From 326cde73dd798a8f8457461336436c59485c57a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20R=C3=B6ger?=
Date: Thu, 3 Apr 2025 15:41:33 +0200
Subject: [PATCH] add harbor nc secrets

---
 .sops.yaml | 9 ++++++++-
 flake.nix | 1 +
 hosts/harbor/configuration.nix | 20 ++++++++++++++++----
 modules/services/nextcloud-instance.nix | 10 +++++++---
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index af3377a..4af5df8 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,12 +1,19 @@ keys: - &jonas age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z + - &harbor age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - age: - *jonas + - *harbor - path_regex: secrets/jonas/[^/]+\.(yaml|json|env|ini)$ key_groups: - age: - - *jonas \ No newline at end of file + - *jonas + + - path_regex: secrets/harbor/[^/]+\.(yaml|json|env|ini)$ key_groups: + - age: + - *harbor
diff --git a/flake.nix b/flake.nix
index 20ed704..45aa5c9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -63,6 +63,7 @@
 };
 modules = [
 ({...}: {nixpkgs.overlays = [overlay-unstable];})
+ inputs.sops-nix.nixosModules.sops
 ./hosts/harbor/configuration.nix
 ];
 };
diff --git a/hosts/harbor/configuration.nix b/hosts/harbor/configuration.nix
index e05e211..f36ecd5 100644
--- a/hosts/harbor/configuration.nix
+++ b/hosts/harbor/configuration.nix
@@ -1,9 +1,20 @@
-{pkgs, ...}: {
+{
+ config,
+ pkgs,
+ ...
+}: {
 imports = [
 ./hardware-configuration.nix
 ../../modules/services/nextcloud-instance.nix
 ];
 
+ # Secret management
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.secrets."nextcloud-admin-pass" = {
+ sopsFile = ../../secrets/harbor/nextcloud.yaml;
+ key = "admin-pass";
+ };
+
 # Configure nix and garbage collection
 nix = {
 settings = {
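Review bot: The new `secrets/harbor/` rule lists only the `*harbor` recipient, so files under that directory can be decrypted or re-edited only with the host's age key at `/var/lib/sops-nix/key.txt`; the operator key `*jonas` cannot open them, and if the host key is lost `secrets/harbor/nextcloud.yaml` is unrecoverable. If that is not the intent, add `- *jonas` under the harbor rule's `age:` list, mirroring the top-level rule that now carries both keys. The exact nesting is inferred here because the hunk's line breaks did not survive rendering.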
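Review bot: The `sops.secrets."nextcloud-admin-pass"` declaration sets no `owner`, and sops-nix installs secrets root-owned with mode 0400 by default, while the NixOS `services.nextcloud.config.adminpassFile` option documents that the file must be readable by the `nextcloud` user; the first install would then fail with a permission error on the secret rather than use it. Add `owner = "nextcloud";` alongside `key = "admin-pass";` (the default mode can stay). This is the same file the later hunk in this file wires into `services.nextcloud-instance.adminPasswordFile`.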
@@ -20,9 +31,9 @@
 users.users.jonas = {
 isNormalUser = true;
 description = "Jonas";
- extraGroups = ["wheel" "docker"];
+ extraGroups = ["wheel"];
 openssh.authorizedKeys.keys = [
- "ssh-rsa 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 cardno:000609618602"
+ (builtins.readFile ../../static/keys/my_pub.asc)
 ];
 };
 users.defaultUserShell = pkgs.zsh;
@@ -37,7 +48,8 @@
 
 services.nextcloud-instance.enable = true;
 services.nextcloud-instance.ssl = false;
- services.nextcloud-instance.instanceFQDN = "replace-me";
+ services.nextcloud-instance.adminPasswordFile = config.sops.secret.nextcloud-admin-pass.path;
+ services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de";
 
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
diff --git a/modules/services/nextcloud-instance.nix b/modules/services/nextcloud-instance.nix
index f7949be..73101a5 100644
--- a/modules/services/nextcloud-instance.nix
+++ b/modules/services/nextcloud-instance.nix
@@ -20,11 +20,15 @@ in {
 default = true;
 description = "Use SSL and auto-update certificates";
 };
+
+ adminPasswordFile = lib.mkOption {
+ type = lib.types.path;
+ example = "/etc/nc-admin-pass.txt";
+ description = "Path to the file containing the Nextcloud admin password";
+ };
 };
 
 config = lib.mkIf cfg.enable {
- environment.etc."nc-admin-pass.txt".text = "replace-me-with-a-sops-secret";
-
 services.nextcloud = {
 # Instance
 enable = true;
@@ -35,7 +39,7 @@ in {
 # DB
 config.dbtype = "pgsql";
 config.dbhost = "/run/postgresql";
- config.adminpassFile = "/etc/nc-admin-pass.txt"; # FIXME: sops
+ config.adminpassFile = cfg.adminPasswordFile;
 
 #Mail
 settings = {
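Review bot: `config.sops.secret.nextcloud-admin-pass.path` in the `@@ -37,7 +48,8 @@` hunk names an attribute that does not exist; the sops-nix option set is `sops.secrets` (plural), which is also what the declaration `sops.secrets."nextcloud-admin-pass"` earlier in this file uses, so evaluating this host fails with a missing-attribute error before anything is deployed. Change the line to `services.nextcloud-instance.adminPasswordFile = config.sops.secrets."nextcloud-admin-pass".path;`. Quoting the attribute keeps the name byte-identical to the declaration.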
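Review bot: The new `adminPasswordFile` option in `modules/services/nextcloud-instance.nix` is typed `lib.types.path`, which also accepts a Nix path literal such as `./nc-admin-pass.txt`; a path literal is copied into the Nix store, so a password supplied that way would become world-readable under `/nix/store`, and nothing in the option text warns about it. Since the option exists to carry a secret, either declare it as `lib.types.str` so only an absolute runtime path is accepted, or keep `path` and extend the description to something like `"Absolute path to a file containing the Nextcloud admin password; must be readable by the nextcloud user and must not be a Nix path literal, which would be copied into the world-readable store"`. The option has no `default`, so enabling the module without setting it is an evaluation error, which is reasonable now that the `replace-me-with-a-sops-secret` placeholder in `environment.etc` is gone.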