moving docker secrets to sops
This commit is contained in:
parent
776ae1c811
commit
ae21d96746
@ -6,5 +6,17 @@
|
||||
./postgresql.nix
|
||||
];
|
||||
|
||||
users = {
|
||||
users.docker-service = {
|
||||
isSystemUser = true;
|
||||
group = "docker-service";
|
||||
extraGroups = [ "docker" ];
|
||||
uid = 600;
|
||||
};
|
||||
groups.docker-service = {
|
||||
gid = 600;
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.backend = "docker";
|
||||
}
|
||||
|
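--- /dev/null
+++ b/systems/jeeves/docker/haproxy.cfg
@@ -0,0 +1,43 @@
+global
+log stdout format raw local0
+# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+stats timeout 30s
+
+defaults
+log global
+mode http
+timeout client 10s
+timeout connect 5s
+timeout server 10s
+timeout http-request 10s
+
+
+#Application Setup
+frontend ContentSwitching
+bind *:80
+bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+mode http
+# tmmworkshop.com
+acl host_mirror hdr(host) -i mirror.tmmworkshop.com
+acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
+acl host_grafana hdr(host) -i grafana.tmmworkshop.com
+
+use_backend mirror_nodes if host_mirror
+use_backend dndrules_nodes if host_dndrules
+use_backend grafana_nodes if host_grafana
+
+backend mirror_nodes
+mode http
+server server arch_mirror:80
+
+backend mirror_rsync
+mode http
+server server arch_mirror:873
+
+backend grafana_nodes
+mode http
+server server grafana:3000
+
+backend dndrules_nodes
+mode http
+server server dnd_file_server:80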
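Review bot: `backend mirror_rsync` is declared with `mode http` and an rsync upstream on port 873, yet no `use_backend` or `default_backend` in `frontend ContentSwitching` references it; rsync is not an HTTP protocol, so as written the backend is both unreachable and mis-typed — either remove it or expose it as its own `mode tcp` frontend/backend pair. The `bind *:80` line serves every backend in plaintext next to the TLS bind with no redirect; adding `http-request redirect scheme https unless { ssl_fc }` to the frontend would force TLS for browser traffic. The `global` section sets no TLS floor, so `ssl-default-bind-options ssl-min-ver TLSv1.2` is worth adding there to keep the `*:443` listener from negotiating legacy protocol versions. A short comment above the `bind *:443` line noting that `cloudflare.pem` is the origin certificate bind-mounted by the container definition would also help the next reader, since the path is not otherwise explained in this file.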
@ -21,7 +21,7 @@
|
||||
POSTGRES_DB = "archive";
|
||||
POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
|
||||
};
|
||||
environmentFiles = [ config.sops.secrets."postgres".path ];
|
||||
environmentFiles = [ config.sops.secrets."docker/postgres".path ];
|
||||
autoStart = true;
|
||||
user = "postgres:postgres";
|
||||
};
|
||||
@ -29,6 +29,6 @@
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets.yaml;
|
||||
secrets."postgres".owner = "postgres";
|
||||
secrets."docker/postgres".owner = "postgres";
|
||||
};
|
||||
}
|
||||
|
@ -1,3 +1,4 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
virtualisation.oci-containers.containers = {
|
||||
grafana = {
|
||||
@ -34,7 +35,7 @@
|
||||
};
|
||||
volumes = [
|
||||
"/zfs/media/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
|
||||
"/zfs/media/docker/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
|
||||
"/root/nix-dotfiles/systems/jeeves/docker/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
|
||||
];
|
||||
dependsOn = [
|
||||
"grafana"
|
||||
@ -50,10 +51,19 @@
|
||||
"tunnel"
|
||||
"run"
|
||||
];
|
||||
environmentFiles = [ "/zfs/media/docker/cloudflare_tunnel.env" ];
|
||||
environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel:".path ];
|
||||
dependsOn = [ "haproxy" ];
|
||||
extraOptions = [ "--network=web" ];
|
||||
autoStart = true;
|
||||
};
|
||||
};
|
||||
|
||||
sops = {
|
||||
defaultSopsFile = ../secrets.yaml;
|
||||
secrets."docker/cloud_flare_tunnel:".owner = "docker-service";
|
||||
secrets."docker/haproxy_cert:" = {
|
||||
owner = "docker-service";
|
||||
path = "/zfs/media/docker/test_cloudflare.pem";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
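Review bot: The sops secret names on the new `environmentFiles` line and in the new `sops.secrets` block carry a trailing colon — `"docker/cloud_flare_tunnel:"` and `"docker/haproxy_cert:"` — while secrets.yaml in this same commit defines the keys as `docker/cloud_flare_tunnel` and `docker/haproxy_cert`, so sops-nix, which looks a secret up by that exact key path, should fail at activation; drop the colon in all three places: `environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];`, `secrets."docker/cloud_flare_tunnel".owner = "docker-service";`, `secrets."docker/haproxy_cert" = {`. The `haproxy_cert` secret is written to `/zfs/media/docker/test_cloudflare.pem`, but the haproxy container in the earlier hunk still mounts `/zfs/media/docker/cloudflare.pem`, so the sops-managed certificate is never used and the unmanaged copy on disk stays the live one. Mounting haproxy.cfg from `/root/nix-dotfiles/systems/jeeves/docker/haproxy.cfg` ties the running container to a mutable working tree rather than to the evaluated configuration; referencing the file through the Nix store (for example `"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"`) would make the deployed config match the commit and let a config change trigger a container restart. The `haproxy` container attribute set that these lines belong to begins outside the hunk.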
@ -1,4 +1,7 @@
|
||||
postgres: ENC[AES256_GCM,data:OqV8CH0ULLuKL3cIno1pGIGZKEY4Ox9t/lQ9/w/O98vGNWFC6lnh2m+m+O8q4VRdwKvPTLBXzTHA,iv:kFXNJaSigTD/1PZeB/oiijxXjhtHLd14h+jcTDOLZ6I=,tag:Hp8zfs5mtpOgDd6KiD9fxQ==,type:str]
|
||||
docker:
|
||||
postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
|
||||
cloud_flare_tunnel: ENC[AES256_GCM,data:O4LATPE4iFZyYL8YROMUAOY8b3r5RKg3OgWTng47Y+sCDGPN7+fkXxwP6aThAFRQdUvt8dw7XM8SEI6CupDsNYCHrMUzgFsCi1Fk3HnG0hGZIgl7rDFLU+ueKVi0TQIOi8ooK7gBwCn25A8fPmR2+hDeNKBRMotqty+tpge/xWOpHePzayKLidyevdc8Ha775sbWuBas5U+uy3eWeOeUrnmaO1QqzZwfX7UjMMXVdsBGeOLG9QC8tiy1cps9ZlvuBpafVgbSdw==,iv:1948RXXwIudqykInRG/1mp7ZPSzfkLsSj59re+RRPo0=,tag:Oa1RNWjewdV7aQx9djIzIg==,type:str]
|
||||
haproxy_cert: ENC[AES256_GCM,data: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,iv:W4RyDZyIkSrOOgd4to37A6gKm0v1Z9lVjMzcERVJGC0=,tag:0HFBoTys09y2Xt7AqEFFQA==,type:str]
|
||||
zfs:
|
||||
backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
|
||||
docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
|
||||
@ -25,8 +28,8 @@ sops:
|
||||
bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
|
||||
9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-19T22:15:57Z"
|
||||
mac: ENC[AES256_GCM,data:FLbbRez083ACStzNH3Elfej7jGlI2x/h5tq2NmqVMn8eyt5MkhWG2TDFwHXya5lpu+ZoaeGrvMgPDmpD2j1GNmlts6D735VR7RuYz7hqckxyqIcQSUVOPhR+yeOoV3Br2sfnn/ABLr+McljEmEj+TLhOw8tVEPXxGDBkIYRYnYE=,iv:iOaXC7Mrj2F/zY2wAgH/GbU+Q/fk9eMwVUvilBwt8Fo=,tag:gE20QJyhaj+cX2RzrH3l1Q==,type:str]
|
||||
lastmodified: "2024-06-22T01:19:52Z"
|
||||
mac: ENC[AES256_GCM,data:rTKW0ENLZgPbiJgvX+WXuKY7Eq1goBrka1Lw3N5ZxAiH/a2s14lpNHC1rp9t+pW/KSCEv7DeVzHb/zx8F1vztdRSjZgsTw/C7qjjE2jA34nLBYYPelPtpYbXCrzoGrChL9PVU+wh8kHb+X6WVfJo3oKKGG5Cca4MD1ojSnPdDN4=,iv:xLH5weSYmN/SUcwjLAJaER4J0Frb++z9A/s1gDLCOjA=,tag:3vAtqQEQL1YsLLbIDIw/7g==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-03-02T20:52:17Z"
|
||||
enc: |-
|
||||
|