simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

fuuko/go-neb: Use sops for secrets

Browse source
This commit is contained in:
Simon Bruder 2021-05-02 13:13:07 +02:00
parent 8a5a5e9a1c
commit 51f814c70d
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
3 changed files with 35 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
machines/fuuko/secrets.yaml
View file

@ -1,6 +1,7 @@
drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str]
drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str]
gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
go-neb-overrides: ENC[AES256_GCM,data:Ws/2yCNNLLEpa9MbN7mZk6BBBaJxtHN2X9I41baWJylZeUld6/h4WCxyHw4MWzigK7k26E+7CGVGThF5Ucd6AuvuD9dd21uaoOtwsAKJVsCavk6VPQvfAuSqYJcBYY2pSwDpA6KbXbQqhC9OgcktvYQdnvNPbsSffK4zhrDjcFpDYYyBRQWxqHu/ZGh2088ECbhm2OCWeC9/5u/2id8dHutip6tUXBIalFmWObc6zgx4atCJGdq9/bOPgajQzrpWlauV0h3ioMwp0gsulOJl2LuI7Lvbsvm+UWe8hVd9ZLqR+4ZAwC5oCQht68AxekKrLNl02KQ8rM4fmWJpbK4NsR/m8+ifMZhqIe8tqUUhWGvJqbxEI/Rsbqm92ToIHL5x9hNSZ/crm+hF4c2Uh9jnSA3E/tOxjZaMU5hB+2Y4tF83nz61tzFnwhQ32VxFeq6IHyMOhgQzGZkDPAyFg2e4tbG6zp5oMx2lsUlgbaXrSrzBU73CjWiLDiJFNyGLx7ADeZ4aZVsZnvGL6y7K4p0uVuK7KSNzoW0=,iv:tniWSP8RgSDJ8ap+PK83TcPAvRdaXWC/gchF6+8uffs=,tag:SC6RB8zyVmjjbLA73cFb4A==,type:str]
nix-binary-cache-htpasswd: ENC[AES256_GCM,data:IktPHrrvExeZlCPmP82W9AovC59ILPbMQExVDO7U2S9lJ9cQKP14mQPuYwA+yKTycIdA01MwRDbt/SxhVleZ+aKkyOPwx/iG5B0cQX6cVqQWVTNVmxlW2sjupnnwwibcdikU21CIw6YsDKs7pMqRAfC/U2OJ3POo2qH5GgFY,iv:ofzEQ143HQQGZIEVkdWCrcENz0i6JPljLDGmG0A7aJ8=,tag:a557cdgRD25jWHhZeT+CnQ==,type:str]
prometheus-htpasswd: ENC[AES256_GCM,data:eJOWrcTC3YISJJLuQV6sxzD0r8Gr8uoUt48D9sSEHhsbNUUy3pDgIPqJHrkG0ek2sIF6NvpWdDGK1kFcduRAL9h7nLxQLOtf7dxsdObGlPH5nwe6CwdR+1wTE/2WzrsmTGnUrMjMiBgLPV2yRiQg3VJ7W1Me8tHPYHrqYhM=,iv:WvgwIoIfxc3vyjF+znyUzOElv+sd/thoYpxWVaIavx0=,tag:9FnRw7ol++1PCbl1c2IyoA==,type:str]
restic-password: ENC[AES256_GCM,data:IVFXmuzzvvqDS0T3P0R5ZMIn2wdkbE1AqwDMkWqMpDdCOVMP4/HhP4jF+tEarq22,iv:Eu6Wspzm0rPl0CuSoYTTLz+MmaEtmwCD57nH2JTBuaA=,tag:tKqt5Z7nF7lLcSsDKS4E3A==,type:str]
@ -14,8 +15,8 @@ sops:
gcp_kms: []
azure_kv: []
hc_vault: []
lastmodified: '2021-04-08T11:39:09Z'
mac: ENC[AES256_GCM,data:4Z7Gvr2wi0rIwS8iBlwEfap4aAP1BPMlKX2WwCYPxt6BTnK1LLoZvZq4Wk6R2tm/6PchtJt8YDx5abS+hq4xMS7EmJuvBMFNe1pWGo5xqvzQi+CuBJ7+oTWEURP+vsgYypMgzHh1NjpLXJOZr+F60ZzdeIVRu9qiETDY18o2h08=,iv:Qe/b0lOs0FQr68Ga2rSoh1xYa6V6vWPJOXXNxtJEZNI=,tag:kkJldwps/dC4ozpQ7HQaUw==,type:str]
lastmodified: '2021-05-02T11:00:36Z'
mac: ENC[AES256_GCM,data:/6fzsH4xIoJtjUY68pfYBGNT8a22SwJ/JITqHMEdwqEMclZKbKLiU56RMREc88kqXz8Fj4sSTCc4lE4Q0o6IhWD3LXdh31PjrNatvxjobgXPsGP64j+g/7xlw1Q/o+MyNpnrK8+1oxswPNiLs2vivFY18PtIiCDZW+6tJ1SuLic=,iv:8J6743R+21xNlGohLyZ46f9a8VjCdLN3Ezm5t5uoRq8=,tag:YZ4hbYTRgYtgCB/myv5+tw==,type:str]
pgp:
- created_at: '2021-04-06T11:27:21Z'
enc: |

BIN
machines/fuuko/secrets/go-neb-alertmanager.nix
View file

Binary file not shown.

35
machines/fuuko/services/matrix/go-neb.nix
View file

@ -1,21 +1,25 @@
{ config, ... }:
{ config, lib, pkgs, ... }:
let
synapseCfg = config.services.matrix-synapse;
in
{
sops.secrets = {
go-neb-overrides.sopsFile = ../../secrets.yaml;
};
services.go-neb = rec {
enable = true;
bindAddress = "127.0.0.1:8010";
baseUrl = "http://${bindAddress}";
config = {
clients = [
({
{
UserID = "@alertmanager:${synapseCfg.server_name}";
HomeserverURL = synapseCfg.public_baseurl;
Sync = false;
AutoJoinRooms = false;
DisplayName = "Prometheus Alertmanager";
} // (import ../../secrets/go-neb-alertmanager.nix)) # AccessToken and DeviceID
}
];
services = [
{
@ -54,4 +58,29 @@ in
];
};
};
# Load AccessToken and DeviceID from secret
systemd.services.go-neb = {
serviceConfig = {
RuntimeDirectory = "go-neb";
RuntimeDirectoryMode = "0750";
ExecStartPre =
let
baseConfig = pkgs.writeText "config-base.json" (builtins.toJSON config.services.go-neb.config);
in
[
"!${pkgs.coreutils}/bin/install -g go-neb ${config.sops.secrets.go-neb-overrides.path} /run/go-neb/config-overrides.json"
# needs to be run in a shell script for redirection to work
(pkgs.writeShellScript "merge-go-neb-config" ''
${pkgs.jq}/bin/jq \
--slurp \
'. | map(map_values(. | with_entries(.key = (.value.ID // .value.SessionID // .value.UserID)))) | .[0] * .[1] | with_entries(.value = [.value[]])' \
${baseConfig} \
/run/go-neb/config-overrides.json \
> /run/go-neb/config.json
'')
];
};
environment.CONFIG_FILE = lib.mkForce "/run/go-neb/config.json";
};
}