Add sops-secrets, configure oauth
This commit is contained in:
parent
34b77b3ed0
commit
57cd31d4a9
@ -1,6 +1,6 @@
|
|||
keys:
|
||||
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
||||
- &host_voyager
|
||||
- &host_voyager age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
|
||||
|
||||
creation_rules:
|
||||
# Global secrets
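Review bot: The `host_voyager` key added on the `- &host_voyager age1mlz5…` line is the recipient the encrypted hedgedoc secrets file in this commit is wrapped to, so its provenance should be confirmed out-of-band before anything relies on it — a recipient pasted from the wrong host means the secret is decryptable by whoever holds that key and not by voyager (for a key derived from the host's SSH key, `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub` run on voyager should print exactly this string). A trailing comment recording where it came from makes later audits cheaper, e.g. `- &host_voyager age1mlz5… # ssh-to-age of voyager's ssh_host_ed25519_key` (adjust if the key was generated another way). `creation_rules` continues outside the hunk, so it is not visible whether a rule already covers the new hedgedoc secrets file.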
|
||||
@ -0,0 +1,22 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
settings = {
|
||||
port = 3031;
|
||||
allowFreeURL = true;
|
||||
};
|
||||
config = {
|
||||
domain = "md.feal.no";
|
||||
db = {
|
||||
dialect = "mysql";
|
||||
host = "mysql.home.feal.no";
|
||||
port = 3306;
|
||||
database = "hedgedoc";
|
||||
username = "hedgedoc";
|
||||
password = "DummyPasswordPlzSops";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
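Review bot: `password = "DummyPasswordPlzSops";` under `db` is rendered into the generated HedgeDoc config in `/nix/store`, which is world-readable, so a real password must never be substituted into this line; as committed, the placeholder will also simply fail to authenticate against `mysql.home.feal.no`. Drop the `password` line and feed it through the module's `environmentFile`, e.g. `environmentFile = config.sops.secrets."hedgedoc/env".path;` with `CMD_DB_PASSWORD=…` in the sops-managed env file — HedgeDoc reads `CMD_DB_*` from the environment and, to my reading, those override the file values (worth confirming for the deployed version). The file also mixes `settings = { … }` and `config = { … }` under `services.hedgedoc`; if the NixOS module on this host only knows `settings`, the `config` attribute is either rejected at evaluation or not applied, so `domain` and `db` should sit under `settings` as well. Note that this file declares no `sops.secrets."hedgedoc/env"` of its own; that declaration lives in the other hedgedoc module in this commit.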
@ -5,6 +5,11 @@ let
|
|||
port = 3000;
|
||||
host = "0.0.0.0";
|
||||
in {
|
||||
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
||||
sops.secrets."hedgedoc/env" = {
|
||||
restartUnits = [ "hedgedoc.service" ];
|
||||
};
|
||||
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
|
||||
|
@ -15,6 +20,8 @@ in {
|
|||
dialect = "sqlite";
|
||||
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
|
||||
};
|
||||
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
||||
|
||||
email = false;
|
||||
oauth2 = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
|
@ -31,13 +38,10 @@ in {
|
|||
userProfileDisplayNameAttr = "displayname";
|
||||
|
||||
providerName = "KaniDM";
|
||||
# rolesClaim = "roles";
|
||||
# accessRole = "hedgedoc_users";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
#networking.firewall.allowedTCPPorts = [ port ];
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${host}:${toString port}/";
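Review bot: `environmentFile = config.sops.secrets."hedgedoc/env".path;` is placed between the `db = { … };` block and the `email`/`oauth2` settings; the rendered hunk loses indentation, but if those are siblings inside `settings`, this line is a HedgeDoc setting rather than the `services.hedgedoc.environmentFile` option, and the module would write it into config.json where HedgeDoc ignores it — the sops file would never be loaded and `CMD_SESSION_SECRET`/`CMD_OAUTH2_CLIENT_SECRET` would stay unset, failing quietly with a built-in session secret and a missing client secret. Please verify it sits directly under `services.hedgedoc` next to `enable = true;`, i.e. `services.hedgedoc.environmentFile = config.sops.secrets."hedgedoc/env".path;`. Pre-existing rather than introduced here, `host = "0.0.0.0"` binds port 3000 on every interface although only the local nginx vhost proxies to it; `host = "127.0.0.1";` would remove the reliance on the firewall rule that is commented out below. The `oauth2` block and the nginx vhost both extend beyond this hunk.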
|
||||
@ -0,0 +1,41 @@
|
|||
#ENC[AES256_GCM,data:TQjXsTPIvU+jAxEJ/ywG2BTlL1fdlCudOeyanuyD9kf3/X21/H4YwxBqEEcWhSMGWVkwNqpR,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ndJjInL70Ciuj8Ol/zp4Og==,type:comment]
|
||||
#ENC[AES256_GCM,data:nuQ8TCJYMOeNNlCUpiz+VWSwg0fmca3lLYfq,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:cvdqPKwKoHwuxnr+dGkw+A==,type:comment]
|
||||
#ENC[AES256_GCM,data:XdQrzS2erpgvelGmu6u5cIqa,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:89Wb67UwOcwFTqnSP7RLFA==,type:comment]
|
||||
#ENC[AES256_GCM,data:Dz4xG1oTXplvn0Yi/GTN,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:5DKkprVm5HMy3rIwdGjPHw==,type:comment]
|
||||
#ENC[AES256_GCM,data:zry1+ReU/SOnuYNap3KXvEvbFYPs,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:GrEXH4qz4yu8d33ap1w9XQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:KlKoLppWBl78IaV0ctqll9GicLE8,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:B1Uc2vFtqfKaKKUppO9qew==,type:comment]
|
||||
#ENC[AES256_GCM,data:heAA5L0BHcNFZbdZ0e9U397S3ONEdAnkXSR2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:4rAX0WusIcb54yvJP7yvfQ==,type:comment]
|
||||
#ENC[AES256_GCM,data:WvfGA0hjDzJlwMb8gopNkZ+U,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:WPUKuAr5/RImfkp4jmAHOw==,type:comment]
|
||||
#ENC[AES256_GCM,data:NiioWxDPtaRsfxc=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:HI7NJBn6nsSiqDc5qCsa/A==,type:comment]
|
||||
#ENC[AES256_GCM,data:SFYebFcTT76PxKSj,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:WihZZmDBCysoAR9VAmC9yw==,type:comment]
|
||||
hedgedoc:
|
||||
env: ENC[AES256_GCM,data:6iRhiNZu2u8zyyAFx3B+Oo5K0skAoPm3KNtR+wlEcKlYddMSBqJ+tQakgfkx2R0YUgru7wVOmSGK4XIg0ikBOCsDiBxJdYjyHnjyjtVtjga6S7glMQR7Hf6aTsstlYP3pmP8+veD+GJ7D8wJ7x46StXd785PuvJNVirz/zKzP5bkEkzPj7Ta/Vx+WYw2qsNGFDhTvyr7E0HK7Hx+VOc=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:zmn3wZO/TglGDDWupu84aw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSmI5amlwYWl1VS9VSWxO
|
||||
YWo0NEhpNVRCZHBaWHNjVG9qbDBaUGp0K2xjClljVEpHQk5QZWxqUUFKekJ0OFhS
|
||||
ZXo0aVNCVFUxcnhaU0lqYWQ2ekV6TnMKLS0tIEIxMVdNRHluem5ubmtWcHJGclJO
|
||||
cTZ6VjJodmxyek5mcUtMVGFjblhaRTgKsmX3lTj8dC72CsfuPJ4PwtjE2/7JAKsW
|
||||
4eqlEIRMura8HVZWgvxMjhaJsdx8QXWw0owWhbarye+g2lgTftzhuw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY1NDL1NlK3l4eGYreGV6
|
||||
dXJtQXo4RjBpdkVBM2JwS0R5Z3pRaHpUUldVCmZyTmJCVXltS3VwTmxXWEhEQ3Fi
|
||||
a3NjY3RQMzN3Szd3S3QxNU9zMktUTFEKLS0tIHI4WmRXY3U1Q0hEa254YmtxZlJy
|
||||
aXFsYkNzOHlYajVnTzgvNkVhdkdacGcKWXve8cFI3xmXugoqiLbaORBlRJ0dSpSc
|
||||
e3NRr1qhK/79BZHREJ6Fu61UgHCX5LljAOkLEdyXGS0SZ4Ha01SGLg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-04-26T09:54:55Z"
|
||||
mac: ENC[AES256_GCM,data:NsWvXiqV8tzo0Yvhk0gvupa8HchRpJoYeR9A3JqfrvNVmGD9HxnQJCsgM2Qb7SbFq1KvKP3zt2Q7LntnUf+uB06CiCF+6g5SYDlHKeOw351tdGLGxBt1gdKID5xwRH1PG5jkxThO6ZA70LU5M0BHMK43bYTYWqnNuxlsPVShBhk=,iv:Nhcn7zrwkBvdJeGq03hqDTPBvXrdPCEoyOhEYOsJkVs=,tag:YHyh7X8PJIz4ymK03VamyQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|