server: add secrets to nextcloud and postgresql

2022-12-27 09:25:23 +01:00 · 2022-12-27 09:25:23 +01:00 · 211e8cbca2
commit 211e8cbca2
parent 92a56bff1c
6 changed files with 66 additions and 8 deletions
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@ -12,10 +12,20 @@
            dbname = "nextclouddb";
            dbport = 
            adminuser = "kabbone"; 
-            #adminpassFile = "secret123";
+            adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
+            dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
        };
    };

+    age.secrets."services/nextcloud/dbpassFile" = {
+        file = ../../../secrets/services/nextcloud/dbpassFile.age;
+        owner = "nextcloud";
+    };
+    age.secrets."services/nextcloud/adminpassFile" = {
+        file = ../../../secrets/services/nextcloud/adminpassFile.age;
+        owner = "nextcloud";
+    };
+
    systemd.services."nextcloud-setup" = {
        requires = ["postgresql.service"];
        after = ["postgresql.service"];
--- a/modules/services/server/postgresql.nix
+++ b/modules/services/server/postgresql.nix
@ -21,18 +21,16 @@
        timezone = "Europe/Berlin";
    };
    authentication = pkgs.lib.mkOverride 14 ''
-        local all        postgres                  peer
+        #local all        postgres                  peer
        host  giteadb     gitea           samehost scram-sha-256
        host  nextclouddb nextcloud       samehost scram-sha-256
-        host  synapsedb   synapse_user    samehost scram-sha-256
+        host  synapsedb   synapse         samehost scram-sha-256
        host  whatsappdb  mautrixwa       samehost scram-sha-256
        host  telegramdb  mautrixtele     samehost scram-sha-256
        host  signaldb    mautrixsignal   samehost scram-sha-256
-        #host  facebookdb  mautrixfacebook samehost scram-sha-256
-        #host  xmppdb      ejabberd        samehost scram-sha-256
-        #host  prosodydb   prosody         samehost scram-sha-256
        host  keycloakdb  keycloak        samehost scram-sha-256
    '';
+    initialScript = config.age.secrets."services/postgresql/initScript".path;
    ensureDatabases = [
        "giteadb"
        "nextclouddb"
@ -90,4 +88,9 @@

  services.postgresqlBackup.enable = true;

+  age.secrets."services/postgresql/initScript" = {
+      file = ../../../secrets/services/postgresql/initScript.age;
+      owner = "postgres";
+  };
+
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -29,8 +29,9 @@ let
  ];
 in
    {
-        #"passwords/services/mail/mailjet.age".publicKeys = servers ++ users;
-        #"passwords/services/mail/mailjet.age".publicKeys = systems ++ users;
+        "services/postgresql/initScript.age".publicKeys = servers ++ users;
        "services/coturn/static-auth.age".publicKeys = servers ++ users;
        "services/matrix/synapse.age".publicKeys = servers ++ users;
+        "services/nextcloud/adminpassFile.age".publicKeys = servers ++ users;
+        "services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
    }
--- a/secrets/services/nextcloud/adminpassFile.age
+++ b/secrets/services/nextcloud/adminpassFile.age
@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 neExcQ 07jVEVD7GEq1+qohiaSLwDA46CY6AWeUREE4XABsu1g
+lJeLdIW7CJOdPxYwZ0/aiGzq+thp4ie3/Bo/6912PLU
+-> ssh-rsa VtjGpQ
+YhtnxBV6BgZHQHqCr+LOKwnU6CsPH2jKv1ZDJ0mG5EuNM0+PrXKBab/PbcE82+Mn
+ZgKLfmB97qGy/DW2MnoRgatRXx/kiPFx3BnEGdrr+PASWL99li5u6iFh5V4i0Imw
+OGlqV/uVAW9CAhay3rUY+b5RmmNCglnqjZjeQaTVxfgd+ZuPBTBDihW/h6kGr+tW
+yWe/wXARqVoWjM79/DjNbOKc7QsGY1vQa4i5qNDVxEFYU9w+ut+EmJrm0jDsKUSe
+kXL48Bv0ochlchTduGIUkKiDBdvHsPSrdDa5YWOdqRdxq4vNCtCX0fQKpn78S1Mm
+KZFWCaOgaKPeLUklD3FmVZrVkf8opBjmWvkyHXlTy0DmEBggg7MytrT3pF7j1B5y
+sNi9BYfFx0meX1asdslNsjjZSI0nc3e6tlYaFotAwOMDH5eiaBEVUsCLdoiYwDhC
+aGpvw0/T/b7/6eUoZDyP3h2D3e52e7ZiuE8vh9pAemU+4SN+2QD015F+tXqSaItP
+ubUFZCrqMOvrCeS8aFhNLOMreqCscoSXlAAJNNjklGxzUmQfbx6hE5PJDJLZaBdE
+QhqpdsXD9us5ligz8xot9ZCWa9l4pgsEGNEgtv8oxSq/qP/Newmu7mx1v0BDaQKa
+HOmzdfkAISM1/L+yM9sOBxsVZGsJ4tUkUU+c4G8pkQE
+-> piv-p256 grR75w Au56HVtkwuaPksAY5ZgJiUVSoSTVdsuxjYWuu6xvvl1h
+rjE4k4/pge4LFvZlamaADv6ukwm1u55MjLctO/30u/w
+-> r`C-grease 'Q`Y4=6 U&7# p`zO0DA
+2jmMsZjzNgwT00hDemFcDPtVFPYcuv/sLNA6KlF+IEHw/MsAFK3yvAqbarTWmIqp
+ZZlbasWsnJdPP22lvaTvIg
+--- JLORjJ4Kj+D7C9O8MJMFxVNiIBkPAaLQiw4/jJ3j+38
+Öæ„™ÉRT/ú°©›XÜGÊWÉÐßRœ<ý?y2íb×NpG™§<1D>9±Ìa/
--- a/secrets/services/nextcloud/dbpassFile.age
+++ b/secrets/services/nextcloud/dbpassFile.age
@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 neExcQ gAWuDpwpYwpbGxal3S3H5Jw+5S6AuydnzAvPssDOG2w
+dhWCkGmYSLBH0qh4Z9w4ySpPVrkaUW9JuecuO/DFOjE
+-> ssh-rsa VtjGpQ
+kqzwhv5KMUUMZitbPYARFd+LLmn5ahUxEexslR3lVAOnwNkEVSJLAoLnVoYq/TBl
+4d45JGbQgxSTm7OuYLmunN7LK97ygMgkU5BFMMYHaqkWYmoBl9G1Gvuhdh+7tE1e
+6/SRmm1iwIOxvlrjnEmNU4cecaVt+kvLwj2uyr6S1QZG+0fQnGlf4QI/x14nem1u
+F3ofjBvP1uL4lzQeu3yj8/sok6ujCP0oJMhDJmjbOwpjJ7uYoydVYw1DbDukfK12
+CJl6CAvKT3v7mt5IBVjg99XJG76ltU6skX5LabqIORCgbiXovijY4D3JqWeRWF88
+Ocw9tR88Z1AeqV/63tXACcjXOg55NvUzCiQHGstd+mdD3yt+IyPEokyHqMSjQqxB
+o9yvyVACsFh6q51bgjrcIwoU+UjJgagWDYRW90jp7MJ0Hl4c8N5n39879gWyp9IQ
+ypsZk7uKQ1VkFIn7CJ1dYcn0X8b8IwuUsX6ASevRBcUjJNvkXLsSwwJoMIxK/H+h
+bBfnM2uW0g6cBPZQvLyTPatMV0NlVyxzTlic4hLvxbnfxJ/LD5zARltDwGR3WWUd
+9kQjQR3nCtik6F/aCRppsaZ+f8QSUIK0PiTsjVaBk01EURrJ7GRZzPGb0IwzYgLY
+siZdTcMduBqjEUAh5U0HM/fNEk6L5YdXzcxcLHoAGGc
+-> piv-p256 grR75w AtpwJYzbWrR1/5sfxnhoYawIVzyZAefIu004VSBGnbJs
+1w/w7E96BexLMmyp2qW1JE/TcttRYM6sJF5enqBhPro
+-> TGjY-grease !! =t{G3_b o0O ?
+bQ
+--- 9exSKjW0kcxJijdrmqmb6wzQdLJp1qgSoKT3NRcbGDk
+sőŹŽlăĎÄ=´ ď·ä¤yôň$ń´o‰†ÔnÚW	‘\HR”Wßęp`¦®
b©´ŁűÉ
+ââe
--- a/secrets/services/postgresql/initScript.age
+++ b/secrets/services/postgresql/initScript.age