From 57cd31d4a9e748074f3e810d378217246c186b0b Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Wed, 26 Apr 2023 12:07:36 +0200
Subject: [PATCH] Add sops-secrets, configure oauth
---
 .sops.yaml | 2 +-
 hosts/chapel/services/hedgedoc.nix | 22 ++++++++++++++++
 hosts/voyager/services/hedgedoc.nix | 10 ++++---
 secrets/voyager/voyager.yaml | 41 +++++++++++++++++++++++++++++
 4 files changed, 71 insertions(+), 4 deletions(-)
 create mode 100644 hosts/chapel/services/hedgedoc.nix
 create mode 100644 secrets/voyager/voyager.yaml
diff --git a/.sops.yaml b/.sops.yaml
index c7ccbf8..323c3e0 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,6 @@
 keys:
 - &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- - &host_voyager
+ - &host_voyager age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
 creation_rules:
 # Global secrets
diff --git a/hosts/chapel/services/hedgedoc.nix b/hosts/chapel/services/hedgedoc.nix
new file mode 100644
index 0000000..7329494
--- /dev/null
+++ b/hosts/chapel/services/hedgedoc.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+ services.hedgedoc = {
+ enable = true;
+ settings = {
+ port = 3031;
+ allowFreeURL = true;
+ };
+ config = {
+ domain = "md.feal.no";
+ db = {
+ dialect = "mysql";
+ host = "mysql.home.feal.no";
+ port = 3306;
+ database = "hedgedoc";
+ username = "hedgedoc";
+ password = "DummyPasswordPlzSops";
+ };
+ };
+ };
+}
diff --git a/hosts/voyager/services/hedgedoc.nix b/hosts/voyager/services/hedgedoc.nix
index 3828ede..1dd5a2b 100644
--- a/hosts/voyager/services/hedgedoc.nix
+++ b/hosts/voyager/services/hedgedoc.nix
@@ -5,6 +5,11 @@ let
 port = 3000;
 host = "0.0.0.0";
 in {
+ # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+ sops.secrets."hedgedoc/env" = {
+ restartUnits = [ "hedgedoc.service" ];
+ };
+
 services.hedgedoc = {
 enable = true;
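Review bot: `password = "DummyPasswordPlzSops";` in the new hosts/chapel/services/hedgedoc.nix places a database credential directly in the Nix expression, so whatever value is committed there lands in git history and in the world-readable Nix store and generated config — the opposite of what the sops change on voyager in this same commit does. Chapel has no `sops.secrets` entry or `environmentFile` yet; mirroring voyager would be `sops.secrets."hedgedoc/env".restartUnits = [ "hedgedoc.service" ];` and `services.hedgedoc.environmentFile = config.sops.secrets."hedgedoc/env".path;`, with the MySQL connection supplied in the encrypted env file as `CMD_DB_URL` and the inline `db.password` line removed. Separately, the file fills both `settings` and `config` under `services.hedgedoc`; if the module in use only knows `settings` (the NixOS module's option name, previously `configuration`), the `config` block holding the domain and db settings may be rejected or silently ignored, which is worth confirming before the host is deployed.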
@@ -15,6 +20,8 @@ in {
 dialect = "sqlite";
 storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
 };
+ environmentFile = config.sops.secrets."hedgedoc/env".path;
+ email = false;
 oauth2 = let authServerUrl = config.services.kanidm.serverSettings.origin;
@@ -31,13 +38,10 @@ in {
 userProfileDisplayNameAttr = "displayname";
 providerName = "KaniDM";
- # rolesClaim = "roles";
- # accessRole = "hedgedoc_users";
 };
 };
 };
- #networking.firewall.allowedTCPPorts = [ port ];
 services.nginx.virtualHosts.${domain} = {
 locations."/" = {
 proxyPass = "http://${host}:${toString port}/";
diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml
new file mode 100644
index 0000000..2be699a
--- /dev/null
+++ b/secrets/voyager/voyager.yaml
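Review bot: `environmentFile = config.sops.secrets."hedgedoc/env".path;` is added beside `db` and `oauth2`, which are keys of HedgeDoc's own configuration, whereas the NixOS hedgedoc module exposes the option as `services.hedgedoc.environmentFile`, a sibling of `enable`. The set enclosing `db` opens outside the hunk, so this is inferred, but if it is `settings` (or `configuration`) the path is merely written into config.json as an unknown key and the service never receives CMD_SESSION_SECRET or CMD_OAUTH2_CLIENT_SECRET, leaving the OAuth2 client secret unset despite the sops entry added in the first hunk. Moving the line up next to `enable = true;` in the first hunk, `environmentFile = config.sops.secrets."hedgedoc/env".path;`, would fix that; `email = false;` is a genuine HedgeDoc config key and belongs where it is.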
@@ -0,0 +1,41 @@ +#ENC[AES256_GCM,data:TQjXsTPIvU+jAxEJ/ywG2BTlL1fdlCudOeyanuyD9kf3/X21/H4YwxBqEEcWhSMGWVkwNqpR,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ndJjInL70Ciuj8Ol/zp4Og==,type:comment] +#ENC[AES256_GCM,data:nuQ8TCJYMOeNNlCUpiz+VWSwg0fmca3lLYfq,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:cvdqPKwKoHwuxnr+dGkw+A==,type:comment] +#ENC[AES256_GCM,data:XdQrzS2erpgvelGmu6u5cIqa,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:89Wb67UwOcwFTqnSP7RLFA==,type:comment] +#ENC[AES256_GCM,data:Dz4xG1oTXplvn0Yi/GTN,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:5DKkprVm5HMy3rIwdGjPHw==,type:comment] +#ENC[AES256_GCM,data:zry1+ReU/SOnuYNap3KXvEvbFYPs,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:GrEXH4qz4yu8d33ap1w9XQ==,type:comment] +#ENC[AES256_GCM,data:KlKoLppWBl78IaV0ctqll9GicLE8,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:B1Uc2vFtqfKaKKUppO9qew==,type:comment] +#ENC[AES256_GCM,data:heAA5L0BHcNFZbdZ0e9U397S3ONEdAnkXSR2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:4rAX0WusIcb54yvJP7yvfQ==,type:comment] +#ENC[AES256_GCM,data:WvfGA0hjDzJlwMb8gopNkZ+U,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:WPUKuAr5/RImfkp4jmAHOw==,type:comment] +#ENC[AES256_GCM,data:NiioWxDPtaRsfxc=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:HI7NJBn6nsSiqDc5qCsa/A==,type:comment] +#ENC[AES256_GCM,data:SFYebFcTT76PxKSj,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:WihZZmDBCysoAR9VAmC9yw==,type:comment] +hedgedoc: + env: ENC[AES256_GCM,data:6iRhiNZu2u8zyyAFx3B+Oo5K0skAoPm3KNtR+wlEcKlYddMSBqJ+tQakgfkx2R0YUgru7wVOmSGK4XIg0ikBOCsDiBxJdYjyHnjyjtVtjga6S7glMQR7Hf6aTsstlYP3pmP8+veD+GJ7D8wJ7x46StXd785PuvJNVirz/zKzP5bkEkzPj7Ta/Vx+WYw2qsNGFDhTvyr7E0HK7Hx+VOc=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:zmn3wZO/TglGDDWupu84aw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSmI5amlwYWl1VS9VSWxO + YWo0NEhpNVRCZHBaWHNjVG9qbDBaUGp0K2xjClljVEpHQk5QZWxqUUFKekJ0OFhS + ZXo0aVNCVFUxcnhaU0lqYWQ2ekV6TnMKLS0tIEIxMVdNRHluem5ubmtWcHJGclJO + cTZ6VjJodmxyek5mcUtMVGFjblhaRTgKsmX3lTj8dC72CsfuPJ4PwtjE2/7JAKsW + 4eqlEIRMura8HVZWgvxMjhaJsdx8QXWw0owWhbarye+g2lgTftzhuw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY1NDL1NlK3l4eGYreGV6 + dXJtQXo4RjBpdkVBM2JwS0R5Z3pRaHpUUldVCmZyTmJCVXltS3VwTmxXWEhEQ3Fi + a3NjY3RQMzN3Szd3S3QxNU9zMktUTFEKLS0tIHI4WmRXY3U1Q0hEa254YmtxZlJy + aXFsYkNzOHlYajVnTzgvNkVhdkdacGcKWXve8cFI3xmXugoqiLbaORBlRJ0dSpSc + e3NRr1qhK/79BZHREJ6Fu61UgHCX5LljAOkLEdyXGS0SZ4Ha01SGLg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-04-26T09:54:55Z" + mac: ENC[AES256_GCM,data:NsWvXiqV8tzo0Yvhk0gvupa8HchRpJoYeR9A3JqfrvNVmGD9HxnQJCsgM2Qb7SbFq1KvKP3zt2Q7LntnUf+uB06CiCF+6g5SYDlHKeOw351tdGLGxBt1gdKID5xwRH1PG5jkxThO6ZA70LU5M0BHMK43bYTYWqnNuxlsPVShBhk=,iv:Nhcn7zrwkBvdJeGq03hqDTPBvXrdPCEoyOhEYOsJkVs=,tag:YHyh7X8PJIz4ymK03VamyQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3