From 1301e848ed9f60ab82254e33a86bf76a29610807 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Fri, 29 Nov 2024 00:41:30 +0100
Subject: [PATCH] tsuki/hedgedoc: use sops templates for env, dedent

---
 hosts/tsuki/services/hedgedoc.nix | 135 ++++++++++++++++--------------
 secrets/tsuki.yaml | 8 +-
 2 files changed, 77 insertions(+), 66 deletions(-)

diff --git a/hosts/tsuki/services/hedgedoc.nix b/hosts/tsuki/services/hedgedoc.nix
index 6f4a8ab..1f2a5ef 100644
--- a/hosts/tsuki/services/hedgedoc.nix
+++ b/hosts/tsuki/services/hedgedoc.nix
@@ -1,71 +1,80 @@ -{ pkgs, lib, config, options, ... }: let +{ pkgs, lib, config, ... }: let cfg = config.services.hedgedoc; in { - config = { - # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET - sops.secrets."hedgedoc/env" = { + sops = { + secrets = { + "hedgedoc/env/cmd_session_secret" = { }; + "hedgedoc/env/cmd_oauth2_client_secret" = { }; + }; + templates."hedgedoc.env" = { restartUnits = [ "hedgedoc.service" ]; owner = "hedgedoc"; group = "hedgedoc"; - }; - - users.groups.hedgedoc.members = [ "nginx" ]; - - services.hedgedoc = { - enable = true; - environmentFile = config.sops.secrets."hedgedoc/env".path; - settings = { - domain = "docs.nani.wtf"; - email = false; - allowAnonymous = false; - allowAnonymousEdits = true; - protocolUseSSL = true; - - path = "/run/hedgedoc/hedgedoc.sock"; - - db = { - username = "hedgedoc"; - # TODO: set a password - database = "hedgedoc"; - host = "/var/run/postgresql"; - dialect = "postgres"; - }; - - oauth2 = let - authServerUrl = config.services.kanidm.serverSettings.origin; - in rec { - baseURL = "${authServerUrl}/oauth2"; - tokenURL = "${authServerUrl}/oauth2/token"; - authorizationURL = "${authServerUrl}/ui/oauth2"; - userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo"; - - clientID = "hedgedoc"; - - scope = "openid email profile"; - userProfileUsernameAttr = "name"; - userProfileEmailAttr = "email"; - userProfileDisplayNameAttr = "displayname"; - - providerName = "KaniDM"; - }; - }; - }; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - - ensureUsers = [{ - name = "hedgedoc"; - ensureDBOwnership = true; - }]; - }; - - systemd.services.hedgedoc = rec { - requires = [ - "postgresql.service" - "kanidm.service" - ]; - after = requires; + content = let + inherit (config.sops) placeholder; + in '' + CMD_SESSION_SECRET=${placeholder."hedgedoc/env/cmd_session_secret"} + CMD_OAUTH2_CLIENT_SECRET=${placeholder."hedgedoc/env/cmd_oauth2_client_secret"} + ''; }; }; + + 
users.groups.hedgedoc.members = [ "nginx" ]; + + services.hedgedoc = { + enable = true; + environmentFile = config.sops.templates."hedgedoc.env".path; + settings = { + domain = "docs.nani.wtf"; + email = false; + allowAnonymous = false; + allowAnonymousEdits = true; + protocolUseSSL = true; + + path = "/run/hedgedoc/hedgedoc.sock"; + + db = { + username = "hedgedoc"; + # TODO: set a password + database = "hedgedoc"; + host = "/var/run/postgresql"; + dialect = "postgres"; + }; + + oauth2 = let + authServerUrl = config.services.kanidm.serverSettings.origin; + in rec { + baseURL = "${authServerUrl}/oauth2"; + tokenURL = "${authServerUrl}/oauth2/token"; + authorizationURL = "${authServerUrl}/ui/oauth2"; + userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo"; + + clientID = "hedgedoc"; + + scope = "openid email profile"; + userProfileUsernameAttr = "name"; + userProfileEmailAttr = "email"; + userProfileDisplayNameAttr = "displayname"; + + providerName = "KaniDM"; + }; + }; + }; + + services.postgresql = { + ensureDatabases = [ "hedgedoc" ]; + + ensureUsers = [{ + name = "hedgedoc"; + ensureDBOwnership = true; + }]; + }; + + systemd.services.hedgedoc = rec { + requires = [ + "postgresql.service" + "kanidm.service" + ]; + after = requires; + }; } diff --git a/secrets/tsuki.yaml b/secrets/tsuki.yaml index 71474ec..a5f0128 100644 --- a/secrets/tsuki.yaml +++ b/secrets/tsuki.yaml 
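Review bot: The new `sops.templates."hedgedoc.env"` at the top of the hunk writes both secrets unquoted into the env file, so a value containing whitespace, `#`, quotes or a backslash would be truncated or mis-parsed by whatever reads `environmentFile` (systemd EnvironmentFile semantics, if that is what the hedgedoc module passes it to — worth confirming). Now that the session secret and OAuth2 client secret live as separate sops values instead of a hand-written env file, it is easy to rotate one into such a value without noticing. Either restrict both values to a URL-safe alphabet and document it in the template, e.g. `# values must contain no whitespace, quotes, '#' or '\' — this env file is not shell-escaped`, or quote the assignments: `CMD_SESSION_SECRET="${placeholder."hedgedoc/env/cmd_session_secret"}"` and `CMD_OAUTH2_CLIENT_SECRET="${placeholder."hedgedoc/env/cmd_oauth2_client_secret"}"` (quoting still does not cover an embedded `"` or `\`). Separately, `users.groups.hedgedoc.members = [ "nginx" ]` is kept while the rendered template is owned by `hedgedoc:hedgedoc`, which only stays safe as long as the template's `mode` remains at sops-nix's default (0400, I believe), so consider pinning `mode = "0400";` on the template so a later loosening for the socket does not also expose the secrets to nginx.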
@@ -11,7 +11,9 @@ grafana: headscale: oauth2_secret: ENC[AES256_GCM,data:OUOh2ICq4eMeo5WleqIui3rG8VJVW+XVyAkqF1hh6kdijr5G+1CkpQQbsbafwhq3,iv:99xDRg5b2gc7uGNput4R6QZung9voQWnanCDkvmdjyA=,tag:xEaQFbliEZeg508LubNWYA==,type:str] hedgedoc: - env: ENC[AES256_GCM,data:Sq69/2EIPexulpYTIe3VqsnGd5WfMf3/d52uai8QvNMIS+dXxie6OtFEZzh51I94F1vnA1rshTR0rv2zxerVUR2ZSaw+igWII6VJUu/Aw8tOilMhJv8K17xfxTCLjZFedMYmJOw88PfOFUuYH/CVA9Yj4xh/q8PE0Js8Mz1Ft48wNjze5SAlCiDbagRvJKQqBu9prUjEsQ4Db9vkDuTdej9w,iv:9Tkdp4ZXcTrJ4HdOE/OyCnNHOE6JXAkJOTRt2mXa9/o=,tag:h/FTyRC/ouURh8IyCjw6Mw==,type:str] + env: + cmd_session_secret: ENC[AES256_GCM,data:07Qg7KtmbFDq/rGfY3t/Q1epp+qef8PecWqn7FhZS2wc3TKsxwx2f38zKbe/V/8dRCG7eXAoJo63JfmnEscz9Q==,iv:YgpcyCmg6+Bmd0S78OKpBZ7qqR12YLYhn5Pa6dvscPk=,tag:ar6s7AlH/NMzskt8CGE18w==,type:str] + cmd_oauth2_client_secret: ENC[AES256_GCM,data:rSLCdLSe0svTaufu8VuaWwS8H26uypONs7g7RKJbqUITAKPtAwOOyxpwuV+9rvPT,iv:yQCBVcCLnotVUf4txxX8q6RHaMwhuCtfA3TjNdiyhxs=,tag:MwkdyQnijo6u6EHIt4dYWA==,type:str] cloudflare: api-key: ENC[AES256_GCM,data:Y1sHbPTUSiFzRyAiwk0ycFdM4s9ET5g/RPjVsb3sHXMlc3AJHDBYhTljyytZ1lCoFz7OdcZcUOHWzgvHtce6yXiGUpmo34XBKZqloFlNA5u6XC2UG31qfuUEWpRZb0kL,iv:iwN243uzSCjl5Za1msKbaC4pPAOE8frZ2WEvgZ5xknA=,tag:q32vyQI7SOFoN6s1RjQV5A==,type:str] drives: 
@@ -56,8 +58,8 @@ sops: MThmQ1Iza0F6Q0Y4N1JpT2V5a0FrTGMKIzpNe4dyCLuyKjjXjadZepRYvULr3j3i 7SSwFgVvESj0aVwcGMW1swkhdb2evZgcghhrJpiK8kKIPrWEuFiCcw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-28T23:23:32Z" - mac: ENC[AES256_GCM,data:lA4bB1kaZKeau71Fa7ZhUusoZ+jhF405N6cJap/EEQ3EYIDEwK9hYYGZas+AsrvQ/0HW9lDXI/LliVMUxpEWuOoizaK1gW+ZxVz7jsgoSINILU3I6ZJewcPXh5fbwRS6g5+HEVJ53ozXxcnyVx+jpE7Rysfe9wK+kAk90NL0i5c=,iv:/Ltl/Gcm3QDhsK6MnZqKo/UWjwFVPYENc5xKW38jLxk=,tag:Hly2g9tVihTfwqjJb2e+Dw==,type:str] + lastmodified: "2024-11-28T23:33:37Z" + mac: ENC[AES256_GCM,data:iw6m2XmdVgEvGeYQC9ORcaxu4p6kiYWJNWmkYPPOPLSn4xECgd8tmPlxUWHwiIEjDzD+Vi7atafW8eAtQg9T8s4mvV1Ovw7oBKzzGk3DqFKB9//myedBtIvntCYGDpBSXcVqK1iHKsG605fnY1CrzyRG5gi3xoub3AabcM8l8sQ=,iv:JdIKfELLUUG/2AzQx/uc+YaHhGNAb0sSiih3rDBkUjg=,tag:fqCMmnjIDACAzG+eiCCKrQ==,type:str] pgp: - created_at: "2024-06-25T17:16:27Z" enc: |-