
Services/Kopia: Try to pass secrets via env

I don't know how else to pass the server credentials to kopia, since it
expects them as cli arguments...
2025-07-11 19:15:24 +02:00
parent ca99932e78
commit 2facc59798


@ -3,14 +3,19 @@
lib, lib,
pkgs, pkgs,
... ...
}: { }: let
kopiaVersion = "latest";
in {
# If we need to pass secrets to containers we can't use plain env variables. # If we need to pass secrets to containers we can't use plain env variables.
sops.templates."kopia_secrets.env".content = '' sops.templates."kopia_secrets.env".content = ''
KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password} KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password}
KOPIA_SERVER_USERNAME=${config.sops.placeholder.kopia-server-username}
KOPIA_SERVER_PASSWORD=${config.sops.placeholder.kopia-server-password}
''; '';
virtualisation.oci-containers.containers.kopia = { virtualisation.oci-containers.containers = {
image = "kopia/kopia:latest"; kopia = {
image = "kopia/kopia:${kopiaVersion}";
autoStart = true; autoStart = true;
login = { login = {
@ -40,31 +45,39 @@
# Folders that are backed up # Folders that are backed up
# "adguard_config:/data/adguard_config:ro" # ThinkNix # "adguard_config:/data/adguard_config:ro" # ThinkNix
# "adguard_work:/data/adguard_work:ro" # ThinkNix # "adguard_work:/data/adguard_work:ro" # ThinkNix
"authelia_config:/data/authelia_config:ro" "authelia_config:/data/authelia_config:ro"
"formula10_cache:/data/formula10_cache:ro" "formula10_cache:/data/formula10_cache:ro"
"formula10_data:/data/formula10_data:ro" "formula10_data:/data/formula10_data:ro"
"formula11_pb_data:/pb/pb_data:ro"
"gitea-db_data:/data/gitea-db_data:ro" "gitea-db_data:/data/gitea-db_data:ro"
"gitea-runner_config:/data/gitea-runner_config:ro" "gitea-runner_config:/data/gitea-runner_config:ro"
"gitea-runner_data:/data/gitea-runner_data:ro" "gitea-runner_data:/data/gitea-runner_data:ro"
"gitea_data:/data/gitea_data:ro" "gitea_data:/data/gitea_data:ro"
"heidi_config:/data/heidi_config:ro" "heidi_config:/data/heidi_config:ro"
# "homeassistant_config:/data/homeassistant_config:ro" # ThinkNix
# "homepage_config:/data/homepage_config:ro"
"immich-database_data:/data/immich-database_data:ro" "immich-database_data:/data/immich-database_data:ro"
"immich_config:/data/immich_config:ro" "immich_config:/data/immich_config:ro"
"immich_data:/data/immich_data:ro" "immich_data:/data/immich_data:ro"
"immich_machine-learning:/data/immich_machine-learning:ro" "immich_machine-learning:/data/immich_machine-learning:ro"
"jellyfin_config:/data/jellyfin_config:ro" "jellyfin_config:/data/jellyfin_config:ro"
"nextcloud-db_data:/data/nextcloud-db_data:ro" "nextcloud-db_data:/data/nextcloud-db_data:ro"
"nextcloud_data:/data/nextcloud_data:ro" "nextcloud_data:/data/nextcloud_data:ro"
"nginx_config:/data/nginx_config:ro" "nginx_config:/data/nginx_config:ro"
"nginx_letsencrypt:/data/nginx_letsencrypt:ro" "nginx_letsencrypt:/data/nginx_letsencrypt:ro"
"nginx_snippets:/data/nginx_snippets:ro" "nginx_snippets:/data/nginx_snippets:ro"
"paperless-postgres_data:/data/paperless-postgres_data:ro" "paperless-postgres_data:/data/paperless-postgres_data:ro"
"paperless_data:/data/paperless_data:ro" "paperless_data:/data/paperless_data:ro"
# "portainer_config:/data/portainer_config:ro" # "portainer_config:/data/portainer_config:ro"
# "uptime-kuma_config:/data/uptime-kuma_config:ro" # Disabled
# "wireguard_vps_config:/data/wireguard_vps_config:ro"
]; ];
environment = { environment = {
@ -84,8 +97,9 @@
"--disable-csrf-token-checks" "--disable-csrf-token-checks"
"--insecure" "--insecure"
"--address=0.0.0.0:51515" "--address=0.0.0.0:51515"
"--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})" # TODO: How to set this?
"--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})" "--server-username=$KOPIA_SERVER_USERNAME"
"--server-password=$KOPIA_SERVER_PASSWORD"
]; ];
extraOptions = [ extraOptions = [
@ -95,4 +109,5 @@
"--net=behind-nginx" "--net=behind-nginx"
]; ];
}; };
};
} }
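Review bot: The `$KOPIA_SERVER_USERNAME` / `$KOPIA_SERVER_PASSWORD` references added to the `cmd` list in the last hunk are most likely handed to the container verbatim, because oci-containers passes `cmd` to the runtime as argv without a shell, so the server would come up with the literal string `$KOPIA_SERVER_PASSWORD` as its password behind `--insecure` on `0.0.0.0:51515`. Kopia reads those same variable names itself (they are the environment forms of `--server-username` / `--server-password`), so once the sops template is loaded into the container the two `"--server-username=..."` / `"--server-password=..."` lines can simply be dropped, which also keeps the credentials out of the process command line and out of `docker inspect` / the generated unit. Whether the template is actually attached via `environmentFiles` is not visible in these hunks and is worth confirming before relying on it. Separately, `kopiaVersion = "latest"` in the first hunk keeps the image floating; a pinned tag or digest would make the deployment reproducible and auditable.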