radicale: Encrypt the whole htpasswd file

2026-01-21 17:31:34 +01:00 · 2025-09-19 18:27:05 +02:00 · 2025-09-19 18:27:05 +02:00 · d7ff914152
commit d7ff914152
parent 44da7817c3
2 changed files with 42 additions and 46 deletions
--- a/hosts/srv-private/secrets.json
+++ b/hosts/srv-private/secrets.json
@ -19,7 +19,7 @@
    "key": "ENC[AES256_GCM,data:Lg+YGdXdJxV/3ixMi46BL+m7WkU2yJZg0ygrGEQHsqdfQ0Lqawid/TCchdf3ep00tnF+NNcfhDy8qMZ/Qy4EBIMOHyEBmaAP7XhfumMncLGdxWXpAdtclvjjfrIwLZTH9F2wV79uo3Ir3FxLe/OS32pH3vTeERod/l1uOEfwksXXCOcZg1bTF9nxoxtwGrc2QnH3xYRgc2RNp344p+v2HApfy6ctkG/bWQjhJmi8a1aBGzwOVEeWptU+A/sP7C8kntZvjlMHnr+4Lkg7HxKGya7AnpqcgWGyPWhK/Sa5aKBBn9yZzIGxI7181UhyHYHMs+CJFxoH71RR+C45tXP2vey+hwVZUAZQb3Y8ZO+tZ1q9kWyzW+k0VIsRxyjctsPl,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:CChxY4hOHY/Yua3p1veoCw==,type:str]"
  },
  "radicale": {
-		"seb-password": "ENC[AES256_GCM,data:0r9+B52+U2cI7WaHvQJAv03UPS149AcBaUq65943npP0+97sFEm/58egtqHjW5WRaBkUnP6dnFSSQwQn,iv:x95hIJKqvqZPryccTsl5b7uL4xyK192Hwla1HUWDCB4=,tag:7desX0XrW5xuwgTvvrsYSA==,type:str]"
+    "htpasswd": "ENC[AES256_GCM,data:3EtGDFVnTJxjB4URcgUH1qLvShA4hAg1Zavb0azFNizEc9VcLvWDfNCoBjat+Ovc/I4UA2Dv86uu+gGj3wN+zg==,iv:Je68Sg1b5qkx1WYJ5y11yx+ASNd5bk43YpY8axzqNGI=,tag:K0VQ9LEccCuIPXzEuLK4mA==,type:str]"
  },
  "sops": {
    "age": [
@ -32,8 +32,8 @@
        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcGVRNzRrM2RTeFJScDBR\nZUFSOUd2dXhZaGh3TDdVYVdWZVBYYjNDUm5nCnl3RHJBM0F0RUlIWjJ3ZEVRVEVI\neXZMSVkvbU1Qamc0VGZIeW1lekVTeFEKLS0tIHVpTGtoSytuZFlIdzBtNEI0a1lh\naURRQUR4cVBhNmRFOTQ2MFdBN3p3OEkKJjy8KnruglNwYOuOcWIspJZq3+0VqHGx\nV6cldtjSabCks3xtTUYjvb8/mMwHT1ANW/bRkJ/BrBClZGGEM3hZgQ==\n-----END AGE ENCRYPTED FILE-----\n"
      }
    ],
-		"lastmodified": "2025-09-18T13:35:54Z",
-		"mac": "ENC[AES256_GCM,data:bzM1Z/7KtQTPKrDDuHkFWEZnA4mPwDo+eDwcKpboyKJbZsyIi0Qnk+Wm4bTl6KTIg1gZtbGnO050D4cnUL/kxzlbaXCN1GB7wEBe7RSNS3vuel8TEsd/XbfEIzoxo7slNsUMnrg+4eKQwxOPGBsI93ulZHSHpArr/3MBkj7aNck=,iv:NT0WMuL8fqJjzRZNmhxqm1Ymw1n7a3a+umxiuIJPmgE=,tag:aJoFjoYrj2m+7v2i4WcO6g==,type:str]",
+    "lastmodified": "2025-09-19T16:19:13Z",
+    "mac": "ENC[AES256_GCM,data:F3bCLnDFCdfqdOMzhqBNSvdjIXpPi9Ynzp1FORsZ5if5gt2JylWR7tEPD4AWNrNmWiJtT1jFkvNB/qd00BxVQ3wwLqJMPW1COZ+SkyonBhgHCvn+BfYRil2FeJgkEgWekMWtf0DpKtYKaqxPS2JmJyIJCWxePI3lQDHR8JvcVcg=,iv:uYgctx6vgD+5qN9LDZi/t2YgxrkfSHYb86SwlKX2XDM=,tag:K1KRzjBhNDR5vnYHDiDkRg==,type:str]",
    "unencrypted_suffix": "_unencrypted",
    "version": "3.10.2"
  }
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@ -28,14 +28,10 @@ in
      ports.tcp.list = [ cfg.port ];
    };

-    sops = {
-      secrets."radicale/seb-password" = { };
-      templates."radicale/htpasswd" = {
+    sops.secrets."radicale/htpasswd" = {
      owner = config.users.users.radicale.name;
-        content = "seb:${config.sops.placeholder."radicale/seb-password"}";
      restartUnits = [ "radicale.service" ];
    };
-    };

    services.radicale = {
      enable = true;
@ -43,7 +39,7 @@ in
        server.hosts = "localhost:${builtins.toString cfg.port}";
        auth = {
          type = "htpasswd";
-          htpasswd_filename = config.sops.templates."radicale/htpasswd".path;
+          htpasswd_filename = config.sops.secrets."radicale/htpasswd".path;
          htpasswd_encryption = "bcrypt";
        };
        storage.filesystem_folder = "/var/lib/radicale/collections";