From a6ec7beff9dfda83c7cc5563c208be12e9759086 Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Wed, 22 Jan 2025 17:52:48 -0600
Subject: [PATCH] update secrets, cleanup

---
 hosts/nas/apps/arrs/default.nix | 17 +++++++++-----
 hosts/nas/apps/jellyseerr/default.nix | 9 +-------
 hosts/nas/apps/ollama/default.nix | 5 ++--
 hosts/nas/apps/paperless/default.nix | 15 ++++-------
 hosts/nas/networking.nix | 8 +------
 hosts/nas/services.nix | 2 +-
 hosts/nas/sops.nix | 33 ++++++++++++++++++---------
 secrets/secrets.yaml | 11 ++++++---
 8 files changed, 51 insertions(+), 49 deletions(-)

diff --git a/hosts/nas/apps/arrs/default.nix b/hosts/nas/apps/arrs/default.nix
index 729c661..fa5259c 100644
--- a/hosts/nas/apps/arrs/default.nix
+++ b/hosts/nas/apps/arrs/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 pkgs,
- lib,
 ...
 }:
@@ -9,6 +8,7 @@ let
 radarrPort = 7878;
 sonarrPort = 8989;
 sabnzbdPort = 8280;
+ delugePort = 8112;
 jackettPort = 9117;
 radarrDataDir = "/var/lib/radarr";
 downloadDir = "/downloads";
@@ -19,8 +19,11 @@ let
 mediaDir = "/media";
 arrUserId = config.users.users.nix-apps.uid;
 arrGroupId = config.users.groups.jallen-nas.gid;
- sonarrPkg = pkgs.stable.sonarr;
+ radarrPkg = pkgs.unstable.radarr;
+ sonarrPkg = pkgs.unstable.sonarr;
+ delugePkg = pkgs.unstable.deluge;
 jackettPkg = pkgs.unstable.jackett;
+ sabnzbdPkg = pkgs.unstable.sabnzbd;
 in
 {
 nixpkgs.config.permittedInsecurePackages = [
@@ -38,7 +41,6 @@ in
 config = {
- config,
 pkgs,
 lib,
 ...
 }:
@@ -59,6 +61,7 @@ in
 user = "arrs";
 group = "media";
 dataDir = radarrDataDir;
+ package = radarrPkg;
 };
 # Enable Sonarr service
@@ -68,7 +71,7 @@ in
 user = "arrs";
 group = "media";
 dataDir = sonarrDataDir;
- # package = sonarrPkg;
+ package = sonarrPkg;
 };
 # Enable Sabnzbd service
@@ -78,6 +81,7 @@ in
 user = "arrs";
 group = "media";
 configFile = "${sabnzbdConfig}/sabnzbd.ini";
+ package = sabnzbdPkg;
 };
 services.deluge = {
@@ -86,6 +90,7 @@ in
 group = "media";
 openFirewall = true;
 dataDir = "/media";
+ package = delugePkg;
 web = {
 enable = true;
 port = 8112;
@@ -225,11 +230,11 @@ in
 }
 {
 destination = "10.0.1.51:8112";
- sourcePort = 8112;
+ sourcePort = delugePort;
 }
 {
 destination = "10.0.1.51:9117";
- sourcePort = 9117;
+ sourcePort = jackettPort;
 }
 ];
 };
diff --git a/hosts/nas/apps/jellyseerr/default.nix b/hosts/nas/apps/jellyseerr/default.nix
index b5359cc..6f27a78 100644
--- a/hosts/nas/apps/jellyseerr/default.nix
+++ b/hosts/nas/apps/jellyseerr/default.nix
@@ -1,9 +1,4 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
+{ ... }:
 let
 jellyseerrPort = 5055;
@@ -27,8 +22,6 @@ in
 config = {
- config,
- pkgs,
 lib,
 ...
 }:
diff --git a/hosts/nas/apps/ollama/default.nix b/hosts/nas/apps/ollama/default.nix
index d8a4872..df3cfbd 100644
--- a/hosts/nas/apps/ollama/default.nix
+++ b/hosts/nas/apps/ollama/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, ... }:
 {
 services.ollama = {
 enable = true;
@@ -16,9 +16,8 @@
 port = 8888;
 openFirewall = true;
 # stateDir = "/media/nas/ssd/nix-app-data/open-webui";
+ environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
 environment = {
- OAUTH_CLIENT_ID = "P4YrtPrdwoQkwYs4e5AHQx7xiz4FV6OpT24rjqXa";
- OAUTH_CLIENT_SECRET = "XpZ1Y9RUMD6FVxBSxg8evHkRYuSUJ3saN99uCFfeNo4Z8vrmnqZBHJQzSSCFig1fgqEYCr3SmcOvCHGHUsz9FJT2aZFlZxKv6bZZpuMQYASHiQtuX2pTVEspiNab3129";
 OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
 OPENID_PROVIDER_NAME = "authentik";
 ENABLE_OAUTH_SIGNUP = "true";
diff --git a/hosts/nas/apps/paperless/default.nix b/hosts/nas/apps/paperless/default.nix
index 068b554..5ef0d0e 100644
--- a/hosts/nas/apps/paperless/default.nix
+++ b/hosts/nas/apps/paperless/default.nix
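Review bot: `port = 8112;` in the deluge `web` block two lines below the new `package = delugePkg;` still hardcodes the number that this commit binds as `delugePort` and uses for the forwarding rule in the `@@ -225,11 +230,11 @@` hunk; `port = delugePort;` keeps the two from drifting apart. The literal `8112`/`9117` inside the `destination = "10.0.1.51:8112";` lines of that second hunk could be built from the same bindings if they are meant to track the same ports, though that is an inference from the values rather than something the hunk states. The `services.deluge` attribute set starts before this hunk.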
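Review bot: `environmentFile = config.sops.secrets."jallen-nas/open-webui".path;` hands the raw sops secret file to systemd as an environment file, so the `jallen-nas/open-webui` entry must be a `KEY=value` file carrying the `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET` lines removed here rather than a bare value; the encrypted blob in the secrets.yaml hunk cannot show which it is, so a comment on this line such as `# env-file format: OAUTH_CLIENT_ID=<id>, OAUTH_CLIENT_SECRET=<secret> (one per line)` would document that contract. Separately, the client id and secret removed in this hunk, and the `PAPERLESS_SECRET` and OIDC client secret removed in the paperless `@@ -38,10 +37,10 @@` hunk, were committed in plaintext and stay readable in git history; the ciphertext lengths of the new `paperless` entries in secrets.yaml match the lengths of the removed plaintext values, which suggests they were re-encrypted rather than reissued, so rotating those credentials at the identity provider should accompany this change. The enclosing service block starts before this hunk.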
@@ -1,14 +1,15 @@
 {
 config,
 pkgs,
- lib,
 ...
 }:
 let
 paperlessPort = 28981;
 paperlessUserId = config.users.users.nix-apps.uid;
 paperlessGroupId = config.users.groups.jallen-nas.gid;
- passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
+ paperlessSecret = config.sops.templates."paperless-secret".content;
+ clientId = config.sops.templates."paperless-client-id".content;
+ clientSecret = config.sops.templates."paperless-client-secret".content;
 paperlessPkg = pkgs.stable.paperless-ngx;
 in
 {
@@ -22,8 +23,6 @@ in
 config = {
- config,
- pkgs,
 lib,
 ...
 }:
@@ -38,10 +37,10 @@ in
 passwordFile = "/var/lib/paperless/paperless-password";
 settings = {
 PAPERLESS_URL = "https://paperless.jallen.dev";
- PAPERLESS_SECRET = "Luciferthecat03092024";
+ PAPERLESS_SECRET = paperlessSecret;
 PAPERLESS_ENABLE_ALLAUTH = true;
 PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
- PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"OZhMnBUxwJvpjkUhs4ISgA0iAWA7etgTXaohLCED","secret":"UrwdWObeyoEI1AogXcjV8SwYsJ585Wkh5YxDH5wFPXZxp8IVV9QNsn32PIAv6h9BdjaiiMrOFayaW3uXyZYg71olG5OQ1qGaD6WYn0EijYBwxoEuvp7LIdMJ4lImhVR1","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${clientId}","secret":"${clientSecret}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
 };
 };
@@ -88,10 +87,6 @@ in
 hostPath = "/media/nas/ssd/nix-app-data/paperless";
 isReadOnly = false;
 };
- # "/run/keys/paperless-password" = {
- # hostPath = passwordFile;
- # isReadOnly = true;
- # };
 };
 };
diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix
index d1dd9b2..954fab4 100644
--- a/hosts/nas/networking.nix
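Review bot: `paperlessSecret`, `clientId` and `clientSecret` in the `@@ -1,14 +1,15 @@` hunk read `config.sops.templates.*.content` at Nix evaluation time, and the templates they name (sops.nix hunk `@@ -61,16 +61,27 @@`) are built from `config.sops.secrets.*.path` rather than `config.sops.placeholder.*`, so each binding evaluates to the literal `/run/secrets/...` path plus the trailing newline the `''` string keeps, not to the secret value. In the `@@ -38,10 +37,10 @@` hunk that path string becomes `PAPERLESS_SECRET` and is interpolated into the `PAPERLESS_SOCIALACCOUNT_PROVIDERS` JSON, where the embedded newline also makes the JSON invalid, so the OIDC client will not be configured with the stored credentials. The `wireguard-public` template removed in the same sops.nix hunk shows the intended shape: put `"${config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"}"` (and the other two placeholders) inside the template content, and hand the rendered file to the service through an environment file instead of reading `.content` into `settings`. Since these units are `container@paperless.service`, the rendered file would also need to be bind-mounted into the container, which nothing in this commit appears to do; the `restartUnits` wiring itself looks right. The container config that encloses `settings` starts and ends outside these hunks.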
+++ b/hosts/nas/networking.nix
@@ -1,17 +1,11 @@
-{ config, pkgs, ... }:
+{ ... }:
 let
 hostname = "jallen-nas";
- ipAddress = "10.0.1.18";
- ipAddress2 = "10.0.1.19";
- gateway = "10.0.1.1";
 ports = [
 9000 # authentik
 2342 # grafana
 51820 # wireguard
 ];
-
- wireguard-private = config.sops.secrets."jallen-nas/wireguard/private".path;
- wireguard-public = "r03IJPnTaSNmhVYIdQr+TGasox6NAUrgW8ycm/sac08=";
 in
 {
 # Networking configs
diff --git a/hosts/nas/services.nix b/hosts/nas/services.nix
index 70fa4b4..2f3aafd 100644
--- a/hosts/nas/services.nix
+++ b/hosts/nas/services.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 let
 enableDisplayManager = true;
 in
diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix
index 4420f69..9647570 100644
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -34,14 +34,14 @@
 restartUnits = [ "podman-nextcloud.service" ];
 };
- sops.secrets."jallen-nas/manyfold/secretkeybase" = {
- restartUnits = [ "podman-manyfold.service" ];
- };
-
 sops.templates."nextcloud-smtp".content = ''
 ${config.sops.secrets."jallen-nas/nextcloud/smtppassword".path}
 '';
+ sops.secrets."jallen-nas/manyfold/secretkeybase" = {
+ restartUnits = [ "podman-manyfold.service" ];
+ };
+
 sops.secrets."jallen-nas/immich/db-password" = {
 restartUnits = [ "podman-immich-postgres.service" ];
 };
@@ -61,16 +61,27 @@
 restartUnits = [ "podman-immich-server.service" ];
 };
- sops.secrets."jallen-nas/wireguard/private" = {
- # restartUnits = [ "podman-immich-server.service" ];
+ sops.secrets."jallen-nas/open-webui" = {
+ restartUnits = [ "open-webui.service" ];
 };
- sops.secrets."jallen-nas/wireguard/public" = {
- # restartUnits = [ "podman-immich-server.service" ];
+ sops.secrets."jallen-nas/paperless/secret" = {
+ restartUnits = [ "container@paperless.service" ];
 };
-
- sops.templates."wireguard-public".content = ''
- "${config.sops.placeholder."jallen-nas/wireguard/public"}"
+ sops.templates."paperless-secret".content = ''
+ ${config.sops.secrets."jallen-nas/paperless/secret".path}
+ '';
+ sops.secrets."jallen-nas/paperless/authentik-client-id" = {
+ restartUnits = [ "container@paperless.service" ];
+ };
+ sops.templates."paperless-client-id".content = ''
+ ${config.sops.secrets."jallen-nas/paperless/authentik-client-id".path}
+ '';
+ sops.secrets."jallen-nas/paperless/authentik-client-secret" = {
+ restartUnits = [ "container@paperless.service" ];
+ };
+ sops.templates."paperless-client-secret".content = ''
+ ${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
 '';
 # Permission modes are in octal representation (same as chmod),
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 2ccccb2..84f75d7 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -21,6 +21,11 @@ jallen-nas:
 server-db-password: ENC[AES256_GCM,data:NtNMYemg+Se0CKT7yF7Yqso+33gCZn4=,iv:9lp0GoQY+I+2u/O/PFEu97H++HXDWgL1bxlOYqWfzyY=,tag:kILw1T9Ne7nSoIET4SSrOA==,type:str]
 server-db-name: ENC[AES256_GCM,data:bMXo9Jds5l0p9eYEPmquHQ8wwxbM+c0=,iv:fkb0P9uD9oMTOl5OuK7QDOxgJVfquKLaMfoPhRTwsAk=,tag:2Kat49n3odcVhn34c7+rig==,type:str]
 server-db-user: ENC[AES256_GCM,data:od8C91VJVK/cWCl824gCRqnOAC7mGA==,iv:mHJnrpKoD3c0z/XuUwFMHm8pDrOHoVzIloOS2U4IHzg=,tag:xE44Svdg/RWTe1i9Q43QQQ==,type:str]
+ open-webui: ENC[AES256_GCM,data:ZztFlXorZUFO8LywGRCYAWjmAsPwTBAEza4Wz88HoHtzp5q+qTLr500wJEtaHoC+rJze8bAajSj/rKx8n1XzbQKylDyV4opua5LErKGaiUZbFEm0jPCkpwWxmVJVde6yOMd8fboT2i4K8PMr7y2bOwqqczygDTIR77JbwdUID4nksVYjnv1RbBdJlefNxMMnK+vBPgCokrDOCWUvASVUDKg5OzSMMXQT+bvZuhIydDJv1gRz3XLG78PW0wQI9evKunfouK6eORgABe3zZQ==,iv:uJk5IrM+cDlz4dNTEAurg4vEMew5kGVCf3kqrKAUoMU=,tag:dlzFjr//fbVP5vP/67dELg==,type:str]
+ paperless:
+ secret: ENC[AES256_GCM,data:qrwi13OLSM1Oww4pttfblrjvsdPR,iv:IITw2M6YfoSP3nECeUPWlhr56n7u03ivp8+fx5MDd54=,tag:4thPUaa2ueO95LOB5SiL6w==,type:str]
+ authentik-client-id: ENC[AES256_GCM,data:8kHTmnT4kbxrN7Kyet1eu1KB+jA7bBx1Zs64cn5VZm0VjdSfYOwxxA==,iv:iTgsd9XWnRCQoBxj0QVjbIrSjPoYdnXv4lmn3qfllUA=,tag:CDAWMAOQ6X2sbu8RD8oiBw==,type:str]
+ authentik-client-secret: ENC[AES256_GCM,data:WROqpqGQrZ8+Xy6v4dxABfqWs4lPDnl/OdsD2xvw5nqZ8mD66IJMx5eoS9UJ1aIOAr0bvQCUyMtC+xzSMcEORCmMoxT7qfg2rV6KZgRzDtRGt1loYdHECXpz1hGAc87YwiD8fVrEsuTAmlK8N6tmmfie5o6QakcFeoTpZSlAUJ0=,iv:fQg5itx52OIZeqBSylSbwtR7FD/8kF0YiDZ0jguIKus=,tag:yIm8q0PJQVDt7F4IIljbdg==,type:str]
 wireguard:
 private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str]
 public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str]
@@ -60,8 +65,8 @@ sops:
 UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN
 pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-17T19:16:19Z"
- mac: ENC[AES256_GCM,data:d2xWXNFCgb7egUOJSXRC4lDBbPhRoNrhM5iz0JSCW4chmQuqW0JabwDLzW0PubSqsde2pw2fx7A2mgrhib/1zyyPG8ViYijO3xyBn0EX78vJuJoikVV/KE7c3ffzxuRCB6kwCJ+6mZEYeRR+daoCfJ/ZI48DiCYuGP1rMOAjtTs=,iv:s2riiffa/qyzaJLGfLEQG52z/fdLFb4pC/Gdb/yfbWI=,tag:8JjcN78FbTJzizi/jO3irw==,type:str]
+ lastmodified: "2025-01-22T23:41:50Z"
+ mac: ENC[AES256_GCM,data:Sim5O8dLkq4k4TTTqCSvtiPxUpIJKKhhBcUsQFPkvyaHfLriDawhDANFY9c2DZHIDN0pQJuQ8h/a3AsXqq+lfXAtOGQeMkrDaEG6L9rk22QPKpXcPlRfF940r1CUYY1bmjxSd6+8fIYJPyPE7svPzseIyPFfmM9vNZmOhyXmeJ4=,iv:v0UoG3iGWzZS46LctHKF+4cEw/6Er0NKOKJiIX8OD6Y=,tag:LUk7aUdbIjdX1w6aeu5h5A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.1
+ version: 3.9.3