feat(nextcloud): switch to age-protected secrets

2024-12-06 21:17:00 +00:00 · 2024-12-06 21:17:00 +00:00 · b4f4c69c42
commit b4f4c69c42
parent 273b694e4f
4 changed files with 43 additions and 3 deletions
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@ -8,6 +8,17 @@ let
  inherit (utilities) architectInterfaceAddress;
 in
 {
+  age.secrets = {
+    nextcloud-admin = {
+      file = ../../secrets/nextcloud-admin.age;
+      owner = "nextcloud";
+    };
+    nextcloud-database = {
+      file = ../../secrets/nextcloud-database.age;
+      owner = "nextcloud";
+    };
+  };
+
  environment.systemPackages = with pkgs; [
    nodejs-18_x
    libtensorflow
@ -62,14 +73,14 @@ in
      settings = {
        overwriteprotocol = "https";
      };
-      
+
      config = {
        dbtype = "mysql";
        dbuser = "nextcloud";
        dbhost = "localhost";
        dbname = "nextcloud";
-        dbpassFile = "/secrets/nextcloud/dbpass.txt";
-        adminpassFile = "/secrets/nextcloud/dbpass.txt";
+        dbpassFile = config.age.secrets.nextcloud-database.path;
+        adminpassFile = config.age.secrets.nextcloud-admin.path;
      };
    };
  };
--- a/secrets/nextcloud-admin.age
+++ b/secrets/nextcloud-admin.age
--- a/secrets/nextcloud-database.age
+++ b/secrets/nextcloud-database.age
@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-rsa QXZdow
+JFZ512g1V5fHSCDuxPcpFGSSAzI6326lbmmQaepxfPyTzZpK5Qo7WaUeF0dCmwi1
+mwS038cbo57hPnuGapJtrqggiVm8B53rli7xlwFQCydVkxnKPSvcERI8KphEn1K5
+1YGeU6XdqqNyv1NSV9V8A4Y74LMk1H+igWR5sWZnO6sQi7LLAwfL+BsskdwY0ZuW
+9TOzkeZtgU5qy9IbN6liouEMliO660q1sb+OxQFP8pVIS3xt9mD2IE4W3hP9aZyF
+JHUZPizwF+HvspR8oMV4R7JI4gexBwnMVeu4HVu+ayY2udQvr2DNxQNHM66zClPo
+7G67rblH6IfCOrOieqIVvYrbJQuSZip4npnQyXVXzg/wQ6CGu0k4E8wF1xHFYKAO
+LGWK8uUxffC1ITEfNMaSs/3AKMuqBsJcDXYYe4yq4lJYxSfwXbu+G6aqOgHYAe7p
+LBQgl5Dn19r/7zKRLJTK4eJ0ah8bnWWTU9FcHAJbqKFYK6DW+syqFYinXfwt9AQI
+g0w5apgPm/B3PX0wKiabci8c4AZ6n2JVWvI9sJkhcL5t93JS9uBsgxzc3Hv4nu3E
+zD1Skp648In+oQ+6xuDmIuEuu8xIhGwU3jhJeIiTZwX54wj35v/gNLU2sH1hK/90
+vyJcZClmpGDsOu/vHeKPSfP29MEzlahA5dZS0DDkt58
+-> ssh-ed25519 7eGqHw AJlmB4Up3Zs4gNdfRRt8zZ5r1M8DcXSdj7B09VUlYCk
+Vteh5QnSqhIrXm10zdOjP+Lhm3qwABqGgQFHfrnrjH4
+-> ssh-rsa tO3rGg
+VPAsazrTmffI7Y0LOsLwAoeOtz9lnDm3vYTDcFi8DoJcHsXDh2cYib1hET4noWLf
+gFQiP30rNKTvkBDeThdH5opyZbO9BfDX1IgJo5Fm7yO3LdSWB44fL3Mn8HoMKGkn
+d6TKM0ZxDZAkApTMcKHjHlcnWgy5sGxW0pHDnBvCCqsQHqRywcGDZTVhmxshLxQw
+giQo3ZI8fzD436bY+rWYJtqWKcOnBLGEiFoWJr9qfLcG2FwB0xLppfX7S6htLQpn
+btqafMtA8HgGVkVGC+uADqghPGzO/rN/z571xvZ6F4GyeB1/2RbVX62N4jN8FlPc
+6UWe3kgxM9cOedpwYPqte3gIETWBxlfpspOfVaRv6qMx6ZM1mPsP1qTpQNUabm2
+2Ale/EkLnfYzwXmaiql0/oEuqq7Dp806XP5AcKxZHNUJeZHRdqOUHGCNJzfAO3H4
+uazZGDtZR+pSq0QwEZqp1GoodtzCbBnbko5ZwVYXIXc1gSbwvP6ZW/5HiPEM0jaM
+
+--- TXLi+4AqW9L3grKPVMBDb75OHyjatQzBxUlI4Xe1eMw
+ÛÞÁ }ccn‡ó…¹'Ï’F¥At«5ËT Æµ –E]Òx7írÑ|kô§ÿ<C2A7><C3BF>µI°mÅ‹¼ú×%‚}’´¿‰<C2BF>¬#=<3D>J.
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,4 +7,6 @@ in
 {
  "matrix-synapse.age".publicKeys = pubkeys;
  "teslamate.age".publicKeys = pubkeys;
+  "nextcloud-admin.age".publicKeys = pubkeys;
+  "nextcloud-database.age".publicKeys = pubkeys;
 }