Use agenix to encrypt secrets

2024-12-09 22:35:34 +00:00 · 2024-12-09 22:35:34 +00:00 · c01820a33b
commit c01820a33b
parent 04c32edb04
7 changed files with 137 additions and 13 deletions
--- a/nix/hosts/lemp11/default.nix
+++ b/nix/hosts/lemp11/default.nix
@ -1,3 +1,5 @@
+{ inputs, ... }:
+
 {
  features = {
    cli = {
@ -17,5 +19,9 @@
    };
  };

-  imports = [ ./configuration.nix ];
+  imports = [
+    inputs.agenix.nixosModules.default
+    ./configuration.nix
+    ./secrets.nix
+  ];
 }
--- a/nix/hosts/lemp11/secrets.nix
+++ b/nix/hosts/lemp11/secrets.nix
@ -0,0 +1,5 @@
+{
+  age.secrets = {
+    tubearchivist.file = ../../secrets/tubearchivist.age;
+  };
+}
--- a/nix/modules/nixos/features/homelab/tubearchivist-container.nix
+++ b/nix/modules/nixos/features/homelab/tubearchivist-container.nix
@ -29,13 +29,16 @@ in
      image = "bbilly1/tubearchivist-es";

      environment = {
-        "ELASTIC_PASSWORD" = "verysecret";
        "ES_JAVA_OPTS" = "-Xms1g -Xmx1g";
        "discovery.type" = "single-node";
        "path.repo" = "/usr/share/elasticsearch/data/snapshot";
        "xpack.security.enabled" = "true";
      };

+      environmentFiles = [
+        config.age.secrets.tubearchivist.path
+      ];
+
      volumes = [
        "tubearchivist_es:/usr/share/elasticsearch/data:rw"
      ];
@ -125,17 +128,18 @@ in
      image = "bbilly1/tubearchivist";

      environment = {
-        "ELASTIC_PASSWORD" = "verysecret";
        "ES_URL" = "http://archivist-es:9200";
        "HOST_GID" = "1000";
        "HOST_UID" = "1000";
        "REDIS_HOST" = "archivist-redis";
        "TA_HOST" = "tubearchivist.local";
-        "TA_PASSWORD" = "verysecret";
-        "TA_USERNAME" = "tubearchivist";
-        "TZ" = "America/New_York";
+        "TZ" = "Europe/London";
      };

+      environmentFiles = [
+        config.age.secrets.tubearchivist.path
+      ];
+
      volumes = [
        "tubearchivist_cache:/cache:rw"
        "tubearchivist_media:/youtube:rw"
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -0,0 +1,6 @@
+let
+  lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+in
+{
+  "tubearchivist.age".publicKeys = [ lemp11 ];
+}
--- a/nix/secrets/tubearchivist.age
+++ b/nix/secrets/tubearchivist.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 sHhprA Cbb0hZFbjSm4+wohOIa0rrppM4aiCD2OBxua/UTzjgU
+6E7zItGopz9VqRflgpJAC910cDZ9i85Mz7+PwvIsxPk
+--- oBcUij9hrWy2ol4cLUFlWkFaS/w4byNu42nk3sI0ras
+”XvAœ-rÐ|‚÷ýýk~m›!Ó– <aAhŸÂÆ¸€+äËNšõÉa²qÝLEá Þ<>×XŒ¢²Èžº<C5BE>Ù€<02>(äâ$côÌ¦¾4²ðÏªÿYüÉ8c<38>2û_0U“õwí*CµozÊb