Fix hedgedoc oauth, update flake, update sops

This commit is contained in:
Felix Albrigtsen 2023-04-26 23:40:18 +02:00
parent 7d9a648030
commit 9e64e2dd1f
6 changed files with 52 additions and 55 deletions


@ -1,6 +1,6 @@
keys:
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &host_voyager age1rfevltzuq0a3mv4f5544639g99vev5626u4g5kxkat85sth5246qpat3sr
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
creation_rules:
# Global secrets
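Review bot: The `host_voyager` recipient is replaced here, but the recipient removed from secrets/voyager/voyager.yaml later in this commit (age1mlz5x…) is not the key this file listed before (age1rfev…), so at least one of the two was already stale and any other file under `creation_rules` still encrypted to either old key needs `sops updatekeys` as well. Changing the recipient list does not revoke the old key for anything already committed: every earlier revision of voyager.yaml remains decryptable with it, so if the rotation was prompted by a lost or exposed host key the value inside (`hedgedoc/env`) should be changed, not only re-encrypted. The old and new `hedgedoc/env` ciphertexts share the same IV (`VKwB+…`) with different data, which is what sops produces for unchanged plaintext under a freshly generated data key; it is worth confirming the file was re-keyed with `sops rotate` rather than edited under the old data key, since that is not visible from the page. A short comment above the key line, e.g. `# host key of voyager, rotated 2023-04-26; old recipient retired`, would keep the rotation history with the file.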


@ -67,4 +67,5 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
];
};
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}
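Review bot: The added `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` derives this host's age identity from its SSH host key, while the voyager host elsewhere in this commit uses a dedicated `sops.age.keyFile = "/var/lib/sops-nix/key.txt"`, so the two hosts follow different key-management schemes. Tying decryption to the SSH host key means the key's lifetime now also governs secret access: regenerating the host key (reinstall, `/etc/ssh` loss) silently breaks decryption until the recipients in .sops.yaml are updated, and anything that exfiltrates the host key also yields the secrets. A comment stating the intent, e.g. `# age identity is derived from the SSH host key; rotate recipients in .sops.yaml if this key changes`, would make that coupling explicit. The enclosing attribute set starts outside this hunk.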


@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1681570648,
"narHash": "sha256-ATsDh8cEXqx+gGIIpEPf5twAStM9INIbwmVgS4WcjYQ=",
"lastModified": 1682461850,
"narHash": "sha256-udJwbwbhUOt0y04cIJy+7W6zNQeL23m+p3o7G47ZFEg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "745a6200bf74c4dbec8f94dd731ab3769c0e9df3",
"rev": "c533ac9867368d28e29a23369ac5d597bc5da185",
"type": "github"
},
"original": {
@ -18,11 +18,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1681613598,
"narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=",
"lastModified": 1682173319,
"narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1040ce5f652b586da95dfd80d48a745e107b9eac",
"rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
"type": "github"
},
"original": {
@ -47,11 +47,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1681613729,
"narHash": "sha256-9Qb0tHW8l1hgFkuB76n4VT9UNUaR7QL3CgmJ5hcVYEg=",
"lastModified": 1682338428,
"narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b7a6670a28b01cd1f62879921e36be2c69c4137a",
"rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
"type": "github"
},
"original": {
@ -62,11 +62,11 @@
},
"unstable": {
"locked": {
"lastModified": 1681618194,
"narHash": "sha256-UR4OobzFHFyIVHXmanJLfm5o2DVufbFeP1Dn7C5Xqn0=",
"lastModified": 1682476574,
"narHash": "sha256-diM+haOZnOUPOp3dLLbuAgEZBCE7Iv9iyNzO5YVmwq0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f2654e378dfc8153a141a8fcb854b423fe259a27",
"rev": "8bac227a5a27ba29240e496e3e3fd55a2351f68b",
"type": "github"
},
"original": {


@ -46,14 +46,13 @@
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
((vim_configurable.override { }).customize{
name = "vim";
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
start = [ vim-nix vim-lastplace ];
start = [ vim-nix vim-lastplace vim-commentary ];
opt = [];
};
vimrcConfig.customRC = ''


@ -2,8 +2,9 @@
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3000;
port = 3300;
host = "0.0.0.0";
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
@ -12,27 +13,27 @@ in {
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
environmentFile = config.sops.secrets."hedgedoc/env".path;
email = false;
oauth2 = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
@ -43,14 +44,11 @@ in {
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}/";
};
locations."/socket.io/" = {
proxyPass = "http://${host}:${toString port}/";
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig = {
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
};
networking.firewall.allowedTCPPorts = [ port ];
}
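Review bot: If the `services.nginx.virtualHosts.${domain}` block with its `locations."/"` and `locations."/socket.io/"` proxyPass lines is the removed side and `networking.firewall.allowedTCPPorts = [ port ];` the added side, as this hunk's 14→11 line counts suggest, HedgeDoc's plain-HTTP listener on `host = "0.0.0.0"` port 3300 is now reachable on every interface while `protocolUseSSL = true` still makes it emit https:// URLs, including the OAuth2 callback it registers with kanidm. Unless TLS is terminated on another machine, the session cookie and the OAuth2 authorization code would then cross the network in clear text, and the WebSocket proxying the removed `/socket.io/` location provided is gone with it. If an external reverse proxy is the intent, limit the opening to that peer, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ port ];` or a matching `networking.firewall.extraCommands` rule, and note it beside the firewall line: `# plain HTTP; exposed only for the TLS-terminating proxy on <proxy host>`. The enclosing `in {` module body starts outside this hunk.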


@ -1,42 +1,41 @@
#ENC[AES256_GCM,data:cYubTyNl41ufO3tMpRIZHJdo/a5gxT4Afv8is2mbxEtRumDUcW+5gZ5E6m3n7+IIg2jOuO1I,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ogNmvkNeaJC7DlB+pbMPnA==,type:comment]
#ENC[AES256_GCM,data:QcB3dNA10sP34pK8SCaKVs5jazW2uzD69a2U,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:UBibqrup4ogZoS2xXi0vrA==,type:comment]
#ENC[AES256_GCM,data:OuH/xIjJZZZvkof/j9Pz7aG0,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:f4ZxngtUAF+ctxJFlDrr4w==,type:comment]
#ENC[AES256_GCM,data:LC90R2o+4wPQ8yKpMlpb,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:FOpLtkRX26IdV+LMDm9Nhw==,type:comment]
#ENC[AES256_GCM,data:p0s2J4k0xSJF02l6ZudSakxVnN7H,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:xreaaMkZI5+cvvq/p38hGw==,type:comment]
#ENC[AES256_GCM,data:xuGaMth0lq9q7vmeUilgHskjjTZj,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:L2c7XpZMP1aKswwx37lC+Q==,type:comment]
#ENC[AES256_GCM,data:d0zRwG8ZbGBthh/pu+Eyv9COARL7LGGEMES2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:/73UgFoIRRpKityxlcWldg==,type:comment]
#ENC[AES256_GCM,data:Qx48qmQtH8pXH/OsqbveUNwx,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:B/s/KfVDcjcyWqdBSMfyIA==,type:comment]
#ENC[AES256_GCM,data:uF4N/yAesQiwJWQ=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:tgUJZ79eWU2s4IdZCdvMxQ==,type:comment]
#ENC[AES256_GCM,data:7u87/8sEwf84DsXy,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:/WBgX1Lk8EZS27K3UwOtLw==,type:comment]
#ENC[AES256_GCM,data:DD7NMS1+lSV4f7fIAadvbyX0WsAlCMophBeQzoJ6OnYM5rx+Md9Z/R9SA7U4Mx9V5+LTn1/W,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:8Z1EaoHSQXrRBC1yfvU3Sw==,type:comment]
#ENC[AES256_GCM,data:kJam8oGmTK5TsrjyreeA4ejmfmR6IGbhe9i9,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:jaI7Gt1lPFnCF3N/pznqaw==,type:comment]
#ENC[AES256_GCM,data:7ymKEd8NvmQacyFxhkd907ai,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:BS5OJdNb6JVWXwr7VQ8QAw==,type:comment]
#ENC[AES256_GCM,data:3tOkiA7K6Db/2cPFKDMf,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:nqP2wyg5T+RwA1fDI2Q0bw==,type:comment]
#ENC[AES256_GCM,data:0298n6qm6ZE6WzkUQrr7M6t/Tj37,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:RKm3ElD3CFlwPYFr9th2hQ==,type:comment]
#ENC[AES256_GCM,data:4I1NAGgZalSkGvmOEuzlIbdOLhFF,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:HWfLK70NnUF5sNulbvGauA==,type:comment]
#ENC[AES256_GCM,data:X6a1nIcMHwE1LYvfdbv7obMoNLmogi8lMZJX,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:HjxihWezjq37fksfkKpqYQ==,type:comment]
#ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
#ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
#ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
hedgedoc:
env: ENC[AES256_GCM,data:A5m2hSK7OfKngJsjUwF+SaSDnTHscG2lexEjfmX3E3j8c4zXPjQh52tcP5k1+h7wq9G41GMni9EDHynyxfj/g0Y0Gpvr9t07BMvvwa/JfbDEgmPEHHuVcG/P6eeFhqU1raZ5Vl2M8Z9iChquubvSoNmvKrjJEMlsu3GqONb+C0uXje0CeUeAV6d2RYDumvklqmbUxXUR2lmKsI7M+ec=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:7OH5ClKcKjP9hTm3JtyFsg==,type:str]
env: ENC[AES256_GCM,data:okkj5V0veAwWwdmhjhsd4seAHiBOjdk7m80C3iVi78LNeHlNuGL2zdvKV5b4ClUR3awabotR/QwdvSvCUxZiFRpXwyeETxHPRRTtR4VDL1L4MifJ0LS27A5DAzAdjCjc799ckgDyBn5L3+T6P1136X0PnaXQT1KyRegizC1DFQ15/3fvlIe05tonDwDVAsPkV8ZEtmGuseB87yoFBxs=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:6bDyl7c23uAWMzVrJ5/YYQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
- recipient: age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpazVpRU9CdXJRbjBycXRx
V2dMVW16Rm43QW9xeTNhZ2NQWDBqN3JVS0NjCklQbXlCU295VmxUZHVwcGF1RHp5
OG04bUd4V3RXNGFZMTZrbGVDczNlWEEKLS0tIEVHeFJVTExRY0NCNGlLdTdEQ05G
ekpycHViWDFUREluaytiSERVQk9DN2cK6stL4d2RqmhPmT4m6sLZz3qilE+ZrTkz
8Yedd0J/kNMyeAFSEOJtVM4ADkBdZCpX1QOGy36XKISVbck+rZWoDQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZml2bXBjSUYrMW5RcnFl
MTRzM1p2L1JMTGJCamk1RHczOStQUjlFSDFzCmdGTDYrYUhJUjAyYWdkclgwazNt
UWVqY0JxYXh3cXVyNjlSZ2h6c0R4REEKLS0tIDZHY0F6M0lOZ1JRelp3Umx0aW4x
cjRUa2szZGZuSnhjd3hCNmYvV0tXTmMKlYuaUIvwTv8NpaoBYVva4jbRemkFTdfU
yP4J5RyUry83aVlHFQ2f7neBpWc6A2rePl3XuEQxSggl13hh71H+nw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWV4bCt1NEZEZHpRMlQ3
VVlTcFVScUZBRENHczhwblNQVkk3Q3pwdm1jCmdQMjhJREM1cGJiRk1WZHlIWUxP
d2RZaFlWSWdHVUJaNGpTNmR2WEFWZEUKLS0tIDJCOHh5RmlxT1F1VElPTFhSUWwr
Sk9XMkpDVE4veGgxazRRbVdPZ2NsRUkK8ZYLUD7s5GvW/T4j7W2gie8vyyMJQnfZ
JT+BnhjvKIz+dj9/V0lOzoNnie01VWF9zJtxB4M6X4J1WFHhwF8iFg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOG5GSDd4R09mZ2QvT0dy
YnIxMWNBL3huMXNmcjV0a1VlS0FxS1JtSFVjCmthenVlYytjZklxNk43YlR5NExG
aVQ2K1ZsbHdWTm91d1JvNDVsYW1FSEkKLS0tIFpTeG1zcVRpWWlWUE1abllKR1BW
THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-26T11:19:53Z"
mac: ENC[AES256_GCM,data:UIfUFsrwPcAG74JPPRcpO77AKUQX1s4eKyFZOO5HH3JdCunZkVwet4iFdiYiY4x7GmnO2l4wrhiegUR+N9rjyOioN6AGjUE0GS2q2D6fHs16saWtflvsslk3H896F9oLbALmV8TMJuHL3MvQT6IqaAT6PhT7qrtudmUyW7tLP3o=,iv:uwPhCNPzKnxSkYpt+SPsb3FNT5yBYsi5SgZYeioSz2s=,tag:pQ45sspg8NhlgQ2h18rLLQ==,type:str]
lastmodified: "2023-04-26T11:53:47Z"
mac: ENC[AES256_GCM,data:CQi0+67t6NrYFlpqry7lULIlQs3adLG1L9bH7iYDhAPF/1Bi/A3OrKZfdNozp/VRqBlMnfp2z6UWh9ScvI1V5aOWfsTfEFKF4l945rwN4f7MYYRaYtgSDSefAoZrgE036Fzuh2seDDcvfoeOEnQ1VJ6BD/1wSrMPP1z1F3au1dE=,iv:cMZUXzedX1Gjkqn1uAZ1gufehtYQ9X/A8m/GRF5TLZw=,tag:C231MYSPUvYnAYiJ4TjdFA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3