use agenix

2025-02-11 22:15:44 +02:00
parent 8a1f2c4968
commit 0bc01cd2b1
20 changed files with 182 additions and 20 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,9 +1,10 @@
-{ ... }:
+{ inputs, ... }:
 {
  imports = [
    ./vlans.nix
    ./firewall.nix
    ./storage-box-mounts.nix
    ./services
+    inputs.agenix.nixosModules.default
  ];
 }
--- a/modules/services/gotosocial.nix
+++ b/modules/services/gotosocial.nix
@@ -1,6 +1,7 @@
 { config, lib, ... }:
 let
  cfg = config.modules.services.gotosocial;
+  secrets = config.age.secrets;
  domain = config.networking.domain;
  fqdn = "${cfg.subdomain}.${domain}";
  port = cfg.port;
@@ -24,7 +25,7 @@ in
  config = lib.mkIf cfg.enable {
    services.gotosocial = {
      enable = true;
-      environmentFile = "/var/secrets/gotosocial.env";
+      environmentFile = secrets.gotosocial.path;
      settings = {
        host = fqdn;
        account-domain = domain;
--- a/modules/services/grafana.nix
+++ b/modules/services/grafana.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
  cfg = config.modules.services.grafana;
+  secrets = config.age.secrets;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
 in
 {
@@ -40,7 +41,7 @@ in
          from_address = "noreply@freun.dev";
          from_name = "Vaultwarden";
          user = "noreply@freun.dev";
-          password = "$__file{/var/secrets/smtp-password}";
+          password = "$__file{${secrets.smtp-password.path}}";
        };
      };
    };
--- a/modules/services/hastebin.nix
+++ b/modules/services/hastebin.nix
@@ -1,6 +1,7 @@
 { lib, config, inputs, ... }:
 let
  cfg = config.services.hastebin;
+  secrets = config.age.secrets;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
 in
 {
@@ -33,7 +34,7 @@ in
          "jsx"
        ];
      };
-      auth_tokens_file = "/var/secrets/hastebin-tokens";
+      auth_tokens_file = secrets.hastebin-tokens.path;
    };

    modules.services.webserver = {
--- a/modules/services/immich.nix
+++ b/modules/services/immich.nix
@@ -1,6 +1,7 @@
 { pkgs, lib, config, ... }:
 let
  cfg = config.modules.services.immich;
+  secrets = config.age.secrets;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  volumeServices = names: (
@@ -52,6 +53,13 @@ let
      { }
      services
  );
+
+  environment = {
+    TZ = cfg.timezone;
+    DB_USERNAME = "postgres";
+    POSTGRES_USER = environment.DB_USERNAME;
+    DB_DATABASE_NAME = "immich";
+  };
 in
 {
  options.modules.services.immich = {
@@ -59,6 +67,10 @@ in
    subdomain = lib.mkOption {
      type = lib.types.str;
    };
+    timezone = lib.mkOption {
+      type = lib.types.str;
+      default = "Europe/Helsinki";
+    };
    version = lib.mkOption {
      type = lib.types.str;
      default = "latest";
@@ -97,8 +109,9 @@ in
      virtualisation.oci-containers.containers = {
        "immich_machine_learning" = {
          image = "ghcr.io/immich-app/immich-machine-learning:${cfg.version}";
+          inherit environment;
          environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
          ];
          volumes = [
            "immich_model_cache:/cache:rw"
@@ -113,9 +126,9 @@ in
        "immich_postgres" = {
          image = "registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0";
          environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
          ];
-          environment = {
+          environment = environment // {
            POSTGRES_INITDB_ARGS = "--data-checksums";
          };
          volumes = [
@@ -131,8 +144,9 @@ in

        "immich_redis" = {
          image = "registry.hub.docker.com/library/redis:6.2-alpine";
+          inherit environment;
          environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
          ];
          log-driver = "journald";
          extraOptions = [
@@ -143,8 +157,9 @@ in

        "immich_server" = {
          image = "ghcr.io/immich-app/immich-server:${cfg.version}";
+          inherit environment;
          environmentFiles = [
-            "/var/secrets/immich.env"
+            secrets.immich.path
          ];
          volumes = [
            "/etc/localtime:/etc/localtime:ro"
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -1,6 +1,7 @@
 { lib, config, ... }:
 let
  cfg = config.modules.services.vaultwarden;
+  secrets = config.age.secrets;
  fqdn = "${cfg.subdomain}.${config.networking.domain}";
  port = config.services.vaultwarden.config.ROCKET_PORT;
 in
@@ -23,7 +24,7 @@ in
    services.vaultwarden = {
      enable = true;
      dbBackend = "postgresql";
-      environmentFile = "/var/secrets/vaultwarden.env";
+      environmentFile = secrets.vaultwarden.path;
      config = {
        DOMAIN = "https://${fqdn}";
        DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden";
--- a/modules/services/webserver.nix
+++ b/modules/services/webserver.nix
@@ -38,10 +38,6 @@ in
        type = lib.types.str;
        default = "hetzner";
      };
-      environmentFile = lib.mkOption {
-        type = lib.types.str;
-        default = "/var/secrets/lego";
-      };
    };
    vHosts = lib.mkOption {
      type = lib.types.attrsOf types.vhost;
--- a/modules/storage-box-mounts.nix
+++ b/modules/storage-box-mounts.nix
@@ -23,12 +23,14 @@ let
  };

  cfg = config.modules.storageBoxMounts;
+  secrets = config.age.secrets;
+
  mountOptions = { uid, gid, ... }: [
    "x-systemd.automount"
    "auto"
    "x-systemd.device-timeout=5s"
    "x-systemd.mount-timeout=5s"
-    "credentials=/var/secrets/storage-box-credentials"
+    "credentials=${secrets.storage-box-credentials.path}"
  ] ++ (
    if (uid != null) then [ "uid=${toString uid}" ] else [ ]
  ) ++ (