Split sops secrets management into separate files for each arion subdir

2024-03-06 11:35:13 +01:00 · 2024-03-06 11:35:13 +01:00 · fd4e1ce93d
commit fd4e1ce93d
parent d210f0eefb
7 changed files with 142 additions and 112 deletions
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@ -4,32 +4,18 @@
  config,
  ...
 }: {
-  imports = [inputs.arion.nixosModules.arion];
+  imports = [
+    inputs.arion.nixosModules.arion
+    ./dns
+    ./infrastructure
+    ./nas
+    ./nextcloud
+    ./push
+  ];

  environment.systemPackages = with pkgs; [arion];

-  networking.firewall = {
-    allowedUDPPorts = [137 138];
-    allowedTCPPorts = [139 445];
-  };
-
-  virtualisation.arion = {
-    backend = "docker";
-    projects = {
-      infrastructure.settings = {
-        imports = [./infrastructure/arion-compose.nix];
-      };
-      dns.settings = {
-        imports = [./dns/arion-compose.nix];
-      };
-      push.settings = {
-        imports = [./push/arion-compose.nix];
-      };
-      nas.settings = {
-        imports = [./nas/arion-compose.nix];
-      };
-    };
-  };
+  virtualisation.arion.backend = "docker";

  systemd.services.init-dmz-bridge-network = {
    description = "Create the network bridge dmz for the Docker stack.";
--- a/hosts/franz/arion/dns/default.nix
+++ b/hosts/franz/arion/dns/default.nix
@ -0,0 +1,7 @@
+{
+  virtualisation.arion = {
+    projects.dns.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}
--- a/hosts/franz/arion/infrastructure/default.nix
+++ b/hosts/franz/arion/infrastructure/default.nix
@ -0,0 +1,73 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.infrastructure.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."cloudflared/tunnel_token" = {
+    owner = vars.user;
+  };
+
+  sops.secrets."traefik/acme_email" = {
+    owner = vars.user;
+  };
+  sops.secrets."traefik/cloudflare_email" = {
+    owner = vars.user;
+  };
+  sops.secrets."traefik/cloudflare_api_key" = {
+    owner = vars.user;
+  };
+
+  sops.templates."cloudflared.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
+    '';
+  };
+
+  sops.templates."traefik.env" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
+      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
+    '';
+  };
+
+  sops.templates."traefik.toml" = {
+    path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      [entryPoints]
+        [entryPoints.web]
+          address = ":80"
+        [entryPoints.websecure]
+          address = ":443"
+      [api]
+        dashboard = true
+        insecure = true
+
+      [certificatesResolvers.letsencrypt.acme]
+        email = "${config.sops.placeholder."traefik/acme_email"}"
+        storage = "/letsencrypt/acme.json"
+        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
+          provider = "cloudflare"
+          resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
+
+      [serversTransport]
+        insecureSkipVerify = true
+
+      [providers.docker]
+        watch = true
+        network = "web"
+        exposedByDefault = false
+    '';
+  };
+}
--- a/hosts/franz/arion/nas/default.nix
+++ b/hosts/franz/arion/nas/default.nix
@ -0,0 +1,12 @@
+{
+  networking.firewall = {
+    allowedUDPPorts = [137 138];
+    allowedTCPPorts = [139 445];
+  };
+
+  virtualisation.arion = {
+    projects.nas.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}
--- a/hosts/franz/arion/nextcloud/default.nix
+++ b/hosts/franz/arion/nextcloud/default.nix
@ -0,0 +1,34 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.nextcloud.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."nextcloud/mysql_root_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_password" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_database" = {
+    owner = vars.user;
+  };
+  sops.secrets."nextcloud/mysql_user" = {
+    owner = vars.user;
+  };
+
+  sops.templates."nextcloud.env" = {
+    path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
+      MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
+      MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
+      MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
+    '';
+  };
+}
--- a/hosts/franz/arion/push/default.nix
+++ b/hosts/franz/arion/push/default.nix
@ -0,0 +1,7 @@
+{
+  virtualisation.arion = {
+    projects.push.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+}
--- a/hosts/franz/sops.nix
+++ b/hosts/franz/sops.nix
@ -15,93 +15,4 @@ in {
  sops.defaultSopsFile = ../../secrets/franz.yaml;
  sops.defaultSopsFormat = "yaml";
  sops.age.keyFile = "/home/${vars.user}/.config/sops/age/keys.txt";
-
-  sops.secrets."cloudflared/tunnel_token" = {
-    owner = vars.user;
-  };
-
-  sops.secrets."traefik/acme_email" = {
-    owner = vars.user;
-  };
-  sops.secrets."traefik/cloudflare_email" = {
-    owner = vars.user;
-  };
-  sops.secrets."traefik/cloudflare_api_key" = {
-    owner = vars.user;
-  };
-
-  sops.secrets."nextcloud/mysql_root_password" = {
-    owner = vars.user;
-  };
-  sops.secrets."nextcloud/mysql_password" = {
-    owner = vars.user;
-  };
-  sops.secrets."nextcloud/mysql_database" = {
-    owner = vars.user;
-  };
-  sops.secrets."nextcloud/mysql_user" = {
-    owner = vars.user;
-  };
-
-  sops.templates."cloudflared.env" = {
-    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
-    '';
-  };
-
-  sops.templates."traefik.env" = {
-    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
-      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
-    '';
-  };
-
-  sops.templates."nextcloud.env" = {
-    path = "/home/${vars.user}/.docker/nextcloud/nextcloud.env";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      MYSQL_ROOT_PASSWORD="${config.sops.placeholder."nextcloud/mysql_root_password"}"
-      MYSQL_PASSWORD="${config.sops.placeholder."nextcloud/mysql_password"}"
-      MYSQL_DATABASE="${config.sops.placeholder."nextcloud/mysql_database"}"
-      MYSQL_USER="${config.sops.placeholder."nextcloud/mysql_user"}"
-    '';
-  };
-
-  sops.templates."traefik.toml" = {
-    path = "/home/${vars.user}/.docker/infrastructure/traefik_data/traefik.toml";
-    owner = vars.user;
-    mode = "0775";
-    content = ''
-      [entryPoints]
-        [entryPoints.web]
-          address = ":80"
-        [entryPoints.websecure]
-          address = ":443"
-      [api]
-        dashboard = true
-        insecure = true
-
-      [certificatesResolvers.letsencrypt.acme]
-        email = "${config.sops.placeholder."traefik/acme_email"}"
-        storage = "/letsencrypt/acme.json"
-        [certificatesResolvers.letsencrypt.acme.dnsChallenge]
-          provider = "cloudflare"
-          resolvers = ["1.1.1.1:53", "1.0.0.1:53"]
-
-      [serversTransport]
-        insecureSkipVerify = true
-
-      [providers.docker]
-        watch = true
-        network = "web"
-        exposedByDefault = false
-    '';
-  };
 }