A sops test in practice, not tested yet

2023-11-20 15:36:39 +01:00 · 2023-11-20 15:36:39 +01:00 · 470d865cde
parent 0ef0a4b67b
commit 470d865cde
3 changed files with 27 additions and 2 deletions
--- a/nixos/queen/configuration.nix
+++ b/nixos/queen/configuration.nix
@ -122,6 +122,7 @@
      extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf"];
      shell = pkgs.zsh;
    };
    nextcloud.extraGroups = [config.sops.secrets.queen-Lillian."nextcloudadmin" config.sops.secrets.queen-Lillian."nextclouddb"];
  };
  # Enable completion of system packages by zsh
--- a/nixos/queen/nextcloud.nix
+++ b/nixos/queen/nextcloud.nix
@ -42,6 +42,8 @@
    # Set what time makes sense for you
    autoUpdateApps.startAt = "05:00:00";
    configureRedis = true;
    config = {
      # Further forces Nextcloud to use HTTPS
      overwriteProtocol = "https";
@ -51,10 +53,10 @@
      dbuser = "nextcloud";
      dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
      dbname = "nextcloud";
-      dbpassFile = "/var/nextcloud-db-pass";
+      dbpassFile = config.sops.secrets.queen-Lillian."nextclouddb".path;
      #TODO: work with sops to set this instead of a file & make sure the db setup is the same as on the previous server for easy migration
-      adminpassFile = "/var/nextcloud-admin-pass";
+      adminpassFile = config.sops.secrets.queen-Lillian."nextcloudadmin".path;
      adminuser = "admin";
    };
  };
--- a/secrets/queen-Lillian.yaml
+++ b/secrets/queen-Lillian.yaml
@ -0,0 +1,22 @@
 nextcloudadmin: ENC[AES256_GCM,data:LqgutUXs1msmFUNa+4JI1BEq0R8=,iv:sLP52reqsJfUNQnA9MbtbcZjGeluHDaO3dlHpWCLU4M=,tag:ChG/hZIMcmc0wt2AWOBNCA==,type:str]
 nextclouddb: ENC[AES256_GCM,data:Jl2Lz2n64tQYVmj0t/ZIfae3KNk=,iv:e/ne3VfIMhCX1ohgGyhFK2tHGwuXJGFhxtNIR0ZHe3I=,tag:Vr1Nn2279t91LvD1XVbJKg==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMmlWMEsrVHhYT2ZuN05a
            alAzNWlPMDVJeVdGMTQzQXNlTmw0V3E3UHljCmQ3WnNuY0liOGtqdmNiRmQyV1RN
            d0ZKQVUyeWFjOXpXWVVSSFlPVXhjUmcKLS0tIFA0RkltN01XVXZnR3p4SWxkVnAr
            KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
            NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-11-20T14:35:52Z"
    mac: ENC[AES256_GCM,data:IZg0gpsnLu4/dSjeiV3nf2ZW+ifq3FvshLeYE/fNOpNWTdCRm8OhCJNxY0kTuTBae7vCQXcjUQHCuAd+1eZPQD4juBOUd7CVOE5Chn4/o01HyEncjBjwha7uxLazqe15Q3gIFxC+8vqnAbV1BVTh1gIpkSaM61nE8Thr5sE8kvg=,iv:Dg8tUPT2V+IQK7/7DhrZHcnWoxC1APwQcM9owTzU+PU=,tag:qbypt7U5r0O3RRuNdOswIQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1