sops: restructure secrets files

This commit is contained in:
SebastianStork 2025-07-20 19:56:52 +02:00
parent 8561f6381b
commit d14732b063
10 changed files with 58 additions and 45 deletions


@ -79,13 +79,13 @@ in
}
(lib.mkIf tailscaleHostsExist {
sops.secrets."service-tailscale-auth-key".owner = config.services.caddy.user;
sops.secrets."tailscale/service-auth-key".owner = config.services.caddy.user;
services.caddy = {
package = caddyWithTailscale;
globalConfig = ''
tailscale {
auth_key {file.${config.sops.secrets."service-tailscale-auth-key".path}}
auth_key {file.${config.sops.secrets."tailscale/service-auth-key".path}}
}
'';
};


@ -96,9 +96,9 @@ in
};
sops = {
secrets."healthchecks-ping-key" = { };
secrets."healthchecks/ping-key" = { };
templates."gatus.env".content = ''
HEALTHCHECKS_PING_KEY=${config.sops.placeholder."healthchecks-ping-key"}
HEALTHCHECKS_PING_KEY=${config.sops.placeholder."healthchecks/ping-key"}
'';
};


@ -27,14 +27,14 @@ in
config = lib.mkIf (resticBackups != { }) {
sops = {
secrets = {
"restic/backblaze/key-id" = { };
"restic/backblaze/application-key" = { };
"backblaze/key-id" = { };
"backblaze/application-key" = { };
"restic/password" = { };
};
templates."restic/environment".content = ''
AWS_ACCESS_KEY_ID=${config.sops.placeholder."restic/backblaze/key-id"}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."restic/backblaze/application-key"}
AWS_ACCESS_KEY_ID=${config.sops.placeholder."backblaze/key-id"}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."backblaze/application-key"}
'';
};


@ -22,7 +22,7 @@ in
};
config = lib.mkIf (backupsWithHealthchecks != { }) {
sops.secrets."healthchecks-ping-key" = { };
sops.secrets."healthchecks/ping-key" = { };
systemd.services = lib.mkMerge [
{
@ -32,7 +32,7 @@ in
scriptArgs = "%i";
script = ''
${lib.getExe pkgs.curl} --fail --silent --show-error --max-time 10 --retry 5 https://hc-ping.com/$(cat ${
config.sops.secrets."healthchecks-ping-key".path
config.sops.secrets."healthchecks/ping-key".path
})/$(echo $1 | tr _ /)
'';
};
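Review bot: The renamed secret on the `config.sops.secrets."healthchecks/ping-key".path` line is still expanded via `$(cat …)` straight into curl's argument vector, so the ping key is readable by any local process that can inspect `/proc/<pid>/cmdline` for the duration of the request (plus retries), unless the host mounts `/proc` with `hidepid` or the unit sets `ProtectProc=`, neither of which is visible here. Feeding the URL through a curl config file on stdin keeps it off the command line: `${lib.getExe pkgs.curl} --config - --fail --silent --show-error --max-time 10 --retry 5 <<< "url = \"https://hc-ping.com/$(cat ${config.sops.secrets."healthchecks/ping-key".path})/$(echo "$1" | tr _ /)\""`. Quoting `"$1"` there also avoids word-splitting of the instance name, which the current `$(echo $1 | tr _ /)` does not. The `systemd.services` attrset this script belongs to starts and ends outside the hunk.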


@ -16,11 +16,11 @@ in
config = lib.mkIf cfg.enable {
meta.ports.list = [ config.services.tailscale.port ];
sops.secrets."tailscale-auth-key" = { };
sops.secrets."tailscale/auth-key" = { };
services.tailscale = {
enable = true;
authKeyFile = config.sops.secrets."tailscale-auth-key".path;
authKeyFile = config.sops.secrets."tailscale/auth-key".path;
openFirewall = true;
useRoutingFeatures = if cfg.exitNode.enable then "server" else "client";
extraUpFlags = [ "--reset=true" ];