From c1ff76dc31f51dc4c2ccd31dfd739354cdba56b7 Mon Sep 17 00:00:00 2001 From: Christoph Urlacher Date: Wed, 9 Jul 2025 18:51:46 +0200 Subject: [PATCH] Serives: Use sops for service secrets (heidi, kopia) --- system/services/0_TEMPLATE.nix | 13 +++++++++++-- system/services/adguard.nix | 2 +- system/services/authelia.nix | 2 +- system/services/formula10.nix | 9 --------- system/services/formula11.nix | 18 ------------------ system/services/gitea-runner.nix | 2 +- system/services/gitea.nix | 4 ++-- system/services/heidi.nix | 21 +++++++++------------ system/services/immich.nix | 20 +------------------- system/services/jellyfin.nix | 2 +- system/services/kopia.nix | 16 ++++++++++++---- system/services/nextcloud.nix | 6 +++--- system/services/nginx-proxy-manager.nix | 2 +- system/services/paperless.nix | 13 ++----------- system/services/portainer.nix | 2 +- system/services/whats-up-docker.nix | 2 +- 16 files changed, 47 insertions(+), 87 deletions(-) diff --git a/system/services/0_TEMPLATE.nix b/system/services/0_TEMPLATE.nix index 1644df64..fad6b6b2 100644 --- a/system/services/0_TEMPLATE.nix +++ b/system/services/0_TEMPLATE.nix @@ -4,6 +4,11 @@ pkgs, ... }: { + # If we need to pass secrets to containers we can't use plain env variables. + sops.templates."TEMPLATE_secrets.env".content = '' + SECRET=${config.sops.placeholder.SECRET} + ''; + virtualisation.oci-containers.containers.TEMPLATE = { image = "TEMPLATE"; autoStart = true; @@ -14,7 +19,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -31,9 +36,13 @@ # NVIDIA_DRIVER_CAPABILITIES = "all"; }; + environmentFiles = [ + config.sops.templates."TEMPLATE_secrets.env".path + ]; + extraOptions = [ - # "--gpus=all" "--net=behind-nginx" + # "--gpus=all" ]; }; } 
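Review bot: The new comment above `sops.templates."TEMPLATE_secrets.env"` says plain env variables "can't" be used but not why, and the why is the security point: anything placed in `environment` is rendered into the generated systemd unit in the world-readable Nix store. I'd make that explicit, e.g. `# Secrets must go through a sops template + environmentFiles: values in environment are baked into the service unit under /nix/store and readable by every local user.` Note that even with `--env-file` the values are still exposed to anyone who can run docker inspect on the container or read its /proc/PID/environ, so access to the docker socket stays part of the trust boundary. If your sops-nix version supports it, `restartUnits = [ "docker-TEMPLATE.service" ];` on the template would make a rotated secret take effect on the next switch instead of on the next manual restart; confirm the unit name for the configured oci-containers backend.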
diff --git a/system/services/adguard.nix b/system/services/adguard.nix index 7cdbc523..798a7fff 100644 --- a/system/services/adguard.nix +++ b/system/services/adguard.nix @@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; diff --git a/system/services/authelia.nix b/system/services/authelia.nix index 38bea220..2acf8df5 100644 --- a/system/services/authelia.nix +++ b/system/services/authelia.nix @@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = [ diff --git a/system/services/formula10.nix b/system/services/formula10.nix index 8411a846..e7117090 100644 --- a/system/services/formula10.nix +++ b/system/services/formula10.nix @@ -8,15 +8,6 @@ image = "gitea.vps.chriphost.de/christoph/formula10:latest"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = []; ports = [ diff --git a/system/services/formula11.nix b/system/services/formula11.nix index e3c14e0c..8eb14b7b 100644 --- a/system/services/formula11.nix +++ b/system/services/formula11.nix @@ -8,15 +8,6 @@ image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = [ # "pihole" ]; 
@@ -41,15 +32,6 @@ image = "gitea.vps.chriphost.de/christoph/formula11:latest"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = [ "formula11_pocketbase" ]; diff --git a/system/services/gitea-runner.nix b/system/services/gitea-runner.nix index 8bc9057d..68f05e12 100644 --- a/system/services/gitea-runner.nix +++ b/system/services/gitea-runner.nix @@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; diff --git a/system/services/gitea.nix b/system/services/gitea.nix index ea3489bc..a2f544ac 100644 --- a/system/services/gitea.nix +++ b/system/services/gitea.nix @@ -29,7 +29,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -61,7 +61,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = [ diff --git a/system/services/heidi.nix b/system/services/heidi.nix index 0b512de8..655800a3 100644 --- a/system/services/heidi.nix +++ b/system/services/heidi.nix 
@@ -4,19 +4,15 @@ pkgs, ... }: { + # If we need to pass secrets to containers we can't use plain env variables. + sops.templates."heidi_secrets.env".content = '' + DISCORD_TOKEN=${config.sops.placeholder.heidi-discord-token} + ''; + virtualisation.oci-containers.containers.heidi = { image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = []; ports = []; @@ -28,12 +24,13 @@ ]; environment = { - # TODO: I can't do this because readFile obviously doesn't - # read at runtime but at buildtime, duh... - DISCORD_TOKEN = builtins.readFile config.age.secrets.heidi-discord-token.path; DOCKER = "True"; }; + environmentFiles = [ + config.sops.templates."heidi_secrets.env".path + ]; + extraOptions = [ "--init" # Make an init process take up PID 1, to make python receive the SIGTERM "--net=behind-nginx" diff --git a/system/services/immich.nix b/system/services/immich.nix index e217eb7a..200b462a 100644 --- a/system/services/immich.nix +++ b/system/services/immich.nix @@ -8,15 +8,6 @@ image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = []; ports = [ @@ -48,7 +39,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; 
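Review bot: Moving DISCORD_TOKEN out of `environment` closes the leak, but the commit does not address rotating the token: the removed `builtins.readFile` evaluation embedded the plaintext token in the service unit under a world-readable /nix/store path, and every generation built from that code keeps it on disk (and in any binary cache it was pushed to) until it is garbage-collected. I'd rotate `heidi-discord-token` once this is deployed and remove old generations with nix-collect-garbage. A short comment above the new template, `# Never read a secret with builtins.readFile: the value is copied into the Nix store at eval time`, would keep the pattern from coming back.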
@@ -70,15 +61,6 @@ image = "ghcr.io/imagegenius/immich:latest"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = [ "immich-database" "immich-redis" diff --git a/system/services/jellyfin.nix b/system/services/jellyfin.nix index e57374e7..9460ebec 100644 --- a/system/services/jellyfin.nix +++ b/system/services/jellyfin.nix @@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = [ diff --git a/system/services/kopia.nix b/system/services/kopia.nix index 37296dc5..47ea6a26 100644 --- a/system/services/kopia.nix +++ b/system/services/kopia.nix @@ -4,6 +4,11 @@ pkgs, ... }: { + # If we need to pass secrets to containers we can't use plain env variables. + sops.templates."kopia_secrets.env".content = '' + KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password} + ''; + virtualisation.oci-containers.containers.kopia = { image = "kopia/kopia:latest"; autoStart = true; @@ -14,7 +19,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -65,9 +70,12 @@ environment = { TZ = "Europe/Berlin"; USER = "christoph"; - KOPIA_PASSWORD = builtins.readFile config.age.secrets.kopia-user-password.path; }; + environmentFiles = [ + config.sops.templates."kopia_secrets.env".path + ]; + entrypoint = "/bin/kopia"; cmd = [ 
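Review bot: In the `@@ -65,9 +70,12 @@` hunk `KOPIA_PASSWORD` is now read at activation through the sops template, which is correct, but the commit leaves the earlier exposure unaddressed: the removed `builtins.readFile` line embedded the repository password in the service unit under the world-readable /nix/store, and every generation built that way retains it until garbage collection. Because this password protects the backup repository itself, rotate `kopia-user-password` (kopia has a repository change-password command, if I recall correctly) and collect old generations once the new configuration is active. Consider `restartUnits = [ "docker-kopia.service" ];` on the template so a re-keyed secret is picked up on switch; confirm the unit name for the oci-containers backend in use.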
@@ -76,8 +84,8 @@ "--disable-csrf-token-checks" "--insecure" "--address=0.0.0.0:51515" - "--server-username=${builtins.readFile config.age.secrets.kopia-server-username.path}" - "--server-password=${builtins.readFile config.age.secrets.kopia-server-password.path}" + "--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})" + "--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})" ]; extraOptions = [ diff --git a/system/services/nextcloud.nix b/system/services/nextcloud.nix index ec231bd0..1c1af0aa 100644 --- a/system/services/nextcloud.nix +++ b/system/services/nextcloud.nix @@ -36,7 +36,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -70,7 +70,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -100,7 +100,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = [ diff --git a/system/services/nginx-proxy-manager.nix b/system/services/nginx-proxy-manager.nix index 49706e75..2b8a7e69 100644 --- a/system/services/nginx-proxy-manager.nix +++ b/system/services/nginx-proxy-manager.nix @@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = [ diff --git a/system/services/paperless.nix b/system/services/paperless.nix index 6f1070e7..07be42b7 100644 --- a/system/services/paperless.nix +++ b/system/services/paperless.nix 
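Review bot: The new `--server-username=$(cat …)` and `--server-password=$(cat …)` arguments will never be expanded: as far as I can tell the oci-containers module passes each `cmd` entry through escapeShellArgs to docker run, and the entrypoint is `/bin/kopia` rather than a shell, so kopia receives the literal string `$(cat /run/secrets/kopia-server-password)` as its server password (the sops paths are host paths and would not be visible inside the container anyway unless mounted in a volume outside this hunk). Since that literal is predictable from the configuration, the server would end up with an effectively known credential. Kopia's CLI takes the defaults for these flags from the `KOPIA_SERVER_USERNAME` and `KOPIA_SERVER_PASSWORD` environment variables (verify against the pinned image), so I'd drop the two flags and add `KOPIA_SERVER_USERNAME=${config.sops.placeholder.kopia-server-username}` and `KOPIA_SERVER_PASSWORD=${config.sops.placeholder.kopia-server-password}` to the existing `kopia_secrets.env` template. The `cmd` list begins outside this hunk.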
@@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -42,7 +42,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; @@ -68,15 +68,6 @@ image = "ghcr.io/paperless-ngx/paperless-ngx:latest"; autoStart = true; - # login = { - # # Uses DockerHub by default - # # registry = ""; - # - # # DockerHub Credentials - # username = "christoph.urlacher@protonmail.com"; - # passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; - # }; - dependsOn = [ "paperless-redis" "paperless-postgres" diff --git a/system/services/portainer.nix b/system/services/portainer.nix index 7b6bc923..71ce3fd7 100644 --- a/system/services/portainer.nix +++ b/system/services/portainer.nix @@ -38,7 +38,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = []; diff --git a/system/services/whats-up-docker.nix b/system/services/whats-up-docker.nix index d7dcee6e..b663910b 100644 --- a/system/services/whats-up-docker.nix +++ b/system/services/whats-up-docker.nix @@ -14,7 +14,7 @@ # DockerHub Credentials username = "christoph.urlacher@protonmail.com"; - passwordFile = "${config.age.secrets.dockerhub-pasword.path}"; + passwordFile = "${config.sops.secrets.docker-password.path}"; }; dependsOn = [