From 7740eb01f238a74d8b0e4a71ab2f9577e62c08ee Mon Sep 17 00:00:00 2001
From: Fiona Grzebien
Date: Sun, 24 May 2026 00:39:39 +0200
Subject: [PATCH] Migrate metrics-nekomesh to sops-nix
---
 config/hosts/metrics-nekomesh/grafana.nix | 33 ++++++++++++++++---
 config/hosts/metrics-nekomesh/secrets.nix | 37 ----------------------
 config/hosts/metrics-nekomesh/secrets.yaml | 28 ++++++++++++++++
 3 files changed, 57 insertions(+), 41 deletions(-)
 delete mode 100644 config/hosts/metrics-nekomesh/secrets.nix
 create mode 100644 config/hosts/metrics-nekomesh/secrets.yaml
diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix
index 8c4255d..2c596c5 100644
--- a/config/hosts/metrics-nekomesh/grafana.nix
+++ b/config/hosts/metrics-nekomesh/grafana.nix
@@ -11,15 +11,15 @@
 cookie_secure = true;
 cookie_samesite = "strict";
 admin_user = "admin";
- admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}";
+ admin_password = "$__file{/run/secrets/metrics-nekomesh-grafana-admin-password}";
 admin_email = "fi@nekover.se";
- secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}";
+ secret_key = "$__file{/run/secrets/metrics-nekomesh-grafana-secret-key}";
 };
 smtp = {
 enabled = true;
 host = "mail.grzb.de:465";
 user = "nekomesh@grzb.de";
- password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}";
+ password = "$__file{/run/secrets/mail-nekomesh-nekover-se}";
 from_address = "nyareply@nekover.se";
 from_name = "Nekomesh";
 startTLS_policy = "NoStartTLS";
@@ -29,7 +29,7 @@
 name = "Nekoverse ID";
 allow_sign_up = true;
 client_id = "nekomesh";
- client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}";
+ client_secret = "$__file{/run/secrets/metrics-nekomesh-grafana-keycloak-client-secret}";
 scopes = "openid email profile offline_access roles";
 email_attribute_path = "email";
 login_attribute_path = "preferred_username"; 
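Review bot: The new `$__file{/run/secrets/...}` values on the `admin_password`, `secret_key` and smtp `password` lines (and `client_secret` in the second hunk) hard-code the sops-nix default mount point instead of reading the location back from the secret that is declared for it. sops-nix exposes the rendered path as `config.sops.secrets.<name>.path`, so `admin_password = "$__file{${config.sops.secrets."metrics-nekomesh-grafana-admin-password".path}}";` (and the same shape for the other three) keeps the consumer in sync if the mount point or a per-secret `path` is ever changed, and ties each reference to its declaration in the same expression. This assumes `config` is among the module's arguments; the module header and the enclosing attribute sets begin before the hunk.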
@@ -52,4 +52,29 @@
 }
 ];
 };
+
+ sops.secrets."metrics-nekomesh-grafana-admin-password" = {
+ mode = "0440";
+ owner = "grafana";
+ group = "grafana";
+ restartUnits = [ "grafana.service" ];
+ };
+ sops.secrets."metrics-nekomesh-grafana-keycloak-client-secret" = {
+ mode = "0440";
+ owner = "grafana";
+ group = "grafana";
+ restartUnits = [ "grafana.service" ];
+ };
+ sops.secrets."metrics-nekomesh-grafana-secret-key" = {
+ mode = "0440";
+ owner = "grafana";
+ group = "grafana";
+ restartUnits = [ "grafana.service" ];
+ };
+ sops.secrets."mail-nekomesh-nekover-se" = {
+ mode = "0440";
+ owner = "grafana";
+ group = "grafana";
+ restartUnits = [ "grafana.service" ];
+ };
 }
diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix
deleted file mode 100644
index 8014354..0000000
--- a/config/hosts/metrics-nekomesh/secrets.nix
+++ /dev/null 
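Review bot: None of the four `sops.secrets` declarations added at the end of the file sets `sopsFile`, and nothing in this patch sets `sops.defaultSopsFile`, so unless a default is configured elsewhere for this host the `secrets.yaml` created by this same commit is never referenced and I would expect evaluation to fail on the missing sops file. The four attribute sets are also identical apart from the name, which invites drift the next time one of them is adjusted; building them with `lib.genAttrs` over the list of names gives a single definition with `sopsFile = ./secrets.yaml;` stated once, as in the excerpt below. With owner and group both `grafana`, `mode = "0400";` would also be sufficient, although `0440` is already tighter than the `0640` the removed deployment keys used. This assumes `lib` is among the module's arguments; the module header is outside the hunk.
```nix
  sops.secrets = lib.genAttrs [
    "metrics-nekomesh-grafana-admin-password"
    "metrics-nekomesh-grafana-keycloak-client-secret"
    "metrics-nekomesh-grafana-secret-key"
    "mail-nekomesh-nekover-se"
  ] (_: {
    sopsFile = ./secrets.yaml;
    mode = "0440";
    owner = "grafana";
    group = "grafana";
    restartUnits = [ "grafana.service" ];
  });
```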
@@ -1,37 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "metrics-nekomesh-grafana-admin-password.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ];
- destDir = "/secrets";
- user = "grafana";
- group = "grafana";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "metrics-nekomesh-grafana-keycloak-client-secret.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ];
- destDir = "/secrets";
- user = "grafana";
- group = "grafana";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "metrics-nekomesh-grafana-secret-key.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ];
- destDir = "/secrets";
- user = "grafana";
- group = "grafana";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "mail-nekomesh-nekover-se.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ];
- destDir = "/secrets";
- user = "grafana";
- group = "grafana";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/metrics-nekomesh/secrets.yaml b/config/hosts/metrics-nekomesh/secrets.yaml
new file mode 100644
index 0000000..53bef00
--- /dev/null
+++ b/config/hosts/metrics-nekomesh/secrets.yaml 
@@ -0,0 +1,28 @@
+metrics-nekomesh-grafana-admin-password: ENC[AES256_GCM,data:7Ji5Bb+/ekFtptG6JQBViocqozol7vdTRxAgYuRpicO3v7UFswLBkFd/+asaCKkYTrYjDFcOOSjSMr2Yp+9IhQ==,iv:VjpntKn3PdIX56DjHlkhYmx05MZtvTinGcO0vz4BFkQ=,tag:Lcat3LbXJyWcEOq6pmTx9w==,type:str]
+metrics-nekomesh-grafana-keycloak-client-secret: ENC[AES256_GCM,data:6SHmMy0gbT6rYC9i60TzCcP0q4eSzC3Srse9O3La1Ag=,iv:H6wEzy6MgX2Ft+D3rWzyWwnh8ZmNmMlcEQLuKrkSwoU=,tag:M7pGHOKq0fglHGyj5jFoYg==,type:str]
+metrics-nekomesh-grafana-secret-key: ENC[AES256_GCM,data:5+aUdzNAy0nDuGW8g2e7LdT9woo=,iv:rSn+XTJA46Eq4FcKUQaph/WPLXC4vxnRulpSjls1QZg=,tag:aXSgUUzxe8tQV+oqXnidPA==,type:str]
+mail-nekomesh-nekover-se: ENC[AES256_GCM,data:vuyDjtvCT0D8aYftcGiA59i7mriqLNoqeHy0+LQ3awUt4d//p81LpPNdb/EQMuUnCp2QZgdsy4rU5ktDa1Ewfg==,iv:+pqVQfWxSQF4fTJ0gMuAf4EjyvsUVFUxpRa2BHpvZ3Q=,tag:UlHzONbcfeCJuJjamKV39w==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOVFIckQ3R2FsYXl4NkRW
+ RGdSRmNaMURIUkYrSGtnWmdxVGJMOUFta0JJCnN1blNoaG9PUVJNN1RJcUhnYlFq
+ WTlhcGx3cUUwbkREMVVleDZNazJ2dm8KLS0tIFl5NGhFeHZKaENmQjRwZ0hiS3Jl
+ TTRMVloxK25uUVVMcE56M1RMKzlDb2cKuNKexzjC9eefQHCjVAY4rS7wqTSqs0uO
+ PvSvxs4tY5d2nUJuORGn25MU9Y65UFTvTzuxgqg9Z37NTEjVfvnrYA==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByTzErWVY1V3ZrMHBYTjRm
+ M1IwTG9DZmhBTFpGSkwyTVJJYndsRnRSOTJrClhFWi9TbGhRWkQ1VjhLaE4wd3Bi
+ WlpSUUcxU3A4dmZUYmNJYnlyQnMwK00KLS0tIDZqdU1DcXc3YmpDMThRMzQwQWk4
+ TnFKNS9xcXdKZXo0cThpbjd2NEQ3NTgK4XTrXdaHVveeXwsEuGx5+Y2bu/F6jooo
+ auWtrm7z3rxzCxePxNs6LCYr/ppoE7J8nEFKnFmT0vyUGryhzlbo9A==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse
+ lastmodified: "2026-05-23T22:38:11Z"
+ mac: 
ENC[AES256_GCM,data:VWo7UFRey2w/2x/wn/XfFW9gCpogO9Igxt/xEBngHBTkSJh0p6HhbZlmA3iv3QmYKui74cHSfQUOq2IOc96CLsfWKUWhMQVw5z/be7OEoY3cIG8V1WRTixQB5a0284jPXcGHPreLdMdAQW5nvJJRwx6Pysm7+rTzdxi8VGmOKyE=,iv:l4KBomWzPfOw1UiVpMwWg68OdYc85FtrRcVygfbEoeU=,tag:EeboepV+hDkA9QNmi/Ao+w==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0