june/fi-nix-infra
1
0
Fork 0
forked from fi/nix-infra
Code Pull requests Activity

Migrate nextcloud to sops-nix

Browse source
This commit is contained in:
Fiona Grzebien 2026-05-24 01:09:56 +02:00
commit b5d6055f36
Signed by: fi
SSH key fingerprint: SHA256:HQgl5VGC4+Yw3ds/0I/DqTge63SPBXvXwhNG/gRW26U
3 changed files with 39 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

15
config/hosts/nextcloud/nextcloud.nix
View file

@ -7,7 +7,7 @@
https = true; https = true;
config = { config = {
dbtype = "pgsql"; dbtype = "pgsql";
adminpassFile = "/secrets/nextcloud-adminpass.secret"; adminpassFile = "/run/secrets/nextcloud-adminpass";
}; };
database.createLocally = true; database.createLocally = true;
configureRedis = true; configureRedis = true;
@ -30,7 +30,7 @@
default_phone_region = "DE"; default_phone_region = "DE";
}; };
# Only contains mail_smtppassword # Only contains mail_smtppassword
secretFile = "/secrets/nextcloud-secretfile.secret"; secretFile = "/run/secrets/nextcloud-secretfile";
phpOptions = { phpOptions = {
# The amount of memory for interned strings in Mbytes # The amount of memory for interned strings in Mbytes
"opcache.interned_strings_buffer" = "64"; "opcache.interned_strings_buffer" = "64";
@ -50,4 +50,15 @@
''; '';
}; };
}; };
sops.secrets."nextcloud-adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
};
sops.secrets."nextcloud-secretfile" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
};
} }

21
config/hosts/nextcloud/secrets.nix
View file

@ -1,21 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"nextcloud-adminpass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
destDir = "/secrets";
user = "nextcloud";
group = "nextcloud";
permissions = "0640";
uploadAt = "pre-activation";
};
"nextcloud-secretfile.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
destDir = "/secrets";
user = "nextcloud";
group = "nextcloud";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

26
config/hosts/nextcloud/secrets.yaml Normal file
View file

@ -0,0 +1,26 @@
nextcloud-adminpass: ENC[AES256_GCM,data:9hjeHUMNBg3fCN80mGCXarXEMOySEdyfnFIL8ivGb2Vi8LKbzZ2fHZZUzMO5/7XYRpNKWtBz1yzn2fj/ZeLiMw==,iv:38bucE+hmU/hZXw67fc34s1uZefXpWdY5vaTpvDfpUI=,tag:vKI6DrBYekjVU8Va/7BT8A==,type:str]
nextcloud-secretfile: ENC[AES256_GCM,data:PaX7jAFBNweVwyG9nNU/TTHlGrQvPfgc92uCS1s1UwrHH8KlbKGed6NpTPvulwgMQ5cjwUMy5OuOt15kGRS03LQNcWJ+mlu2TQ2Hjsza+SV/ahtxzs/NiA==,iv:An3LZG9gnnna8TuNYlXDGxyter/Sj5DbIjZyGedqteU=,tag:2VbInjBoiv+w3nhh6AAQng==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bDNNZnh5UTFtei84YXdC
SFJONFdHNE1WZ1FvSFZoSW4rMkh3ZC9tbWljClA0RWlRTFA1K2pSMTAyY0I0d01a
cHlUK3ZTd0lydm82VnpBbUdCQmFRYWcKLS0tIEhicldwUFc0cEt2aFVKeVhSeEtS
eFNBbUY1UXZMSEVzL3YyZDUrWVlxd0EKy5TnMyh7WxWK9lO7MKLINRbwMQuFlN4l
E01+FXAUiVSHO4aJW4CsqeegTAAux3FUWB1tL2myZskOFkJPws3boQ==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAra3A4ZDQzZEZCRGErVFBK
bUFqS0ZSTjJFYm00cnVuei85MldCU25MV0VrCnMwVTJndWNQbUUwWmJnMUR3MjJp
VXUwV1RaZElaN2l1S3JxQVVoOXhweEkKLS0tIFFndXpaRlRKdzRvUUxUZVN1cXVr
TTFFYmx5OVU4Q3BWaFpWNFlPdGJZSzQKMLLZzESV0JdlNbMGpdDaorJnDKaSuax0
YQT/+G702pjqOjg8kRbHH8BZ3pK/3wApJBUW5iilAAxIzIm1zU/0Hw==
-----END AGE ENCRYPTED FILE-----
recipient: age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu
lastmodified: "2026-05-23T23:09:29Z"
mac: ENC[AES256_GCM,data:dPYCQ7hfToQptTlbeA22MQ7EEtn9NyYvdshG9d24h2kLkPKpq/i0bcmG3o6xfyDsofTPZOOzRjCVUlxRukWuhHODPpyOronoDv3hrJNtj1YHsMzeMEK1xK1hpNtJeYkWx12SBZw4zZ7Vw3tLxc5Ay95LD7ZWCsCTqawbMufMjwc=,iv:3LeWH8eU0vTtnJRr0ZqUHHNdifzb++i6Y3CB6J/2wdA=,tag:40tOjuZZ+0Ww2wOwIXkcUQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0