secrets: move paperless secrets to agenix
parent
8d75500055
commit
2c3032c642
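--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -127,6 +127,8 @@ in
 paperless = {
 enable = true;
 port = 8085;
+passwordFile = config.age.secrets."paperless/admin-password".path;
+secretKeyFile = config.age.secrets."paperless/secret-key".path;
 };
 
 postgresql-backup = {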
@ -23,6 +23,9 @@
owner = "nextcloud";
owner = "nextcloud";
};
};
"paperless/admin-password" = {};
"paperless/secret-key" = {};
"restic-backup/poseidon-credentials" = {};
"restic-backup/poseidon-credentials" = {};
"restic-backup/poseidon-password" = {};
"restic-backup/poseidon-password" = {};
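Review bot: The two new agenix declarations `"paperless/admin-password" = {};` and `"paperless/secret-key" = {};` set no `owner`, unlike the neighbouring `owner = "nextcloud";` entry, so the decrypted files presumably end up with agenix's default of root ownership and mode 0400. The host hunk (`@ -127,6 +127,8 @@ in`) hands the admin-password path to `services.paperless.passwordFile`, and as far as I recall the nixpkgs paperless-ng module reads that file with `cat` inside the service script, i.e. as the service user, so start-up would fail with permission denied; the secret-key file is fine because systemd reads `EnvironmentFile` as root before dropping privileges. Consider `"paperless/admin-password" = { owner = "paperless"; };` (matching whatever `services.paperless-ng.user` resolves to), or a comment stating why root ownership is sufficient here.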
8
modules/secrets/paperless/admin-password.age
@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 z6Eu8Q cKvo+xxPeYdCpJZgcN7Yo8x4zxqKL+08LjQip00NR1M
nLEraZgmUlMjNfF4SZ3DRTRENC3/5L02KFMjLWQcDkk
-> BA-grease "TTy
LVWJdA/Rht1hzx5ezY0+4JxHDPtyveBBmrZ/sIN6RFC9Y7Xb875Z+Se/YYcI9unf
RZcSrVU
--- TT+H8/aMObjfwOga2VeDrifPmttTdle97PFZL/H6b0w
<2˜Ùf½’!¿˜ðžÁý‘Ì´<>t™X+·¬Q•¾Œ<C2BE>¯ÍïLP‚Ùñû;ø×w‘‘öY¼Õx-ˆ™4—Ó‰ùé8¦ ïL¹åЄ×Öæ¿òÕ:…lõÆ(«¹‘•.
BIN
modules/secrets/paperless/secret-key.age
@ -21,6 +21,9 @@ in
"nextcloud/admin-pass.age".publicKeys = [ poseidon ];
"nextcloud/admin-pass.age".publicKeys = [ poseidon ];
"paperless/admin-password.age".publicKeys = [ poseidon ];
"paperless/secret-key.age".publicKeys = [ poseidon ];
"restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
"restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
"restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
"restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
"restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ];
"restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ];
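--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -10,6 +10,5 @@ in {
 };
 
 config.my.secrets = {
-paperless = import ./paperless { inherit lib; };
 };
 }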
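--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,10 +0,0 @@
-{ lib }:
-let
-inherit (lib)
-fileContents
-;
-in
-{
-secretKey = fileContents ./secret-key-file.secret;
-adminPassword = fileContents ./admin-password.secret;
-}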
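--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -11,7 +11,6 @@ let
 my = config.my;
 domain = config.networking.domain;
 paperlessDomain = "paperless.${domain}";
-secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
 in
 {
 options.my.services.paperless = let inherit (lib) types; in {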
@ -23,13 +22,27 @@ in
example = 8080;
example = 8080;
description = "Internal port for Paperless service";
description = "Internal port for Paperless service";
};
};
passwordFile = mkOption {
type = types.path;
description = ''
Path to a file containing the admin's password
'';
};
secretKeyFile = mkOption {
type = types.path;
description = ''
Path to a file containing the service's secret key
'';
};
};
};
config = mkIf cfg.enable {
config = mkIf cfg.enable {
services.paperless-ng = {
services.paperless-ng = {
enable = true;
enable = true;
port = cfg.port;
port = cfg.port;
passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword;
passwordFile = cfg.passwordFile;
extraConfig = {
extraConfig = {
# Postgres settings
# Postgres settings
PAPERLESS_DBHOST = "/run/postgresql";
PAPERLESS_DBHOST = "/run/postgresql";
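Review bot: The new `secretKeyFile` option description, `Path to a file containing the service's secret key`, does not say what format the file must have: the later hunk (`@ -53,17 +66,17 @@ in`) passes it straight to systemd `EnvironmentFile` for all three units, and the removed `pkgs.writeText "paperless-secret-key-file.env" …` binding in the first hunk shows it was always an env-style file, so a file holding just the raw key would not be parsed as an assignment. Suggest `Path to an environment file (KEY=value lines, e.g. PAPERLESS_SECRET_KEY=...) handed to the paperless units via EnvironmentFile; must be a runtime path such as an agenix secret, not a Nix path literal, which would copy the secret into the world-readable store.` The same store caveat is worth a sentence on `passwordFile`, since `types.path` accepts `./secret` and silently imports it. The enclosing `options.my.services.paperless` attrset opens in the previous hunk and `config = mkIf cfg.enable` continues past this one.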
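--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -53,17 +66,17 @@ in
 
 systemd.services = {
 paperless-ng-server.serviceConfig = {
-EnvironmentFile = secretKeyFile;
+EnvironmentFile = cfg.secretKeyFile;
 BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
 };
 
 paperless-ng-consumer.serviceConfig = {
-EnvironmentFile = secretKeyFile;
+EnvironmentFile = cfg.secretKeyFile;
 BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
 };
 
 paperless-ng-web.serviceConfig = {
-EnvironmentFile = secretKeyFile;
+EnvironmentFile = cfg.secretKeyFile;
 BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
 };
 };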