Move nextcloud instances to sops-nix

2025-06-21 16:36:41 +03:00 · 2025-06-21 16:36:41 +03:00 · f7cc7cdbc2
commit f7cc7cdbc2
parent 66b8b64e2b
5 changed files with 93 additions and 4 deletions
--- a/hosts/idacloud/configuration.nix
+++ b/hosts/idacloud/configuration.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
  custom.nextcloud_domain = "idacloud.sinerva.eu";
  services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];
@ -10,6 +10,19 @@
    ../../servers/nextcloud.nix
  ];

+  sops = {
+    secrets = {
+      priv-idacloud-wg = {
+        sopsFile = ../../secrets/idacloud.yaml;
+        restartUnits = [ "wg-quick-wg0.service" ];
+      };
+      psk-laptop-idacloud-wg = {
+        sopsFile = ../../secrets/idacloud.yaml;
+        restartUnits = [ "wg-quick-wg0.service" ];
+      };
+    };
+  };
+
  # Networking conf including WireGuard
  networking = {
    firewall.allowedUDPPorts = [ 51822 ];
@ -17,20 +30,21 @@
    wg-quick.interfaces = {
      wg0 = {
        address = [ "10.1.0.1/24" ];
-        privateKeyFile = "/root/wireguard-keys/privatekey";
+        privateKeyFile = config.sops.secrets.priv-idacloud-wg.path;
        listenPort = 51822;

        peers = [
          # Laptop
          {
            publicKey = "qJl6XBAGlmGHLre+RoCLUsZUrOrDgGoinREHFiw29ys=";
-            presharedKeyFile = "/root/wireguard-keys/psk1";
+            presharedKeyFile = config.sops.secrets.psk-laptop-idacloud-wg.path;
            allowedIPs = [ "10.1.0.2/32" ];
          }
          # Phone
          #          {
          #            publicKey = "TODO";
          #            presharedKeyFile = "/root/wireguard-keys/psk2";
+          #            presharedKeyFile = config.sops.secrets.psk-phone-idacloud-wg.path;
          #            allowedIPs = [ "10.1.0.3/32" ];
          #          }
        ];