christoph/flake-nixinator
1
Fork 0
Code Activity

Services/Kopia: Try to pass secrets via env

Browse Source 
I don't know how else to pass the server credentials to kopia, since it
expects them as cli arguments...
This commit is contained in:
Christoph Urlacher
2025-07-11 19:15:24 +02:00
parent ca99932e78
commit 2facc59798
1 changed files with 98 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
system/services/kopia.nix
View File

@ -3,96 +3,111 @@
lib,
pkgs,
...
}: {
}: let
kopiaVersion = "latest";
in {
# If we need to pass secrets to containers we can't use plain env variables.
sops.templates."kopia_secrets.env".content = ''
KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password}
KOPIA_SERVER_USERNAME=${config.sops.placeholder.kopia-server-username}
KOPIA_SERVER_PASSWORD=${config.sops.placeholder.kopia-server-password}
'';
virtualisation.oci-containers.containers.kopia = {
image = "kopia/kopia:latest";
autoStart = true;
virtualisation.oci-containers.containers = {
kopia = {
image = "kopia/kopia:${kopiaVersion}";
autoStart = true;
login = {
# Uses DockerHub by default
# registry = "";
login = {
# Uses DockerHub by default
# registry = "";
# DockerHub Credentials
username = "christoph.urlacher@protonmail.com";
passwordFile = "${config.sops.secrets.docker-password.path}";
# DockerHub Credentials
username = "christoph.urlacher@protonmail.com";
passwordFile = "${config.sops.secrets.docker-password.path}";
};
dependsOn = [];
ports = [
# "51515:51515"
];
volumes = [
"kopia_config:/app/config"
"kopia_cache:/app/cache"
"kopia_logs:/app/logs"
"kopia_temp:/tmp"
# Repository, where snapshots are stored (incrementally)
"/media/synology-syncthing:/repository"
# Folders that are backed up
# "adguard_config:/data/adguard_config:ro" # ThinkNix
# "adguard_work:/data/adguard_work:ro" # ThinkNix
"authelia_config:/data/authelia_config:ro"
"formula10_cache:/data/formula10_cache:ro"
"formula10_data:/data/formula10_data:ro"
"formula11_pb_data:/pb/pb_data:ro"
"gitea-db_data:/data/gitea-db_data:ro"
"gitea-runner_config:/data/gitea-runner_config:ro"
"gitea-runner_data:/data/gitea-runner_data:ro"
"gitea_data:/data/gitea_data:ro"
"heidi_config:/data/heidi_config:ro"
"immich-database_data:/data/immich-database_data:ro"
"immich_config:/data/immich_config:ro"
"immich_data:/data/immich_data:ro"
"immich_machine-learning:/data/immich_machine-learning:ro"
"jellyfin_config:/data/jellyfin_config:ro"
"nextcloud-db_data:/data/nextcloud-db_data:ro"
"nextcloud_data:/data/nextcloud_data:ro"
"nginx_config:/data/nginx_config:ro"
"nginx_letsencrypt:/data/nginx_letsencrypt:ro"
"nginx_snippets:/data/nginx_snippets:ro"
"paperless-postgres_data:/data/paperless-postgres_data:ro"
"paperless_data:/data/paperless_data:ro"
# "portainer_config:/data/portainer_config:ro"
];
environment = {
TZ = "Europe/Berlin";
USER = "christoph";
};
environmentFiles = [
config.sops.templates."kopia_secrets.env".path
];
entrypoint = "/bin/kopia";
cmd = [
"server"
"start"
"--disable-csrf-token-checks"
"--insecure"
"--address=0.0.0.0:51515"
# TODO: How to set this?
"--server-username=$KOPIA_SERVER_USERNAME"
"--server-password=$KOPIA_SERVER_PASSWORD"
];
extraOptions = [
"--privileged"
"--device=/dev/fuse:/dev/fuse:rwm"
"--cap-add=SYS_ADMIN"
"--net=behind-nginx"
];
};
dependsOn = [];
ports = [
# "51515:51515"
];
volumes = [
"kopia_config:/app/config"
"kopia_cache:/app/cache"
"kopia_logs:/app/logs"
"kopia_temp:/tmp"
# Repository, where snapshots are stored (incrementally)
"/media/synology-syncthing:/repository"
# Folders that are backed up
# "adguard_config:/data/adguard_config:ro" # ThinkNix
# "adguard_work:/data/adguard_work:ro" # ThinkNix
"authelia_config:/data/authelia_config:ro"
"formula10_cache:/data/formula10_cache:ro"
"formula10_data:/data/formula10_data:ro"
"gitea-db_data:/data/gitea-db_data:ro"
"gitea-runner_config:/data/gitea-runner_config:ro"
"gitea-runner_data:/data/gitea-runner_data:ro"
"gitea_data:/data/gitea_data:ro"
"heidi_config:/data/heidi_config:ro"
# "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix
# "homepage_config:/data/homepage_config:ro"
"immich-database_data:/data/immich-database_data:ro"
"immich_config:/data/immich_config:ro"
"immich_data:/data/immich_data:ro"
"immich_machine-learning:/data/immich_machine-learning:ro"
"jellyfin_config:/data/jellyfin_config:ro"
"nextcloud-db_data:/data/nextcloud-db_data:ro"
"nextcloud_data:/data/nextcloud_data:ro"
"nginx_config:/data/nginx_config:ro"
"nginx_letsencrypt:/data/nginx_letsencrypt:ro"
"nginx_snippets:/data/nginx_snippets:ro"
"paperless-postgres_data:/data/paperless-postgres_data:ro"
"paperless_data:/data/paperless_data:ro"
# "portainer_config:/data/portainer_config:ro"
# "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled
# "wireguard_vps_config:/data/wireguard_vps_config:ro"
];
environment = {
TZ = "Europe/Berlin";
USER = "christoph";
};
environmentFiles = [
config.sops.templates."kopia_secrets.env".path
];
entrypoint = "/bin/kopia";
cmd = [
"server"
"start"
"--disable-csrf-token-checks"
"--insecure"
"--address=0.0.0.0:51515"
"--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})"
"--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})"
];
extraOptions = [
"--privileged"
"--device=/dev/fuse:/dev/fuse:rwm"
"--cap-add=SYS_ADMIN"
"--net=behind-nginx"
];
};
}