diff --git a/hosts/ni/default.nix b/hosts/ni/default.nix
index 3ce14792..33add34a 100644
--- a/hosts/ni/default.nix
+++ b/hosts/ni/default.nix
@@ -64,38 +64,12 @@ in
 };
 };
- sops.secrets =
- let
- getKey = key: {
- inherit key;
- sopsFile = ./secrets/secrets.yaml;
- };
- getSecrets = secrets:
- lib.mapAttrs'
- (secret: config:
- lib.nameValuePair
- "ni/${secret}"
- ((getKey secret) // config))
- secrets;
- in
- getSecrets {
- ssh-key = { };
- "wireguard/private-key" = {
- group = config.users.users.systemd-network.group;
- reloadUnits = [ "systemd-networkd.service" ];
- mode = "0640";
- };
- "wireguard/preshared-keys/plover" = {
- group = config.users.users.systemd-network.group;
- reloadUnits = [ "systemd-networkd.service" ];
- mode = "0640";
- };
- "wireguard/preshared-keys/phone" = {
- group = config.users.users.systemd-network.group;
- reloadUnits = [ "systemd-networkd.service" ];
- mode = "0640";
- };
- };
+ sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
+ "ni/ssh-key" = { };
+ "ni/wireguard/private-key" = { };
+ "ni/wireguard/preshared-keys/plover" = { };
+ "ni/wireguard/preshared-keys/phone" = { };
+ };
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index b7ed6136..ca857c8c 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
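Review bot: The ni WireGuard entries are now bare `{ }`, dropping the `group`, `mode = "0640"` and `reloadUnits` the removed block set for `wireguard/private-key` and both preshared keys; unless `lib.getSecrets` (not part of this diff) supplies them, the files fall back to sops-nix defaults (root-owned, 0400), systemd-networkd can no longer read them, and a rotated key no longer reloads `systemd-networkd.service`. plover's wireguard.nix hunk keeps its `systemdNetworkdPermission` for the same kind of files, so ni should mirror it, e.g. `"ni/wireguard/private-key" = { group = config.users.users.systemd-network.group; reloadUnits = [ "systemd-networkd.service" ]; mode = "0640"; };` for each of the three entries. A second point to confirm, which applies to every hunk in this diff: the removed helper set `key = secret` without the host prefix while naming the entry `ni/${secret}`, and sops-nix defaults `key` to the attribute name, so `lib.getSecrets` must strip the leading path component (or the YAML must have been re-nested under `ni/`) or `ni/ssh-key` is looked up literally in `secrets.yaml`.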
@@ -74,43 +74,15 @@ in
 '';
 };
- # TODO: Put the secrets to the respective service module.
- sops.secrets =
- let
- getKey = key: {
- inherit key;
- sopsFile = ./secrets/secrets.yaml;
- };
- getSecrets = secrets:
- lib.mapAttrs'
- (secret: config:
- lib.nameValuePair
- "plover/${secret}"
- ((getKey secret) // config))
- secrets;
+ sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
+ "plover/ssh-key" = { };
+ "plover/lego/env" = { };
- giteaUser = config.users.users."${config.services.gitea.user}".name;
- portunusUser = config.users.users."${config.services.portunus.user}".name;
-
- # It is hardcoded but as long as the module is stable that way.
- vaultwardenUser = config.users.groups.vaultwarden.name;
- postgresUser = config.users.groups.postgres.name;
- in
- getSecrets {
- "ssh-key" = { };
- "lego/env" = { };
- "gitea/db/password".owner = giteaUser;
- "gitea/smtp/password".owner = giteaUser;
- "vaultwarden/env".owner = vaultwardenUser;
-
- "borg/repos/host/patterns/keys" = { };
- "borg/repos/host/password" = { };
- "borg/repos/services/password" = { };
- "borg/ssh-key" = { };
-
- "keycloak/db/password".owner = postgresUser;
- "ldap/users/foodogsquared/password".owner = portunusUser;
- };
+ "plover/borg/repos/host/patterns/keys" = { };
+ "plover/borg/repos/host/password" = { };
+ "plover/borg/repos/services/password" = { };
+ "plover/borg/ssh-key" = { };
+ };
 # All of the keys required to deploy the secrets.
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix
index ecc69044..4862d9e9 100644
--- a/hosts/plover/modules/services/bind.nix
+++ b/hosts/plover/modules/services/bind.nix
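Review bot: The removed `# TODO: Put the secrets to the respective service module.` is dropped while `"plover/lego/env"` and the borg entries stay in the host file, so the TODO is only partly done. If `lego/env` is consumed by the ACME/lego configuration, it belongs in that module next to the other per-service declarations this commit introduces; otherwise a short comment such as `# Host-level secrets; service-scoped ones are declared in modules/services/*.nix` would tell the next reader why these remain here.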
@@ -53,27 +53,16 @@ in
 {
 sops.secrets =
 let
- getKey = key: {
- inherit key;
- sopsFile = ../../secrets/secrets.yaml;
- };
- getSecrets = secrets:
- lib.mapAttrs'
- (secret: config:
- lib.nameValuePair
- "plover/${secret}"
- ((getKey secret) // config))
- secrets;
 dnsFileAttribute = {
 owner = config.users.users.named.name;
 group = config.users.users.named.group;
 mode = "0400";
 };
 in
- getSecrets {
- "dns/${domain}/mailbox-security-key" = dnsFileAttribute;
- "dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
- "dns/${domain}/rfc2136-key" = dnsFileAttribute // {
+ lib.getSecrets ../../secrets/secrets.yaml {
+ "plover/dns/${domain}/mailbox-security-key" = dnsFileAttribute;
+ "plover/dns/${domain}/mailbox-security-key-record" = dnsFileAttribute;
+ "plover/dns/${domain}/rfc2136-key" = dnsFileAttribute // {
 reloadUnits = [ "bind.service" ];
 };
 };
diff --git a/hosts/plover/modules/services/gitea.nix b/hosts/plover/modules/services/gitea.nix
index eb3a429e..9ccffb2c 100644
--- a/hosts/plover/modules/services/gitea.nix
+++ b/hosts/plover/modules/services/gitea.nix
@@ -7,9 +7,15 @@ let
 codeForgeDomain = "code.${config.networking.domain}";
+ giteaUser = config.users.users."${config.services.gitea.user}".name;
 giteaDatabaseUser = config.services.gitea.user;
 in
 {
+ sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
+ "plover/gitea/db/password".owner = giteaUser;
+ "plover/gitea/smtp/password".owner = giteaUser;
+ };
+
 services.gitea = {
 enable = true;
 appName = "foodogsquared's code forge";
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 68112912..13e285ee 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
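Review bot: In the gitea.nix hunk, `giteaUser` and the existing `giteaDatabaseUser` normally resolve to the same string, since `config.users.users."${...}".name` defaults to the attribute name unless `name` is overridden, so the new binding duplicates the one directly below it. Either reuse `giteaDatabaseUser` as the `.owner`, or keep `giteaUser` and say why the indirection is wanted, e.g. `# Looked up through users.users so evaluation fails if the gitea user is not declared.` The enclosing `let` block starts at the hunk header and its attrset continues past the hunk.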
@@ -11,10 +11,17 @@ let
 keycloakUser = config.services.keycloak.database.username;
 keycloakDbName = if config.services.keycloak.database.createLocally then keycloakUser else config.services.keycloak.database.username;
+ # This is for access to PostgreSQL database.
+ postgresUser = config.users.groups.postgres.name;
+
 certs = config.security.acme.certs;
 host = "localhost";
 in
 {
+ sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
+ "plover/keycloak/db/password".owner = postgresUser;
+ };
+
 # Hey, the hub for your application sign-in.
 services.keycloak = {
 enable = true;
diff --git a/hosts/plover/modules/services/portunus.nix b/hosts/plover/modules/services/portunus.nix
index 424f6f9d..0132400c 100644
--- a/hosts/plover/modules/services/portunus.nix
+++ b/hosts/plover/modules/services/portunus.nix
@@ -5,8 +5,13 @@ let
 ldapDomain = "ldap.${config.networking.fqdn}";
+ portunusUser = config.users.users."${config.services.portunus.user}".name;
 in
 {
+ sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
+ "plover/ldap/users/foodogsquared/password".owner = portunusUser;
+ };
+
 services.portunus = {
 enable = true;
diff --git a/hosts/plover/modules/services/vaultwarden.nix b/hosts/plover/modules/services/vaultwarden.nix
index 916b2052..9c253cee 100644
--- a/hosts/plover/modules/services/vaultwarden.nix
+++ b/hosts/plover/modules/services/vaultwarden.nix
@@ -12,6 +12,10 @@ let
 vaultwardenDbName = "vaultwarden";
 in
 {
+ sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
+ "plover/vaultwarden/env".owner = vaultwardenUser;
+ };
+
 services.vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index 59db3941..2dd914a7 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
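Review bot: In the keycloak.nix hunk, `postgresUser` is read from `config.users.groups.postgres.name` but assigned to `.owner`, which sops-nix treats as a user name; it only works because the postgres user and group happen to share a name, so the lookup should be `postgresUser = config.users.users.postgres.name;` (the host file's removed `# It is hardcoded ...` remark that hinted at this did not travel with the code). The new comment `# This is for access to PostgreSQL database.` also does not say who needs the access; if the local database setup is the reader of the password file, `# Owned by the postgres user so the local database setup can read the password.` would be clearer. The vaultwarden.nix hunk below owns `plover/vaultwarden/env` via `vaultwardenUser`, defined outside that hunk; if it was moved verbatim from the host file it carries the same group-for-owner pattern. The enclosing `let` in each of these hunks begins at the hunk header and the attrset continues past the hunk.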
@@ -18,29 +18,16 @@ in
 sops.secrets =
 let
- getKey = key: {
- inherit key;
- sopsFile = ../../secrets/secrets.yaml;
- };
-
- getSecrets = secrets:
- (lib.mapAttrs'
- (name: config:
- lib.nameValuePair
- "plover/${name}"
- ((getKey name) // config))
- secrets);
-
 systemdNetworkdPermission = {
 group = config.users.users.systemd-network.group;
 reloadUnits = [ "systemd-networkd.service" ];
 mode = "0640";
 };
 in
- getSecrets {
- "wireguard/private-key" = systemdNetworkdPermission;
- "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
- "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
+ lib.getSecrets ../../secrets/secrets.yaml {
+ "plover/wireguard/private-key" = systemdNetworkdPermission;
+ "plover/wireguard/preshared-keys/ni" = systemdNetworkdPermission;
+ "plover/wireguard/preshared-keys/phone" = systemdNetworkdPermission;
 };
 networking.firewall = {
diff --git a/modules/nixos/tasks/backup-archive/default.nix b/modules/nixos/tasks/backup-archive/default.nix
index 219fc390..6f7a97e6 100644
--- a/modules/nixos/tasks/backup-archive/default.nix
+++ b/modules/nixos/tasks/backup-archive/default.nix
@@ -44,30 +44,16 @@ in
 lib.mkEnableOption "backup setup with BorgBackup";
 config = lib.mkIf cfg.enable {
- sops.secrets =
- let
- getKey = key: {
- inherit key;
- sopsFile = lib.getSecret "backup-archive.yaml";
- };
- getSecrets = secrets:
- lib.mapAttrs'
- (key: config:
- lib.nameValuePair
- "borg-backup/${key}"
- ((getKey key) // config))
- secrets;
- in
- getSecrets {
- "patterns/home" = { };
- "patterns/etc" = { };
- "patterns/keys" = { };
- "patterns/remote-backup" = { };
- "repos/archive/password" = { };
- "repos/external-drive/password" = { };
- "repos/hetzner-box/password" = { };
- "ssh-key" = { };
- };
+ sops.secrets = lib.getSecrets (lib.getSecret "backup-archive.yaml") {
+ "borg-backup/patterns/home" = { };
+ "borg-backup/patterns/etc" = { };
+ "borg-backup/patterns/keys" = { };
+ "borg-backup/patterns/remote-backup" = { };
+ "borg-backup/repos/archive/password" = { };
+ "borg-backup/repos/external-drive/password" = { };
+ "borg-backup/repos/hetzner-box/password" = { };
+ "borg-backup/ssh-key" = { };
+ };
 profiles.filesystem = {
 archive.enable = true;
diff --git a/modules/nixos/tasks/multimedia-archive/default.nix b/modules/nixos/tasks/multimedia-archive/default.nix
index 3b825913..b16e0551 100644
--- a/modules/nixos/tasks/multimedia-archive/default.nix
+++ b/modules/nixos/tasks/multimedia-archive/default.nix
@@ -93,16 +93,9 @@ in
 {
 environment.systemPackages = [ ytdlpArchiveVariant ];
- sops.secrets =
- let
- getKey = key: {
- inherit key;
- sopsFile = lib.getSecret "multimedia-archive.yaml";
- };
- in
- {
- "multimedia-archive/secrets-config" = getKey "secrets-config";
- };
+ sops.secrets = lib.getSecrets (lib.getSecret "multimedia-archive.yaml") {
+ "multimedia-archive/secrets-config" = { };
+ };
 profiles.filesystem.archive.enable = true;
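Review bot: `lib.getSecrets (lib.getSecret "backup-archive.yaml")` stacks two project helpers whose names differ by one letter, and the multimedia-archive hunk below has the same shape; a reader has to already know that `getSecret` yields the `sopsFile` path (as the removed `sopsFile = lib.getSecret ...` line shows) while `getSecrets` builds the `sops.secrets` attrset. Consider binding the path first, `let sopsFile = lib.getSecret "backup-archive.yaml"; in lib.getSecrets sopsFile { ... }`, or adding a one-line comment such as `# getSecret resolves the encrypted file's path; getSecrets maps the attrset onto it.` The `config = lib.mkIf cfg.enable {` attrset that encloses this hunk continues past it.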