{ config, lib, ... }: let user = "nix-apps"; defaultSops = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml"); in { # Permission modes are in octal representation (same as chmod), # the digits represent: user|group|others # 7 - full (rwx) # 6 - read and write (rw-) # 5 - read and execute (r-x) # 4 - read only (r--) # 3 - write and execute (-wx) # 2 - write only (-w-) # 1 - execute only (--x) # 0 - none (---) # Either a user id or group name representation of the secret owner # It is recommended to get the user name from `config.users.users..name` to avoid misconfiguration # Either the group id or group name representation of the secret group # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration sops = { age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # ------------------------------ # Secrets # ------------------------------ secrets = { "jallen-nas/admin_password" = { sopsFile = defaultSops; neededForUsers = true; mode = "0600"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; }; "jallen-nas/nas_pool" = { sopsFile = defaultSops; mode = "0600"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; }; # ------------------------------ # ups # ------------------------------ "jallen-nas/ups_password" = { sopsFile = defaultSops; mode = "0777"; restartUnits = [ "upsdrv.service" "upsd.service" "ups-killpower.service" "upsmon.service" ]; }; # ------------------------------ # SSH keys # ------------------------------ "ssh-keys-public/jallen-nas-root" = { path = "/root/.ssh/id_ed25519.pub"; mode = "0640"; }; "ssh-keys-private/jallen-nas-root" = { path = "/root/.ssh/id_ed25519"; mode = "0600"; }; # ------------------------------ # authentik # ------------------------------ "jallen-nas/authentik-env" = { sopsFile = defaultSops; restartUnits = [ "authentik.service" ]; }; # ------------------------------ # attic # ------------------------------ "jallen-nas/attic-key" = { sopsFile = defaultSops; restartUnits = [ "atticd.service" ]; }; # ------------------------------ # collabora # TODO # ------------------------------ "jallen-nas/collabora" = { sopsFile = defaultSops; restartUnits = [ "coolwsd.service" ]; }; # ------------------------------ # crowdsec # ------------------------------ # "jallen-nas/crowdsec-firewall-bouncer-api-key" = { # restartUnits = [ "crowdsec-firewall-bouncer.service" ]; # }; # "jallen-nas/crowdsec-capi" = { # sopsFile = defaultSops; # owner = "crowdsec"; # group = "crowdsec"; # restartUnits = [ "crowdsec.service" ]; # }; # ------------------------------ # mariadb # TODO # ------------------------------ "jallen-nas/mariadb/db_pass" = { sopsFile = defaultSops; restartUnits = [ "mysql.service" ]; }; "jallen-nas/mariadb/root_pass" = { sopsFile = defaultSops; restartUnits = [ "mysql.service" ]; }; # ------------------------------ # nextcloud # ------------------------------ "jallen-nas/nextcloud/dbpassword" = { sopsFile = defaultSops; mode = "0650"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; restartUnits = [ "nextcloud.service" ]; }; "jallen-nas/nextcloud/adminpassword" = { sopsFile = defaultSops; mode = "0440"; owner = config.users.users."${user}".name; group = "keys"; restartUnits = [ "nextcloud.service" "prometheus-nextcloud-exporter.service" # actual systemd unit name ]; }; "jallen-nas/nextcloud/smtp_settings" = { sopsFile = defaultSops; mode = "0650"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; restartUnits = [ "nextcloud.service" ]; }; # ------------------------------ # onlyoffice # ------------------------------ "jallen-nas/onlyoffice-key" = { sopsFile = defaultSops; mode = "0655"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; restartUnits = [ "nextcloud.service" ]; }; # ------------------------------ # manyfold # ------------------------------ "jallen-nas/manyfold/secretkeybase" = { sopsFile = defaultSops; restartUnits = [ "podman-manyfold.service" ]; }; # ------------------------------ # immich # ------------------------------ "jallen-nas/immich/db-password" = { sopsFile = defaultSops; mode = "0440"; group = "keys"; restartUnits = [ "immich.service" ]; }; # ------------------------------ # open-webui # ------------------------------ "jallen-nas/open-webui" = { sopsFile = defaultSops; restartUnits = [ "open-webui.service" ]; }; # ------------------------------ # paperless # ------------------------------ "jallen-nas/paperless/secret" = { sopsFile = defaultSops; restartUnits = [ "paperless.service" ]; }; "jallen-nas/paperless/authentik-client-id" = { sopsFile = defaultSops; restartUnits = [ "paperless.service" ]; }; "jallen-nas/paperless/authentik-client-secret" = { sopsFile = defaultSops; restartUnits = [ "paperless.service" ]; }; # ------------------------------ # Gitea # ------------------------------ "jallen-nas/gitea/mail-key" = { sopsFile = defaultSops; owner = "root"; group = "keys"; mode = "0440"; restartUnits = [ "gitea.service" ]; }; "jallen-nas/gitea/metrics-key" = { sopsFile = defaultSops; owner = "root"; group = "keys"; mode = "0440"; restartUnits = [ "gitea.service" ]; }; # ------------------------------ # free-games-claimer # ------------------------------ "jallen-nas/free-games/eg-email" = { sopsFile = defaultSops; }; "jallen-nas/free-games/eg-pass" = { sopsFile = defaultSops; }; "jallen-nas/free-games/eg-otp" = { sopsFile = defaultSops; }; "jallen-nas/free-games/pg-email" = { sopsFile = defaultSops; }; "jallen-nas/free-games/pg-pass" = { sopsFile = defaultSops; }; "jallen-nas/free-games/gog-email" = { sopsFile = defaultSops; }; "jallen-nas/free-games/gog-pass" = { sopsFile = defaultSops; }; # ------------------------------ # ntfy # ------------------------------ "jallen-nas/ntfy/auth-users" = { sopsFile = defaultSops; }; "jallen-nas/ntfy/user" = { sopsFile = defaultSops; mode = "0440"; group = "keys"; restartUnits = [ "grafana.service" "crowdsec.service" "upsmon.service" ]; }; "jallen-nas/ntfy/password" = { sopsFile = defaultSops; mode = "0440"; group = "keys"; restartUnits = [ "grafana.service" "crowdsec.service" "upsmon.service" ]; }; # ------------------------------ # sparky-fitness # ------------------------------ "jallen-nas/sparky-fitness/db-password" = { sopsFile = defaultSops; restartUnits = [ "podman-sparky-fitness-server.service" ]; }; "jallen-nas/sparky-fitness/api-encryption-key" = { sopsFile = defaultSops; restartUnits = [ "podman-sparky-fitness-server.service" ]; }; "jallen-nas/sparky-fitness/auth-secret" = { sopsFile = defaultSops; restartUnits = [ "podman-sparky-fitness-server.service" ]; }; # ------------------------------ # authentik-rac # NOTE: add to nas-secrets.yaml via `sops secrets/nas-secrets.yaml`: # jallen-nas/authentik-rac/token: # ------------------------------ "jallen-nas/authentik-rac/token" = { sopsFile = defaultSops; restartUnits = [ "podman-authenticRac.service" ]; }; # ------------------------------ # Grafana # ------------------------------ # secret_key was previously the upstream default "SW2YcwTIb9zpOOhoPsMm". # It is stored here so Grafana can read it via the file provider without # embedding it in the world-readable Nix store. # To rotate: use https://github.com/erooke/grafana-secretkey-rotation-tool "jallen-nas/grafana/secret-key" = { sopsFile = defaultSops; owner = "grafana"; group = "grafana"; mode = "0400"; restartUnits = [ "grafana.service" ]; }; }; # ------------------------------ # Templates # ------------------------------ templates = { "fgc.env" = { content = '' EG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/eg-email"} EG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/eg-pass"} EG_OTPKEY = ${config.sops.placeholder."jallen-nas/free-games/eg-otp"} PG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/pg-email"} PG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/pg-pass"} GOG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/gog-email"} GOG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/gog-pass"} ''; mode = "0650"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; restartUnits = [ "podman-free-games-claimer.service" ]; }; "authentik-rac.env" = { content = '' AUTHENTIK_TOKEN=${config.sops.placeholder."jallen-nas/authentik-rac/token"} ''; mode = "0600"; restartUnits = [ "podman-authenticRac.service" ]; }; "ntfy.env" = { content = '' NTFY_USER=${config.sops.placeholder."jallen-nas/ntfy/user"} NTFY_PASSWORD=${config.sops.placeholder."jallen-nas/ntfy/password"} ''; mode = "0640"; group = "keys"; restartUnits = [ "crowdsec.service" "upsmon.service" "nix-rebuild-cache.service" "update-qwen-model.service" ]; }; # CrowdSec HTTP notification plugin config with credentials baked in. # The plugin process spawned by crowdsec/cscli reads this file directly. # Credentials are embedded in the URL using HTTP basic auth so no # base64 encoding or env var injection is needed. "crowdsec/notifications/ntfy.yaml" = { content = '' type: http name: ntfy_plugin log_level: info format: "{{range . -}}CrowdSec blocked: {{.Scenario}}\nSource IP: {{.Source.Value}}\nCountry: {{.Source.Cn}}\nDecisions: {{.Decisions | len}}{{range .Decisions}}\nAction: {{.Type}} for {{.Duration}}{{end}}\n{{end}}" url: https://${config.sops.placeholder."jallen-nas/ntfy/user"}:${ config.sops.placeholder."jallen-nas/ntfy/password" }@ntfy.mjallen.dev/crowdsec method: POST headers: Title: "CrowdSec: {{(index . 0).Scenario}}" Priority: "high" Tags: "rotating_light,shield" skip_tls_verify: false timeout: 10s ''; mode = "0440"; owner = "crowdsec"; group = "crowdsec"; restartUnits = [ "crowdsec.service" ]; }; "paperless.env" = { content = '' PAPERLESS_ADMIN_USER = "mjallen" PAPERLESS_ADMIN_PASSWORD = ${config.sops.placeholder."matt_password"} PAPERLESS_URL = "https://paperless.jallen.dev" PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"} PAPERLESS_ENABLE_ALLAUTH = true PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect" PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${ config.sops.placeholder."jallen-nas/paperless/authentik-client-id" }","secret":"${ config.sops.placeholder."jallen-nas/paperless/authentik-client-secret" }","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}} ''; mode = "0650"; owner = config.users.users."${user}".name; group = config.users.users."${user}".group; restartUnits = [ "paperless-web.service" ]; }; }; }; }