Move nextcloud instances to sops-nix

2025-06-21 16:36:41 +03:00 · 2025-06-21 16:36:41 +03:00 · f7cc7cdbc2
commit f7cc7cdbc2
parent 66b8b64e2b
5 changed files with 93 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,8 @@ keys:
  - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
  - &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
  - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
+  - &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
+  - &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
  - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
 creation_rules:
  - path_regex: ^secrets/helium/.*\.yaml$
@ -25,6 +27,17 @@ creation_rules:
    - age:
      - *vili-bw
      - *forgejo
+  - path_regex: ^secrets/idacloud.yaml$
+    key_groups:
+    - age:
+      - *vili-bw
+      - *idacloud
+  - path_regex: ^secrets/nextcloud.yaml$
+    key_groups:
+    - age:
+      - *vili-bw
+      - *idacloud
+      - *nextcloud
  - path_regex: ^secrets/vaultwarden.yaml$
    key_groups:
    - age:
--- a/hosts/idacloud/configuration.nix
+++ b/hosts/idacloud/configuration.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  custom.nextcloud_domain = "idacloud.sinerva.eu";
  services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];
@ -10,6 +10,19 @@
    ../../servers/nextcloud.nix
  ];

+  sops = {
+    secrets = {
+      priv-idacloud-wg = {
+        sopsFile = ../../secrets/idacloud.yaml;
+        restartUnits = [ "wg-quick-wg0.service" ];
+      };
+      psk-laptop-idacloud-wg = {
+        sopsFile = ../../secrets/idacloud.yaml;
+        restartUnits = [ "wg-quick-wg0.service" ];
+      };
+    };
+  };
+
  # Networking conf including WireGuard
  networking = {
    firewall.allowedUDPPorts = [ 51822 ];
@ -17,20 +30,21 @@
    wg-quick.interfaces = {
      wg0 = {
        address = [ "10.1.0.1/24" ];
-        privateKeyFile = "/root/wireguard-keys/privatekey";
+        privateKeyFile = config.sops.secrets.priv-idacloud-wg.path;
        listenPort = 51822;

        peers = [
          # Laptop
          {
            publicKey = "qJl6XBAGlmGHLre+RoCLUsZUrOrDgGoinREHFiw29ys=";
-            presharedKeyFile = "/root/wireguard-keys/psk1";
+            presharedKeyFile = config.sops.secrets.psk-laptop-idacloud-wg.path;
            allowedIPs = [ "10.1.0.2/32" ];
          }
          # Phone
          #          {
          #            publicKey = "TODO";
          #            presharedKeyFile = "/root/wireguard-keys/psk2";
+          #            presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path;
          #            allowedIPs = [ "10.1.0.3/32" ];
          #          }
        ];
--- a/secrets/idacloud.yaml
+++ b/secrets/idacloud.yaml
@ -0,0 +1,26 @@
+priv-idacloud-wg: ENC[AES256_GCM,data:F4gO/7noS1MsNJz/LMyXB4fCFIHvLD6hWXdPVbOSicxxGLidShcoJTrpOwA=,iv:ihJcx99h+gRlEkVFuDXPVNrhZf2oHlPPqwfTH5VBwFA=,tag:JuwDu5zz+IfOkl725xo+EA==,type:str]
+psk-laptop-idacloud-wg: ENC[AES256_GCM,data:zufIOEf9UGVWQySHep7nkx6NFi3TR0pTU9rWk1SlOyTiB/quzkufuo4sa24=,iv:n7yuH0cT/4vX7N646dDwtUQGexZSrKl5jnlghXYvJjg=,tag:+vHPotKeVHWEvONR+njz1Q==,type:str]
+sops:
+    age:
+        - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpS2gxcWV4ak1XdXFtMmtp
+            bG5TR3djbHgrWU9sZUJmVXdwdWRMdGMzOGpVCjVqN2tRNlRtV1VLbWFIV25iYUU0
+            Mmg2bTU5d0xIMmliN2kxT2RHRS9sanMKLS0tIGxYd2NJdXZwOFhWNHlZRUZJRDM2
+            dDhSU1ZQMXJMdUF2SHJCMm1vZlpDYmsKDW3f6KtDxjP/WzJumlo9ZeMLRuFKAMcO
+            jmRGKmaA910KXicjruq4D6021kWT/sjTb2lY4Ns+ikWLLeyiNhN2ww==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWWlYN1lpZ1lGOEJsTzlB
+            YWh5dnZkdkZNMEI3Z0tHZytodXJHVFlLOEZrClpFT1FNeWpnM2NBK2djSy83aTR3
+            OVFac3FWakd0OXljZEd3Vzd0RGxOaVkKLS0tIGlwbXYwMkh1LzQxSzV4eDRQSVlQ
+            M1lKeVA4MjdzOTM4eXBmRDc2cy9IZVkK0dTAu1FbkkHyJy3e14p3OQtfsJhZNp6W
+            tCoompCP8m1KkHOaRLWS53vrI1yt7N86KpqW9nhSfg2MFucB4+i50A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-21T13:34:03Z"
+    mac: ENC[AES256_GCM,data:tTUeWl7RnpzaJUh4pNzIVN0QbbLfB6UXsIXZMM898vb460IRF8Xc/eKFGbf/vtm0shZ3XjW6Em2kJFnUG2ZgoNqJSW3VGkCEg2t5v9mRiH0V/mZV3ljXglZSj7AWEmZZn76vbCHwOstGwTqLYrQ/xnMz4Wr3hUOLMWmNId+9oUI=,iv:E4lJquflKb2MPci9zYpMP8243W0LJ48UqrMW5w0l9NM=,tag:8+U1W/vOaRU4IdTtr8HOUw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/secrets/nextcloud.yaml
+++ b/secrets/nextcloud.yaml
@ -0,0 +1,34 @@
+admin-pass: ENC[AES256_GCM,data:xyiLD3YwkJ1CwQ==,iv:VasrF7TNjkiR9aVWUiZYP6uVS8rHPXozzApeYafF7Rw=,tag:E9fz/d3yhLxuu+fbCOsIcQ==,type:str]
+sops:
+    age:
+        - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNW43cVMzdnI2L0NpRVZ1
+            VTBocVNRRTVoaVlsWFZ6RHZIQkp6MDF3ajMwCm5tQ1REYjkxcG1kdVRLWCtRalVz
+            cHdqanNuZkdMU1ZpZWdzUWxyOVJwbmsKLS0tIEx3T0drakJ3ZkRYZElEbEJvZEM2
+            dytuWSsrVW9iRGNqTjN0bmNQd3hkODAKFFY88Y3cn+OB4UnvtSZJDINMYwz47cJo
+            u/HMDjlcFsC7KWR5sXFjytG73MjrIBUMTBp9C6hjgfoUfzw+4AzCDg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRDNjNFVob0huQ0RKaFcz
+            R05SVlBvUloyL1VVUlVHeHoycXI3K0NJeEVVCmFWZ1dwMysrTlVZZFRhN05LRDVC
+            Q2x5ek1paUp2cGJmMDZEZmp6RkU1eFkKLS0tIDRBK2FSUkU3TS9Rb0VjTGFhV1pE
+            K25UQ3FKQzYzdUYyUjF2VkVGYytybncK4LKit4bQQ4ldhGYGQK5RWHIaQhDef8Fk
+            NTQkrdl+i6lR8DemERL055WUxWeyVUtgkevK5ihVd0tfPZwasRrhVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVTBSeC9KK2hXZEtVUzhC
+            S2c1YWNiUDVFZlBkQWZpN3V6eTBWWTFCMnpBCnZIN3dabXowSGgrb045T2tpUlZY
+            cDBiSmNFZVdMY0pncnFiNzVQbVRkSmsKLS0tIDNDYTBzTm9WVzFmZjNMT0h0SWxm
+            MVA2V2Rnb0l2emU0YjI1dDVETStwbGMKjFdGEZwe3eqZjkIjHNNb3La2BaEAvZGB
+            Drs8PPefAWzLHVAiI1nctyniBgNtP7JE/HO0fLkATqJHOGgwnjncYA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-21T13:24:40Z"
+    mac: ENC[AES256_GCM,data:mrXZkOlLJBrTcBzetxOdshkIwoYUdO2bzRtOk+DRO8iuc75QpzZqze/1rGiumq4Y5rWxGOj4Z7vZjol5CqpiTq9wo2+2A8IoTkta+5B2FzlkjUzJiVi12szyOgMhcvPDYBtQ+BVUo6PqF3TOT1Vt8KBgga9t4jthVoWDdXe5uUU=,iv:VqImyU5562FPF6/SrzjLz2Mmsp0wzvdralmEZagVW7Q=,tag:SQ+pdA2TOyP0x5sT1au27w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/servers/nextcloud.nix
+++ b/servers/nextcloud.nix
@ -25,6 +25,8 @@

  config = lib.mkMerge [
    {
+      sops.secrets.admin-pass.sopsFile = ../secrets/nextcloud.yaml;
+
      services = {
        nextcloud = {
          package = pkgs.nextcloud31;
@ -35,7 +37,7 @@
          maxUploadSize = "512M"; # Default
          config = {
            dbtype = "sqlite";
-            adminpassFile = "/var/lib/nextcloud/adminpass";
+            adminpassFile = config.sops.secrets.admin-pass.path;
          };
          settings = {
            overwriteprotocol = "https";