From 11f4b0fcf6c6f201efc6d0fc289052c072075167 Mon Sep 17 00:00:00 2001
From: Christoph Urlacher
Date: Fri, 11 Jul 2025 19:15:24 +0200
Subject: [PATCH] Services/Kopia: Try to pass secrets via env

I don't know how else to pass the server credentials to kopia, since it expects them as cli arguments...
---
 system/services/kopia.nix | 181 +++++++++++++++++++++-----------------
 1 file changed, 98 insertions(+), 83 deletions(-)

diff --git a/system/services/kopia.nix b/system/services/kopia.nix
index 47ea6a26..4536e986 100644
--- a/system/services/kopia.nix
+++ b/system/services/kopia.nix
@@ -3,96 +3,111 @@
 lib,
 pkgs,
 ...
-}: {
+}: let
+ kopiaVersion = "latest";
+in {
 # If we need to pass secrets to containers we can't use plain env variables.
 sops.templates."kopia_secrets.env".content = ''
 KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password}
+ KOPIA_SERVER_USERNAME=${config.sops.placeholder.kopia-server-username}
+ KOPIA_SERVER_PASSWORD=${config.sops.placeholder.kopia-server-password}
 '';

- virtualisation.oci-containers.containers.kopia = {
- image = "kopia/kopia:latest";
- autoStart = true;
+ virtualisation.oci-containers.containers = {
+ kopia = {
+ image = "kopia/kopia:${kopiaVersion}";
+ autoStart = true;

- login = {
- # Uses DockerHub by default
- # registry = "";
+ login = {
+ # Uses DockerHub by default
+ # registry = "";

- # DockerHub Credentials
- username = "christoph.urlacher@protonmail.com";
- passwordFile = "${config.sops.secrets.docker-password.path}";
+ # DockerHub Credentials
+ username = "christoph.urlacher@protonmail.com";
+ passwordFile = "${config.sops.secrets.docker-password.path}";
+ };
+
+ dependsOn = [];
+
+ ports = [
+ # "51515:51515"
+ ];
+
+ volumes = [
+ "kopia_config:/app/config"
+ "kopia_cache:/app/cache"
+ "kopia_logs:/app/logs"
+ "kopia_temp:/tmp"
+
+ # Repository, where snapshots are stored (incrementally)
+ "/media/synology-syncthing:/repository"
+
+ # Folders that are backed up
+ # "adguard_config:/data/adguard_config:ro" # ThinkNix
+ # "adguard_work:/data/adguard_work:ro" # ThinkNix
+
+ "authelia_config:/data/authelia_config:ro"
+
+ "formula10_cache:/data/formula10_cache:ro"
+ "formula10_data:/data/formula10_data:ro"
+
+ "formula11_pb_data:/pb/pb_data:ro"
+
+ "gitea-db_data:/data/gitea-db_data:ro"
+ "gitea-runner_config:/data/gitea-runner_config:ro"
+ "gitea-runner_data:/data/gitea-runner_data:ro"
+ "gitea_data:/data/gitea_data:ro"
+
+ "heidi_config:/data/heidi_config:ro"
+
+ "immich-database_data:/data/immich-database_data:ro"
+ "immich_config:/data/immich_config:ro"
+ "immich_data:/data/immich_data:ro"
+ "immich_machine-learning:/data/immich_machine-learning:ro"
+
+ "jellyfin_config:/data/jellyfin_config:ro"
+
+ "nextcloud-db_data:/data/nextcloud-db_data:ro"
+ "nextcloud_data:/data/nextcloud_data:ro"
+
+ "nginx_config:/data/nginx_config:ro"
+ "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
+ "nginx_snippets:/data/nginx_snippets:ro"
+
+ "paperless-postgres_data:/data/paperless-postgres_data:ro"
+ "paperless_data:/data/paperless_data:ro"
+
+ # "portainer_config:/data/portainer_config:ro"
+ ];
+
+ environment = {
+ TZ = "Europe/Berlin";
+ USER = "christoph";
+ };
+
+ environmentFiles = [
+ config.sops.templates."kopia_secrets.env".path
+ ];
+
+ entrypoint = "/bin/kopia";
+
+ cmd = [
+ "server"
+ "start"
+ "--disable-csrf-token-checks"
+ "--insecure"
+ "--address=0.0.0.0:51515"
+ # TODO: How to set this?
+ "--server-username=$KOPIA_SERVER_USERNAME"
+ "--server-password=$KOPIA_SERVER_PASSWORD"
+ ];
+
+ extraOptions = [
+ "--privileged"
+ "--device=/dev/fuse:/dev/fuse:rwm"
+ "--cap-add=SYS_ADMIN"
+ "--net=behind-nginx"
+ ];
 };
-
- dependsOn = [];
-
- ports = [
- # "51515:51515"
- ];
-
- volumes = [
- "kopia_config:/app/config"
- "kopia_cache:/app/cache"
- "kopia_logs:/app/logs"
- "kopia_temp:/tmp"
-
- # Repository, where snapshots are stored (incrementally)
- "/media/synology-syncthing:/repository"
-
- # Folders that are backed up
- # "adguard_config:/data/adguard_config:ro" # ThinkNix
- # "adguard_work:/data/adguard_work:ro" # ThinkNix
- "authelia_config:/data/authelia_config:ro"
- "formula10_cache:/data/formula10_cache:ro"
- "formula10_data:/data/formula10_data:ro"
- "gitea-db_data:/data/gitea-db_data:ro"
- "gitea-runner_config:/data/gitea-runner_config:ro"
- "gitea-runner_data:/data/gitea-runner_data:ro"
- "gitea_data:/data/gitea_data:ro"
- "heidi_config:/data/heidi_config:ro"
- # "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix
- # "homepage_config:/data/homepage_config:ro"
- "immich-database_data:/data/immich-database_data:ro"
- "immich_config:/data/immich_config:ro"
- "immich_data:/data/immich_data:ro"
- "immich_machine-learning:/data/immich_machine-learning:ro"
- "jellyfin_config:/data/jellyfin_config:ro"
- "nextcloud-db_data:/data/nextcloud-db_data:ro"
- "nextcloud_data:/data/nextcloud_data:ro"
- "nginx_config:/data/nginx_config:ro"
- "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
- "nginx_snippets:/data/nginx_snippets:ro"
- "paperless-postgres_data:/data/paperless-postgres_data:ro"
- "paperless_data:/data/paperless_data:ro"
- # "portainer_config:/data/portainer_config:ro"
- # "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled
- # "wireguard_vps_config:/data/wireguard_vps_config:ro"
- ];
-
- environment = {
- TZ = "Europe/Berlin";
- USER = "christoph";
- };
-
- environmentFiles = [
- config.sops.templates."kopia_secrets.env".path
- ];
-
- entrypoint = "/bin/kopia";
-
- cmd = [
- "server"
- "start"
- "--disable-csrf-token-checks"
- "--insecure"
- "--address=0.0.0.0:51515"
- "--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})"
- "--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})"
- ];
-
- extraOptions = [
- "--privileged"
- "--device=/dev/fuse:/dev/fuse:rwm"
- "--cap-add=SYS_ADMIN"
- "--net=behind-nginx"
- ];
 };
 }
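Review bot: The new `"--server-username=$KOPIA_SERVER_USERNAME"` and `"--server-password=$KOPIA_SERVER_PASSWORD"` entries in `cmd` are never expanded, because `entrypoint = "/bin/kopia"` runs the binary with no shell in between, so kopia receives the literal `$KOPIA_SERVER_…` strings as its credentials and the `--insecure` listener on 0.0.0.0:51515 ends up guarded by a fixed, guessable username and password. The values already reach the container through `environmentFiles` and the sops template, and the kopia CLI reads `KOPIA_SERVER_USERNAME`/`KOPIA_SERVER_PASSWORD` from its environment itself (confirm against the release you deploy), so the fix is to delete those two `cmd` lines and the `# TODO: How to set this?` comment above them rather than wrap the command in a shell, which would put the secrets into the container's visible process arguments. The removed `$(cat …)` form had the same non-expansion problem, so this is not a regression, but the credentials are still not applied. Separately, `kopiaVersion = "latest"` is a floating tag; pinning it to a specific release or digest keeps the backup server reproducible and makes image upgrades deliberate. The enclosing function header (`{ config, lib, pkgs, ... }`) begins before the hunk.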