felixalb/nixos-config
felixalb
/
nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

hedgedoc: move from voyaer to sarek

This commit is contained in:
Felix Albrigtsen 2023-10-06 00:19:04 +02:00
parent 31ef7c58a5
commit 518d217500
6 changed files with 56 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.sops.yaml
View File

@ -2,6 +2,7 @@ keys:
- &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
creation_rules: creation_rules:
# Global secrets # Global secrets
@ -18,3 +19,10 @@ creation_rules:
- *host_voyager - *host_voyager
- *user_felixalb_old - *user_felixalb_old
- *user_felixalb - *user_felixalb
- path_regex: secrets/sarek/[^/]+\.yaml$
key_groups:
- age:
- *host_sarek
- *user_felixalb_old
- *user_felixalb

1
hosts/sarek/configuration.nix
View File

@ -9,6 +9,7 @@
./services/nginx.nix ./services/nginx.nix
./services/postgresql.nix ./services/postgresql.nix
./services/hedgedoc.nix
./services/flame.nix ./services/flame.nix
]; ];

5
hosts/voyager/services/hedgedoc.nix → hosts/sarek/services/hedgedoc.nix
View File

@ -4,7 +4,7 @@ let
domain = "md.feal.no"; domain = "md.feal.no";
port = 3300; port = 3300;
host = "0.0.0.0"; host = "0.0.0.0";
authServerUrl = config.services.kanidm.serverSettings.origin; authServerUrl = "https://auth.feal.no";
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@ -48,7 +48,7 @@ in {
systemd.services.hedgedoc = { systemd.services.hedgedoc = {
requires = [ requires = [
"postgresql.service" "postgresql.service"
"kanidm.service" # "kanidm.service"
]; ];
serviceConfig = let serviceConfig = let
workDir = "/var/lib/hedgedoc"; workDir = "/var/lib/hedgedoc";
@ -93,5 +93,4 @@ in {
}; };
}]; }];
}; };
} }

5
hosts/sarek/services/postgresql.nix
View File

@ -3,6 +3,11 @@
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; # Expose on the network enableTCPIP = true; # Expose on the network
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {

1
hosts/voyager/configuration.nix
View File

@ -21,7 +21,6 @@
./services/transmission.nix ./services/transmission.nix
./services/metrics ./services/metrics
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/calibre.nix ./services/calibre.nix
./services/stash.nix ./services/stash.nix

40
secrets/sarek/sarek.yaml Normal file
View File

@ -0,0 +1,40 @@
hedgedoc:
env: ENC[AES256_GCM,data:IE1Lp1Lx0ctKIyV9z0rJWIouaHvstEyhcFO6KLNliN2FHKYNlfggrXEwxT+UwNUvEyuN6p+nCOLc48pAxODLHdl+DuTtwmqb14lbiwS6s/CPxlkJvcUnkauFOhuk45qXOhu4rz9sdtA7vSjMXEGmi55bJNAB+AD+oIVgtDEYa/cNkAaGJltxClx3KjCyfmOnN69ZuL81ewOnk5dq8ms=,iv:HBdiT0I9vKgs0es3jluYP0j8lr0YS4seLQmZvj7Bs40=,tag:pqEjkBWeSMtA4QDXpYDKSg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc3lUVW1PNTNoRm4xbzBI
OTlBK1MzaHE1cU1UTEN2TkNlU3dVVXZSUXpBCjhISjdBSnZVSnhyckFoVXdJK3N1
cE9GanNRcExpckRJbEtPWkFvVFgwZ3MKLS0tIHhhb1A2dU5BbFpmK0d5Yi9yMDZY
c1lwVWNibW1PVTFEYlVkYzNKL2pmR3MK0WEvII7d3VUr53uFf/leic1JsALinG4G
PSXfzvhywVf+C1/YgE5HJH9pPhIDigLFins09UWt1RDVuwfdmXPJwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYkdUMmpDTmtzZHExT3RM
d3UxZy9DTzRjcHVrNHB6OTBNOHFkV25GV1JjCk1BU1poZ090U3ZJV0xuMEdIcDE0
MHYrbk9VYWlsdWg0bmpVY1pVUmJFTm8KLS0tIExoUG9aMy8rWlBvUXNZcGhUd0FC
dEpEWEJZdTMrOTZxVU1JcFN6Nlo5QzQKdo4cKvw7fBmGqsi2ALOEbdRVngzPGhte
5AC1PAX85a8r6DA/8etSKjXVh/wEdEs85+qKDgKKJSNqNG+nlzF+wQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYU05cHJOUkZib3B3UHc3
dDdDTUlFK1pudHFubTNLMTQ3WDZKeERCRld3ClhCOVpEcjhDQWt6NGxDMXNVSlk0
QVhSdnFRc2hqZmZQUEFVR25BNWdYMDQKLS0tICt0bXp6SXpqbFlTdkxWMGlGK0Nw
enQ5UjA2ZVBGcUFCenhYckVjanVOeE0KT0NPv0yGmreBQzozp9z5tOtY9Awo5ajs
y00uxfBVUgQkhNYCUQ5j9vzMv2U5vDncHox07rEl7YqdlzjJzbuupA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-05T21:56:24Z"
mac: ENC[AES256_GCM,data:7n8WFY6fWEwEeF91CNzDbqJm/hx+Nm+A+uKmHN5r9zbwgkKNPuf+aX3bACkGDyI/B2XN6TxEGl3Gc2MnF3ZTazbRkaZE06gS3bPmosHIZkw1CCkJdgD5KM5y8Nffj4Dzdmu86Z1W74FkV29aAFF1BtYSRalBCJ+2kxWabSPTT2Y=,iv:mfpwBmI11ysnIK+xPt8J3n7FEWedRS1WW5HxTmGxCas=,tag:X8gUuKw+tRTm82NvhC5grw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3