Feature: Init stack.nix for manyfold.

- Rotate keys in manyfold and postgres. - Move postgres volume to $APPDATA.
2025-02-01 00:34:52 -08:00 · 2025-02-01 00:34:52 -08:00 · bd26c3ea0f
commit bd26c3ea0f
parent 9311a40618
5 changed files with 56 additions and 96 deletions
--- a/homelab/stacks/manyfold/.env
+++ b/homelab/stacks/manyfold/.env
@ -1 +0,0 @@
-STL_DIR="/mnt/nas/3DPrinting/Model Library/VanDAM"
--- a/homelab/stacks/manyfold/docker-compose.yml
+++ b/homelab/stacks/manyfold/docker-compose.yml
@ -11,10 +11,10 @@ services:
      DATABASE_USER: "manyfold"
      DATABASE_NAME: "manyfold"
    env_file:
-      - path: ./manyfold.secrets
+      - path: /run/secrets/manyfold/manyfold
        required: true
    volumes:
-      - ${STL_DIR}:/libraries
+      - $LIBRARY:/libraries
    networks:
      - web
      - manyfold
@ -34,10 +34,10 @@ services:
    environment:
      POSTGRES_USER: manyfold
    env_file:
-      - path: ./postgres.secrets
+      - path: /run/secrets/manyfold/postgres
        required: true
    volumes:
-      - postgres_data:/var/lib/postgresql/data
+      - $APPDATA:/var/lib/postgresql/data

  redis:
    image: redis:7
@ -45,9 +45,6 @@ services:
      - manyfold
    container_name: manyfold_redis

-volumes:
-  postgres_data:
-
 networks:
  web:
    external: true
--- a/homelab/stacks/manyfold/manyfold.secrets
+++ b/homelab/stacks/manyfold/manyfold.secrets
@ -1,54 +1,21 @@
 {
 	"data": "ENC[AES256_GCM,data:/rLRtCdOwj3TWKs/HL3VQiSagekUueSs+A1F9SwrswgOF7bdR8DsrNMCgmb6Insg+djIj7a9D23AuoSsDTroQzgGHdAWEn9l8YKKTr/n909EBhDsszqtM9mK5PxcDnQUJydTZbK6BY4K0hkQiOuBpRcq4WCh+M78xboVYgOPTTmusCAs,iv:kFPdTG+sOuRy4ey7j5w3Fx41ODX6VYSTJCi/5jD0cAs=,tag:3td1E9sMkBjQJ+8sTBo0mg==,type:str]",
 	"sops": {
-		"shamir_threshold": 2,
-		"key_groups": [
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOY1BhOTltekVMU2E3Rm8z\ndjNJR3ZXVjdZdi9jVURGNDlUN3Bocm5SMWhRCkVFL1k1TytxL1BuV0x2NmFwdWEr\nSURLNUkzWU9ObzNHMms3eE9iSEtRQncKLS0tIEtBVE52eUc0aTB4OHRNUlpQMTBW\nTHcyZFdmYVErdCtHMnc3S3d4cHVMVW8KKPbqsFNbZrIpQWsHFT+rELNc256XpfI5\nn/YjKoItQisiq9bTV2uakAfOHbEMIJLfaa63skTlAuAE7Y72ulz02bI=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxc29HTk53bGJpOHRXNW1h\ncDhNVU9YL2w4TE14UkxycG5FZWl6Tmk1aFdZClQ5Y0tQUy9YaG9ORHFoVXNxa0dS\nUjRHVUtYYXJzSUtqbFBwZ3dvMjF0Yk0KLS0tIGdtZEY4bkswQnBWRTkxbFJoMEVM\nb28rWnVtT0ErUjhHVG9LVkhoR2hYenMKHvSZjkQSYD1cAcaFJvt5dm1gP5irqmv+\ny/pjWgP0v2TirS03Cao3yMg9apu77ACYMLjsRetqwNuOV7uqZtOs7d4=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQjQ2K3h3YytsQWZkUWww\nSHZwRDYvQ1JFSzd1RFRBeGhoTEZMS2sxcEZnClZ4QnZWNE9Qb3lYMlVkWHlBWk9E\nQVY5ZHM0anpvemhNdVJuUXIwanJaOW8KLS0tIHE0cDRDSTR2c1JXT3FIOXBlMDhR\nWUluUEVYd21uSHUvLzJqQ2d4TnF3TFUK7ATZTe1SnO4gepF+lwQEmFGvoiBUvCM9\nYlR3vtwklFDXr1nk5ldjePRownCpG/Yb/nWRXAOh3rNkrUniEA3VeeA=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSXU1OU1SR0lmSHlxNGNO\nTWRpRkE2YngzcHlWUlkyaGI2dkhYZzBYekhjCksxd1EzaUJDUC9xMDZkVEI2M3VL\nWWloeHBKeXY2WjZ3d0pjeTVvN25EaFUKLS0tIG9sOGwwVTE5M3hYb2RxTE9iQlYy\ndmdqNytKRURsV2Zod2d5VWh4WlVoRncK0Lf+BCDkDh3W/MSbntWBaayY3271Id7M\ns0es3/cLGoIj25XCsShFNKvCqZdpCnOlcBwSucKbQI04zUnPhy7D6GM=\n-----END AGE ENCRYPTED FILE-----\n"
-					},
-					{
-						"recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcDBQQlkvQytSWmd6dmd3\ndzIvZkpmdU5lZS9jN1VXaGg4ZzFMaHkxM0FNCkw4d2IzWWw4U3V3Ty9UNjdQU3Vv\nMEszZTArbTFMQnNEREgxcnZwNGlrQjQKLS0tIFg3aUZqOVM1QndRNXE5dGtENXFu\nSHRVQ0RoTGg2WlRaSDZmQzh4TlIyVDgKp9k8Hakqeulcq1aB0EhRj6g2QO7eIqgu\n2bZ/na1+hTjzE7uXDITS7m7P/XBImXk2wupYNQWjPiqFKP/30F7nNck=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			}
-		],
+		"shamir_threshold": 1,
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
-		"age": null,
+		"age": [
+			{
+				"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5bjk0amlLNlhiNGZUaFA1\nVEc2WUpvWDMzbEhDYVpOYlZ5ZXlKcUR5NmxNCkhxOTRIV1haYk9iajNkeTNmUEJo\nc1pydEZvbHpPcWMwVmppVFpRQWY0WUkKLS0tIFVaWlBhM1lseTA2SGhwR0pWRmRa\ndTNzM3BHMnAzWWIyNkk2bXVIaXJaOFUKoancGO2PhiHdpspCZrUGlQMNlZYSbvky\ni6c53CZHE+xTVocnrYUI6DRrjRhnypEEVjoR5yebuSG9gSU+q9BLgw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMEJxcTNDNEhFbG5hdDZj\nTldMYWdBZFhOaWRjMlFYTFoyOXBtcy9nNEJrClFYN2tsRUJZakRDdWRsNHdZT21U\nd2Y5a0s1NDVhbitxNnNOc1g2TUNoU2MKLS0tIFFvUzdxUVNsZmNpYWlrc1B3NDFz\nSTk4YlpJdTk0c013Y3NSRHRXeUlLRm8KHGCo8i6aKQXO0PzN4kS7G+XsPmnYGggS\nM/x9YhQsCwl3aReX1FSwVnKZBc9+S2LmyXu1ofkVPEgXpz484VF4nQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
 		"lastmodified": "2024-10-08T18:54:39Z",
 		"mac": "ENC[AES256_GCM,data:9om/bmA4LAovlO5D0Q/TLLSY4IGeUXaBG6EAx7S0NmEOp8ctBXDq4f2DBWJyUVsI443wX1rTLArO1lyG84TgpB0/JXPdwVLa4vsqnJJCvm/rGU7X3rCk32GuktE9MaIkKQQJbQH1dSBLt+swyKTGH8qztolcenngP6pp5nciLec=,iv:bLmB5Q+mVERTR1VLLB1d+gxhSV8QGPpN/MCpwK6rGYA=,tag:sBRJWDo3RrmLotHuuNIZcg==,type:str]",
 		"pgp": null,
--- a/homelab/stacks/manyfold/postgres.secrets
+++ b/homelab/stacks/manyfold/postgres.secrets
@ -1,54 +1,21 @@
 {
 	"data": "ENC[AES256_GCM,data:YVUtJ7/TMEHZt1a+vruciEfG/veqNGFGBHyKWH7/+xDeHvE8nZ4iF5h9tEGA6XmIVQfHN21K8v4wmhKvxJKfhAc3,iv:pthOj8UfK2mPhiG+VfLaBt36IQAQX516vlSkAu4q6bo=,tag:XBWRS4/71VFLIvhxuFwI8w==,type:str]",
 	"sops": {
-		"shamir_threshold": 2,
-		"key_groups": [
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcGZLdWhwNzF5YUNKdlVD\nVytzdXlSRmRIYlpROHFZZThMZWhLTktwQnlRClhjdkxYV2hDOTRIcVNXUXphMUtC\nam5XWnIxOFFaSkthM2w5QVZac0RBVXMKLS0tIFdLY3pndmNwTHRxV0VWOEEzVlR2\nL0tUVWZCSUQ3VDJOZWxNMUhSeUNpNkEKkRqifh3mIhUGZ+BT2vZLaefpd7pDH9/p\n9sAcVETkjlDY1wVEOHXJGTeOpy5PbamDvVuHPlIq3lL1qDbtYZTHodQ=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByQ3NwNGpCdlhPSVB3RThM\nSVpDSmtPS2djOUNHVUNQNFBodlVoRmRka0Y0CkRMa0x5eGNiZFVTdStTa3Yzb3Ny\nckVwTTUzNzRkM3N5QmtrZU95RTV2S2MKLS0tIGpTSmJhRnRPNFY2Wmk2cllSd0VO\nU3dsVWRtaDc0N0lDTy95eUFNTlNvbEkKt3Oe8Jm+4NOcvXYT7pbpyVy1gdJQ1WSC\nZdLobZsEJScuTmlRdG6jb37Z5tjq4jBcmnAOg8Z+i2xy8uAODMIzgcw=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age193t908fjxl8ekl77p5xqnpj4xmw3y0khvyzlrw22hdzjduk6l53q05spq3",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdXlRNzlwSy9XTVFzc3hX\nTmxRZTNETGhqUmJjRTNPUldDa0NSZGNqcWpnClExaFM2czRCa2xNSENMS3kybFp3\nTk9QSE5ISFlqQ1VZRjJJUzI1cXFjaHcKLS0tIDRFNXNKbktwSFFRQXRoT3dJdzE2\nMnBJbkhpMUJzZnZjUDByelRLb0xvNUEKwPSHI4jY2Cw2tsvdY30TJgYkJb8KNREy\nc+XjlKez3vuuuCmeUNeCBTcBOw+qJjB/BkraXR3f/C6AJ1hZrg1g1Zk=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			},
-			{
-				"hc_vault": null,
-				"age": [
-					{
-						"recipient": "age13prhyye2jy3ysa6ltnjgkrqtxrxgs0035d86jyn4ltgk3wxtqgrqgav855",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVGhKbkV3ZUdGWU1vb1A5\nem9nNzcxaTdlY3lVV3ROcHJIWFhvdDVXNlJnCksrODNQc0g3ZzR6VlR4ekFvTWxl\na01ka25HU2YvYWhYTVc0NmtjTHBpc28KLS0tIG4yYkhIRmRNcG1EWGxnRC9OclNT\nOW1CQnZXZFBkNjg4TDloWDNQQ3ZkMTQKgbFSxtERB1vBfObKIIj/EWOK9RYa2/Y8\nrbpkxqEtFmtSPJ7wMM/IxpLsYSuLm9ZnlpjQlWvnpO1aJ201qgnY8BM=\n-----END AGE ENCRYPTED FILE-----\n"
-					},
-					{
-						"recipient": "age1n20krynrj75jqfy2muvhrygvzd4ee8ngamljqavsrk033zwx0ses2tdtfe",
-						"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZ3ZvbGpxd3p2U21LNkps\ncVNvdnc5MUp6Nk5Ed0crb3lTSVIzOWJ6SlJnCk90TE5FZU54T3BwUmlaRE5KUDVT\nbkt2U1ZUOEdqNjVPOHo0ZmlOTzhpYUkKLS0tIGxOYVVIc1djZVIwSXlYV09IVkh4\nbllqZkJTTFI0ZDM3Y3pObTd4a2VPbTAKQHhjG5bRazEilzGkHLwNio8hkvZNqgvI\nxGH7HPh2KKe/3UkiTNA2jdEmdCSC5DA+R01nDgBNX8shNz7NPUY2uew=\n-----END AGE ENCRYPTED FILE-----\n"
-					}
-				]
-			}
-		],
+		"shamir_threshold": 1,
 		"kms": null,
 		"gcp_kms": null,
 		"azure_kv": null,
 		"hc_vault": null,
-		"age": null,
+		"age": [
+			{
+				"recipient": "age1v5wy7epv5mm8ddf3cfv8m0e9w4s693dw7djpuytz9td8ycha5f0sv2se9n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWT21IdHNWS3hvbmVBY0h0\nL05UdHZWQ1FIcWx3enRJTHFpYThPVEJ4cUNRCkJ1eDlVZEx2SHNYc25hK29vTG1I\namYvYWQrbkNoSDg3RTlqaUNBTjkvaHMKLS0tICtaSlJXdUxnS0tBbmcrQmhIYWVC\nRHRkam9DS3VKQjYzYkdGYkowUHFybXMKP0PcRfOM1wwPKHpVqLIVROTfiytmnJa5\nlsBWe6loQJyjf/DDu/F44TdcJitjcVdEWuyPdXlwaUFvSA5ge+bYlw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zswcq6t5wl8spr3g2wpxhxukjklngcav0vw8py0jnfkqd2jm2ypq53ga00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYN3o4MTdOc3ZrUXpoS1ln\ncHlaeU1kRnVSY256UktwVlVRM3NQRnRtNURNCkN1Rk43VDdFbTZmZGZkMzhudVA2\nMkVnNitha0xMR2FISTN5cm5FY1BlRGMKLS0tIElDMFBDZjQvVXVVRTcwMGNJaGZj\ndzgzWjNxY1hkQW1PcWNnUTZsTGZXajQKg9fCh3KgPQbPZoCpUxRw7TpvsqD9vRIo\n4fBobk0Xb2t08YLnZtLJf4LZBuwnvnJX3CFi5ciPr2bbOU/2TXpPww==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
 		"lastmodified": "2024-10-08T18:54:39Z",
 		"mac": "ENC[AES256_GCM,data:szIgJj+CaEms9yg6PV7FffMyVRb1X3WsPcXTCzPlflNp05tlqY64gCuCwNiIIu8BxZgNi2LDTrIuvwwunKxFxW5xONdz4Ji7r1swmhY4c0BJggQXAMmLDg7t+p0n4rXAxGPrNHTiBWkha+IxI9faydHUpiZ0dMEvIRdJRmUqnN8=,iv:I6wMEPRLl3S3J349R63hWCCLgZRp83mU80zJNdsvD14=,tag:FntjWMXkNWy9JT0KiIXMlw==,type:str]",
 		"pgp": null,
--- a/homelab/stacks/manyfold/stack.nix
+++ b/homelab/stacks/manyfold/stack.nix
@ -0,0 +1,30 @@
+{ sys, ... }: let stack = "manyfold"; in {
+  home-manager.users."${sys.username}".home.file = {
+    "${stack}" = {
+      enable = true;
+      recursive = true;
+      source = ./.;
+      target = "stacks/${stack}/";
+    };
+    "${stack}/.env" = {
+      enable = true;
+      text = ''
+        APPDATA=${sys.dataDirs.appdata}/${stack}
+        LIBRARY=${sys.dataDirs.library.digitalModels}/Model Library/VanDAM
+      '';
+      target = "stacks/${stack}/.env";
+    };
+  };
+  sops.secrets."${stack}/manyfold" = { 
+    sopsFile = ./manyfold.secrets;
+    key = "";
+    mode = "0440";
+    owner = sys.username;
+  };
+  sops.secrets."${stack}/postgres" = { 
+    sopsFile = ./postgres.secrets;
+    key = "";
+    mode = "0440";
+    owner = sys.username;
+  };
+}
				`@ -1 +0,0 @@`
				`STL_DIR="/mnt/nas/3DPrinting/Model Library/VanDAM"`