migrate secrets to new structure

2026-01-11 01:34:08 -05:00 · 2025-11-02 11:10:45 -05:00 · 2025-11-02 11:10:45 -05:00 · ca8a707ae2
commit ca8a707ae2
parent 957225dd0d
7 changed files with 124 additions and 96 deletions
--- a/modules/services/actualbudget/default.nix
+++ b/modules/services/actualbudget/default.nix
@ -2,9 +2,12 @@
  inputs,
  config,
  ...
-}: let
+}:
+let
  volumePath = "/overseer/services";
-in {
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
  systemd.tmpfiles.rules = [
    "d ${volumePath}/actualbudget"
    "d ${volumePath}/actualbudget-api"
@ -12,8 +15,12 @@ in {

  sops = {
    secrets = {
-      "actualbudget/pass" = {};
-      "actualbudget/key" = {};
+      "actualbudget/pass" = {
+        sopsFile = "${sopsFolder}/services.yaml";
+      };
+      "actualbudget/key" = {
+        sopsFile = "${sopsFolder}/services.yaml";
+      };
    };
    templates."actualbudget-api-env".content = ''
      ACTUAL_SERVER_PASSWORD="${config.sops.placeholder."actualbudget/pass"}"
@ -39,20 +46,20 @@ in {
    containers = {
      "actualbudget" = {
        image = "actualbudget/actual-server:25.10.0";
-        volumes = ["${volumePath}/actualbudget:/data"];
-        extraOptions = ["--ip=10.88.0.12"];
+        volumes = [ "${volumePath}/actualbudget:/data" ];
+        extraOptions = [ "--ip=10.88.0.12" ];
        environment = {
          ACTUAL_PORT = "80";
        };
      };
      "actualbudget-api" = {
        image = "jhonderson/actual-http-api:25.10.0";
-        volumes = ["${volumePath}/actualbudget-api:/data"];
-        extraOptions = ["--ip=10.88.0.13"];
+        volumes = [ "${volumePath}/actualbudget-api:/data" ];
+        extraOptions = [ "--ip=10.88.0.13" ];
        environment = {
          ACTUAL_SERVER_URL = "http://10.88.0.12";
        };
-        environmentFiles = [config.sops.templates."actualbudget-api-env".path];
+        environmentFiles = [ config.sops.templates."actualbudget-api-env".path ];
      };
    };
  };
--- a/modules/services/frigate/default.nix
+++ b/modules/services/frigate/default.nix
@ -3,11 +3,13 @@ let
 in
 {
  pkgs,
+  inputs,
  lib,
  config,
  ...
 }:
 let
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
  frigateConfig = pkgs.writeText "config.yaml" (
    lib.generators.toYAML { } {
      auth.reset_admin_password = true; # roll the admin password every restart, depend on user accounts for long-lived access
@ -200,7 +202,9 @@ in
      FRIGATE_JWT_SECRET=${config.sops.placeholder."frigate/jwt"}
    '';
    secrets = {
-      "frigate/jwt" = { };
+      "frigate/jwt" = {
+        sopsFile = "${sopsFolder}/services.yaml";
+      };
    };
  };
  systemd.tmpfiles.rules = [
--- a/modules/services/jellyfin/tubearchivist.nix
+++ b/modules/services/jellyfin/tubearchivist.nix
@ -1,8 +1,17 @@
-{config, ...}: let
+{
+  inputs,
+  config,
+  ...
+}:
+let
  volumePath = "/overseer/services";
-in {
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
  sops.secrets = {
-    "tubearchivist/secret" = {};
+    "tubearchivist/secret" = {
+      sopsFile = "${sopsFolder}/services.yaml";
+    };
  };

  sops.templates = {
@ -32,7 +41,7 @@ in {
  virtualisation.oci-containers.containers = {
    tubearchivist = {
      image = "bbilly1/tubearchivist";
-      extraOptions = ["--ip=10.88.0.14"];
+      extraOptions = [ "--ip=10.88.0.14" ];
      volumes = [
        "${volumePath}/tubearchivist/ta/youtube:/youtube"
        "${volumePath}/tubearchivist/ta/cache:/cache"
@ -46,7 +55,7 @@ in {
        TA_USERNAME = "admin";
        TZ = "America/New_York";
      };
-      environmentFiles = [config.sops.templates.tubearchivist.path];
+      environmentFiles = [ config.sops.templates.tubearchivist.path ];
      dependsOn = [
        "archivist-redis"
        "archivist-es"
@ -67,14 +76,14 @@ in {
    };
    archivist-es = {
      image = "elasticsearch:8.18.0";
-      extraOptions = ["--ip=10.88.0.16"];
+      extraOptions = [ "--ip=10.88.0.16" ];
      environment = {
        ES_JAVA_OPTS = "-Xms1g -Xmx1g";
        "xpack.security.enabled" = "true";
        "discovery.type" = "single-node";
        "path.repo" = "/usr/share/elasticsearch/data/snapshot";
      };
-      environmentFiles = [config.sops.templates.archivist-es.path];
+      environmentFiles = [ config.sops.templates.archivist-es.path ];
      volumes = [
        "${volumePath}/tubearchivist/es:/usr/share/elasticsearch/data"
      ];
--- a/modules/services/lubelogger/default.nix
+++ b/modules/services/lubelogger/default.nix
@ -1,58 +1,66 @@
 let
  volumePath = "/overseer/services";
 in
-  {
-    lib,
-    config,
-    ...
-  }: {
-    systemd.tmpfiles.rules = [
-      "d ${volumePath}/lubelogger"
-      "d ${volumePath}/lubelogger/data"
-      "d ${volumePath}/lubelogger/keys"
-    ];
-    ###########
-    # Service #
-    ###########
+{
+  config,
+  inputs,
+  ...
+}:
+let
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${volumePath}/lubelogger"
+    "d ${volumePath}/lubelogger/data"
+    "d ${volumePath}/lubelogger/keys"
+  ];
+  ###########
+  # Service #
+  ###########

-    sops = {
-      secrets = {
-        "lubelogger/user_hash" = {};
-        "lubelogger/pass_hash" = {};
+  sops = {
+    secrets = {
+      "lubelogger/user_hash" = {
+        sopsFile = "${sopsFolder}/services.yaml";
      };
-      templates."lubelogger-env".content = ''
-        LC_ALL=en_US.UTF-8
-        LANG=en_US.UTF-8
-        MailConfig__EmailServer=""
-        MailConfig__EmailFrom=""
-        MailConfig__Port=587
-        MailConfig__Username=""
-        MailConfig__Password=""
-        UserNameHash="${config.sops.placeholder."lubelogger/user_hash"}"
-        UserPasswordHash="${config.sops.placeholder."lubelogger/pass_hash"}"
-        LUBELOGGER_CUSTOM_WIDGETS=true
-      '';
-    };
-
-    services.caddy = {
-      enable = true;
-      virtualHosts."garage.wanderingcrow.net".extraConfig = ''
-        reverse_proxy http://10.88.0.8:8080
-      '';
-    };
-
-    virtualisation.oci-containers = {
-      backend = "podman";
-      containers = {
-        "lubelogger" = {
-          image = "ghcr.io/hargata/lubelogger:latest";
-          extraOptions = ["--ip=10.88.0.8"];
-          environmentFiles = [config.sops.templates."lubelogger-env".path];
-          volumes = [
-            "${volumePath}/lubelogger/data:/App/data"
-            "${volumePath}/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
-          ];
-        };
+      "lubelogger/pass_hash" = {
+        sopsFile = "${sopsFolder}/services.yaml";
      };
    };
-  }
+    templates."lubelogger-env".content = ''
+      LC_ALL=en_US.UTF-8
+      LANG=en_US.UTF-8
+      MailConfig__EmailServer=""
+      MailConfig__EmailFrom=""
+      MailConfig__Port=587
+      MailConfig__Username=""
+      MailConfig__Password=""
+      UserNameHash="${config.sops.placeholder."lubelogger/user_hash"}"
+      UserPasswordHash="${config.sops.placeholder."lubelogger/pass_hash"}"
+      LUBELOGGER_CUSTOM_WIDGETS=true
+    '';
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."garage.wanderingcrow.net".extraConfig = ''
+      reverse_proxy http://10.88.0.8:8080
+    '';
+  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      "lubelogger" = {
+        image = "ghcr.io/hargata/lubelogger:latest";
+        extraOptions = [ "--ip=10.88.0.8" ];
+        environmentFiles = [ config.sops.templates."lubelogger-env".path ];
+        volumes = [
+          "${volumePath}/lubelogger/data:/App/data"
+          "${volumePath}/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
+        ];
+      };
+    };
+  };
+}
--- a/modules/services/matrix/default.nix
+++ b/modules/services/matrix/default.nix
@ -3,7 +3,11 @@
  inputs,
  pkgs,
  ...
-}: {
+}:
+let
+  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
+in
+{
  imports = [
    "${inputs.nixpkgs-unstable}/nixos/modules/services/matrix/tuwunel.nix"
  ];
@ -15,6 +19,7 @@

  sops.secrets."matrix/registration_token" = {
    owner = "tuwunel";
+    sopsFile = "${sopsFolder}/services.yaml";
  };

  services.matrix-tuwunel = {
@ -32,14 +37,14 @@
        allow_encryption = true;
        allow_federation = true;
        require_auth_for_profile_requests = true; # no user enumeration
-        trusted_servers = ["matrix.org"];
+        trusted_servers = [ "matrix.org" ];
      };
    };
  };

-  networking.firewall.allowedTCPPorts = [8448];
+  networking.firewall.allowedTCPPorts = [ 8448 ];

-  users.users.caddy.extraGroups = ["tuwunel"];
+  users.users.caddy.extraGroups = [ "tuwunel" ];

  services.caddy = {
    enable = true;