use sops to encrypt vals secrets

2024-04-14 14:48:27 +02:00 · 2024-04-14 14:48:27 +02:00 · db0303f4d8
commit db0303f4d8
parent 6e608e6ca8
9 changed files with 49 additions and 11 deletions
--- a/kubenix-modules/forgejo.nix
+++ b/kubenix-modules/forgejo.nix
@ -29,7 +29,7 @@
          SSH_PORT         = 56287
          SSH_LISTEN_PORT  = 22
          LFS_START_SERVER = true
-          LFS_JWT_SECRET   = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/lfsJwtSecret
+          LFS_JWT_SECRET   = ref+sops://secrets/sops.yaml#/forgejo/lfsJwtSecret
          OFFLINE_MODE     = false

          [database]
@ -72,7 +72,7 @@
          SECRET_KEY                    = 
          REVERSE_PROXY_LIMIT           = 1
          REVERSE_PROXY_TRUSTED_PROXIES = *
-          INTERNAL_TOKEN                = ref+file:///home/pim/.config/home/vals.yaml#/forgejo/internalToken
+          INTERNAL_TOKEN                = ref+sops://secrets/sops.yaml#/forgejo/internalToken
          PASSWORD_HASH_ALGO            = pbkdf2

          [service]
--- a/kubenix-modules/freshrss.nix
+++ b/kubenix-modules/freshrss.nix
@ -7,8 +7,7 @@
      PUBLISHED_PORT = "443";
    };

-    # TODO: encrypt this with sops and commit to git repo.
-    secrets.freshrss.stringData.adminPassword = "ref+file:///home/pim/.config/home/vals.yaml#/freshrss/password";
+    secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password";

    deployments.freshrss = {
      metadata.labels.app = "freshrss";
--- a/kubenix-modules/hedgedoc.nix
+++ b/kubenix-modules/hedgedoc.nix
@ -20,8 +20,8 @@
    };

    secrets.hedgedoc.stringData = {
-      databaseURL = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/databaseURL";
-      sessionSecret = "ref+file:///home/pim/.config/home/vals.yaml#/hedgedoc/sessionSecret";
+      databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL";
+      sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret";
    };

    deployments.hedgedoc = {
--- a/kubenix-modules/kitchenowl.nix
+++ b/kubenix-modules/kitchenowl.nix
@ -4,7 +4,7 @@
      BACK_URL = "kitchenowl-backend.default.svc.cluster.local:5000";
    };

-    secrets.kitchenowl.stringData.jwtSecretKey = "ref+file:///home/pim/.config/home/vals.yaml#/kitchenowl/jwtSecretKey";
+    secrets.kitchenowl.stringData.jwtSecretKey = "ref+sops://secrets/sops.yaml#/kitchenowl/jwtSecretKey";

    deployments = {
      # TODO: this is quite a lot of boilerplate to create these deployments
--- a/kubenix-modules/nextcloud.nix
+++ b/kubenix-modules/nextcloud.nix
@ -6,7 +6,7 @@
      POSTGRES_HOST = "lewis.dmz";
    };

-    secrets.nextcloud.stringData.databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/nextcloud/databasePassword";
+    secrets.nextcloud.stringData.databasePassword = "ref+sops://secrets/sops.yaml#/nextcloud/databasePassword";

    deployments.nextcloud = {
      metadata.labels.app = "nextcloud";
--- a/kubenix-modules/paperless-ngx.nix
+++ b/kubenix-modules/paperless-ngx.nix
@ -17,8 +17,8 @@
    };

    secrets.paperless-ngx.stringData = {
-      databasePassword = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/databasePassword";
-      secretKey = "ref+file:///home/pim/.config/home/vals.yaml#/paperless-ngx/secretKey";
+      databasePassword = "ref+sops://secrets/sops.yaml#/paperless-ngx/databasePassword";
+      secretKey = "ref+sops://secrets/sops.yaml#/paperless-ngx/secretKey";
    };

    deployments = {
--- a/kubenix-modules/pihole.nix
+++ b/kubenix-modules/pihole.nix
@ -5,7 +5,7 @@
      PIHOLE_DNS_ = "192.168.30.1";
    };

-    secrets.pihole.stringData.webPassword = "ref+file:///home/pim/.config/home/vals.yaml#/pihole/password";
+    secrets.pihole.stringData.webPassword = "ref+sops://secrets/sops.yaml#/pihole/password";

    deployments.pihole = {
      metadata.labels.app = "pihole";