soraefir
2026-05-06 02:37:23 +02:00
parent 865c12cacc
commit e3e535f527
4 changed files with 13 additions and 11 deletions


@@ -14,16 +14,16 @@ in {
"${serverCfg.dataPath}/authentik/media:/media" "${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates" "${serverCfg.dataPath}/authentik/templates:/templates"
]; ];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = { environment = {
"AUTHENTIK_POSTGRESQL__HOST" = "host.internal"; "AUTHENTIK_POSTGRESQL__HOST" = "host.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user"; "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db"; "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}"; "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587"; "AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}"; "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
"AUTHENTIK_EMAIL__USE_TLS" = "true"; "AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false"; "AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10"; "AUTHENTIK_EMAIL__TIMEOUT" = "10";
@@ -55,14 +55,16 @@ in {
"/var/run/docker.sock:/var/run/docker.sock" "/var/run/docker.sock:/var/run/docker.sock"
]; ];
environmentFiles = [ environmentFiles = [
config.sops.secrets."authentik_pass".path config.sops.secrets."AUTHENTIK".path
]; ];
environment = { environment = {
"AUTHENTIK_POSTGRESQL__HOST" = "host.internal"; "AUTHENTIK_POSTGRESQL__HOST" = "host.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user"; "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db"; "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
}; };
extraOptions = [
"--add-host=host.internal:host-gateway"
];
cmd = [ "worker" ]; cmd = [ "worker" ];
}; };
}; };
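Review bot: After this change the server and worker containers get AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_SECRET_KEY and AUTHENTIK_EMAIL__PASSWORD only from the shared `AUTHENTIK` env file (the literal placeholders are removed and nothing visible replaces them), while the postgres bootstrap script elsewhere in this commit reads the key `DB_PASSWORD` from the same file; the database password therefore has to be present twice under two different keys, nothing checks that the two values agree, and if the file carries only `DB_PASSWORD` authentik starts with no DB password at all. The env file content is encrypted so this cannot be confirmed here; at minimum document the contract next to the environmentFiles line, e.g. `# env file must define DB_PASSWORD (read by the postgres bootstrap), AUTHENTIK_POSTGRESQL__PASSWORD (same value), AUTHENTIK_SECRET_KEY, AUTHENTIK_EMAIL__PASSWORD`, or better have the bootstrap read AUTHENTIK_POSTGRESQL__PASSWORD so there is a single source of truth. Both container definitions begin above the hunks.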


@@ -60,8 +60,8 @@ in {
done done
$PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;" $PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
if [ -f "${config.sops.secrets."${name}_pass".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=''$(cut -d'=' -f2- "${config.sops.secrets."${name}_pass".path}") PASS=''$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
$PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';"
fi fi
'') allApps} '') allApps}
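Review bot: `PASS` is now the result of a `grep "^DB_PASSWORD="` and becomes empty when that key is missing from the env file, which the `-f` test on the line above does not catch; PostgreSQL treats `ALTER USER ... WITH PASSWORD ''` as clearing the password, so a mis-keyed secret silently disables database login for that app, and if the script runs under `set -e` (not visible here) the non-matching grep may instead abort the whole bootstrap. Guard the value before it reaches psql: `[ -n "$PASS" ] || { echo "DB_PASSWORD missing in secret for ${name}" >&2; exit 1; }`. The grep also returns every matching line, so a duplicated key would yield a multi-line value; `head -n1` after the grep keeps it to one. The enclosing shell script and the concatMapStrings call start above the hunk.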


@@ -8,7 +8,7 @@ in{
config = lib.mkIf (config.syscfg.server.sops) { config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = { sops.secrets = {
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; }; INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
} // (lib.genAttrs (map (name: "${name}_pass") allApps) (name: { } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
owner = "postgres"; owner = "postgres";
sopsFile = ./server.yaml; sopsFile = ./server.yaml;
})); }));
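Review bot: Every generated secret here keeps `owner = "postgres"`, but after this commit the `AUTHENTIK` entry is no longer a lone database password: the container definitions changed in the same commit load it as the whole env file, which (inferring from the removed environment keys there) also carries AUTHENTIK_SECRET_KEY and the mail password, so the postgres OS user gains read access to the identity provider's signing secret. The bootstrap script only needs the `DB_PASSWORD` line, so either keep a separate postgres-owned secret for that and leave the container env file root-owned (the container runtime reads environmentFiles as root), or add a comment on the owner line stating the trade-off, e.g. `# postgres-owned so the DB bootstrap can read DB_PASSWORD; note this file also holds application secrets`. The sops.secrets attrset is cut at the top of the hunk.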


@@ -1,5 +1,5 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str] INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
authentik_pass: ENC[AES256_GCM,data:5obiSGKSJcXxrxB45KA9ITNMKLjwP6612JSJrWHCeAMhag==,iv:dN6i1f6z/cT7M/YFz6vgg3ZOiShIBOed9Djn9QdzhgA=,tag:dNmQJEb8QqmWxvqJgmgVnA==,type:str] AUTHENTIK: ENC[AES256_GCM,data:BNe8AdY5zf2+7yTmmlwIsTxdgeYJhGoqZQ6rPgLtG8P/tMMjLjr/pPvp0K3HRyKi41+V6DKY8rVTqKnhi8iwK2ZtFzttSEa6bpc++nFRXb9xVwpYaL0LoTps5u2P55Bttx3cEoXL8zRXN1D0UFHmiyC166A8Y7gz0SVIfrmrEg==,iv:cBX2Mr1h7dh1MD1NlEOK3/n+DVWKlGUa9+QEXg+dH2g=,tag:9qJcROMIRUw9f8ZA0jvB4Q==,type:str]
sops: sops:
age: age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -20,8 +20,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-06T00:22:30Z" lastmodified: "2026-05-06T00:35:40Z"
mac: ENC[AES256_GCM,data:Irpt5adS904hbzw1eeQ5aedLd0CRSd3fAsvDhpyCNOgUNv08sZlreak0Ko4vpA/Toz8UsH+5HBPlIJxEm0EfeBADUH7UaNSYb4uJtFttksMPxtJ6cF9eDNSAGomEmXPV5bo//81o8ZQdXLECHX8ZsqdBBLYJV2EXxwicz6Br/00=,iv:hyH7zFV0vbxd3h4dEhuEQsDtJ54wK+fnVmBEuyQApfI=,tag:ZjnXoUMghjL3iwE4VPSEkA==,type:str] mac: ENC[AES256_GCM,data:EbdxTv1UCMU11B/9mEHnm2hXFVtARbcsdZLU4AuPTlTrzeHE/Cuqt6tIZn3C6nGXU0a63Z8fHokcpWdcQs1dIteGtZuhdvqH+x+K5UHcRcOwMaPWfPzn2XnNg9YVzJ7yyoGTfzuhqiBVKxTzid3Tnd9nWGimas4brjrnKZ0KoBA=,iv:U2OGBqg0HfVIQWts2U+8sVXN9SPkXVbGXBMeZTd+IGM=,tag:vLVaq1kChNg+/Bkb9+3X4Q==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-