From ca8a707ae258d0de403e8c96d3089fd1695ae555 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Sun, 2 Nov 2025 11:10:45 -0500
Subject: [PATCH] migrate secrets to new structure
---
 flake.lock | 8 +-
 hosts/nixos/HandlerOne/backup.nix | 35 +++----
 modules/services/actualbudget/default.nix | 25 +++--
 modules/services/frigate/default.nix | 6 +-
 modules/services/jellyfin/tubearchivist.nix | 23 ++--
 modules/services/lubelogger/default.nix | 110 +++++++++++---------
 modules/services/matrix/default.nix | 13 ++-
 7 files changed, 124 insertions(+), 96 deletions(-)
diff --git a/flake.lock b/flake.lock
index eebe44d..314bbc2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -387,11 +387,11 @@
 "nixpkgs": "nixpkgs_5"
 },
 "locked": {
- "lastModified": 1761156521,
- "narHash": "sha256-+lGuJKTRHqpBDEE8xgkImYpCNR67BRtHbH5zNCE2uhg=",
+ "lastModified": 1762099877,
+ "narHash": "sha256-aRDSsfVrwyvPxAlZQAH0bYTMRtDnE6dZZ7U8rakTuxo=",
 "ref": "refs/heads/master",
- "rev": "e83722f7ae8d1289579ed1d064176e57b294eb41",
- "revCount": 141,
+ "rev": "9e38f0a51ad341ad6a1367897d6f143730994839",
+ "revCount": 143,
 "type": "git",
 "url": "ssh://git@github.com/TheWanderingCrow/nix-secrets"
 },
diff --git a/hosts/nixos/HandlerOne/backup.nix b/hosts/nixos/HandlerOne/backup.nix
index 65591ca..be19461 100644
--- a/hosts/nixos/HandlerOne/backup.nix
+++ b/hosts/nixos/HandlerOne/backup.nix
@@ -7,10 +7,6 @@ let
 Persistent = true;
 };
 paths = [
- # bar-assistant.nix
- "${volumePath}/bar-assistant"
- "${volumePath}/meilisearch"
- # homebox.nix
 "/var/lib/homebox/data"
@@ -33,21 +29,20 @@ let
 ];
 };
 in
- {
- lib,
- config,
- ...
- }: {
- # Restic secrets
- sops.secrets."restic/borg-base/url" = {};
- sops.secrets."restic/borg-base/key" = {};
+{
+ lib,
+ config,
+ ...
+}:
+{
+ # Restic secrets
+ sops.secrets."restic/borg-base/url" = { };
+ sops.secrets."restic/borg-base/key" = { };
 
- services.restic.backups = {
- borg-base =
- restic-default
- // {
- repositoryFile = config.sops.secrets."restic/borg-base/url".path;
- passwordFile = config.sops.secrets."restic/borg-base/key".path;
- };
+ services.restic.backups = {
+ borg-base = restic-default // {
+ repositoryFile = config.sops.secrets."restic/borg-base/url".path;
+ passwordFile = config.sops.secrets."restic/borg-base/key".path;
 };
- }
+ };
+}
diff --git a/modules/services/actualbudget/default.nix b/modules/services/actualbudget/default.nix
index db7bd6f..cf5f2d0 100644
--- a/modules/services/actualbudget/default.nix
+++ b/modules/services/actualbudget/default.nix
@@ -2,9 +2,12 @@
 inputs,
 config,
 ...
-}: let
+}:
+let
 volumePath = "/overseer/services";
-in {
+ sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
 systemd.tmpfiles.rules = [
 "d ${volumePath}/actualbudget"
 "d ${volumePath}/actualbudget-api"
@@ -12,8 +15,12 @@ in {
 
 sops = {
 secrets = {
- "actualbudget/pass" = {};
- "actualbudget/key" = {};
+ "actualbudget/pass" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
+ "actualbudget/key" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
 };
 templates."actualbudget-api-env".content = ''
 ACTUAL_SERVER_PASSWORD="${config.sops.placeholder."actualbudget/pass"}"
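Review bot: The two restic secrets on the new side, `sops.secrets."restic/borg-base/url"` and `sops.secrets."restic/borg-base/key"`, are the only secrets this commit leaves without a `sopsFile`, so they still resolve against `sops.defaultSopsFile`; if the nix-secrets restructure moved them into the new per-category files, `sops-install-secrets` will fail at activation and the backup timer never gets its repository and password files. Either confirm the host's default file still carries both keys, or point them at the right file the way the service modules in this commit do, e.g. `sops.secrets."restic/borg-base/url".sopsFile = "<path to the host's sops file>";`. The `lib` argument in the new parameter set is not used anywhere in the visible module body and could be dropped.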
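Review bot: `sopsFolder = builtins.toString inputs.nix-secrets + "/sops";` on the new side is copied verbatim into frigate, tubearchivist, lubelogger and matrix in this same commit, and every secret then repeats `sopsFile = "${sopsFolder}/services.yaml";`, which is five places to keep in sync the next time the secrets layout moves. A single shared module setting `sops.defaultSopsFile = "${inputs.nix-secrets}/sops/services.yaml";` (or one common `let` exporting `sopsFolder`) would let all the per-secret `sopsFile` lines disappear. If some hosts must keep a different default file, the per-secret form is fine but deserves a one-line comment saying why it is not the default.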
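Review bot: Pointing `"actualbudget/pass"` and `"actualbudget/key"` at the shared `services.yaml` (the same file frigate, tubearchivist, lubelogger and matrix now use) means one sops file holds every service's secrets; sops decrypts a file as a whole, so any host whose age or PGP key is a recipient of that file in the nix-secrets sops configuration can read all of them, not just the ones its own services need. That is harmless if all of these services run on the same host, but it quietly drops the per-host scoping a per-host file gives. Worth confirming the recipient list for `services.yaml` covers only the host(s) that actually run these containers, and recording that assumption next to `sopsFolder`, e.g. `# services.yaml is readable by every host that runs any of these services`.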
@@ -39,20 +46,20 @@ in {
 containers = {
 "actualbudget" = {
 image = "actualbudget/actual-server:25.10.0";
- volumes = ["${volumePath}/actualbudget:/data"];
- extraOptions = ["--ip=10.88.0.12"];
+ volumes = [ "${volumePath}/actualbudget:/data" ];
+ extraOptions = [ "--ip=10.88.0.12" ];
 environment = {
 ACTUAL_PORT = "80";
 };
 };
 "actualbudget-api" = {
 image = "jhonderson/actual-http-api:25.10.0";
- volumes = ["${volumePath}/actualbudget-api:/data"];
- extraOptions = ["--ip=10.88.0.13"];
+ volumes = [ "${volumePath}/actualbudget-api:/data" ];
+ extraOptions = [ "--ip=10.88.0.13" ];
 environment = {
 ACTUAL_SERVER_URL = "http://10.88.0.12";
 };
- environmentFiles = [config.sops.templates."actualbudget-api-env".path];
+ environmentFiles = [ config.sops.templates."actualbudget-api-env".path ];
 };
 };
 };
diff --git a/modules/services/frigate/default.nix b/modules/services/frigate/default.nix
index 047763a..d02c024 100644
--- a/modules/services/frigate/default.nix
+++ b/modules/services/frigate/default.nix
@@ -3,11 +3,13 @@ let
 in
 {
 pkgs,
+ inputs,
 lib,
 config,
 ...
 }:
 let
+ sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
 frigateConfig = pkgs.writeText "config.yaml" (
 lib.generators.toYAML { } {
 auth.reset_admin_password = true; # roll the admin password every restart, depend on user accounts for long-lived access
@@ -200,7 +202,9 @@ in
 FRIGATE_JWT_SECRET=${config.sops.placeholder."frigate/jwt"}
 '';
 secrets = {
- "frigate/jwt" = { };
+ "frigate/jwt" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
 };
 };
 systemd.tmpfiles.rules = [
diff --git a/modules/services/jellyfin/tubearchivist.nix b/modules/services/jellyfin/tubearchivist.nix
index b6dd0ff..ae00f67 100644
--- a/modules/services/jellyfin/tubearchivist.nix
+++ b/modules/services/jellyfin/tubearchivist.nix
@@ -1,8 +1,17 @@
-{config, ...}: let
+{
+ inputs,
+ config,
+ ...
+}:
+let
 volumePath = "/overseer/services";
-in {
+ sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
 sops.secrets = {
- "tubearchivist/secret" = {};
+ "tubearchivist/secret" = {
+ sopsFile = "${sopsFolder}/services.yaml";
+ };
 };
 
 sops.templates = {
@@ -32,7 +41,7 @@ in {
 virtualisation.oci-containers.containers = {
 tubearchivist = {
 image = "bbilly1/tubearchivist";
- extraOptions = ["--ip=10.88.0.14"];
+ extraOptions = [ "--ip=10.88.0.14" ];
 volumes = [
 "${volumePath}/tubearchivist/ta/youtube:/youtube"
 "${volumePath}/tubearchivist/ta/cache:/cache"
@@ -46,7 +55,7 @@ in {
 TA_USERNAME = "admin";
 TZ = "America/New_York";
 };
- environmentFiles = [config.sops.templates.tubearchivist.path];
+ environmentFiles = [ config.sops.templates.tubearchivist.path ];
 dependsOn = [
 "archivist-redis"
 "archivist-es"
@@ -67,14 +76,14 @@ in {
 };
 archivist-es = {
 image = "elasticsearch:8.18.0";
- extraOptions = ["--ip=10.88.0.16"];
+ extraOptions = [ "--ip=10.88.0.16" ];
 environment = {
 ES_JAVA_OPTS = "-Xms1g -Xmx1g";
 "xpack.security.enabled" = "true";
 "discovery.type" = "single-node";
 "path.repo" = "/usr/share/elasticsearch/data/snapshot";
 };
- environmentFiles = [config.sops.templates.archivist-es.path];
+ environmentFiles = [ config.sops.templates.archivist-es.path ];
 volumes = [
 "${volumePath}/tubearchivist/es:/usr/share/elasticsearch/data"
 ];
diff --git a/modules/services/lubelogger/default.nix b/modules/services/lubelogger/default.nix
index ff29750..dc62ba9 100644
--- a/modules/services/lubelogger/default.nix
+++ b/modules/services/lubelogger/default.nix
@@ -1,58 +1,66 @@
 let
 volumePath = "/overseer/services";
 in
- {
- lib,
- config,
- ...
- }: {
- systemd.tmpfiles.rules = [
- "d ${volumePath}/lubelogger"
- "d ${volumePath}/lubelogger/data"
- "d ${volumePath}/lubelogger/keys"
- ];
- ###########
- # Service #
- ###########
+{
+ config,
+ inputs,
+ ...
+}:
+let
+ sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
+ systemd.tmpfiles.rules = [
+ "d ${volumePath}/lubelogger"
+ "d ${volumePath}/lubelogger/data"
+ "d ${volumePath}/lubelogger/keys"
+ ];
+ ###########
+ # Service #
+ ###########
 
- sops = {
- secrets = {
- "lubelogger/user_hash" = {};
- "lubelogger/pass_hash" = {};
+ sops = {
+ secrets = {
+ "lubelogger/user_hash" = {
+ sopsFile = "${sopsFolder}/services.yaml";
 };
- templates."lubelogger-env".content = ''
- LC_ALL=en_US.UTF-8
- LANG=en_US.UTF-8
- MailConfig__EmailServer=""
- MailConfig__EmailFrom=""
- MailConfig__Port=587
- MailConfig__Username=""
- MailConfig__Password=""
- UserNameHash="${config.sops.placeholder."lubelogger/user_hash"}"
- UserPasswordHash="${config.sops.placeholder."lubelogger/pass_hash"}"
- LUBELOGGER_CUSTOM_WIDGETS=true
- '';
- };
-
- services.caddy = {
- enable = true;
- virtualHosts."garage.wanderingcrow.net".extraConfig = ''
- reverse_proxy http://10.88.0.8:8080
- '';
- };
-
- virtualisation.oci-containers = {
- backend = "podman";
- containers = {
- "lubelogger" = {
- image = "ghcr.io/hargata/lubelogger:latest";
- extraOptions = ["--ip=10.88.0.8"];
- environmentFiles = [config.sops.templates."lubelogger-env".path];
- volumes = [
- "${volumePath}/lubelogger/data:/App/data"
- "${volumePath}/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
- ];
- };
+ "lubelogger/pass_hash" = {
+ sopsFile = "${sopsFolder}/services.yaml";
 };
 };
- }
+ templates."lubelogger-env".content = ''
+ LC_ALL=en_US.UTF-8
+ LANG=en_US.UTF-8
+ MailConfig__EmailServer=""
+ MailConfig__EmailFrom=""
+ MailConfig__Port=587
+ MailConfig__Username=""
+ MailConfig__Password=""
+ UserNameHash="${config.sops.placeholder."lubelogger/user_hash"}"
+ UserPasswordHash="${config.sops.placeholder."lubelogger/pass_hash"}"
+ LUBELOGGER_CUSTOM_WIDGETS=true
+ '';
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts."garage.wanderingcrow.net".extraConfig = ''
+ reverse_proxy http://10.88.0.8:8080
+ '';
+ };
+
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers = {
+ "lubelogger" = {
+ image = "ghcr.io/hargata/lubelogger:latest";
+ extraOptions = [ "--ip=10.88.0.8" ];
+ environmentFiles = [ config.sops.templates."lubelogger-env".path ];
+ volumes = [
+ "${volumePath}/lubelogger/data:/App/data"
+ "${volumePath}/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/services/matrix/default.nix b/modules/services/matrix/default.nix
index 5c4809d..3e9d7f5 100644
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@@ -3,7 +3,11 @@
 inputs,
 pkgs,
 ...
-}: {
+}:
+let
+ sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
 imports = [
 "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/tuwunel.nix"
 ];
@@ -15,6 +19,7 @@
 
 sops.secrets."matrix/registration_token" = {
 owner = "tuwunel";
+ sopsFile = "${sopsFolder}/services.yaml";
 };
 
 services.matrix-tuwunel = {
@@ -32,14 +37,14 @@
 allow_encryption = true;
 allow_federation = true;
 require_auth_for_profile_requests = true; # no user enumeration
- trusted_servers = ["matrix.org"];
+ trusted_servers = [ "matrix.org" ];
 };
 };
 };
 
- networking.firewall.allowedTCPPorts = [8448];
+ networking.firewall.allowedTCPPorts = [ 8448 ];
 
- users.users.caddy.extraGroups = ["tuwunel"];
+ users.users.caddy.extraGroups = [ "tuwunel" ];
 
 services.caddy = {
 enable = true;
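Review bot: The new side of lubelogger keeps `volumePath` in a `let` above the module function and adds a second `let` for `sopsFolder` below the argument set, while actualbudget and tubearchivist in this same commit put both bindings in one `let` after the arguments; moving `volumePath` down into the inner `let` would make lubelogger match them and leave a single binding block. Separately, because the whole file is re-indented in the same hunk, the only functional change — the two `sopsFile = "${sopsFolder}/services.yaml";` lines — is buried in 58 removed and 66 added lines, so splitting the formatter pass from the secrets migration would make both this review and any later bisect much easier. Dropping `lib` from the argument set is safe as far as the hunk shows, since nothing in the new body references it.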