Fix hedgedoc oauth, update flake, update sops
parent
7d9a648030
commit
9e64e2dd1f
@ -1,6 +1,6 @@
|
||||
keys:
|
||||
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
||||
- &host_voyager age1rfevltzuq0a3mv4f5544639g99vev5626u4g5kxkat85sth5246qpat3sr
|
||||
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
|
||||
|
||||
creation_rules:
|
||||
# Global secrets
|
||||
|
1
base.nix
1
base.nix
@ -67,4 +67,5 @@
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
|
||||
];
|
||||
};
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
}
|
||||
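Review bot: The added `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` makes the host's SSH ed25519 key the decryption identity for every sops secret, but nothing records that the `host_voyager` recipient in `.sops.yaml` is the age public key derived from it; a comment such as `# age identity is derived from the SSH host key; its age public key is the host_voyager recipient in .sops.yaml` would keep the two from drifting apart when the host key is rotated. This appears to replace the file-based `sops.age.keyFile = "/var/lib/sops-nix/key.txt"` that is dropped from the voyager configuration in the same commit, so that key file should also be removed from the host once the switch is confirmed, since it can still decrypt the earlier revisions of the secrets files kept in git history. On this rendered page the hunk's old/new sides are not marked, so the reading that `sops.age.sshKeyPaths` is the single added line comes from the hunk counts (4 old, 5 new).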
|
24
flake.lock
generated
24
flake.lock
generated
@ -2,11 +2,11 @@
|
||||
"nodes": {
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1681570648,
|
||||
"narHash": "sha256-ATsDh8cEXqx+gGIIpEPf5twAStM9INIbwmVgS4WcjYQ=",
|
||||
"lastModified": 1682461850,
|
||||
"narHash": "sha256-udJwbwbhUOt0y04cIJy+7W6zNQeL23m+p3o7G47ZFEg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "745a6200bf74c4dbec8f94dd731ab3769c0e9df3",
|
||||
"rev": "c533ac9867368d28e29a23369ac5d597bc5da185",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -18,11 +18,11 @@
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1681613598,
|
||||
"narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=",
|
||||
"lastModified": 1682173319,
|
||||
"narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1040ce5f652b586da95dfd80d48a745e107b9eac",
|
||||
"rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -47,11 +47,11 @@
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1681613729,
|
||||
"narHash": "sha256-9Qb0tHW8l1hgFkuB76n4VT9UNUaR7QL3CgmJ5hcVYEg=",
|
||||
"lastModified": 1682338428,
|
||||
"narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b7a6670a28b01cd1f62879921e36be2c69c4137a",
|
||||
"rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@ -62,11 +62,11 @@
|
||||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1681618194,
|
||||
"narHash": "sha256-UR4OobzFHFyIVHXmanJLfm5o2DVufbFeP1Dn7C5Xqn0=",
|
||||
"lastModified": 1682476574,
|
||||
"narHash": "sha256-diM+haOZnOUPOp3dLLbuAgEZBCE7Iv9iyNzO5YVmwq0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f2654e378dfc8153a141a8fcb854b423fe259a27",
|
||||
"rev": "8bac227a5a27ba29240e496e3e3fd55a2351f68b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -46,14 +46,13 @@
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
|
||||
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
|
||||
|
||||
environment.variables = { EDITOR = "vim"; };
|
||||
environment.systemPackages = with pkgs; [
|
||||
((vim_configurable.override { }).customize{
|
||||
name = "vim";
|
||||
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
|
||||
start = [ vim-nix vim-lastplace ];
|
||||
start = [ vim-nix vim-lastplace vim-commentary ];
|
||||
opt = [];
|
||||
};
|
||||
vimrcConfig.customRC = ''
|
||||
|
@ -2,8 +2,9 @@
|
||||
let
|
||||
cfg = config.services.hedgedoc.settings;
|
||||
domain = "md.feal.no";
|
||||
port = 3000;
|
||||
port = 3300;
|
||||
host = "0.0.0.0";
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in {
|
||||
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
||||
sops.secrets."hedgedoc/env" = {
|
||||
@ -12,27 +13,27 @@ in {
|
||||
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
|
||||
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
||||
settings = {
|
||||
inherit domain port host;
|
||||
protocolUseSSL = true;
|
||||
sessionSecret = "$CMD_SESSION_SECRET";
|
||||
|
||||
allowFreeURL = true;
|
||||
db = {
|
||||
dialect = "sqlite";
|
||||
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
|
||||
};
|
||||
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
||||
|
||||
email = false;
|
||||
oauth2 = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in {
|
||||
oauth2 = {
|
||||
baseURL = "${authServerUrl}/oauth2";
|
||||
tokenURL = "${authServerUrl}/oauth2/token";
|
||||
authorizationURL = "${authServerUrl}/ui/oauth2";
|
||||
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
|
||||
|
||||
clientID = "hedgedoc";
|
||||
clientSecret = "";
|
||||
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
|
||||
scope = "openid email profile";
|
||||
userProfileUsernameAttr = "name";
|
||||
userProfileEmailAttr = "email";
|
||||
@ -43,14 +44,11 @@ in {
|
||||
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${host}:${toString port}/";
|
||||
};
|
||||
|
||||
locations."/socket.io/" = {
|
||||
proxyPass = "http://${host}:${toString port}/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
systemd.services.hedgedoc.serviceConfig = {
|
||||
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
|
||||
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
}
|
||||
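Review bot: `host = "0.0.0.0"` in the `let` together with `networking.firewall.allowedTCPPorts = [ port ];` at the end of the last hunk leaves HedgeDoc's plain-HTTP listener reachable on every interface at port 3300, independently of the nginx virtual host; `protocolUseSSL = true` only affects the URLs HedgeDoc generates and does not put TLS on that listener, so a client that hits the port directly gets the OAuth redirects and session cookie over plain HTTP. Because `services.nginx.virtualHosts.${domain}` proxies to `http://${host}:${toString port}/` on the same machine, binding to loopback keeps the proxy working and closes the direct path: `host = "127.0.0.1";` and drop the `allowedTCPPorts` line. The page does not mark which side the nginx and systemd lines are on (the hunk header only shows 14 old lines against 11 new), so if the proxy block was moved to another file in this commit the same point applies there. The `sops.secrets."hedgedoc/env" = {` attribute opened in the first hunk continues outside it, so its owner and mode for the hedgedoc service user could not be checked here.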
|
@ -1,42 +1,41 @@
|
||||
#ENC[AES256_GCM,data:cYubTyNl41ufO3tMpRIZHJdo/a5gxT4Afv8is2mbxEtRumDUcW+5gZ5E6m3n7+IIg2jOuO1I,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ogNmvkNeaJC7DlB+pbMPnA==,type:comment]
|
||||
#ENC[AES256_GCM,data:QcB3dNA10sP34pK8SCaKVs5jazW2uzD69a2U,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:UBibqrup4ogZoS2xXi0vrA==,type:comment]
|
||||
#ENC[AES256_GCM,data:OuH/xIjJZZZvkof/j9Pz7aG0,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:f4ZxngtUAF+ctxJFlDrr4w==,type:comment]
|
||||
#ENC[AES256_GCM,data:LC90R2o+4wPQ8yKpMlpb,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:FOpLtkRX26IdV+LMDm9Nhw==,type:comment]
|
||||
#ENC[AES256_GCM,data:p0s2J4k0xSJF02l6ZudSakxVnN7H,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:xreaaMkZI5+cvvq/p38hGw==,type:comment]
|
||||
#ENC[AES256_GCM,data:xuGaMth0lq9q7vmeUilgHskjjTZj,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:L2c7XpZMP1aKswwx37lC+Q==,type:comment]
|
||||
#ENC[AES256_GCM,data:d0zRwG8ZbGBthh/pu+Eyv9COARL7LGGEMES2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:/73UgFoIRRpKityxlcWldg==,type:comment]
|
||||
#ENC[AES256_GCM,data:Qx48qmQtH8pXH/OsqbveUNwx,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:B/s/KfVDcjcyWqdBSMfyIA==,type:comment]
|
||||
#ENC[AES256_GCM,data:uF4N/yAesQiwJWQ=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:tgUJZ79eWU2s4IdZCdvMxQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:7u87/8sEwf84DsXy,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:/WBgX1Lk8EZS27K3UwOtLw==,type:comment]
|
||||
#ENC[AES256_GCM,data:DD7NMS1+lSV4f7fIAadvbyX0WsAlCMophBeQzoJ6OnYM5rx+Md9Z/R9SA7U4Mx9V5+LTn1/W,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:8Z1EaoHSQXrRBC1yfvU3Sw==,type:comment]
|
||||
#ENC[AES256_GCM,data:kJam8oGmTK5TsrjyreeA4ejmfmR6IGbhe9i9,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:jaI7Gt1lPFnCF3N/pznqaw==,type:comment]
|
||||
#ENC[AES256_GCM,data:7ymKEd8NvmQacyFxhkd907ai,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:BS5OJdNb6JVWXwr7VQ8QAw==,type:comment]
|
||||
#ENC[AES256_GCM,data:3tOkiA7K6Db/2cPFKDMf,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:nqP2wyg5T+RwA1fDI2Q0bw==,type:comment]
|
||||
#ENC[AES256_GCM,data:0298n6qm6ZE6WzkUQrr7M6t/Tj37,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:RKm3ElD3CFlwPYFr9th2hQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:4I1NAGgZalSkGvmOEuzlIbdOLhFF,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:HWfLK70NnUF5sNulbvGauA==,type:comment]
|
||||
#ENC[AES256_GCM,data:X6a1nIcMHwE1LYvfdbv7obMoNLmogi8lMZJX,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:HjxihWezjq37fksfkKpqYQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
|
||||
#ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
|
||||
#ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
|
||||
hedgedoc:
|
||||
env: ENC[AES256_GCM,data:A5m2hSK7OfKngJsjUwF+SaSDnTHscG2lexEjfmX3E3j8c4zXPjQh52tcP5k1+h7wq9G41GMni9EDHynyxfj/g0Y0Gpvr9t07BMvvwa/JfbDEgmPEHHuVcG/P6eeFhqU1raZ5Vl2M8Z9iChquubvSoNmvKrjJEMlsu3GqONb+C0uXje0CeUeAV6d2RYDumvklqmbUxXUR2lmKsI7M+ec=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:7OH5ClKcKjP9hTm3JtyFsg==,type:str]
|
||||
env: ENC[AES256_GCM,data:okkj5V0veAwWwdmhjhsd4seAHiBOjdk7m80C3iVi78LNeHlNuGL2zdvKV5b4ClUR3awabotR/QwdvSvCUxZiFRpXwyeETxHPRRTtR4VDL1L4MifJ0LS27A5DAzAdjCjc799ckgDyBn5L3+T6P1136X0PnaXQT1KyRegizC1DFQ15/3fvlIe05tonDwDVAsPkV8ZEtmGuseB87yoFBxs=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:6bDyl7c23uAWMzVrJ5/YYQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
|
||||
- recipient: age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpazVpRU9CdXJRbjBycXRx
|
||||
V2dMVW16Rm43QW9xeTNhZ2NQWDBqN3JVS0NjCklQbXlCU295VmxUZHVwcGF1RHp5
|
||||
OG04bUd4V3RXNGFZMTZrbGVDczNlWEEKLS0tIEVHeFJVTExRY0NCNGlLdTdEQ05G
|
||||
ekpycHViWDFUREluaytiSERVQk9DN2cK6stL4d2RqmhPmT4m6sLZz3qilE+ZrTkz
|
||||
8Yedd0J/kNMyeAFSEOJtVM4ADkBdZCpX1QOGy36XKISVbck+rZWoDQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZml2bXBjSUYrMW5RcnFl
|
||||
MTRzM1p2L1JMTGJCamk1RHczOStQUjlFSDFzCmdGTDYrYUhJUjAyYWdkclgwazNt
|
||||
UWVqY0JxYXh3cXVyNjlSZ2h6c0R4REEKLS0tIDZHY0F6M0lOZ1JRelp3Umx0aW4x
|
||||
cjRUa2szZGZuSnhjd3hCNmYvV0tXTmMKlYuaUIvwTv8NpaoBYVva4jbRemkFTdfU
|
||||
yP4J5RyUry83aVlHFQ2f7neBpWc6A2rePl3XuEQxSggl13hh71H+nw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWV4bCt1NEZEZHpRMlQ3
|
||||
VVlTcFVScUZBRENHczhwblNQVkk3Q3pwdm1jCmdQMjhJREM1cGJiRk1WZHlIWUxP
|
||||
d2RZaFlWSWdHVUJaNGpTNmR2WEFWZEUKLS0tIDJCOHh5RmlxT1F1VElPTFhSUWwr
|
||||
Sk9XMkpDVE4veGgxazRRbVdPZ2NsRUkK8ZYLUD7s5GvW/T4j7W2gie8vyyMJQnfZ
|
||||
JT+BnhjvKIz+dj9/V0lOzoNnie01VWF9zJtxB4M6X4J1WFHhwF8iFg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOG5GSDd4R09mZ2QvT0dy
|
||||
YnIxMWNBL3huMXNmcjV0a1VlS0FxS1JtSFVjCmthenVlYytjZklxNk43YlR5NExG
|
||||
aVQ2K1ZsbHdWTm91d1JvNDVsYW1FSEkKLS0tIFpTeG1zcVRpWWlWUE1abllKR1BW
|
||||
THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
|
||||
u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-26T11:19:53Z"
|
||||
mac: ENC[AES256_GCM,data:UIfUFsrwPcAG74JPPRcpO77AKUQX1s4eKyFZOO5HH3JdCunZkVwet4iFdiYiY4x7GmnO2l4wrhiegUR+N9rjyOioN6AGjUE0GS2q2D6fHs16saWtflvsslk3H896F9oLbALmV8TMJuHL3MvQT6IqaAT6PhT7qrtudmUyW7tLP3o=,iv:uwPhCNPzKnxSkYpt+SPsb3FNT5yBYsi5SgZYeioSz2s=,tag:pQ45sspg8NhlgQ2h18rLLQ==,type:str]
|
||||
lastmodified: "2023-04-26T11:53:47Z"
|
||||
mac: ENC[AES256_GCM,data:CQi0+67t6NrYFlpqry7lULIlQs3adLG1L9bH7iYDhAPF/1Bi/A3OrKZfdNozp/VRqBlMnfp2z6UWh9ScvI1V5aOWfsTfEFKF4l945rwN4f7MYYRaYtgSDSefAoZrgE036Fzuh2seDDcvfoeOEnQ1VJ6BD/1wSrMPP1z1F3au1dE=,iv:cMZUXzedX1Gjkqn1uAZ1gufehtYQ9X/A8m/GRF5TLZw=,tag:C231MYSPUvYnAYiJ4TjdFA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
||||
|