Compare commits
2 commits
49fa2325f3
...
003f2f7e44
Author | SHA1 | Date | |
---|---|---|---|
stuebinm | 003f2f7e44 | ||
stuebinm | 0d75469590 |
|
@ -4,6 +4,7 @@ keys:
|
|||
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||
- &zauberberg-conway age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
|
||||
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||
creation_rules:
|
||||
|
@ -15,5 +16,6 @@ creation_rules:
|
|||
- *stuebinm-ilex
|
||||
- *stuebinm-surltesh-echer
|
||||
- *stuebinm-abbenay
|
||||
- *zauberberg-conway
|
||||
- *moira-2022-06
|
||||
- *moira-openpgp
|
||||
|
|
16
README.md
16
README.md
|
@ -36,6 +36,22 @@ nix build .#nixosConfigurations.parsons.config.system.build.toplevel
|
|||
|
||||
(but you might have trouble deploying it)
|
||||
|
||||
## Secret management
|
||||
|
||||
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
|
||||
like to have in Git but don't want to be public. Entires in `secrets.yaml` are
|
||||
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
|
||||
derived from ssh keys.
|
||||
|
||||
For the initial set up, please take a look at the sops-nix Readme file.
|
||||
|
||||
To edit the secrets file, just use `sops secrets.yaml`, which will decrypt the
|
||||
file & open it in your $EDITOR, then re-encrypt it when you're done.
|
||||
|
||||
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
|
||||
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
|
||||
the new set of keys.
|
||||
|
||||
## Working on websites
|
||||
|
||||
Websites are exposed as flake outputs: if you're working on a website & want to
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfxXSy22k2EZwz1EtvIMwQKGWsswEBeLn5ClhuiI4Ma lukas@Conway.lan"
|
||||
];
|
||||
packages = with pkgs; [ ffmpeg ];
|
||||
};
|
||||
|
|
89
secrets.yaml
89
secrets.yaml
|
@ -1,5 +1,11 @@
|
|||
hedgedoc-hacc:
|
||||
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
||||
mattermost:
|
||||
env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
|
||||
tracktrain:
|
||||
env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -9,68 +15,77 @@ sops:
|
|||
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByREd2cmhXSUhNMWxEa3FB
|
||||
em5WZ0lkaVVka2c5RUdidC9UQ2F5N2FXWGhBCmY2dUlHUmtpZkFZTitlaTVxMS8y
|
||||
RFM0cHQwOFBwZFpSS0JWRXFVbUxMbTQKLS0tIFBNU2YxYUM4Y0U1NSt4Lzg1SnRF
|
||||
N2Z1ZUpxKzBwV3Q0T0ppQis3UFJmT3cKRa4o6e0hNCSqZibQ8yjUMntXDaZxrmMc
|
||||
tKAr9uGbSWQMbfjK26JKiOFt7QgF0olNvv7MxVD/kFScJBr1AerBQg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzNUJDcnZRa0VGaW94V2wy
|
||||
WmVSV29KV09kOVBjMXFzeURvalNPUEM5OFE0CmxJbmRwV3duOVFYcGh4MTFMU0Vl
|
||||
SWRoWnhZR3JDSDR5U2h2NDM0NmpWVzgKLS0tIFgxUFhYYmYrRi9XQmxpdWRJYkUv
|
||||
ekh6d0dXTTRqbllzdUFjOFpncndWazgK1TtGwiWPkgjOZoMY0LC1XDI93kTU6bii
|
||||
2xm0MV05TTQWJiQBRxgyk6Vu3ZMVawXsQgiTQiMaamJuI2y+UTSo5A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNlQyeGtWeUx2R25oVFFr
|
||||
ckh0UlRCTkt5aEg5MUREOEpIUzN4aWovVFFnCjIxREF0RTBHUStBS3hFSUtUVC9y
|
||||
ZXVyVlUwSlJKRTMyOG5CS0d6amFjU3cKLS0tIDZFdisyM0xEbHl1LzhJL2VwNVhR
|
||||
d2RWMHdTS2hDNUpDOHFxNmNQVDZmNFEKgo3vmIWXFYsYSohZxh1eGhuq6kh3j/n1
|
||||
R5kN1Rs46/Id0lkFkySXUfuAzOqCWlnJYYgMtqOmxVI3UQhJAtWXOg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwREhqS2E3M0lmNVNlMk9o
|
||||
UXkzZkdQR0p6aVppTnliK3RzNllSakJTdzAwCjEzSnNVTjhxaXUzWmVvSCtidERK
|
||||
MTB2ODNhbmNtQnBEbklBS3orbDhNdjgKLS0tIGw0c3BKaDg2dDc5ZUlFa0NObzQv
|
||||
R2NwY2tyOFEwcFRiTy9XOXpmdzRsYkEKzqPoluJCRUGUPFrA/CXPR9OHgB1/9X/W
|
||||
KFiQDbVIGC7gTjJRIoc7QqUKBRTdwFt/u6t+3yMOhEIMuPgGbP91eg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUi8zQ2lPZS9nZHByQVBl
|
||||
eU05WDRaUjlCVzZlbDI4K0ZhMkFNVFg5UlQwCkNuakpJTStvZFpTZkQ5UWFoWHVH
|
||||
RzRqTzlpNjNlMHlGbEFheFRTV1ByencKLS0tIDNHWEE4SENqRWZwNVpHcHN0TzY5
|
||||
NkpFTXFoLzUrcjEvbVBNSzdINzZHQ2MKb3knCvuJ1ivuGMZ+0bmLJoi5nUXMRNVf
|
||||
l50GRm4JVZ210wwQq0vqf86HLIUE0hwaXiWsb7Sn3VvdsgE4x7wEmQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUmdmOFU5bUFyOUZWbUQ2
|
||||
UnNCQWpHNlpRZGhab2JHZGNvTXN5T1VQSFhnCndkcmlYajZSb0svdUFyTktmWE9V
|
||||
RzZENlVtdlg5U2RibkFUUU1yOEY0UmsKLS0tIGVXMVlSOTBtWFU3dWI2Tm5lbnpW
|
||||
Q000bzIvcUpNWEpmb0dQTVlLbXFYUTQK2VBY6N6JqXUwK3Aq0xDZkAVbbFh6bTbD
|
||||
XYWAG3jj7L+uYmd6RF8DFZaLSVE2xxf8nO3zwrLdZlKuKJmhkw6aIQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNUY4c25EN3BBSTFTMEU0
|
||||
Vjg3RjFkS1FzZ2NXTUlZZHJNR3pTa0MzNVRNCkZhS1FMY2RlNGlCN3hoSm9yN0RL
|
||||
UHAwNlFQNWN5UWp0TUJybjVhMjY1TW8KLS0tIEJ3VGFQOEkrU01lbWYvQnRYdkx1
|
||||
VzFDbm9zMk4rVWlMQm5Sdk9uMEF1OTgK1d0syR0MY4DNA059QApJess94MZTulNQ
|
||||
THZ2S/BmEJGPoyvjKot5clX0Lm6s7LyNoYDjBypo+6OI8Cvjo5Qjgg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMDVWYXZ1NTY0QVBLd3JP
|
||||
bmRTc3lRejBLcHl4Wnl2NWNuL2ZJVmxlK3ljCnFtR3FueUV6dlNKaHNkc0ZFMXhC
|
||||
QkFXYmtuWVpvdENUOVQ5SFR5bTNBeTQKLS0tIG0ydVQybHdvUnhjcGpHR1UwWDFK
|
||||
ZTdNR0gxYzlzVnNSOXlTQTdNRytKQXMKO17jeAbjljOr9SYwG7RVtwp9jbI/QAQi
|
||||
Z8zQfloVTLrdzVc3abdvw3v/KcPInI7/PIWp8Anv+djyujzBpOKKtg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCK0luUmtzZXdGOTY4bU51
|
||||
V016dTFaRkxyNksyMXJiUmY5QkJjcXdoSXd3CnpoQVVXVTNZWnZmajUzMlNJN2Fz
|
||||
dDN1NThmS0IyREIvQSt2SlJKYmgwR1kKLS0tIFU5dHJYNzdydDkwT3FyQzRCRlFh
|
||||
VUpXYTFRK3FTRlJYd1B3Qm5HMEQzMWMK5IqzmCIdUphR2W6y6UtZLo2cPRW2L0d4
|
||||
X0qmWnDxa4ghD1CMlIi2spIS/0mE2+tu+XmxYnWYtfMggCtJpZen6g==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncjN3STJ6T2dNMjRlSXFt
|
||||
S0lNcWdieDJTSFEwc1BkcWN1SXZTNDI2aFM4ClJqSFFhQUVwWjdselA4WlVjRjBH
|
||||
Z1dCYjVYSzFYYlN6VUlZbUQ4Q2ZidzQKLS0tIFRJeit6NWhVWVdYeEE0dFBFRUx5
|
||||
Y3gwYU8reUhJbEh2MWpMMFZiZU43WlUKLVtfVb2UDPTQfrN9YvOsXahNuT0r07m4
|
||||
JySi8BynrHY7YsiN2nxMHtW7I/2horgGpu2hv+AKj4WbPJCzSg0y/g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTYk4reWJIdVRKZXNwMTN4
|
||||
Wi9uWDYvU2daUUVEVHluSi94UkZjNGtINDJVClF4ZFhBeWdINmVhQk5CdEhjRUlX
|
||||
MlNSNVdHdXZPNWZrbGVQTnVFb1FOZUEKLS0tIFEvTHVlWlZ0dUtPTFlFUlZLTmtS
|
||||
eTdXVHFRRzJBZTF5aERFUGI0akJxajAKngyn3eyeg2ysKDJC36N9UHrX/hNS2Kv2
|
||||
3Fvnmg/hCQ3l3SvUSPiXezU1xK+/3XMEyaC0p4Tb+YdWapwKre9ZGw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNEUvL2ZQbEo4SytWYnRJ
|
||||
a1ZMdS9FR1JsUUpsMlZTdXRzOGtDeTdIcFI4ClhxaFN0dXVmR3RhOHVpdFNxNEVE
|
||||
UzBxYStNMGZjNFJmTllxdlg2R1RIRm8KLS0tIFRJYzVrdE9mTGJZeXdpWnBUSkll
|
||||
QmZtNmtabkVYQVNNZFRtWnE3LzR3Z3cKKOUqRmH5OzXSLNJAwCylXDMxoHJFT4Dn
|
||||
5iuRwydc9VvI/XKLmK/rR2XXeXzxESWu1OJVXPV87VIFh1jF71lCbQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZHZ0RjZ6K3djb09INTAx
|
||||
S25Lci9Ra1lwSjE3WHFkOEszNXRhVG5oTHk4ClUxYklHVHUvSFNJWWtEZlRhYW1G
|
||||
dnJyMjNPV2RYRC9pMUJPbEhmWXZ0ZW8KLS0tIHc4a3VZYjBraDZlc2lENkpEMHZJ
|
||||
N3M1MEtXS1RaMUR1VjJwZlhEVmczV00KFl8MTogCwPLJEkN4tJdo+5DVPaDFTUyA
|
||||
gsk/u1/ud3dJ34edVRf/KfcSjq0YdD2lKhfdwZHCXVNdwT02fbGTmw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZ3VRd1lNYVZpRHNsRWti
|
||||
eEM5NjlOaEc4L29yRlA1eVdEZzFWbThXR2xFCngwN0YzWXdpTk4rY0h6VDBzQWtM
|
||||
TGhPYk8wRWRqd0ttRm5zSTBMbVAzNWcKLS0tIFBsQnQ3TTJqQUZXQVlVZTcxWXJG
|
||||
bVFISHFrRnZHVE9YbGVlakxJSFE1aTgKsddkeIFwHckApYhK53/qzG8bUYm3JXiI
|
||||
amI6nq+0nNoU2bzOTO4FLW7gYssxWFxdSVV153BWGJHSNh/JItvDHg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZFJ4WEdQZFBIYkhrbng2
|
||||
bmJ0UXM4dTRhQ3BCbFJCUWdZQ1IzY1c5UmpnCklGcm9nN24xb1FoOHd6NWEzYUgv
|
||||
aFVqMnJIZVE3K2wvV082WUszRjFnb1kKLS0tIE9ZaTY4Z0kzSFhwMjF3OUNhelBj
|
||||
ejdpTEtMNFNIVWlYMGtuMTJZbHZabUEKBGLoMDZQVwENcAXee8m4fsEmwFl/As6H
|
||||
346X4tfBghf1tk857h/1j5sXj3ZgyHvMlIavnS3AoVlOIsgxI1BYMg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-19T14:56:57Z"
|
||||
mac: ENC[AES256_GCM,data:Mw5SUPLqVhq3bEjYj7v7qZO2RqEKDzC6u+lzLsFXdnJ+pLSUslulzGgIerkKbe9wXM3m7LgPIEeCdRhmRfjuDbqdvE8RifuE3UpJ1F0497RmGPAVsxZeUh8YaHzKe/fij3QGgGAaahLYs413WUZNvGPrnJSIISlRdJ2JNlTQw8c=,iv:2vEUSrdr30gEZh/wqSDDuakK3W+ZY6iJS5BgUpYKkk8=,tag:p8X8exlJoutmUW3WaP68Tw==,type:str]
|
||||
lastmodified: "2023-05-03T20:47:22Z"
|
||||
mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
|
|
@ -3,6 +3,11 @@
|
|||
let
|
||||
mattermost = pkgs.mattermost;
|
||||
in {
|
||||
|
||||
sops.secrets = {
|
||||
"mattermost/env" = {};
|
||||
};
|
||||
|
||||
containers.mattermost = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
|
@ -14,6 +19,7 @@ in {
|
|||
hostPath = "/persist/containers/mattermost";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/secrets".hostPath = "/run/secrets/mattermost";
|
||||
};
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
|
@ -23,7 +29,7 @@ in {
|
|||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||
"/persist/mattermost/secrets.env";
|
||||
"/secrets/env";
|
||||
# overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
|
||||
systemd.services.mattermost.serviceConfig.ExecStart =
|
||||
lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
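Review bot: `"mattermost/env" = {};` declares the secret without `restartUnits`, so nothing restarts the container when the secret is changed or re-encrypted. As far as I know, sops-nix writes each activation's secrets into a new generation directory and repoints `/run/secrets` at it, so the bind mount `"/secrets".hostPath = "/run/secrets/mattermost"` is resolved when the container starts and may keep showing the previous generation afterwards; this is worth confirming on the host. If that holds, `"mattermost/env" = { restartUnits = [ "container@mattermost.service" ]; };` would cover it, and the same applies to `"tracktrain/env"` and the `/run/secrets/tracktrain` mount in the tracktrain container. The new mount also relies on the bind-mount default (read-only, if I read the module default correctly) while the neighbouring mount spells out `isReadOnly = false`; an explicit `isReadOnly = true;` would make the intent visible. The container definition continues outside the visible hunks.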
|
||||
|
|
|
@ -17,6 +17,10 @@ let
|
|||
'';
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"tracktrain/env" = {};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -46,6 +50,7 @@ in
|
|||
hostPath = "/persist/containers/tracktrain";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/secrets".hostPath = "/run/secrets/tracktrain";
|
||||
};
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
|
@ -146,7 +151,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/persist/secrets.env";
|
||||
"/secrets/env";
|
||||
});
|
||||
};
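Review bot: `"/secrets/env"` as the grafana `EnvironmentFile` gives no hint of where the file comes from. The mount that provides it (`"/secrets".hostPath = "/run/secrets/tracktrain"`) and the `sops.secrets` declaration sit roughly a hundred lines earlier in the file, going by the hunk headers. A comment on the line would help the next reader, e.g. `# bind-mounted from the host's sops secret "tracktrain/env"`. The container definition starts and ends outside the visible hunks.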
|
||||
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
sops.secrets = {
|
||||
"vaultwarden/env" = {};
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
config = {
|
||||
|
@ -27,7 +31,7 @@
|
|||
SMTP_USERNAME="noreply@infra4future.de";
|
||||
|
||||
};
|
||||
environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
|
||||
environmentFile = "/run/secrets/vaultwarden/env";
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/persist/data/vaultwarden_backups/";
|
||||
};
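Review bot: The `environmentFile = "/run/secrets/vaultwarden/env";` line no longer says what the file is expected to hold. Assuming the `/persist/...` line is the removed one, its `#contains SMTP_PASSWORD` hint was dropped, and it is more useful now that the contents can only be read through `sops secrets.yaml`. I would keep it: `environmentFile = "/run/secrets/vaultwarden/env"; # contains SMTP_PASSWORD`. The old plaintext file under `/persist/var/lib/vaultwarden/` is not touched by this change and presumably still exists on the host, so removing it after the deploy deserves a line in the README or commit message. The `services.vaultwarden` block continues outside the hunk.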
|
||||
|
|