Serives: Use sops for service secrets (heidi, kopia)

System: Apply user password from sops
Modules/Sops: Add user system password to secrets
2025-07-09 18:55:18 +02:00 · 2025-07-09 18:41:39 +02:00 · 2025-07-09 18:41:16 +02:00 · 2025-07-09 18:41:03 +02:00 · 2025-07-09 18:40:37 +02:00 · 2025-07-09 18:35:16 +02:00
22 changed files with 110 additions and 111 deletions
--- a/config/navi/christoph.cheat
+++ b/config/navi/christoph.cheat
@ -179,7 +179,7 @@ $ file: eza -1
 watch -d -c -n 0.5 nvidia-smi
 ; ===========================
-; GPG
+; SECRETS
 ; ===========================
 % gpg
@ -202,11 +202,11 @@ $ mode: echo -e "--export            \tExport public key\n--export-secret-keys\t
 % sops
 # Edit secrets.yaml
-sops --config ~/NixFlake/system/modules/sops/sops.yaml ~/NixFlake/system/modules/sops/secrets.yaml
+sops ~/NixFlake/system/modules/sops-nix/secrets.yaml
 % sops
 # Rekey secrets.yaml
-sops --config ~/NixFlake/system/modules/sops/sops.yaml updatekeys ~/NixFlake/system/modules/sops/secrets.yaml
+sops updatekeys ~/NixFlake/system/modules/sops-nix/secrets.yaml
 % ssh
 # Generate a new SSH key
@ -222,6 +222,10 @@ age-keygen -o <file>
 age-keygen -y <key>
 $ key: eza -f -1
 % mkpasswd
 # Print the hash of a password
 echo "<password>" | mkpasswd -s
 ; ===========================
 ; CODE
 ; ===========================
--- a/home/christoph/default.nix
+++ b/home/christoph/default.nix
@ -89,7 +89,6 @@
          "$mainMod, E" = ["exec, kitty"];
          "$mainMod, N" = ["exec, neovide"];
          "$mainMod, R" = ["exec, kitty --class=rmpc --title=Rmpc rmpc"];
          "$mainMod, F" = ["exec, firefox"];
          "$mainMod CTRL, N" = ["exec, kitty --class=navi --title=Navi navi"];
          "$mainMod SHIFT, N" = ["exec, neovide ${config.paths.dotfiles}/navi/christoph.cheat"];
          "$mainMod SHIFT, F" = ["exec, neovide ${config.paths.dotfiles}/flake.nix"];
--- a/system/default.nix
+++ b/system/default.nix
@ -96,6 +96,10 @@ with mylib.networking; {
    sops-nix.secrets.${username} = [
      "docker-password"
    ];
    sops-nix.bootSecrets.${username} = [
      "user-password"
    ];
  };
  # Enable flakes
@ -105,7 +109,7 @@ with mylib.networking; {
      experimental-features = nix-command flakes
    '';
-    settings.trusted-users = ["root" "christoph"];
+    settings.trusted-users = ["root" "${username}"];
    # Auto garbage-collect and optimize store
    # gc.automatic = true; # NOTE: Disabled for "nh clean"
@ -144,7 +148,7 @@ with mylib.networking; {
    sudo.enable = true;
    sudo.extraRules = [
      {
-        users = ["christoph"];
+        users = ["${username}"];
        commands = [
          # We allow running flatpak without password
          # so flatpaks can be installed from the hm config
@ -199,9 +203,10 @@ with mylib.networking; {
  # Configure console keymap
  console.keyMap = "us-acentos";
-  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # Define a user account. Password is set from sops-nix secrets automatically.
-  users.users.christoph = {
+  users.users.${username} = {
    isNormalUser = true;
    hashedPasswordFile = config.sops.secrets.user-password.path;
    description = "Christoph";
    extraGroups = [
      "networkmanager"
@ -224,14 +229,6 @@ with mylib.networking; {
    # packages = with pkgs; [];
  };
  # Generate a list of installed system packages in /etc/current-system-packages
  environment.etc."current-system-packages".text = let
    packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
    sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
    formatted = builtins.concatStringsSep "\n" sortedUnique;
  in
    formatted;
  # We want these packages to be available even when no user profile is active
  # Empty since we basically only need git + editor which is enabled below
  environment.systemPackages = with pkgs; [
@ -285,7 +282,7 @@ with mylib.networking; {
      enable = true;
      clean.enable = true;
      clean.extraArgs = "--keep 3";
-      flake = "/home/christoph/NixFlake";
+      flake = "/home/${username}/NixFlake";
    };
    ssh.startAgent = true; # Use gnupg
--- a/system/modules/sops-nix/default.nix
+++ b/system/modules/sops-nix/default.nix
@ -14,9 +14,14 @@ in {
    environment.systemPackages = with pkgs; [
      sops
      age
-      ssh-to-age
+      # ssh-to-age
    ];
    environment.variables = {
      # Set this environment variable to make "sops edit secrets.yaml" work
      SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
    };
    sops = {
      defaultSopsFile = ./secrets.yaml;
@ -27,11 +32,33 @@ in {
      };
      secrets = let
-        mkSecret = name: {${name} = {};};
+        mkSecret = name: {
          ${name} = {
            owner = config.users.users.${username}.name;
            group = config.users.users.${username}.group;
          };
        };
        mkBootSecret = name: {
          ${name} = {
            # Make these secrets available before creating users.
            # This means we can't set the owner or group.
            neededForUsers = true;
          };
        };
      in
-        if (builtins.hasAttr "${username}" sops-nix.secrets)
+        lib.mkMerge [
-        then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
+          (
-        else {};
+            if (builtins.hasAttr "${username}" sops-nix.secrets)
            then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
            else {}
          )
          (
            if (builtins.hasAttr "${username}" sops-nix.bootSecrets)
            then lib.mergeAttrsList (builtins.map mkBootSecret sops-nix.bootSecrets.${username})
            else {}
          )
        ];
    };
  };
 }
--- a/system/modules/sops-nix/options.nix
+++ b/system/modules/sops-nix/options.nix
@ -13,4 +13,15 @@
    '';
    default = [];
  };
  bootSecrets = lib.mkOption {
    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
    description = "The secrets to expose on this host earlier in the boot process";
    example = ''
      christoph = [
        "user-password"
      ];
    '';
    default = [];
  };
 }
--- a/system/modules/sops-nix/secrets.yaml
+++ b/system/modules/sops-nix/secrets.yaml
@ -1,4 +1,5 @@
 #ENC[AES256_GCM,data:mZKPbrWtgyRvOg==,iv:vLyN3JkWWrWS+0pndTuom8cNVfpb8SUC4dA6m7utXoE=,tag:YAy2gPot6KFS9/VLVAoSxw==,type:comment]
 user-password: ENC[AES256_GCM,data:okgvaTTesCDwriI8PxhNdHZF8XgzB4yxapuFl2/CK8x4WNYxGFjuZqGKcu7pqfnBofNcF2ByuM+HLH9FKxpK0dMCoHD/laR1IA==,iv:ltExELuM7g7ydSAMj8ioF9Nb7N4xe5enhDQrVJ+k2jQ=,tag:AV165m5yKnX+uJnMyC3mxA==,type:str]
 docker-password: ENC[AES256_GCM,data:mK5YWEQPKWBtVCgRBZvwWTdVAi8MEGbLnLeP7hfDkcc=,iv:Az8+eAK6R6xssmmbhuEsDbLU+ks8lS+qzc4L33WfefA=,tag:NSXvRhbIuRZZqRR28Tu0PQ==,type:str]
 #ENC[AES256_GCM,data:Raagjz1qPvXC,iv:OSWTKaIlmo1paU2ZZn20XMeZ2gdM52pHmVZ3m2ngCdI=,tag:bPCdvjOFjpxxkrwA7Mhl5Q==,type:comment]
 heidi-discord-token: ENC[AES256_GCM,data:FYvfUn8tG7glqIomSDj9rGyNQjnHSCsD/C3Kk/JR1vm/xkrxzXwP3rpyxAzqRQ7vd+zFBf2BJfV/zMk=,iv:b+aKcu98rxslEGSYf6t/jGwPfS256WQ3B/iuQ4Qeykk=,tag:e48Q0BraIvItyD2WBfbYEA==,type:str]
@ -16,7 +17,7 @@ sops:
            SURMTmh1TGIrRmtENzc0Sk4rNFJNUE0KOpjN6jkEHO+lvdWdp4P++r9SNSPWaT0h
            FAbbvZZ/EdIk/njLEcayFN7B4ftTcD/f4XJZiyosilZnIkk76bMOHA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-09T15:56:25Z"
+    lastmodified: "2025-07-09T16:29:31Z"
-    mac: ENC[AES256_GCM,data:76VzAkSWhHHWNRio9rCYJbIeo8W9RZnOstPGaV0A2O8q+yVjAI0wL+ZpWHzoxtSbjMwa8WoR+f6FnLVVZOoP3iGok1ZpQDO2fb/ppsMeO6Znksm5qSDH5mSWz8sHACZNBx1HmXAUX7d8eyXOnSYWvOcxzsqN8I84LABg12yyNTw=,iv:MVASQtOnl3Nas1TnExzG95Q++Yw6sfTLJcRzqAztQMw=,tag:nEgB1Ckbjo3PCOarU35EpQ==,type:str]
+    mac: ENC[AES256_GCM,data:WHl/LuFVGoryGC43WTj+THfk17ZXxkTwzcGiPLy/JF8phf1euAPcmXrCT6/HbYOJGShiklUn9irIX/8mxG7rJxBc5v8eqQ8+H3R/AC5/SGSHSawMAYN20sKCxMEtl0KRoN2pVZiCgXJIQUa3++waakWLgDBcrFsPGGzpQhCW0as=,iv:N6kBDh5FGsxlqwOfgeokxrnm0mA1AZ+DZpOXoirFHuw=,tag:HLCpUIlScFoq+MX22QseSw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/system/services/0_TEMPLATE.nix
+++ b/system/services/0_TEMPLATE.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -31,9 +31,18 @@
      # NVIDIA_DRIVER_CAPABILITIES = "all";
    };
    # If we need to pass secrets to containers we can't use plain env variables.
    sops.templates."TEMPLATE_secrets.env".content = ''
      SECRET=${config.sops.placeholder.SECRET}
    '';
    environmentFiles = [
      config.sops.templates."TEMPLATE_secrets.env".path
    ];
    extraOptions = [
      # "--gpus=all"
      "--net=behind-nginx"
      # "--gpus=all"
    ];
  };
 }
--- a/system/services/adguard.nix
+++ b/system/services/adguard.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
--- a/system/services/authelia.nix
+++ b/system/services/authelia.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [
--- a/system/services/formula10.nix
+++ b/system/services/formula10.nix
@ -8,15 +8,6 @@
    image = "gitea.vps.chriphost.de/christoph/formula10:latest";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [];
    ports = [
--- a/system/services/formula11.nix
+++ b/system/services/formula11.nix
@ -8,15 +8,6 @@
    image = "gitea.vps.chriphost.de/christoph/pocketbase:0.25.0";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [
      # "pihole"
    ];
@ -41,15 +32,6 @@
    image = "gitea.vps.chriphost.de/christoph/formula11:latest";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [
      "formula11_pocketbase"
    ];
--- a/system/services/gitea-runner.nix
+++ b/system/services/gitea-runner.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
--- a/system/services/gitea.nix
+++ b/system/services/gitea.nix
@ -29,7 +29,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -61,7 +61,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [
--- a/system/services/heidi.nix
+++ b/system/services/heidi.nix
@ -8,15 +8,6 @@
    image = "gitea.vps.chriphost.de/christoph/discord-heidi:latest";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [];
    ports = [];
@ -28,12 +19,18 @@
    ];
    environment = {
      # TODO: I can't do this because readFile obviously doesn't
      #       read at runtime but at buildtime, duh...
      DISCORD_TOKEN = builtins.readFile config.age.secrets.heidi-discord-token.path;
      DOCKER = "True";
    };
    # If we need to pass secrets to containers we can't use plain env variables.
    sops.templates."heidi_secrets.env".content = ''
      DISCORD_TOKEN=${config.sops.placeholder.heidi-discord-token}
    '';
    environmentFiles = [
      config.sops.templates."heidi_secrets.env".path
    ];
    extraOptions = [
      "--init" # Make an init process take up PID 1, to make python receive the SIGTERM
      "--net=behind-nginx"
--- a/system/services/immich.nix
+++ b/system/services/immich.nix
@ -8,15 +8,6 @@
    image = "ghcr.io/immich-app/postgres:15-vectorchord0.3.0-pgvectors0.2.0";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [];
    ports = [
@ -48,7 +39,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -70,15 +61,6 @@
    image = "ghcr.io/imagegenius/immich:latest";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [
      "immich-database"
      "immich-redis"
--- a/system/services/jellyfin.nix
+++ b/system/services/jellyfin.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [
--- a/system/services/kopia.nix
+++ b/system/services/kopia.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -65,9 +65,17 @@
    environment = {
      TZ = "Europe/Berlin";
      USER = "christoph";
      KOPIA_PASSWORD = builtins.readFile config.age.secrets.kopia-user-password.path;
    };
    # If we need to pass secrets to containers we can't use plain env variables.
    sops.templates."kopia_secrets.env".content = ''
      KOPIA_PASSWORD=${config.sops.placeholder.kopia-user-password}
    '';
    environmentFiles = [
      config.sops.templates."kopia_secrets.env".path
    ];
    entrypoint = "/bin/kopia";
    cmd = [
@ -76,8 +84,8 @@
      "--disable-csrf-token-checks"
      "--insecure"
      "--address=0.0.0.0:51515"
-      "--server-username=${builtins.readFile config.age.secrets.kopia-server-username.path}"
+      "--server-username=$(cat ${config.sops.secrets.kopia-server-username.path})"
-      "--server-password=${builtins.readFile config.age.secrets.kopia-server-password.path}"
+      "--server-password=$(cat ${config.sops.secrets.kopia-server-password.path})"
    ];
    extraOptions = [
--- a/system/services/nextcloud.nix
+++ b/system/services/nextcloud.nix
@ -36,7 +36,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -70,7 +70,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -100,7 +100,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [
--- a/system/services/nginx-proxy-manager.nix
+++ b/system/services/nginx-proxy-manager.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [
--- a/system/services/paperless.nix
+++ b/system/services/paperless.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -42,7 +42,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
@ -68,15 +68,6 @@
    image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
    autoStart = true;
    # login = {
    #   # Uses DockerHub by default
    #   # registry = "";
    #
    #   # DockerHub Credentials
    #   username = "christoph.urlacher@protonmail.com";
    #   passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
    # };
    dependsOn = [
      "paperless-redis"
      "paperless-postgres"
--- a/system/services/portainer.nix
+++ b/system/services/portainer.nix
@ -38,7 +38,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [];
--- a/system/services/whats-up-docker.nix
+++ b/system/services/whats-up-docker.nix
@ -14,7 +14,7 @@
      # DockerHub Credentials
      username = "christoph.urlacher@protonmail.com";
-      passwordFile = "${config.age.secrets.dockerhub-pasword.path}";
+      passwordFile = "${config.sops.secrets.docker-pasword.path}";
    };
    dependsOn = [
Author	SHA1	Message	Date
Christoph Urlacher	f3d80aeb15	Serives: Use sops for service secrets (heidi, kopia)	2025-07-09 18:55:18 +02:00
Christoph Urlacher	1547ca68f6	System: Apply user password from sops	2025-07-09 18:41:39 +02:00
Christoph Urlacher	034e778db3	Modules/Sops: Add user system password to secrets	2025-07-09 18:41:16 +02:00
Christoph Urlacher	1bfc6c1d97	Modules/Sops: Allow setting secrets with "neededForUsers = true;"	2025-07-09 18:41:03 +02:00
Christoph Urlacher	4103416774	Modules/Sops: Set SOPS_AGE_KEY_FILE for "sops edit secrets.yaml"	2025-07-09 18:40:37 +02:00
Christoph Urlacher	cbfa9b4c40	Home: Remove duplicate <Mod-f> keybinding	2025-07-09 18:35:16 +02:00
Christoph Urlacher	503ce4eb8f	Config/Navi: Add mkpasswd cheat + fix sops paths	2025-07-09 18:34:57 +02:00