (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { };
in
{
options.myConfig.resticBackup = lib.mkOption {
@ -35,7 +37,7 @@ in
users.groups.backup.members = lib.mapAttrsToList (_: value: value.user) cfg;
sops.secrets =
sops.secrets = lib.optionalAttrs config.myConfig.sops.enable (
let
resticPermissions = {
mode = "440";
@ -45,11 +47,9 @@ in
{
"restic/environment" = resticPermissions;
"restic/password" = resticPermissions;
"healthchecks-ping-key" = lib.mkIf (
(lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }
) resticPermissions;
};
"healthchecks-ping-key" = lib.mkIf healthchecksEnable resticPermissions;
}
);
services.restic.backups = lib.mapAttrs (
name: value:
@ -57,8 +57,9 @@ in
inherit (value) user;
initialize = true;
repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
environmentFile = config.sops.secrets."restic/environment".path;
passwordFile = config.sops.secrets."restic/password".path;
environmentFile =
config.sops.secrets."restic/environment".path or "/run/secrets/restic/environment";
passwordFile = config.sops.secrets."restic/password".path or "/run/secrets/restic/password";
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
@ -79,14 +80,14 @@ in
}
) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg))
(lib.mkIf ((lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }) {
(lib.mkIf healthchecksEnable {
"healthcheck-ping@" = {
description = "Pings healthcheck (%i)";
serviceConfig.Type = "oneshot";
scriptArgs = "%i";
script = ''
${lib.getExe pkgs.curl} -fsS -m 10 --retry 5 https://hc-ping.com/$(cat ${
config.sops.secrets."healthchecks-ping-key".path
config.sops.secrets."healthchecks-ping-key".path or "/run/secrets/healthchecks-ping-key"
})/$(echo $1 | tr _ /)
'';
};

6
modules/system/tailscale.nix
View file

@ -23,11 +23,13 @@ in
};
config = lib.mkIf cfg.enable {
sops.secrets."tailscale-auth-key" = { };
sops.secrets = lib.optionalAttrs config.myConfig.sops.enable {
"tailscale-auth-key" = { };
};
services.tailscale = {
enable = true;
authKeyFile = config.sops.secrets."tailscale-auth-key".path;
authKeyFile = config.sops.secrets."tailscale-auth-key".path or "/run/secrets/tailscale-auth-key";
openFirewall = true;
useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client";
extraUpFlags = [ "--reset=true" ];