Diffstat (limited to '')
-rw-r--r-- | flora/configuration.nix | 4 | ||||
-rw-r--r-- | flora/services/akkoma.nix | 16 | ||||
-rw-r--r-- | flora/services/mail.nix | 4 |
3 files changed, 19 insertions, 5 deletions
diff --git a/flora/configuration.nix b/flora/configuration.nix
index 3eaaa08..954e5e6 100644
--- a/flora/configuration.nix
+++ b/flora/configuration.nix
@@ -19,6 +19,10 @@
 boot.loader.grub.version = 2;
 boot.loader.grub.devices = [ "/dev/sda" ];
+ sops.defaultSopsFile = ../secrets/flora.yaml;
+ # This will automatically import SSH keys as age keys
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
 networking = {
 hostName = "flora";
diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix
index 98cfb7b..3eb9173 100644
--- a/flora/services/akkoma.nix
+++ b/flora/services/akkoma.nix
@@ -12,6 +12,11 @@ let
 staticDir = "/var/lib/akkoma/static";
 in
 {
+ sops.secrets = {
+ "akkoma/keyBase" = {};
+ "akkoma/signingSalt" = {};
+ "akkoma/jokenDefaultSigner" = {};
+ };
 containers.pleroma = {
 autoStart = true;
@@ -22,6 +27,11 @@ in
 hostAddress6 = "fd00::42:30";
 localAddress6 = "fd00::42:31";
+ bindMounts."/sops" = {
+ hostPath = "/run/secrets/akkoma";
+ isReadOnly = true;
+ };
+
 config = {pkgs, config, ...}: {
 # generating the manual will fail when mixing nixos channels,
@@ -63,10 +73,10 @@ in
 ":pleroma"."Pleroma.Web.Endpoint" = {
 "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
 "http" = { ip = "::"; port = 4000; };
- secret_key_base._secret = "/secret/secret_key_base";
- signing_salt._secret = "/secret/signing_salt";
+ secret_key_base._secret = "/sops/keyBase";
+ signing_salt._secret = "/sops/signingSalt";
 };
- ":joken".":default_signer"._secret = "/secret/joken_default_signer";
+ ":joken".":default_signer"._secret = "/sops/jokenDefaultSigner";
 ":pleroma" = {
 ":instance" = {
diff --git a/flora/services/mail.nix b/flora/services/mail.nix
index d41f0e8..e43e56f 100644
--- a/flora/services/mail.nix
+++ b/flora/services/mail.nix
@@ -3,7 +3,7 @@
 {
 imports = [ inputs.simple-nixos-mailserver.nixosModule ];
-
+ sops.secrets."mail/hashedPassword" = {};
 mailserver = {
 enable = true;
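Review bot: The comment above `sops.age.sshKeyPaths` in the configuration.nix hunk says how the key is obtained but not what that ties together: decryption of `../secrets/flora.yaml` now depends on this host's ed25519 host key, so regenerating or rotating `/etc/ssh/ssh_host_ed25519_key` without first re-keying the sops file to the new age recipient leaves the host unable to decrypt its secrets at activation. Suggested wording: `# Host ed25519 SSH key is used as the age identity for flora.yaml; re-key the sops file before rotating this host key`. The surrounding configuration outside the hunk is not visible, so whether a second recipient (e.g. an operator key) is declared elsewhere cannot be checked here.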
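Review bot: The three `sops.secrets."akkoma/…" = {}` entries in the first akkoma.nix hunk rely on sops-nix defaults, which as far as I know materialise the files under `/run/secrets/akkoma` owned by root with mode 0400; the second hunk then bind-mounts that directory read-only into the `pleroma` container, and the third hunk has the endpoint config read `/sops/keyBase`, `/sops/signingSalt` and `/sops/jokenDefaultSigner` via `_secret`. Unless the process doing that substitution inside the container runs as root or as a uid that maps to a reader of those files, service start will fail on a permission error rather than on a missing secret. Consider declaring access explicitly on each entry, e.g. `"akkoma/keyBase" = { mode = "0440"; group = "<group visible inside the container>"; };`, and confirming the effective ownership once with `ls -l /sops` inside the container. The `containers.pleroma` and `config` attribute sets start and end outside the hunks, so whether the old `/secret` mount is still declared elsewhere cannot be verified here.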
@@ -14,7 +14,7 @@
 # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
 loginAccounts = {
 "hello@stuebinm.eu" = {
- hashedPasswordFile = "/var/mailstate/hello-password";
+ hashedPasswordFile = "/run/secrets/mail/hashedPassword";
 aliases = ["postmaster@stuebinm.eu" "abuse@stuebinm.eu"];
 };
 }; |
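Review bot: The `# nix run nixpkgs.apacheHttpd -c htpasswd …` comment directly above `loginAccounts` is now stale: the hash it produces no longer goes into a file under `/var/mailstate` but into the `mail/hashedPassword` key of the sops file declared in the first mail.nix hunk, and the comment should say so, e.g. `# generate with: nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "<password>" | cut -d: -f2` followed by `# and store the output under mail/hashedPassword in the sops file`. As with the akkoma secrets, `sops.secrets."mail/hashedPassword" = {}` keeps sops-nix's root-only defaults; if the mailserver module reads `hashedPasswordFile` as an unprivileged service user rather than during activation, an explicit `owner`/`mode` is needed, which neither hunk settles. The enclosing `mailserver` set starts in the previous hunk and closes outside this one.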