From e1ac22b2787fdd7bae1ab08630985666ff69220c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 28 Jan 2025 11:22:37 +0100 Subject: [PATCH 1/6] Fix pgsql init script --- flake.lock | 252 +----------------- flake.nix | 64 ++--- secrets.nix | 5 + services/postgresql/default.nix | 48 ++-- .../postgresql/secrets/authentikDBPass.age | 0 services/postgresql/secrets/giteaDBPass.age | 0 services/postgresql/secrets/grafanaDBPass.age | 0 .../postgresql/secrets/nextcloudDBPass.age | 0 8 files changed, 54 insertions(+), 315 deletions(-) create mode 100644 services/postgresql/secrets/authentikDBPass.age create mode 100644 services/postgresql/secrets/giteaDBPass.age create mode 100644 services/postgresql/secrets/grafanaDBPass.age create mode 100644 services/postgresql/secrets/nextcloudDBPass.age diff --git a/flake.lock b/flake.lock index 5e03548..99b74c2 100644 --- a/flake.lock +++ b/flake.lock 
@@ -46,48 +46,6 @@ "type": "github" } }, - "authentik-nix": { - "inputs": { - "authentik-src": "authentik-src", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils_2", - "napalm": "napalm", - "nixpkgs": "nixpkgs_2", - "poetry2nix": "poetry2nix", - "systems": "systems_3" - }, - "locked": { - "lastModified": 1737810234, - "narHash": "sha256-zTS99/ZE8khNnIWFEsF21E6seR9IizGYkY19t6iK7z4=", - "owner": "nix-community", - "repo": "authentik-nix", - "rev": "1fa3cbed36fb03d2f6ceab981d083af98b5c7d0f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "authentik-nix", - "type": "github" - } - }, - "authentik-src": { - "flake": false, - "locked": { - "lastModified": 1736440980, - "narHash": "sha256-Z3rFFrXrOKaF9NpY/fInsEbzdOWnWqLfEYl7YX9hFEU=", - "owner": "goauthentik", - "repo": "authentik", - "rev": "9d81f0598c7735e2b4616ee865ab896056a67408", - "type": "github" - }, - "original": { - "owner": "goauthentik", - "ref": "version/2024.12.2", - "repo": "authentik", - "type": "github" - } - }, "crane": { "locked": { "lastModified": 1725409566, @@ -126,40 +84,6 @@ "type": "github" } }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1736143030, - "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems_2" 
@@ -180,28 +104,7 @@ }, "flake-utils_2": { "inputs": { - "systems": [ - "authentik-nix", - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_4" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -262,7 +165,7 @@ }, "microvm": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], @@ -282,54 +185,6 @@ "type": "github" } }, - "napalm": { - "inputs": { - "flake-utils": [ - "authentik-nix", - "flake-utils" - ], - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725806412, - "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", - "owner": "willibutz", - "repo": "napalm", - "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", - "type": "github" - }, - "original": { - "owner": "willibutz", - "ref": "avoid-foldl-stack-overflow", - "repo": "napalm", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1725634671, 
@@ -346,38 +201,10 @@ "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1735774519, - "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" - } - }, "nixpkgs_2": { "locked": { - "lastModified": 1737632463, - "narHash": "sha256-38J9QfeGSej341ouwzqf77WIHAScihAKCt8PQJ+NH28=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0aa475546ed21629c4f5bbf90e38c846a99ec9e9", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1737885640, - "narHash": "sha256-GFzPxJzTd1rPIVD4IW+GwJlyGwBDV1Tj5FLYwDQQ9sM=", + "lastModified": 1736200483, + "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", "owner": "NixOS", "repo": "nixpkgs", "rev": "4e96537f163fad24ed9eb317798a79afc85b51b7", @@ -390,44 +217,12 @@ "type": "github" } }, - "poetry2nix": { - "inputs": { - "flake-utils": [ - "authentik-nix", - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "authentik-nix", - "nixpkgs" - ], - "systems": [ - "authentik-nix", - "systems" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1736884309, - "narHash": "sha256-eiCqmKl0BIRiYk5/ZhZozwn4/7Km9CWTbc15Cv+VX5k=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "75d0515332b7ca269f6d7abfd2c44c47a7cbca7b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", - "authentik-nix": "authentik-nix", "home-manager": "home-manager_2", "microvm": "microvm", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" } }, "rust-overlay": { 
@@ -498,21 +293,6 @@ } }, "systems_3": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_4": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -526,28 +306,6 @@ "repo": "default", "type": "github" } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "authentik-nix", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730120726, - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 4dbb568..d7d7706 100644 --- a/flake.nix +++ b/flake.nix @@ -7,9 +7,10 @@ url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - microvm.url = "github:astro/microvm.nix"; - microvm.inputs.nixpkgs.follows = "nixpkgs"; - authentik-nix.url = "github:nix-community/authentik-nix"; + microvm = { + url = "github:astro/microvm.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; agenix.url = "github:yaxitech/ragenix"; }; @@ -73,6 +74,21 @@ } ]; }; + pgsql = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "pgsql"; + services.vm_postgresql = { + enable = true; + }; + } + ]; + }; onlyoffice = nixpkgs.lib.nixosSystem { inherit system; modules = [ 
@@ -170,48 +186,6 @@ } ]; }; - authentik = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - inputs.authentik-nix.nixosModules.default - { - services.authentik = { - enable = true; - environmentFile = "/run/secrets/authentik/authentik-env"; - settings = { - disable_startup_analytics = true; - avatars = "initials"; - }; - }; - services.vm_authentik = { - enable = true; - }; - } - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalMicrovmConfig.nix" - "${inputs.self}/services" - { - microvm = { - volumes = [ - { - mountPoint = "/media"; - image = "/var/lib/microvms/authentik/media.img"; - size = 2048; - } - ]; - }; - services.micro_vm = { - enable = true; - hostname = "authentik"; - vm_ip = "192.168.1.25"; - vm_cpu = 2; - vm_mem = 2048; - macAddr = "02:00:00:00:00:25"; - }; - } - ]; - }; }; }; } diff --git a/secrets.nix b/secrets.nix index b8b0abd..182f264 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,6 +5,7 @@ let forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; + postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+Ol11EWgsAMB3OmwTWdBbhPBgtgWHR5h0lCAJDCgCX root@pgsql"; systems = [forgejo grafana]; in { 
@@ -14,4 +15,8 @@ in { "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana]; "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice]; "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice]; + "services/postgresql/secrets/nextcloudDBPass.age".publicKeys = [ tbarnouin postgresql ]; + "services/postgresql/secrets/giteaDBPass.age".publicKeys = [ tbarnouin postgresql ]; + "services/postgresql/secrets/authentikDBPass.age".publicKeys = [ tbarnouin postgresql ]; + "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [ tbarnouin postgresql ]; } diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 5823ec3..9dfee7a 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix 
@@ -10,41 +10,43 @@ in { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { + age.secrets = { + nextcloudDBPass.file = ./secrets/nextcloudDBPass.age; + giteaDBPass.file = ./secrets/giteaDBPass.age; + authentikDBPass.file = ./secrets/authentikDBPass.age; + grafanaDBPass.file = ./secrets/grafanaDBPass.age; + }; services.postgresql = { enable = true; package = pkgs.postgresql_16; enableTCPIP = true; settings.port = 5432; - ensureDatabases = [ - "gitea" - "nextcloud" - "netbox" - "authentik" - "grafana" - ]; - ensureUsers = [ - { - name = "gitea"; - ensureDBOwnership = true; - } - { - name = "nextcloud"; - ensureDBOwnership = true; - } - ]; authentication = " host nextcloud nextcloud 192.168.1.44/32 md5 host gitea gitea 192.168.1.14/32 md5 - host netbox netbox 192.168.1.45/32 md5 host authentik authentik 192.168.1.125/32 md5 host grafana grafana 192.168.1.27/32 md5 "; - # Not great, not in prod, cleartext pass - # waiting for ensureUsers.*.passwordFile option - # https://github.com/NixOS/nixpkgs/pull/326306 initialScript = pkgs.writeText "init-sql-script" '' - alter user gitea with password 'password'; - alter user nextcloud with password 'password'; + nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path}) + CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB; + CREATE DATABASE nextcloud; + GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; + + giteaSecret = $(echo ${config.age.secrets.giteaDBPass.path}) + CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB; + CREATE DATABASE gitea; + GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; + + authentikSecret = $(echo ${config.age.secrets.authentikDBPass.path}) + CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB; + CREATE DATABASE authentik; + GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; + + grafanaSecret = $(echo ${config.age.secrets.grafanaDBPass.path}) + CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret 
CREATEDB; + CREATE DATABASE grafana; + GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; ''; }; networking.firewall.allowedTCPPorts = [5432]; diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age new file mode 100644 index 0000000..e69de29 diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age new file mode 100644 index 0000000..e69de29 diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age new file mode 100644 index 0000000..e69de29 diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age new file mode 100644 index 0000000..e69de29 From 02e59846a632cc29aaa5141fc42c0dd623a96a2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 28 Jan 2025 10:20:26 +0100 Subject: [PATCH 2/6] Manage secrets --- secrets/initialPassword.age | 22 +++++++++---------- services/grafana/secrets/grafana-db.age | 17 +++++++------- .../grafana/secrets/grafana-oauth_secret.age | 22 +++++++++---------- services/grafana/secrets/kuma-token.age | 20 ++++++++--------- services/onlyoffice/secrets/office-dbpass.age | 20 +++++++++-------- .../onlyoffice/secrets/office-jwtpass.age | 19 +++++++++------- .../postgresql/secrets/authentikDBPass.age | 12 ++++++++++ services/postgresql/secrets/giteaDBPass.age | 10 +++++++++ services/postgresql/secrets/grafanaDBPass.age | 11 ++++++++++ .../postgresql/secrets/nextcloudDBPass.age | 13 +++++++++++ 10 files changed, 108 insertions(+), 58 deletions(-) diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index 7be04a4..6ccfb0c 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
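Review bot: The new `initialScript` puts shell syntax into a file that, as far as I know, NixOS hands straight to `psql -f`: `nextcloudSecret = $(echo …)` and `PASSWORD $nextcloudSecret` are not SQL, so each of the four blocks should fail to parse and no role ends up with a password. Even under a shell, `echo` would print the secret's path rather than its contents. Reading the decrypted file at run time with psql's `\set` and a backquoted `cat` of the secret path, then quoting it as `:'name'`, keeps the password out of the world-readable Nix store; the agenix secret then needs `owner = "postgres"` so psql can read it. I would also drop `CREATEDB` and replace `GRANT ALL PRIVILEGES ON DATABASE` with `CREATE DATABASE … OWNER …`, which mirrors the removed `ensureDBOwnership` and confines each service role to its own database. The enclosing `config = lib.mkIf cfg.enable { … }` block starts and ends outside the hunk; the fence shows one service, and the other three follow the same shape.

```nix
age.secrets.nextcloudDBPass = {
  file = ./secrets/nextcloudDBPass.age;
  owner = "postgres"; # the init script runs as postgres and must be able to read the secret
};
# … unchanged: services.postgresql enable/package/enableTCPIP/authentication …
initialScript = pkgs.writeText "init-sql-script" ''
  \set nextcloudPass `cat ${config.age.secrets.nextcloudDBPass.path}`
  CREATE ROLE nextcloud WITH LOGIN PASSWORD :'nextcloudPass';
  CREATE DATABASE nextcloud OWNER nextcloud;
  -- … same three statements for gitea, authentik and grafana …
'';
```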
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB5SjZL -dXhYcTh4RjBrUmhSSzBaWXRNZUQ3V1NVRTBZUzNLeUZCYkJmWGpNClZwMU9ldXRK -OGhZNXlFcEE1YzNGSVIwdzBXbFN4SlNWUWMwOGlEMnRQUG8KLT4gc3NoLWVkMjU1 -MTkgTVRPMXBnIHJSKzh1ZzZGeUJldW15Z2o3ejBqUC9EYUlNcHd5ZEEyRTNTQ2xS -STEwaGMKSHNVL1l3cnVQOHIwQTZZN0VqWHgvaXh0UmFxdEE3eWZqaXZFZjQwS05h -dwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgVG9KYmRZenoyczJVQjhYbGkrQXdOclRJ -anhyVS9va3ZxcGVlR3BKV2xoVQplQk15MFhUdzF1REV3Qkt0dElaTTA4aTVBcGNH -ckxTWHh2dFVvUlo2V2JjCi0+ID9BQCstZ3JlYXNlCnVVWno2OEl1NVVNRy9VSHky -TjhGVDFHVjV2ME1GV0o0bHY0NlFoRGFyK2xvSlJudHNBCi0tLSBRd2hIUFV6Tndk -Z0pTenY1YUpEbldvcG1RdzdWUTZVYjRKMkNrZnpOTklRCo2ITrJB/w2tgDVxFe9e -jrmYkqnpujXppfQHXMhDGzdIPrAIEJrEMJp95sdz4EFqqk5mgu3K +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxNTY2 +UWt0ZFVCUTFDeFZGNDRmZ3hsNVBzbFZJNWxRTGliZ1l2bDdWRWlJCjhBRXdxZU9t +NllPYzFpVUdiZjl6MGdHWGJqNUlQWWVaMUViWjcxaWJLS0kKLT4gc3NoLWVkMjU1 +MTkgTVRPMXBnIGRKd1piYlltVjIzL1p4eFBUWEluWXZaakVxVXBJd1JmUTdYMFI3 +YWJwVWMKcWRaTUp4b3hTWlBVRTd5L2hDRThSWW1McHBYNGVxQm9ZS0ZkZloxYzlt +bwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgMmxiL1RaZHJSSS9YMTNLa3B2UlVTMjB4 +Ri9hbEZzSE10Qm5vUjVMU1VDMAp2NDQxRk9LMDhqRlNlZDI2Mk5Ua1BDWk91Lytz +MFVuRzFhaTdpanhVNGZRCi0+IGJhIi1ncmVhc2UKclJnb1FIS1FjaFNKWUV3ZTJn +OTlXKzBxNjZ6bmtSalJJVDFJMEEKLS0tIEFFeG10SlJBSDFTdnZYSkVISFhoT0d6 +d0RuMEhvVXd4REJWVEFKSGFZUE0K4Nv7iSPgPXOAgSCpblobw2u/id2/Ci9wNW3X +usjc2NB/2Qes1BC5SX6terEx/vEYgzU6l6Q= -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index 12da728..ccaa748 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
@@ -1,10 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyArbVYy -QVAralludnhwNVJSMC9WeFAya3J5NUtuemx0TWNid084b3gwNHdRCjlqMVR5K0sx -TTdOT2NEYzMwRCtyWUY2eGVOUmpsKzU4SENiSmJxYzdqWWsKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDlQTWpieUFDTDluV3VlaEV6ak9FRlJ4VVY1NlJWNkdIR1VKcmdl -RThjeHcKMjlSQ3lFMVI0NlRReDIvbjFRQ2FQclc0S0VnRTFCeUp0S25VVW44NDVQ -UQotPiAqTmpzJVctZ3JlYXNlCkYzVkUKLS0tIGpiaGhyMWl5VjMvZ2REVXJXb3FV -V25rTjRORDVXTDZZVG9MbnZFRUU4NlUKsUTcVfmpxX5claATFT9wTiFd2DFLJ9KV -+Un8kZobFeAjeLCZ3r/Cb8vUtw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAzVytr +MzduSmVVTHhkTHdCR2NhS2Njck9TdjF2MUVHaysxZGt1TExKdTIwCm1MQklsVWoz +dGk1QnFiVlUwMFVVMkMyNlhHTWhqTlgwTUM4QS83YlFCL2sKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IHlhRWhuZFZsY0ZtdXR6L2R4RVpodXoyMHh4Sk4xVnBNcWdEVkZz +U2g5VE0KVUNPUGltS1d5Z203NEc3dWZ5MjNGRFBRRmZMWEQyUjVBNmhjTHpQNFhn +dwotPiBiJ3lfLWdyZWFzZSBnCjQwLzArbEdTNE9wR2M5Z0gyWEYrZEtWRjB0NzVm +Wkt4S0xBSGVlZ2xmc01YRjB2UytWZUZ4MWtBbG00dHdJM3kKKzU0c3hBCi0tLSBy +MjcrM2NwT1NBeitFQTBmR1NMNnlUbHdzU3ExYkhZSWtJd3BCako5U1FVCh2ULVgF +smBAWqjkoQpYMMOV8r5kx4CXyfnLvZNJlMv4B1U6+rXYOEzDTYw= -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age index 1d606ce..5fe268f 100644 --- a/services/grafana/secrets/grafana-oauth_secret.age +++ b/services/grafana/secrets/grafana-oauth_secret.age 
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBtMm9n -VGJyeEdFckZjWHNybm94b2crSE0wclE1QlRXZkVGMVk4U1hMdFJBCnhQL3FSdW9l -cUdNNThIdDVwQkxZWEQ2ZXZuekpKcWxQNy9jZlVoTVArZEkKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEtwTmV3ckQybkd3L3R0TFp0a2JMTzNiMmdyNkNyVkdHUkQyd0Fm -cGkxamMKeGNCSmF6TCtkVXZ5WG5Cd1F6WmkxWjlRZ0FCZ0p1NklPcmw1bFJ6dFNv -ZwotPiAoLWdyZWFzZSAzfUpGL0QgOEtFWXdwCnJCNTFoeTQzUVJlejRUakRqREVy -WS8zTmh3aUptcE56RDBqMld3NXNKZwotLS0gRnlBdEc1cVZOeDFQblAwOVN1MDUx -Yko2UEJ6UE14Z3haUW5XWjJzNFVodwrg7eJ6dnbIAjvsz/XoktAot7G1+u1UJsAE -QkLEtM7DpcFEvESO3JOhuIO/l6qoWjDuksh7yNhdLv2uOKa7ZpM5Q0DGFnRke3Qk -RU2E2UU4w30cmAXFm75NT2T9Po0R182Px25gV7fvfNHMHmONFJZRqNxS2IUDS20W -hDqk+ea9mnYNG1icpmYPj56OpKt+mqrf6kSFuU+R6zwIcoKpMR2wCA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBMdWE1 +bHljSDRoY3YwTmVWVGZYdVJPSzh4Y3M0OFJLMlNWVDVqNzNsYjBjCnhMbDE5UVVp +OVNuYXFuU1o3TllvMW1tRWlJQkFJekRhWkNhZXpYR0JaMFUKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IEhsZU5mcFA4TkxEZWFLWmFISnArRmtvdlJJNzZKa01HbW1NT0RW +eUhqU0EKNW9BQjBWZDhYT3UyYS9BNmp5TUlnREVlekFxSHpQMXVGWWhKTDdZd250 +OAotPiByIlNMLWdyZWFzZSBxVnozIDs3bG0iIGAKRDc0dFhNZ3JHc0NQZ3ljeDNG +UVkzY2dJaWxVQkdFcm03NExUUzFTVEpvSmwKLS0tIFkrTVNiWFdZZStIMXRlRFBZ +cVdCMldpMVNNUzBnb09rVXRFYlA1ZDBFbXMKVGNN0rtRqPXTVa/IZW4u+ix5oNzW +ejnWmxzp9cFCKF3Rq8GfrovrxvzfNUaQn5cmF+hQCz+bl9AQH7mMPTF7waE8toAV +QeGNqYpqGUbmEXMVuzcCqUked8waXdBabhhlKqL05WuDHspG8ks7N/rTzyAcTO9G +btUKGSDQXcxyk/QoKWnKCxI5yoI7GnU9oxjhwOXOJiRGvrIs9HHPi6JFECE= -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index e63927d..0c4f10f 100644 --- a/services/grafana/secrets/kuma-token.age +++ b/services/grafana/secrets/kuma-token.age 
@@ -1,13 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBTQUxm -NFREMUViaURWUURzNmxXMjRaZXlYVWczUUs5TXJ0WXIrdEhHTXljCnlBeEhhUmdq -eGlYbTV3eEg5blBaRnIwRWcycmJOd3NZZUpLMUU3RXo2SGsKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IGlZVURNTGdzMGozbnJBMFdoRTI0aDhoeXk0UkxMYVFYaERXWHo2 -RjRLVzQKbjhDQWQrSlF3enRDcE5lcXRDYitvcDdlT3pEbjNUMDRDbE9tUGdUZWY4 -SQotPiBRTCcuLWdyZWFzZQpHVGFOQ0NSZ2c5V1MvZ3UxZXZ6UFhaQ1pBT0NGa0RB -MmVnakZMcTBLWnhEK3NWaGJEeU1Xd01lT1pWQ3N5aHFqCmlHelRmdUkrT0c1ZTZP -VmJRQVlweURMd3htM2IvN3o4NDM0MjduQ0w1a1VaRjBjcgotLS0gTmRzWC9VZjhv -N0VjUnZjbUpCdWIvaVNSRFlObVc3T0NDMEpKWVFVS2RTOAoVROmS4bW4nX6JXqWC -DAcXSN8GvUVqrbnh7W6KHpPLvUc3AK1dZ6cKqb91WOQVBpEOfjWqd7tE8Rp+IAa7 -/22y3xxHOz46gLDI4Byyjw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBSVVNB +ZnBDdGtWbGRJK2hCMU9IWm85T3BVN0J3ZXpmbHZXclI2Tk9wS200CmlMODNQS1g1 +WGRENHRjN2dBMWpLbFFCcVRuSldtcWJDL1NCM1c3UnJDSTQKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IEVRcXphbE0wY1hybTVVMHVDaXpRdjkrZldsTm15N0pNQlVZa0Zo +NUhvUjQKVm5OM3pMbWhpeXFSSGVuS3gzWVBDUDhQVzhCWUpqbFFTZjNlUWY0WTFZ +RQotPiB4aHh3YWV8LWdyZWFzZSBKcCB+SDA8CnhRCi0tLSB1WmtJTWlSOGQxamNu +d0JjWHFQZUVqU0xHTmhkRHFYNndLV0Z6M3B0QStZCnbzddApbyGbtMMfujvFcNvq +XIj64QynycmBMIix7DfEBlS6UQ/bGm1kEMRwPDDtXopbudZ0/8IqhPBXm8ZhzSs6 +SUeMr8vym15uBx4F -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index 488bba0..6f3ef04 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,11 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBocWVS -dS9jdG85QSsza20rbWhBVkwvQXF1dWxYNDMrSURhMk5RSktFNGhFCjJGY1pPazdV -b3ZJMGVaNC9VcGxoZzlhZWFSYUkzM0hFdUNCaFRXSDNqV2sKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIDhMeStYYW1RWEg4ZHFReFF6QjhONE1SUi9wbTVMVi9vQmRxS1dM -SWlmU2cKRkdlK1pIRDAzd3laVXg5Q0dIQllQbkF1cjhVeEpwa1c5d0xWVUFxMThW -awotPiA3US1ncmVhc2UKUmFCODRUSi9zdzdlcitUaXNwTHg1eHE5QjhmVEZaa09P -dUphRkRkajRXTmpWUUh3U1ZySk0xNUhLaVpCaWlVCi0tLSBWQkprbFBXOWNjU3pt -UVpza3ZjSDk4QllEQnpIU3BoNzU5L3RLS1hOZHRFCqYg1Z912qrGFWLIfhSyoKiW -r0cvLu4276n5bEw0rUzpyPrr1QaXHdOyjdNOrlc= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2MHA1 +OEo3Y0FJb21oSUNrVVB1ZEV0R2txOERQVzdSVFdhT3Vyb3h0NWpjCnAyR0k5ck04 +S0N2VWk5aGd3R1puU2RiYmJyVm1NTTZjSUZRK2FBWUtWWkUKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIGdXeDFyV1lTbGpwSnBXMURpd2E0NjNSRTA3YzF6N0xrVEVBRHdq +dUJoRHMKNHUwT2pqR0RGQW83ZUpEVWhGNmZQdktHczRtVDRIWkY2ZkZMMEZKOUZQ +dwotPiBwLWdyZWFzZSAxZCBLfDIKZVVLTkltOUNEZTZOSGFJaFIrWXd1MDlhSk82 +VnFtaytxMHlDS21HQngrZXJxeEkrTWRCdVlBY3FKb0I3bGR6LwppbjhxU3ZpSFdY +NFVIU3NGV3VoN2huN3RtaktrVmxyTlhjRkoyenMyNlVCT0lsb2Z4R3pjaDJjaUhM +S3M5UQotLS0gRWlsRytTU3BvUkdtQXppcEFtMnJUMU1uWWZoSHJrOTFjTnUxa1dk +ampsNAoBLXSvxFyybYqAPsCqHaL9soMr555CZCAE9edgPa3TrS/Fn/inu5htip6k +AMS+ -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index 7157924..0d5c5c7 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,10 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBybjlG -ZXVqakxMNjB5L1dDZnZnMW92M3lpTnhwMU1qMXdVYmQ1RXZwTFJnCkV6L3lKSXA1 -Y0FqQ0htUzdRTXFqVitIVUp1K2VKc2RUNTlQNWJLVTBFNDAKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIDVXRUlBcHRucDc3ZzM4SG9UUUY0dzNJV2ZlWkRncXVGWm5Gd2xp -U0E2d0kKOGNTUXhFL2xDZTNPK2MrVTA0Qjduci9rS201UDJYaDlaajV3Q091VEFq -RQotPiBxZy1ncmVhc2UgPmYydCBwfG8gPCBhWGFgYUYqLwpYZWMKLS0tIHlrbkd1 -b1dQdTJKVXhYMlhJdmhCU01iT0ZpRC9BZEVXSXhsWDBjc09yMkEKi3aQtU6pMcZ+ -F+DZFI/hTYJ3AXYhkyTlNK47SzF4Ut6RLqzvUAT0scIf1kGepzITUg== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4SU9O +cXRwK3hqVUxSYjJiUDRzclFJeTZsWkpYc2dLZlZuZnhLTUNYN1c0CmtabExidWdZ +MXBtV2M4T3ROMHZDWjNVRXpzYXo3NHM4UVN4RjZTZmcvbmsKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIHg5dGJCaVp4NEthc1dram1zNVFyNEszWXdqVjh1bjN0N3U4Ynpo +Q0RveGcKWFRtY1JDL1ltLzRZNitwTkh6MktISjZlV0NOdWl1STV6Z0VBZDQ1ZU5S +WQotPiA+RWEtZ3JlYXNlIG1pY1IKR1lWdkU4TWsyYUI3MGl1MUZEcmR3S0dhVGhi +c3FWUUordHQxcys1WStIZGJ3dG1YNTBLNVhuYVNPeitscGt6egpPOG04Mm9sSDRs +M2RGeE81Q0Y3WUp4SnozMXQ2eDYxQmUwOFN3S3J3YXNxS3N1eDdyMno5RHhkK2xR +Ci0tLSB1R1J4NWIveXA0R1FlYVpyaXUzcEFFUGN2T1hGRWNNdVYvUnpsTkZrRFU0 +Cvc2R5V2SnftU/ocO5xU7Rdf2FuMMOjEYptyoLzBSA9WCZVG5RL3m7ECPLOaT8jC +pAw= -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age index e69de29..d582d09 100644 --- a/services/postgresql/secrets/authentikDBPass.age +++ b/services/postgresql/secrets/authentikDBPass.age 
@@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBHelAz +NTdXWjRLeXpvenJHaHcrMEsrTlNNL25iZllzNWdMVWpsdjVleEhFCnRwZWpHL0Rs +dXVMZTBBazNUR3pYQk1ZY210RE1DR2kvQUdDUmxXUnpGYjQKLT4gc3NoLWVkMjU1 +MTkgRERORkdnIDg3ZTRDK2Roem8yeHZmVkEzTmhya0xNeDVBTndJSmFlMWJlNlRU +YURXZ0kKbXRpblAycUUreXg4SEUvSHZZcS9wUDBpalRJRjVyM1NldmtreGppY1d4 +TQotPiAhdzwtZ3JlYXNlIF0+PGInUFUKRlJQcFZITVR1ZE9HSWZwU2U2M1ppR0pM +dC85K0JhTlFZTlpESEJLRnlkZUZGZ0xnanhRSFdYVk1kaDR2N3Z3bAo2cDZKWE05 +Z0NBM1FIVDQKLS0tIDEwenVReXU1SEdsYmEwdlM2QUl5NnZvdHJiZkJ3QUxtSlJB +QWpYeHFUM3cKVqrhAwJYiUTH/CMoRZ+a+g1acG88gXGz+vZl+ZZLgXQjgEVYAzNQ +7N8xAYdl668C +-----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age index e69de29..604d772 100644 --- a/services/postgresql/secrets/giteaDBPass.age +++ b/services/postgresql/secrets/giteaDBPass.age @@ -0,0 +1,10 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBQZDRw +bDNxWkF5d2JoRmJwdFhOZ05FdmgyYUJzaWhzR1dHRUFQR09raFdzCjhHYk1DNkNm +dzhnTThnbm5TY1dYU3lWZG9sZ05JV1lwQ2hlY0VQcGptV1kKLT4gc3NoLWVkMjU1 +MTkgRERORkdnIERsUm40MThEQ084R1NRVVlwMEpwWXlxcUM4R1RLbnoveExPd2xC +OU4zQ1EKQjdJTE9VNjJoWklwTDNNcVo5VDJjTXV3QjhDZ0Q5elFNWWV2Vnc5akVm +RQotPiB7NF8tZ3JlYXNlCmZ5SjZOMm80eDRwOVBCM2Naa1U1STRFUgotLS0gV2Ir +Sm1RRXBVSjFDRmkxc3NheUtIWGRxdGpRMU1BNHFWcENENXZFQm5SUQpPLzxgUJjq +JVnuUu3yPQGd7Lg59B3/Zx+O2CaVwhJRsG9UtNAQFjQ1wafi6g== +-----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age index e69de29..5469b22 100644 --- a/services/postgresql/secrets/grafanaDBPass.age +++ b/services/postgresql/secrets/grafanaDBPass.age 
@@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA0Q2VV +V3FiRG12YVRmQUZ3dnNZZnRGNWNNc1Q0OVY2SEhFUDlBWnVERjJ3Cmx6M251bWZC +c2JwKzdJQW11eVk2VHZ1M0VYWUdJYmdXaTlTcHJtaEpwRk0KLT4gc3NoLWVkMjU1 +MTkgRERORkdnIEFHY2pNL2tkTjZUTkZqblBQb0FyZHl1aHJhUXR5eVQ1OEh5VEth +blVpQm8KT1VwQ0YvRVh3NXE1Mm56aGpKYnQ1dDNBL0NVdkJST1hkcVN4TDRlOVpK +WQotPiBpLWdyZWFzZSA7alR+MkIgTk9IamggcyRiIEE5PE91aF0mClRwbEFHTE10 +TXRaL1hQeWF3NTRuR0pObjN6TW5TUC9xN09CTnRySQotLS0gd1gwT3RWcUQzSUZu +dXpielppN2Fya3VudTU3bGFlRExJWWIyQ0o4d2dmSQosIoHtBd/8voBFCFP2w9+6 +3HzT2b7AvfD2h01LGaxvhxAiMGMmuiAQQW93srnX +-----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age index e69de29..8ee3f3c 100644 --- a/services/postgresql/secrets/nextcloudDBPass.age +++ b/services/postgresql/secrets/nextcloudDBPass.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlTWZr +cFhQVHc1Yjk0Y0xYeVBqUkhmc3FPaEVCaFowSEEreFlLeDIvbUVvCjkxbm5YdnBs +d1pDYjZOeHZjUzVLQ1hGVnhRYzJjMzY2RlRyRW5TRzRWYWsKLT4gc3NoLWVkMjU1 +MTkgRERORkdnIDlZcmZ5TDJSNWFRalVzdUlWSWRRdXlsTk0wREp2NTd3ZDFpeEJE +eGFHelkKdExveWNyTTFDVVg1RlNqdk1aRWFJK0d3UHl3SUlaanA4em5FcHNicFpF +RQotPiBkL2UtZ3JlYXNlIEJhIDxpfCFOIVwgLkw8RjZTViApNT54CmpxS0xKWDVM +ekNKejNyd0U2ZWwxSnFpWHlHbHJsbmVDUWFLTkdNbnRhc1dJRVFsY1hoREJGVWVv +VndFMXJUeDYKcm9LT1RiQm96Q0czdWRZcFQrSFZPaFUvVXNRTDJIdFRBbDkyR3Y3 +NUNIY0grYUdaCi0tLSBmRlF0ZWVyblRvQmZuNWFLMjlxM2JtOGxFQmp3SWJUSkY1 +WnFoTm94TVBnCvZGih5XHuWMFu3Kr+hn2oLAvRPydesiEKRWSL0DJQ/nM3RwsUuN +rHLDNiimTAQqEA== +-----END AGE ENCRYPTED FILE----- From 7ec275cbe27062f20e634473f5f08f0d29759561 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 28 Jan 2025 10:23:19 +0100 Subject: [PATCH 3/6] Manage secrets --- secrets.nix | 2 +- secrets/initialPassword.age | 22 ++++++++--------- services/grafana/secrets/grafana-db.age | 20 +++++++++------- .../grafana/secrets/grafana-oauth_secret.age | 24 ++++++++++--------- services/grafana/secrets/kuma-token.age | 19 ++++++++------- services/onlyoffice/secrets/office-dbpass.age | 21 ++++++++-------- .../onlyoffice/secrets/office-jwtpass.age | 21 ++++++++-------- .../postgresql/secrets/authentikDBPass.age | 20 ++++++++-------- services/postgresql/secrets/giteaDBPass.age | 17 ++++++------- services/postgresql/secrets/grafanaDBPass.age | 18 +++++++------- .../postgresql/secrets/nextcloudDBPass.age | 19 +++++++-------- 11 files changed, 102 insertions(+), 101 deletions(-) diff --git a/secrets.nix b/secrets.nix index 182f264..cfad339 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,7 +5,7 @@ let forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; - postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+Ol11EWgsAMB3OmwTWdBbhPBgtgWHR5h0lCAJDCgCX root@pgsql"; + postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRP52p1Pg1zBZc9ywr61iKAjMhQ9jo7FZvQQgAaV49m root@pgsql"; systems = [forgejo grafana]; in { diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index 6ccfb0c..f063770 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
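Review bot: Replacing the `postgresql` recipient key in `secrets.nix` and re-encrypting every `.age` file does not retire the ciphertexts from the previous commit, which stay in git history and remain decryptable with the old `root@pgsql` private key. If the key changed only because the container was rebuilt, that is harmless. If the old host key could have been exposed, the four database passwords should be regenerated rather than just rekeyed. A short comment next to the key, for example `# host key regenerated on rebuild, old key destroyed`, would record which case applies.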
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxNTY2 -UWt0ZFVCUTFDeFZGNDRmZ3hsNVBzbFZJNWxRTGliZ1l2bDdWRWlJCjhBRXdxZU9t -NllPYzFpVUdiZjl6MGdHWGJqNUlQWWVaMUViWjcxaWJLS0kKLT4gc3NoLWVkMjU1 -MTkgTVRPMXBnIGRKd1piYlltVjIzL1p4eFBUWEluWXZaakVxVXBJd1JmUTdYMFI3 -YWJwVWMKcWRaTUp4b3hTWlBVRTd5L2hDRThSWW1McHBYNGVxQm9ZS0ZkZloxYzlt -bwotPiBzc2gtZWQyNTUxOSB3bkVVcHcgMmxiL1RaZHJSSS9YMTNLa3B2UlVTMjB4 -Ri9hbEZzSE10Qm5vUjVMU1VDMAp2NDQxRk9LMDhqRlNlZDI2Mk5Ua1BDWk91Lytz -MFVuRzFhaTdpanhVNGZRCi0+IGJhIi1ncmVhc2UKclJnb1FIS1FjaFNKWUV3ZTJn -OTlXKzBxNjZ6bmtSalJJVDFJMEEKLS0tIEFFeG10SlJBSDFTdnZYSkVISFhoT0d6 -d0RuMEhvVXd4REJWVEFKSGFZUE0K4Nv7iSPgPXOAgSCpblobw2u/id2/Ci9wNW3X -usjc2NB/2Qes1BC5SX6terEx/vEYgzU6l6Q= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPM09R +eVN0bnRWK1BDSWJHaHNxTFhDUStDUWhLTUpjbnQ5bW9kY2E5ZEZzCktlaDExMHMv +V0NJWTB5amVKWkVSd2Y0UmhGL1p0NE1YTkRUaDZqbDA2ZTgKLT4gc3NoLWVkMjU1 +MTkgTVRPMXBnIEZzT0lpNlhCd2VWZFNwTFVxYWljVndGcElSVUI0R09SdGpHMVhv +ZWpSSDQKS2VBeEFicEloNEdlS01mNU9SU2F2a3QvMWRzcDhSTTZpWTRMTE01TTVC +awotPiBzc2gtZWQyNTUxOSB3bkVVcHcgUFc1ZDk3T1RYSzIzcWhGdmpJQ1pwYzVV +L3RFWmxVRzlJNzNCMnZSRFVYZwpCWHduc1NYcWVhUlEyNENDa2ZMbWkyRXFoWlZL +eXgzaUJxWkg3Nlh1dDNBCi0+IDh2ckxKK0YtZ3JlYXNlIHFMZiBrKF5LP1EgUUtW +RGZpKgp5b2x5cGJEb3FQSmlKRHFMNytuMQotLS0gN0RNSzlTZGhXeERjZWpSVFNq +ZktYbVJMRml2UTRNMEc4NUlTaTQwL1drYwrJqloEOrJgfdbOuTqbZvBj7zI+bFrv +CJA5AhL4z+RaxOxCO/z/8tsRdOMv8SEuf5Xy8lPugw== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index ccaa748..dbeccf6 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
@@ -1,11 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAzVytr -MzduSmVVTHhkTHdCR2NhS2Njck9TdjF2MUVHaysxZGt1TExKdTIwCm1MQklsVWoz -dGk1QnFiVlUwMFVVMkMyNlhHTWhqTlgwTUM4QS83YlFCL2sKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IHlhRWhuZFZsY0ZtdXR6L2R4RVpodXoyMHh4Sk4xVnBNcWdEVkZz -U2g5VE0KVUNPUGltS1d5Z203NEc3dWZ5MjNGRFBRRmZMWEQyUjVBNmhjTHpQNFhn -dwotPiBiJ3lfLWdyZWFzZSBnCjQwLzArbEdTNE9wR2M5Z0gyWEYrZEtWRjB0NzVm -Wkt4S0xBSGVlZ2xmc01YRjB2UytWZUZ4MWtBbG00dHdJM3kKKzU0c3hBCi0tLSBy -MjcrM2NwT1NBeitFQTBmR1NMNnlUbHdzU3ExYkhZSWtJd3BCako5U1FVCh2ULVgF -smBAWqjkoQpYMMOV8r5kx4CXyfnLvZNJlMv4B1U6+rXYOEzDTYw= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB4T3Vr +aTdZTG82QXljNk1NanFzbFkwbzBXWEZ1SzFNc3IxMGRuVk05TWhFCmxFaHF6QU9N +N05Na0JDb2Z2U0NWYnRaTTZRdTZXQzg3QTZndnBqRlhEYVkKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IDEzaDVsNU15UUcwcllIVTBPMVFkOXNzclgvV1RaV0I5cmI4aVBj +MEZFMWMKelNEc1M2UFZpTzV0YU54cW1hOUNtQldHQ3gzUG1nV2pNVnFLY2Q1NE1K +cwotPiBwMkktZ3JlYXNlCkdrR0FmZjV6R3d2K2VyS1c5VkhlSUo5UTluSktNZ1lK +M3hpVnNRV2diOEYyMFBOVzcwaXdGVnBoUEprbjgvb3oKRU9FeEk0M1Y5ZkxleEd4 +V3J0WWk4eTAzdVY5MS9neXd5T056cm94NXRhSC9Hb2l0TFBKVlJEUUpJVzRIZzNV +QwpMSUUKLS0tIHgvd3J1MGNmMytEUFlRY3J1YWVIcEdPQTZ3aW1VYlpxQmVyNkpv +OTJmbU0KorOMji8zS8qIpQKkGI7zRBWzAdmrUMz7kMvaixi0zQS45lVJv6jL8yvg +wA== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age index 5fe268f..0b056ff 100644 --- a/services/grafana/secrets/grafana-oauth_secret.age +++ b/services/grafana/secrets/grafana-oauth_secret.age 
@@ -1,13 +1,15 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBMdWE1 -bHljSDRoY3YwTmVWVGZYdVJPSzh4Y3M0OFJLMlNWVDVqNzNsYjBjCnhMbDE5UVVp -OVNuYXFuU1o3TllvMW1tRWlJQkFJekRhWkNhZXpYR0JaMFUKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEhsZU5mcFA4TkxEZWFLWmFISnArRmtvdlJJNzZKa01HbW1NT0RW -eUhqU0EKNW9BQjBWZDhYT3UyYS9BNmp5TUlnREVlekFxSHpQMXVGWWhKTDdZd250 -OAotPiByIlNMLWdyZWFzZSBxVnozIDs3bG0iIGAKRDc0dFhNZ3JHc0NQZ3ljeDNG -UVkzY2dJaWxVQkdFcm03NExUUzFTVEpvSmwKLS0tIFkrTVNiWFdZZStIMXRlRFBZ -cVdCMldpMVNNUzBnb09rVXRFYlA1ZDBFbXMKVGNN0rtRqPXTVa/IZW4u+ix5oNzW -ejnWmxzp9cFCKF3Rq8GfrovrxvzfNUaQn5cmF+hQCz+bl9AQH7mMPTF7waE8toAV -QeGNqYpqGUbmEXMVuzcCqUked8waXdBabhhlKqL05WuDHspG8ks7N/rTzyAcTO9G -btUKGSDQXcxyk/QoKWnKCxI5yoI7GnU9oxjhwOXOJiRGvrIs9HHPi6JFECE= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBRSFpq +TGpzZXdWTjY3UUx1MGQzblAzSXJoM3VseFBEZ095WWpmTTZCTUg4CjI0R1JoSEd6 +cUgrU1NITkcxRHcrN3hXVm9mTGdlVjByU3Q0ZGtranFaSzAKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IE9CQ29NRFFDNTBsenhtUlNBQSt1YXF1RmZBcW5VWWJsL29oa25E +dm1iRlkKbWk2Z2QzbG95RXROZ0xkTGxxTnZ3MVlHNjNhL3VuN1lMSVNIWVNvOWV4 +bwotPiBqRWtGLWdyZWFzZSApW2NKaTgvCndnZjhqOW1kbmdycHZEK0ZtTTBWZUl0 +R28vMzFad3k0c2pUbXFSNFRLQ2dHZ2dFL0Q3dHNVVUVKeXNLdlJrcXQKbU92L3Iw +TmNMNy90ekRxR2dLMGdBMkxFNjNDSFBNVVdaSktET2xJY25TMVowdwotLS0gNWc3 +WWIzTWlyRWN6Ukh3QXh3eUZ6Y0FhLzFqakVNNTVlU3FKWEtDb2dzTQrHuYbbpKNA +5Be45skIhBObjU7fOTgQUYm6odJz9N8u+wcGqYSWzUTYGuXWGUNKY5G21Pq2KmXb +f1+yKPaOkSVYDQyEIvKEGSLepBipKhuvzPUmHE0GX7/j/jsMgQJyVgShiuTVmiS6 +UKhgyC92t4iLY7wS/G1Dt4VWHqE40W0OIQRdHiHgP95wXFQsh/aMGiF5rIAwGEKQ +v4RcC7buznusZA== -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index 0c4f10f..29a7f8e 100644 --- a/services/grafana/secrets/kuma-token.age +++ b/services/grafana/secrets/kuma-token.age 
@@ -1,11 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBSVVNB -ZnBDdGtWbGRJK2hCMU9IWm85T3BVN0J3ZXpmbHZXclI2Tk9wS200CmlMODNQS1g1 -WGRENHRjN2dBMWpLbFFCcVRuSldtcWJDL1NCM1c3UnJDSTQKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IEVRcXphbE0wY1hybTVVMHVDaXpRdjkrZldsTm15N0pNQlVZa0Zo -NUhvUjQKVm5OM3pMbWhpeXFSSGVuS3gzWVBDUDhQVzhCWUpqbFFTZjNlUWY0WTFZ -RQotPiB4aHh3YWV8LWdyZWFzZSBKcCB+SDA8CnhRCi0tLSB1WmtJTWlSOGQxamNu -d0JjWHFQZUVqU0xHTmhkRHFYNndLV0Z6M3B0QStZCnbzddApbyGbtMMfujvFcNvq -XIj64QynycmBMIix7DfEBlS6UQ/bGm1kEMRwPDDtXopbudZ0/8IqhPBXm8ZhzSs6 -SUeMr8vym15uBx4F +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBRbzlL +anBjcHRpYTFucVBZTHBTMDJPa1krMjFKcUNaYjRVWnN2S09QQ0dJCjFaMTNPUHNW +QlRHQlJPQjJla2lTTE5OMXpMLzBGZGNlU0s1aFl5VmRnaDgKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IFpvbTJsNXJKWHRxTUg5MkpOMWxoSVJUd2NRc2ZzbGEwSHk4dXhR +cDV3RFEKQmxpbGV2di82TndoTmtqYlZNbzRJYVJGdXU1ZFNLcWFXSWVsQmtvS2VK +bwotPiAzcUEmJi1ncmVhc2UgKy50SVdTOjYgRCB5YE9mRTZZXCBlPQp2KzRJaUlS +ZmpVcGVRYWxmNm0xMGtoT2JkRTVvOTZFRU5DLyt6aHNudHl2ZXQxanE0N0hpUkxv +R0hyajE2a2sKLS0tIHpFU2w1UGV3blIrTkUyNThZSDNJWVVCMCtoTnJtY1cyTXo2 +MUw0VDhLWUEKTNVRd90rB1+mz1gFlU7XOajlI5ETkiPOdQO1IslYIoVVadFkljZU +RX3oneaRfGTou9VvDINV8Mg3i2sMcMQ17hgn3AlFccxMIvHY8d4= -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index 6f3ef04..b089781 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,13 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB2MHA1 -OEo3Y0FJb21oSUNrVVB1ZEV0R2txOERQVzdSVFdhT3Vyb3h0NWpjCnAyR0k5ck04 -S0N2VWk5aGd3R1puU2RiYmJyVm1NTTZjSUZRK2FBWUtWWkUKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIGdXeDFyV1lTbGpwSnBXMURpd2E0NjNSRTA3YzF6N0xrVEVBRHdq -dUJoRHMKNHUwT2pqR0RGQW83ZUpEVWhGNmZQdktHczRtVDRIWkY2ZkZMMEZKOUZQ -dwotPiBwLWdyZWFzZSAxZCBLfDIKZVVLTkltOUNEZTZOSGFJaFIrWXd1MDlhSk82 -VnFtaytxMHlDS21HQngrZXJxeEkrTWRCdVlBY3FKb0I3bGR6LwppbjhxU3ZpSFdY -NFVIU3NGV3VoN2huN3RtaktrVmxyTlhjRkoyenMyNlVCT0lsb2Z4R3pjaDJjaUhM -S3M5UQotLS0gRWlsRytTU3BvUkdtQXppcEFtMnJUMU1uWWZoSHJrOTFjTnUxa1dk -ampsNAoBLXSvxFyybYqAPsCqHaL9soMr555CZCAE9edgPa3TrS/Fn/inu5htip6k -AMS+ +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuZHZx +NXZ2eGh6V044cmJsNmtjZzRtTFJkbElLNVFjVFRrOGpEeldEbm1JCjgyUFcwRWZo +ekNtcWwycWZSSGhRRG9Zd3ZqY0NJY2w3ZzZuelhtbU15Um8KLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIDdvWFhEZ09FMWN0d1Z1WkIyUVRPWXFLeGpLQkoxTmVIMlJHWlU3 +YlFuekEKOWhTMnRaSXRuL3d5SVBWUi9LQURPTm1JTDVubk1sYnkwOHlmNWJXUW5i +YwotPiBULWdyZWFzZSBvejB2NC9lQCBNdXMgJEBNPCBxdiQjOzsvCnF0ZzZjMXNm +K3ZkZ1NZR2lxL2c5VTVjOHN0d1FwN3I1Ry96MXljMkkvYUFsc1Q3Y0lPYk81d3A5 +dzlYTTlnSHQKSld5NAotLS0gQm83Y1Ewcm9kMmx4UVptM2NmVHBqaWU2UDJVaTdZ +dHFKeURzaVpjK3ozZwqQZrz4zVWepgK+JMT0q+fB02yL8Kkv557wmFoukJH3JNLX +gkZNHNCxqkvsDNWI -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index 0d5c5c7..2da1a86 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,13 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4SU9O -cXRwK3hqVUxSYjJiUDRzclFJeTZsWkpYc2dLZlZuZnhLTUNYN1c0CmtabExidWdZ -MXBtV2M4T3ROMHZDWjNVRXpzYXo3NHM4UVN4RjZTZmcvbmsKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIHg5dGJCaVp4NEthc1dram1zNVFyNEszWXdqVjh1bjN0N3U4Ynpo -Q0RveGcKWFRtY1JDL1ltLzRZNitwTkh6MktISjZlV0NOdWl1STV6Z0VBZDQ1ZU5S -WQotPiA+RWEtZ3JlYXNlIG1pY1IKR1lWdkU4TWsyYUI3MGl1MUZEcmR3S0dhVGhi -c3FWUUordHQxcys1WStIZGJ3dG1YNTBLNVhuYVNPeitscGt6egpPOG04Mm9sSDRs -M2RGeE81Q0Y3WUp4SnozMXQ2eDYxQmUwOFN3S3J3YXNxS3N1eDdyMno5RHhkK2xR -Ci0tLSB1R1J4NWIveXA0R1FlYVpyaXUzcEFFUGN2T1hGRWNNdVYvUnpsTkZrRFU0 -Cvc2R5V2SnftU/ocO5xU7Rdf2FuMMOjEYptyoLzBSA9WCZVG5RL3m7ECPLOaT8jC -pAw= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlZDdv +bDM4d3NCQkl0cTM1N2hmM1JsdElBVzh0VHJRd2Z2U2JLcUFwSWxFCmNRMytUR2hw +Rzc5WUlwbDhjZnA1SGVTVEFqa3UxSVM3d1RrSHJUR0xBZHcKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIEVCY3lpT1B1ZHkrWE1kL3NSa0hOZlplT2xlSHkybmxteHpxbkVh +UTRIRjgKemdFaCs2c2JWYkhRTHIyVUk0bE53dVY2aUxIblJ3WUVqbzlaTDV1ZzVj +QQotPiA6bC1ncmVhc2UgK3RoJ09nIHgjQDNGWCBzT1c1PEAgU0NyIm08KQpVM3Ba +STBCOUxzdGRWMkpZendmOTN0YnN4akM5dG0rWDZOdjdIcE9OZSsybTlYbUJyY0lo +cnRub1VtZVVJcHllCkdTalA1UE5rRWxrTEppWHBPUEI4V09DbFE4TTllV01QCi0t +LSA4aFlvN3hDZ1k3emh5STFkTEJsSlZDYitCQ05rOHdYWTdpQmZ4SDk3Q29jCvDW +ssSwiHfGd40yaprJdEkaTCBefdXymmKh3nlC11vjK+sXUZB3+PVZP8ZNT+IXoVc= -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age index d582d09..8f76b5a 100644 --- a/services/postgresql/secrets/authentikDBPass.age +++ b/services/postgresql/secrets/authentikDBPass.age 
@@ -1,12 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBHelAz -NTdXWjRLeXpvenJHaHcrMEsrTlNNL25iZllzNWdMVWpsdjVleEhFCnRwZWpHL0Rs -dXVMZTBBazNUR3pYQk1ZY210RE1DR2kvQUdDUmxXUnpGYjQKLT4gc3NoLWVkMjU1 -MTkgRERORkdnIDg3ZTRDK2Roem8yeHZmVkEzTmhya0xNeDVBTndJSmFlMWJlNlRU -YURXZ0kKbXRpblAycUUreXg4SEUvSHZZcS9wUDBpalRJRjVyM1NldmtreGppY1d4 -TQotPiAhdzwtZ3JlYXNlIF0+PGInUFUKRlJQcFZITVR1ZE9HSWZwU2U2M1ppR0pM -dC85K0JhTlFZTlpESEJLRnlkZUZGZ0xnanhRSFdYVk1kaDR2N3Z3bAo2cDZKWE05 -Z0NBM1FIVDQKLS0tIDEwenVReXU1SEdsYmEwdlM2QUl5NnZvdHJiZkJ3QUxtSlJB -QWpYeHFUM3cKVqrhAwJYiUTH/CMoRZ+a+g1acG88gXGz+vZl+ZZLgXQjgEVYAzNQ -7N8xAYdl668C +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBEdXFI +QTZyL2c5VnFBbWwvY0Zwa2hkSnpuc3IzeFVBd2RUUHRVR2VuQkRjClAvVmRac09V +SzVaNjI2YVhFWGVDdnJ5SWVRMjVFY09IaThGL0dkUUlXWWsKLT4gc3NoLWVkMjU1 +MTkgcm54WFpBIFIvaHNlcFRtM1dTN0Y2Y2pwak1FT0laT0llampkUVNYQU1yQUs5 +UVgzVGsKSFRoVEFBWTkrMnJkSEdKWEtqNE5nNjkxbEYrUHhYUGZxaE9pQllWcGZM +dwotPiBCbXdwZnMtZ3JlYXNlIHRUXnIjdU4gaiBIYGN0bV9uIEgKYTB3ZlBNcVdq +dlViTGRXaG1rOHpITU5yZmpBbkNGc1ZEek1oS2FDWWZmUzVGKzdYSTYwbmk4eXYx +SXlQZlFHMgpJYW55N1A1SlVDRUlneERJNUEKLS0tIHFLb1dxeVZXZFhjcVFzY2JN +djh3dTA2RWkvSktCVWZJWjlWUkM1T0NTZWcKGJSV2RSmYsv/LHHUjRki2GYwVOn7 +VwgDvoIZSjH7oUyLoKiXlUTFO9HLrcXrgI/x -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age index 604d772..0d980ca 100644 --- a/services/postgresql/secrets/giteaDBPass.age +++ b/services/postgresql/secrets/giteaDBPass.age 
@@ -1,10 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBQZDRw -bDNxWkF5d2JoRmJwdFhOZ05FdmgyYUJzaWhzR1dHRUFQR09raFdzCjhHYk1DNkNm -dzhnTThnbm5TY1dYU3lWZG9sZ05JV1lwQ2hlY0VQcGptV1kKLT4gc3NoLWVkMjU1 -MTkgRERORkdnIERsUm40MThEQ084R1NRVVlwMEpwWXlxcUM4R1RLbnoveExPd2xC -OU4zQ1EKQjdJTE9VNjJoWklwTDNNcVo5VDJjTXV3QjhDZ0Q5elFNWWV2Vnc5akVm -RQotPiB7NF8tZ3JlYXNlCmZ5SjZOMm80eDRwOVBCM2Naa1U1STRFUgotLS0gV2Ir -Sm1RRXBVSjFDRmkxc3NheUtIWGRxdGpRMU1BNHFWcENENXZFQm5SUQpPLzxgUJjq -JVnuUu3yPQGd7Lg59B3/Zx+O2CaVwhJRsG9UtNAQFjQ1wafi6g== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB1VE5L +Ni9xMjF5UHY2bGhWY0tyUzBaZWRTd0RJcm1Mb0VUcDAzaGk4MEVzCmo1bUcyM1lt +cjhHaFMxVnROM3RPNFBpd2dxMFBrbndiY1FRaWtGYXBIZ1kKLT4gc3NoLWVkMjU1 +MTkgcm54WFpBIDhrYVZxSGN2cnYwYTRTYnYvUFdYb2krcWZyS2tzRmk3Zy8yNjds +UnJudzQKY2dlV3UxQkRmb0ZsWWpqSTR1eC9oQ05yU1pwYW1IN2dNSGRBU0dzSVVR +cwotPiBreyQrdW9keC1ncmVhc2UgKzIrfUVBTykgPgpOSStZeU1tSEhaOUJraHli +Tm5MYWxZaTg5OXA2NllyVWxMNTlmd212ekFnCi0tLSBYaDVKZ2xRNnFRQytJYTNj +VnBoVE1vbEExb1NEM0NQQ3greVU4ZEd2OVRnCuGH693QRAsZJF+12PGBF0D6SSrw +8r9vZclZMbLtjZkaCfIdL6Ae/wiy0Tc3 -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age index 5469b22..480436d 100644 --- a/services/postgresql/secrets/grafanaDBPass.age +++ b/services/postgresql/secrets/grafanaDBPass.age 
@@ -1,11 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA0Q2VV -V3FiRG12YVRmQUZ3dnNZZnRGNWNNc1Q0OVY2SEhFUDlBWnVERjJ3Cmx6M251bWZC -c2JwKzdJQW11eVk2VHZ1M0VYWUdJYmdXaTlTcHJtaEpwRk0KLT4gc3NoLWVkMjU1 -MTkgRERORkdnIEFHY2pNL2tkTjZUTkZqblBQb0FyZHl1aHJhUXR5eVQ1OEh5VEth -blVpQm8KT1VwQ0YvRVh3NXE1Mm56aGpKYnQ1dDNBL0NVdkJST1hkcVN4TDRlOVpK -WQotPiBpLWdyZWFzZSA7alR+MkIgTk9IamggcyRiIEE5PE91aF0mClRwbEFHTE10 -TXRaL1hQeWF3NTRuR0pObjN6TW5TUC9xN09CTnRySQotLS0gd1gwT3RWcUQzSUZu -dXpielppN2Fya3VudTU3bGFlRExJWWIyQ0o4d2dmSQosIoHtBd/8voBFCFP2w9+6 -3HzT2b7AvfD2h01LGaxvhxAiMGMmuiAQQW93srnX +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxWVQ1 +TUhyN2VJdmxsblYrQUJJYmtiL3BkLzd6SU54VVl0NVR5NEFMZ3drCnh3RFI2MjR5 +ZS85cnNuRmxSa3BFd21MZHRZV09FcjJjb0JJbnZ2b1VIc2sKLT4gc3NoLWVkMjU1 +MTkgcm54WFpBIEdndVl6VzRJeTdGTWFpdldmYnhoSXJXN0JhWnBTNXBYWDhVTlhq +cUo2V1UKbWMxaFlIZGhCaERDRktKZ3JFalRlOWxqOFp3bDJMS1MwVlArZjhYSkFq +dwotPiBFOmMtZ3JlYXNlCnFkeXY3YnQ0TVFkOGJyelpwc2NOUU8wVXdla1dzaWQ2 +d2tmL1hRenBMT0hBYU5Oa2ovY0VZTlFRUzZWZnBETDkKOGR5UG5EdnFnZwotLS0g +Ny9oTVBMekhac3lENWdJY2R4Z2hpZWduWUphTzg4SjVmeW10c3ZSNVBoMArVSmLO +s4vHIk5a1HiGKQJEw4fHMN9dbMU6QDi3yjMpX9QC5I1OTd5By7EGeuV8 -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age index 8ee3f3c..a33b6ee 100644 --- a/services/postgresql/secrets/nextcloudDBPass.age +++ b/services/postgresql/secrets/nextcloudDBPass.age 
@@ -1,13 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlTWZr -cFhQVHc1Yjk0Y0xYeVBqUkhmc3FPaEVCaFowSEEreFlLeDIvbUVvCjkxbm5YdnBs -d1pDYjZOeHZjUzVLQ1hGVnhRYzJjMzY2RlRyRW5TRzRWYWsKLT4gc3NoLWVkMjU1 -MTkgRERORkdnIDlZcmZ5TDJSNWFRalVzdUlWSWRRdXlsTk0wREp2NTd3ZDFpeEJE -eGFHelkKdExveWNyTTFDVVg1RlNqdk1aRWFJK0d3UHl3SUlaanA4em5FcHNicFpF -RQotPiBkL2UtZ3JlYXNlIEJhIDxpfCFOIVwgLkw8RjZTViApNT54CmpxS0xKWDVM -ekNKejNyd0U2ZWwxSnFpWHlHbHJsbmVDUWFLTkdNbnRhc1dJRVFsY1hoREJGVWVv -VndFMXJUeDYKcm9LT1RiQm96Q0czdWRZcFQrSFZPaFUvVXNRTDJIdFRBbDkyR3Y3 -NUNIY0grYUdaCi0tLSBmRlF0ZWVyblRvQmZuNWFLMjlxM2JtOGxFQmp3SWJUSkY1 -WnFoTm94TVBnCvZGih5XHuWMFu3Kr+hn2oLAvRPydesiEKRWSL0DJQ/nM3RwsUuN -rHLDNiimTAQqEA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3OHBo +cExaSGJzRE92N2pLNXRvbVRWK1NIVk9paTJGR0FkZkxtQlM2aVRFCnBMb2hjRFV3 +T0ZxZDB0TVI0L05HNzhUMDRnd05xSkZVQkJCL3IrS1FYYTgKLT4gc3NoLWVkMjU1 +MTkgcm54WFpBIFlMMENCM0s4VXR5OVVtZU43b1k0ZVg5bEY0SXc5K2ZQUmhhZXQx +VkdNUjAKaU8xdE8yalVoOGZvVFg1YjMzVTV2Q0VBWnd4U20wTFROSVdVZjY0bnNv +RQotPiBvTzJULWdyZWFzZQp0MDlCczdlNVhNSE9SRFVDNkMwVzhFQWcKLS0tIFMr +MkIvSmZSbGNubUZMajRNVkVBaStHWkhtRUkwLy8wWXFoSEZPZmFYVUEKp6fXv5BS +GT/rViqwW5nqLQBV5HwqUInKIIEAIfIBcDSAkYieRwkQqWLsuo6SM+Uq -----END AGE ENCRYPTED FILE----- From 89fd1f0a245657b8dcfa0a50b363d620964b8a4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 28 Jan 2025 10:33:51 +0100 Subject: [PATCH 4/6] Fix pgsql init script --- services/postgresql/default.nix | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 9dfee7a..0c9deae 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix 
@@ -11,10 +11,22 @@ in { }; config = lib.mkIf cfg.enable { age.secrets = { - nextcloudDBPass.file = ./secrets/nextcloudDBPass.age; - giteaDBPass.file = ./secrets/giteaDBPass.age; - authentikDBPass.file = ./secrets/authentikDBPass.age; - grafanaDBPass.file = ./secrets/grafanaDBPass.age; + nextcloudDBPass = { + file = ./secrets/nextcloudDBPass.age; + owner = "postgres"; + }; + giteaDBPass = { + file = ./secrets/giteaDBPass.age; + owner = "postgres"; + }; + authentikDBPass = { + file = ./secrets/authentikDBPass.age; + owner = "postgres"; + }; + grafanaDBPass = { + file = ./secrets/grafanaDBPass.age; + owner = "postgres"; + }; }; services.postgresql = { enable = true; @@ -28,22 +40,22 @@ in { host grafana grafana 192.168.1.27/32 md5 "; initialScript = pkgs.writeText "init-sql-script" '' - nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path}) + nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path}) CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB; CREATE DATABASE nextcloud; GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - giteaSecret = $(echo ${config.age.secrets.giteaDBPass.path}) + giteaSecret=$(echo ${config.age.secrets.giteaDBPass.path}) CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB; CREATE DATABASE gitea; GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - authentikSecret = $(echo ${config.age.secrets.authentikDBPass.path}) + authentikSecret=$(echo ${config.age.secrets.authentikDBPass.path}) CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB; CREATE DATABASE authentik; GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - grafanaSecret = $(echo ${config.age.secrets.grafanaDBPass.path}) + grafanaSecret=$(echo ${config.age.secrets.grafanaDBPass.path}) CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB; CREATE DATABASE grafana; GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; From e29eca289e936bcaa9189ad20e4f858b8a3809fc Mon Sep 17 00:00:00 2001 
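Review bot: Each stanza of the init script in the second hunk creates its database without an owner and gives the role `CREATEDB`, so the application role may create arbitrary databases while its own database stays owned by the bootstrap superuser. `GRANT ALL PRIVILEGES ON DATABASE` grants only database-level rights, and on PostgreSQL 15 or later it presumably leaves the role unable to create tables in the `public` schema. Consider `CREATE ROLE nextcloud WITH LOGIN;` followed by `CREATE DATABASE nextcloud OWNER nextcloud;`, and the same for gitea, authentik and grafana. The enclosing `services.postgresql` block starts and ends outside the hunk.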
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 28 Jan 2025 10:34:47 +0100 Subject: [PATCH 5/6] Manage secrets --- secrets.nix | 2 +- secrets/initialPassword.age | 22 ++++++++--------- services/grafana/secrets/grafana-db.age | 21 ++++++++-------- .../grafana/secrets/grafana-oauth_secret.age | 24 +++++++++---------- services/grafana/secrets/kuma-token.age | 19 +++++++-------- services/onlyoffice/secrets/office-dbpass.age | 18 +++++++------- .../onlyoffice/secrets/office-jwtpass.age | 19 +++++++-------- .../postgresql/secrets/authentikDBPass.age | 19 +++++++-------- services/postgresql/secrets/giteaDBPass.age | 18 +++++++------- services/postgresql/secrets/grafanaDBPass.age | 19 ++++++++------- .../postgresql/secrets/nextcloudDBPass.age | 18 +++++++------- 11 files changed, 97 insertions(+), 102 deletions(-) diff --git a/secrets.nix b/secrets.nix index cfad339..29bf405 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,7 +5,7 @@ let forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; - postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRP52p1Pg1zBZc9ywr61iKAjMhQ9jo7FZvQQgAaV49m root@pgsql"; + postgresql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW7qA7j1sICuu1RAfs9ifR9dmOlHq45tKu1ga7CKaob root@pgsql"; systems = [forgejo grafana]; in { diff --git a/secrets/initialPassword.age b/secrets/initialPassword.age index f063770..4dd2382 100644 --- a/secrets/initialPassword.age +++ b/secrets/initialPassword.age 
@@ -1,13 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBPM09R -eVN0bnRWK1BDSWJHaHNxTFhDUStDUWhLTUpjbnQ5bW9kY2E5ZEZzCktlaDExMHMv -V0NJWTB5amVKWkVSd2Y0UmhGL1p0NE1YTkRUaDZqbDA2ZTgKLT4gc3NoLWVkMjU1 -MTkgTVRPMXBnIEZzT0lpNlhCd2VWZFNwTFVxYWljVndGcElSVUI0R09SdGpHMVhv -ZWpSSDQKS2VBeEFicEloNEdlS01mNU9SU2F2a3QvMWRzcDhSTTZpWTRMTE01TTVC -awotPiBzc2gtZWQyNTUxOSB3bkVVcHcgUFc1ZDk3T1RYSzIzcWhGdmpJQ1pwYzVV -L3RFWmxVRzlJNzNCMnZSRFVYZwpCWHduc1NYcWVhUlEyNENDa2ZMbWkyRXFoWlZL -eXgzaUJxWkg3Nlh1dDNBCi0+IDh2ckxKK0YtZ3JlYXNlIHFMZiBrKF5LP1EgUUtW -RGZpKgp5b2x5cGJEb3FQSmlKRHFMNytuMQotLS0gN0RNSzlTZGhXeERjZWpSVFNq -ZktYbVJMRml2UTRNMEc4NUlTaTQwL1drYwrJqloEOrJgfdbOuTqbZvBj7zI+bFrv -CJA5AhL4z+RaxOxCO/z/8tsRdOMv8SEuf5Xy8lPugw== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBIZzc3 +NEpKbjZKaHNJTkUwbUVVWkRNYzRVZ1g3aHFWbmw0RjByQy9DNUY0ClBraUZmM29P +dW9RZXNhUVZQajQ0VVZzN3E2ZjlQa2hIN2QrOG4vamVhUTAKLT4gc3NoLWVkMjU1 +MTkgTVRPMXBnIFBFbFVLNFBSdmQxeWhkWFcyRkdidUJDMHVhcWtuM0RNYU9MN25G +bWtqaGMKM1dDYTJjY3lwQlRGSU1nSERxWkYzck1JU21kaDBvelgyMUhXd2NabzFJ +QQotPiBzc2gtZWQyNTUxOSB3bkVVcHcgN3NVYnF3blJYdk9NMlpFeHBkSWpmL3hX +SVlZakZ0VG5SZjJzODNKZ2UzRQpXeWhBWm1GU2czTzhZN3hvQXErQ2xzWlBrdGM3 +bjFmQXRTQzJTNzlXeUFRCi0+ICZEazJMXy1ncmVhc2Ugb0Qga15CMW83OGAKSEk5 +ek9EV09TMm4vUGJEWDgwRnY4b0I3Z3ZxQk5GS0x5eEgyNFUvS2h3Ci0tLSA0RHBw +WXNxTGtDUHlVQ2ZHWk5WeGtuTTVseDFHeWxBcFZzNFRwUWptZHRvClgW5JGwRhTf +X5W+zQOJKbaiChYCtdqrPnEd4tRJMnMtm19UIUnR7asWmDdl8LU7DvodK4UA -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-db.age b/services/grafana/secrets/grafana-db.age index dbeccf6..e4129a5 100644 --- a/services/grafana/secrets/grafana-db.age +++ b/services/grafana/secrets/grafana-db.age 
@@ -1,13 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB4T3Vr -aTdZTG82QXljNk1NanFzbFkwbzBXWEZ1SzFNc3IxMGRuVk05TWhFCmxFaHF6QU9N -N05Na0JDb2Z2U0NWYnRaTTZRdTZXQzg3QTZndnBqRlhEYVkKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IDEzaDVsNU15UUcwcllIVTBPMVFkOXNzclgvV1RaV0I5cmI4aVBj -MEZFMWMKelNEc1M2UFZpTzV0YU54cW1hOUNtQldHQ3gzUG1nV2pNVnFLY2Q1NE1K -cwotPiBwMkktZ3JlYXNlCkdrR0FmZjV6R3d2K2VyS1c5VkhlSUo5UTluSktNZ1lK -M3hpVnNRV2diOEYyMFBOVzcwaXdGVnBoUEprbjgvb3oKRU9FeEk0M1Y5ZkxleEd4 -V3J0WWk4eTAzdVY5MS9neXd5T056cm94NXRhSC9Hb2l0TFBKVlJEUUpJVzRIZzNV -QwpMSUUKLS0tIHgvd3J1MGNmMytEUFlRY3J1YWVIcEdPQTZ3aW1VYlpxQmVyNkpv -OTJmbU0KorOMji8zS8qIpQKkGI7zRBWzAdmrUMz7kMvaixi0zQS45lVJv6jL8yvg -wA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBINHll +clhGaUlhZ0VIZUV1b0lzYVpvbEVrUk1SRmdla2s5MVJRT0pYM2tVCldnMWprYVpo +cHNkTGlUWHU4SzdwZDVkSlYxeUJXNlJ6TGpVVVdvVzErdlEKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IDhEOUt2anYvMjg0ejlhZk9NQy9aMi9zV3hHVzhsOXRlbHU4d2hL +bi9lQk0KRUNpcnRVaXBWOGZEN0xSaURwanBEODhkWkVuYnBVbCs1V0c0YzBMOVlo +bwotPiBCR3wtZ3JlYXNlIEVZc2Zcfgo3SHl2UUV2TUFSUVZnbjJ0WDdWb0lRTUFz +bzhGNTd5dzdTN3VpUjBXdVZ5NGJwMkNLMTZncjFjTDNOQm5tVllZCmFZejlaS1FL +UFZwK3hMT05KQ20ybS8yT0lCU0FaM280R1prRnVBCi0tLSB1MWoxYzJ2bVNuTTZN +eDE1dzFoNjBmc0dacXZrMXJkMUpKU3JReE93VEVnCmIawaa6DCtgRRHcp0kS6MCl +1MOX+wYg6YIE7UJ5cx6w9cQVIO4sfkx8e8U= -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/grafana-oauth_secret.age b/services/grafana/secrets/grafana-oauth_secret.age index 0b056ff..a5df31e 100644 --- a/services/grafana/secrets/grafana-oauth_secret.age +++ b/services/grafana/secrets/grafana-oauth_secret.age 
@@ -1,15 +1,13 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBRSFpq -TGpzZXdWTjY3UUx1MGQzblAzSXJoM3VseFBEZ095WWpmTTZCTUg4CjI0R1JoSEd6 -cUgrU1NITkcxRHcrN3hXVm9mTGdlVjByU3Q0ZGtranFaSzAKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IE9CQ29NRFFDNTBsenhtUlNBQSt1YXF1RmZBcW5VWWJsL29oa25E -dm1iRlkKbWk2Z2QzbG95RXROZ0xkTGxxTnZ3MVlHNjNhL3VuN1lMSVNIWVNvOWV4 -bwotPiBqRWtGLWdyZWFzZSApW2NKaTgvCndnZjhqOW1kbmdycHZEK0ZtTTBWZUl0 -R28vMzFad3k0c2pUbXFSNFRLQ2dHZ2dFL0Q3dHNVVUVKeXNLdlJrcXQKbU92L3Iw -TmNMNy90ekRxR2dLMGdBMkxFNjNDSFBNVVdaSktET2xJY25TMVowdwotLS0gNWc3 -WWIzTWlyRWN6Ukh3QXh3eUZ6Y0FhLzFqakVNNTVlU3FKWEtDb2dzTQrHuYbbpKNA -5Be45skIhBObjU7fOTgQUYm6odJz9N8u+wcGqYSWzUTYGuXWGUNKY5G21Pq2KmXb -f1+yKPaOkSVYDQyEIvKEGSLepBipKhuvzPUmHE0GX7/j/jsMgQJyVgShiuTVmiS6 -UKhgyC92t4iLY7wS/G1Dt4VWHqE40W0OIQRdHiHgP95wXFQsh/aMGiF5rIAwGEKQ -v4RcC7buznusZA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3YTc2 +dFJoTkttVnYwNW0rY2pDWmVXV25aQTNvR2tKY3pZVmlvZlVrWkhNCkFXZkxrMXAz +dVhrVXhVMnJOZ2ZlTE1LS1ZyckJuMHB0a2NjNDVIZFJGNlUKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IEZVT1dYZHprQXJpR3JjVzRWcVQ1WHcyTkxkZHNqM2syWkNzOHpQ +OUx1VW8KVWlzSVhPZnhZcmJEMzFabytQY0MwbWNQenJRcUxvV2w5aW9LV3Fickh1 +MAotPiBHTCcvQy1ncmVhc2UgTV1zNgpZNWswWE5DdEZXVVBzeFR3R2taZFpHakxS +MEppblllczc3bWt0NmJzZDZrZTlYblJIWDQKLS0tIFJHWWVQL3VvTHF1OVBITXFH +WVlhcUlrRldLQWNUZVJIOGY5OUtIZzlmdFkKHUb1KkIRJuEKk430LNP8gNQpDtlo +ifMWwhBcrDDOUxQSpEow42sgbIbCpvHt+gMgMCz2sLbdBnEUfCAIuG2SRZF3sfvD +JxY8/0mtK0upF+7jb3oCeGN9ah+gGoHEwKjRnBP6zFHG+yRMNQEiqO5h07JGEtrV +junjkEC11HAgybtC+gzr7Visx91cyK52ZIsNdg0AI9wM6EGUIX3quC3zGpw= -----END AGE ENCRYPTED FILE----- diff --git a/services/grafana/secrets/kuma-token.age b/services/grafana/secrets/kuma-token.age index 29a7f8e..9b3ca80 100644 --- a/services/grafana/secrets/kuma-token.age +++ b/services/grafana/secrets/kuma-token.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBRbzlL -anBjcHRpYTFucVBZTHBTMDJPa1krMjFKcUNaYjRVWnN2S09QQ0dJCjFaMTNPUHNW -QlRHQlJPQjJla2lTTE5OMXpMLzBGZGNlU0s1aFl5VmRnaDgKLT4gc3NoLWVkMjU1 -MTkgd25FVXB3IFpvbTJsNXJKWHRxTUg5MkpOMWxoSVJUd2NRc2ZzbGEwSHk4dXhR -cDV3RFEKQmxpbGV2di82TndoTmtqYlZNbzRJYVJGdXU1ZFNLcWFXSWVsQmtvS2VK -bwotPiAzcUEmJi1ncmVhc2UgKy50SVdTOjYgRCB5YE9mRTZZXCBlPQp2KzRJaUlS -ZmpVcGVRYWxmNm0xMGtoT2JkRTVvOTZFRU5DLyt6aHNudHl2ZXQxanE0N0hpUkxv -R0hyajE2a2sKLS0tIHpFU2w1UGV3blIrTkUyNThZSDNJWVVCMCtoTnJtY1cyTXo2 -MUw0VDhLWUEKTNVRd90rB1+mz1gFlU7XOajlI5ETkiPOdQO1IslYIoVVadFkljZU -RX3oneaRfGTou9VvDINV8Mg3i2sMcMQ17hgn3AlFccxMIvHY8d4= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB1OE5Y +T3FiL3VKNG1HRDZHcHpDMGtvaDR1V25tT1dOYXRRM0VEUjYyb3c4CkRkSE95dkpp +SnVROXcyZGNmTkZUNjFtQnF5dDRRc2syaWoydGk0V0FBRWcKLT4gc3NoLWVkMjU1 +MTkgd25FVXB3IG5yMjlBYThRMkdYZjVIWVhIbXk3UjNMTmtKTktkQTlVaEdqZDEw +d0NYUzgKbEo4bnVpOEFlT05PdWo2bGFlVTMzVmJOODFpTzErWDYvRm5tNk4wbm1G +WQotPiA5NHEtZ3JlYXNlIFlHI3NaIFNBfDIgKzBARwoxL1BNNzNQWkU1elZqVDhr +NEJURHI2TQotLS0gWFBJUXpmRU95S1p1eDR0cC9Pajc2aUZJL0JFbU5XWDZpU2Va +SGcvaHJDVQr9/6z8OCUSXg88ib9iqQAGp7ozAaslowdoONR/gSUelziKvaCEP/Cc +1GQOMJy8W2Q/oBwAavq+qi4QKTSYXQ5dDmkip8fBU+Df14euww== -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-dbpass.age b/services/onlyoffice/secrets/office-dbpass.age index b089781..37dd633 100644 --- a/services/onlyoffice/secrets/office-dbpass.age +++ b/services/onlyoffice/secrets/office-dbpass.age 
@@ -1,12 +1,10 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuZHZx -NXZ2eGh6V044cmJsNmtjZzRtTFJkbElLNVFjVFRrOGpEeldEbm1JCjgyUFcwRWZo -ekNtcWwycWZSSGhRRG9Zd3ZqY0NJY2w3ZzZuelhtbU15Um8KLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIDdvWFhEZ09FMWN0d1Z1WkIyUVRPWXFLeGpLQkoxTmVIMlJHWlU3 -YlFuekEKOWhTMnRaSXRuL3d5SVBWUi9LQURPTm1JTDVubk1sYnkwOHlmNWJXUW5i -YwotPiBULWdyZWFzZSBvejB2NC9lQCBNdXMgJEBNPCBxdiQjOzsvCnF0ZzZjMXNm -K3ZkZ1NZR2lxL2c5VTVjOHN0d1FwN3I1Ry96MXljMkkvYUFsc1Q3Y0lPYk81d3A5 -dzlYTTlnSHQKSld5NAotLS0gQm83Y1Ewcm9kMmx4UVptM2NmVHBqaWU2UDJVaTdZ -dHFKeURzaVpjK3ozZwqQZrz4zVWepgK+JMT0q+fB02yL8Kkv557wmFoukJH3JNLX -gkZNHNCxqkvsDNWI +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxVVZD +ZUFVVTZESHNCb01Kc0pPb3dKOXZKR0RYS0ZQcXhvQ2RzbXNKRGpJCjFaV3AyQUY2 +OTB1L0JrZTlFMy9keElTS01IVS92YWRBSVRuKzFFL2pSVU0KLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIGI4U202VWRydGhVSzhJUFpLeDJZZkVoeFIzZFRQRjhYcWcybkhr +ZWM4MFkKSXpzT3E2OXRJVjc3V05XaUxCNW1aQm5kKzlrYzhWRUxoWndCaTRqa2Q4 +MAotPiBWLWdyZWFzZSAyOGsxIFI2R3EgIT0ueSBDd2o9NGp9CkZBCi0tLSBWRlc4 +RFFYOEkvUmY3TUFSa0lmZ3kvMG9IdGxUakhvMWhPWjhzOXhERmZrCkil25ySWO1w +BYB6Wt5MfsL7I5Izfdfpw0lqniC5r/4oh+lDQUcvsi1vQx+BRe8= -----END AGE ENCRYPTED FILE----- diff --git a/services/onlyoffice/secrets/office-jwtpass.age b/services/onlyoffice/secrets/office-jwtpass.age index 2da1a86..822f259 100644 --- a/services/onlyoffice/secrets/office-jwtpass.age +++ b/services/onlyoffice/secrets/office-jwtpass.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBlZDdv -bDM4d3NCQkl0cTM1N2hmM1JsdElBVzh0VHJRd2Z2U2JLcUFwSWxFCmNRMytUR2hw -Rzc5WUlwbDhjZnA1SGVTVEFqa3UxSVM3d1RrSHJUR0xBZHcKLT4gc3NoLWVkMjU1 -MTkgSXpNcXdRIEVCY3lpT1B1ZHkrWE1kL3NSa0hOZlplT2xlSHkybmxteHpxbkVh -UTRIRjgKemdFaCs2c2JWYkhRTHIyVUk0bE53dVY2aUxIblJ3WUVqbzlaTDV1ZzVj -QQotPiA6bC1ncmVhc2UgK3RoJ09nIHgjQDNGWCBzT1c1PEAgU0NyIm08KQpVM3Ba -STBCOUxzdGRWMkpZendmOTN0YnN4akM5dG0rWDZOdjdIcE9OZSsybTlYbUJyY0lo -cnRub1VtZVVJcHllCkdTalA1UE5rRWxrTEppWHBPUEI4V09DbFE4TTllV01QCi0t -LSA4aFlvN3hDZ1k3emh5STFkTEJsSlZDYitCQ05rOHdYWTdpQmZ4SDk3Q29jCvDW -ssSwiHfGd40yaprJdEkaTCBefdXymmKh3nlC11vjK+sXUZB3+PVZP8ZNT+IXoVc= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAvVWNp +a1BjZG8vWC81SlhUT09SSERWUGtzNGtFYzYwbjJYTEZZL1VZKzFZCjA5djJNQ0tJ +SEIvSjVCaDVaK1FvUG8yNW4rd0N4cTdTLy9PT0p3WFd5bUUKLT4gc3NoLWVkMjU1 +MTkgSXpNcXdRIFp1TmhSSlRKdkFSeUN6YnJwV2pXWVFyZTBkWWZNOG8vbDFrenlu +QWF3VGcKUmNMbUVkbnpwQ3M5bnJTSjdGYWZiSldncWtwU3BZenZ2OWZ2YStrTHlh +SQotPiAwRS1ncmVhc2UgT2lrPQo3YVREamovMVhQSSttUXNiNkVZMW83alFDaDRv +N1JzOXg2b1dTNWxja2oyYlNaSS8KLS0tIFQzc1Bqdmt4Zkc4NVZBOHM5b1NNL0dC +L1lRTjA2enE3NlFDRkN3cmV0MjQKEI287XlTGhe+gTmysPhQXPNALUj3QzDnmznB +dnY2NmBArjrXnanMONycttWH2hwz1Q== -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/authentikDBPass.age b/services/postgresql/secrets/authentikDBPass.age index 8f76b5a..d1988ed 100644 --- a/services/postgresql/secrets/authentikDBPass.age +++ b/services/postgresql/secrets/authentikDBPass.age 
@@ -1,12 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBEdXFI -QTZyL2c5VnFBbWwvY0Zwa2hkSnpuc3IzeFVBd2RUUHRVR2VuQkRjClAvVmRac09V -SzVaNjI2YVhFWGVDdnJ5SWVRMjVFY09IaThGL0dkUUlXWWsKLT4gc3NoLWVkMjU1 -MTkgcm54WFpBIFIvaHNlcFRtM1dTN0Y2Y2pwak1FT0laT0llampkUVNYQU1yQUs5 -UVgzVGsKSFRoVEFBWTkrMnJkSEdKWEtqNE5nNjkxbEYrUHhYUGZxaE9pQllWcGZM -dwotPiBCbXdwZnMtZ3JlYXNlIHRUXnIjdU4gaiBIYGN0bV9uIEgKYTB3ZlBNcVdq -dlViTGRXaG1rOHpITU5yZmpBbkNGc1ZEek1oS2FDWWZmUzVGKzdYSTYwbmk4eXYx -SXlQZlFHMgpJYW55N1A1SlVDRUlneERJNUEKLS0tIHFLb1dxeVZXZFhjcVFzY2JN -djh3dTA2RWkvSktCVWZJWjlWUkM1T0NTZWcKGJSV2RSmYsv/LHHUjRki2GYwVOn7 -VwgDvoIZSjH7oUyLoKiXlUTFO9HLrcXrgI/x +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBDODRK +d2pTZktDczVpSjBYdWNSVFdUL1k2TVlmMzlJRnAxQ0dhcXV3elhjCkd2V3BXVWMw +YUdtYTFzUGZyaU05R0dPWGNHYVR2TWYvbUtSdSt4TUlVQ00KLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIDZ5L3I2ZmErNjNuYnh5QTRwNkNVVGhLSE9JMjZROFU0ZnMrelQw +WUJmQ1UKL2Y1T3pER2ZIdUloTTl1dU13RWRKL2tQangycTBzWHJ5dVByYVNuNVdY +WQotPiBrRTwnPigtZ3JlYXNlCit3QldhZUhmZ2kzS3VHK1pweGRxQ1V1eFA2eEtu +bmJWRzZqdjY0SUNlZFNaVG92dXRnCi0tLSBIb0JVbk42aVowT1p4cEtVbUJneFRP +dmNlZTdBcm9OZUVuOUxIbUc2VUZNCsahsNPPKDASJc0LKL+vxvXC81q3fBoSz9c3 +Vxw9grzRH+aWXhKY+cxrOl6WOXTjCQ== -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/giteaDBPass.age b/services/postgresql/secrets/giteaDBPass.age index 0d980ca..15a2368 100644 --- a/services/postgresql/secrets/giteaDBPass.age +++ b/services/postgresql/secrets/giteaDBPass.age 
@@ -1,11 +1,11 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB1VE5L -Ni9xMjF5UHY2bGhWY0tyUzBaZWRTd0RJcm1Mb0VUcDAzaGk4MEVzCmo1bUcyM1lt -cjhHaFMxVnROM3RPNFBpd2dxMFBrbndiY1FRaWtGYXBIZ1kKLT4gc3NoLWVkMjU1 -MTkgcm54WFpBIDhrYVZxSGN2cnYwYTRTYnYvUFdYb2krcWZyS2tzRmk3Zy8yNjds -UnJudzQKY2dlV3UxQkRmb0ZsWWpqSTR1eC9oQ05yU1pwYW1IN2dNSGRBU0dzSVVR -cwotPiBreyQrdW9keC1ncmVhc2UgKzIrfUVBTykgPgpOSStZeU1tSEhaOUJraHli -Tm5MYWxZaTg5OXA2NllyVWxMNTlmd212ekFnCi0tLSBYaDVKZ2xRNnFRQytJYTNj -VnBoVE1vbEExb1NEM0NQQ3greVU4ZEd2OVRnCuGH693QRAsZJF+12PGBF0D6SSrw -8r9vZclZMbLtjZkaCfIdL6Ae/wiy0Tc3 +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxUGZT +Y1JMSE5MNTlmR3N2ZXJQV2xoK3BTNWZJa21uVjhac0VQOTd2YVZnClJqbnNEWFln +NTZncyttV0RBU2NBbkRrME1mNjluaFkrQ3pMTWhBR2VPTEUKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIEZBVytVcWZ2QVRmQm1BblZ1UEgxWVRwTFgxU1BJRFRiUUdGa2Ny +bnJJMmcKRms5bUtDdHUvS1BzTFViOTJ5RnhuQ212aWFWSHFXdm9uYVZjcU9sWHlz +awotPiBRLWdyZWFzZSBkP1RWKHxtCi9LQWdLV0hwRTFhQzhSb2Y5Z2QzY2xWd1ZS +dFhoZGFRbnNIS2loeUZDVUZpd3VsTllLc0xva1ExYVpXRHY4ZwotLS0gbVd5NWZq +NDkvY3JUbkMyS1o0U0hiMkMxUjdFTTBqWGZDT3ZpUnNYQThUOAqBMtKcCEvvDrTm +Rz3S4csriN1X6gGEOURKVmKDXO5P8O7yMGzRjl8MkpSOIw== -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/grafanaDBPass.age b/services/postgresql/secrets/grafanaDBPass.age index 480436d..828e9d2 100644 --- a/services/postgresql/secrets/grafanaDBPass.age +++ b/services/postgresql/secrets/grafanaDBPass.age 
@@ -1,11 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyAxWVQ1 -TUhyN2VJdmxsblYrQUJJYmtiL3BkLzd6SU54VVl0NVR5NEFMZ3drCnh3RFI2MjR5 -ZS85cnNuRmxSa3BFd21MZHRZV09FcjJjb0JJbnZ2b1VIc2sKLT4gc3NoLWVkMjU1 -MTkgcm54WFpBIEdndVl6VzRJeTdGTWFpdldmYnhoSXJXN0JhWnBTNXBYWDhVTlhq -cUo2V1UKbWMxaFlIZGhCaERDRktKZ3JFalRlOWxqOFp3bDJMS1MwVlArZjhYSkFq -dwotPiBFOmMtZ3JlYXNlCnFkeXY3YnQ0TVFkOGJyelpwc2NOUU8wVXdla1dzaWQ2 -d2tmL1hRenBMT0hBYU5Oa2ovY0VZTlFRUzZWZnBETDkKOGR5UG5EdnFnZwotLS0g -Ny9oTVBMekhac3lENWdJY2R4Z2hpZWduWUphTzg4SjVmeW10c3ZSNVBoMArVSmLO -s4vHIk5a1HiGKQJEw4fHMN9dbMU6QDi3yjMpX9QC5I1OTd5By7EGeuV8 +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBQT3I4 +MFB6SzNuTlFXbkdOcTlERnZTbmYvTEJUamlKS2tmWmpnZ1loTmhBCkpBaHVtbWQ5 +QUFQTE5YR0VUSW15MHhlQkRxVVRyb0NQck5BbXM5NmtCdlEKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIHF5VXZqOXhlR0lMRDRrTk90bUw3dDIwN2NieGpjOHUvUUliTDBh +WG1VbDQKWjZ5NGZrQW1OS2tDL3JId0Q2WU1rdndmQ2svUE5nYlh6QVBUY29iSzFt +VQotPiAjLWdyZWFzZQpuSWxGdGhlU3NYUWh2RTU1R1dYYzg0OG1ndjRLUnA5UjlQ +ckxncDNUR2puQkhNOFJFNVgybkVPczRyUmJwanZFCmV6endjbmlKRXpIaVZ3Nith +Z0dDZ00rUGxzbGxpVnZoV3pIYUk1Q3J0R0RDWW1ITFpNWXMybi9YT1dBeAotLS0g +OFl1aktFMDh0b3lQdmoyOXcvZ1doTVh4U3JZd0hpcDAyc1J3QlZLZklLawoL8YjP +b+cpjtpje2h4fuxNLvEviqW92K6t8l4wf0sVlDtiH2Qf6FnwSYYkElb5 -----END AGE ENCRYPTED FILE----- diff --git a/services/postgresql/secrets/nextcloudDBPass.age b/services/postgresql/secrets/nextcloudDBPass.age index a33b6ee..a9834b6 100644 --- a/services/postgresql/secrets/nextcloudDBPass.age +++ b/services/postgresql/secrets/nextcloudDBPass.age 
@@ -1,10 +1,12 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyB3OHBo -cExaSGJzRE92N2pLNXRvbVRWK1NIVk9paTJGR0FkZkxtQlM2aVRFCnBMb2hjRFV3 -T0ZxZDB0TVI0L05HNzhUMDRnd05xSkZVQkJCL3IrS1FYYTgKLT4gc3NoLWVkMjU1 -MTkgcm54WFpBIFlMMENCM0s4VXR5OVVtZU43b1k0ZVg5bEY0SXc5K2ZQUmhhZXQx -VkdNUjAKaU8xdE8yalVoOGZvVFg1YjMzVTV2Q0VBWnd4U20wTFROSVdVZjY0bnNv -RQotPiBvTzJULWdyZWFzZQp0MDlCczdlNVhNSE9SRFVDNkMwVzhFQWcKLS0tIFMr -MkIvSmZSbGNubUZMajRNVkVBaStHWkhtRUkwLy8wWXFoSEZPZmFYVUEKp6fXv5BS -GT/rViqwW5nqLQBV5HwqUInKIIEAIfIBcDSAkYieRwkQqWLsuo6SM+Uq +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBxaU02 +T0swYkQ2S2cxblRuM2ZHZ0F4WmMzNDd5ZHJLcVF5SjJiYWhJS1NNCm9pcTRCWHJL +RWVUTEJTalEwOHh0aDlJZHF5S0NWN01zY3hMVG91SHk4NWcKLT4gc3NoLWVkMjU1 +MTkgc2luZ3ZRIHdoL0F2MHY4VWxTWDR1c1c4bTh2eHVQU0FoWDFwdHhsZE16Wms4 +UXFFaXMKSFZhTi9TRUh3akNvNStlQ0w2T1FnRTdOWFhZaXh6RGYrQ0NlUkdyejAv +UQotPiAlJilLPy1ncmVhc2UgUWB3RApyZVFkR1Y0SXdFSUxzUzAvZVZuWEthODY3 +Y3dVbVFWMGR3ZURqZXdsSzE4KzVNdzFlS2dRcW5maG5MQ3Y4SEdZCnlLMUlKWG1Q +eFpLTUtRCi0tLSBsU1pRemZQZmhDK21SbVRvQW9NSFlCdG9YR0ttRlM2NXUzTjM0 +ajRBc05zCo0JQrIpSdXQTgcTULp18sAFF1aGwlgthv6lSetqlQLeusaEuVnR/rf2 +G3ecxNZ2TA== -----END AGE ENCRYPTED FILE----- From 51affbb4a3761b0b601b50b9ad42ae0f59d01cb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9o=20Barnouin?= Date: Tue, 28 Jan 2025 11:18:06 +0100 Subject: [PATCH 6/6] Fix pgsql init script --- services/postgresql/default.nix | 38 ++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 0c9deae..4540e7d 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix 
@@ -40,27 +40,49 @@ in { host grafana grafana 192.168.1.27/32 md5 "; initialScript = pkgs.writeText "init-sql-script" '' - nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path}) - CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB; + CREATE ROLE nextcloud WITH LOGIN CREATEDB; CREATE DATABASE nextcloud; GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - giteaSecret=$(echo ${config.age.secrets.giteaDBPass.path}) - CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB; + CREATE ROLE gitea WITH LOGIN CREATEDB; CREATE DATABASE gitea; GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - authentikSecret=$(echo ${config.age.secrets.authentikDBPass.path}) - CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB; + CREATE ROLE authentik WITH LOGIN CREATEDB; CREATE DATABASE authentik; GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - grafanaSecret=$(echo ${config.age.secrets.grafanaDBPass.path}) - CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB; + CREATE ROLE grafana WITH LOGIN CREATEDB; CREATE DATABASE grafana; GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; ''; }; + # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 + # This is an awful situation + systemd.services.postgresql.postStart = let + nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; + giteaDBPass = config.age.secrets.giteaDBPass.path; + authentikDBPass = config.age.secrets.authentikDBPass.path; + grafanaDBPass = config.age.secrets.grafanaDBPass.path; + in '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); + + password := trim(both from 
replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; networking.firewall.allowedTCPPorts = [5432]; }; }
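Review bot: The four `EXECUTE format('ALTER ROLE … WITH PASSWORD '''%s''';', password)` calls in the new `postStart` insert the file contents with `%s`, which does no quoting. A secret containing a single quote therefore ends the literal early, and the remainder is parsed as SQL in what is presumably a superuser session. Use the literal specifier instead, which also removes the need for the Nix `'''` escapes: `EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD %L;', password);`, and the same for gitea, authentik and grafana. A statement that fails to parse may also be written to the server log with the password in it, which is a second reason to quote it properly. `pg_read_file` runs inside the server process, so each agenix file has to be readable by the postgres user; the `age.secrets` declarations are outside this hunk, so confirm that their owner and mode grant access to that user only.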