Reorderd Secrets to match a structure

This commit is contained in:
2026-06-29 12:17:55 +02:00
parent a24e82bf5a
commit 73ff128705
19 changed files with 199 additions and 180 deletions
+2 -2
View File
@@ -13,7 +13,7 @@ let
"/var/lib/flame-${name}:/app/data"
]
++ extraVolumes;
environmentFiles = [ config.sops.secrets."flame_${name}_password".path ];
environmentFiles = [ config.sops.secrets."services/flame/${name}_password".path ];
};
instances = [
@@ -57,7 +57,7 @@ in
];
sops.secrets = lib.listToAttrs (
map ({ name, ... }: lib.nameValuePair "flame_${name}_password" { }) instances
map ({ name, ... }: lib.nameValuePair "services/flame/${name}_password" { }) instances
);
virtualisation = {
+9 -10
View File
@@ -2,7 +2,6 @@
pkgs,
lib,
config,
primaryUser,
...
}:
@@ -20,27 +19,27 @@ let
in
{
sops.secrets = {
"gitea/dbPassword" = {
"services/gitea/db_password" = {
owner = "gitea";
group = "gitea";
mode = "0444";
};
"gitea/internalToken" = {
"services/gitea/internal_token" = {
owner = "gitea";
group = "gitea";
};
"gitea/lfsJwtSecret" = {
"services/gitea/lfs_jwt_secret" = {
owner = "gitea";
group = "gitea";
};
"gitea/mailerPassword" = {
"services/gitea/mailer_password" = {
owner = "gitea";
group = "gitea";
};
"gitea/runnerToken" = {
"services/gitea/runner_token" = {
mode = "0444";
};
"kanidm_gitea_secret" = {
"kanidm/gitea_secret" = {
owner = "gitea";
group = "gitea";
mode = "0444";
@@ -75,7 +74,7 @@ in
RemainAfterExit = true;
};
script = ''
pass=$(cat ${config.sops.secrets."gitea/dbPassword".path})
pass=$(cat ${config.sops.secrets."services/gitea/db_password".path})
${pkgs.postgresql_14}/bin/psql -c \
"ALTER USER gitea WITH PASSWORD '$pass';"
'';
@@ -126,7 +125,7 @@ in
port = 5432;
name = "gitea";
user = "gitea";
passwordFile = config.sops.secrets."gitea/dbPassword".path;
passwordFile = config.sops.secrets."services/gitea/db_password".path;
};
settings = {
@@ -222,7 +221,7 @@ in
gitea-actions-runner.instances."cyper_nix" = {
enable = true;
url = "https://git.cyperpunk.de";
tokenFile = config.sops.secrets."gitea/runnerToken".path;
tokenFile = config.sops.secrets."services/gitea/runner_token".path;
name = "cyper-controller";
labels = [ "nix:host" ];
+3 -4
View File
@@ -1,15 +1,14 @@
{ config, lib, ... }:
{
sops.secrets = {
coturn_static_auth_secret = {
"matrix/coturn_static_auth_secret" = {
owner = "turnserver";
group = "turnserver";
};
coturn_static_auth_secret_synapse = {
owner = "matrix-synapse";
group = "matrix-synapse";
key = "coturn_static_auth_secret";
key = "matrix/coturn_static_auth_secret";
};
};
@@ -21,7 +20,7 @@
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets.coturn_static_auth_secret.path;
static-auth-secret-file = config.sops.secrets."matrix/coturn_static_auth_secret".path;
realm = "turn.cyperpunk.de";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+12 -6
View File
@@ -1,15 +1,15 @@
{ config, lib, ... }:
{
sops.secrets = {
discord_bot_token = {
"matrix/bridges/discord/bot_token" = {
owner = "mautrix-discord";
group = "mautrix-discord";
};
discord_client_id = {
"matrix/bridges/discord/client_id" = {
owner = "mautrix-discord";
group = "mautrix-discord";
};
discord_pickle_key = {
"matrix/bridges/discord/pickle_key" = {
owner = "mautrix-discord";
group = "mautrix-discord";
};
@@ -35,9 +35,15 @@
};
script = ''
mkdir -p /run/mautrix-discord
echo "DISCORD_BOT_TOKEN=$(cat ${config.sops.secrets.discord_bot_token.path})" > /run/mautrix-discord/env
echo "DISCORD_CLIENT_ID=$(cat ${config.sops.secrets.discord_client_id.path})" >> /run/mautrix-discord/env
echo "DISCORD_PICKLE_KEY=$(cat ${config.sops.secrets.discord_pickle_key.path})" >> /run/mautrix-discord/env
echo "DISCORD_BOT_TOKEN=$(cat ${
config.sops.secrets."matrix/bridges/discord/bot_token".path
})" > /run/mautrix-discord/env
echo "DISCORD_CLIENT_ID=$(cat ${
config.sops.secrets."matrix/bridges/discord/client_id".path
})" >> /run/mautrix-discord/env
echo "DISCORD_PICKLE_KEY=$(cat ${
config.sops.secrets."matrix/bridges/discord/pickle_key".path
})" >> /run/mautrix-discord/env
chmod 600 /run/mautrix-discord/env
chown mautrix-discord:mautrix-discord /run/mautrix-discord/env
'';
+2 -2
View File
@@ -1,6 +1,6 @@
{ config, ... }:
{
sops.secrets.draupnir_access_token = { };
sops.secrets."matrix/draupnir_access_token" = { };
environment.persistence."/persist".directories = [
{
@@ -13,7 +13,7 @@
services.draupnir = {
enable = true;
secrets.accessToken = config.sops.secrets.draupnir_access_token.path;
secrets.accessToken = config.sops.secrets."matrix/draupnir_access_token".path;
settings = {
homeserverUrl = "https://matrix.cyperpunk.de";
managementRoom = "!eErCimyDjLSebHjpJA:cyperpunk.de";
+13 -11
View File
@@ -1,18 +1,20 @@
{ config, ... }:
{
sops.secrets.livekit_key_file = { };
sops.secrets."matrix/livekit_key_file" = { };
services.livekit = {
enable = true;
openFirewall = true;
settings.room.auto_create = false;
keyFile = config.sops.secrets.livekit_key_file.path;
};
services = {
livekit = {
enable = true;
openFirewall = true;
settings.room.auto_create = false;
keyFile = config.sops.secrets."matrix/livekit_key_file".path;
};
services.lk-jwt-service = {
enable = true;
livekitUrl = "wss://cyperpunk.de/livekit/sfu";
keyFile = config.sops.secrets.livekit_key_file.path;
lk-jwt-service = {
enable = true;
livekitUrl = "wss://cyperpunk.de/livekit/sfu";
keyFile = config.sops.secrets."matrix/livekit_key_file".path;
};
};
systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "cyperpunk.de";
+16 -8
View File
@@ -1,19 +1,19 @@
{ config, lib, ... }:
{
sops.secrets = {
meta_as_token = {
"matrix/bridges/meta/as_token" = {
owner = "mautrix-meta-facebook";
group = "mautrix-meta";
};
meta_hs_token = {
"matrix/bridges/meta/hs_token" = {
owner = "mautrix-meta-facebook";
group = "mautrix-meta";
};
instagram_as_token = {
"matrix/bridges/instagram/as_token" = {
owner = "mautrix-meta-instagram";
group = "mautrix-meta";
};
instagram_hs_token = {
"matrix/bridges/instagram/hs_token" = {
owner = "mautrix-meta-instagram";
group = "mautrix-meta";
};
@@ -44,8 +44,12 @@
};
script = ''
mkdir -p /run/mautrix-meta-facebook
echo "META_AS_TOKEN=$(cat ${config.sops.secrets.meta_as_token.path})" > /run/mautrix-meta-facebook/env
echo "META_HS_TOKEN=$(cat ${config.sops.secrets.meta_hs_token.path})" >> /run/mautrix-meta-facebook/env
echo "META_AS_TOKEN=$(cat ${
config.sops.secrets."matrix/bridges/meta/as_token".path
})" > /run/mautrix-meta-facebook/env
echo "META_HS_TOKEN=$(cat ${
config.sops.secrets."matrix/bridges/meta/hs_token".path
})" >> /run/mautrix-meta-facebook/env
chmod 600 /run/mautrix-meta-facebook/env
chown mautrix-meta-facebook:mautrix-meta /run/mautrix-meta-facebook/env
'';
@@ -60,8 +64,12 @@
};
script = ''
mkdir -p /run/mautrix-meta-instagram
echo "INSTAGRAM_AS_TOKEN=$(cat ${config.sops.secrets.instagram_as_token.path})" > /run/mautrix-meta-instagram/env
echo "INSTAGRAM_HS_TOKEN=$(cat ${config.sops.secrets.instagram_hs_token.path})" >> /run/mautrix-meta-instagram/env
echo "INSTAGRAM_AS_TOKEN=$(cat ${
config.sops.secrets."matrix/bridges/instagram/as_token".path
})" > /run/mautrix-meta-instagram/env
echo "INSTAGRAM_HS_TOKEN=$(cat ${
config.sops.secrets."matrix/bridges/instagram/hs_token".path
})" >> /run/mautrix-meta-instagram/env
chmod 600 /run/mautrix-meta-instagram/env
chown mautrix-meta-instagram:mautrix-meta /run/mautrix-meta-instagram/env
'';
+30 -44
View File
@@ -5,7 +5,7 @@
}:
{
sops.secrets = {
pg_replication_password = {
"postgres/replication_password" = {
owner = "root";
group = "root";
};
@@ -17,12 +17,10 @@
description = "PostgreSQL WAL streaming replica (Docker)";
requires = [
"docker.service"
"tailscaled.service"
"network-online.target"
];
after = [
"docker.service"
"tailscaled.service"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
@@ -35,61 +33,49 @@
};
preStart = ''
DATADIR="/storage/backup/postgresql-replica"
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
${pkgs.docker}/bin/docker pull postgres:17
if [ ! -f "$DATADIR/PG_VERSION" ]; then
echo "No data dir found running pg_basebackup..."
rm -rf "$DATADIR"
${pkgs.docker}/bin/docker run --rm \
-e PGPASSWORD="$PG_PASS" \
-v "/storage/backup:/out" \
--network host \
postgres:17 \
pg_basebackup \
--host=10.10.0.1 \
--port=5432 \
--username=replicator \
--pgdata=/out/postgresql-replica \
--wal-method=stream \
--checkpoint=fast \
--progress \
--verbose
# standby signal
touch "$DATADIR/standby.signal"
# primary conninfo
cat > "$DATADIR/postgresql.auto.conf" <<EOF
DATADIR="/storage/backup/postgresql-replica"
PG_PASS=$(cat ${config.sops.secrets."postgres/replication_password".path})
${pkgs.docker}/bin/docker pull postgres:17
if [ ! -f "$DATADIR/PG_VERSION" ]; then
echo "No data dir found running pg_basebackup..."
rm -rf "$DATADIR"
${pkgs.docker}/bin/docker run --rm \
-e PGPASSWORD="$PG_PASS" \
-v "/storage/backup:/out" \
--network host \
postgres:17 \
pg_basebackup \
--host=10.10.0.1 \
--port=5432 \
--username=replicator \
--pgdata=/out/postgresql-replica \
--wal-method=stream \
--checkpoint=fast \
--progress \
--verbose
touch "$DATADIR/standby.signal"
cat > "$DATADIR/postgresql.auto.conf" <<EOF
primary_conninfo = 'host=10.10.0.1 port=5432 user=replicator password=$PG_PASS application_name=cyper-controller sslmode=disable'
EOF
# minimal postgresql.conf
cat > "$DATADIR/postgresql.conf" <<EOF
cat > "$DATADIR/postgresql.conf" <<EOF
hot_standby = on
hot_standby_feedback = on
wal_receiver_timeout = '60s'
port = 5434
listen_addresses = '*'
EOF
chown -R 999:999 "$DATADIR"
fi
# ensure postgresql.conf exists on subsequent starts
if [ ! -f "$DATADIR/postgresql.conf" ]; then
cat > "$DATADIR/postgresql.conf" <<EOF
chown -R 999:999 "$DATADIR"
fi
if [ ! -f "$DATADIR/postgresql.conf" ]; then
cat > "$DATADIR/postgresql.conf" <<EOF
hot_standby = on
hot_standby_feedback = on
wal_receiver_timeout = '60s'
port = 5434
listen_addresses = '*'
EOF
chown 999:999 "$DATADIR/postgresql.conf"
fi
chown 999:999 "$DATADIR/postgresql.conf"
fi
'';
script = ''
+9 -9
View File
@@ -34,16 +34,16 @@ let
in
{
sops.secrets = {
matrix_macaroon_secret = { };
matrix_registration_secret = {
"matrix/macaroon_secret" = { };
"matrix/registration_secret" = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
pg_replication_password = {
"postgres/replication_password" = {
owner = "postgres";
group = "postgres";
};
kanidm_synapse_secret = {
"kanidm/synapse_secret" = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
@@ -95,8 +95,8 @@ in
enable_registration = false;
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
registration_shared_secret_path = config.sops.secrets."matrix/registration_secret".path;
macaroon_secret_key = "$__file{${config.sops.secrets."matrix/macaroon_secret".path}}";
matrix_rtc = {
enabled = true;
transports = [
@@ -162,7 +162,7 @@ in
idp_name = "Kanidm";
issuer = "https://auth.cyperpunk.de/oauth2/openid/synapse";
client_id = "synapse";
client_secret_path = config.sops.secrets.kanidm_synapse_secret.path;
client_secret_path = config.sops.secrets."kanidm/synapse_secret".path;
scopes = [
"openid"
"profile"
@@ -254,7 +254,7 @@ in
ssl = true;
};
authentication = lib.mkAfter ''
hostssl replication replicator 100.0.0.0/8 scram-sha-256
hostssl replication replicator 10.10.0.2/32 scram-sha-256
'';
};
@@ -273,7 +273,7 @@ in
"/var/lib/mautrix-whatsapp"
];
postgresql.postStart = lib.mkAfter ''
PG_PASS=$(cat ${config.sops.secrets.pg_replication_password.path})
PG_PASS=$(cat ${config.sops.secrets."postgres/replication_password".path})
${config.services.postgresql.package}/bin/psql -U postgres -c \
"ALTER ROLE replicator WITH PASSWORD '$PG_PASS';"
'';
+7 -7
View File
@@ -27,15 +27,15 @@ in
imports = [ ./gs-exporter.nix ];
sops.secrets = {
grafana_secret_key = {
"services/grafana/secret_key" = {
owner = "grafana";
group = "grafana";
};
kanidm_grafana_secret = {
"kanidm/grafana_secret" = {
owner = "grafana";
group = "grafana";
};
zyxel_pass = {
"network/zyxel_pass" = {
group = "gs1200-exporter";
mode = "0440";
};
@@ -78,7 +78,7 @@ in
serve_from_sub_path = true;
};
security = {
secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}";
secret_key = "$__file{${config.sops.secrets."services/grafana/secret_key".path}}";
allow_embedding = true;
cookie_samesite = "none";
cookie_secure = true;
@@ -91,7 +91,7 @@ in
enabled = true;
name = "Kanidm";
client_id = "grafana";
client_secret = "$__file{${config.sops.secrets.kanidm_grafana_secret.path}}";
client_secret = "$__file{${config.sops.secrets."kanidm/grafana_secret".path}}";
scopes = "openid profile email";
auth_url = "https://auth.cyperpunk.de/ui/oauth2";
token_url = "https://auth.cyperpunk.de/oauth2/token";
@@ -181,13 +181,13 @@ in
zyxel1 = {
address = "192.168.2.3";
port = 9934;
passwordFile = config.sops.secrets.zyxel_pass.path;
passwordFile = config.sops.secrets."network/zyxel_pass".path;
group = "gs1200-exporter";
};
zyxel2 = {
address = "192.168.2.4";
port = 9935;
passwordFile = config.sops.secrets.zyxel_pass.path;
passwordFile = config.sops.secrets."network/zyxel_pass".path;
group = "gs1200-exporter";
};
};
+4 -5
View File
@@ -1,11 +1,10 @@
{ config, ... }:
{
sops.secrets = {
paperless_admin = {
"services/paperless/admin" = {
owner = "paperless";
};
paperless_oidc_secret = {
"services/paperless/oidc_secret" = {
owner = "paperless";
};
};
@@ -18,7 +17,7 @@
consumptionDir = "/storage/fast/paperless/consume";
dataDir = "/storage/fast/paperless";
configureTika = true;
passwordFile = config.sops.secrets.paperless_admin.path;
passwordFile = config.sops.secrets."services/paperless/admin".path;
settings = {
PAPERLESS_USE_X_FORWARDED_HOST = true;
PAPERLESS_USE_X_FORWARDED_PORT = true;
@@ -54,7 +53,7 @@
requires = [ "systemd-tmpfiles-setup.service" ];
};
paperless-web = {
serviceConfig.EnvironmentFiles = [ config.sops.secrets.paperless_oidc_secret.path ];
serviceConfig.EnvironmentFiles = [ config.sops.secrets."services/paperless/oidc_secret".path ];
};
};
};
+3 -2
View File
@@ -8,7 +8,8 @@ let
userScss = builtins.readFile ./user.vaultwarden.scss.hbs;
in
{
sops.secrets.vaultwarden_env = {
sops.secrets."services/vaultwarden/env" = {
owner = "vaultwarden";
group = "vaultwarden";
};
@@ -25,7 +26,7 @@ in
services.vaultwarden = {
enable = true;
package = pkgs.oidcwarden;
environmentFile = config.sops.secrets.vaultwarden_env.path;
environmentFile = config.sops.secrets."services/vaultwarden/env".path;
backupDir = "/var/local/vaultwarden/backup";
config = {
DOMAIN = "https://vault.cyperpunk.de";