diff --git a/modules/services/server/nextcloud.nix b/modules/services/server/nextcloud.nix
index 4ec94c2..ce75ac2 100644
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@@ -12,10 +12,20 @@
 dbname = "nextclouddb";
 dbport =
 adminuser = "kabbone";
- #adminpassFile = "secret123";
+ adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
+ dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
 };
 };
+ age.secrets."services/nextcloud/dbpassFile" = {
+ file = ../../../secrets/services/nextcloud/dbpassFile.age;
+ owner = "nextcloud";
+ };
+ age.secrets."services/nextcloud/adminpassFile" = {
+ file = ../../../secrets/services/nextcloud/adminpassFile.age;
+ owner = "nextcloud";
+ };
+
 systemd.services."nextcloud-setup" = {
 requires = ["postgresql.service"];
 after = ["postgresql.service"];
diff --git a/modules/services/server/postgresql.nix b/modules/services/server/postgresql.nix
index 1fe5e77..6be682c 100644
--- a/modules/services/server/postgresql.nix
+++ b/modules/services/server/postgresql.nix
@@ -21,18 +21,16 @@
 timezone = "Europe/Berlin";
 };
 authentication = pkgs.lib.mkOverride 14 ''
- local all postgres peer
+ #local all postgres peer
 host giteadb gitea samehost scram-sha-256
 host nextclouddb nextcloud samehost scram-sha-256
- host synapsedb synapse_user samehost scram-sha-256
+ host synapsedb synapse samehost scram-sha-256
 host whatsappdb mautrixwa samehost scram-sha-256
 host telegramdb mautrixtele samehost scram-sha-256
 host signaldb mautrixsignal samehost scram-sha-256
- #host facebookdb mautrixfacebook samehost scram-sha-256
- #host xmppdb ejabberd samehost scram-sha-256
- #host prosodydb prosody samehost scram-sha-256
 host keycloakdb keycloak samehost scram-sha-256
 '';
+ initialScript = config.age.secrets."services/postgresql/initScript".path;
 ensureDatabases = [
 "giteadb"
 "nextclouddb"
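Review bot: As far as the NixOS module goes, `adminpassFile` is consumed only by the initial `occ maintenance:install` run in `nextcloud-setup`, so on an instance that is already installed the switch from the commented-out literal to the agenix path does not change the admin password; if `secret123` was ever the live value it has to be rotated inside Nextcloud, since the string also stays in git history. The new `dbpassFile` must hold the same password that the PostgreSQL init script (the `services/postgresql/initScript` secret) presumably assigns to the `nextcloud` role, and nothing in either module ties the two secrets together — a comment such as `# must match the password for role nextcloud set in secrets/services/postgresql/initScript.age` next to `dbpassFile` would make the coupling visible. The `services.nextcloud` attribute set these lines belong to starts outside the hunk.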
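Review bot: Commenting out `local all postgres peer` leaves the `authentication` block with `host` rules only, and because `mkOverride 14` takes precedence over the module's default `local all all peer` rule there is no pg_hba entry left for unix-socket connections; the NixOS module runs `psql` as `postgres` over the socket for `ensureDatabases`/`ensureUsers` and for the new `initialScript`, so those steps (and a manual `sudo -u postgres psql`) should fail with a no-pg_hba-entry error unless a `local` rule survives elsewhere in the string. Peer auth on the socket for the `postgres` OS user is not what the `scram-sha-256` rules harden against, so keeping `local all postgres peer` costs nothing. Note also that `initialScript` only runs when the data directory is first initialised, so on an existing cluster the role passwords the script presumably sets have to be applied by hand. The `services.postgresql` set continues outside the hunk.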
@@ -90,4 +88,9 @@ services.postgresqlBackup.enable = true;
+ age.secrets."services/postgresql/initScript" = {
+ file = ../../../secrets/services/postgresql/initScript.age;
+ owner = "postgres";
+ };
+
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c0ff038..c05748e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,8 +29,9 @@ let
 ];
 in {
- #"passwords/services/mail/mailjet.age".publicKeys = servers ++ users;
- #"passwords/services/mail/mailjet.age".publicKeys = systems ++ users;
+ "services/postgresql/initScript.age".publicKeys = servers ++ users;
 "services/coturn/static-auth.age".publicKeys = servers ++ users;
 "services/matrix/synapse.age".publicKeys = servers ++ users;
+ "services/nextcloud/adminpassFile.age".publicKeys = servers ++ users;
+ "services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
 }
diff --git a/secrets/services/nextcloud/adminpassFile.age b/secrets/services/nextcloud/adminpassFile.age
new file mode 100644
index 0000000..85951c5
--- /dev/null
+++ b/secrets/services/nextcloud/adminpassFile.age
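Review bot: All three new entries are encrypted to `servers ++ users`, so every host key in `servers` can decrypt the PostgreSQL init script and the Nextcloud admin and db passwords, not only the machine that runs those services; if `servers` lists more than that host, a narrower recipient list (that host's key plus `users`, e.g. `"services/postgresql/initScript.age".publicKeys = [ <pg-host-key> ] ++ users;` with the real key variable substituted) keeps the blast radius of one compromised server to its own secrets. `servers` and `users` are defined above the hunk, so the actual exposure cannot be judged from here.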
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 neExcQ 07jVEVD7GEq1+qohiaSLwDA46CY6AWeUREE4XABsu1g +lJeLdIW7CJOdPxYwZ0/aiGzq+thp4ie3/Bo/6912PLU +-> ssh-rsa VtjGpQ +YhtnxBV6BgZHQHqCr+LOKwnU6CsPH2jKv1ZDJ0mG5EuNM0+PrXKBab/PbcE82+Mn +ZgKLfmB97qGy/DW2MnoRgatRXx/kiPFx3BnEGdrr+PASWL99li5u6iFh5V4i0Imw +OGlqV/uVAW9CAhay3rUY+b5RmmNCglnqjZjeQaTVxfgd+ZuPBTBDihW/h6kGr+tW +yWe/wXARqVoWjM79/DjNbOKc7QsGY1vQa4i5qNDVxEFYU9w+ut+EmJrm0jDsKUSe +kXL48Bv0ochlchTduGIUkKiDBdvHsPSrdDa5YWOdqRdxq4vNCtCX0fQKpn78S1Mm +KZFWCaOgaKPeLUklD3FmVZrVkf8opBjmWvkyHXlTy0DmEBggg7MytrT3pF7j1B5y +sNi9BYfFx0meX1asdslNsjjZSI0nc3e6tlYaFotAwOMDH5eiaBEVUsCLdoiYwDhC +aGpvw0/T/b7/6eUoZDyP3h2D3e52e7ZiuE8vh9pAemU+4SN+2QD015F+tXqSaItP +ubUFZCrqMOvrCeS8aFhNLOMreqCscoSXlAAJNNjklGxzUmQfbx6hE5PJDJLZaBdE +QhqpdsXD9us5ligz8xot9ZCWa9l4pgsEGNEgtv8oxSq/qP/Newmu7mx1v0BDaQKa +HOmzdfkAISM1/L+yM9sOBxsVZGsJ4tUkUU+c4G8pkQE +-> piv-p256 grR75w Au56HVtkwuaPksAY5ZgJiUVSoSTVdsuxjYWuu6xvvl1h +rjE4k4/pge4LFvZlamaADv6ukwm1u55MjLctO/30u/w +-> r`C-grease 'Q`Y4=6 U&7# p`zO0DA +2jmMsZjzNgwT00hDemFcDPtVFPYcuv/sLNA6KlF+IEHw/MsAFK3yvAqbarTWmIqp +ZZlbasWsnJdPP22lvaTvIg +--- JLORjJ4Kj+D7C9O8MJMFxVNiIBkPAaLQiw4/jJ3j+38 +愙RT/XGWR ssh-ed25519 neExcQ gAWuDpwpYwpbGxal3S3H5Jw+5S6AuydnzAvPssDOG2w +dhWCkGmYSLBH0qh4Z9w4ySpPVrkaUW9JuecuO/DFOjE +-> ssh-rsa VtjGpQ +kqzwhv5KMUUMZitbPYARFd+LLmn5ahUxEexslR3lVAOnwNkEVSJLAoLnVoYq/TBl +4d45JGbQgxSTm7OuYLmunN7LK97ygMgkU5BFMMYHaqkWYmoBl9G1Gvuhdh+7tE1e +6/SRmm1iwIOxvlrjnEmNU4cecaVt+kvLwj2uyr6S1QZG+0fQnGlf4QI/x14nem1u +F3ofjBvP1uL4lzQeu3yj8/sok6ujCP0oJMhDJmjbOwpjJ7uYoydVYw1DbDukfK12 +CJl6CAvKT3v7mt5IBVjg99XJG76ltU6skX5LabqIORCgbiXovijY4D3JqWeRWF88 +Ocw9tR88Z1AeqV/63tXACcjXOg55NvUzCiQHGstd+mdD3yt+IyPEokyHqMSjQqxB +o9yvyVACsFh6q51bgjrcIwoU+UjJgagWDYRW90jp7MJ0Hl4c8N5n39879gWyp9IQ +ypsZk7uKQ1VkFIn7CJ1dYcn0X8b8IwuUsX6ASevRBcUjJNvkXLsSwwJoMIxK/H+h +bBfnM2uW0g6cBPZQvLyTPatMV0NlVyxzTlic4hLvxbnfxJ/LD5zARltDwGR3WWUd +9kQjQR3nCtik6F/aCRppsaZ+f8QSUIK0PiTsjVaBk01EURrJ7GRZzPGb0IwzYgLY 
+siZdTcMduBqjEUAh5U0HM/fNEk6L5YdXzcxcLHoAGGc +-> piv-p256 grR75w AtpwJYzbWrR1/5sfxnhoYawIVzyZAefIu004VSBGnbJs +1w/w7E96BexLMmyp2qW1JE/TcttRYM6sJF5enqBhPro +-> TGjY-grease !! =t{G3_b o0O ? +bQ +--- 9exSKjW0kcxJijdrmqmb6wzQdLJp1qgSoKT3NRcbGDk +sl=y$onW \HRWp` b +e \ No newline at end of file diff --git a/secrets/services/postgresql/initScript.age b/secrets/services/postgresql/initScript.age new file mode 100644 index 0000000..da7a8be Binary files /dev/null and b/secrets/services/postgresql/initScript.age differ