Server: migrate secrets to sops

Toast 2025-12-08 17:51:55 +01:00
parent 859a4b20a5
commit b668212daf
5 changed files with 35 additions and 63 deletions

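--- a/flake.lock
+++ b/flake.lock
@@ -524,11 +524,11 @@
 "secrets": {
 "flake": false,
 "locked": {
-"lastModified": 1764992299,
-"narHash": "sha256-6vJ4teDUQus5TsOMfJZEfDOslsjvkhHPELZiOAeOX8s=",
+"lastModified": 1765212399,
+"narHash": "sha256-QEjuaK17HddWr0ZBRhsg3nt4QhSxQZ1i9YO2ctV045c=",
 "ref": "refs/heads/main",
-"rev": "5c3122fc8dd5d6fe855d7da42740272cb2c313d4",
-"revCount": 32,
+"rev": "43c8697580bb389aea565459802c3b9827aa2d3d",
+"revCount": 38,
 "type": "git",
 "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets"
 },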


@ -1,12 +1,6 @@
{ {config, ...}: {
config,
flakeSelf,
...
}: let
hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName;
in {
# Set up secrets # Set up secrets
age.secrets = {ddclient-passwd.file = hostSecrets + "/ddclient-password.age";}; sops.secrets.ddclientPassword = {};
services.ddclient = { services.ddclient = {
enable = true; enable = true;
@ -15,7 +9,7 @@ in {
protocol = "namecheap"; protocol = "namecheap";
server = "dynamicdns.park-your-domain.com"; server = "dynamicdns.park-your-domain.com";
username = "toast003.xyz"; username = "toast003.xyz";
passwordFile = config.age.secrets.ddclient-passwd.path; passwordFile = config.sops.secrets.ddclientPassword.path;
domains = ["@"]; domains = ["@"];
}; };
} }
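Review bot: `sops.secrets.ddclientPassword = {};` names no `sopsFile`, so the key is resolved through `sops.defaultSopsFile`, which is not visible in this diff; the per-host lookup that the removed `hostSecrets` expression made explicit via `config.networking.hostName` has become an implicit dependency on whatever the host config sets. Presumably `sops.defaultSopsFile` is defined per host elsewhere, and a one-line comment at the declaration, `# key lives in this host's sops.defaultSopsFile`, would record that for the next reader. The same remark applies to the `sops.secrets` declarations in the forgejo and grafana sections below. Ownership is unchanged in practice: sops-nix's defaults (root, mode 0400) match the agenix defaults the old `age.secrets` entry relied on, so whatever let ddclient read the file before still applies.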


@ -1,24 +1,20 @@
{ {
config, config,
lib, lib,
flakeSelf,
pkgs, pkgs,
... ...
}: let }: {
hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/"; sops.secrets = let
in { owner = config.services.forgejo.user;
age.secrets = { group = config.services.forgejo.group;
forgejo-host-key = { in{
file = hostSecrets + "forgejoPrivateKey.age"; "forgejoHostKey/private" = {
mode = "0400"; inherit owner group;
owner = "forgejo"; name = "id_forgejo";
group = "forgejo";
}; };
"forgejo-host-key.pub" = { "forgejoHostKey/public" = {
file = hostSecrets + "forgejoPublicKey.age"; inherit owner group;
mode = "0400"; name = "id_forgejo.pub";
owner = "forgejo";
group = "forgejo";
}; };
}; };
@ -36,8 +32,8 @@ in {
ROOT_URL = "https://git.toast003.xyz"; ROOT_URL = "https://git.toast003.xyz";
START_SSH_SERVER = true; START_SSH_SERVER = true;
SSH_PORT = 4222; SSH_PORT = 4222;
SSH_SERVER_HOST_KEYS = config.age.secrets.forgejo-host-key.path; SSH_SERVER_HOST_KEYS = config.sops.secrets."forgejoHostKey/private".path;
SSH_SERVER_HOST_KEY = "forgejo-host-key"; SSH_SERVER_HOST_KEY = "id_forgejo";
}; };
repository = { repository = {
ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_USER = true;
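Review bot: `in{` on the `sops.secrets` let-binding is missing the space before the brace; the grafana module in this same commit writes `in {`, and the usual nix formatters would rewrite it that way, so `in {` keeps the two modules consistent. I also cannot find a singular `SSH_SERVER_HOST_KEY` among Forgejo's `[server]` settings — the documented key is `SSH_SERVER_HOST_KEYS`, which the line above already points at the sops path — so if the deployed version does not recognise it, `SSH_SERVER_HOST_KEY = "id_forgejo";` is inert and could be dropped; worth confirming against the config cheat sheet for the version in use. The `"forgejoHostKey/public"` secret is referenced by nothing in this diff; if it exists only so that `id_forgejo.pub` sits beside the private key for tooling, a short comment such as `# companion .pub for the host key; not read by forgejo itself` would save the next reader the question.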


@ -1,23 +1,16 @@
{ {config, ...}: let
config,
flakeSelf,
...
}: let
domain = "monitoring.everest.tailscale"; domain = "monitoring.everest.tailscale";
in { in {
users.users.caddy.extraGroups = ["grafana"]; users.users.caddy.extraGroups = ["grafana"];
age.secrets = let sops.secrets = let
hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/"; owner = "grafana";
group = "grafana";
in { in {
grafanaAdminName = { "grafanaAdmin/username" = {
file = hostSecrets + "grafana/admin_name.age"; inherit owner group;
owner = "grafana";
group = "grafana";
}; };
grafanaAdminPassword = { "grafanaAdmin/password" = {
file = hostSecrets + "grafana/admin_password.age"; inherit owner group;
owner = "grafana";
group = "grafana";
}; };
}; };
services = { services = {
@ -34,8 +27,8 @@ in {
settings = { settings = {
analytics.reporting_enabled = false; analytics.reporting_enabled = false;
security = { security = {
admin_user = "$__file{${config.age.secrets.grafanaAdminName.path}}"; admin_user = "$__file{${config.sops.secrets."grafanaAdmin/username".path}}";
admin_password = "$__file{${config.age.secrets.grafanaAdminPassword.path}}"; admin_password = "$__file{${config.sops.secrets."grafanaAdmin/password".path}}";
cookie_secure = true; cookie_secure = true;
strict_transport_security = true; strict_transport_security = true;
content_security_policy = true; content_security_policy = true;
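Review bot: `owner = "grafana"; group = "grafana";` hard-codes the service account as string literals, while the forgejo module in this commit derives them from service config; `owner = config.users.users.grafana.name; group = config.users.users.grafana.group;` would tie these secrets to the account the NixOS grafana module actually creates. One caveat worth a comment on the `admin_password` line: as far as I know Grafana consumes `security.admin_user`/`admin_password` only when it first provisions the admin account, so rotating the value in sops does not change an existing admin's password, and a note like `# applied on first start only; rotate with grafana-cli admin reset-admin-password` would spare the next operator a surprise. The enclosing `services.grafana.settings` block ends outside the hunk.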


@ -1,11 +1,9 @@
{ {
flakeSelf,
config, config,
pkgs, pkgs,
lib, lib,
... ...
}: let }: let
hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
hostKeyPath = "/etc/ssh/everest_host_key"; hostKeyPath = "/etc/ssh/everest_host_key";
notify = notify =
pkgs.writers.writePython3 "send-discord-login-notification" { pkgs.writers.writePython3 "send-discord-login-notification" {
@ -16,7 +14,7 @@
if os.environ["PAM_TYPE"] != "open_session": if os.environ["PAM_TYPE"] != "open_session":
raise SystemExit raise SystemExit
secretPath = "${config.age.secrets.discord-webhook.path}" secretPath = "${config.sops.secrets.discordWebhook.path}"
webhookUrl: str webhookUrl: str
@ -34,19 +32,10 @@
result = requests.post(webhookUrl, json=data) result = requests.post(webhookUrl, json=data)
''; '';
in { in {
age.secrets = { sops.secrets = {
everest-host-key = { discordWebhook = {};
file = hostSecrets + "host-private-key.age"; "hostKey/private".path = "${hostKeyPath}.pub";
path = hostKeyPath; "hostKey/public".path = hostKeyPath;
mode = "0400";
};
"everest-host-key.pub" = {
file = hostSecrets + "host-public-key.age";
path = hostKeyPath + ".pub";
};
discord-webhook = {
file = hostSecrets + "discord-webhook.age";
};
}; };
users.users.toast.openssh.authorizedKeys.keys = [ users.users.toast.openssh.authorizedKeys.keys = [