moving docker secrets to sops
@ -6,5 +6,17 @@
|
||||
./postgresql.nix
|
||||
];
|
||||
|
||||
users = {
|
||||
users.docker-service = {
|
||||
isSystemUser = true;
|
||||
group = "docker-service";
|
||||
extraGroups = [ "docker" ];
|
||||
uid = 600;
|
||||
};
|
||||
groups.docker-service = {
|
||||
gid = 600;
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.backend = "docker";
|
||||
}
|
||||
|
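Review bot: `extraGroups = [ "docker" ];` on the new `docker-service` user grants root-equivalent access to the host, because membership in the docker group allows full control of the Docker daemon socket. In this commit the account appears to exist only to own sops-decrypted files (`owner = "docker-service"` in the later hunks), and owning a file needs no docker group membership, so the line can likely be removed; if the user is meant to run containers itself, the group grant makes it root-equivalent anyway and the separate uid buys nothing. A one-line comment above `users.docker-service` stating what the account is for would make the intent reviewable, e.g. `# owner of sops-decrypted secrets consumed by oci-containers`. The enclosing module continues outside the hunk.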
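--- /dev/null
+++ b/systems/jeeves/docker/haproxy.cfg
@@ -0,0 +1,43 @@
+global
+log stdout format raw local0
+# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+stats timeout 30s
+
+defaults
+log global
+mode http
+timeout client 10s
+timeout connect 5s
+timeout server 10s
+timeout http-request 10s
+
+
+#Application Setup
+frontend ContentSwitching
+bind *:80
+bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+mode http
+# tmmworkshop.com
+acl host_mirror hdr(host) -i mirror.tmmworkshop.com
+acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
+acl host_grafana hdr(host) -i grafana.tmmworkshop.com
+
+use_backend mirror_nodes if host_mirror
+use_backend dndrules_nodes if host_dndrules
+use_backend grafana_nodes if host_grafana
+
+backend mirror_nodes
+mode http
+server server arch_mirror:80
+
+backend mirror_rsync
+mode http
+server server arch_mirror:873
+
+backend grafana_nodes
+mode http
+server server grafana:3000
+
+backend dndrules_nodes
+mode http
+server server dnd_file_server:80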
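Review bot: `backend mirror_rsync` is declared with `mode http` and `server server arch_mirror:873`, but no `use_backend` rule references it and 873 is the rsync port, not an HTTP service, so it is dead configuration that would speak HTTP to an rsync daemon if it were ever wired up; either delete the block or give rsync its own `listen` section with `mode tcp`. The missing `default_backend` in `frontend ContentSwitching` is a reasonable choice here, since a request with an unmatched Host header gets a 503 instead of being routed somewhere unintended, but a comment saying so would stop the next reader from "fixing" it. Both `bind *:80` and `bind *:443` feed the same routing, so every backend is also reachable over plaintext; if that is only there for the tunnel's origin connection, a `http-request redirect scheme https unless { ssl_fc }` would close it for other clients, though I can't tell from this page which port cloudflared targets. The commented `# stats socket` line should be either enabled deliberately or dropped rather than left as archaeology.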
@ -21,7 +21,7 @@
|
||||
POSTGRES_DB = "archive";
|
||||
POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
|
||||
};
|
||||
environmentFiles = [ config.sops.secrets."postgres".path ];
|
||||
environmentFiles = [ config.sops.secrets."docker/postgres".path ];
|
||||
autoStart = true;
|
||||
user = "postgres:postgres";
|
||||
};
|
||||
@ -29,6 +29,6 @@
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets.yaml;
|
||||
secrets."postgres".owner = "postgres";
|
||||
secrets."docker/postgres".owner = "postgres";
|
||||
};
|
||||
}
|
||||
|
@ -1,3 +1,4 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
virtualisation.oci-containers.containers = {
|
||||
grafana = {
|
||||
@ -34,7 +35,7 @@
|
||||
};
|
||||
volumes = [
|
||||
"/zfs/media/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
|
||||
"/zfs/media/docker/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
|
||||
"/root/nix-dotfiles/systems/jeeves/docker/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
|
||||
];
|
||||
dependsOn = [
|
||||
"grafana"
|
||||
@ -50,10 +51,19 @@
|
||||
"tunnel"
|
||||
"run"
|
||||
];
|
||||
environmentFiles = [ "/zfs/media/docker/cloudflare_tunnel.env" ];
|
||||
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel:".path ];
|
||||
dependsOn = [ "haproxy" ];
|
||||
extraOptions = [ "--network=web" ];
|
||||
autoStart = true;
|
||||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets.yaml;
|
||||
secrets."docker/cloud_flare_tunnel:".owner = "docker-service";
|
||||
secrets."docker/haproxy_cert:" = {
|
||||
owner = "docker-service";
|
||||
path = "/zfs/media/docker/test_cloudflare.pem";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
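Review bot: The new sops secret `docker/haproxy_cert:` is written to `/zfs/media/docker/test_cloudflare.pem`, while the haproxy container's volumes (hunk @ -34,7 +35,7 @@, unchanged context line) still bind-mount `/zfs/media/docker/cloudflare.pem`, so the key and certificate served on `*:443` remain the hand-placed file and the decrypted secret is never used. Either point `path` at the file the volume mounts, or mount the secret directly, e.g. `"${config.sops.secrets."docker/haproxy_cert:".path}:/etc/ssl/certs/cloudflare.pem"`, and then delete the stale copy so there is a single source of truth for the private key. The secret names carry a trailing colon (`docker/cloud_flare_tunnel:`, `docker/haproxy_cert:`), which looks like YAML syntax copied into the key; if the keys in secrets.yaml have no colon, sops-nix will fail at activation, so this is worth confirming against that file. Separately, `/root/nix-dotfiles/systems/jeeves/docker/haproxy.cfg` mounts the proxy config from a working-tree checkout rather than from the evaluated configuration, so the running proxy can drift from what `nixos-rebuild` deployed; `"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"` copies the file into the store and makes the container unit change (and restart) whenever the config does.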