Move nextcloud instances to sops-nix
This commit is contained in:
parent
66b8b64e2b
commit
f7cc7cdbc2
5 changed files with 93 additions and 4 deletions
13
.sops.yaml
13
.sops.yaml
|
@ -3,6 +3,8 @@ keys:
|
|||
- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||
- &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
|
||||
- &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
|
||||
- &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
|
||||
- &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
|
||||
- &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
|
||||
creation_rules:
|
||||
- path_regex: ^secrets/helium/.*\.yaml$
|
||||
|
@ -25,6 +27,17 @@ creation_rules:
|
|||
- age:
|
||||
- *vili-bw
|
||||
- *forgejo
|
||||
- path_regex: ^secrets/idacloud.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *vili-bw
|
||||
- *idacloud
|
||||
- path_regex: ^secrets/nextcloud.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *vili-bw
|
||||
- *idacloud
|
||||
- *nextcloud
|
||||
- path_regex: ^secrets/vaultwarden.yaml$
|
||||
key_groups:
|
||||
- age:
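Review bot: The new `^secrets/nextcloud.yaml$` rule encrypts that file to both the `*idacloud` and `*nextcloud` host keys, and the shared `servers/nextcloud.nix` module points every instance at the same `admin-pass` inside it, so one admin password is decryptable by each Nextcloud host and compromise of either host's age identity exposes the other's admin login. Consider one secrets file per host, following the existing `^secrets/helium/.*\.yaml$` pattern, e.g. `- path_regex: ^secrets/idacloud/.*\.yaml$` with only `*vili-bw` and `*idacloud` as recipients, so a host can only decrypt its own credentials. If the files are split that way later, run `sops updatekeys` on each so the age recipient stanzas match these rules.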
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ ... }:
|
||||
{ config, ... }:
|
||||
{
|
||||
custom.nextcloud_domain = "idacloud.sinerva.eu";
|
||||
services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];
|
||||
|
@ -10,6 +10,19 @@
|
|||
../../servers/nextcloud.nix
|
||||
];
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
priv-idacloud-wg = {
|
||||
sopsFile = ../../secrets/idacloud.yaml;
|
||||
restartUnits = [ "wg-quick-wg0.service" ];
|
||||
};
|
||||
psk-laptop-idacloud-wg = {
|
||||
sopsFile = ../../secrets/idacloud.yaml;
|
||||
restartUnits = [ "wg-quick-wg0.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Networking conf including WireGuard
|
||||
networking = {
|
||||
firewall.allowedUDPPorts = [ 51822 ];
|
||||
|
@ -17,20 +30,21 @@
|
|||
wg-quick.interfaces = {
|
||||
wg0 = {
|
||||
address = [ "10.1.0.1/24" ];
|
||||
privateKeyFile = "/root/wireguard-keys/privatekey";
|
||||
privateKeyFile = config.sops.secrets.priv-idacloud-wg.path;
|
||||
listenPort = 51822;
|
||||
|
||||
peers = [
|
||||
# Laptop
|
||||
{
|
||||
publicKey = "qJl6XBAGlmGHLre+RoCLUsZUrOrDgGoinREHFiw29ys=";
|
||||
presharedKeyFile = "/root/wireguard-keys/psk1";
|
||||
presharedKeyFile = config.sops.secrets.psk-laptop-idacloud-wg.path;
|
||||
allowedIPs = [ "10.1.0.2/32" ];
|
||||
}
|
||||
# Phone
|
||||
# {
|
||||
# publicKey = "TODO";
|
||||
# presharedKeyFile = "/root/wireguard-keys/psk2";
|
||||
# presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path;
|
||||
# allowedIPs = [ "10.1.0.3/32" ];
|
||||
# }
|
||||
];
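Review bot: The commented-out phone peer now carries both the stale `# presharedKeyFile = "/root/wireguard-keys/psk2";` line and the new `config.sops.secrets.psk-phone-idacloud-wg.path` line, but no `psk-phone-idacloud-wg` entry is declared in the `sops.secrets` set added above nor present in `secrets/idacloud.yaml`, so uncommenting that block will fail at evaluation with a missing attribute. Drop the stale line and either add the secret now or mark the intent, e.g. `# presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path; # TODO: declare in sops.secrets and secrets/idacloud.yaml first`. Since the private key and PSK previously lived as plaintext files under `/root/wireguard-keys/`, remove those files once the switch is deployed, or rotate the keypair if they may have been exposed, otherwise the migration leaves the old copies behind. The `wg0` interface definition continues past the end of the hunk.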
|
||||
|
|
26
secrets/idacloud.yaml
Normal file
26
secrets/idacloud.yaml
Normal file
|
@ -0,0 +1,26 @@
|
|||
priv-idacloud-wg: ENC[AES256_GCM,data:F4gO/7noS1MsNJz/LMyXB4fCFIHvLD6hWXdPVbOSicxxGLidShcoJTrpOwA=,iv:ihJcx99h+gRlEkVFuDXPVNrhZf2oHlPPqwfTH5VBwFA=,tag:JuwDu5zz+IfOkl725xo+EA==,type:str]
|
||||
psk-laptop-idacloud-wg: ENC[AES256_GCM,data:zufIOEf9UGVWQySHep7nkx6NFi3TR0pTU9rWk1SlOyTiB/quzkufuo4sa24=,iv:n7yuH0cT/4vX7N646dDwtUQGexZSrKl5jnlghXYvJjg=,tag:+vHPotKeVHWEvONR+njz1Q==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpS2gxcWV4ak1XdXFtMmtp
|
||||
bG5TR3djbHgrWU9sZUJmVXdwdWRMdGMzOGpVCjVqN2tRNlRtV1VLbWFIV25iYUU0
|
||||
Mmg2bTU5d0xIMmliN2kxT2RHRS9sanMKLS0tIGxYd2NJdXZwOFhWNHlZRUZJRDM2
|
||||
dDhSU1ZQMXJMdUF2SHJCMm1vZlpDYmsKDW3f6KtDxjP/WzJumlo9ZeMLRuFKAMcO
|
||||
jmRGKmaA910KXicjruq4D6021kWT/sjTb2lY4Ns+ikWLLeyiNhN2ww==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWWlYN1lpZ1lGOEJsTzlB
|
||||
YWh5dnZkdkZNMEI3Z0tHZytodXJHVFlLOEZrClpFT1FNeWpnM2NBK2djSy83aTR3
|
||||
OVFac3FWakd0OXljZEd3Vzd0RGxOaVkKLS0tIGlwbXYwMkh1LzQxSzV4eDRQSVlQ
|
||||
M1lKeVA4MjdzOTM4eXBmRDc2cy9IZVkK0dTAu1FbkkHyJy3e14p3OQtfsJhZNp6W
|
||||
tCoompCP8m1KkHOaRLWS53vrI1yt7N86KpqW9nhSfg2MFucB4+i50A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-21T13:34:03Z"
|
||||
mac: ENC[AES256_GCM,data:tTUeWl7RnpzaJUh4pNzIVN0QbbLfB6UXsIXZMM898vb460IRF8Xc/eKFGbf/vtm0shZ3XjW6Em2kJFnUG2ZgoNqJSW3VGkCEg2t5v9mRiH0V/mZV3ljXglZSj7AWEmZZn76vbCHwOstGwTqLYrQ/xnMz4Wr3hUOLMWmNId+9oUI=,iv:E4lJquflKb2MPci9zYpMP8243W0LJ48UqrMW5w0l9NM=,tag:8+U1W/vOaRU4IdTtr8HOUw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
34
secrets/nextcloud.yaml
Normal file
34
secrets/nextcloud.yaml
Normal file
|
@ -0,0 +1,34 @@
|
|||
admin-pass: ENC[AES256_GCM,data:xyiLD3YwkJ1CwQ==,iv:VasrF7TNjkiR9aVWUiZYP6uVS8rHPXozzApeYafF7Rw=,tag:E9fz/d3yhLxuu+fbCOsIcQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNW43cVMzdnI2L0NpRVZ1
|
||||
VTBocVNRRTVoaVlsWFZ6RHZIQkp6MDF3ajMwCm5tQ1REYjkxcG1kdVRLWCtRalVz
|
||||
cHdqanNuZkdMU1ZpZWdzUWxyOVJwbmsKLS0tIEx3T0drakJ3ZkRYZElEbEJvZEM2
|
||||
dytuWSsrVW9iRGNqTjN0bmNQd3hkODAKFFY88Y3cn+OB4UnvtSZJDINMYwz47cJo
|
||||
u/HMDjlcFsC7KWR5sXFjytG73MjrIBUMTBp9C6hjgfoUfzw+4AzCDg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRDNjNFVob0huQ0RKaFcz
|
||||
R05SVlBvUloyL1VVUlVHeHoycXI3K0NJeEVVCmFWZ1dwMysrTlVZZFRhN05LRDVC
|
||||
Q2x5ek1paUp2cGJmMDZEZmp6RkU1eFkKLS0tIDRBK2FSUkU3TS9Rb0VjTGFhV1pE
|
||||
K25UQ3FKQzYzdUYyUjF2VkVGYytybncK4LKit4bQQ4ldhGYGQK5RWHIaQhDef8Fk
|
||||
NTQkrdl+i6lR8DemERL055WUxWeyVUtgkevK5ihVd0tfPZwasRrhVQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVTBSeC9KK2hXZEtVUzhC
|
||||
S2c1YWNiUDVFZlBkQWZpN3V6eTBWWTFCMnpBCnZIN3dabXowSGgrb045T2tpUlZY
|
||||
cDBiSmNFZVdMY0pncnFiNzVQbVRkSmsKLS0tIDNDYTBzTm9WVzFmZjNMT0h0SWxm
|
||||
MVA2V2Rnb0l2emU0YjI1dDVETStwbGMKjFdGEZwe3eqZjkIjHNNb3La2BaEAvZGB
|
||||
Drs8PPefAWzLHVAiI1nctyniBgNtP7JE/HO0fLkATqJHOGgwnjncYA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-21T13:24:40Z"
|
||||
mac: ENC[AES256_GCM,data:mrXZkOlLJBrTcBzetxOdshkIwoYUdO2bzRtOk+DRO8iuc75QpzZqze/1rGiumq4Y5rWxGOj4Z7vZjol5CqpiTq9wo2+2A8IoTkta+5B2FzlkjUzJiVi12szyOgMhcvPDYBtQ+BVUo6PqF3TOT1Vt8KBgga9t4jthVoWDdXe5uUU=,iv:VqImyU5562FPF6/SrzjLz2Mmsp0wzvdralmEZagVW7Q=,tag:SQ+pdA2TOyP0x5sT1au27w==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
|
@ -25,6 +25,8 @@
|
|||
|
||||
config = lib.mkMerge [
|
||||
{
|
||||
sops.secrets.admin-pass.sopsFile = ../secrets/nextcloud.yaml;
|
||||
|
||||
services = {
|
||||
nextcloud = {
|
||||
package = pkgs.nextcloud31;
|
||||
|
@ -35,7 +37,7 @@
|
|||
maxUploadSize = "512M"; # Default
|
||||
config = {
|
||||
dbtype = "sqlite";
|
||||
adminpassFile = "/var/lib/nextcloud/adminpass";
|
||||
adminpassFile = config.sops.secrets.admin-pass.path;
|
||||
};
|
||||
settings = {
|
||||
overwriteprotocol = "https";
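Review bot: `adminpassFile = config.sops.secrets.admin-pass.path` points at a sops-nix secret with the default owner `root` and mode `0400`, while the nixpkgs `nextcloud-setup` service that reads `adminpassFile` runs as the `nextcloud` user as far as I recall (confirm for the pinned nixpkgs), so first-time setup would fail with a permission error unless the secret is made readable, e.g. `sops.secrets.admin-pass = { sopsFile = ../secrets/nextcloud.yaml; owner = "nextcloud"; };`. Note also that `adminpassFile` is only consumed on the initial installation, so for instances that are already installed this change does not rotate the admin password and the sops value must match what is already in the database. Separately, the `admin-pass` ciphertext in `secrets/nextcloud.yaml` is 10 bytes (`data:xyiLD3YwkJ1CwQ==`; AES-GCM does not hide plaintext length), which suggests a short admin password worth strengthening now that it is being re-provisioned. The `config = lib.mkMerge [` list opened in this hunk closes outside it.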
|
||||
|
|