cleanup

2025-03-19 20:19:38 -05:00
parent 6b43ce5ddd
commit e0713e0ba0
18 changed files with 353 additions and 205 deletions
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  user = "admin";
+  user = "nix-apps";
 in
 {
  # Permission modes are in octal representation (same as chmod),
@@ -19,7 +19,7 @@ in
  # It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
-    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # ------------------------------
    # Secrets
@@ -34,7 +34,12 @@ in
      "wifi" = { };
      "jallen-nas/ups_password" = {
        mode = "0777";
-        # restartUnits = [ "ups stuff lol" ];
+        restartUnits = [
+          "upsdrv.service"
+          "upsd.service"
+          "ups-killpower.service"
+          "upsmon.service"
+        ];
      };
      "jallen-nas/collabora" = {
        restartUnits = [ "podman-collabora.service" ];
@@ -46,13 +51,22 @@ in
        restartUnits = [ "podman-mariadb.service" ];
      };
      "jallen-nas/nextcloud/dbpassword" = {
-        restartUnits = [ "podman-nextcloud.service" ];
+        mode = "0650";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+        restartUnits = [ "container@nextcloud.service" ];
      };
      "jallen-nas/nextcloud/adminpassword" = {
-        restartUnits = [ "podman-nextcloud.service" ];
+        mode = "0650";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+        restartUnits = [ "container@nextcloud.service" ];
      };
-      "jallen-nas/nextcloud/smtppassword" = {
-        restartUnits = [ "podman-nextcloud.service" ];
+      "jallen-nas/nextcloud/smtp_settings" = {
+        mode = "0650";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+        restartUnits = [ "container@nextcloud.service" ];
      };
      "jallen-nas/manyfold/secretkeybase" = {
        restartUnits = [ "podman-manyfold.service" ];
@@ -87,18 +101,12 @@ in
      "jallen-nas/paperless/secret" = {
        restartUnits = [ "container@paperless.service" ];
      };
-      secrets."jallen-nas/paperless/authentik-client-id" = {
+      "jallen-nas/paperless/authentik-client-id" = {
        restartUnits = [ "container@paperless.service" ];
      };
      "jallen-nas/paperless/authentik-client-secret" = {
        restartUnits = [ "container@paperless.service" ];
      };
-      "jallen-nas/nextcloud/dbpassword" = {
-        mode = "0777";
-      };
-      "jallen-nas/nextcloud/adminpassword" = {
-        mode = "0777";
-      };
      "ssh-keys-public/jallen-nas-root" = {
        path = "/root/.ssh/id_ed25519.pub";
        mode = "0600";
@@ -136,19 +144,21 @@ in
        mode = "0600";
      };
    };
+
    templates = {
-      "nextcloud-smtp".content = ''
-        ${config.sops.secrets."jallen-nas/nextcloud/smtppassword"}
-      '';
-      "paperless-secret".content = ''
-        ${config.sops.secrets."jallen-nas/paperless/secret".path}
-      '';
-      "paperless-client-id".content = ''
-        ${config.sops.secrets."jallen-nas/paperless/authentik-client-id".path}
-      '';
-      "paperless-client-secret".content = ''
-        ${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
-      '';
+      "paperless.env" = {
+        content = ''
+          PAPERLESS_URL = "https://paperless.jallen.dev"
+          PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"}
+          PAPERLESS_ENABLE_ALLAUTH = true
+          PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"
+          PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-id"}","secret":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
+        '';
+        mode = "0650";
+        owner = config.users.users."${user}".name;
+        group = config.users.users."${user}".group;
+        restartUnits = [ "container@paperless.service" ];
+      };
    };
  };
 }