From f7cc7cdbc2562ad889cc947794365c8ab0f761f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vili=20Sinerv=C3=A4?= Date: Sat, 21 Jun 2025 16:36:41 +0300 Subject: [PATCH] Move nextcloud instances to sops-nix --- .sops.yaml | 13 ++++++++++++ hosts/idacloud/configuration.nix | 20 ++++++++++++++++--- secrets/idacloud.yaml | 26 ++++++++++++++++++++++++ secrets/nextcloud.yaml | 34 ++++++++++++++++++++++++++++++++ servers/nextcloud.nix | 4 +++- 5 files changed, 93 insertions(+), 4 deletions(-) create mode 100644 secrets/idacloud.yaml create mode 100644 secrets/nextcloud.yaml diff --git a/.sops.yaml b/.sops.yaml index 9761882..c29295e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,8 @@ keys: - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q - &ci age18k4drn9kuhu5qk8cqfd390nv9r0pq0qql6s76hkhzefxskwnscxsqm78q4 - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7 + - &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 + - &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 creation_rules: - path_regex: ^secrets/helium/.*\.yaml$ @@ -25,6 +27,17 @@ creation_rules: - age: - *vili-bw - *forgejo + - path_regex: ^secrets/idacloud.yaml$ + key_groups: + - age: + - *vili-bw + - *idacloud + - path_regex: ^secrets/nextcloud.yaml$ + key_groups: + - age: + - *vili-bw + - *idacloud + - *nextcloud - path_regex: ^secrets/vaultwarden.yaml$ key_groups: - age: diff --git a/hosts/idacloud/configuration.nix b/hosts/idacloud/configuration.nix index 07ad6fa..0b6a776 100644 --- a/hosts/idacloud/configuration.nix +++ b/hosts/idacloud/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, ... }: { custom.nextcloud_domain = "idacloud.sinerva.eu"; services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ]; 
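Review bot: The new `^secrets/nextcloud.yaml$` rule encrypts a single file to both the `idacloud` and `nextcloud` host keys, so each host's age key can decrypt the other instance's Nextcloud admin password and a compromise of either machine exposes both. If the two instances are meant to be independent, a per-host secrets file (for example an `admin-pass` entry inside `secrets/idacloud.yaml`, which is already scoped to that host) keeps the blast radius to one machine. As a minor point, the `.` in the new `path_regex` values is unescaped, which matches the existing rules but means the pattern is broader than intended; `^secrets/idacloud\.yaml$` is the precise form.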
@@ -10,6 +10,19 @@ ../../servers/nextcloud.nix ]; + sops = { + secrets = { + priv-idacloud-wg = { + sopsFile = ../../secrets/idacloud.yaml; + restartUnits = [ "wg-quick-wg0.service" ]; + }; + psk-laptop-idacloud-wg = { + sopsFile = ../../secrets/idacloud.yaml; + restartUnits = [ "wg-quick-wg0.service" ]; + }; + }; + }; + # Networking conf including WireGuard networking = { firewall.allowedUDPPorts = [ 51822 ]; @@ -17,20 +30,21 @@ wg-quick.interfaces = { wg0 = { address = [ "10.1.0.1/24" ]; - privateKeyFile = "/root/wireguard-keys/privatekey"; + privateKeyFile = config.sops.secrets.priv-idacloud-wg.path; listenPort = 51822; peers = [ # Laptop { publicKey = "qJl6XBAGlmGHLre+RoCLUsZUrOrDgGoinREHFiw29ys="; - presharedKeyFile = "/root/wireguard-keys/psk1"; + presharedKeyFile = config.sops.secrets.psk-laptop-idacloud-wg.path; allowedIPs = [ "10.1.0.2/32" ]; } # Phone # { # publicKey = "TODO"; # presharedKeyFile = "/root/wireguard-keys/psk2"; + # presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path; # allowedIPs = [ "10.1.0.3/32" ]; # } ]; diff --git a/secrets/idacloud.yaml b/secrets/idacloud.yaml new file mode 100644 index 0000000..87fbec5 --- /dev/null +++ b/secrets/idacloud.yaml 
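Review bot: The two sops secrets declared here take sops-nix's defaults of owner root and mode 0400, which as far as I can tell is what `wg-quick-wg0.service` needs since it runs as root, so the permissions look right; a one-line comment such as `# defaults to root:0400, which wg-quick (running as root) can read` would make that intent explicit to the next person who adds a secret with a non-root consumer. What the commit does not address is the plaintext key material that presumably still sits in `/root/wireguard-keys/` on the host now that nothing references it: either remove those files after the first successful deploy or, better, rotate the WireGuard keypair so that the only copy of the private key is the one under sops. The enclosing module attrset starts before this hunk and ends after it.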
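Review bot: The commented-out Phone peer now carries both the old `# presharedKeyFile = "/root/wireguard-keys/psk2";` and the new sops line; drop the old one so the block can be uncommented without reviving the plaintext path. Uncommenting it will also fail to evaluate until `psk-phone-idacloud-wg` exists both as an entry in `secrets/idacloud.yaml` and as a declaration under `sops.secrets` (only the laptop PSK is declared in the hunk above), so a note like `# TODO: add psk-phone-idacloud-wg to secrets/idacloud.yaml and sops.secrets before enabling` next to the `TODO` public key would save a surprise later. The `wg0` interface definition begins before this hunk and the enclosing `networking` set ends after it.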
@@ -0,0 +1,26 @@ +priv-idacloud-wg: ENC[AES256_GCM,data:F4gO/7noS1MsNJz/LMyXB4fCFIHvLD6hWXdPVbOSicxxGLidShcoJTrpOwA=,iv:ihJcx99h+gRlEkVFuDXPVNrhZf2oHlPPqwfTH5VBwFA=,tag:JuwDu5zz+IfOkl725xo+EA==,type:str] +psk-laptop-idacloud-wg: ENC[AES256_GCM,data:zufIOEf9UGVWQySHep7nkx6NFi3TR0pTU9rWk1SlOyTiB/quzkufuo4sa24=,iv:n7yuH0cT/4vX7N646dDwtUQGexZSrKl5jnlghXYvJjg=,tag:+vHPotKeVHWEvONR+njz1Q==,type:str] +sops: + age: + - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpS2gxcWV4ak1XdXFtMmtp + bG5TR3djbHgrWU9sZUJmVXdwdWRMdGMzOGpVCjVqN2tRNlRtV1VLbWFIV25iYUU0 + Mmg2bTU5d0xIMmliN2kxT2RHRS9sanMKLS0tIGxYd2NJdXZwOFhWNHlZRUZJRDM2 + dDhSU1ZQMXJMdUF2SHJCMm1vZlpDYmsKDW3f6KtDxjP/WzJumlo9ZeMLRuFKAMcO + jmRGKmaA910KXicjruq4D6021kWT/sjTb2lY4Ns+ikWLLeyiNhN2ww== + -----END AGE ENCRYPTED FILE----- + - recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWWlYN1lpZ1lGOEJsTzlB + YWh5dnZkdkZNMEI3Z0tHZytodXJHVFlLOEZrClpFT1FNeWpnM2NBK2djSy83aTR3 + OVFac3FWakd0OXljZEd3Vzd0RGxOaVkKLS0tIGlwbXYwMkh1LzQxSzV4eDRQSVlQ + M1lKeVA4MjdzOTM4eXBmRDc2cy9IZVkK0dTAu1FbkkHyJy3e14p3OQtfsJhZNp6W + tCoompCP8m1KkHOaRLWS53vrI1yt7N86KpqW9nhSfg2MFucB4+i50A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-21T13:34:03Z" + mac: ENC[AES256_GCM,data:tTUeWl7RnpzaJUh4pNzIVN0QbbLfB6UXsIXZMM898vb460IRF8Xc/eKFGbf/vtm0shZ3XjW6Em2kJFnUG2ZgoNqJSW3VGkCEg2t5v9mRiH0V/mZV3ljXglZSj7AWEmZZn76vbCHwOstGwTqLYrQ/xnMz4Wr3hUOLMWmNId+9oUI=,iv:E4lJquflKb2MPci9zYpMP8243W0LJ48UqrMW5w0l9NM=,tag:8+U1W/vOaRU4IdTtr8HOUw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/secrets/nextcloud.yaml b/secrets/nextcloud.yaml new file mode 100644 index 0000000..bd15953 --- /dev/null +++ b/secrets/nextcloud.yaml 
@@ -0,0 +1,34 @@ +admin-pass: ENC[AES256_GCM,data:xyiLD3YwkJ1CwQ==,iv:VasrF7TNjkiR9aVWUiZYP6uVS8rHPXozzApeYafF7Rw=,tag:E9fz/d3yhLxuu+fbCOsIcQ==,type:str] +sops: + age: + - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNW43cVMzdnI2L0NpRVZ1 + VTBocVNRRTVoaVlsWFZ6RHZIQkp6MDF3ajMwCm5tQ1REYjkxcG1kdVRLWCtRalVz + cHdqanNuZkdMU1ZpZWdzUWxyOVJwbmsKLS0tIEx3T0drakJ3ZkRYZElEbEJvZEM2 + dytuWSsrVW9iRGNqTjN0bmNQd3hkODAKFFY88Y3cn+OB4UnvtSZJDINMYwz47cJo + u/HMDjlcFsC7KWR5sXFjytG73MjrIBUMTBp9C6hjgfoUfzw+4AzCDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRDNjNFVob0huQ0RKaFcz + R05SVlBvUloyL1VVUlVHeHoycXI3K0NJeEVVCmFWZ1dwMysrTlVZZFRhN05LRDVC + Q2x5ek1paUp2cGJmMDZEZmp6RkU1eFkKLS0tIDRBK2FSUkU3TS9Rb0VjTGFhV1pE + K25UQ3FKQzYzdUYyUjF2VkVGYytybncK4LKit4bQQ4ldhGYGQK5RWHIaQhDef8Fk + NTQkrdl+i6lR8DemERL055WUxWeyVUtgkevK5ihVd0tfPZwasRrhVQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVTBSeC9KK2hXZEtVUzhC + S2c1YWNiUDVFZlBkQWZpN3V6eTBWWTFCMnpBCnZIN3dabXowSGgrb045T2tpUlZY + cDBiSmNFZVdMY0pncnFiNzVQbVRkSmsKLS0tIDNDYTBzTm9WVzFmZjNMT0h0SWxm + MVA2V2Rnb0l2emU0YjI1dDVETStwbGMKjFdGEZwe3eqZjkIjHNNb3La2BaEAvZGB + Drs8PPefAWzLHVAiI1nctyniBgNtP7JE/HO0fLkATqJHOGgwnjncYA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-21T13:24:40Z" + mac: ENC[AES256_GCM,data:mrXZkOlLJBrTcBzetxOdshkIwoYUdO2bzRtOk+DRO8iuc75QpzZqze/1rGiumq4Y5rWxGOj4Z7vZjol5CqpiTq9wo2+2A8IoTkta+5B2FzlkjUzJiVi12szyOgMhcvPDYBtQ+BVUo6PqF3TOT1Vt8KBgga9t4jthVoWDdXe5uUU=,iv:VqImyU5562FPF6/SrzjLz2Mmsp0wzvdralmEZagVW7Q=,tag:SQ+pdA2TOyP0x5sT1au27w==,type:str] + unencrypted_suffix: _unencrypted + version: 
3.10.2 diff --git a/servers/nextcloud.nix b/servers/nextcloud.nix index 09af890..891cd29 100644 --- a/servers/nextcloud.nix +++ b/servers/nextcloud.nix @@ -25,6 +25,8 @@ config = lib.mkMerge [ { + sops.secrets.admin-pass.sopsFile = ../secrets/nextcloud.yaml; + services = { nextcloud = { package = pkgs.nextcloud31; @@ -35,7 +37,7 @@ maxUploadSize = "512M"; # Default config = { dbtype = "sqlite"; - adminpassFile = "/var/lib/nextcloud/adminpass"; + adminpassFile = config.sops.secrets.admin-pass.path; }; settings = { overwriteprotocol = "https";
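Review bot: `sops.secrets.admin-pass` is declared with only `sopsFile`, so the decrypted file is installed with sops-nix's defaults of owner root and mode 0400, yet the NixOS `adminpassFile` option documents that the file must be readable by the `nextcloud` user (as far as I recall the setup step that creates the admin account runs as that user and aborts if it cannot read the file), so a fresh install on a new host would fail with a permission error on the path. Declaring the owner next to the file fixes it: `sops.secrets.admin-pass = { sopsFile = ../secrets/nextcloud.yaml; owner = "nextcloud"; };`. Since this module is shared by every Nextcloud host and `secrets/nextcloud.yaml` is encrypted to more than one host key, all instances receive the same admin password; if that is deliberate, say so in a comment on the `sops.secrets` line, otherwise split it per host. The `config = lib.mkMerge [` attrset begins and ends outside the hunk, and the change also assumes the module's argument set includes `config`, which is not visible here.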