From 51ba15df8b6efe837ff182bf08f21c6e85af15b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Billet?=
Date: Thu, 27 Nov 2025 11:37:15 +0100
Subject: [PATCH] Made secrets variables more reliable 2.
---
config-files/sops-nix/secrets.yaml | 72 +++++++++++++++---------------
deploy.sh | 30 ++++++------
2 files changed, 51 insertions(+), 51 deletions(-)
diff --git a/config-files/sops-nix/secrets.yaml b/config-files/sops-nix/secrets.yaml
index 7b85e42..20bcb72 100644
--- a/config-files/sops-nix/secrets.yaml
+++ b/config-files/sops-nix/secrets.yaml
@@ -1,46 +1,46 @@ -ssh_public_keys: "${SSH_PUBLIC_KEY}" +ssh_public_keys: $SSH_PUBLIC_KEY docker: nextcloud: | - DOMAIN_NAME="${DOMAIN_NAME}" - NEXTCLOUD_ENABLE_DRI_DEVICE="${TARGET_GRAPHICS}" + DOMAIN_NAME=$DOMAIN_NAME + NEXTCLOUD_ENABLE_DRI_DEVICE=$TARGET_GRAPHICS frigate: | - DOMAIN_NAME="${DOMAIN_NAME}" - FRIGATE_MQTT_USER="${HOME_ASSISTANT_MQTT_USER}" - FRIGATE_MQTT_PASSWORD="${HOME_ASSISTANT_MQTT_PASSWORD}" + DOMAIN_NAME=$DOMAIN_NAME + FRIGATE_MQTT_USER=$HOME_ASSISTANT_MQTT_USER + FRIGATE_MQTT_PASSWORD=$HOME_ASSISTANT_MQTT_PASSWORD traefik: | - DOMAIN_NAME="${DOMAIN_NAME}" - CF_DNS_API_TOKEN="${CF_DNS_API_TOKEN}" + DOMAIN_NAME=$DOMAIN_NAME + CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN hass: | - DOMAIN_NAME="${DOMAIN_NAME}" - HOME_ASSISTANT_MQTT_USER="${HOME_ASSISTANT_MQTT_USER}" - HOME_ASSISTANT_MQTT_PASSWORD="${HOME_ASSISTANT_MQTT_PASSWORD}" + DOMAIN_NAME=$DOMAIN_NAME + HOME_ASSISTANT_MQTT_USER=$HOME_ASSISTANT_MQTT_USER + HOME_ASSISTANT_MQTT_PASSWORD=$HOME_ASSISTANT_MQTT_PASSWORD passbolt: | - DOMAIN_NAME="${DOMAIN_NAME}" - TZ="Europe/Paris" - PASSBOLT_MYSQL_DATABASE="${PASSBOLT_MYSQL_DATABASE}" - PASSBOLT_MYSQL_USER="${PASSBOLT_MYSQL_USER}" - PASSBOLT_MYSQL_PASSWORD="${PASSBOLT_MYSQL_PASSWORD}" - SENDER_EMAIL_ADDRESS="${SENDER_EMAIL_ADDRESS}" - SENDER_EMAIL_ADDRESS_PASSWORD="${SENDER_EMAIL_ADDRESS_PASSWORD}" - SENDER_EMAIL_DOMAIN="${SENDER_EMAIL_DOMAIN}" - SENDER_EMAIL_PORT="${SENDER_EMAIL_PORT}" - EMAIL_ADDRESS="${EMAIL_ADDRESS}" + DOMAIN_NAME=$DOMAIN_NAME + TZ=Europe/Paris + PASSBOLT_MYSQL_DATABASE=$PASSBOLT_MYSQL_DATABASE + PASSBOLT_MYSQL_USER=$PASSBOLT_MYSQL_USER + PASSBOLT_MYSQL_PASSWORD=$PASSBOLT_MYSQL_PASSWORD + SENDER_EMAIL_ADDRESS=$SENDER_EMAIL_ADDRESS + SENDER_EMAIL_ADDRESS_PASSWORD=$SENDER_EMAIL_ADDRESS_PASSWORD + SENDER_EMAIL_DOMAIN=$SENDER_EMAIL_DOMAIN + SENDER_EMAIL_PORT=$SENDER_EMAIL_PORT + EMAIL_ADDRESS=$EMAIL_ADDRESS pihole: | - DOMAIN_NAME="${DOMAIN_NAME}" - TZ="Europe/Paris" - HOME_ROUTER_SUBNET="${HOME_ROUTER_SUBNET}" - 
HOME_ROUTER_IP="${HOME_ROUTER_IP}" - HOME_SERVER_IP="${HOME_SERVER_IP}" - FTLCONF_webserver_api_password="${FTLCONF_WEBSERVER_PASSWORD}" + DOMAIN_NAME=$DOMAIN_NAME + TZ=Europe/Paris + HOME_ROUTER_SUBNET=$HOME_ROUTER_SUBNET + HOME_ROUTER_IP=$HOME_ROUTER_IP + HOME_SERVER_IP=$HOME_SERVER_IP + FTLCONF_webserver_api_password=$FTLCONF_WEBSERVER_PASSWORD disks: - data_disk_1: "${DATA_DISK_1}" - data_disk_2: "${DATA_DISK_2}" - data_disk_3: "${DATA_DISK_3}" - data_disk_4: "${DATA_DISK_4}" - data_disk_5: "${DATA_DISK_5}" - data_disk_6: "${DATA_DISK_6}" - parity_disk_1: "${PARITY_DISK_1}" - parity_disk_2: "${PARITY_DISK_2}" - parity_disk_3: "${PARITY_DISK_3}" + data_disk_1: $DATA_DISK_1 + data_disk_2: $DATA_DISK_2 + data_disk_3: $DATA_DISK_3 + data_disk_4: $DATA_DISK_4 + data_disk_5: $DATA_DISK_5 + data_disk_6: $DATA_DISK_6 + parity_disk_1: $PARITY_DISK_1 + parity_disk_2: $PARITY_DISK_2 + parity_disk_3: $PARITY_DISK_3 diff --git a/deploy.sh b/deploy.sh index 71eea5d..bb001b7 100755 --- a/deploy.sh +++ b/deploy.sh 
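Review bot: Dropping the quotes turns every rendered line into a plain YAML scalar or a bare dotenv value, so the template's validity now depends on what gets substituted: the generated disk and database values are alphanumeric and safe, but `ssh_public_keys: $SSH_PUBLIC_KEY`, `DOMAIN_NAME`, `SENDER_EMAIL_ADDRESS_PASSWORD` and `EMAIL_ADDRESS` come from the operator's environment, and a value containing ` #`, `: `, a leading YAML indicator such as `*` or `&`, or an embedded newline will truncate or break the document silently before it is piped to sops. A block scalar is the safer shape for the key material, e.g. `ssh_public_keys: |` followed by an indented `$SSH_PUBLIC_KEY` line, with the caveat that envsubst does not re-indent a multi-line value, so several keys would still have to be joined deliberately. Either way the template deserves a header comment stating the contract, e.g. `# Rendered by envsubst in deploy.sh: every value must be a single line with no ' #', ': ' or leading YAML indicator`, and the rendered output could be parsed (`yq .`) before encryption so a malformed value fails the deploy rather than landing in the encrypted file. Whether the dotenv consumer (presumably a Docker `env_file`) re-interpolates `$` in the now-unquoted values is not visible here and is worth confirming for passwords that contain `$`.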
@@ -175,21 +175,21 @@ files_generation() { envsubst < config-files/sops-nix/.sops.yaml > extra-files/etc/nixos/.sops.yaml echo -e "\n ✅ Generating secure random database passwords..." - HOME_ASSISTANT_MQTT_USER=$(openssl rand -base64 29 | tr -d "\123456789=+/" | cut -c1-10) - HOME_ASSISTANT_MQTT_PASSWORD=$(openssl rand -base64 29 | tr -d "\=+/" | cut -c1-64) - PASSBOLT_MYSQL_DATABASE=$(openssl rand -base64 29 | tr -d "\123456789=+/" | cut -c1-10) - PASSBOLT_MYSQL_USER=$(openssl rand -base64 29 | tr -d "\123456789=+/" | cut -c1-10) - PASSBOLT_MYSQL_PASSWORD=$(openssl rand -base64 29 | tr -d "\=+/" | cut -c1-64) - FTLCONF_WEBSERVER_PASSWORD=$(openssl rand -base64 29 | tr -d "\=+/" | cut -c1-64) - DATA_DISK_1=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - DATA_DISK_2=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - DATA_DISK_3=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - DATA_DISK_4=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - DATA_DISK_5=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - DATA_DISK_6=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - PARITY_DISK_1=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - PARITY_DISK_2=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) - PARITY_DISK_3=$(openssl rand -base64 300 | tr -d "\=+/" | cut -c1-300) + HOME_ASSISTANT_MQTT_USER="$(openssl rand -hex 10)" + HOME_ASSISTANT_MQTT_PASSWORD="$(openssl rand -base64 32 | tr -d '\=+/')" + PASSBOLT_MYSQL_DATABASE="$(openssl rand -hex 10)" + PASSBOLT_MYSQL_USER="$(openssl rand -hex 10)" + PASSBOLT_MYSQL_PASSWORD="$(openssl rand -base64 32 | tr -d '\=+/')" + FTLCONF_WEBSERVER_PASSWORD="$(openssl rand -base64 32 | tr -d '\=+/')" + DATA_DISK_1="$(openssl rand -base64 32 | tr -d '\=+/')" + DATA_DISK_2="$(openssl rand -base64 32 | tr -d '\=+/')" + DATA_DISK_3="$(openssl rand -base64 32 | tr -d '\=+/')" + DATA_DISK_4="$(openssl rand -base64 32 | tr -d '\=+/')" + DATA_DISK_5="$(openssl rand -base64 32 | tr -d 
'\=+/')" + DATA_DISK_6="$(openssl rand -base64 32 | tr -d '\=+/')" + PARITY_DISK_1="$(openssl rand -base64 32 | tr -d '\=+/ ')" + PARITY_DISK_2="$(openssl rand -base64 32 | tr -d '\=+/ ')" + PARITY_DISK_3="$(openssl rand -base64 32 | tr -d '\=+/ ')" echo -e "\n ✅ Encrypting secrets in the correct file..." envsubst < "config-files/sops-nix/secrets.yaml" | sops encrypt --filename-override secrets.yaml \
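Review bot: Each of the fifteen new assignments (`HOME_ASSISTANT_MQTT_PASSWORD=…` through `PARITY_DISK_3=…`) captures `openssl rand … | tr -d …` with no check that the pipeline produced output, so if openssl is missing or fails the variable is silently empty and an empty password is encrypted at the `envsubst … | sops encrypt` line. Factoring the pipeline into a `gen_secret` helper that fails on empty output removes the duplication and also the inconsistency where `PARITY_DISK_1..3` strip a trailing space (`tr -d '\=+/ '`) that the `DATA_DISK_*` lines do not — harmless, since `openssl rand -base64 32` emits one 44-character line with no spaces, but a sign the lines were edited by hand. The same silent-empty problem applies to operator-supplied inputs such as `DOMAIN_NAME` and `CF_DNS_API_TOKEN`, which envsubst replaces with nothing when unset, so a `: "${DOMAIN_NAME:?}" "${CF_DNS_API_TOKEN:?}"` guard before the encryption step would fail fast instead. Note that envsubst only sees exported variables and these are plain assignments, so this relies on `set -a` or an `export` earlier in `files_generation`, which starts before this hunk and continues after it.
```shell
  # Generate one random credential: 32 bytes of CSPRNG output, base64-encoded,
  # with the characters that are awkward in YAML/dotenv values stripped.
  # Fails instead of yielding an empty secret if openssl or tr fails.
  gen_secret() {
    local s
    s="$(openssl rand -base64 32 | tr -d '=+/')" || return 1
    [[ -n "$s" ]] || return 1
    printf '%s' "$s"
  }

  HOME_ASSISTANT_MQTT_USER="$(openssl rand -hex 10)"
  HOME_ASSISTANT_MQTT_PASSWORD="$(gen_secret)"
  # … unchanged: PASSBOLT_*, FTLCONF_WEBSERVER_PASSWORD, DATA_DISK_1..6 and PARITY_DISK_1..3 follow the same pattern …
  PARITY_DISK_3="$(gen_secret)"
```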