tsuki/hedgedoc: use sops templates for env, dedent
This commit is contained in:
parent
fac13db8cb
commit
1301e848ed
@ -1,71 +1,80 @@
|
||||
{ pkgs, lib, config, options, ... }: let
|
||||
{ pkgs, lib, config, ... }: let
|
||||
cfg = config.services.hedgedoc;
|
||||
in {
|
||||
config = {
|
||||
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
||||
sops.secrets."hedgedoc/env" = {
|
||||
sops = {
|
||||
secrets = {
|
||||
"hedgedoc/env/cmd_session_secret" = { };
|
||||
"hedgedoc/env/cmd_oauth2_client_secret" = { };
|
||||
};
|
||||
templates."hedgedoc.env" = {
|
||||
restartUnits = [ "hedgedoc.service" ];
|
||||
owner = "hedgedoc";
|
||||
group = "hedgedoc";
|
||||
};
|
||||
|
||||
users.groups.hedgedoc.members = [ "nginx" ];
|
||||
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
||||
settings = {
|
||||
domain = "docs.nani.wtf";
|
||||
email = false;
|
||||
allowAnonymous = false;
|
||||
allowAnonymousEdits = true;
|
||||
protocolUseSSL = true;
|
||||
|
||||
path = "/run/hedgedoc/hedgedoc.sock";
|
||||
|
||||
db = {
|
||||
username = "hedgedoc";
|
||||
# TODO: set a password
|
||||
database = "hedgedoc";
|
||||
host = "/var/run/postgresql";
|
||||
dialect = "postgres";
|
||||
};
|
||||
|
||||
oauth2 = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in rec {
|
||||
baseURL = "${authServerUrl}/oauth2";
|
||||
tokenURL = "${authServerUrl}/oauth2/token";
|
||||
authorizationURL = "${authServerUrl}/ui/oauth2";
|
||||
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
|
||||
|
||||
clientID = "hedgedoc";
|
||||
|
||||
scope = "openid email profile";
|
||||
userProfileUsernameAttr = "name";
|
||||
userProfileEmailAttr = "email";
|
||||
userProfileDisplayNameAttr = "displayname";
|
||||
|
||||
providerName = "KaniDM";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "hedgedoc" ];
|
||||
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
|
||||
systemd.services.hedgedoc = rec {
|
||||
requires = [
|
||||
"postgresql.service"
|
||||
"kanidm.service"
|
||||
];
|
||||
after = requires;
|
||||
content = let
|
||||
inherit (config.sops) placeholder;
|
||||
in ''
|
||||
CMD_SESSION_SECRET=${placeholder."hedgedoc/env/cmd_session_secret"}
|
||||
CMD_OAUTH2_CLIENT_SECRET=${placeholder."hedgedoc/env/cmd_oauth2_client_secret"}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
users.groups.hedgedoc.members = [ "nginx" ];
|
||||
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
environmentFile = config.sops.templates."hedgedoc.env".path;
|
||||
settings = {
|
||||
domain = "docs.nani.wtf";
|
||||
email = false;
|
||||
allowAnonymous = false;
|
||||
allowAnonymousEdits = true;
|
||||
protocolUseSSL = true;
|
||||
|
||||
path = "/run/hedgedoc/hedgedoc.sock";
|
||||
|
||||
db = {
|
||||
username = "hedgedoc";
|
||||
# TODO: set a password
|
||||
database = "hedgedoc";
|
||||
host = "/var/run/postgresql";
|
||||
dialect = "postgres";
|
||||
};
|
||||
|
||||
oauth2 = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in rec {
|
||||
baseURL = "${authServerUrl}/oauth2";
|
||||
tokenURL = "${authServerUrl}/oauth2/token";
|
||||
authorizationURL = "${authServerUrl}/ui/oauth2";
|
||||
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
|
||||
|
||||
clientID = "hedgedoc";
|
||||
|
||||
scope = "openid email profile";
|
||||
userProfileUsernameAttr = "name";
|
||||
userProfileEmailAttr = "email";
|
||||
userProfileDisplayNameAttr = "displayname";
|
||||
|
||||
providerName = "KaniDM";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "hedgedoc" ];
|
||||
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
|
||||
systemd.services.hedgedoc = rec {
|
||||
requires = [
|
||||
"postgresql.service"
|
||||
"kanidm.service"
|
||||
];
|
||||
after = requires;
|
||||
};
|
||||
}
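Review bot: The rendered template at `templates."hedgedoc.env"` is given `group = "hedgedoc"` while `users.groups.hedgedoc.members = [ "nginx" ]` puts nginx into that same group, so the file holding CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET is one permission bit away from being readable by the reverse proxy; this only stays safe as long as sops-nix's default template mode is owner-only, which is presumably 0400 but is not stated anywhere in this file. Pin it with `mode = "0400";` next to `owner`/`group`, or drop `group = "hedgedoc"` entirely if only the hedgedoc user needs to read the file; the nginx group membership is presumably there for the socket at `/run/hedgedoc/hedgedoc.sock`, not for the env file. Separately, `cfg = config.services.hedgedoc;` at the top of the file is still unused after `options` was removed from the argument set, so it can go too. The hunk covers the whole file, so no enclosing block is cut.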
|
||||
|
@ -11,7 +11,9 @@ grafana:
|
||||
headscale:
|
||||
oauth2_secret: ENC[AES256_GCM,data:OUOh2ICq4eMeo5WleqIui3rG8VJVW+XVyAkqF1hh6kdijr5G+1CkpQQbsbafwhq3,iv:99xDRg5b2gc7uGNput4R6QZung9voQWnanCDkvmdjyA=,tag:xEaQFbliEZeg508LubNWYA==,type:str]
|
||||
hedgedoc:
|
||||
env: ENC[AES256_GCM,data:Sq69/2EIPexulpYTIe3VqsnGd5WfMf3/d52uai8QvNMIS+dXxie6OtFEZzh51I94F1vnA1rshTR0rv2zxerVUR2ZSaw+igWII6VJUu/Aw8tOilMhJv8K17xfxTCLjZFedMYmJOw88PfOFUuYH/CVA9Yj4xh/q8PE0Js8Mz1Ft48wNjze5SAlCiDbagRvJKQqBu9prUjEsQ4Db9vkDuTdej9w,iv:9Tkdp4ZXcTrJ4HdOE/OyCnNHOE6JXAkJOTRt2mXa9/o=,tag:h/FTyRC/ouURh8IyCjw6Mw==,type:str]
|
||||
env:
|
||||
cmd_session_secret: ENC[AES256_GCM,data:07Qg7KtmbFDq/rGfY3t/Q1epp+qef8PecWqn7FhZS2wc3TKsxwx2f38zKbe/V/8dRCG7eXAoJo63JfmnEscz9Q==,iv:YgpcyCmg6+Bmd0S78OKpBZ7qqR12YLYhn5Pa6dvscPk=,tag:ar6s7AlH/NMzskt8CGE18w==,type:str]
|
||||
cmd_oauth2_client_secret: ENC[AES256_GCM,data:rSLCdLSe0svTaufu8VuaWwS8H26uypONs7g7RKJbqUITAKPtAwOOyxpwuV+9rvPT,iv:yQCBVcCLnotVUf4txxX8q6RHaMwhuCtfA3TjNdiyhxs=,tag:MwkdyQnijo6u6EHIt4dYWA==,type:str]
|
||||
cloudflare:
|
||||
api-key: ENC[AES256_GCM,data:Y1sHbPTUSiFzRyAiwk0ycFdM4s9ET5g/RPjVsb3sHXMlc3AJHDBYhTljyytZ1lCoFz7OdcZcUOHWzgvHtce6yXiGUpmo34XBKZqloFlNA5u6XC2UG31qfuUEWpRZb0kL,iv:iwN243uzSCjl5Za1msKbaC4pPAOE8frZ2WEvgZ5xknA=,tag:q32vyQI7SOFoN6s1RjQV5A==,type:str]
|
||||
drives:
|
||||
@ -56,8 +58,8 @@ sops:
|
||||
MThmQ1Iza0F6Q0Y4N1JpT2V5a0FrTGMKIzpNe4dyCLuyKjjXjadZepRYvULr3j3i
|
||||
7SSwFgVvESj0aVwcGMW1swkhdb2evZgcghhrJpiK8kKIPrWEuFiCcw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-28T23:23:32Z"
|
||||
mac: ENC[AES256_GCM,data:lA4bB1kaZKeau71Fa7ZhUusoZ+jhF405N6cJap/EEQ3EYIDEwK9hYYGZas+AsrvQ/0HW9lDXI/LliVMUxpEWuOoizaK1gW+ZxVz7jsgoSINILU3I6ZJewcPXh5fbwRS6g5+HEVJ53ozXxcnyVx+jpE7Rysfe9wK+kAk90NL0i5c=,iv:/Ltl/Gcm3QDhsK6MnZqKo/UWjwFVPYENc5xKW38jLxk=,tag:Hly2g9tVihTfwqjJb2e+Dw==,type:str]
|
||||
lastmodified: "2024-11-28T23:33:37Z"
|
||||
mac: ENC[AES256_GCM,data:iw6m2XmdVgEvGeYQC9ORcaxu4p6kiYWJNWmkYPPOPLSn4xECgd8tmPlxUWHwiIEjDzD+Vi7atafW8eAtQg9T8s4mvV1Ovw7oBKzzGk3DqFKB9//myedBtIvntCYGDpBSXcVqK1iHKsG605fnY1CrzyRG5gi3xoub3AabcM8l8sQ=,iv:JdIKfELLUUG/2AzQx/uc+YaHhGNAb0sSiih3rDBkUjg=,tag:fqCMmnjIDACAzG+eiCCKrQ==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-06-25T17:16:27Z"
|
||||
enc: |-
|
||||
|