mirror of
https://github.com/SebastianStork/nixos-config.git
synced 2026-01-21 16:21:34 +01:00
Move secrets decryption from containers to server
This commit is contained in:
parent
a4abd033cc
commit
a7e1ced2a2
13 changed files with 58 additions and 196 deletions
22
.sops.yaml
22
.sops.yaml
|
|
@ -6,11 +6,6 @@ keys:
|
|||
- &inspiron age1jl9s4vp78wuwymjxaje6fg4ax0gg5aq8pn8khfmtn5rvap0d83tqfr05dv
|
||||
- &stratus age1pryafed9elaea6zk5gnf6drjt4nznc02385y973lwt9t2s7j7vmsfnggkp
|
||||
|
||||
# Containers
|
||||
- &forgejo age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
|
||||
- &nextcloud age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
|
||||
- &paperless age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
|
||||
|
||||
# Users
|
||||
- &seb-north age1p32cyzakxtcx346ej82ftln4r2aw2pcuazq3583s85nzsan4ygqsj32hjf
|
||||
- &seb-inspiron age1s9h9hh8f0vudwn4awr90mj0ka2xh9gppwus0jmvmaz3j3uckz94s36gzkz
|
||||
|
|
@ -33,23 +28,6 @@ creation_rules:
|
|||
- *admin
|
||||
- *stratus
|
||||
|
||||
# Containers
|
||||
- path_regex: hosts/stratus/containers/nspawn/forgejo/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin
|
||||
- *forgejo
|
||||
- path_regex: hosts/stratus/containers/nspawn/nextcloud/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin
|
||||
- *nextcloud
|
||||
- path_regex: hosts/stratus/containers/nspawn/paperless/secrets.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *admin
|
||||
- *paperless
|
||||
|
||||
# Users
|
||||
- path_regex: users/seb/@north/secrets.yaml$
|
||||
key_groups:
|
||||
|
|
|
|||
|
|
@ -5,9 +5,7 @@ in
|
|||
{
|
||||
imports = lib.mapAttrsToList (name: _: ./${name}) containers;
|
||||
|
||||
sops.secrets = lib.mapAttrs' (
|
||||
name: _: lib.nameValuePair "container/${name}/tailscale-auth-key" { }
|
||||
) containers;
|
||||
sops.secrets."container/tailscale-auth-key" = { };
|
||||
|
||||
virtualisation.oci-containers = {
|
||||
backend = "docker";
|
||||
|
|
@ -23,7 +21,7 @@ in
|
|||
};
|
||||
environmentFiles = [
|
||||
# Contains "TS_AUTHKEY=<token>"
|
||||
config.sops.secrets."container/${name}/tailscale-auth-key".path
|
||||
config.sops.secrets."container/tailscale-auth-key".path
|
||||
];
|
||||
volumes = [ "/var/lib/tailscale-${name}:/var/lib/tailscale" ];
|
||||
extraOptions = [ "--network=container:${name}" ];
|
||||
|
|
|
|||
|
|
@ -12,9 +12,12 @@ in
|
|||
{
|
||||
imports = lib.mapAttrsToList (name: _: ./${name}) containers;
|
||||
|
||||
sops.secrets = lib.mapAttrs' (
|
||||
name: _: lib.nameValuePair "container/${name}/ssh-key" { }
|
||||
) containers;
|
||||
sops.secrets = {
|
||||
"container/tailscale-auth-key" = { };
|
||||
"restic/environment" = { };
|
||||
"restic/password" = { };
|
||||
"healthchecks-ping-key" = { };
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = lib.flatten (
|
||||
lib.mapAttrsToList (name: _: [
|
||||
|
|
@ -44,7 +47,11 @@ in
|
|||
hostBridge = "br0";
|
||||
|
||||
bindMounts = {
|
||||
"/etc/ssh/ssh_host_ed25519_key".hostPath = config.sops.secrets."container/${name}/ssh-key".path;
|
||||
"/run/secrets/container/tailscale-auth-key" = { };
|
||||
"/run/secrets/container/${name}" = { };
|
||||
"/run/secrets/restic" = { };
|
||||
"/run/secrets/healthchecks-ping-key" = { };
|
||||
|
||||
${dataDirOf name}.isReadOnly = false;
|
||||
"/var/lib/tailscale" = {
|
||||
hostPath = "/var/lib/tailscale-${name}";
|
||||
|
|
@ -79,12 +86,6 @@ in
|
|||
};
|
||||
services.resolved.enable = true;
|
||||
|
||||
myConfig.sops = {
|
||||
enable = true;
|
||||
defaultSopsFile = ./${name}/secrets.yaml;
|
||||
};
|
||||
|
||||
sops.secrets."tailscale-auth-key" = { };
|
||||
myConfig.tailscale.enable = true;
|
||||
};
|
||||
}) containers;
|
||||
|
|
|
|||
|
|
@ -4,6 +4,8 @@ let
|
|||
subdomain = "git";
|
||||
in
|
||||
{
|
||||
sops.secrets."container/forgejo/admin-password" = { };
|
||||
|
||||
containers.${serviceName}.config =
|
||||
{
|
||||
config,
|
||||
|
|
@ -18,12 +20,8 @@ in
|
|||
{
|
||||
imports = [ ./backup.nix ];
|
||||
|
||||
sops.secrets."admin-password" = {
|
||||
owner = userName;
|
||||
group = groupName;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"z /run/secrets/container/forgejo/admin-password - ${userName} ${groupName} -"
|
||||
"d ${dataDir}/home 750 ${userName} ${groupName} -"
|
||||
"d ${dataDir}/postgresql 700 postgres postgres -"
|
||||
];
|
||||
|
|
@ -47,14 +45,13 @@ in
|
|||
|
||||
systemd.services.forgejo.preStart = ''
|
||||
create="${lib.getExe config.services.forgejo.package} admin user create"
|
||||
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat ${
|
||||
config.sops.secrets."admin-password".path
|
||||
})" || true
|
||||
$create --admin --email "sebastian.stork@pm.me" --username seb --password "$(cat /run/secrets/container/forgejo/admin-password)" || true
|
||||
'';
|
||||
|
||||
myConfig.tailscale = {
|
||||
inherit subdomain;
|
||||
serve = "3000";
|
||||
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
tailscale-auth-key: ENC[AES256_GCM,data:9jqpLTuBWvonEsTuzxxtgOnw4bvjQG49wu6VrxwdnrwI7VmLcTcVzotyU+Vqsmys5dTMR5JtMLkN+OOw6zg=,iv:HM819F8A2W+5oBi+QLaRW//4kPKzmqG4EQicWm9aGKc=,tag:XzFSLI4WNGmgPBiffv4rXQ==,type:str]
|
||||
admin-password: ENC[AES256_GCM,data:f7rbPet7zkNQWZZ1r1zf4Yi+rBLbAypv/mxhK6d0,iv:MrMWa9tm32PIrM/k9/Qd+VsxGXjKQuqVEvZcn4bfy48=,tag:yjrgnPUWE33GMlzKVsbL+g==,type:str]
|
||||
restic:
|
||||
environment: ENC[AES256_GCM,data:il37oo0OywyZR+YpculEzkdzDwE0eZ+X21oX2yZ7hDa/91a+bn3Y/HJVpnh0qaxraupoL9OQJeGevI6xW6MSmpjiutofUSPzqg0dbXuw4/lE54y1CZUn1rRNoTeUja8zcyA=,iv:irIAnO7tizrgkdvZLFJGbL5HYgLee1DHDrqsiCJFxSE=,tag:a7hLwMLtmtCZDm7vrdgZJg==,type:str]
|
||||
password: ENC[AES256_GCM,data:tmzBte5NDAzTfqakXlNn8cctwfWq6xzOzoRJ7cAi,iv:R4wGPjQPV42p+i7lp6Q2LDThv8OKKCO462eOVMnlyO8=,tag:owA+MdJ0pEf+0cuAzHdUwA==,type:str]
|
||||
healthchecks-ping-key: ENC[AES256_GCM,data:oax0Kk4AYPnjMmZpSuWMvm0+6yPYzQ==,iv:CjrJ8ZdcB4MVzYPmeb2YB8FbEzm159koeaYmzTKo9q8=,tag:fj9Oo16FiX5D9UkkL94cKQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZejdhUzZyQ1RROGZmZUdX
|
||||
UFR6NlBsbVZDMjJwM3pidi8waWNWVS9id2tnClBxQ3J6N0IwOGZ5eFZFZHU1ZEN3
|
||||
YUh2c3VUd2xLa3NEdWUzdE1aOUZONFUKLS0tIHpGM1pMeUFQYytoQmdncHJWUHlz
|
||||
L003dzV4Z0lTRllkVDJlSm16S1crMlUKtW70ZGOCC9iwfQ7kxzx+DT7l2qSub9Bf
|
||||
VfdlHP1XHXhEw3Don3OLrzwaIzXBbfqGGtpd0rWIoxISqjguBulR9g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age12k607dpdjt5dyq0w3hpgyfdyfrrfuutxgra0tgt8qja30er7cupsfps60n
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdVFCOUt0TDdOZnA1c3NZ
|
||||
UDVJcUNUS3dqVmJMOVIra0tEVEJ5cjVNYnljCkcxMXF2SGJFRDVDeEFFTEh5dUdV
|
||||
MkEzQXE3TjhHcUJjdXhGSHZyanpVZ1UKLS0tIERlVXNXNjV5OHdyeG5LdCtIVWNG
|
||||
YzNSUG5HWStBemtRZ0s4NzNOOTZRWDAKJHKjfzIPOQUoizt5SffPP/n4d+hOfGLg
|
||||
bXsKSa99E5JMxskzYZQGH0G4OLZrJEMzegRW0DsJtEFwj8YORmn6iw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-18T17:47:10Z"
|
||||
mac: ENC[AES256_GCM,data:SgCb2jDxUztO5PuhoHmcz9wn35f0vpGs/Qx7LJpTbfjtVNJ3UMAq1MCyZmOg2NS3kvqpiE7a32HC0Y+froLU3LgoEXwtRYdg1jrzgur5sjFgEWXKhhR3Ly2JVKJdb+L6iJH0AnoTBR0ufGdPQZ8Y4OYbrFUZ0WtI07fF4umfE2A=,iv:sU6c55msG5epdZzCdp/MFCFg6NJrtFmrBAzd4VUXysE=,tag:9H2KFubRTRnSs+G6eocbqQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
@ -4,6 +4,11 @@ let
|
|||
subdomain = "cloud";
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"container/nextcloud/admin-password" = { };
|
||||
"container/nextcloud/gmail-password" = { };
|
||||
};
|
||||
|
||||
containers.${serviceName}.config =
|
||||
{
|
||||
config,
|
||||
|
|
@ -22,12 +27,8 @@ in
|
|||
./backup.nix
|
||||
];
|
||||
|
||||
sops.secrets."admin-password" = {
|
||||
owner = userName;
|
||||
group = groupName;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"z /run/secrets/container/nextcloud/admin-password - ${userName} ${groupName} -"
|
||||
"d ${dataDir}/home 750 ${userName} ${groupName} -"
|
||||
"d ${dataDir}/postgresql 700 postgres postgres -"
|
||||
];
|
||||
|
|
@ -44,7 +45,7 @@ in
|
|||
config = {
|
||||
dbtype = "pgsql";
|
||||
adminuser = "admin";
|
||||
adminpassFile = config.sops.secrets."admin-password".path;
|
||||
adminpassFile = "/run/secrets/container/nextcloud/admin-password";
|
||||
};
|
||||
|
||||
https = true;
|
||||
|
|
|
|||
|
|
@ -1,7 +1,4 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
sops.secrets."gmail-password" = { };
|
||||
|
||||
services.nextcloud.settings = {
|
||||
mail_smtpmode = "sendmail";
|
||||
mail_sendmailmode = "pipe";
|
||||
|
|
@ -16,7 +13,7 @@
|
|||
port = "587";
|
||||
user = "nextcloud.stork";
|
||||
from = "nextcloud.stork@gmail.com";
|
||||
passwordeval = "cat ${config.sops.secrets."gmail-password".path}";
|
||||
passwordeval = "cat /run/secrets/container/nextcloud/gmail-password";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,36 +0,0 @@
|
|||
tailscale-auth-key: ENC[AES256_GCM,data:HLRjtK6MXLSlzEsu76mUye9V9gAD4Grxbd0UU1RySEGekG4StMeO3yo+wHYHNU2UcRdZEW4OKaZyLbRCHpg=,iv:Kbey9sU5tCqH9pnas30bns1HyTGYlAL0pR3WcVeVvrY=,tag:NiFLtMWJ1FCN+EYR/ZHrrg==,type:str]
|
||||
admin-password: ENC[AES256_GCM,data:E1BSDKAeInmXTW1zuTL4LJZTtsP0Dd/Bfz20VQLV,iv:ilZgom7Ka+Wsv8Nwemb2C6j+kHovqHe7Xa5S5rzo5Zk=,tag:BYb9K8wWG9zWPuQScVJKjg==,type:str]
|
||||
gmail-password: ENC[AES256_GCM,data:E3kxSudXdE4uH9qB1wVJWm+tGsc=,iv:h49oGGfNJpU6RKPPP0RKDZ3NILb9FsuWTuS82yxxe/k=,tag:mY1OREVPyWHpL1YpaNE9/w==,type:str]
|
||||
restic:
|
||||
environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str]
|
||||
password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str]
|
||||
healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWFVKV0IzbVVTV1g1c3o1
|
||||
ZnpwMTFyZ0RhcmhhNk8vd1dYWGdWZHZhNFVRCjE3MG9Wd0ZXNEtrRS84M3hMRVdk
|
||||
T1BOczN0VmoybUs3dXJUR3FNc2swdlkKLS0tIEFXam96UGlJWnphVzVpRittSXNS
|
||||
SDU0U0IwTTh6NHI2enZZTEwwd2lkQXMKsHAwayLHW3GfRc90sq0xhN1rF4RkvXSS
|
||||
+WGyhmI0fik6NPyVN7DNaYhte2IoVJe3RTH2vJigpTLIIziMgTPgFQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1jutruntzdaqs26mpe68pafje23m9n4klm04fva05fcdyvyqnaamsvqf3jr
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSExmaW9CUGo0WWloZDha
|
||||
c3ZUNy9xVXgvVkdzRHRjWFZERllycG41RENzCnZuazR2RW41VlJNWk9TZjcwcGpM
|
||||
dnZQQTNSbDBieGhmOW5xU24xeVhpYjQKLS0tIHAzTDV2dHdDNnQ4ZC9ielM3Qyt1
|
||||
aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
|
||||
xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-18T18:38:36Z"
|
||||
mac: ENC[AES256_GCM,data:YJDQWeSHOuYZ5WieOJ18t0G6Lh3YFPR4RKPN+vA4gmFJp43frnwwXa70IbTcRd1hYQJfiKA5JjZ5rWKZnZOFEKoYUNDhDl39zFxLRv4h9ie6lspXI9ZnpeWfKX0KO6lE30lPVZLSwkdDg7PAntz0+Cp/eK0O2r8zrJ99VWxkJFw=,iv:QGZlAqs7UAJg5TL+qatMUzpau5iu54n86Dr0hgIMUlM=,tag:GL+NphBCkOQITXKJBY2i8g==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
@ -4,21 +4,17 @@ let
|
|||
subdomain = "paper";
|
||||
in
|
||||
{
|
||||
sops.secrets."container/paperless/admin-password" = { };
|
||||
|
||||
containers.${serviceName}.config =
|
||||
{
|
||||
config,
|
||||
dataDir,
|
||||
...
|
||||
}:
|
||||
{ dataDir, ... }:
|
||||
{
|
||||
imports = [ ./backup.nix ];
|
||||
|
||||
sops.secrets."admin-password" = { };
|
||||
|
||||
services.paperless = {
|
||||
enable = true;
|
||||
inherit dataDir;
|
||||
passwordFile = config.sops.secrets."admin-password".path;
|
||||
passwordFile = "/run/secrets/container/paperless/admin-password";
|
||||
settings.PAPERLESS_OCR_LANGUAGE = "deu+eng";
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -1,35 +0,0 @@
|
|||
tailscale-auth-key: ENC[AES256_GCM,data:qXVu6U3gcDUq0+eWAtgFn8CZja9Dc4r3z7qZoaAqDm7r8uqpZsZ7JaX3AIBeipvRrBG11IDabP5DM38D8PQ=,iv:FKf7duFw+cV1wH2fd2oDNkbuokuQxgOW0gHgR+oSc7U=,tag:1aOb8XOL61cn/ESW3I/ocQ==,type:str]
|
||||
admin-password: ENC[AES256_GCM,data:cHi+UfaxyLGBxJKjV3M/4js/Nmc=,iv:zmTrC9Icy8D1Wlw0sL7lO1ft8BlXk3AsnNmUyAqANTI=,tag:pMXE0844vwbdPN0wWw6BnQ==,type:str]
|
||||
restic:
|
||||
environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
|
||||
password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
|
||||
healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTmZLR2JOM1p2S2lxYkts
|
||||
WTE2OFlRUXJ0a01EOUd3Mythc3R1d3llTTNrCkJQWVY1bGlFbThaL0plTWhwYUJK
|
||||
WDlQNjFzZGhIS3ZlaHZiYytQdFo5WWMKLS0tIGZ3VDRTQlFHT2IwVkFIb0lwOXhT
|
||||
dm9QRndWZXE0L0drS3JzMGF0c2x1S1kKXuxMaVAcbRwR4/QZnIUdb3wyRujYAy2I
|
||||
8/FYL5r9PuNwhEv1Ene+dj8nkx1G+stTZmgepOS9Z0AyIvfDW6FS8g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1y82j460w5fh0fpquatqar0zqet0vzzfzjnegrp686na3gejapdtsc37vuh
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVVzZUl5WVc3VVZudmVj
|
||||
UkVDd2pYUU50MDBHRnZ4Sis5K28wV1RwNlQ4CmhONVd3Wkh5ZHlYSDYzeHlLMGdF
|
||||
VUxiS2JWS2lwQVY2OHYwSk1UdGNSeUkKLS0tIGRSZVJ2U1J6azQveHJkRmViVnNs
|
||||
cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
|
||||
tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-18T18:26:53Z"
|
||||
mac: ENC[AES256_GCM,data:/WomZ6f0OUXtLTXRsTkugr9GQBE3Cb6b9t40BZRT0d4zq9CmYDqw9S4UZJRyB1TZFermsqZ4yjPiw4hQL/1g87ds9l9N+GOnxl/nhRZ166fl61hpe6SUEhuiFMDG3RBx0LbyYgZF8yi6gRAZOyIWPnCa6L0g1WIvcu5txbzXZ9U=,iv:gT2ik8izbHMFys0XCWotHWb+U+C243PG70Q7R6Sc9lo=,tag:3NHjEbt89aTKlK2/3oeQAg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
@ -1,23 +1,20 @@
|
|||
seb-password: ENC[AES256_GCM,data:N3w7niUZsyFmF2gF+gMhlDb6XfoYZ8yNrZvv2J0Cb3zDhstW7LsgYZVcM3+MXPbTDE9xJ00VGBayOT7fW+5IYYWdGgbRWvOH0w==,iv:rLCKJ9wUL+3sjIaqwV89pYJtt/ERuoR4AAgbt9H4oHg=,tag:nuh9rT0W500w8+y76MqC1Q==,type:str]
|
||||
tailscale-auth-key: ENC[AES256_GCM,data:vwFTBVQr7T8/Wrc3jOCF3TeQhuEpFyJ0M9yES2g+hSmoc4kraq+QfXmpbz9ciw5dk3mZoZycZFPKU2HJig==,iv:1Ca6tOhQNRw3jxnl3+IoKSJpRuy4jHy9HC/Dj2xOsmQ=,tag:ZqZPqBOF5GZoRLLO1Iq2Iw==,type:str]
|
||||
container:
|
||||
tailscale-auth-key: ENC[AES256_GCM,data:bGWXOYfbHeG4Qy1ZOfKFEZeMI+H65zp7Frqt3MnGx2JnoVWD/Ih73XG4Nj+EfzZVrq4zWGhx0G5H6LKkUQ==,iv:L0KqAxsGuRZcRPzypG/hLo5zSCELNlLK+TEcX+NpMS8=,tag:Af04U0pHJSiiaebgS73ySg==,type:str]
|
||||
onlyoffice:
|
||||
jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str]
|
||||
forgejo:
|
||||
admin-password: ENC[AES256_GCM,data:vwFxyLQkU2rzkkgQX7ACEeVHLVbrci9kPUk9L4yD,iv:2gmdO1dImo3fZWRaO3oyt3/IfD3zscHwxgv0iwgAMgQ=,tag:fu1ZYeG183nJH18DqVmTtQ==,type:str]
|
||||
nextcloud:
|
||||
admin-password: ENC[AES256_GCM,data:SJxRKv+i+WK8u8f3kqlaxmTqOxmQ7510E9sEpyXV,iv:4Nja7A+VyPPBiJP42fhDTWe93MmBo4/X8IMTR5PGo3s=,tag:Z32bryhJ73IA9ig53epVzQ==,type:str]
|
||||
gmail-password: ENC[AES256_GCM,data:dL1Kag8U5UoNbLOHNbu6dpdJ0GQ=,iv:5oVZRC/L9//pA/vqlk79WNoAdHO+c8CVhywYFRC15eA=,tag:67zXXYMYW7FKR521NM6sYA==,type:str]
|
||||
paperless:
|
||||
admin-password: ENC[AES256_GCM,data:NtQGomRO2uGW+kVybFhIwPvbXWE=,iv:rfPMMiCCYxgQa5k+9RWRKpIkkLWamzBg1cIrsGun9G8=,tag:ltgfGSI4FqUnTGULs+p2cA==,type:str]
|
||||
restic:
|
||||
environment: ENC[AES256_GCM,data:f6on7t1no/jPtnxQ6b7CYd1YyrdRyhuPa2H0z8ytGeCb4aIIrPDvKBjEUx8fvUKNk00Nf8Z2Vi+ZmuSz0gMHA7nQTvPhejU0VZvNT0X1AmUhahehDz4m0cylM8ZmtXklWl4=,iv:+ohpmCKu/KIEn4gcBn3hNDTF7qybQAe3uDWiQ8GAIVw=,tag:5FSZXr7t1VEC8xnlQrVyyQ==,type:str]
|
||||
password: ENC[AES256_GCM,data:ERm1OwndSGhT7aTUyBW5E0z2l9gQhGy6LQbi+rDv,iv:XPPs61l6KWGA06uhRZid6rAgNfbHtcJWYjrD5QJrnlI=,tag:AmAdsNRqtjvGmQ0G44s9Fw==,type:str]
|
||||
healthchecks-ping-key: ENC[AES256_GCM,data:F7XBp/zPuIxnIEmQX3+BHDPO0VBwJQ==,iv:c+/jK+4SiCby3yKdjXq69PEyfCOhua9quGCj7OK0Nhc=,tag:sjIAAuk8DY9VFHy0/p60WQ==,type:str]
|
||||
container:
|
||||
actualbudget:
|
||||
tailscale-auth-key: ENC[AES256_GCM,data:n6sxwHbhKyvk1gubSIg6qXyDONob2LJOWOUCvLwmZDe3tCVxkq62vwfgiqAA5is2HEaLi72JdgdYMFQNoggwEnZ5X1YcS8WC,iv:0rJJiL+T9y45nZqRqpMobP1XmVYHeLfZei7jQoofMLE=,tag:RKPj2JwBlhNMvYH27lGsaQ==,type:str]
|
||||
onlyoffice:
|
||||
tailscale-auth-key: ENC[AES256_GCM,data:nxNiy9AKzspdPx3OfdT1WFjO+De1k9xHMaITZZ0y/gYCj6hsOnF9cOq1A+YV5N/zYB5RbPd9Hg77kLwfPeHYgnJklNbVMNfs,iv:ruk+riD2BVlv+gTsRDBhMB7+trvxioq7M8rUlyrG2fk=,tag:RCtXHI16EWOnl+cljqQyxg==,type:str]
|
||||
jwt-secret: ENC[AES256_GCM,data:cLEV5yTwzrcUWjS+RSOy4QGmB+yP24j/Bo51LCS+2yX9fpeeJ+tPAuA=,iv:4R/1YcVQjLTcEKJbQ5oq1/vUM+dc4zBLkFLSgH4wq0w=,tag:i0ub07cM9FwV2ryu+XTLbQ==,type:str]
|
||||
stirling-pdf:
|
||||
tailscale-auth-key: ENC[AES256_GCM,data:7V+9/D60QxsxRxGMLtgGBqrha7OEx3T7jxUmw9MOuA8l9fxqiqsbneAXRJeTfcY1acafmfweOcwcF6y+/2znQdKHEk/HSrGO,iv:eSpyPUkpOC66mT40siVJ2FcE1pDML+3q1Jpt/Zzoaac=,tag:8EuaXQV0n1VoO95O9wr3PA==,type:str]
|
||||
forgejo:
|
||||
ssh-key: ENC[AES256_GCM,data:PbPRioKPPE/sv8jceAzuV5NFSVSBNOZAejCfUJUYmhLblLSuDsZ7fdgk5+TFjf7baVPhWasUGAo588z7fqzMlTgHfT/RtwDJ4QUMaPXts68CxdZemdjVa8LbV96i9UNlCJP8Sz/7Wvc8axnmyIApAhcLBA7d9KTQn/7lXgaGs9QtDDpSSmJluQHDe1t4QG2UqV73ZZ4I1MY9nVYO9lmaKBej43247cnw8FrkeCQLx4nXuArCp88rBug0CpgY8z15eK4RWXonBjBe5TDoCOWpENyD/6uVFeQIow5TSJgKlkh1w+dj9IiCBfYBllH5xQxjsjlVpDba4A+hfoBhah+EWhK3J765UGn4ufslVMNTQeL9yD87WMa1EkYwGSCVgCTD+/BfgP4HjzgGbM0OuU2Z5t2WV/R9Dm69w+wISbcjTmqqk+q6hle0RR5SkY9bOax2AKsOkcp/k6BS9QmNnajD7qnIVgGTLEwqgWjbQJGFLEE5mSNmZU5oV2gatrbPnN609LbaH6d6Zj28l7Hwr6jH,iv:fgUklpj946AqYe5hh3gwII4CUoUXsrrk3cW2TVugm0c=,tag:ypVvK3K/lSunq2g/LFIWRA==,type:str]
|
||||
nextcloud:
|
||||
ssh-key: ENC[AES256_GCM,data:HXCYEpNL6Y5GOLp5bhQY9M6NTLV0+e8DiQz2PbnCskvMSiZSp4yHr3wcAzgZttWhLmAydY4moelGzsmkvH8O/DiR2Gkw9Ex4uFEffS2HjlEzTwi7qL70Av6ZbF395NCP82M34Gnnl143+y7wZiJjCPL/oY5QZSzbgg3FgHrqo7f1xcSPcv4LukZ33zcsn4irOGRi2KktiDgcvAdVMLiChWxO0snqS+h7zPIaX4NIcNFW3BgOmUJ42cAoKcsR2ORDDbq0FmSSePh67pKqQJPbBoya6OzfYufNKek0nuwfWVkIjnQbqi0sicx4lks4WXYWMj1WapbIFzPkabfVysfHXcYPpt6OXNqnXTN9bn9Ww/dgEeQyyO+Qc7MHjfXxcLZd8p4bmiP+9bVJ6/ed0YHdCUkt14IxTOiXu0n5lI8/NMam4YLaGiMbRyYAGN6q8W7UYurFBOoKajVByUPTa7FK4H8rZDsNd6HYtTc4lqyeqzKYA9EU/99P9GCmMhrkQYMcoF77tLAAsDdn74OfS2AY86z7xGHCRg67ROMb,iv:pj3P1p5wBn67wGyguLFHJs2+Qhz1X7U9EoD8OsdNTKc=,tag:lKogFelSJIXugKYm/gVy8w==,type:str]
|
||||
paperless:
|
||||
ssh-key: ENC[AES256_GCM,data:9A82GwjT+6Vf9uVGUcgkZZZtbVD7Fqc7C4TtGZ97WaTSNDku9LDRZN/qwk2neHrUb5s3V4Ag4hoszvfe9Hqz+1wDLHu6DyDZNhz9awdZbRD6y7ZavB67cTQtj/qjR5sfqWABVHOFaJxH74+cxvUZjBNOaUEhYBmnKow4AL4CpXjkF+DfT0WcpCWJCBagUA2tfvdScASShbu2bA3+NouY/KR54nOrHTI9cqio+3NNs0Ux1R8D1tzzKj1B4oM8u7e5AFyX7E7W9dJmIFEW9JkfqyToZwX9KxkLJG4T12tuReXLHy1HJtsll1OVytznDp4//pHOC64TFvRgcuHrdldXhUtILqd6we5Lt2Cg+HdITie0Veuvce8V9vVnNX8j7I4Wr6z1HHwWFhcRp/JgVCBOInRVGByF0IA5j4lG3XZ5WZgXKVHgLHN1mqkyPJC8pu7ZL57rdDUOCuSZxKT6aG54glD/PtqayFS0+8G0zeZ6xQ6UYSVCvD1VjDGKWDsZgeLHMV+IE2tTdzp0+AahhgW0RmCXh/FCgrMDfnJk,iv:I65+PTiDG2z8k1kE1ngp3kI/dD3bevIug8/CV5TqKPQ=,tag:fAwumpJkO66Uune9i0e3ug==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
|
@ -42,8 +39,8 @@ sops:
|
|||
aW00MUpGdXpYam5LYVFUenh2VndzcE0KT6Hfx1CYJFseFaEZxwi4Fds4v1HEFzBo
|
||||
FdSC6pzpZkfXso8EtSftq0lPx10GfJ6GZXYb+bCB2S9ROvUMPYDH3A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-20T22:17:19Z"
|
||||
mac: ENC[AES256_GCM,data:PCZldOy6JE6qqJ2NcdXzhFjTEezH1k7UZWNng/s+FGMRH1qtDZRHbXDtZ5oX/0pY+a6LafZpdi20YozrrZGZzSJKxC3m/p9NTR09PpuunNqzNQ7kRQnQklkiD/pirIHj6c7Fp+c6se0f3odurd/kwPtPHeGs7xT/qgxkI98alRE=,iv:lIvE0p+kqfSUzkbS4Tt+PEuQLKVjt5sELc0PfVrUunY=,tag:tcp14+fRxBqpbQzSn5r+uA==,type:str]
|
||||
lastmodified: "2024-09-22T15:20:15Z"
|
||||
mac: ENC[AES256_GCM,data:vnajGY3wqVFm6i9GwmCklse4o8Q9wQxvFlA3hayLmuqLbDBPkycnx8nTr0xnJzp/HXcTpPMa8CyBpCcL5MAWlAa1ClmgT26MHt0kEGGHZOe7ph8KJSIIja8GiRI/Ik4HL8bGsUyv1P/SWsxXf41sqNAAAMDm0djkYMsf76HsBko=,iv:u0wYU6WDh9Msl7jfFdrTwAYq7h1JPKbKU1cax3A/EHA=,tag:ewSDASC024Hee6eDoZ+MoA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.0
|
||||
|
|
|
|||
|
|
@ -6,6 +6,8 @@
|
|||
}:
|
||||
let
|
||||
cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
|
||||
|
||||
healthchecksEnable = (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { };
|
||||
in
|
||||
{
|
||||
options.myConfig.resticBackup = lib.mkOption {
|
||||
|
|
@ -35,7 +37,7 @@ in
|
|||
|
||||
users.groups.backup.members = lib.mapAttrsToList (_: value: value.user) cfg;
|
||||
|
||||
sops.secrets =
|
||||
sops.secrets = lib.optionalAttrs config.myConfig.sops.enable (
|
||||
let
|
||||
resticPermissions = {
|
||||
mode = "440";
|
||||
|
|
@ -45,11 +47,9 @@ in
|
|||
{
|
||||
"restic/environment" = resticPermissions;
|
||||
"restic/password" = resticPermissions;
|
||||
|
||||
"healthchecks-ping-key" = lib.mkIf (
|
||||
(lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }
|
||||
) resticPermissions;
|
||||
};
|
||||
"healthchecks-ping-key" = lib.mkIf healthchecksEnable resticPermissions;
|
||||
}
|
||||
);
|
||||
|
||||
services.restic.backups = lib.mapAttrs (
|
||||
name: value:
|
||||
|
|
@ -57,8 +57,9 @@ in
|
|||
inherit (value) user;
|
||||
initialize = true;
|
||||
repository = "s3:https://s3.eu-central-003.backblazeb2.com/stork-atlas/${name}";
|
||||
environmentFile = config.sops.secrets."restic/environment".path;
|
||||
passwordFile = config.sops.secrets."restic/password".path;
|
||||
environmentFile =
|
||||
config.sops.secrets."restic/environment".path or "/run/secrets/restic/environment";
|
||||
passwordFile = config.sops.secrets."restic/password".path or "/run/secrets/restic/password";
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 5"
|
||||
|
|
@ -79,14 +80,14 @@ in
|
|||
}
|
||||
) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg))
|
||||
|
||||
(lib.mkIf ((lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }) {
|
||||
(lib.mkIf healthchecksEnable {
|
||||
"healthcheck-ping@" = {
|
||||
description = "Pings healthcheck (%i)";
|
||||
serviceConfig.Type = "oneshot";
|
||||
scriptArgs = "%i";
|
||||
script = ''
|
||||
${lib.getExe pkgs.curl} -fsS -m 10 --retry 5 https://hc-ping.com/$(cat ${
|
||||
config.sops.secrets."healthchecks-ping-key".path
|
||||
config.sops.secrets."healthchecks-ping-key".path or "/run/secrets/healthchecks-ping-key"
|
||||
})/$(echo $1 | tr _ /)
|
||||
'';
|
||||
};
|
||||
|
|
|
|||
|
|
@ -23,11 +23,13 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
sops.secrets."tailscale-auth-key" = { };
|
||||
sops.secrets = lib.optionalAttrs config.myConfig.sops.enable {
|
||||
"tailscale-auth-key" = { };
|
||||
};
|
||||
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
authKeyFile = config.sops.secrets."tailscale-auth-key".path;
|
||||
authKeyFile = config.sops.secrets."tailscale-auth-key".path or "/run/secrets/tailscale-auth-key";
|
||||
openFirewall = true;
|
||||
useRoutingFeatures = if (cfg.exitNode.enable || (cfg.serve != null)) then "server" else "client";
|
||||
extraUpFlags = [ "--reset=true" ];
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue