From 02a3ccb1a4cd8b61ed76786325d847833f54d852 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 14 May 2025 11:47:30 +0200
Subject: [PATCH] Add secrets env files
---
 secrets.nix | 2 +
 services/docker/default.nix | 128 +++---------------
 .../docker/secrets/docker-gluetun-env.age | 17 +++
 .../docker/secrets/docker-qbittorrent-env.age | 16 +++
 4 files changed, 57 insertions(+), 106 deletions(-)
 create mode 100644 services/docker/secrets/docker-gluetun-env.age
 create mode 100644 services/docker/secrets/docker-qbittorrent-env.age
diff --git a/secrets.nix b/secrets.nix
index a7d41c7..996af1f 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -41,5 +41,7 @@ in {
 "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
+ "services/docker/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin docker];
+ "services/docker/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin docker];
 "secrets/docker-lapi-key.age".publicKeys = [tbarnouin docker];
 }
diff --git a/services/docker/default.nix b/services/docker/default.nix
index 2559bb7..42b00cd 100644
--- a/services/docker/default.nix
+++ b/services/docker/default.nix
@@ -15,17 +15,23 @@ in {
 };
 config = lib.mkIf cfg.enable {
 age.secrets.docker-lapi-key = {
- file = ../../secrets/docker-lapi-key.age;
- owner = "crowdsec";
- };
+ file = ../../secrets/docker-lapi-key.age;
+ owner = "crowdsec";
 };
+ age.secrets.docker-gluetun-env = {
+ file = ./secrets/docker-gluetun-env.age;
+ owner = "crowdsec";
+ };
+ age.secrets.docker-qbittorrent-env = {
+ file = ./secrets/docker-qbittorrent-env.age;
+ owner = "crowdsec";
+ };
+ users.users.tbarnouin.extraGroups = ["docker"];
 fileSystems."/mnt/docker-data" = {
 device = "/dev/disk/by-uuid/39fb44a4-5c01-4337-894f-a6a6f4212b10";
 fsType = "ext4";
 };
- users.users.tbarnouin.extraGroups = [ "docker" ];
 virtualisation = {
- oci-containers.backend = "docker";
 docker = {
 enable = true;
 autoPrune.enable = true;
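Review bot: The two new `age.secrets.docker-*-env` entries set `owner = "crowdsec"`, which looks copied from the docker-lapi-key block just above them; those env files are consumed by the Docker daemon when it starts the gluetun and qbittorrent containers, not by crowdsec, so the crowdsec service account is given read access to whatever the files hold (presumably the `WIREGUARD_PRIVATE_KEY` and `GSP_GTN_API_KEY` values removed from the plaintext config in the later hunks) without needing it. Dropping the `owner` line, so agenix falls back to its default of root with mode 0400, keeps each secret readable only by the process that actually consumes it. The enclosing `config = lib.mkIf cfg.enable { … }` set starts before and ends after this hunk.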
@@ -35,19 +41,21 @@ in {
 data-root = "/mnt/docker-data";
 };
 };
-
+ oci-containers.backend = "docker";
+ };
+
 virtualisation.oci-containers.containers = {
 "gluetun" = {
+ autoStart = true;
+ autoRemoveOnStop = true;
 image = "ghcr.io/qdm12/gluetun:latest";
+ environmentFiles = "${config.age.secrets.docker-gluetun-env.path}";
 environment = {
 "QBT_WEBUI_ENABLED" = "true";
- "SERVER_CITIES" = "Paris";
- "SERVER_COUNTRIES" = "France";
 "TZ" = "Europe/Paris";
 "VPN_PORT_FORWARDING" = "on";
 "VPN_SERVICE_PROVIDER" = "protonvpn";
 "VPN_TYPE" = "wireguard";
- "WIREGUARD_PRIVATE_KEY" = "IJqSQQC2heTOqo0YvqNHq+ZzPmBuKk9vrdo5pZtU2GE=";
 };
 volumes = [
 "gluetun_gluetun-config:/gluetun:rw"
@@ -69,12 +77,13 @@ in {
 ];
 };
 "qbittorrent" = {
+ autoStart = true;
+ autoRemoveOnStop = true;
 image = "lscr.io/linuxserver/qbittorrent:latest";
+ environmentFiles = "${config.age.secrets.docker-qbittorrent-env.path}";
 environment = {
 "DOCKER_MODS" = "ghcr.io/t-anc/gsp-qbittorent-gluetun-sync-port-mod:main";
- "GSP_GTN_API_KEY" = "1egJpY4lciGGs2CkpESR9RR480O4QyLqzKwQ792X7R4plzh5hri0pDsotWqYF1GM";
 "GSP_MINIMAL_LOGS" = "false";
- "GSP_QBITTORRENT_PORT" = "53764";
 "PGID" = "1000";
 "PUID" = "1000";
 "QBITTORRENT_INTERFACE" = "tun0";
@@ -83,7 +92,7 @@ in {
 };
 volumes = [
 "/mnt/DATA/:/downloads:rw"
- "/mnt/docker-data/gluetun/qbittorrent/webui:/webui:rw"
+ "/home/tbarnouin/gluetun/qbittorrent/webui:/webui:rw"
 "gluetun_qbittorrent-config:/config:rw"
 ];
 dependsOn = [
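Review bot: `environmentFiles` on the gluetun container is assigned a single interpolated string, but the NixOS `virtualisation.oci-containers.containers.<name>.environmentFiles` option is a list of paths, so this should read `environmentFiles = [ config.age.secrets.docker-gluetun-env.path ];` (the `"${…}"` interpolation is redundant either way); the qbittorrent container in the following hunk (@@ -69) has the same shape and needs the same change. Separately, removing `WIREGUARD_PRIVATE_KEY` here and `GSP_GTN_API_KEY` in @@ -69 from the tracked file does not remove them from the repository history, so both values should be treated as exposed and rotated on the provider side, with the new `.age` files encrypted from the rotated values rather than the old ones. Purging them from history, if that is ever done, is in addition to rotation, not a substitute for it.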
@@ -95,99 +104,6 @@ in {
 ];
 };
 };
- systemd.services = {
- "docker-gluetun" = {
- serviceConfig = {
- Restart = lib.mkOverride 90 "always";
- RestartMaxDelaySec = lib.mkOverride 90 "1m";
- RestartSec = lib.mkOverride 90 "100ms";
- RestartSteps = lib.mkOverride 90 9;
- };
- after = [
- "docker-network-gluetun_default.service"
- "docker-volume-gluetun_gluetun-config.service"
- ];
- requires = [
- "docker-network-gluetun_default.service"
- "docker-volume-gluetun_gluetun-config.service"
- ];
- partOf = [
- "docker-compose-gluetun-root.target"
- ];
- wantedBy = [
- "docker-compose-gluetun-root.target"
- ];
- };
- "docker-qbittorrent" = {
- serviceConfig = {
- Restart = lib.mkOverride 90 "always";
- RestartMaxDelaySec = lib.mkOverride 90 "1m";
- RestartSec = lib.mkOverride 90 "100ms";
- RestartSteps = lib.mkOverride 90 9;
- };
- after = [
- "docker-volume-gluetun_qbittorrent-config.service"
- ];
- requires = [
- "docker-volume-gluetun_qbittorrent-config.service"
- ];
- partOf = [
- "docker-compose-gluetun-root.target"
- ];
- wantedBy = [
- "docker-compose-gluetun-root.target"
- ];
- };
- # Networks
- "docker-network-gluetun_default" = {
- path = [ pkgs.docker ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- ExecStop = "docker network rm -f gluetun_default";
- };
- script = ''
- docker network inspect gluetun_default || docker network create gluetun_default
- '';
- partOf = [ "docker-compose-gluetun-root.target" ];
- wantedBy = [ "docker-compose-gluetun-root.target" ];
- };
- # Volumes
- "docker-volume-gluetun_gluetun-config" = {
- path = [ pkgs.docker ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- docker volume inspect gluetun_gluetun-config || docker volume create gluetun_gluetun-config
- '';
- partOf = [ "docker-compose-gluetun-root.target" ];
- wantedBy = [ "docker-compose-gluetun-root.target" ];
- };
- "docker-volume-gluetun_qbittorrent-config" = {
- path = [ pkgs.docker ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- script = ''
- docker volume inspect gluetun_qbittorrent-config || docker volume create gluetun_qbittorrent-config
- '';
- partOf = [ "docker-compose-gluetun-root.target" ];
- wantedBy = [ "docker-compose-gluetun-root.target" ];
- };
- # Root service
- # When started, this will automatically create all resources and start
- # the containers. When stopped, this will teardown all resources.
- "docker-compose-gluetun-root" = {
- unitConfig = {
- Description = "Root target generated by compose2nix.";
- };
- wantedBy = [ "multi-user.target" ];
- };
- };
-
 services = {
 crowdsec = {
 settings.lapi.credentialsFile = "${config.age.secrets.docker-lapi-key.path}";
@@ -195,7 +111,7 @@ in {
 acquisitions = [
 {
 source = "journalctl";
- journalctl_filter = [ "_SYSTEMD_UNIT=docker.service" ];
+ journalctl_filter = ["_SYSTEMD_UNIT=docker.service"];
 labels = {
 type = "syslog";
 };
diff --git a/services/docker/secrets/docker-gluetun-env.age b/services/docker/secrets/docker-gluetun-env.age
new file mode 100644
index 0000000..9ae515b
--- /dev/null
+++ b/services/docker/secrets/docker-gluetun-env.age
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB6bm1Z
+R0ZuamUzUG50b1QvdllrUlZ4YVRKaVRhanFWRlBPbDVKaXNRbkdrCk1Ob0VwZFRK
+TE53cWJzVmNid0MzSVp3TkFjOEt3UmE5Q0o3cGgwTFdJL3MKLT4gc3NoLWVkMjU1
+MTkgOTNTUHhnIEFia2hJY3lCOEc1czBlNEZ1dEs0OUQwYmowQXVVVlpyTzFheFVI
+ZzA2QzQKKzY3aFBjWkJOeHhFQ2xsUGhvSHc3ejlraGVnS3B5ejBua0k4Rll5Y0U0
+bwotPiAvckJxYXgtZ3JlYXNlIF8pQSp1Tl54ICJwS2pNSig4ClJKTW5tUXlJTXh3
+bldUbVQ2a1dMcXJTVDBBCi0tLSBXSG82YlFyTFU2YXp6M2pjK1IzMHZCT0RjMlVv
+Smo2dTlwN2RxYmxDelA4ChrTlil3hnuuzsiSzo+XIjDKo4Qev/q2T0/DfhDsHlOv
+loSNU91LEm6C00wf6uNt6YuVjqumlui42z1b2R79S1HHv06cqGUFyFQxn9F4LqTR
+Q2+Xq+M16I3wUevztCoTRLBtBPX2fcOcdKjigyYT7X/hXAOIU1GGMXEQKqkgtTzg
+jzJd5exlYbEFRsfMuVrpWc18dkZfiwvYNmXXERJe5xZpcqi5B15qrPi22/xH8KUC
+cCNZ46KH5Q7p5qi3XrdxYSzgszpr+Cjg/eqkhsXRQIKv3CCZL+Frzycn5ybHgDWm
+w9/wh73jcngAscWN9gDaoqysxwz65hkuNu07a/56YjQ30F13sXR92Bq7McaGUqM2
+rgSAPYEW9qT5QV7toTiB8gZAUCcz+MyjK4vh964EPdQc0975VRIp5KsLhFufc2AN
+fWEbS/cCNKpHFq5oMR/MWSz7dnLpFDVObQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/docker/secrets/docker-qbittorrent-env.age b/services/docker/secrets/docker-qbittorrent-env.age
new file mode 100644
index 0000000..d2638f7
--- /dev/null
+++ b/services/docker/secrets/docker-qbittorrent-env.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB0L1JE
+YkhtRG5yeWZnQzBSblViOUloS2Y5OXhoVFpSaE9IblJTdllXZmdRCjdFd05tWG5M
+b010ZFZBQlc0TVg5SEpoMWdpMjYxWmR3QTFTekNkdUxvdzQKLT4gc3NoLWVkMjU1
+MTkgOTNTUHhnIGt6Z1FkTk9xdFBIckx0a01oSmxPUHN4aGhNMTZvS29UTk83ZlB5
+QndUajQKSG5jMWt2eXdMaFc0VEkvZTRLSFpBeDAxaXpwUFl2Q2JKOXF0VVgwUWRp
+UQotPiArLWdyZWFzZQpYZwotLS0gYXdvWkVrc3dubHJzZ1UydUdYYk1IZ0RKcVNo
+Ym5HOUg4REtNUHRpRDVOawqrsuUHQH8vgSluKn6/fdMSLhws0h8TTJJxaMjUdBk9
+FWyvRqf70W/p3X9P6Waasb97uIbOzcMtlnuljw0WLV9eNrGQ/AQWyyrWavw7UORT
++C/9c7pf7+pzeUi+uXRhTpJzoM25PAowmorEDcDpiRpdUcENy4PZJE+xTZUzZKnH
+oMYK6pmAByzCSTt7DOxLRoSeWejSESOU/uBthVEr9YfO//7naImagz+H8zlBXU+O
+MzGCmaVTgqmByKm2sSg43bwfOuOkvegqT4H5Pq7/gvNbl4VBNNttsgk5WDi7ekfg
+HweTD/0fEojvPUfRt+s9Tz477hR5L2Sq8A/UPUI9O3/YLTcsBBQLRwE7aHwlJU+0
+oNJ5RMAvmSp4dgIQgZ0/X1fR7k35qUQ2gEGyM2ACeNCPmpMYc7c2IeEPHPHcSsXU
+fKkLPSMuWGPVA06aoiqs07MR+A56rcU6dgg=
+-----END AGE ENCRYPTED FILE-----