Move nextcloud instances to sops-nix

This commit is contained in:
Vili Sinervä 2025-06-21 16:36:41 +03:00
parent 66b8b64e2b
commit f7cc7cdbc2
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
5 changed files with 93 additions and 4 deletions


@ -3,6 +3,8 @@ keys:
- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
- &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4
- &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
- &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
- &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
- &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
creation_rules:
- path_regex: ^secrets/helium/.*\.yaml$
@ -25,6 +27,17 @@ creation_rules:
- age:
- *vili-bw
- *forgejo
- path_regex: ^secrets/idacloud.yaml$
key_groups:
- age:
- *vili-bw
- *idacloud
- path_regex: ^secrets/nextcloud.yaml$
key_groups:
- age:
- *vili-bw
- *idacloud
- *nextcloud
- path_regex: ^secrets/vaultwarden.yaml$
key_groups:
- age:
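Review bot: The new `^secrets/nextcloud.yaml$` rule lists both the `idacloud` and the `nextcloud` host keys, so every value in that file (currently only `admin-pass`) is decryptable by both instances and is by construction the same value on both; each host can also read what was meant for the other. If the two instances are supposed to have independent admin credentials, the per-host pattern already used for `^secrets/idacloud.yaml$` (host key plus `*vili-bw` only) fits better, with the idacloud admin password living in `secrets/idacloud.yaml`. If the sharing is deliberate, a comment on the rule such as `# shared by every Nextcloud instance: values here must be valid on all of them` would stop a later edit from adding an instance-specific secret to it.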


@ -1,4 +1,4 @@
{ ... }:
{ config, ... }:
{
custom.nextcloud_domain = "idacloud.sinerva.eu";
services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];
@ -10,6 +10,19 @@
../../servers/nextcloud.nix
];
sops = {
secrets = {
priv-idacloud-wg = {
sopsFile = ../../secrets/idacloud.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
psk-laptop-idacloud-wg = {
sopsFile = ../../secrets/idacloud.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
};
};
# Networking conf including WireGuard
networking = {
firewall.allowedUDPPorts = [ 51822 ];
@ -17,20 +30,21 @@
wg-quick.interfaces = {
wg0 = {
address = [ "10.1.0.1/24" ];
privateKeyFile = "/root/wireguard-keys/privatekey";
privateKeyFile = config.sops.secrets.priv-idacloud-wg.path;
listenPort = 51822;
peers = [
# Laptop
{
publicKey = "qJl6XBAGlmGHLre+RoCLUsZUrOrDgGoinREHFiw29ys=";
presharedKeyFile = "/root/wireguard-keys/psk1";
presharedKeyFile = config.sops.secrets.psk-laptop-idacloud-wg.path;
allowedIPs = [ "10.1.0.2/32" ];
}
# Phone
# {
# publicKey = "TODO";
# presharedKeyFile = "/root/wireguard-keys/psk2";
# presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path;
# allowedIPs = [ "10.1.0.3/32" ];
# }
];
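Review bot: The commented-out phone peer now reads `config.sops.secrets.psk-phone-idacloud-wg.path`, but the `sops.secrets` block added in the same file declares only `priv-idacloud-wg` and `psk-laptop-idacloud-wg`, so uncommenting the peer as written will fail evaluation on the missing attribute. A note next to it avoids that surprise: `# before enabling: add psk-phone-idacloud-wg under sops.secrets and to secrets/idacloud.yaml`. Separately, the old `/root/wireguard-keys/privatekey` and `psk1` files that the replaced lines pointed at are not touched by this change and presumably remain on already-deployed hosts; removing them once the sops-provided paths are confirmed working avoids keeping a second, unmanaged copy of the private key. The enclosing `wg0` attribute set and the module continue outside the hunk.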

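--- /dev/null
+++ b/secrets/idacloud.yaml
@@ -0,0 +1,26 @@
+priv-idacloud-wg: ENC[AES256_GCM,data:F4gO/7noS1MsNJz/LMyXB4fCFIHvLD6hWXdPVbOSicxxGLidShcoJTrpOwA=,iv:ihJcx99h+gRlEkVFuDXPVNrhZf2oHlPPqwfTH5VBwFA=,tag:JuwDu5zz+IfOkl725xo+EA==,type:str]
+psk-laptop-idacloud-wg: ENC[AES256_GCM,data:zufIOEf9UGVWQySHep7nkx6NFi3TR0pTU9rWk1SlOyTiB/quzkufuo4sa24=,iv:n7yuH0cT/4vX7N646dDwtUQGexZSrKl5jnlghXYvJjg=,tag:+vHPotKeVHWEvONR+njz1Q==,type:str]
+sops:
+age:
+- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpS2gxcWV4ak1XdXFtMmtp
+bG5TR3djbHgrWU9sZUJmVXdwdWRMdGMzOGpVCjVqN2tRNlRtV1VLbWFIV25iYUU0
+Mmg2bTU5d0xIMmliN2kxT2RHRS9sanMKLS0tIGxYd2NJdXZwOFhWNHlZRUZJRDM2
+dDhSU1ZQMXJMdUF2SHJCMm1vZlpDYmsKDW3f6KtDxjP/WzJumlo9ZeMLRuFKAMcO
+jmRGKmaA910KXicjruq4D6021kWT/sjTb2lY4Ns+ikWLLeyiNhN2ww==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWWlYN1lpZ1lGOEJsTzlB
+YWh5dnZkdkZNMEI3Z0tHZytodXJHVFlLOEZrClpFT1FNeWpnM2NBK2djSy83aTR3
+OVFac3FWakd0OXljZEd3Vzd0RGxOaVkKLS0tIGlwbXYwMkh1LzQxSzV4eDRQSVlQ
+M1lKeVA4MjdzOTM4eXBmRDc2cy9IZVkK0dTAu1FbkkHyJy3e14p3OQtfsJhZNp6W
+tCoompCP8m1KkHOaRLWS53vrI1yt7N86KpqW9nhSfg2MFucB4+i50A==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-06-21T13:34:03Z"
+mac: ENC[AES256_GCM,data:tTUeWl7RnpzaJUh4pNzIVN0QbbLfB6UXsIXZMM898vb460IRF8Xc/eKFGbf/vtm0shZ3XjW6Em2kJFnUG2ZgoNqJSW3VGkCEg2t5v9mRiH0V/mZV3ljXglZSj7AWEmZZn76vbCHwOstGwTqLYrQ/xnMz4Wr3hUOLMWmNId+9oUI=,iv:E4lJquflKb2MPci9zYpMP8243W0LJ48UqrMW5w0l9NM=,tag:8+U1W/vOaRU4IdTtr8HOUw==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2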

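--- /dev/null
+++ b/secrets/nextcloud.yaml
@@ -0,0 +1,34 @@
+admin-pass: ENC[AES256_GCM,data:xyiLD3YwkJ1CwQ==,iv:VasrF7TNjkiR9aVWUiZYP6uVS8rHPXozzApeYafF7Rw=,tag:E9fz/d3yhLxuu+fbCOsIcQ==,type:str]
+sops:
+age:
+- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNW43cVMzdnI2L0NpRVZ1
+VTBocVNRRTVoaVlsWFZ6RHZIQkp6MDF3ajMwCm5tQ1REYjkxcG1kdVRLWCtRalVz
+cHdqanNuZkdMU1ZpZWdzUWxyOVJwbmsKLS0tIEx3T0drakJ3ZkRYZElEbEJvZEM2
+dytuWSsrVW9iRGNqTjN0bmNQd3hkODAKFFY88Y3cn+OB4UnvtSZJDINMYwz47cJo
+u/HMDjlcFsC7KWR5sXFjytG73MjrIBUMTBp9C6hjgfoUfzw+4AzCDg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRDNjNFVob0huQ0RKaFcz
+R05SVlBvUloyL1VVUlVHeHoycXI3K0NJeEVVCmFWZ1dwMysrTlVZZFRhN05LRDVC
+Q2x5ek1paUp2cGJmMDZEZmp6RkU1eFkKLS0tIDRBK2FSUkU3TS9Rb0VjTGFhV1pE
+K25UQ3FKQzYzdUYyUjF2VkVGYytybncK4LKit4bQQ4ldhGYGQK5RWHIaQhDef8Fk
+NTQkrdl+i6lR8DemERL055WUxWeyVUtgkevK5ihVd0tfPZwasRrhVQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVTBSeC9KK2hXZEtVUzhC
+S2c1YWNiUDVFZlBkQWZpN3V6eTBWWTFCMnpBCnZIN3dabXowSGgrb045T2tpUlZY
+cDBiSmNFZVdMY0pncnFiNzVQbVRkSmsKLS0tIDNDYTBzTm9WVzFmZjNMT0h0SWxm
+MVA2V2Rnb0l2emU0YjI1dDVETStwbGMKjFdGEZwe3eqZjkIjHNNb3La2BaEAvZGB
+Drs8PPefAWzLHVAiI1nctyniBgNtP7JE/HO0fLkATqJHOGgwnjncYA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-06-21T13:24:40Z"
+mac: ENC[AES256_GCM,data:mrXZkOlLJBrTcBzetxOdshkIwoYUdO2bzRtOk+DRO8iuc75QpzZqze/1rGiumq4Y5rWxGOj4Z7vZjol5CqpiTq9wo2+2A8IoTkta+5B2FzlkjUzJiVi12szyOgMhcvPDYBtQ+BVUo6PqF3TOT1Vt8KBgga9t4jthVoWDdXe5uUU=,iv:VqImyU5562FPF6/SrzjLz2Mmsp0wzvdralmEZagVW7Q=,tag:SQ+pdA2TOyP0x5sT1au27w==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2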


@ -25,6 +25,8 @@
config = lib.mkMerge [
{
sops.secrets.admin-pass.sopsFile = ../secrets/nextcloud.yaml;
services = {
nextcloud = {
package = pkgs.nextcloud31;
@ -35,7 +37,7 @@
maxUploadSize = "512M"; # Default
config = {
dbtype = "sqlite";
adminpassFile = "/var/lib/nextcloud/adminpass";
adminpassFile = config.sops.secrets.admin-pass.path;
};
settings = {
overwriteprotocol = "https";
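Review bot: `sops.secrets.admin-pass` is declared with only `sopsFile`, so sops-nix's defaults apply to the decrypted file (owner root, mode 0400), while the NixOS `services.nextcloud.config.adminpassFile` option documents that the file must be readable by the `nextcloud` user; `nextcloud-setup` runs as that user, so the path assigned at `adminpassFile = config.sops.secrets.admin-pass.path` would be unreadable at least on the initial setup run unless the mode or owner is overridden somewhere outside this hunk. Declaring the owner with the file avoids that: `sops.secrets.admin-pass = { sopsFile = ../secrets/nextcloud.yaml; owner = "nextcloud"; };`. The previous plaintext copy at `/var/lib/nextcloud/adminpass` is not removed by this change and presumably still exists on hosts that were already deployed; deleting it once the sops path is confirmed working avoids leaving a stale unmanaged secret on disk. The `lib.mkMerge` list and the module function enclosing both hunks continue outside the hunk.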