diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index f978345..58bdee3 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -127,6 +127,8 @@ in paperless = { enable = true; port = 8085; + passwordFile = config.age.secrets."paperless/admin-password".path; + secretKeyFile = config.age.secrets."paperless/secret-key".path; }; postgresql-backup = { diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix index ae5ba11..ada3ee4 100644 --- a/hosts/poseidon/secrets.nix +++ b/hosts/poseidon/secrets.nix @@ -23,6 +23,9 @@ owner = "nextcloud"; }; + "paperless/admin-password" = {}; + "paperless/secret-key" = {}; + "restic-backup/poseidon-credentials" = {}; "restic-backup/poseidon-password" = {}; diff --git a/modules/secrets/paperless/admin-password.age b/modules/secrets/paperless/admin-password.age new file mode 100644 index 0000000..9974501 --- /dev/null +++ b/modules/secrets/paperless/admin-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 z6Eu8Q cKvo+xxPeYdCpJZgcN7Yo8x4zxqKL+08LjQip00NR1M +nLEraZgmUlMjNfF4SZ3DRTRENC3/5L02KFMjLWQcDkk +-> BA-grease "TTy +LVWJdA/Rht1hzx5ezY0+4JxHDPtyveBBmrZ/sIN6RFC9Y7Xb875Z+Se/YYcI9unf +RZcSrVU +--- TT+H8/aMObjfwOga2VeDrifPmttTdle97PFZL/H6b0w +<2˜Ùf½’!¿˜ðžÁý‘Ì´t™X+·¬Q•¾Œ¯Í ïL P‚Ùñû;ø×w‘‘öY¼Õx-ˆ™4—Ó‰ùé8¦ ïL¹åЄ×Öæ¿òÕ:…lõÆ(«¹‘•. \ No newline at end of file diff --git a/modules/secrets/paperless/secret-key.age b/modules/secrets/paperless/secret-key.age new file mode 100644 index 0000000..0529df8 Binary files /dev/null and b/modules/secrets/paperless/secret-key.age differ diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 2256b94..9aa0e53 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix 
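Review bot: The two new entries `"paperless/admin-password" = {};` and `"paperless/secret-key" = {};` in hosts/poseidon/secrets.nix set no `owner`, unlike the `owner = "nextcloud";` entry directly above them, so the decrypted files keep agenix's root-only defaults. That is fine for `secretKeyFile`, which services/paperless.nix hands to systemd as `EnvironmentFile` (read before privileges are dropped), but `passwordFile` goes to `services.paperless-ng.passwordFile`, which as far as I recall the upstream module reads in the unit's own start script as the service user — the old `pkgs.writeText` store path was world-readable, so this never surfaced. If that is the case, `"paperless/admin-password" = { owner = "paperless"; };` (or `config.services.paperless-ng.user`, if `config` is in scope here) is needed, and it is worth confirming on the host that the first start can read the file rather than failing with a permission error. The secrets attribute set continues outside the hunk.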
@@ -21,6 +21,9 @@ in
 "nextcloud/admin-pass.age".publicKeys = [ poseidon ];
+ "paperless/admin-password.age".publicKeys = [ poseidon ];
+ "paperless/secret-key.age".publicKeys = [ poseidon ];
+
 "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
 "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
 "restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ];
diff --git a/secrets/default.nix b/secrets/default.nix
index caa0d32..5b4ab4a 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -10,6 +10,5 @@ in {
 };
 config.my.secrets = {
- paperless = import ./paperless { inherit lib; };
 };
 }
diff --git a/secrets/paperless/admin-password.secret b/secrets/paperless/admin-password.secret
deleted file mode 100644
index e8111fc..0000000
Binary files a/secrets/paperless/admin-password.secret and /dev/null differ
diff --git a/secrets/paperless/default.nix b/secrets/paperless/default.nix
deleted file mode 100644
index 69c4008..0000000
--- a/secrets/paperless/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ lib }:
-let
- inherit (lib)
- fileContents
- ;
-in
-{
- secretKey = fileContents ./secret-key-file.secret;
- adminPassword = fileContents ./admin-password.secret;
-}
diff --git a/secrets/paperless/secret-key-file.secret b/secrets/paperless/secret-key-file.secret
deleted file mode 100644
index 1f447d4..0000000
Binary files a/secrets/paperless/secret-key-file.secret and /dev/null differ
diff --git a/services/paperless.nix b/services/paperless.nix
index 142ee13..7db2019 100644
--- a/services/paperless.nix
+++ b/services/paperless.nix
@@ -11,7 +11,6 @@ let
 my = config.my;
 domain = config.networking.domain;
 paperlessDomain = "paperless.${domain}";
- secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
 in {
 options.my.services.paperless = let inherit (lib) types; in {
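Review bot: Both new `.age` entries in modules/secrets/secrets.nix list only `poseidon` in `publicKeys`, whereas the `restic-backup/*` entries beside them also include `alarsyo`; this matches `nextcloud/admin-pass.age`, but it means the two paperless secrets can only be decrypted — and therefore re-encrypted or rotated — with the host's key, not from an operator machine. If that is intentional, fine; otherwise `"paperless/admin-password.age".publicKeys = [ alarsyo poseidon ];` (and the same for `secret-key.age`) keeps them editable without access to poseidon's host key. The attribute set continues outside the hunk on both sides.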
@@ -23,13 +22,27 @@ in
 example = 8080;
 description = "Internal port for Paperless service";
 };
+
+ passwordFile = mkOption {
+ type = types.path;
+ description = ''
+ Path to a file containing the admin's password
+ '';
+ };
+
+ secretKeyFile = mkOption {
+ type = types.path;
+ description = ''
+ Path to a file containing the service's secret key
+ '';
+ };
 };
 config = mkIf cfg.enable {
 services.paperless-ng = {
 enable = true;
 port = cfg.port;
- passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
+ passwordFile = cfg.passwordFile;
 extraConfig = {
 # Postgres settings
 PAPERLESS_DBHOST = "/run/postgresql";
@@ -53,17 +66,17 @@ in
 systemd.services = {
 paperless-ng-server.serviceConfig = {
- EnvironmentFile = secretKeyFile;
+ EnvironmentFile = cfg.secretKeyFile;
 BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
 };
 paperless-ng-consumer.serviceConfig = {
- EnvironmentFile = secretKeyFile;
+ EnvironmentFile = cfg.secretKeyFile;
 BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
 };
 paperless-ng-web.serviceConfig = {
- EnvironmentFile = secretKeyFile;
+ EnvironmentFile = cfg.secretKeyFile;
 BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
 };
 };
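Review bot: The `secretKeyFile` description says only "Path to a file containing the service's secret key", but the second hunk of this file loads that path as a systemd `EnvironmentFile`, so the file has to be in `KEY=value` form (presumably `PAPERLESS_SECRET_KEY=<value>`, which is what the removed `writeText "paperless-secret-key-file.env"` value must already have looked like) — a file holding the bare key would not define the variable. Suggest the description read `Path to a file loaded as a systemd EnvironmentFile for the paperless units; it must contain PAPERLESS_SECRET_KEY=<value>`, and for `passwordFile` note that the file holds the bare password and, if the upstream module reads it as the service user as I believe it does, must be readable by that user. The options set and the `config = mkIf cfg.enable {` set both continue past the end of the hunk.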
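Review bot: The three `serviceConfig` blocks in the second hunk are now identical apart from the unit name — each sets `EnvironmentFile = cfg.secretKeyFile;` and the same redis `BindReadOnlyPaths` — so generating them once keeps the copies from drifting apart the next time one of them is touched. `lib` is already in scope in this file (see the `inherit (lib) types` above), so `lib.genAttrs` over the three unit names expresses the same attribute set. `systemd.services` sits inside the `config = mkIf cfg.enable {` set that begins in the previous hunk.
```nix
systemd.services = lib.genAttrs [ "paperless-ng-server" "paperless-ng-consumer" "paperless-ng-web" ] (_: {
  serviceConfig = {
    EnvironmentFile = cfg.secretKeyFile;
    BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
  };
});
```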