Migrate ikiwiki to sops-nix

Fiona Grzebien 2026-05-17 00:19:55 +02:00
commit bff3401ada
Signed by: fi
SSH key fingerprint: SHA256:HQgl5VGC4+Yw3ds/0I/DqTge63SPBXvXwhNG/gRW26U
6 changed files with 52 additions and 12 deletions

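--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+- &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+- &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
+creation_rules:
+- path_regex: config/hosts/ikiwiki/.*
+  key_groups:
+  - age:
+    - *admin_age_fi
+    - *host_age_ikiwiki
+stores:
+  yaml:
+    indent: 2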
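Review bot: The creation rule's `path_regex: config/hosts/ikiwiki/.*` is unanchored and matches every file under that directory, not just the secrets file, so any file sops is pointed at there would be encrypted to both recipients without complaint. Narrowing it to the file this commit actually creates (presumably `secrets.yaml`, given `defaultSopsFile = ./secrets.yaml;` in the new sops module), e.g. `path_regex: ^config/hosts/ikiwiki/secrets\.yaml$`, documents intent and turns an accidental `sops` invocation on a `.nix` file into a hard "no matching creation rule" error. A one-line comment above each anchor stating whose key it is and how it is rotated would help whoever has to run `sops updatekeys` later.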


@ -4,5 +4,6 @@
./configuration.nix ./configuration.nix
./ikiwiki.nix ./ikiwiki.nix
./nginx.nix ./nginx.nix
./sops.nix
]; ];
} }


@ -26,7 +26,7 @@ in
tryFiles = "$uri $uri/ =404"; tryFiles = "$uri $uri/ =404";
}; };
"~ .cgi" = { "~ .cgi" = {
basicAuthFile = "/secrets/ikiwiki-auth-file.secret"; basicAuthFile = "/run/secrets/auth_file";
extraConfig = '' extraConfig = ''
gzip off; gzip off;
fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address}; fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
@ -45,4 +45,11 @@ in
''; '';
}; };
}; };
sops.secrets."auth_file" = {
mode = "0440";
owner = "nginx";
group = "nginx";
restartUnits = [ "nginx.service" ];
};
} }
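Review bot: `basicAuthFile = "/run/secrets/auth_file";` on the changed line hard-codes the sops-nix default secret location instead of referencing the declaration added in the second hunk, so if the secret's `path` or the module's default symlink directory ever changes the two drift apart silently and nginx rejects every CGI request. Prefer `basicAuthFile = config.sops.secrets."auth_file".path;` so the nginx location is derived from the `sops.secrets."auth_file"` attrset below it. The `mode = "0440"` / `owner`/`group` settings look appropriate for a file nginx only needs to read. The enclosing `services.nginx` attrset and the module function start outside the hunk.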


@ -1,11 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys."ikiwiki-auth-file.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ];
destDir = "/secrets";
user = "nginx";
group = "nginx";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -0,0 +1,25 @@
auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3
eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j
UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5
b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu
zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp
RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j
ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1
b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY
xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0
lastmodified: "2026-05-16T22:13:21Z"
mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0


@ -0,0 +1,6 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
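Review bot: `sops.defaultSopsFile = ./secrets.yaml;` is set but no decryption identity is configured, so decryption at activation presumably relies on sops-nix's default of deriving an age key from the host's SSH ed25519 host key; if that key is missing or lives at a non-default path the switch fails with a recipient mismatch that is hard to trace back to this file. Making the dependency explicit, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, ties the `host_age_ikiwiki` recipient in `.sops.yaml` to a concrete key on disk. A short comment above the block naming which `.sops.yaml` recipient this host corresponds to would also help when keys are rotated.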