add some secrets

2025-02-02 07:04:17 -06:00 · 2025-01-31 10:15:45 -06:00 · 2025-01-31 10:15:45 -06:00 · 06dd891b6a
commit 06dd891b6a
parent 8391ef801c
5 changed files with 23 additions and 16 deletions
--- a/flake.lock
+++ b/flake.lock
@ -789,11 +789,11 @@
      },
      "locked": {
        "dir": "nix",
-        "lastModified": 1738281090,
-        "narHash": "sha256-WLdHHGCSaLjQ1DbZVsphHysWjnhs26JzXUaS+7RYfrg=",
+        "lastModified": 1738337180,
+        "narHash": "sha256-XXT8rGyMd1ow4jnir8qfLfYIwU2TgzDjpz6amMvs8ac=",
        "owner": "daylinmorgan",
        "repo": "tsm",
-        "rev": "2aab7c23de890700a1ce1c7f651c04478105393b",
+        "rev": "9a22c559c5b13472528fc2f814149af7b341dfe5",
        "type": "github"
      },
      "original": {
--- a/hosts/algiz/default.nix
+++ b/hosts/algiz/default.nix
@ -36,11 +36,4 @@

  # git user handles the forgjo ssh authentication
  users.users.git.isNormalUser = true;
-
-  sops = {
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    defaultSopsFile = ./secrets.yaml;
-    # by default is accessible only by root:root which should work with above service
-    secrets.restic-algiz = { };
-  };
 }
--- a/hosts/algiz/secrets.nix
+++ b/hosts/algiz/secrets.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ./secrets.yaml;
+
+    # by default is accessible only by root:root which should work with above service
+    secrets.restic-algiz = { };
+    secrets.atticd-env = { };
+  };
+
+}
--- a/hosts/algiz/secrets.yaml
+++ b/hosts/algiz/secrets.yaml
--- a/hosts/algiz/services.nix
+++ b/hosts/algiz/services.nix
@ -1,6 +1,8 @@
 {
+  config,
  pkgs,
  enabled,
+  flake,
  ...
 }:
 let
@ -24,7 +26,7 @@ in
  };

  security.polkit = enabled; # attic was looking for this...
-  environment.systemPackages = with pkgs; [ attic-client ];
+  environment.systemPackages = [ (flake.pkg "lix-atttic").attic-client ];

  # allow docker to forward the request to the host running attic
  # https://discourse.nixos.org/t/docker-container-not-resolving-to-host/30259/6
@ -32,8 +34,7 @@ in
  services.atticd = enabled // {

    # Replace with absolute path to your credentials file
-    # TODO: replace with sops-secret!
-    environmentFile = "/etc/atticd.env";
+    environmentFile = config.sops.secrets."atticd-env".path;

    settings = {
      listen = "[::]:${atticPort}";