Reorderd Secrets to match a structure
This commit is contained in:
+11
-7
@@ -23,9 +23,11 @@
|
||||
./catppuccin.nix
|
||||
];
|
||||
|
||||
sops.secrets."nix_cache_priv_key" = {
|
||||
|
||||
mode = "0400";
|
||||
sops.secrets = {
|
||||
"nix/cache_priv_key" = {
|
||||
mode = "0400";
|
||||
};
|
||||
"nix/cachix_auth_token" = { };
|
||||
};
|
||||
|
||||
nix = {
|
||||
@@ -48,7 +50,7 @@
|
||||
"https://nix-community.cachix.org"
|
||||
"https://cyper-cache.cachix.org"
|
||||
];
|
||||
secret-key-files = [ config.sops.secrets."nix_cache_priv_key".path ];
|
||||
secret-key-files = [ config.sops.secrets."nix/cache_priv_key".path ];
|
||||
trusted-public-keys = [
|
||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
|
||||
@@ -113,8 +115,6 @@
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.cachix_auth_token = { };
|
||||
|
||||
systemd.services.cachix-push = {
|
||||
description = "Push new store paths to Cachix";
|
||||
after = [ "multi-user.target" ];
|
||||
@@ -122,7 +122,11 @@
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "${pkgs.bash}/bin/bash -c 'CACHIX_AUTH_TOKEN=$(cat ${config.sops.secrets.cachix_auth_token.path}) ${pkgs.nix}/bin/nix path-info --recursive /run/current-system | CACHIX_AUTH_TOKEN=$(cat ${config.sops.secrets.cachix_auth_token.path}) ${pkgs.cachix}/bin/cachix push cyper-cache'";
|
||||
ExecStart = "${pkgs.bash}/bin/bash -c 'CACHIX_AUTH_TOKEN=$(cat ${
|
||||
config.sops.secrets."nix/cachix_auth_token".path
|
||||
}) ${pkgs.nix}/bin/nix path-info --recursive /run/current-system | CACHIX_AUTH_TOKEN=$(cat ${
|
||||
config.sops.secrets."nix/cachix_auth_token".path
|
||||
}) ${pkgs.cachix}/bin/cachix push cyper-cache'";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@ let
|
||||
"/var/lib/flame-${name}:/app/data"
|
||||
]
|
||||
++ extraVolumes;
|
||||
environmentFiles = [ config.sops.secrets."flame_${name}_password".path ];
|
||||
environmentFiles = [ config.sops.secrets."services/flame/${name}_password".path ];
|
||||
};
|
||||
|
||||
instances = [
|
||||
@@ -57,7 +57,7 @@ in
|
||||
];
|
||||
|
||||
sops.secrets = lib.listToAttrs (
|
||||
map ({ name, ... }: lib.nameValuePair "flame_${name}_password" { }) instances
|
||||
map ({ name, ... }: lib.nameValuePair "services/flame/${name}_password" { }) instances
|
||||
);
|
||||
|
||||
virtualisation = {
|
||||
|
||||
+9
-10
@@ -2,7 +2,6 @@
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
primaryUser,
|
||||
...
|
||||
}:
|
||||
|
||||
@@ -20,27 +19,27 @@ let
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"gitea/dbPassword" = {
|
||||
"services/gitea/db_password" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
mode = "0444";
|
||||
};
|
||||
"gitea/internalToken" = {
|
||||
"services/gitea/internal_token" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
};
|
||||
"gitea/lfsJwtSecret" = {
|
||||
"services/gitea/lfs_jwt_secret" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
};
|
||||
"gitea/mailerPassword" = {
|
||||
"services/gitea/mailer_password" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
};
|
||||
"gitea/runnerToken" = {
|
||||
"services/gitea/runner_token" = {
|
||||
mode = "0444";
|
||||
};
|
||||
"kanidm_gitea_secret" = {
|
||||
"kanidm/gitea_secret" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
mode = "0444";
|
||||
@@ -75,7 +74,7 @@ in
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
script = ''
|
||||
pass=$(cat ${config.sops.secrets."gitea/dbPassword".path})
|
||||
pass=$(cat ${config.sops.secrets."services/gitea/db_password".path})
|
||||
${pkgs.postgresql_14}/bin/psql -c \
|
||||
"ALTER USER gitea WITH PASSWORD '$pass';"
|
||||
'';
|
||||
@@ -126,7 +125,7 @@ in
|
||||
port = 5432;
|
||||
name = "gitea";
|
||||
user = "gitea";
|
||||
passwordFile = config.sops.secrets."gitea/dbPassword".path;
|
||||
passwordFile = config.sops.secrets."services/gitea/db_password".path;
|
||||
};
|
||||
|
||||
settings = {
|
||||
@@ -222,7 +221,7 @@ in
|
||||
gitea-actions-runner.instances."cyper_nix" = {
|
||||
enable = true;
|
||||
url = "https://git.cyperpunk.de";
|
||||
tokenFile = config.sops.secrets."gitea/runnerToken".path;
|
||||
tokenFile = config.sops.secrets."services/gitea/runner_token".path;
|
||||
name = "cyper-controller";
|
||||
labels = [ "nix:host" ];
|
||||
|
||||
|
||||
@@ -1,15 +1,14 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
sops.secrets = {
|
||||
coturn_static_auth_secret = {
|
||||
"matrix/coturn_static_auth_secret" = {
|
||||
owner = "turnserver";
|
||||
group = "turnserver";
|
||||
};
|
||||
|
||||
coturn_static_auth_secret_synapse = {
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
key = "coturn_static_auth_secret";
|
||||
key = "matrix/coturn_static_auth_secret";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -21,7 +20,7 @@
|
||||
min-port = 49000;
|
||||
max-port = 50000;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = config.sops.secrets.coturn_static_auth_secret.path;
|
||||
static-auth-secret-file = config.sops.secrets."matrix/coturn_static_auth_secret".path;
|
||||
realm = "turn.cyperpunk.de";
|
||||
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
|
||||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
sops.secrets = {
|
||||
discord_bot_token = {
|
||||
"matrix/bridges/discord/bot_token" = {
|
||||
owner = "mautrix-discord";
|
||||
group = "mautrix-discord";
|
||||
};
|
||||
discord_client_id = {
|
||||
"matrix/bridges/discord/client_id" = {
|
||||
owner = "mautrix-discord";
|
||||
group = "mautrix-discord";
|
||||
};
|
||||
discord_pickle_key = {
|
||||
"matrix/bridges/discord/pickle_key" = {
|
||||
owner = "mautrix-discord";
|
||||
group = "mautrix-discord";
|
||||
};
|
||||
@@ -35,9 +35,15 @@
|
||||
};
|
||||
script = ''
|
||||
mkdir -p /run/mautrix-discord
|
||||
echo "DISCORD_BOT_TOKEN=$(cat ${config.sops.secrets.discord_bot_token.path})" > /run/mautrix-discord/env
|
||||
echo "DISCORD_CLIENT_ID=$(cat ${config.sops.secrets.discord_client_id.path})" >> /run/mautrix-discord/env
|
||||
echo "DISCORD_PICKLE_KEY=$(cat ${config.sops.secrets.discord_pickle_key.path})" >> /run/mautrix-discord/env
|
||||
echo "DISCORD_BOT_TOKEN=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/discord/bot_token".path
|
||||
})" > /run/mautrix-discord/env
|
||||
echo "DISCORD_CLIENT_ID=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/discord/client_id".path
|
||||
})" >> /run/mautrix-discord/env
|
||||
echo "DISCORD_PICKLE_KEY=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/discord/pickle_key".path
|
||||
})" >> /run/mautrix-discord/env
|
||||
chmod 600 /run/mautrix-discord/env
|
||||
chown mautrix-discord:mautrix-discord /run/mautrix-discord/env
|
||||
'';
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
sops.secrets.draupnir_access_token = { };
|
||||
sops.secrets."matrix/draupnir_access_token" = { };
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
services.draupnir = {
|
||||
enable = true;
|
||||
secrets.accessToken = config.sops.secrets.draupnir_access_token.path;
|
||||
secrets.accessToken = config.sops.secrets."matrix/draupnir_access_token".path;
|
||||
settings = {
|
||||
homeserverUrl = "https://matrix.cyperpunk.de";
|
||||
managementRoom = "!eErCimyDjLSebHjpJA:cyperpunk.de";
|
||||
|
||||
@@ -1,18 +1,20 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
sops.secrets.livekit_key_file = { };
|
||||
sops.secrets."matrix/livekit_key_file" = { };
|
||||
|
||||
services.livekit = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
settings.room.auto_create = false;
|
||||
keyFile = config.sops.secrets.livekit_key_file.path;
|
||||
};
|
||||
services = {
|
||||
livekit = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
settings.room.auto_create = false;
|
||||
keyFile = config.sops.secrets."matrix/livekit_key_file".path;
|
||||
};
|
||||
|
||||
services.lk-jwt-service = {
|
||||
enable = true;
|
||||
livekitUrl = "wss://cyperpunk.de/livekit/sfu";
|
||||
keyFile = config.sops.secrets.livekit_key_file.path;
|
||||
lk-jwt-service = {
|
||||
enable = true;
|
||||
livekitUrl = "wss://cyperpunk.de/livekit/sfu";
|
||||
keyFile = config.sops.secrets."matrix/livekit_key_file".path;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cyperpunk.de";
|
||||
|
||||
@@ -1,19 +1,19 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
sops.secrets = {
|
||||
meta_as_token = {
|
||||
"matrix/bridges/meta/as_token" = {
|
||||
owner = "mautrix-meta-facebook";
|
||||
group = "mautrix-meta";
|
||||
};
|
||||
meta_hs_token = {
|
||||
"matrix/bridges/meta/hs_token" = {
|
||||
owner = "mautrix-meta-facebook";
|
||||
group = "mautrix-meta";
|
||||
};
|
||||
instagram_as_token = {
|
||||
"matrix/bridges/instagram/as_token" = {
|
||||
owner = "mautrix-meta-instagram";
|
||||
group = "mautrix-meta";
|
||||
};
|
||||
instagram_hs_token = {
|
||||
"matrix/bridges/instagram/hs_token" = {
|
||||
owner = "mautrix-meta-instagram";
|
||||
group = "mautrix-meta";
|
||||
};
|
||||
@@ -44,8 +44,12 @@
|
||||
};
|
||||
script = ''
|
||||
mkdir -p /run/mautrix-meta-facebook
|
||||
echo "META_AS_TOKEN=$(cat ${config.sops.secrets.meta_as_token.path})" > /run/mautrix-meta-facebook/env
|
||||
echo "META_HS_TOKEN=$(cat ${config.sops.secrets.meta_hs_token.path})" >> /run/mautrix-meta-facebook/env
|
||||
echo "META_AS_TOKEN=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/meta/as_token".path
|
||||
})" > /run/mautrix-meta-facebook/env
|
||||
echo "META_HS_TOKEN=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/meta/hs_token".path
|
||||
})" >> /run/mautrix-meta-facebook/env
|
||||
chmod 600 /run/mautrix-meta-facebook/env
|
||||
chown mautrix-meta-facebook:mautrix-meta /run/mautrix-meta-facebook/env
|
||||
'';
|
||||
@@ -60,8 +64,12 @@
|
||||
};
|
||||
script = ''
|
||||
mkdir -p /run/mautrix-meta-instagram
|
||||
echo "INSTAGRAM_AS_TOKEN=$(cat ${config.sops.secrets.instagram_as_token.path})" > /run/mautrix-meta-instagram/env
|
||||
echo "INSTAGRAM_HS_TOKEN=$(cat ${config.sops.secrets.instagram_hs_token.path})" >> /run/mautrix-meta-instagram/env
|
||||
echo "INSTAGRAM_AS_TOKEN=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/instagram/as_token".path
|
||||
})" > /run/mautrix-meta-instagram/env
|
||||
echo "INSTAGRAM_HS_TOKEN=$(cat ${
|
||||
config.sops.secrets."matrix/bridges/instagram/hs_token".path
|
||||
})" >> /run/mautrix-meta-instagram/env
|
||||
chmod 600 /run/mautrix-meta-instagram/env
|
||||
chown mautrix-meta-instagram:mautrix-meta /run/mautrix-meta-instagram/env
|
||||
'';
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
}:
|
||||
{
|
||||
sops.secrets = {
|
||||
pg_replication_password = {
|
||||
"postgres/replication_password" = {
|
||||
owner = "root";
|
||||
group = "root";
|
||||
};
|
||||
@@ -17,12 +17,10 @@
|
||||
description = "PostgreSQL WAL streaming replica (Docker)";
|
||||
requires = [
|
||||
"docker.service"
|
||||
"tailscaled.service"
|
||||
"network-online.target"
|
||||
];
|
||||
after = [
|
||||
"docker.service"
|
||||
"tailscaled.service"
|
||||
"network-online.target"
|
||||
];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
@@ -35,61 +33,49 @@
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
DATADIR="/storage/backup/postgresql-replica"
|
||||
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
|
||||
|
||||
${pkgs.docker}/bin/docker pull postgres:17
|
||||
|
||||
if [ ! -f "$DATADIR/PG_VERSION" ]; then
|
||||
echo "No data dir found — running pg_basebackup..."
|
||||
rm -rf "$DATADIR"
|
||||
|
||||
${pkgs.docker}/bin/docker run --rm \
|
||||
-e PGPASSWORD="$PG_PASS" \
|
||||
-v "/storage/backup:/out" \
|
||||
--network host \
|
||||
postgres:17 \
|
||||
pg_basebackup \
|
||||
--host=10.10.0.1 \
|
||||
--port=5432 \
|
||||
--username=replicator \
|
||||
--pgdata=/out/postgresql-replica \
|
||||
--wal-method=stream \
|
||||
--checkpoint=fast \
|
||||
--progress \
|
||||
--verbose
|
||||
|
||||
# standby signal
|
||||
touch "$DATADIR/standby.signal"
|
||||
|
||||
# primary conninfo
|
||||
cat > "$DATADIR/postgresql.auto.conf" <<EOF
|
||||
DATADIR="/storage/backup/postgresql-replica"
|
||||
PG_PASS=$(cat ${config.sops.secrets."postgres/replication_password".path})
|
||||
${pkgs.docker}/bin/docker pull postgres:17
|
||||
if [ ! -f "$DATADIR/PG_VERSION" ]; then
|
||||
echo "No data dir found — running pg_basebackup..."
|
||||
rm -rf "$DATADIR"
|
||||
${pkgs.docker}/bin/docker run --rm \
|
||||
-e PGPASSWORD="$PG_PASS" \
|
||||
-v "/storage/backup:/out" \
|
||||
--network host \
|
||||
postgres:17 \
|
||||
pg_basebackup \
|
||||
--host=10.10.0.1 \
|
||||
--port=5432 \
|
||||
--username=replicator \
|
||||
--pgdata=/out/postgresql-replica \
|
||||
--wal-method=stream \
|
||||
--checkpoint=fast \
|
||||
--progress \
|
||||
--verbose
|
||||
touch "$DATADIR/standby.signal"
|
||||
cat > "$DATADIR/postgresql.auto.conf" <<EOF
|
||||
primary_conninfo = 'host=10.10.0.1 port=5432 user=replicator password=$PG_PASS application_name=cyper-controller sslmode=disable'
|
||||
EOF
|
||||
|
||||
# minimal postgresql.conf
|
||||
cat > "$DATADIR/postgresql.conf" <<EOF
|
||||
cat > "$DATADIR/postgresql.conf" <<EOF
|
||||
hot_standby = on
|
||||
hot_standby_feedback = on
|
||||
wal_receiver_timeout = '60s'
|
||||
port = 5434
|
||||
listen_addresses = '*'
|
||||
EOF
|
||||
|
||||
chown -R 999:999 "$DATADIR"
|
||||
fi
|
||||
|
||||
# ensure postgresql.conf exists on subsequent starts
|
||||
if [ ! -f "$DATADIR/postgresql.conf" ]; then
|
||||
cat > "$DATADIR/postgresql.conf" <<EOF
|
||||
chown -R 999:999 "$DATADIR"
|
||||
fi
|
||||
if [ ! -f "$DATADIR/postgresql.conf" ]; then
|
||||
cat > "$DATADIR/postgresql.conf" <<EOF
|
||||
hot_standby = on
|
||||
hot_standby_feedback = on
|
||||
wal_receiver_timeout = '60s'
|
||||
port = 5434
|
||||
listen_addresses = '*'
|
||||
EOF
|
||||
chown 999:999 "$DATADIR/postgresql.conf"
|
||||
fi
|
||||
chown 999:999 "$DATADIR/postgresql.conf"
|
||||
fi
|
||||
'';
|
||||
|
||||
script = ''
|
||||
|
||||
@@ -34,16 +34,16 @@ let
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
matrix_macaroon_secret = { };
|
||||
matrix_registration_secret = {
|
||||
"matrix/macaroon_secret" = { };
|
||||
"matrix/registration_secret" = {
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
pg_replication_password = {
|
||||
"postgres/replication_password" = {
|
||||
owner = "postgres";
|
||||
group = "postgres";
|
||||
};
|
||||
kanidm_synapse_secret = {
|
||||
"kanidm/synapse_secret" = {
|
||||
owner = "matrix-synapse";
|
||||
group = "matrix-synapse";
|
||||
};
|
||||
@@ -95,8 +95,8 @@ in
|
||||
enable_registration = false;
|
||||
trusted_key_servers = [ { server_name = "matrix.org"; } ];
|
||||
suppress_key_server_warning = true;
|
||||
registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
|
||||
macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
|
||||
registration_shared_secret_path = config.sops.secrets."matrix/registration_secret".path;
|
||||
macaroon_secret_key = "$__file{${config.sops.secrets."matrix/macaroon_secret".path}}";
|
||||
matrix_rtc = {
|
||||
enabled = true;
|
||||
transports = [
|
||||
@@ -162,7 +162,7 @@ in
|
||||
idp_name = "Kanidm";
|
||||
issuer = "https://auth.cyperpunk.de/oauth2/openid/synapse";
|
||||
client_id = "synapse";
|
||||
client_secret_path = config.sops.secrets.kanidm_synapse_secret.path;
|
||||
client_secret_path = config.sops.secrets."kanidm/synapse_secret".path;
|
||||
scopes = [
|
||||
"openid"
|
||||
"profile"
|
||||
@@ -254,7 +254,7 @@ in
|
||||
ssl = true;
|
||||
};
|
||||
authentication = lib.mkAfter ''
|
||||
hostssl replication replicator 100.0.0.0/8 scram-sha-256
|
||||
hostssl replication replicator 10.10.0.2/32 scram-sha-256
|
||||
'';
|
||||
};
|
||||
|
||||
@@ -273,7 +273,7 @@ in
|
||||
"/var/lib/mautrix-whatsapp"
|
||||
];
|
||||
postgresql.postStart = lib.mkAfter ''
|
||||
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
|
||||
PG_PASS=$(cat ${config.sops.secrets."postgres/replication_password".path})
|
||||
${config.services.postgresql.package}/bin/psql -U postgres -c \
|
||||
"ALTER ROLE replicator WITH PASSWORD '$PG_PASS';"
|
||||
'';
|
||||
|
||||
@@ -27,15 +27,15 @@ in
|
||||
imports = [ ./gs-exporter.nix ];
|
||||
|
||||
sops.secrets = {
|
||||
grafana_secret_key = {
|
||||
"services/grafana/secret_key" = {
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
kanidm_grafana_secret = {
|
||||
"kanidm/grafana_secret" = {
|
||||
owner = "grafana";
|
||||
group = "grafana";
|
||||
};
|
||||
zyxel_pass = {
|
||||
"network/zyxel_pass" = {
|
||||
group = "gs1200-exporter";
|
||||
mode = "0440";
|
||||
};
|
||||
@@ -78,7 +78,7 @@ in
|
||||
serve_from_sub_path = true;
|
||||
};
|
||||
security = {
|
||||
secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}";
|
||||
secret_key = "$__file{${config.sops.secrets."services/grafana/secret_key".path}}";
|
||||
allow_embedding = true;
|
||||
cookie_samesite = "none";
|
||||
cookie_secure = true;
|
||||
@@ -91,7 +91,7 @@ in
|
||||
enabled = true;
|
||||
name = "Kanidm";
|
||||
client_id = "grafana";
|
||||
client_secret = "$__file{${config.sops.secrets.kanidm_grafana_secret.path}}";
|
||||
client_secret = "$__file{${config.sops.secrets."kanidm/grafana_secret".path}}";
|
||||
scopes = "openid profile email";
|
||||
auth_url = "https://auth.cyperpunk.de/ui/oauth2";
|
||||
token_url = "https://auth.cyperpunk.de/oauth2/token";
|
||||
@@ -181,13 +181,13 @@ in
|
||||
zyxel1 = {
|
||||
address = "192.168.2.3";
|
||||
port = 9934;
|
||||
passwordFile = config.sops.secrets.zyxel_pass.path;
|
||||
passwordFile = config.sops.secrets."network/zyxel_pass".path;
|
||||
group = "gs1200-exporter";
|
||||
};
|
||||
zyxel2 = {
|
||||
address = "192.168.2.4";
|
||||
port = 9935;
|
||||
passwordFile = config.sops.secrets.zyxel_pass.path;
|
||||
passwordFile = config.sops.secrets."network/zyxel_pass".path;
|
||||
group = "gs1200-exporter";
|
||||
};
|
||||
};
|
||||
|
||||
@@ -1,11 +1,10 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
|
||||
sops.secrets = {
|
||||
paperless_admin = {
|
||||
"services/paperless/admin" = {
|
||||
owner = "paperless";
|
||||
};
|
||||
paperless_oidc_secret = {
|
||||
"services/paperless/oidc_secret" = {
|
||||
owner = "paperless";
|
||||
};
|
||||
};
|
||||
@@ -18,7 +17,7 @@
|
||||
consumptionDir = "/storage/fast/paperless/consume";
|
||||
dataDir = "/storage/fast/paperless";
|
||||
configureTika = true;
|
||||
passwordFile = config.sops.secrets.paperless_admin.path;
|
||||
passwordFile = config.sops.secrets."services/paperless/admin".path;
|
||||
settings = {
|
||||
PAPERLESS_USE_X_FORWARDED_HOST = true;
|
||||
PAPERLESS_USE_X_FORWARDED_PORT = true;
|
||||
@@ -54,7 +53,7 @@
|
||||
requires = [ "systemd-tmpfiles-setup.service" ];
|
||||
};
|
||||
paperless-web = {
|
||||
serviceConfig.EnvironmentFiles = [ config.sops.secrets.paperless_oidc_secret.path ];
|
||||
serviceConfig.EnvironmentFiles = [ config.sops.secrets."services/paperless/oidc_secret".path ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -8,7 +8,8 @@ let
|
||||
userScss = builtins.readFile ./user.vaultwarden.scss.hbs;
|
||||
in
|
||||
{
|
||||
sops.secrets.vaultwarden_env = {
|
||||
|
||||
sops.secrets."services/vaultwarden/env" = {
|
||||
owner = "vaultwarden";
|
||||
group = "vaultwarden";
|
||||
};
|
||||
@@ -25,7 +26,7 @@ in
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
package = pkgs.oidcwarden;
|
||||
environmentFile = config.sops.secrets.vaultwarden_env.path;
|
||||
environmentFile = config.sops.secrets."services/vaultwarden/env".path;
|
||||
backupDir = "/var/local/vaultwarden/backup";
|
||||
config = {
|
||||
DOMAIN = "https://vault.cyperpunk.de";
|
||||
|
||||
Reference in New Issue
Block a user