tlaternet/tlaternet-server
1
0
Fork 0
Code Issues 8 Pull requests Activity

refactor(sops): Move secret definitions to specific modules

Browse source
This commit is contained in:
Tristan Daniël Maat 2025-11-14 10:54:51 +08:00
parent 767a14ab6e
commit 7fcaa34b28
Signed by: tlater
GPG key ID: 02E935006CF2E8E7
15 changed files with 81 additions and 105 deletions
Download patch file Download diff file Expand all files Collapse all files

2
configuration/default.nix
View file

@ -28,7 +28,6 @@
# ./services/starbound.nix -- Not currently used # ./services/starbound.nix -- Not currently used
./services/postgres.nix ./services/postgres.nix
./nginx ./nginx
./sops.nix
]; ];
nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ]; nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ];
@ -124,6 +123,7 @@
services.sudo.rssh = true; services.sudo.rssh = true;
}; };
}; };
sops.defaultSopsFile = ../keys/production.yaml;
# Remove some unneeded packages # Remove some unneeded packages
environment.defaultPackages = [ ]; environment.defaultPackages = [ ];

5
configuration/nginx/ssl.nix
View file

@ -64,5 +64,10 @@
in in
''${pkgs.runtimeShell} -c '${confirm}' ''; ''${pkgs.runtimeShell} -c '${confirm}' '';
}; };
sops.secrets = {
"porkbun/api-key".owner = "acme";
"porkbun/secret-api-key".owner = "acme";
};
}; };
} }

13
configuration/services/backups.nix
View file

@ -265,5 +265,18 @@ in
}; };
groups.backup = { }; groups.backup = { };
}; };
sops.secrets = {
"restic/storagebox-backups" = {
owner = "root";
group = "backup";
mode = "0440";
};
"restic/storagebox-ssh-key" = {
owner = "backup";
group = "backup";
mode = "0040";
};
};
}; };
} }

5
configuration/services/battery-manager.nix
View file

@ -13,4 +13,9 @@
log_level = "DEBUG"; log_level = "DEBUG";
}; };
}; };
sops.secrets = {
"battery-manager/email" = { };
"battery-manager/password" = { };
};
} }

7
configuration/services/conduit/default.nix
View file

@ -179,4 +179,11 @@ in
systemd.services.coturn.serviceConfig.SupplementaryGroups = [ systemd.services.coturn.serviceConfig.SupplementaryGroups = [
config.security.acme.certs."tlater.net".group config.security.acme.certs."tlater.net".group
]; ];
sops.secrets = {
"turn/env" = { };
"turn/secret" = {
owner = "turnserver";
};
};
} }

6
configuration/services/conduit/heisenbridge.nix
View file

@ -75,4 +75,10 @@ in
# AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
}; };
}; };
sops.secrets = {
# Accessed via systemd cred through /run/secrets/heisebridge
"heisenbridge/as-token" = { };
"heisenbridge/hs-token" = { };
};
} }

6
configuration/services/conduit/matrix-hookshot.nix
View file

@ -163,4 +163,10 @@ in
metrics.enabled = true; metrics.enabled = true;
}; };
}; };
sops.secrets = {
# Accessed via systemd cred through /run/secrets/matrix-hookshot
"matrix-hookshot/as-token" = { };
"matrix-hookshot/hs-token" = { };
};
} }

11
configuration/services/metrics/grafana.nix
View file

@ -67,4 +67,15 @@ in
}; };
}; };
}; };
sops.secrets = {
"grafana/adminPassword" = {
owner = "grafana";
group = "grafana";
};
"grafana/secretKey" = {
owner = "grafana";
group = "grafana";
};
};
} }

8
configuration/services/metrics/victoriametrics.nix
View file

@ -4,7 +4,7 @@ let
blackbox_port = config.services.prometheus.exporters.blackbox.port; blackbox_port = config.services.prometheus.exporters.blackbox.port;
in in
{ {
config.services.victoriametrics = { services.victoriametrics = {
enable = true; enable = true;
extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ]; extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
@ -96,4 +96,10 @@ in
victorialogs.targets = [ config.services.victorialogs.bindAddress ]; victorialogs.targets = [ config.services.victorialogs.bindAddress ];
}; };
}; };
sops.secrets."forgejo/metrics-token" = {
owner = "forgejo";
group = "metrics";
mode = "0440";
};
} }

5
configuration/services/nextcloud.nix
View file

@ -100,4 +100,9 @@ in
# Ensure that this service doesn't start before postgres is ready # Ensure that this service doesn't start before postgres is ready
systemd.services.nextcloud-setup.after = [ "postgresql.service" ]; systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
sops.secrets."nextcloud/tlater" = {
owner = "nextcloud";
group = "nextcloud";
};
} }

3
configuration/services/starbound.nix
View file

@ -114,4 +114,7 @@ in
paths = [ "/var/lib/private/starbound/storage/universe/" ]; paths = [ "/var/lib/private/starbound/storage/universe/" ];
pauseServices = [ "starbound.service" ]; pauseServices = [ "starbound.service" ];
}; };
# Accessed via systemd cred through /run/secrets/steam
sops.secrets."steam/tlater" = { };
} }

6
configuration/services/wireguard.nix
View file

@ -62,4 +62,10 @@
}; };
}; };
}; };
sops.secrets."wireguard/server-key" = {
owner = "root";
group = "systemd-network";
mode = "0440";
};
} }

89
configuration/sops.nix
View file

@ -1,89 +0,0 @@
{
sops = {
defaultSopsFile = ../keys/production.yaml;
secrets = {
"battery-manager/email" = { };
"battery-manager/password" = { };
# Gitea
"forgejo/metrics-token" = {
owner = "forgejo";
group = "metrics";
mode = "0440";
};
# Grafana
"grafana/adminPassword" = {
owner = "grafana";
group = "grafana";
};
"grafana/secretKey" = {
owner = "grafana";
group = "grafana";
};
# Heisenbridge
"heisenbridge/as-token" = { };
"heisenbridge/hs-token" = { };
# Matrix-hookshot
"matrix-hookshot/as-token" = { };
"matrix-hookshot/hs-token" = { };
# Nextcloud
"nextcloud/tlater" = {
owner = "nextcloud";
group = "nextcloud";
};
# Porkbub/ACME
"porkbun/api-key" = {
owner = "acme";
};
"porkbun/secret-api-key" = {
owner = "acme";
};
# Restic
"restic/local-backups" = {
owner = "root";
group = "backup";
mode = "0440";
};
"restic/storagebox-backups" = {
owner = "root";
group = "backup";
mode = "0440";
};
"restic/storagebox-ssh-key" = {
owner = "backup";
group = "backup";
mode = "0040";
};
# Steam
"steam/tlater" = { };
# Turn
"turn/env" = { };
"turn/secret" = {
owner = "turnserver";
};
"turn/ssl-key" = {
owner = "turnserver";
};
"turn/ssl-cert" = {
owner = "turnserver";
};
# Wireguard
"wireguard/server-key" = {
owner = "root";
group = "systemd-network";
mode = "0440";
};
};
};
}

10
keys/production.yaml
View file

File diff suppressed because one or more lines are too long

10
keys/staging.yaml
View file

@ -22,18 +22,14 @@ matrix-hookshot:
wireguard: wireguard:
server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str] server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
restic: restic:
local-backups: ENC[AES256_GCM,data:3QjEv03t7wE=,iv:y/6Lv4eUbZZfGPwUONykz8VNL62cAJuWaJy9yk3aAmk=,tag:wMlGsepuG9JjwtUKGWSibw==,type:str]
storagebox-backups: ENC[AES256_GCM,data:NEHk57B3YtI=,iv:0/qnqMVK0662sgfDQoLxcW7L09SKF8E5liCnjaQ2+2k=,tag:RU0BPwGgvI9bgOPr8VItmA==,type:str] storagebox-backups: ENC[AES256_GCM,data:NEHk57B3YtI=,iv:0/qnqMVK0662sgfDQoLxcW7L09SKF8E5liCnjaQ2+2k=,tag:RU0BPwGgvI9bgOPr8VItmA==,type:str]
storagebox-ssh-key: ENC[AES256_GCM,data:65+kbJPO90y+rRh3Q5cqLDtQa3VFfbaDPPo1nJLqxgAB7Wm3J7K4qUYAKPcYnkWV4/xFz63R2uCNaq5xv+vuZA==,iv:O7AeE/ujp5p1P7nff7PpghQfN2tQUYBSWL+EHRbE5yA=,tag:Pu/+bEAQuqwmD1Rc//t0cA==,type:str] storagebox-ssh-key: ENC[AES256_GCM,data:65+kbJPO90y+rRh3Q5cqLDtQa3VFfbaDPPo1nJLqxgAB7Wm3J7K4qUYAKPcYnkWV4/xFz63R2uCNaq5xv+vuZA==,iv:O7AeE/ujp5p1P7nff7PpghQfN2tQUYBSWL+EHRbE5yA=,tag:Pu/+bEAQuqwmD1Rc//t0cA==,type:str]
turn: turn:
env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str] env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str] secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
ssl-key: ENC[AES256_GCM,data:RYfwHjBvwFXgXxXIEuWUzaycTdrCvmPivsNvvUIwDRynS5G2Dl6RCVp1w9zuLvoNun5ncUPGGuLMmVqN2wkJlw==,iv:UKI3bVTY7iTDNvp5UqrZ3QlQkMZ5p2bjgODEc6DCBfQ=,tag:sz7VTyRWyZxAsP4nE48DnA==,type:str]
#ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
sops: sops:
lastmodified: "2025-02-07T17:43:24Z" lastmodified: "2025-11-19T16:42:43Z"
mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str] mac: ENC[AES256_GCM,data:4YivckDS+jBX3Bkon0bTAm3SXya4v2ieZyqeBXjBUYZeCmelIng7bn2dP7791O6RK6RvSXAGhiykWgGRW/boG3QM8VLxDMSRTKovJo5k6oxtFJC8OLDJoh1EC5BQLznJDKl4So6FgYPEtdQ6rx+Q6Ah7JSMtQilxRoe/hYapT90=,iv:9BGtS585gVbvH6l96/YYZiY1DrwB565vPaNNtFC9vbk=,tag:HsZuDMqPFHTMPxQsD36LNQ==,type:str]
pgp: pgp:
- created_at: "2025-10-03T21:38:26Z" - created_at: "2025-10-03T21:38:26Z"
enc: |- enc: |-
@ -67,4 +63,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.11.0