add harbor nc secrets

2025-04-03 15:41:33 +02:00 · 2025-04-03 15:41:33 +02:00 · 326cde73dd
commit 326cde73dd
parent 2257a6dff8
4 changed files with 32 additions and 8 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,12 +1,19 @@
 keys:
  - &jonas age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
+  - &harbor age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *jonas
+      - *harbor

  - path_regex: secrets/jonas/[^/]+\.(yaml|json|env|ini)$
    key_groups:
    - age:
      - *jonas
+
+  - path_regex: secrets/harbor/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *harbor
--- a/flake.nix
+++ b/flake.nix
@ -63,6 +63,7 @@
        };
        modules = [
          ({...}: {nixpkgs.overlays = [overlay-unstable];})
+          inputs.sops-nix.nixosModules.sops
          ./hosts/harbor/configuration.nix
        ];
      };
--- a/hosts/harbor/configuration.nix
+++ b/hosts/harbor/configuration.nix
@ -1,9 +1,20 @@
-{pkgs, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
  imports = [
    ./hardware-configuration.nix
    ../../modules/services/nextcloud-instance.nix
  ];

+  # Secret management
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.secrets."nextcloud-admin-pass" = {
+    sopsFile = ../../secrets/harbor/nextcloud.yaml;
+    key = "admin-pass";
+  };
+
  # Configure nix and garbage collection
  nix = {
    settings = {
@ -20,9 +31,9 @@
  users.users.jonas = {
    isNormalUser = true;
    description = "Jonas";
-    extraGroups = ["wheel" "docker"];
+    extraGroups = ["wheel"];
    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyCyYsMSiy7shcehlzJEbCyRiHk+cicFB35Bc2uc4PjjkCjswLh01fRAV2QcplrNkH/5F4GBTbOoZHHc7/AVLyUxgwDC9ffD2i7fevuGpfBFy9D30uz6jDekxXkmRmIlidXLdG1Fh4zwVejGlwdhUu/Zb7PonO/dktx3EFdf1SpnW+y75anN85zoGsld7KQk42wEd0zXtCgx4CKI6Vvt6heWCEiJ9wyw1sLpTJr4H8In236CUj1/r1qY9Gfa8n9NA0J9XCpcwSCEWGRKQNicoQIpnp5txrgzaUq4r6qBKHmImYXmSTVnDZ9dJLRYNu2lDvBtTXP4ztlR6Lpxs873fPg51qgaX9rRVMMo/gGjq8fOFWsDVaJZab9VY3hZYNCKIbWFqo4GKyCQs9Xfzr2AUACm09HWiYMTefwEypOzvUb4z+LF2B/0c5XmghLF/TOzLVgDXzAgWMH4mCnPh9EDLHTtoJaGNURler9VRV8yQyLH6oK9UpHZovCFs7HpFN+WPv2QVFfkK8aHg7tnklFsT78z154bjuspiEI/fFGmTxoQUGufmHlRy/9GQDusgNfe24ZEB2hHBVjKv29XdIfvFAhoPVpA6+O/N3feSlmVISaU+8QraVQEf/TuQjopDUWpJTmqSxKvQSTPwcyWDy6NtcJ85bGAu6jSUGC3ouH4Rb2Q== cardno:000609618602"
+      (builtins.readFile ../../static/keys/my_pub.asc)
    ];
  };
  users.defaultUserShell = pkgs.zsh;
@ -37,7 +48,8 @@

  services.nextcloud-instance.enable = true;
  services.nextcloud-instance.ssl = false;
-  services.nextcloud-instance.instanceFQDN = "replace-me";
+  services.nextcloud-instance.adminPasswordFile = config.sops.secret.nextcloud-admin-pass.path;
+  services.nextcloud-instance.instanceFQDN = "nextcloud.jroeger.de";

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
--- a/modules/services/nextcloud-instance.nix
+++ b/modules/services/nextcloud-instance.nix
@ -20,11 +20,15 @@ in {
      default = true;
      description = "Use SSL and auto-update certificates";
    };
+
+    adminPasswordFile = lib.mkOption {
+      type = lib.types.path;
+      example = "/etc/nc-admin-pass.txt";
+      description = "Path to the file containing the Nextcloud admin password";
+    };
  };

  config = lib.mkIf cfg.enable {
-    environment.etc."nc-admin-pass.txt".text = "replace-me-with-a-sops-secret";
-
    services.nextcloud = {
      # Instance
      enable = true;
@ -35,7 +39,7 @@ in {
      # DB
      config.dbtype = "pgsql";
      config.dbhost = "/run/postgresql";
-      config.adminpassFile = "/etc/nc-admin-pass.txt"; # FIXME: sops
+      config.adminpassFile = cfg.adminPasswordFile;

      #Mail
      settings = {