authorstuebinm2023-04-11 18:37:20 +0200
committerstuebinm2023-04-11 18:41:13 +0200
commit48d3f66855fb57379351fb9a458a95cf28522916 (patch)
tree730f4f9186a5a7f52e64236417ec384968eb96fd /flora/services
parent4e4eaf4838bbd45393d7a19ad182c8d4c076b043 (diff)
manage secrets with sops
not sure if i like this yet, but it seems worth trying it out.
Diffstat (limited to 'flora/services')
-rw-r--r--flora/services/akkoma.nix16
-rw-r--r--flora/services/mail.nix4
2 files changed, 15 insertions, 5 deletions
diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix
index 98cfb7b..3eb9173 100644
--- a/flora/services/akkoma.nix
+++ b/flora/services/akkoma.nix
@@ -12,6 +12,11 @@ let
staticDir = "/var/lib/akkoma/static";
in
{
+ sops.secrets = {
+ "akkoma/keyBase" = {};
+ "akkoma/signingSalt" = {};
+ "akkoma/jokenDefaultSigner" = {};
+ };
containers.pleroma = {
autoStart = true;
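Review bot: The three `sops.secrets` entries added at the top of the hunk rely on sops-nix's default ownership and mode, which as far as I know leaves the decrypted files readable by root only; if the process inside the `pleroma` container that consumes them does not run as root, the files will be mounted but unreadable. The reading user is not visible in this diff, so if it is not root, set `owner`/`group` (or `mode`) on each entry to match it; the same consideration applies to `sops.secrets."mail/hashedPassword"` in mail.nix. A short comment on the block would also help a later reader connect it to the container mount, e.g. `# decrypted to /run/secrets/akkoma/* on the host; bind-mounted into the container below`.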
@@ -22,6 +27,11 @@ in
hostAddress6 = "fd00::42:30";
localAddress6 = "fd00::42:31";
+ bindMounts."/sops" = {
+ hostPath = "/run/secrets/akkoma";
+ isReadOnly = true;
+ };
+
config = {pkgs, config, ...}: {
# generating the manual will fail when mixing nixos channels,
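Review bot: Nothing in the new `bindMounts."/sops"` block records that the in-container path `/sops/<name>` is tied to the secret names declared under `sops.secrets`, so renaming one side silently breaks the other; a comment such as `# host /run/secrets/akkoma -> /sops in the container; keep the file names in sync with sops.secrets` would make that dependency explicit. `isReadOnly = true` is the right choice here. Since a bind mount carries the host uid/gid of the files through unchanged, if the container maps users differently from the host the mounted files may still be unreadable to the service — worth confirming once after the first start. The `config` function opened at the end of the hunk continues outside it.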
@@ -63,10 +73,10 @@ in
":pleroma"."Pleroma.Web.Endpoint" = {
"url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
"http" = { ip = "::"; port = 4000; };
- secret_key_base._secret = "/secret/secret_key_base";
- signing_salt._secret = "/secret/signing_salt";
+ secret_key_base._secret = "/sops/keyBase";
+ signing_salt._secret = "/sops/signingSalt";
};
- ":joken".":default_signer"._secret = "/secret/joken_default_signer";
+ ":joken".":default_signer"._secret = "/sops/jokenDefaultSigner";
":pleroma" = {
":instance" = {
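Review bot: The old plaintext secret files are not removed by this commit, even though the `_secret` paths on the new side now point at `/sops/keyBase`, `/sops/signingSalt` and `/sops/jokenDefaultSigner` instead of `/secret/...`; whatever previously provided `/secret/*` to the container is not touched here, so those files presumably remain on the host, and the same holds for `/var/mailstate/hello-password` replaced in mail.nix. Once both services start cleanly from the sops-managed paths, the leftover copies should be deleted (and the values rotated if there is any doubt about who could have read them), otherwise encrypting the secrets at rest buys little. The `":pleroma"` attribute set opened at the end of the hunk continues outside it.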
diff --git a/flora/services/mail.nix b/flora/services/mail.nix
index d41f0e8..e43e56f 100644
--- a/flora/services/mail.nix
+++ b/flora/services/mail.nix
@@ -3,7 +3,7 @@
{
imports = [ inputs.simple-nixos-mailserver.nixosModule ];
-
+ sops.secrets."mail/hashedPassword" = {};
mailserver = {
enable = true;
@@ -14,7 +14,7 @@
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = {
"hello@stuebinm.eu" = {
- hashedPasswordFile = "/var/mailstate/hello-password";
+ hashedPasswordFile = "/run/secrets/mail/hashedPassword";
aliases = ["postmaster@stuebinm.eu" "abuse@stuebinm.eu"];
};
};
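Review bot: The comment above `loginAccounts` still only explains how to generate the bcrypt hash, while `hashedPasswordFile` now points at sops-nix's `/run/secrets/mail/hashedPassword`, so a reader has to guess where the generated hash is supposed to be stored. Extend the comment with something like `# put the resulting hash under the "mail/hashedPassword" key of the sops file (see sops.secrets above)` so the generation step and the declaration are tied together. The hash is written with sops-nix's default root-only permissions, so confirm that the mailserver module reads the file as root, or set `owner` on the secret to the user that does.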