secrets: move paperless secrets to agenix

Antoine Martin 2022-03-11 18:55:56 +01:00
parent 8d75500055
commit 2c3032c642
10 changed files with 34 additions and 16 deletions


@ -127,6 +127,8 @@ in
paperless = { paperless = {
enable = true; enable = true;
port = 8085; port = 8085;
passwordFile = config.age.secrets."paperless/admin-password".path;
secretKeyFile = config.age.secrets."paperless/secret-key".path;
}; };
postgresql-backup = { postgresql-backup = {


@ -23,6 +23,9 @@
owner = "nextcloud"; owner = "nextcloud";
}; };
"paperless/admin-password" = {};
"paperless/secret-key" = {};
"restic-backup/poseidon-credentials" = {}; "restic-backup/poseidon-credentials" = {};
"restic-backup/poseidon-password" = {}; "restic-backup/poseidon-password" = {};
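Review bot: `"paperless/admin-password" = {};` on the added line relies on agenix's defaults (root-owned, mode 0400), unlike the neighbouring nextcloud entry that sets `owner`. If the paperless-ng units run as a dedicated service user and read `passwordFile` from a script inside the unit rather than through systemd itself, that user cannot open a root-only file and the admin bootstrap fails; in that case declare `"paperless/admin-password" = { owner = "paperless"; };` (or whatever `services.paperless-ng.user` resolves to). The secret-key file is consumed via `EnvironmentFile`, which systemd reads as root before dropping privileges, so it can stay root-owned. Worth confirming against the NixOS module's service user rather than assuming the default works.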


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 z6Eu8Q cKvo+xxPeYdCpJZgcN7Yo8x4zxqKL+08LjQip00NR1M
nLEraZgmUlMjNfF4SZ3DRTRENC3/5L02KFMjLWQcDkk
-> BA-grease "TTy
LVWJdA/Rht1hzx5ezY0+4JxHDPtyveBBmrZ/sIN6RFC9Y7Xb875Z+Se/YYcI9unf
RZcSrVU
--- TT+H8/aMObjfwOga2VeDrifPmttTdle97PFZL/H6b0w
<2˜Ùf½!¿˜ðžÁý‘Ì´<>t™X+·¬Q•¾Œ<C2BE>¯Í ïL P‚Ùñû;ø×wöY¼Õx-ˆ™4—Ó‰ùé8¦ ïL¹åЄ×Öæ¿òÕ:…lõÆ(«¹‘•.

Binary file not shown.


@ -21,6 +21,9 @@ in
"nextcloud/admin-pass.age".publicKeys = [ poseidon ]; "nextcloud/admin-pass.age".publicKeys = [ poseidon ];
"paperless/admin-password.age".publicKeys = [ poseidon ];
"paperless/secret-key.age".publicKeys = [ poseidon ];
"restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ]; "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
"restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ]; "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
"restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ]; "restic-backup/poseidon-password.age".publicKeys = [ alarsyo poseidon ];
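Review bot: Both added entries list only `poseidon` as recipient, so the ciphertext can only be decrypted, re-edited or rekeyed with that host's key, whereas the restic entries directly below also include `alarsyo`. This matches the nextcloud admin-pass line above and may well be intentional, but it means that if the host key is lost the paperless values cannot be recovered and must be regenerated, and any edit has to happen with access to the host key. If an operator key should be able to rotate these without logging into the host, use `publicKeys = [ alarsyo poseidon ];` for both lines.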


@ -10,6 +10,5 @@ in {
}; };
config.my.secrets = { config.my.secrets = {
paperless = import ./paperless { inherit lib; };
}; };
} }


@ -1,10 +0,0 @@
{ lib }:
let
inherit (lib)
fileContents
;
in
{
secretKey = fileContents ./secret-key-file.secret;
adminPassword = fileContents ./admin-password.secret;
}


@ -11,7 +11,6 @@ let
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
paperlessDomain = "paperless.${domain}"; paperlessDomain = "paperless.${domain}";
secretKeyFile = pkgs.writeText "paperless-secret-key-file.env" my.secrets.paperless.secretKey;
in in
{ {
options.my.services.paperless = let inherit (lib) types; in { options.my.services.paperless = let inherit (lib) types; in {
@ -23,13 +22,27 @@ in
example = 8080; example = 8080;
description = "Internal port for Paperless service"; description = "Internal port for Paperless service";
}; };
passwordFile = mkOption {
type = types.path;
description = ''
Path to a file containing the admin's password
'';
};
secretKeyFile = mkOption {
type = types.path;
description = ''
Path to a file containing the service's secret key
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.paperless-ng = { services.paperless-ng = {
enable = true; enable = true;
port = cfg.port; port = cfg.port;
passwordFile = pkgs.writeText "paperless-password-file.txt" config.my.secrets.paperless.adminPassword; passwordFile = cfg.passwordFile;
extraConfig = { extraConfig = {
# Postgres settings # Postgres settings
PAPERLESS_DBHOST = "/run/postgresql"; PAPERLESS_DBHOST = "/run/postgresql";
@ -53,17 +66,17 @@ in
systemd.services = { systemd.services = {
paperless-ng-server.serviceConfig = { paperless-ng-server.serviceConfig = {
EnvironmentFile = secretKeyFile; EnvironmentFile = cfg.secretKeyFile;
BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ]; BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
}; };
paperless-ng-consumer.serviceConfig = { paperless-ng-consumer.serviceConfig = {
EnvironmentFile = secretKeyFile; EnvironmentFile = cfg.secretKeyFile;
BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ]; BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
}; };
paperless-ng-web.serviceConfig = { paperless-ng-web.serviceConfig = {
EnvironmentFile = secretKeyFile; EnvironmentFile = cfg.secretKeyFile;
BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ]; BindReadOnlyPaths = [ config.services.redis.servers.paperless.unixSocket ];
}; };
}; };
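Review bot: The new `secretKeyFile` option description (`Path to a file containing the service's secret key`) understates the contract: the path is wired into `EnvironmentFile` on all three paperless-ng units, so the file must be in systemd environment-file syntax (`PAPERLESS_SECRET_KEY=...`), not a bare key — a bare value would not be parsed as a variable, and the old `paperless-secret-key-file.env` name was the only hint of this. Suggest `Path to a file in systemd EnvironmentFile format that sets PAPERLESS_SECRET_KEY`, and for both options a caveat that assigning a Nix path literal to a `types.path` option copies the file into the world-readable store, which is what this commit is moving away from. Since the previous values were materialised into /nix/store with `pkgs.writeText`, rotating them rather than re-encrypting the same values would be prudent; the ciphertext in this commit does not show whether that happened. The enclosing module attribute set starts before and continues past this hunk.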