+11 -19

hosts/marvin/services/buildbot.nix

reviewed

··· 1 1 { config, self, ... }: 2 2 let 3 3 - as = config.age.secrets; 4 3 d = self.lib.data.services.buildbot; 5 4 g = self.lib.data.services.git; 6 6 - bbSecret = { 7 7 - owner = "buildbot"; 8 8 - group = "buildbot"; 9 9 - }; 5 5 + sec = config.age.secrets; 6 6 + inherit (self.lib.secrets) mkServiceSecrets; 10 7 in 11 8 { 12 9 services = { 13 10 buildbot-nix.master = { 14 11 enable = true; 15 12 dbUrl = "postgresql://buildbot@localhost/buildbot"; 16 16 - workersFile = as.buildbot-workers.path; 13 13 + workersFile = sec.buildbot-workers.path; 17 14 authBackend = "gitea"; 18 15 gitea = { 19 16 enable = true; 20 20 - tokenFile = as.buildbot-gitea-token.path; 21 21 - oauthSecretFile = as.buildbot-oauth-secret.path; 17 17 + tokenFile = sec.buildbot-gitea-token.path; 18 18 + oauthSecretFile = sec.buildbot-oauth-secret.path; 22 19 instanceUrl = g.extUrl; 23 20 oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452"; 24 21 topic = "buildbot-enable"; ··· 39 36 }; 40 37 buildbot-master.port = 6915; 41 38 }; 42 42 - age.secrets = { 43 43 - buildbot-gitea-token = bbSecret // { 44 44 - file = ./secrets/buildbot-gitea-token.age; 45 45 - }; 46 46 - buildbot-oauth-secret = bbSecret // { 47 47 - file = ./secrets/buildbot-oauth-secret.age; 48 48 - }; 49 49 - buildbot-workers = bbSecret // { 50 50 - file = ./secrets/buildbot-workers.age; 51 51 - }; 52 52 - }; 39 39 + age.secrets = mkServiceSecrets "buildbot" ./secrets [ 40 40 + "gitea-token" 41 41 + "oauth-secret" 42 42 + "worker-password" 43 43 + "workers" 44 44 + ]; 53 45 }

+14 -48

hosts/marvin/services/git.nix

reviewed

··· 8 8 }: 9 9 let 10 10 cfg = config.services.forgejo.settings; 11 11 - age = config.age.secrets; 12 12 - 13 13 - forgejoSecret = { 14 14 - owner = "forgejo"; 15 15 - group = "forgejo"; 16 16 - }; 17 17 - 11 11 + sec = config.age.secrets; 18 12 d = self.lib.data.services.git; 19 13 in 20 14 { 21 15 catppuccin.forgejo.enable = true; 22 16 py.services.forgejo-runner = { 23 17 enable = true; 24 24 - tokenFile = age.forgejo-default-runner-token.path; 18 18 + tokenFile = sec.forgejo-default-runner-token.path; 25 19 }; 26 20 services.forgejo = { 27 21 enable = true; ··· 32 26 database = { 33 27 type = "postgres"; 34 28 createDatabase = true; 35 35 - passwordFile = age.forgejo-db-pw.path; 29 29 + passwordFile = sec.forgejo-db-pw.path; 36 30 }; 37 31 secrets = { 38 38 - mailer.PASSWD = age.forgejo-mail-pw.path; 39 39 - security.SECRET_KEY = lib.mkForce age.forgejo-secret-key.path; 40 40 - security.INTERNAL_TOKEN = lib.mkForce age.forgejo-internal-token.path; 41 41 - oauth2.JWT_SECRET = lib.mkForce age.forgejo-oauth2-jwt-secret.path; 42 42 - server.LFS_JWT_SECRET = lib.mkForce age.forgejo-lfs-jwt-secret.path; 32 32 + mailer.PASSWD = sec.forgejo-mail-pw.path; 33 33 + security.SECRET_KEY = lib.mkForce sec.forgejo-secret-key.path; 34 34 + security.INTERNAL_TOKEN = lib.mkForce sec.forgejo-internal-token.path; 35 35 + oauth2.JWT_SECRET = lib.mkForce sec.forgejo-oauth2-jwt-secret.path; 36 36 + server.LFS_JWT_SECRET = lib.mkForce sec.forgejo-lfs-jwt-secret.path; 43 37 }; 44 38 settings = { 45 39 DEFAULT = { ··· 125 119 }; 126 120 }; 127 121 }; 128 128 - age.secrets = self.lib.secrets.mkServiceSecrets "forgejo" true ./secrets [ 129 129 - "oidc-secret" 130 130 - "db-pw" 131 131 - "mail-pw" 122 122 + age.secrets = self.lib.secrets.mkServiceSecrets "forgejo" ./secrets [ 123 123 + # keep-sorted start 132 124 "aux-docs-runner-token" 125 125 + "db-pw" 133 126 "default-runner-token" 134 127 "gitgay-runner-token" 135 128 "internal-token" 129 129 + "lfs-jwt-secret" 130 130 + "mail-pw" 136 131 "oauth2-jwt-secret" 137 137 - "lfs-jwt-secret" 138 132 "secret-key" 133 133 + # keep-sorted end 139 134 ]; 140 140 - # age.secrets = lib.mkIf config.services.forgejo.enable { 141 141 - # forgejo-db-pw = forgejoSecret // { 142 142 - # file = ./secrets/forgejo/db-pw.age; 143 143 - # }; 144 144 - # forgejo-mail-pw = forgejoSecret // { 145 145 - # file = ./secrets/forgejo/mail-pw.age; 146 146 - # }; 147 147 - # forgejo-aux-docs-runner-token = forgejoSecret // { 148 148 - # file = ./secrets/forgejo/aux-docs-runner-token.age; 149 149 - # }; 150 150 - # forgejo-default-runner-token = forgejoSecret // { 151 151 - # file = ./secrets/forgejo/default-runner-token.age; 152 152 - # }; 153 153 - # forgejo-gitgay-runner-token = forgejoSecret // { 154 154 - # file = ./secrets/forgejo/gitgay-runner-token.age; 155 155 - # }; 156 156 - # forgejo-internal-token = forgejoSecret // { 157 157 - # file = ./secrets/forgejo/internal-token.age; 158 158 - # }; 159 159 - # forgejo-oauth2-jwt-secret = forgejoSecret // { 160 160 - # file = ./secrets/forgejo/oauth2-jwt-secret.age; 161 161 - # }; 162 162 - # forgejo-lfs-jwt-secret = forgejoSecret // { 163 163 - # file = ./secrets/forgejo/lfs-jwt-secret.age; 164 164 - # }; 165 165 - # forgejo-secret-key = forgejoSecret // { 166 166 - # file = ./secrets/forgejo/secret-key.age; 167 167 - # }; 168 168 - # }; 169 135 services.anubis.instances.forgejo = lib.mkIf config.services.forgejo.enable { 170 136 settings = { 171 137 BIND = ":${toString d.anubis}";

+2 -16

hosts/marvin/services/grafana.nix

reviewed

··· 7 7 let 8 8 d = self.lib.data.services.grafana; 9 9 p = self.lib.data.services.pocket-id; 10 10 - 11 11 - grafanaSecret = name: { 12 12 - owner = "grafana"; 13 13 - group = "grafana"; 14 14 - file = ./secrets/grafana/${name}.age; 15 15 - }; 16 16 - 17 17 - mkGrafanaSecrets = 18 18 - secrets: 19 19 - builtins.listToAttrs ( 20 20 - map (sec: { 21 21 - name = "grafana-${sec}"; 22 22 - value = grafanaSecret sec; 23 23 - }) secrets 24 24 - ); 10 10 + inherit (self.lib.secrets) mkServiceSecrets; 25 11 in 26 12 { 27 13 services.grafana = { ··· 63 49 }; 64 50 }; 65 51 }; 66 66 - age.secrets = mkGrafanaSecrets [ 52 52 + age.secrets = mkServiceSecrets "grafana" ./secrets [ 67 53 "admin-password" 68 54 "smtp-password" 69 55 "oidc-secret"

+5 -12

hosts/marvin/services/immich.nix

reviewed

··· 6 6 }: 7 7 let 8 8 d = self.lib.data.services.immich; 9 9 + inherit (self.lib.secrets) mkServiceSecrets; 9 10 in 10 11 { 11 12 services = { ··· 38 39 "video" 39 40 "render" 40 41 ]; 41 41 - age.secrets = { 42 42 - immich-oauth-secret = { 43 43 - file = ./secrets/immich/oauth-secret.age; 44 44 - owner = "immich"; 45 45 - group = "immich"; 46 46 - }; 47 47 - immich-mail-pw = { 48 48 - file = ./secrets/immich/mail-pw.age; 49 49 - owner = "immich"; 50 50 - group = "immich"; 51 51 - }; 52 52 - }; 42 42 + age.secrets = mkServiceSecrets "immich" ./secrets [ 43 43 + "oauth-secret" 44 44 + "mail-pw" 45 45 + ]; 53 46 }

+7 -13

hosts/marvin/services/paperless.nix

reviewed

··· 6 6 let 7 7 d = self.lib.data.services.paperless; 8 8 sec = config.age.secrets; 9 9 + inherit (self.lib.secrets) mkServiceSecrets; 9 10 in 10 11 { 11 12 services.paperless = { ··· 13 14 inherit (d) port; 14 15 address = "0.0.0.0"; 15 16 domain = d.extUrl; 16 16 - passwordFile = sec.paperless-admin-pw.path; 17 17 + passwordFile = sec.paperless-admin-password.path; 17 18 database.createLocally = true; 18 19 configureTika = true; 19 20 settings = { ··· 28 29 PAPERLESS_TASK_WORKERS = 3; 29 30 }; 30 31 }; 31 31 - age.secrets = { 32 32 - paperless-admin-pw = { 33 33 - file = ./secrets/paperless/admin-password.age; 34 34 - owner = "paperless"; 35 35 - group = "paperless"; 36 36 - }; 37 37 - paperless-secrets = { 38 38 - file = ./secrets/paperless/secrets.age; 39 39 - owner = "paperless"; 40 40 - group = "paperless"; 41 41 - }; 42 42 - }; 32 32 + 33 33 + age.secrets = mkServiceSecrets "paperless" ./secrets [ 34 34 + "admin-password" 35 35 + "secrets" 36 36 + ]; 43 37 }