From 211e8cbca2ed123371a37ec80fe3758c4d04bf10 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Tue, 27 Dec 2022 09:25:23 +0100
Subject: [PATCH] server: add secrets to nextcloud and postgresql
---
 modules/services/server/nextcloud.nix | 12 +++++++++++-
 modules/services/server/postgresql.nix | 13 ++++++++-----
 secrets/secrets.nix | 5 +++--
 secrets/services/nextcloud/adminpassFile.age | 22 ++++++++++++++++++++++
 secrets/services/nextcloud/dbpassFile.age | 22 ++++++++++++++++++++++
 secrets/services/postgresql/initScript.age | Bin 0 -> 1612 bytes
 6 files changed, 66 insertions(+), 8 deletions(-)
 create mode 100644 secrets/services/nextcloud/adminpassFile.age
 create mode 100644 secrets/services/nextcloud/dbpassFile.age
 create mode 100644 secrets/services/postgresql/initScript.age
diff --git a/modules/services/server/nextcloud.nix b/modules/services/server/nextcloud.nix
index 4ec94c2..ce75ac2 100644
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@@ -12,10 +12,20 @@
 dbname = "nextclouddb";
 dbport = adminuser = "kabbone";
- #adminpassFile = "secret123";
+ adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
+ dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
 };
 };
+ age.secrets."services/nextcloud/dbpassFile" = {
+ file = ../../../secrets/services/nextcloud/dbpassFile.age;
+ owner = "nextcloud";
+ };
+ age.secrets."services/nextcloud/adminpassFile" = {
+ file = ../../../secrets/services/nextcloud/adminpassFile.age;
+ owner = "nextcloud";
+ };
+
 systemd.services."nextcloud-setup" = {
 requires = ["postgresql.service"];
 after = ["postgresql.service"];
diff --git a/modules/services/server/postgresql.nix b/modules/services/server/postgresql.nix
index 1fe5e77..6be682c 100644
--- a/modules/services/server/postgresql.nix
+++ b/modules/services/server/postgresql.nix
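Review bot: The new `dbpassFile` line ties this module to whatever password the PostgreSQL `initialScript` secret assigns to the `nextcloud` role (the pg_hba rule for `nextclouddb` uses `scram-sha-256`, so the two must agree), and nothing in the hunk records that the two encrypted files are coupled. A comment above `dbpassFile` would prevent a rotation mistake, e.g. `# Must match the password given to the nextcloud role in secrets/services/postgresql/initScript.age`. `adminpassFile` is presumably read only when the instance is first installed, so it is also worth noting that rotating that secret does not change an existing admin password — confirm against the nextcloud module before stating it. The `services.nextcloud` attribute set and the enclosing module begin before this hunk.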
@@ -21,18 +21,16 @@
 timezone = "Europe/Berlin";
 };
 authentication = pkgs.lib.mkOverride 14 ''
- local all postgres peer
+ #local all postgres peer
 host giteadb gitea samehost scram-sha-256
 host nextclouddb nextcloud samehost scram-sha-256
- host synapsedb synapse_user samehost scram-sha-256
+ host synapsedb synapse samehost scram-sha-256
 host whatsappdb mautrixwa samehost scram-sha-256
 host telegramdb mautrixtele samehost scram-sha-256
 host signaldb mautrixsignal samehost scram-sha-256
- #host facebookdb mautrixfacebook samehost scram-sha-256
- #host xmppdb ejabberd samehost scram-sha-256
- #host prosodydb prosody samehost scram-sha-256
 host keycloakdb keycloak samehost scram-sha-256
 '';
+ initialScript = config.age.secrets."services/postgresql/initScript".path;
 ensureDatabases = [
 "giteadb"
 "nextclouddb"
@@ -90,4 +88,9 @@
 services.postgresqlBackup.enable = true;
+ age.secrets."services/postgresql/initScript" = {
+ file = ../../../secrets/services/postgresql/initScript.age;
+ owner = "postgres";
+ };
+
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c0ff038..c05748e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,8 +29,9 @@ let
 ];
 in
 {
- #"passwords/services/mail/mailjet.age".publicKeys = servers ++ users;
- #"passwords/services/mail/mailjet.age".publicKeys = systems ++ users;
+ "services/postgresql/initScript.age".publicKeys = servers ++ users;
 "services/coturn/static-auth.age".publicKeys = servers ++ users;
 "services/matrix/synapse.age".publicKeys = servers ++ users;
+ "services/nextcloud/adminpassFile.age".publicKeys = servers ++ users;
+ "services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
 }
diff --git a/secrets/services/nextcloud/adminpassFile.age b/secrets/services/nextcloud/adminpassFile.age
new file mode 100644
index 0000000..85951c5
--- /dev/null
+++ b/secrets/services/nextcloud/adminpassFile.age
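Review bot: Commenting out `local all postgres peer` leaves this `authentication` block with no `local` rule at all, and since `pkgs.lib.mkOverride 14` appears to replace the NixOS module's default entries outright (the hunk spells out every `host` rule itself), unix-socket connections by the `postgres` user — the path the module's own `initialScript`/`ensureDatabases` handling and ad-hoc `psql` administration use — look like they would be rejected rather than peer-authenticated, because `host` rules match TCP only. If that is intended, say so in a comment instead of leaving the rule commented out; otherwise restore `local all postgres peer` (or an explicit `local all all peer`). The new `initialScript` line also deserves a comment, best placed on the `age.secrets."services/postgresql/initScript"` entry in the second hunk: `# Only applied when the cluster is first initialised; an existing data directory will not pick up changes to this script.` The `services.postgresql` attribute set and the enclosing module continue outside the hunk.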
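Review bot: All three new entries are encrypted to `servers ++ users`, so every host key in `servers` can decrypt the PostgreSQL init script and the Nextcloud credentials, not only the machine that runs those services. `servers` is bound in the `let` above the hunk, so I cannot see how broad it is, but for credentials consumed by a single host the least-privilege shape is to name that host's key explicitly, e.g. `"services/postgresql/initScript.age".publicKeys = [ <postgres-host-key> ] ++ users;` where `<postgres-host-key>` is the key of the host that evaluates the postgresql module (the same for the two nextcloud entries). If a per-host list already exists in the `let`, reuse it rather than adding a literal. The `let` binding and the attribute set begin outside the hunk.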
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 neExcQ 07jVEVD7GEq1+qohiaSLwDA46CY6AWeUREE4XABsu1g +lJeLdIW7CJOdPxYwZ0/aiGzq+thp4ie3/Bo/6912PLU +-> ssh-rsa VtjGpQ +YhtnxBV6BgZHQHqCr+LOKwnU6CsPH2jKv1ZDJ0mG5EuNM0+PrXKBab/PbcE82+Mn +ZgKLfmB97qGy/DW2MnoRgatRXx/kiPFx3BnEGdrr+PASWL99li5u6iFh5V4i0Imw +OGlqV/uVAW9CAhay3rUY+b5RmmNCglnqjZjeQaTVxfgd+ZuPBTBDihW/h6kGr+tW +yWe/wXARqVoWjM79/DjNbOKc7QsGY1vQa4i5qNDVxEFYU9w+ut+EmJrm0jDsKUSe +kXL48Bv0ochlchTduGIUkKiDBdvHsPSrdDa5YWOdqRdxq4vNCtCX0fQKpn78S1Mm +KZFWCaOgaKPeLUklD3FmVZrVkf8opBjmWvkyHXlTy0DmEBggg7MytrT3pF7j1B5y +sNi9BYfFx0meX1asdslNsjjZSI0nc3e6tlYaFotAwOMDH5eiaBEVUsCLdoiYwDhC +aGpvw0/T/b7/6eUoZDyP3h2D3e52e7ZiuE8vh9pAemU+4SN+2QD015F+tXqSaItP +ubUFZCrqMOvrCeS8aFhNLOMreqCscoSXlAAJNNjklGxzUmQfbx6hE5PJDJLZaBdE +QhqpdsXD9us5ligz8xot9ZCWa9l4pgsEGNEgtv8oxSq/qP/Newmu7mx1v0BDaQKa +HOmzdfkAISM1/L+yM9sOBxsVZGsJ4tUkUU+c4G8pkQE +-> piv-p256 grR75w Au56HVtkwuaPksAY5ZgJiUVSoSTVdsuxjYWuu6xvvl1h +rjE4k4/pge4LFvZlamaADv6ukwm1u55MjLctO/30u/w +-> r`C-grease 'Q`Y4=6 U&7# p`zO0DA +2jmMsZjzNgwT00hDemFcDPtVFPYcuv/sLNA6KlF+IEHw/MsAFK3yvAqbarTWmIqp +ZZlbasWsnJdPP22lvaTvIg +--- JLORjJ4Kj+D7C9O8MJMFxVNiIBkPAaLQiw4/jJ3j+38 +愙RT/XGWR ssh-ed25519 neExcQ gAWuDpwpYwpbGxal3S3H5Jw+5S6AuydnzAvPssDOG2w +dhWCkGmYSLBH0qh4Z9w4ySpPVrkaUW9JuecuO/DFOjE +-> ssh-rsa VtjGpQ +kqzwhv5KMUUMZitbPYARFd+LLmn5ahUxEexslR3lVAOnwNkEVSJLAoLnVoYq/TBl +4d45JGbQgxSTm7OuYLmunN7LK97ygMgkU5BFMMYHaqkWYmoBl9G1Gvuhdh+7tE1e +6/SRmm1iwIOxvlrjnEmNU4cecaVt+kvLwj2uyr6S1QZG+0fQnGlf4QI/x14nem1u +F3ofjBvP1uL4lzQeu3yj8/sok6ujCP0oJMhDJmjbOwpjJ7uYoydVYw1DbDukfK12 +CJl6CAvKT3v7mt5IBVjg99XJG76ltU6skX5LabqIORCgbiXovijY4D3JqWeRWF88 +Ocw9tR88Z1AeqV/63tXACcjXOg55NvUzCiQHGstd+mdD3yt+IyPEokyHqMSjQqxB +o9yvyVACsFh6q51bgjrcIwoU+UjJgagWDYRW90jp7MJ0Hl4c8N5n39879gWyp9IQ +ypsZk7uKQ1VkFIn7CJ1dYcn0X8b8IwuUsX6ASevRBcUjJNvkXLsSwwJoMIxK/H+h +bBfnM2uW0g6cBPZQvLyTPatMV0NlVyxzTlic4hLvxbnfxJ/LD5zARltDwGR3WWUd +9kQjQR3nCtik6F/aCRppsaZ+f8QSUIK0PiTsjVaBk01EURrJ7GRZzPGb0IwzYgLY 
+siZdTcMduBqjEUAh5U0HM/fNEk6L5YdXzcxcLHoAGGc +-> piv-p256 grR75w AtpwJYzbWrR1/5sfxnhoYawIVzyZAefIu004VSBGnbJs +1w/w7E96BexLMmyp2qW1JE/TcttRYM6sJF5enqBhPro +-> TGjY-grease !! =t{G3_b o0O ? +bQ +--- 9exSKjW0kcxJijdrmqmb6wzQdLJp1qgSoKT3NRcbGDk +sl=y$onW \HRWp` b +e \ No newline at end of file 
diff --git a/secrets/services/postgresql/initScript.age b/secrets/services/postgresql/initScript.age new file mode 100644 index 0000000000000000000000000000000000000000..da7a8be331187578581306b723dbc43f559c8923 GIT binary patch literal 1612 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7OLeVC4pay#PxP}$ z%`h-23MdH;Dy;GhuyipFPPa^}3du5!DhV)fGK&m1&vFk9GvP`LH~021HFj~%Ps%E; zG%igJ&&W5(E^)~#FE%u+aPf1hvheqftV#??_l4P3RGg>~R+8mj5Xj|dl$C4Ynx<`L zQCS+AWnq!#VQNusZj|8`nx}2yo16;p6F5?&}>GQBvjU>zeQ3Tasj&Sy^gSn&n;*7ifY zmu#GG=2L2xVdjzKY-yp-6=G=~5>XWzo|2L2=o6NgACc}AQBmOGk{KRUVV+%LR^(-n zoRpkd;_Vt(Vd9(N;^kiCWtQ(+8I@L%m|NhS!If!LUJ{ra5o%c)ni`(tX5yY?7*?EJ z5>QoOoLS(LAEs^T=9FKMo0e!%uI=p{USedPUTjjBTj`Qi;$Br%RmfH9SsYm6mg$t4 zSXfzTnV49lALL}1Y#bWqOwJ>>g_FRA%9nZJH4fm7ZK|k&@~d zSP^C#nrTs0;%c0jmXoNTo9I`OYml0f<&y1XoZ?y#5vgxd>KtJb6~(3RW)Pkd9OPzV zQEU{booP_v?2_tK6qS)>T6LsoZ*+16;W1P>RaF#neU!mk(1|_8k!a1W$5dX z?q|T2WS$(6>*^L7YU!G9UhLskWt{6@?2#0b>5^&S92S~e5M`R{QCMVH7-|^o=VRh* zmK2!g;p!Gp;Z$YhS?-w373k<%Tv}dfoMmZj7-A5fSLq+J9+}$ySt*qs z8O|1=u2JUh#^K4XNoB>EW|dq{X&Dju2BtpAPG#olj=5%@Ug<_&1={A}<$ft;6@G;l z!9I@RmPS!&j*cL^Y9d@TjCIqCQWJ|)xtvnHQ(S#rj10mJ%Zl^E4J-44lbsW*@^TzA z%l$J_wTlx?BMXXC68%$*67wrcgIoi=O)ASxBFsV^L-R6Ain%J>94j;YeS;O`!;vn|r{3*GcfoYJ`h6^%3gRJ(3#+bkGzPT6+( z-z8lC_>6B=vAnAIf8*9y)(!qkE5ewb?QZ(AY?*P?%3BNLj%bL!{#Ey!A=mS~_nt`0 zgx$P5B-syaT-})y5?XA)=I8k!(x5En@)T`H5zVeB;Dlg|(^q79ZH} z|C^E3CUJ4W4-4U=k9<=|4(>b4zYB{q^p`xE ztdTIuL@)Dg|KjC;W*v*#*I+C$*^bfW^7A<=J?ygC>v?&9?TXQG-{R9hq3#lc*(3HD z5#M@Fx84eldAPADcY{g$pZ^C^XD)Gkc5%^K{$n*E2KB2d3wU>n3Z@-CX?-Hp@6AUc z<%z51+Imv|!pKnUp^ixq(r{>(w+OG=!$^z4m zRoqtgo+tKDIO!kTRuAX&E$KWR2Ejd3rMZ@0Yt!I%cf3`r=03OE&UC@Cu(Qfh+XC#R zyPy5|c=Tb`Z5^?nEdAGxmTP>Gye)Za{)%q5?5jnMx7qxD>1Js8iiz_)`SyjI@5Yv| zO)slwq=_Cbt0>m&5eUB$Tp3w&SNf*a$xC-R_sS)0x;9x&;A-XN{L|4rdFLM4gc^wb W-SKtTe~ZJ#@}Dp3RvVn~+yemCxLYLv literal 0 HcmV?d00001