diff --git a/hosts/hetzner-arm/containers/vault/default.nix b/hosts/hetzner-arm/containers/vault/default.nix
deleted file mode 100644
index b5f41d1..0000000
--- a/hosts/hetzner-arm/containers/vault/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- self,
- hostPath,
- tree,
- inputs,
- config,
- pkgs,
- ...
-}: let
- containerAddresses = import "${hostPath}/data/containerAddresses.nix";
- hostIP = containerAddresses.host;
- containerIP = containerAddresses.containers.vault;
-in {
- containers.vault = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostIP;
- localAddress = containerIP;
- additionalCapabilities = ["CAP_IPC_LOCK"];
-
- specialArgs = {
- inherit inputs;
- inherit tree;
- inherit self;
- inherit hostPath;
- };
-
- config = {...}: {
- nixpkgs.pkgs = pkgs;
-
- imports = with tree;
- [
- presets.nixos.containerBase
- ./secrets.nix
- ]
- ++ (with hosts.hetzner-arm.containers.vault.profiles; [
- vault
- restic
- ]);
-
- networking.firewall.allowedTCPPorts = [8200 8443];
-
- home-manager.users.root.home.stateVersion = "24.05";
- system.stateVersion = "24.05";
- };
- };
-
- services.nginx.virtualHosts."vault.owo.monster" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/".proxyPass = "http://${containerIP}:8200";
- };
- };
-}
diff --git a/hosts/hetzner-arm/containers/vault/profiles/restic.nix b/hosts/hetzner-arm/containers/vault/profiles/restic.nix
deleted file mode 100644
index 215e369..0000000
--- a/hosts/hetzner-arm/containers/vault/profiles/restic.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- self,
- config,
- ...
-}: let
- backupSchedules = import "${self}/data/backupSchedules.nix";
- inherit (config.services.secrets) secrets;
-in {
- services.restic.backups.vault = {
- user = "root";
- paths = [
- "/var/lib/vault"
- ];
- timerConfig = backupSchedules.restic.high;
-
- repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Vault";
- passwordFile = "${secrets.restic_password.path}";
- environmentFile = "${secrets.restic_env.path}";
- createWrapper = true;
- };
-}
diff --git a/hosts/hetzner-arm/containers/vault/profiles/vault.nix b/hosts/hetzner-arm/containers/vault/profiles/vault.nix
deleted file mode 100644
index c305b11..0000000
--- a/hosts/hetzner-arm/containers/vault/profiles/vault.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{pkgs, ...}: {
- environment.systemPackages = with pkgs; [vault];
- services.vault = {
- enable = true;
- package = pkgs.vault-bin;
- address = "0.0.0.0:8200";
- storageBackend = "file";
- extraConfig = ''
- ui = true
- '';
- };
-}
diff --git a/hosts/hetzner-arm/containers/vault/secrets.nix b/hosts/hetzner-arm/containers/vault/secrets.nix
deleted file mode 100644
index 1040a34..0000000
--- a/hosts/hetzner-arm/containers/vault/secrets.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{pkgs, ...}: {
- services.secrets = {
- enable = true;
-
- packages = with pkgs; [
- apacheHttpd
- ];
-
- vaultLogin = {
- enable = true;
- loginUsername = "hetzner-arm-container-vault";
- };
-
- requiredVaultPaths = [
- "private-public-keys/data/restic/Vault"
-
- "api-keys/data/backblaze/Chaos-Backups"
- ];
-
- secrets = {
- vault_password = {
- manual = true;
- };
-
- restic_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
- '';
- };
- restic_env = {
- fetchScript = ''
- cat << EOF > "$secretFile"
- AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
- AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
- EOF
- '';
- };
- };
- };
-}
diff --git a/hosts/hetzner-arm/profiles/gotosocial.nix b/hosts/hetzner-arm/profiles/gotosocial.nix
index 1801f36..910e723 100644
--- a/hosts/hetzner-arm/profiles/gotosocial.nix
+++ b/hosts/hetzner-arm/profiles/gotosocial.nix
@@ -1,8 +1,4 @@
-{
- hostPath,
- config,
- ...
-}: let
+{config, ...}: let
 inherit (config.services.secrets) secrets;
 in {
 services.gotosocial = {
diff --git a/hosts/hetzner-arm/profiles/restic.nix b/hosts/hetzner-arm/profiles/restic.nix
index 7a73397..a7ef35c 100644
--- a/hosts/hetzner-arm/profiles/restic.nix
+++ b/hosts/hetzner-arm/profiles/restic.nix
@@ -97,5 +97,18 @@ in {
 pruneOpts = ["--keep-last 50"];
 timerConfig = backupSchedules.restic.high;
 };
+ vault = {
+ user = "root";
+ paths = [
+ "/var/lib/vault"
+ ];
+
+ repository = "${repoRoot}/Vault";
+ environmentFile = secrets.restic_backups_env.path;
+ passwordFile = secrets.restic_password_vault.path;
+ createWrapper = true;
+
+ timerConfig = backupSchedules.restic.high;
+ };
 };
 }
diff --git a/hosts/hetzner-arm/profiles/vault.nix b/hosts/hetzner-arm/profiles/vault.nix
new file mode 100644
index 0000000..0e08740
--- /dev/null
+++ b/hosts/hetzner-arm/profiles/vault.nix
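Review bot: The new `vault` backup in `profiles/restic.nix` hard-codes `paths = [ "/var/lib/vault" ]`, duplicating the storage location that `services.vault` owns; `paths = [ config.services.vault.storagePath ];` keeps the backup following the option if it is ever moved (assuming `config` is among this module's arguments, which begin before line 97 and are outside the hunk). Restic also reads the `file` backend while Vault may be writing to it, so a snapshot is not guaranteed to be consistent across keys; either quiesce the service around the run with `backupPrepareCommand`/`backupCleanupCommand`, or record the accepted trade-off with a comment such as `# live copy of the file backend; restore consistency is best-effort`. The enclosing `services.restic.backups` attribute set starts before the hunk.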
@@ -0,0 +1,23 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ vault
+ ];
+
+ services.vault = {
+ enable = true;
+ package = pkgs.vault-bin;
+ address = "127.0.0.1:8200";
+ storageBackend = "file";
+ extraConfig = ''
+ ui = true
+ '';
+ };
+
+ services.nginx.virtualHosts."vault.owo.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:8200";
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix
index 3db1ec8..3070c59 100644
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@@ -27,6 +27,8 @@
 "api-keys/data/radicale"
 "private-public-keys/data/restic/Radicale"
+
+ "private-public-keys/data/restic/Vault"
 ];
 secrets = {
@@ -132,6 +134,12 @@
 simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
 '';
 };
+
+ restic_password_vault = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
+ '';
+ };
 };
 };
 }
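Review bot: With nginx terminating TLS and proxying to `http://127.0.0.1:8200`, every request reaches Vault from 127.0.0.1, so Vault's audit log and any address-based controls lose the real client address unless the listener is told to trust the proxy's header; add `services.vault.listenerExtraConfig = '' x_forwarded_for_authorized_addrs = ["127.0.0.1"] '';` and confirm the virtual host actually sends `X-Forwarded-For` (for example via `services.nginx.recommendedProxySettings`, which is not visible in this diff). The container this replaces granted `CAP_IPC_LOCK` so Vault could mlock its memory; on the host that now depends on the unit the NixOS module generates, so check the first start for an mlock warning rather than assuming it, or set `disable_mlock` deliberately in `extraConfig`. Binding `address` to `127.0.0.1:8200` instead of the former `0.0.0.0:8200` is the right adjustment now that the service shares the host network namespace.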
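Review bot: Adding `private-public-keys/data/restic/Vault` to the host's `requiredVaultPaths` moves that read from the removed container identity, but the container's own login `hetzner-arm-container-vault` (from the deleted `containers/vault/secrets.nix`) and whatever policy granted it this path and `api-keys/data/backblaze/Chaos-Backups` remain valid server-side until revoked, which nothing in this diff does or records. Note the follow-up either in the commit message or next to the new entry, e.g. `# moved from the hetzner-arm-container-vault identity; revoke that login and its policy once deployed`. Whether the host and the former container shared one Vault login or used separate ones is not visible here.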
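Review bot: `restic_password_vault` is fetched at runtime from Vault, yet the backup it unlocks is of Vault's own storage (`/var/lib/vault` in `profiles/restic.nix`); if the Vault that `simple_get` talks to is the instance running on this host, losing `/var/lib/vault` also loses the password needed to restore it, and the backup cannot be recovered from the host alone. Keep an offline copy of this restic password (alongside the unseal material) outside that Vault, and record the dependency on the secret with a comment such as `# restore-time dependency: this password otherwise lives only inside the Vault being backed up — keep an offline copy`. Whether the secrets service reads from this host's Vault or a separate one is not shown in the diff.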