From 93f912d548be4b8a72c10094fb2d953daa826d9d Mon Sep 17 00:00:00 2001
From: Nico
Date: Sun, 15 Feb 2026 22:58:48 +1100
Subject: [PATCH] services: move all secrets into /media/secrets

moves all secrets into one centralised location in /media/secrets and uses systemd-tmpfiles to set the appropriate permissions for them
---
 modules/services/auth/kanidm.nix | 1 -
 modules/services/auth/tinyauth.nix | 6 +++++-
 modules/services/caddy.nix | 7 ++++++-
 modules/services/karakeep.nix | 11 ++++++++++-
 modules/services/miniflux.nix | 6 +++++-
 modules/services/uptime-kuma.nix | 9 +++++++++
 6 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/modules/services/auth/kanidm.nix b/modules/services/auth/kanidm.nix
index fb2a939..6bfd7a8 100644
--- a/modules/services/auth/kanidm.nix
+++ b/modules/services/auth/kanidm.nix
@@ -30,7 +30,6 @@
 dnsProvider = "cloudflare";
 dnsResolver = "1.1.1.1:53";
 dnsPropagationCheck = true;
- environmentFile = /var/lib/caddy/secret;
 };
 
 services.caddy.virtualHosts."${config.homelab.authDomain}" = {
diff --git a/modules/services/auth/tinyauth.nix b/modules/services/auth/tinyauth.nix
index c5d4f4d..3bab219 100644
--- a/modules/services/auth/tinyauth.nix
+++ b/modules/services/auth/tinyauth.nix
@@ -21,10 +21,14 @@
 
 environmentFiles = [
 # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
- /var/lib/tinyauth
+ /media/secrets/tinyauth
 ];
 };
 
+ systemd.tmpfiles.rules = [
+ "f /media/secrets/tinyauth 0400 root root"
+ ];
+
 services.caddy.extraConfig = ''
 (tinyauth_forwarder) {
 forward_auth 127.0.0.1:3009 {
diff --git a/modules/services/caddy.nix b/modules/services/caddy.nix
index 2d77842..2339ef7 100644
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@@ -33,6 +33,8 @@
 security.acme = {
 acceptTerms = true;
 defaults.email = "hello@astolfo.org";
+ defaults.environmentFile = /media/secrets/acme;
+ defaults.profile = "shortlived";
 
 certs."${config.homelab.domain}" = {
 group = config.services.caddy.group;
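Review bot: The `f /media/secrets/tinyauth 0400 root root` rule in tinyauth.nix creates an empty file whenever the secret is missing or `/media/secrets` is not mounted, so the unit starts with an unset `PROVIDERS_KANIDM_CLIENT_SECRET` instead of failing; the same applies to the `f` rules added in caddy.nix, karakeep.nix and miniflux.nix. A `z /media/secrets/tinyauth 0400 root root` line adjusts mode and ownership of an existing file and never creates one, so a missing secret presumably surfaces as a start-up failure on the absent environment file rather than as a silently empty environment. The path is also written as a bare Nix path literal (`/media/secrets/tinyauth`, likewise `/media/secrets/acme` in caddy.nix and `/media/secrets/miniflux` in miniflux.nix) while karakeep.nix quotes it; a path value that any consumer interpolates into a string is copied into the world-readable Nix store on the evaluating host, so `"/media/secrets/tinyauth"` is the safer and consistent spelling. No hunk declares `/media/secrets` itself; unless it is created elsewhere with a restrictive mode, a `d /media/secrets 0700 root root` rule belongs alongside these. The attribute set closed by the `};` in this hunk starts above it.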
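Review bot: `defaults.profile = "shortlived";` in the caddy.nix hunk is an ACME behaviour change that the commit message ("move all secrets into /media/secrets") does not mention, bundled next to a line that only relocates the Cloudflare token file. Short-lived certificates turn any renewal problem, including an empty or unreadable `/media/secrets/acme`, into an outage within days rather than weeks, so the line deserves its own commit or at least a sentence in the description and a comment such as `# short-lived certs: renewal must keep working, watch the acme timer and the token file` above it. The `security.acme` block continues past the hunk's last line.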
@@ -42,8 +44,11 @@
 dnsProvider = "cloudflare";
 dnsResolver = "1.1.1.1:53";
 dnsPropagationCheck = true;
- environmentFile = /var/lib/caddy/secret;
 };
 };
+
+ systemd.tmpfiles.rules = [
+ "f /media/secrets/acme 0400 acme acme"
+ ];
 };
 }
diff --git a/modules/services/karakeep.nix b/modules/services/karakeep.nix
index 6decca9..ec87014 100644
--- a/modules/services/karakeep.nix
+++ b/modules/services/karakeep.nix
@@ -16,9 +16,18 @@
 
 # put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file
 # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
- environmentFile = "/var/lib/karakeep/oidc";
+ environmentFile = "/media/secrets/karakeep";
 };
 
+
+ systemd.tmpfiles.rules = [
+ "f /media/secrets/karakeep 0400 karakeep karakeep"
+ ];
+ fileSystems."/var/lib/karakeep" = {
+ device = "/media/apps/karakeep";
+ options = [ "bind" ];
+ };
+
 services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
diff --git a/modules/services/miniflux.nix b/modules/services/miniflux.nix
index 3d236b1..3f3f0f6 100644
--- a/modules/services/miniflux.nix
+++ b/modules/services/miniflux.nix
@@ -10,7 +10,7 @@
 # OAUTH2_CLIENT_ID = "";
 # OAUTH2_CLIENT_SECRET = "";
 # https://pocket-id.org/docs/client-examples/miniflux/
- adminCredentialsFile = /var/lib/miniflux/oidc;
+ adminCredentialsFile = /media/secrets/miniflux;
 
 config = {
 LISTEN_ADDR = "0.0.0.0:8021";
@@ -44,6 +44,10 @@
 };
 };
 
+ systemd.tmpfiles.rules = [
+ "f /media/secrets/miniflux 0400 root root"
+ ];
+
 services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
diff --git a/modules/services/uptime-kuma.nix b/modules/services/uptime-kuma.nix
index b08cd10..319f8a2 100644
--- a/modules/services/uptime-kuma.nix
+++ b/modules/services/uptime-kuma.nix
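Review bot: The new tmpfiles rule in karakeep.nix names `karakeep karakeep` as owner while the sibling rules in tinyauth.nix and miniflux.nix use `root root`; an environment file handed to `EnvironmentFile=` is read by the service manager before privileges are dropped, so the service user never needs to own it, and as owner it could `chmod` its own 0400 file, which makes `"f /media/secrets/karakeep 0400 root root"` the tighter and consistent choice. The rule also presumes a static `karakeep` user exists when `systemd-tmpfiles-setup` runs; if the module uses `DynamicUser`, the name will not resolve at that point, which is worth confirming against the module. The `fileSystems."/var/lib/karakeep"` bind mount is a state relocation unrelated to moving secrets and is not mentioned in the commit message; the same applies to the `/var/lib/private/uptime-kuma` mount in uptime-kuma.nix. The attribute set closed by the `};` in this hunk starts above it.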
@@ -9,6 +9,15 @@
 };
 };
 
+ systemd.tmpfiles.rules = [
+ "d /media/secrets/uptime-kuma 0700 root root"
+ ];
+
+ fileSystems."/var/lib/private/uptime-kuma" = {
+ device = "/media/apps/uptime-kuma";
+ options = [ "bind" ];
+ };
+
 services.caddy.virtualHosts."status.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
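Review bot: `d /media/secrets/uptime-kuma 0700 root root` creates a root-only directory, but nothing in this hunk or elsewhere in the patch points the uptime-kuma service at it, so either the consumer is missing from the commit or the rule is dead configuration. If the service is meant to read from it, a root-owned 0700 directory is unreadable by an unprivileged service user, and the `/var/lib/private/` bind-mount target suggests the unit runs with `DynamicUser`, so the ownership would need to follow whichever unit consumes it. A comment stating what is expected in the directory and who reads it, e.g. `# <what lives here> — read by <unit>; keep root-only`, would make the intent reviewable. The enclosing attribute set starts before the hunk.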