sops -> clan facts

This commit is contained in:
Ingolf Wagner 2024-06-03 20:01:14 +02:00
parent e4bb865b3d
commit 295c536b1a
Signed by: palo
GPG key ID: 76BF5F1928B9618B
6 changed files with 44 additions and 65 deletions


@ -20,7 +20,8 @@
./hass-zigbee2mqtt.nix
./hass.nix
./taskwarrior-autotag.nix
# todo: add autotag again
#./taskwarrior-autotag.nix
./media-audiobookshelf.nix
./media-castget.nix
@ -33,7 +34,6 @@
./telemetry/grafana.nix
./telemetry/telegraf-smart.nix
./telemetry/telegraf.nix
#./telemetry/opentelemetry-hass.nix
./telemetry/prometheus.nix
./telemetry/loki.nix # todo enable this one again
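Review bot: `# todo: add autotag again` in the first hunk does not record what blocks re-enabling `./taskwarrior-autotag.nix`; since that module is converted to `clanCore.facts` in this same commit with an empty `generator.script`, the reason belongs next to the todo, e.g. `# todo: re-enable once the taskserver facts (ca/cert/key) are populated`. The hunk headers (7→8 and 7→6) do not match the number of lines shown, so part of each hunk may be missing from this view.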


@ -1,13 +1,14 @@
{ config, ... }:
{
clanCore.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; };
services.minio = {
enable = true;
region = "home";
rootCredentialsFile = config.sops.secrets.minioRootCredentials.path;
rootCredentialsFile = config.clanCore.facts.services.s3.secret."s3.root".path;
};
sops.secrets.minioRootCredentials = { };
services.nginx = {
enable = true;
virtualHosts."s3.${config.networking.hostName}.private" = {
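Review bot: `factsGenerator` is used on the added line `clanCore.facts.services.s3 = factsGenerator.password { name = "root"; service = "s3"; };` but the module header at the top of the hunk still reads `{ config, ... }:`, so on the new side the name is unbound and evaluation fails with an undefined-variable error; the header should become `{ config, factsGenerator, ... }:` as the nextcloud module in this same commit does. If `sops.secrets.minioRootCredentials = { };` survives on the new side it is now dead configuration: nothing reads it after `rootCredentialsFile` switched to the facts path, yet it still declares a secret sops-nix has to decrypt. The hunk header counts (13/14) do not match the lines shown, so some of this hunk may be missing from this view.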


@ -1,28 +1,42 @@
{ config, lib, pkgs, ... }:
{
sops.secrets.autotagTaskwarriorCa = {
owner = "taskwarrior-autotag";
key = "taskwarriorCa";
};
sops.secrets.autotagTaskwarriorCertificate = {
owner = "taskwarrior-autotag";
key = "taskwarriorCertificate";
};
sops.secrets.autotagTaskwarriorKey = {
owner = "taskwarrior-autotag";
key = "taskwarriorKey";
clanCore.facts.services.taskserver = {
secret."taskserver.ca" = { };
secret."taskserver.cert" = { };
secret."taskserver.key" = { };
generator.script = "";
};
#sops.secrets.autotagTaskwarriorCa = {
# owner = "taskwarrior-autotag";
# key = "taskwarriorCa";
#};
#sops.secrets.autotagTaskwarriorCertificate = {
# owner = "taskwarrior-autotag";
# key = "taskwarriorCertificate";
#};
#sops.secrets.autotagTaskwarriorKey = {
# owner = "taskwarrior-autotag";
# key = "taskwarriorKey";
#};
services.taskwarrior-autotag = {
enable = true;
recurrence = "off";
onCalendar = "hourly";
server = "taskd.ingolf-wagner.de:53589";
caFile = config.sops.secrets.autotagTaskwarriorCa.path;
certificateFile = config.sops.secrets.autotagTaskwarriorCertificate.path;
keyFile = config.sops.secrets.autotagTaskwarriorKey.path;
#caFile = config.sops.secrets.autotagTaskwarriorCa.path;
#certificateFile = config.sops.secrets.autotagTaskwarriorCertificate.path;
#keyFile = config.sops.secrets.autotagTaskwarriorKey.path;
credentials = "1337/palo/ad40dce8-4b38-4011-b032-60a91b6f22cd";
caFile = config.clanCore.facts.services.taskserver.secret."taskserver.ca".path;
certificateFile = config.clanCore.facts.services.taskserver.secret."taskserver.cert".path;
keyFile = config.clanCore.facts.services.taskserver.secret."taskserver.key".path;
};
}
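Review bot: `generator.script = "";` in the added `clanCore.facts.services.taskserver` block leaves the generator empty, so nothing produces `taskserver.ca`, `taskserver.cert` or `taskserver.key`, and the three `config.clanCore.facts.services.taskserver.secret.*.path` references at the end of the hunk only resolve to real files if the secrets are imported by hand; a comment such as `# no generator yet: taskserver.{ca,cert,key} have to be imported into the facts store manually` would record that and explain why the module was also dropped from the imports list in this commit. The removed sops definitions carried `owner = "taskwarrior-autotag"` while the facts definitions declare no owner, so unless the facts store sets file permissions elsewhere the service user may no longer be able to read the key file; the same applies to the nextcloud secrets in this commit, which lost `owner = "nextcloud"`. The commented-out sops blocks and the commented `caFile`/`certificateFile`/`keyFile` lines duplicate what git history already keeps, and deleting them would leave the new configuration easier to read. The hunk header counts (28/42) do not match the lines shown, so part of this hunk may be missing from this view.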


@ -1,38 +0,0 @@
{ config, ... }:
{
#{
# name = "home-assistant";
# rules = [
# {
# record = "home_open_window_sum";
# expr = ''sum( homeassistant_binary_sensor_state{entity=~"binary_sensor\\.window_02_contact|binary_sensor\\.window_03_contact|binary_sensor\\.window_04_contact|binary_sensor\\.window_05_contact|binary_sensor\\.window_06_contact|binary_sensor\\.window_07_contact"} )'';
# }
# ] ++ (map
# (number:
# {
# record = "home_at_least_n_windows_open";
# expr = ''home_open_window_sum >= bool ${toString number}'';
# labels.n = number;
# }) [ 1 2 3 ]);
#};
sops.secrets.hass_long_term_token.owner = "prometheus";
services.opentelemetry-collector.settings = {
service.pipelines.metrics.receivers = [ "prometheus" ];
receivers.prometheus.config.scrape_configs = [
{
# see https://www.home-assistant.io/integrations/prometheus/
job_name = "home-assistant";
scrape_interval = "60s";
metrics_path = "/api/prometheus";
bearer_token_file = toString config.sops.secrets.hass_long_term_token.path;
static_configs = [{
targets = [ "127.0.0.1:8123" ];
}];
}
];
};
}


@ -21,9 +21,6 @@
system.stateVersion = "22.11";
sops.secrets.pushover_user_key = { };
sops.secrets.pushover_api_key = { };
# Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;


@ -1,4 +1,4 @@
{ pkgs, config, ... }:
{ pkgs, config, factsGenerator, ... }:
# don't forget the database backup before upgrading
# -------------------------------------------------
@ -50,8 +50,11 @@ in
};
};
sops.secrets.nextcloud_database_password.owner = "nextcloud";
sops.secrets.nextcloud_root_password.owner = "nextcloud";
#sops.secrets.nextcloud_database_password.owner = "nextcloud";
#sops.secrets.nextcloud_root_password.owner = "nextcloud";
clanCore.facts.services.nextcloud_root = factsGenerator.password { service = "nextcloud"; name = "root"; };
clanCore.facts.services.nextcloud_database = factsGenerator.password { service = "nextcloud"; name = "database"; };
users.users.nextcloud = {
isSystemUser = true;
@ -72,12 +75,14 @@ in
# mount host folders
bindMounts = {
rootpassword = {
hostPath = "/run/secrets/nextcloud_root_password";
#hostPath = "/run/secrets/nextcloud_root_password";
hostPath = config.clanCore.facts.services.nextcloud_root.secret."nextcloud.root".path;
mountPoint = "/run/secrets/nextcloud_root_password";
isReadOnly = true;
};
databasepassword = {
hostPath = "/run/secrets/nextcloud_database_password";
#hostPath = "/run/secrets/nextcloud_database_password";
hostPath = config.clanCore.facts.services.nextcloud_database.secret."nextcloud.database".path;
mountPoint = "/run/secrets/nextcloud_database_password";
isReadOnly = true;
};