diff --git a/hosts/tsuki/services/hedgedoc.nix b/hosts/tsuki/services/hedgedoc.nix index 6f4a8ab..1f2a5ef 100644 --- a/hosts/tsuki/services/hedgedoc.nix +++ b/hosts/tsuki/services/hedgedoc.nix @@ -1,71 +1,80 @@ -{ pkgs, lib, config, options, ... }: let +{ pkgs, lib, config, ... }: let cfg = config.services.hedgedoc; in { - config = { - # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET - sops.secrets."hedgedoc/env" = { + sops = { + secrets = { + "hedgedoc/env/cmd_session_secret" = { }; + "hedgedoc/env/cmd_oauth2_client_secret" = { }; + }; + templates."hedgedoc.env" = { restartUnits = [ "hedgedoc.service" ]; owner = "hedgedoc"; group = "hedgedoc"; - }; - - users.groups.hedgedoc.members = [ "nginx" ]; - - services.hedgedoc = { - enable = true; - environmentFile = config.sops.secrets."hedgedoc/env".path; - settings = { - domain = "docs.nani.wtf"; - email = false; - allowAnonymous = false; - allowAnonymousEdits = true; - protocolUseSSL = true; - - path = "/run/hedgedoc/hedgedoc.sock"; - - db = { - username = "hedgedoc"; - # TODO: set a password - database = "hedgedoc"; - host = "/var/run/postgresql"; - dialect = "postgres"; - }; - - oauth2 = let - authServerUrl = config.services.kanidm.serverSettings.origin; - in rec { - baseURL = "${authServerUrl}/oauth2"; - tokenURL = "${authServerUrl}/oauth2/token"; - authorizationURL = "${authServerUrl}/ui/oauth2"; - userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo"; - - clientID = "hedgedoc"; - - scope = "openid email profile"; - userProfileUsernameAttr = "name"; - userProfileEmailAttr = "email"; - userProfileDisplayNameAttr = "displayname"; - - providerName = "KaniDM"; - }; - }; - }; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - - ensureUsers = [{ - name = "hedgedoc"; - ensureDBOwnership = true; - }]; - }; - - systemd.services.hedgedoc = rec { - requires = [ - "postgresql.service" - "kanidm.service" - ]; - after = requires; + content = let + inherit (config.sops) placeholder; + in '' + CMD_SESSION_SECRET=${placeholder."hedgedoc/env/cmd_session_secret"} + CMD_OAUTH2_CLIENT_SECRET=${placeholder."hedgedoc/env/cmd_oauth2_client_secret"} + ''; }; }; + + users.groups.hedgedoc.members = [ "nginx" ]; + + services.hedgedoc = { + enable = true; + environmentFile = config.sops.templates."hedgedoc.env".path; + settings = { + domain = "docs.nani.wtf"; + email = false; + allowAnonymous = false; + allowAnonymousEdits = true; + protocolUseSSL = true; + + path = "/run/hedgedoc/hedgedoc.sock"; + + db = { + username = "hedgedoc"; + # TODO: set a password + database = "hedgedoc"; + host = "/var/run/postgresql"; + dialect = "postgres"; + }; + + oauth2 = let + authServerUrl = config.services.kanidm.serverSettings.origin; + in rec { + baseURL = "${authServerUrl}/oauth2"; + tokenURL = "${authServerUrl}/oauth2/token"; + authorizationURL = "${authServerUrl}/ui/oauth2"; + userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo"; + + clientID = "hedgedoc"; + + scope = "openid email profile"; + userProfileUsernameAttr = "name"; + userProfileEmailAttr = "email"; + userProfileDisplayNameAttr = "displayname"; + + providerName = "KaniDM"; + }; + }; + }; + + services.postgresql = { + ensureDatabases = [ "hedgedoc" ]; + + ensureUsers = [{ + name = "hedgedoc"; + ensureDBOwnership = true; + }]; + }; + + systemd.services.hedgedoc = rec { + requires = [ + "postgresql.service" + "kanidm.service" + ]; + after = requires; + }; } diff --git a/secrets/tsuki.yaml b/secrets/tsuki.yaml index 71474ec..a5f0128 100644 --- a/secrets/tsuki.yaml +++ b/secrets/tsuki.yaml @@ -11,7 +11,9 @@ grafana: headscale: oauth2_secret: ENC[AES256_GCM,data:OUOh2ICq4eMeo5WleqIui3rG8VJVW+XVyAkqF1hh6kdijr5G+1CkpQQbsbafwhq3,iv:99xDRg5b2gc7uGNput4R6QZung9voQWnanCDkvmdjyA=,tag:xEaQFbliEZeg508LubNWYA==,type:str] hedgedoc: - env: ENC[AES256_GCM,data:Sq69/2EIPexulpYTIe3VqsnGd5WfMf3/d52uai8QvNMIS+dXxie6OtFEZzh51I94F1vnA1rshTR0rv2zxerVUR2ZSaw+igWII6VJUu/Aw8tOilMhJv8K17xfxTCLjZFedMYmJOw88PfOFUuYH/CVA9Yj4xh/q8PE0Js8Mz1Ft48wNjze5SAlCiDbagRvJKQqBu9prUjEsQ4Db9vkDuTdej9w,iv:9Tkdp4ZXcTrJ4HdOE/OyCnNHOE6JXAkJOTRt2mXa9/o=,tag:h/FTyRC/ouURh8IyCjw6Mw==,type:str] + env: + cmd_session_secret: ENC[AES256_GCM,data:07Qg7KtmbFDq/rGfY3t/Q1epp+qef8PecWqn7FhZS2wc3TKsxwx2f38zKbe/V/8dRCG7eXAoJo63JfmnEscz9Q==,iv:YgpcyCmg6+Bmd0S78OKpBZ7qqR12YLYhn5Pa6dvscPk=,tag:ar6s7AlH/NMzskt8CGE18w==,type:str] + cmd_oauth2_client_secret: ENC[AES256_GCM,data:rSLCdLSe0svTaufu8VuaWwS8H26uypONs7g7RKJbqUITAKPtAwOOyxpwuV+9rvPT,iv:yQCBVcCLnotVUf4txxX8q6RHaMwhuCtfA3TjNdiyhxs=,tag:MwkdyQnijo6u6EHIt4dYWA==,type:str] cloudflare: api-key: ENC[AES256_GCM,data:Y1sHbPTUSiFzRyAiwk0ycFdM4s9ET5g/RPjVsb3sHXMlc3AJHDBYhTljyytZ1lCoFz7OdcZcUOHWzgvHtce6yXiGUpmo34XBKZqloFlNA5u6XC2UG31qfuUEWpRZb0kL,iv:iwN243uzSCjl5Za1msKbaC4pPAOE8frZ2WEvgZ5xknA=,tag:q32vyQI7SOFoN6s1RjQV5A==,type:str] drives: @@ -56,8 +58,8 @@ sops: MThmQ1Iza0F6Q0Y4N1JpT2V5a0FrTGMKIzpNe4dyCLuyKjjXjadZepRYvULr3j3i 7SSwFgVvESj0aVwcGMW1swkhdb2evZgcghhrJpiK8kKIPrWEuFiCcw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-28T23:23:32Z" - mac: ENC[AES256_GCM,data:lA4bB1kaZKeau71Fa7ZhUusoZ+jhF405N6cJap/EEQ3EYIDEwK9hYYGZas+AsrvQ/0HW9lDXI/LliVMUxpEWuOoizaK1gW+ZxVz7jsgoSINILU3I6ZJewcPXh5fbwRS6g5+HEVJ53ozXxcnyVx+jpE7Rysfe9wK+kAk90NL0i5c=,iv:/Ltl/Gcm3QDhsK6MnZqKo/UWjwFVPYENc5xKW38jLxk=,tag:Hly2g9tVihTfwqjJb2e+Dw==,type:str] + lastmodified: "2024-11-28T23:33:37Z" + mac: ENC[AES256_GCM,data:iw6m2XmdVgEvGeYQC9ORcaxu4p6kiYWJNWmkYPPOPLSn4xECgd8tmPlxUWHwiIEjDzD+Vi7atafW8eAtQg9T8s4mvV1Ovw7oBKzzGk3DqFKB9//myedBtIvntCYGDpBSXcVqK1iHKsG605fnY1CrzyRG5gi3xoub3AabcM8l8sQ=,iv:JdIKfELLUUG/2AzQx/uc+YaHhGNAb0sSiih3rDBkUjg=,tag:fqCMmnjIDACAzG+eiCCKrQ==,type:str] pgp: - created_at: "2024-06-25T17:16:27Z" enc: |-