tlaternet-server/configuration/sops.nix

{
  sops = {
    defaultSopsFile = ../keys/production.yaml;

    secrets = {
      "battery-manager/email" = {
        owner = "battery-manager";
        group = "battery-manager";
      };

      "battery-manager/password" = {
        owner = "battery-manager";
        group = "battery-manager";
      };

      # Gitea
      "forgejo/metrics-token" = {
        owner = "forgejo";
        group = "metrics";
        mode = "0440";
      };

      # Grafana
      "grafana/adminPassword" = {
        owner = "grafana";
        group = "grafana";
      };
      "grafana/secretKey" = {
        owner = "grafana";
        group = "grafana";
      };

      # Heisenbridge
      "heisenbridge/as-token" = { };
      "heisenbridge/hs-token" = { };

      "hetzner-api" = {
        owner = "acme";
      };

      # Nextcloud
      "nextcloud/tlater" = {
        owner = "nextcloud";
        group = "nextcloud";
      };

      # Restic
      "restic/local-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };
      "restic/storagebox-backups" = {
        owner = "root";
        group = "backup";
        mode = "0440";
      };
      "restic/storagebox-ssh-key" = {
        owner = "backup";
        group = "backup";
        mode = "0040";
      };

      # Steam
      "steam/tlater" = { };

      # Turn
      "turn/env" = { };
      "turn/secret" = {
        owner = "turnserver";
      };
      "turn/ssl-key" = {
        owner = "turnserver";
      };
      "turn/ssl-cert" = {
        owner = "turnserver";
      };

      # Wireguard
      "wireguard/server-key" = {
        owner = "root";
        group = "systemd-network";
        mode = "0440";
      };
    };
  };
}
sops: Improve secrets provisioning to split out staging 2022-10-12 02:03:22 +01:00			`{`
			`sops = {`
			`defaultSopsFile = ../keys/production.yaml;`
services: Add wireguard service 2023-04-23 23:42:25 +01:00
			`secrets = {`
sonnenshift: Init 2024-04-08 19:02:53 +01:00			`"battery-manager/email" = {`
			`owner = "battery-manager";`
			`group = "battery-manager";`
			`};`

			`"battery-manager/password" = {`
			`owner = "battery-manager";`
			`group = "battery-manager";`
			`};`

metrics: Add metrics with victoriametrics + grafana 2023-10-07 21:14:43 +01:00			`# Gitea`
gitea: Migrate to forgejo 2023-12-29 15:11:16 +00:00			`"forgejo/metrics-token" = {`
			`owner = "forgejo";`
metrics: Add metrics with victoriametrics + grafana 2023-10-07 21:14:43 +01:00			`group = "metrics";`
			`mode = "0440";`
			`};`

			`# Grafana`
			`"grafana/adminPassword" = {`
			`owner = "grafana";`
			`group = "grafana";`
			`};`
			`"grafana/secretKey" = {`
			`owner = "grafana";`
			`group = "grafana";`
			`};`

sops: Sort secrets alphabetically 2023-10-02 00:02:28 +01:00			`# Heisenbridge`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`"heisenbridge/as-token" = { };`
			`"heisenbridge/hs-token" = { };`

acme: Switch to a wildcard certificate 2024-04-16 00:08:13 +01:00			`"hetzner-api" = {`
			`owner = "acme";`
			`};`

sops: Sort secrets alphabetically 2023-10-02 00:02:28 +01:00			`# Nextcloud`
			`"nextcloud/tlater" = {`
			`owner = "nextcloud";`
			`group = "nextcloud";`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`};`

sops: Sort secrets alphabetically 2023-10-02 00:02:28 +01:00			`# Restic`
backups: Add atomic backups with restic 2023-09-22 05:20:36 +01:00			`"restic/local-backups" = {`
			`owner = "root";`
			`group = "backup";`
			`mode = "0440";`
			`};`
backups: Switch to hetzner storage box 2024-03-18 04:05:54 +00:00			`"restic/storagebox-backups" = {`
			`owner = "root";`
			`group = "backup";`
			`mode = "0440";`
			`};`
			`"restic/storagebox-ssh-key" = {`
			`owner = "backup";`
			`group = "backup";`
			`mode = "0040";`
			`};`
backups: Add atomic backups with restic 2023-09-22 05:20:36 +01:00
sops: Sort secrets alphabetically 2023-10-02 00:02:28 +01:00			`# Steam`
			`"steam/tlater" = { };`

			`# Turn`
services: Add wireguard service 2023-04-23 23:42:25 +01:00			`"turn/env" = { };`
			`"turn/secret" = {`
			`owner = "turnserver";`
			`};`
			`"turn/ssl-key" = {`
			`owner = "turnserver";`
			`};`
			`"turn/ssl-cert" = {`
			`owner = "turnserver";`
			`};`
sops: Sort secrets alphabetically 2023-10-02 00:02:28 +01:00
			`# Wireguard`
			`"wireguard/server-key" = {`
			`owner = "root";`
			`group = "systemd-network";`
			`mode = "0440";`
			`};`
conduit: Enable TURNS with a ZeroSSL-provided certificate 2022-11-05 22:26:52 +00:00			`};`
sops: Improve secrets provisioning to split out staging 2022-10-12 02:03:22 +01:00			`};`
			`}`