Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

server: add secrets to nextcloud and postgresql

Browse Source
This commit is contained in:
Kabbone 2022-12-27 09:25:23 +01:00
parent 92a56bff1c
commit 211e8cbca2
No known key found for this signature in database
6 changed files with 66 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
modules/services/server/nextcloud.nix
View File

@ -12,10 +12,20 @@
dbname = "nextclouddb"; dbname = "nextclouddb";
dbport = dbport =
adminuser = "kabbone"; adminuser = "kabbone";
#adminpassFile = "secret123"; adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
}; };
}; };
age.secrets."services/nextcloud/dbpassFile" = {
file = ../../../secrets/services/nextcloud/dbpassFile.age;
owner = "nextcloud";
};
age.secrets."services/nextcloud/adminpassFile" = {
file = ../../../secrets/services/nextcloud/adminpassFile.age;
owner = "nextcloud";
};
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"]; requires = ["postgresql.service"];
after = ["postgresql.service"]; after = ["postgresql.service"];

13
modules/services/server/postgresql.nix
View File

@ -21,18 +21,16 @@
timezone = "Europe/Berlin"; timezone = "Europe/Berlin";
}; };
authentication = pkgs.lib.mkOverride 14 '' authentication = pkgs.lib.mkOverride 14 ''
local all postgres peer #local all postgres peer
host giteadb gitea samehost scram-sha-256 host giteadb gitea samehost scram-sha-256
host nextclouddb nextcloud samehost scram-sha-256 host nextclouddb nextcloud samehost scram-sha-256
host synapsedb synapse_user samehost scram-sha-256 host synapsedb synapse samehost scram-sha-256
host whatsappdb mautrixwa samehost scram-sha-256 host whatsappdb mautrixwa samehost scram-sha-256
host telegramdb mautrixtele samehost scram-sha-256 host telegramdb mautrixtele samehost scram-sha-256
host signaldb mautrixsignal samehost scram-sha-256 host signaldb mautrixsignal samehost scram-sha-256
#host facebookdb mautrixfacebook samehost scram-sha-256
#host xmppdb ejabberd samehost scram-sha-256
#host prosodydb prosody samehost scram-sha-256
host keycloakdb keycloak samehost scram-sha-256 host keycloakdb keycloak samehost scram-sha-256
''; '';
initialScript = config.age.secrets."services/postgresql/initScript".path;
ensureDatabases = [ ensureDatabases = [
"giteadb" "giteadb"
"nextclouddb" "nextclouddb"
@ -90,4 +88,9 @@
services.postgresqlBackup.enable = true; services.postgresqlBackup.enable = true;
age.secrets."services/postgresql/initScript" = {
file = ../../../secrets/services/postgresql/initScript.age;
owner = "postgres";
};
} }

5
secrets/secrets.nix
View File

@ -29,8 +29,9 @@ let
]; ];
in in
{ {
#"passwords/services/mail/mailjet.age".publicKeys = servers ++ users; "services/postgresql/initScript.age".publicKeys = servers ++ users;
#"passwords/services/mail/mailjet.age".publicKeys = systems ++ users;
"services/coturn/static-auth.age".publicKeys = servers ++ users; "services/coturn/static-auth.age".publicKeys = servers ++ users;
"services/matrix/synapse.age".publicKeys = servers ++ users; "services/matrix/synapse.age".publicKeys = servers ++ users;
"services/nextcloud/adminpassFile.age".publicKeys = servers ++ users;
"services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
} }

22
secrets/services/nextcloud/adminpassFile.age Normal file
View File

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 neExcQ 07jVEVD7GEq1+qohiaSLwDA46CY6AWeUREE4XABsu1g
lJeLdIW7CJOdPxYwZ0/aiGzq+thp4ie3/Bo/6912PLU
-> ssh-rsa VtjGpQ
YhtnxBV6BgZHQHqCr+LOKwnU6CsPH2jKv1ZDJ0mG5EuNM0+PrXKBab/PbcE82+Mn
ZgKLfmB97qGy/DW2MnoRgatRXx/kiPFx3BnEGdrr+PASWL99li5u6iFh5V4i0Imw
OGlqV/uVAW9CAhay3rUY+b5RmmNCglnqjZjeQaTVxfgd+ZuPBTBDihW/h6kGr+tW
yWe/wXARqVoWjM79/DjNbOKc7QsGY1vQa4i5qNDVxEFYU9w+ut+EmJrm0jDsKUSe
kXL48Bv0ochlchTduGIUkKiDBdvHsPSrdDa5YWOdqRdxq4vNCtCX0fQKpn78S1Mm
KZFWCaOgaKPeLUklD3FmVZrVkf8opBjmWvkyHXlTy0DmEBggg7MytrT3pF7j1B5y
sNi9BYfFx0meX1asdslNsjjZSI0nc3e6tlYaFotAwOMDH5eiaBEVUsCLdoiYwDhC
aGpvw0/T/b7/6eUoZDyP3h2D3e52e7ZiuE8vh9pAemU+4SN+2QD015F+tXqSaItP
ubUFZCrqMOvrCeS8aFhNLOMreqCscoSXlAAJNNjklGxzUmQfbx6hE5PJDJLZaBdE
QhqpdsXD9us5ligz8xot9ZCWa9l4pgsEGNEgtv8oxSq/qP/Newmu7mx1v0BDaQKa
HOmzdfkAISM1/L+yM9sOBxsVZGsJ4tUkUU+c4G8pkQE
-> piv-p256 grR75w Au56HVtkwuaPksAY5ZgJiUVSoSTVdsuxjYWuu6xvvl1h
rjE4k4/pge4LFvZlamaADv6ukwm1u55MjLctO/30u/w
-> r`C-grease 'Q`Y4=6 U&7# p`zO0DA
2jmMsZjzNgwT00hDemFcDPtVFPYcuv/sLNA6KlF+IEHw/MsAFK3yvAqbarTWmIqp
ZZlbasWsnJdPP22lvaTvIg
--- JLORjJ4Kj+D7C9O8MJMFxVNiIBkPAaLQiw4/jJ3j+38
Öæ„™ÉRT/ú°©XÜGÊWÉÐßRœ<ý?y2íb×NpG™§<1D>9±Ìa/

22
secrets/services/nextcloud/dbpassFile.age Normal file
View File

@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 neExcQ gAWuDpwpYwpbGxal3S3H5Jw+5S6AuydnzAvPssDOG2w
dhWCkGmYSLBH0qh4Z9w4ySpPVrkaUW9JuecuO/DFOjE
-> ssh-rsa VtjGpQ
kqzwhv5KMUUMZitbPYARFd+LLmn5ahUxEexslR3lVAOnwNkEVSJLAoLnVoYq/TBl
4d45JGbQgxSTm7OuYLmunN7LK97ygMgkU5BFMMYHaqkWYmoBl9G1Gvuhdh+7tE1e
6/SRmm1iwIOxvlrjnEmNU4cecaVt+kvLwj2uyr6S1QZG+0fQnGlf4QI/x14nem1u
F3ofjBvP1uL4lzQeu3yj8/sok6ujCP0oJMhDJmjbOwpjJ7uYoydVYw1DbDukfK12
CJl6CAvKT3v7mt5IBVjg99XJG76ltU6skX5LabqIORCgbiXovijY4D3JqWeRWF88
Ocw9tR88Z1AeqV/63tXACcjXOg55NvUzCiQHGstd+mdD3yt+IyPEokyHqMSjQqxB
o9yvyVACsFh6q51bgjrcIwoU+UjJgagWDYRW90jp7MJ0Hl4c8N5n39879gWyp9IQ
ypsZk7uKQ1VkFIn7CJ1dYcn0X8b8IwuUsX6ASevRBcUjJNvkXLsSwwJoMIxK/H+h
bBfnM2uW0g6cBPZQvLyTPatMV0NlVyxzTlic4hLvxbnfxJ/LD5zARltDwGR3WWUd
9kQjQR3nCtik6F/aCRppsaZ+f8QSUIK0PiTsjVaBk01EURrJ7GRZzPGb0IwzYgLY
siZdTcMduBqjEUAh5U0HM/fNEk6L5YdXzcxcLHoAGGc
-> piv-p256 grR75w AtpwJYzbWrR1/5sfxnhoYawIVzyZAefIu004VSBGnbJs
1w/w7E96BexLMmyp2qW1JE/TcttRYM6sJF5enqBhPro
-> TGjY-grease !! =t{G3_b o0O ?
bQ
--- 9exSKjW0kcxJijdrmqmb6wzQdLJp1qgSoKT3NRcbGDk
sőŹŽlăĎÄ=´ ď·ä¤yôň$ń´o‰†ÔnÚW \HR”Wßęp`¦® b©´ŁűÉ
ââe

BIN
secrets/services/postgresql/initScript.age Normal file
View File

Binary file not shown.