nico/dots
2
2
Fork 1
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

services: move all secrets into /media/secrets

Browse source 
moves all secrets into one centralised location in
/media/secrets and uses systemd-tmpfiles to set the
appropriate permissions for them
This commit is contained in:
Nico 2026-02-15 22:58:48 +11:00
parent 0dc8c93281
commit 93f912d548
Signed by: nico
SSH key fingerprint: SHA256:XuacYOrGqRxC3jVFjfLROn1CSvLz85Dec6N7O9Gwu/0
6 changed files with 35 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/services/auth/kanidm.nix
View file

@ -30,7 +30,6 @@
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53"; dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true; dnsPropagationCheck = true;
environmentFile = /var/lib/caddy/secret;
}; };
services.caddy.virtualHosts."${config.homelab.authDomain}" = { services.caddy.virtualHosts."${config.homelab.authDomain}" = {

6
modules/services/auth/tinyauth.nix
View file

@ -21,10 +21,14 @@
environmentFiles = [ environmentFiles = [
# set variable PROVIDERS_KANIDM_CLIENT_SECRET here # set variable PROVIDERS_KANIDM_CLIENT_SECRET here
/var/lib/tinyauth /media/secrets/tinyauth
]; ];
}; };
systemd.tmpfiles.rules = [
"f /media/secrets/tinyauth 0400 root root"
];
services.caddy.extraConfig = '' services.caddy.extraConfig = ''
(tinyauth_forwarder) { (tinyauth_forwarder) {
forward_auth 127.0.0.1:3009 { forward_auth 127.0.0.1:3009 {

7
modules/services/caddy.nix
View file

@ -33,6 +33,8 @@
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "hello@astolfo.org"; defaults.email = "hello@astolfo.org";
defaults.environmentFile = /media/secrets/acme;
defaults.profile = "shortlived";
certs."${config.homelab.domain}" = { certs."${config.homelab.domain}" = {
group = config.services.caddy.group; group = config.services.caddy.group;
@ -42,8 +44,11 @@
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53"; dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true; dnsPropagationCheck = true;
environmentFile = /var/lib/caddy/secret;
}; };
}; };
systemd.tmpfiles.rules = [
"f /media/secrets/acme 0400 acme acme"
];
}; };
} }

11
modules/services/karakeep.nix
View file

@ -16,9 +16,18 @@
# put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file # put OAUTH_CLIENT_SECRET and OAUTH_CLIENT_ID in file
# https://docs.karakeep.app/configuration/environment-variables#authentication--signup # https://docs.karakeep.app/configuration/environment-variables#authentication--signup
environmentFile = "/var/lib/karakeep/oidc"; environmentFile = "/media/secrets/karakeep";
}; };
systemd.tmpfiles.rules = [
"f /media/secrets/karakeep 0400 karakeep karakeep"
];
fileSystems."/var/lib/karakeep" = {
device = "/media/apps/karakeep";
options = [ "bind" ];
};
services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = { services.caddy.virtualHosts."karakeep.${config.homelab.domain}" = {
useACMEHost = config.homelab.domain; useACMEHost = config.homelab.domain;
extraConfig = '' extraConfig = ''

6
modules/services/miniflux.nix
View file

@ -10,7 +10,7 @@
# OAUTH2_CLIENT_ID = "<client ID>"; # OAUTH2_CLIENT_ID = "<client ID>";
# OAUTH2_CLIENT_SECRET = "<client secret>"; # OAUTH2_CLIENT_SECRET = "<client secret>";
# https://pocket-id.org/docs/client-examples/miniflux/ # https://pocket-id.org/docs/client-examples/miniflux/
adminCredentialsFile = /var/lib/miniflux/oidc; adminCredentialsFile = /media/secrets/miniflux;
config = { config = {
LISTEN_ADDR = "0.0.0.0:8021"; LISTEN_ADDR = "0.0.0.0:8021";
@ -44,6 +44,10 @@
}; };
}; };
systemd.tmpfiles.rules = [
"f /media/secrets/miniflux 0400 root root"
];
services.caddy.virtualHosts."rss.${config.homelab.domain}" = { services.caddy.virtualHosts."rss.${config.homelab.domain}" = {
useACMEHost = config.homelab.domain; useACMEHost = config.homelab.domain;
extraConfig = '' extraConfig = ''

9
modules/services/uptime-kuma.nix
View file

@ -9,6 +9,15 @@
}; };
}; };
systemd.tmpfiles.rules = [
"d /media/secrets/uptime-kuma 0700 root root"
];
fileSystems."/var/lib/private/uptime-kuma" = {
device = "/media/apps/uptime-kuma";
options = [ "bind" ];
};
services.caddy.virtualHosts."status.${config.homelab.domain}" = { services.caddy.virtualHosts."status.${config.homelab.domain}" = {
useACMEHost = config.homelab.domain; useACMEHost = config.homelab.domain;
extraConfig = '' extraConfig = ''