From 211e8cbca2ed123371a37ec80fe3758c4d04bf10 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Tue, 27 Dec 2022 09:25:23 +0100
Subject: [PATCH] server: add secrets to nextcloud and postgresql

---
 modules/services/server/nextcloud.nix        | 12 +++++++++-
 modules/services/server/postgresql.nix       | 13 ++++++-----
 secrets/secrets.nix                          |  5 +++--
 secrets/services/nextcloud/adminpassFile.age | 22 +++++++++++++++++++
 secrets/services/nextcloud/dbpassFile.age    | 22 +++++++++++++++++++
 secrets/services/postgresql/initScript.age   | Bin 0 -> 1612 bytes
 6 files changed, 66 insertions(+), 8 deletions(-)
 create mode 100644 secrets/services/nextcloud/adminpassFile.age
 create mode 100644 secrets/services/nextcloud/dbpassFile.age
 create mode 100644 secrets/services/postgresql/initScript.age

diff --git a/modules/services/server/nextcloud.nix b/modules/services/server/nextcloud.nix
index 4ec94c2..ce75ac2 100644
--- a/modules/services/server/nextcloud.nix
+++ b/modules/services/server/nextcloud.nix
@@ -12,10 +12,20 @@
       dbname = "nextclouddb";
       dbport =
       adminuser = "kabbone";
-      #adminpassFile = "secret123";
+      adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
+      dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
     };
   };
 
+  age.secrets."services/nextcloud/dbpassFile" = {
+    file = ../../../secrets/services/nextcloud/dbpassFile.age;
+    owner = "nextcloud";
+  };
+  age.secrets."services/nextcloud/adminpassFile" = {
+    file = ../../../secrets/services/nextcloud/adminpassFile.age;
+    owner = "nextcloud";
+  };
+
   systemd.services."nextcloud-setup" = {
     requires = ["postgresql.service"];
     after = ["postgresql.service"];
diff --git a/modules/services/server/postgresql.nix b/modules/services/server/postgresql.nix
index 1fe5e77..6be682c 100644
--- a/modules/services/server/postgresql.nix
+++ b/modules/services/server/postgresql.nix
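Review bot: The new `dbpassFile` in the nextcloud.nix hunk only works if its contents equal the password that `secrets/services/postgresql/initScript.age` assigns to the `nextcloud` role, and nothing in this commit ties the two independently managed secrets together, so drift between them fails only at `nextcloud-setup` time on a fresh deployment. A comment next to the option would record the coupling: `# must equal the password given to role "nextcloud" in secrets/services/postgresql/initScript.age`. The `dbport =` context line appears to have lost its value in this rendering; worth confirming the file really assigns one. The enclosing `services.nextcloud` attribute set starts above the hunk.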
@@ -21,18 +21,16 @@
       timezone = "Europe/Berlin";
     };
     authentication = pkgs.lib.mkOverride 14 ''
-      local all postgres peer
+      #local all postgres peer
       host giteadb gitea samehost scram-sha-256
       host nextclouddb nextcloud samehost scram-sha-256
-      host synapsedb synapse_user samehost scram-sha-256
+      host synapsedb synapse samehost scram-sha-256
       host whatsappdb mautrixwa samehost scram-sha-256
       host telegramdb mautrixtele samehost scram-sha-256
       host signaldb mautrixsignal samehost scram-sha-256
-      #host facebookdb mautrixfacebook samehost scram-sha-256
-      #host xmppdb ejabberd samehost scram-sha-256
-      #host prosodydb prosody samehost scram-sha-256
       host keycloakdb keycloak samehost scram-sha-256
     '';
+    initialScript = config.age.secrets."services/postgresql/initScript".path;
     ensureDatabases = [
       "giteadb"
       "nextclouddb"
@@ -90,4 +88,9 @@
 
   services.postgresqlBackup.enable = true;
 
+  age.secrets."services/postgresql/initScript" = {
+    file = ../../../secrets/services/postgresql/initScript.age;
+    owner = "postgres";
+  };
+
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c0ff038..c05748e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,8 +29,9 @@ let
   ];
 in
 {
-  #"passwords/services/mail/mailjet.age".publicKeys = servers ++ users;
-  #"passwords/services/mail/mailjet.age".publicKeys = systems ++ users;
+  "services/postgresql/initScript.age".publicKeys = servers ++ users;
   "services/coturn/static-auth.age".publicKeys = servers ++ users;
   "services/matrix/synapse.age".publicKeys = servers ++ users;
+  "services/nextcloud/adminpassFile.age".publicKeys = servers ++ users;
+  "services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
 }
diff --git a/secrets/services/nextcloud/adminpassFile.age b/secrets/services/nextcloud/adminpassFile.age
new file mode 100644
index 0000000..85951c5
--- /dev/null
+++ b/secrets/services/nextcloud/adminpassFile.age
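Review bot: Commenting out `local all postgres peer` leaves the `authentication` block with no `local` rule at all, and because the block is set with `mkOverride 14` it replaces the NixOS default `local all all peer` entries rather than extending them, so the only remaining path in is `samehost` TCP with a password. The module's own `postgresql-setup` step, which runs `ensureDatabases` and the newly added `initialScript` as the `postgres` user over the Unix socket, would then be refused with "no pg_hba.conf entry for host [local]" and the unit would wait on that connection indefinitely, unless something outside this hunk adds a socket rule. Restore the line `local all postgres peer`; limiting peer auth to the `postgres` role is already the least-privilege form. The `synapse_user` to `synapse` rename must also be mirrored by the role name inside `initScript.age`, which this diff cannot show.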
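Review bot: `initialScript` is, as far as I recall the NixOS module, executed only when the data directory is initialised for the first time, so on an already-provisioned host the role passwords carried in `initScript.age` are never applied while the `scram-sha-256` rules above begin to require them. That limitation deserves a comment beside the secret, `# only run on first initdb; existing clusters need the role passwords applied by hand`, or an idempotent `ALTER ROLE ... PASSWORD` step in a `postStart` hook. Setting `owner = "postgres"` with agenix's default read-only mode is the right scope for a file that holds every database role's password.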
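Review bot: All three new entries in secrets.nix are decryptable by every key in `servers` as well as `users`, yet the Nextcloud admin password and the PostgreSQL init script are needed only on the host that runs those services, so every other server's host key becomes a route to the Nextcloud admin account and to every database role password. Scope each entry to that host plus the operator keys, e.g. `"services/nextcloud/adminpassFile.age".publicKeys = [ <nextcloud-host-key> ] ++ users;`; the `servers` and `users` bindings live above this hunk and are not visible here, so the exact key name has to come from there. The `initScript.age` line is also inserted above the alphabetically earlier `coturn` entry; keeping the list sorted makes later reviews of who can read what easier.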
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 neExcQ 07jVEVD7GEq1+qohiaSLwDA46CY6AWeUREE4XABsu1g +lJeLdIW7CJOdPxYwZ0/aiGzq+thp4ie3/Bo/6912PLU +-> ssh-rsa VtjGpQ +YhtnxBV6BgZHQHqCr+LOKwnU6CsPH2jKv1ZDJ0mG5EuNM0+PrXKBab/PbcE82+Mn +ZgKLfmB97qGy/DW2MnoRgatRXx/kiPFx3BnEGdrr+PASWL99li5u6iFh5V4i0Imw +OGlqV/uVAW9CAhay3rUY+b5RmmNCglnqjZjeQaTVxfgd+ZuPBTBDihW/h6kGr+tW +yWe/wXARqVoWjM79/DjNbOKc7QsGY1vQa4i5qNDVxEFYU9w+ut+EmJrm0jDsKUSe +kXL48Bv0ochlchTduGIUkKiDBdvHsPSrdDa5YWOdqRdxq4vNCtCX0fQKpn78S1Mm +KZFWCaOgaKPeLUklD3FmVZrVkf8opBjmWvkyHXlTy0DmEBggg7MytrT3pF7j1B5y +sNi9BYfFx0meX1asdslNsjjZSI0nc3e6tlYaFotAwOMDH5eiaBEVUsCLdoiYwDhC +aGpvw0/T/b7/6eUoZDyP3h2D3e52e7ZiuE8vh9pAemU+4SN+2QD015F+tXqSaItP +ubUFZCrqMOvrCeS8aFhNLOMreqCscoSXlAAJNNjklGxzUmQfbx6hE5PJDJLZaBdE +QhqpdsXD9us5ligz8xot9ZCWa9l4pgsEGNEgtv8oxSq/qP/Newmu7mx1v0BDaQKa +HOmzdfkAISM1/L+yM9sOBxsVZGsJ4tUkUU+c4G8pkQE +-> piv-p256 grR75w Au56HVtkwuaPksAY5ZgJiUVSoSTVdsuxjYWuu6xvvl1h +rjE4k4/pge4LFvZlamaADv6ukwm1u55MjLctO/30u/w +-> r`C-grease 'Q`Y4=6 U&7# p`zO0DA +2jmMsZjzNgwT00hDemFcDPtVFPYcuv/sLNA6KlF+IEHw/MsAFK3yvAqbarTWmIqp +ZZlbasWsnJdPP22lvaTvIg +--- JLORjJ4Kj+D7C9O8MJMFxVNiIBkPAaLQiw4/jJ3j+38 +愙RT/XGWR ssh-ed25519 neExcQ gAWuDpwpYwpbGxal3S3H5Jw+5S6AuydnzAvPssDOG2w +dhWCkGmYSLBH0qh4Z9w4ySpPVrkaUW9JuecuO/DFOjE +-> ssh-rsa VtjGpQ +kqzwhv5KMUUMZitbPYARFd+LLmn5ahUxEexslR3lVAOnwNkEVSJLAoLnVoYq/TBl +4d45JGbQgxSTm7OuYLmunN7LK97ygMgkU5BFMMYHaqkWYmoBl9G1Gvuhdh+7tE1e +6/SRmm1iwIOxvlrjnEmNU4cecaVt+kvLwj2uyr6S1QZG+0fQnGlf4QI/x14nem1u +F3ofjBvP1uL4lzQeu3yj8/sok6ujCP0oJMhDJmjbOwpjJ7uYoydVYw1DbDukfK12 +CJl6CAvKT3v7mt5IBVjg99XJG76ltU6skX5LabqIORCgbiXovijY4D3JqWeRWF88 +Ocw9tR88Z1AeqV/63tXACcjXOg55NvUzCiQHGstd+mdD3yt+IyPEokyHqMSjQqxB +o9yvyVACsFh6q51bgjrcIwoU+UjJgagWDYRW90jp7MJ0Hl4c8N5n39879gWyp9IQ +ypsZk7uKQ1VkFIn7CJ1dYcn0X8b8IwuUsX6ASevRBcUjJNvkXLsSwwJoMIxK/H+h +bBfnM2uW0g6cBPZQvLyTPatMV0NlVyxzTlic4hLvxbnfxJ/LD5zARltDwGR3WWUd +9kQjQR3nCtik6F/aCRppsaZ+f8QSUIK0PiTsjVaBk01EURrJ7GRZzPGb0IwzYgLY 
+siZdTcMduBqjEUAh5U0HM/fNEk6L5YdXzcxcLHoAGGc +-> piv-p256 grR75w AtpwJYzbWrR1/5sfxnhoYawIVzyZAefIu004VSBGnbJs +1w/w7E96BexLMmyp2qW1JE/TcttRYM6sJF5enqBhPro +-> TGjY-grease !! =t{G3_b o0O ? +bQ +--- 9exSKjW0kcxJijdrmqmb6wzQdLJp1qgSoKT3NRcbGDk +sl=y$onW \HRWp` b +e \ No newline at end of file diff --git a/secrets/services/postgresql/initScript.age b/secrets/services/postgresql/initScript.age new file mode 100644 index 0000000000000000000000000000000000000000..da7a8be331187578581306b723dbc43f559c8923 GIT binary patch literal 1612 zcmXxi|F0Vb0RZr6=9V3d4aWvAi}=VR(hpvm4hlsBJCDx=foxq=qkO1V8% z8bBuP+oU9WERVIhw-qm(4H zSRJGwO{hbYjy@~_s5|bLkw!IYp-oS=<;2J!un{QG0tO?Zj)Aa`wi_&;wj+|#idlm# zaL$Mhjfz=Gr2QcfrKy~Vl4FeQWzDK=bbPF<5kl0=iWW8v7)a6kO3G3A$N{ykP4@~= zm+_=_3Jxg=mSrHtf~{`7#=@AN5fT;{QM5*mWYdO*9M}ZMwYtgMwlwy`vPZPtTrcVm zculmWLb}WuJP4?0M{*ce6miByeU6<%PQ~ZchDBQ-)f631&N|$1lpc!dI$we*L=|+7 zVXF~2&EzLU2M`Fx4<|8X<50Q*wgz!UVDY@%G)pN9p_s8Vt)c^#plU?>v&Wt_PI{Rv zGHZ-#Xm&D7fNI>vv+c5|#Ssm*Y6fQ|Dt0&KObQbj8O=eh4x^5J3yA?zHzgO$mOA7Z zH3$dE7mQ57OQ5X@-yKK%5UZDn7M_uHg80nZA<^?t(imxquK}c1>@sCK1Gds*-)*Ji zLA^sM(?OrGCKXdl_)50z`CX;b%_wdZ)|hG$jwi5$h=e$>0w0K2A~q}KI#-$|LT4z) zkuC6zy35N^H)3oA35l8vCK$XvfSj??YlW3OkW40Lc~&nM?fgWQY)lZrK4Wk-rP&#P zaLK2;0jcyb-5s*2fHVN%HpslPoq2Kh;Tsz#=e~B})2D!|H$Y3%mH&*cy|;Af3olfj zj+&o8cXZdqXP$xNUo7qa*6Z^d|8@Dk^DCVEAB(TH@oh)fzBIG?wS&(+&~J!7xQfsJ ztqqR1p88ROxarQvUVrFeabXSq-1&nKT^{b#T z&@Fqne2zYK{-?JuuKrT**K5~aer4-??nr6R5AJ(s1+u()pY+kwX^%WboO}Dp=hvOs(Ez{w%h+3cbmNWsu{ZC1L*)Pc!58N~j2G^C;3qTOw&K#v zI;?T!@cr8!B!7=kzk2f4nf?3EAL<_Z?Kt`J&P%hEx%Cg9h|bIvf41rD2KDNy z-*A+1#JK+ZV14n&n}GwTch6s!BbIjFk$Y@mOZJHq%|Fb^FIK<4dEwm09~?hxpSf$( zCoA`yK0cYhICExZ>G5Y5*xtLN@19x3Urw4|DQ~*@`oDj4@wyw{J925)Keq4FHy#^D z{+)~KTYsv@?H%uL{_{O=zVrT?-`=VoI=%Of_3y@~+_%2DI5@fdRT13u=}VVhxrQC{ Pzx?5;