add harbor nc secrets

This commit is contained in:
Jonas Röger 2025-04-03 15:41:33 +02:00
parent 2257a6dff8
commit 326cde73dd
Signed by: jonas
GPG Key ID: 4000EB35E1AE0F07
4 changed files with 32 additions and 8 deletions


@ -1,12 +1,19 @@
keys: keys:
- &jonas age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z - &jonas age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
- &harbor age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- age: - age:
- *jonas - *jonas
- *harbor
- path_regex: secrets/jonas/[^/]+\.(yaml|json|env|ini)$ - path_regex: secrets/jonas/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- age: - age:
- *jonas - *jonas
- path_regex: secrets/harbor/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *harbor
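Review bot: The new rule for `secrets/harbor/` lists only `*harbor` in its age key group, so a file created under that path is encrypted solely to the host key at `/var/lib/sops-nix/key.txt` and the operator's `jonas` key cannot decrypt or re-edit it afterwards. If that is not intended, add `- *jonas` next to `- *harbor` under that rule, as the broader `secrets/[^/]+` rule above already does. Changing creation_rules does not re-encrypt files that already exist, so `sops updatekeys` has to be run on anything already present under `secrets/harbor/`. The file path is not shown on this page; I am reading this section as the repository's `.sops.yaml`.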


@ -63,6 +63,7 @@
}; };
modules = [ modules = [
({...}: {nixpkgs.overlays = [overlay-unstable];}) ({...}: {nixpkgs.overlays = [overlay-unstable];})
inputs.sops-nix.nixosModules.sops
./hosts/harbor/configuration.nix ./hosts/harbor/configuration.nix
]; ];
}; };


@ -1,9 +1,20 @@
{pkgs, ...}: { {
config,
pkgs,
...
}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/services/nextcloud-instance.nix ../../modules/services/nextcloud-instance.nix
]; ];
# Secret management
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.secrets."nextcloud-admin-pass" = {
sopsFile = ../../secrets/harbor/nextcloud.yaml;
key = "admin-pass";
};
# Configure nix and garbage collection # Configure nix and garbage collection
nix = { nix = {
settings = { settings = {
@ -20,9 +31,9 @@
users.users.jonas = { users.users.jonas = {
isNormalUser = true; isNormalUser = true;
description = "Jonas"; description = "Jonas";
extraGroups = ["wheel" "docker"]; extraGroups = ["wheel"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa 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 cardno:000609618602" (builtins.readFile ../../static/keys/my_pub.asc)
]; ];
}; };
users.defaultUserShell = pkgs.zsh; users.defaultUserShell = pkgs.zsh;
@ -37,7 +48,8 @@
services.nextcloud-instance.enable = true; services.nextcloud-instance.enable = true;
services.nextcloud-instance.ssl = false; services.nextcloud-instance.ssl = false;
services.nextcloud-instance.instanceFQDN = "replace-me"; services.nextcloud-instance.adminPasswordFile = config.sops.secret.nextcloud-admin-pass.path;
services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de";
# Allow unfree packages # Allow unfree packages
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
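Review bot: The reference `config.sops.secret.nextcloud-admin-pass.path` on the `adminPasswordFile` line will not evaluate: the sops-nix option is `sops.secrets` (plural, as the `sops.secrets."nextcloud-admin-pass"` declaration earlier in this section uses), and an unquoted hyphenated attribute name is parsed as subtraction by Nix. It should read `services.nextcloud-instance.adminPasswordFile = config.sops.secrets."nextcloud-admin-pass".path;`. Separately, sops-nix renders secrets root-owned with mode 0400 by default, while the Nextcloud setup reads the admin password file as the `nextcloud` user, so the secret declaration likely also needs `owner = "nextcloud";` — confirm against the service user the module runs as. In the `users.users.jonas` hunk, the `.asc` extension on `static/keys/my_pub.asc` usually denotes a PGP armored key, whereas `openssh.authorizedKeys.keys` expects an OpenSSH public key line; worth checking the file content matches what `builtins.readFile` is now inlining.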


@ -20,11 +20,15 @@ in {
default = true; default = true;
description = "Use SSL and auto-update certificates"; description = "Use SSL and auto-update certificates";
}; };
adminPasswordFile = lib.mkOption {
type = lib.types.path;
example = "/etc/nc-admin-pass.txt";
description = "Path to the file containing the Nextcloud admin password";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.etc."nc-admin-pass.txt".text = "replace-me-with-a-sops-secret";
services.nextcloud = { services.nextcloud = {
# Instance # Instance
enable = true; enable = true;
@ -35,7 +39,7 @@ in {
# DB # DB
config.dbtype = "pgsql"; config.dbtype = "pgsql";
config.dbhost = "/run/postgresql"; config.dbhost = "/run/postgresql";
config.adminpassFile = "/etc/nc-admin-pass.txt"; # FIXME: sops config.adminpassFile = cfg.adminPasswordFile;
#Mail #Mail
settings = { settings = {