From 9e64e2dd1f840fa22ec92b94a8757b24114d04a5 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Wed, 26 Apr 2023 23:40:18 +0200
Subject: [PATCH] Fix hedgedoc oauth, update flake, update sops

---
 .sops.yaml | 2 +-
 base.nix | 1 +
 flake.lock | 24 +++++++-------
 hosts/voyager/configuration.nix | 3 +-
 hosts/voyager/services/hedgedoc.nix | 28 ++++++++---------
 secrets/voyager/voyager.yaml | 49 ++++++++++++++---------------
 6 files changed, 52 insertions(+), 55 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 780d050..e23962b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,6 @@
 keys:
 - &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- - &host_voyager age1rfevltzuq0a3mv4f5544639g99vev5626u4g5kxkat85sth5246qpat3sr
+ - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
 creation_rules:
 # Global secrets
diff --git a/base.nix b/base.nix
index 20ca1c6..b4d5276 100644
--- a/base.nix
+++ b/base.nix
@@ -67,4 +67,5 @@
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
 ];
 };
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 }
diff --git a/flake.lock b/flake.lock
index 3f6079d..20e424a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixpkgs": {
 "locked": {
- "lastModified": 1681570648,
- "narHash": "sha256-ATsDh8cEXqx+gGIIpEPf5twAStM9INIbwmVgS4WcjYQ=",
+ "lastModified": 1682461850,
+ "narHash": "sha256-udJwbwbhUOt0y04cIJy+7W6zNQeL23m+p3o7G47ZFEg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "745a6200bf74c4dbec8f94dd731ab3769c0e9df3",
+ "rev": "c533ac9867368d28e29a23369ac5d597bc5da185",
 "type": "github"
 },
 "original": {
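Review bot: The new `&host_voyager` value carries no note of where it comes from, and the anchor it replaces (`age1rfev…`) did not match the recipient the encrypted file actually used (`age1mlz…` in the old secrets/voyager/voyager.yaml), so the anchor and the secrets file had already drifted apart before this commit. Since the new value is presumably derived from the host's SSH key (base.nix now sets `sops.age.sshKeyPaths` to `/etc/ssh/ssh_host_ed25519_key`), record that next to it so the next rotation is reproducible, e.g. a comment line `# voyager: age key derived from /etc/ssh/ssh_host_ed25519_key.pub (ssh-to-age)` above the `&host_voyager` entry. A short "re-run sops updatekeys on every file after editing this list" reminder near `creation_rules` would also prevent the same drift recurring.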
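Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` is added without a comment, and because it lives in base.nix it presumably applies to every host that imports that file, so each host's SSH host key now doubles as the key that decrypts all of that host's sops secrets. That is a reasonable default, but it couples two lifecycles: regenerating a host key silently breaks secret decryption until `.sops.yaml` is updated and the files re-keyed. A comment such as `# sops-nix derives the host's age key from its SSH host key; rotating the host key requires re-keying .sops.yaml` would make the coupling visible. The enclosing attribute set begins outside the hunk.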
@@ -18,11 +18,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1681613598,
- "narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=",
+ "lastModified": 1682173319,
+ "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1040ce5f652b586da95dfd80d48a745e107b9eac",
+ "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
 "type": "github"
 },
 "original": {
@@ -47,11 +47,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1681613729,
- "narHash": "sha256-9Qb0tHW8l1hgFkuB76n4VT9UNUaR7QL3CgmJ5hcVYEg=",
+ "lastModified": 1682338428,
+ "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "b7a6670a28b01cd1f62879921e36be2c69c4137a",
+ "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
 "type": "github"
 },
 "original": {
@@ -62,11 +62,11 @@
 },
 "unstable": {
 "locked": {
- "lastModified": 1681618194,
- "narHash": "sha256-UR4OobzFHFyIVHXmanJLfm5o2DVufbFeP1Dn7C5Xqn0=",
+ "lastModified": 1682476574,
+ "narHash": "sha256-diM+haOZnOUPOp3dLLbuAgEZBCE7Iv9iyNzO5YVmwq0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f2654e378dfc8153a141a8fcb854b423fe259a27",
+ "rev": "8bac227a5a27ba29240e496e3e3fd55a2351f68b",
 "type": "github"
 },
 "original": {
diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix
index 26e90e8..85c4c2d 100644
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@@ -46,14 +46,13 @@
 };
 sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
- sops.age.keyFile = "/var/lib/sops-nix/key.txt";
 environment.variables = { EDITOR = "vim"; };
 environment.systemPackages = with pkgs; [
 ((vim_configurable.override { }).customize{
 name = "vim";
 vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
- start = [ vim-nix vim-lastplace ];
+ start = [ vim-nix vim-lastplace vim-commentary ];
 opt = [];
 };
 vimrcConfig.customRC = ''
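Review bot: Removing `sops.age.keyFile = "/var/lib/sops-nix/key.txt";` leaves this host with no configured decryption key unless base.nix, which this commit changes to set `sops.age.sshKeyPaths`, is actually imported by voyager; that import is not visible in the hunk, so it is worth confirming before the first deploy. The retired key file is also not cleaned up: the private key at /var/lib/sops-nix/key.txt stays on disk and, if it holds the `age1mlz…` recipient that the previous secrets/voyager/voyager.yaml was encrypted to, it still decrypts every earlier revision of that file in git history, so delete it (or rotate the values it protected) once the new key is verified to work. The `vim-commentary` addition in the same hunk is unrelated to the sops change and would be easier to audit as a separate commit. The enclosing attribute set starts and ends outside the hunk.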
diff --git a/hosts/voyager/services/hedgedoc.nix b/hosts/voyager/services/hedgedoc.nix
index ac514f1..de70f33 100644
--- a/hosts/voyager/services/hedgedoc.nix
+++ b/hosts/voyager/services/hedgedoc.nix
@@ -2,8 +2,9 @@
 let
 cfg = config.services.hedgedoc.settings;
 domain = "md.feal.no";
- port = 3000;
+ port = 3300;
 host = "0.0.0.0";
+ authServerUrl = config.services.kanidm.serverSettings.origin;
 in {
 # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
 sops.secrets."hedgedoc/env" = {
@@ -12,27 +13,27 @@ in {
 services.hedgedoc = {
 enable = true;
-
+ environmentFile = config.sops.secrets."hedgedoc/env".path;
 settings = {
 inherit domain port host;
 protocolUseSSL = true;
+ sessionSecret = "$CMD_SESSION_SECRET";
+
+ allowFreeURL = true;
 db = {
 dialect = "sqlite";
 storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
 };
- environmentFile = config.sops.secrets."hedgedoc/env".path;
 email = false;
- oauth2 = let
- authServerUrl = config.services.kanidm.serverSettings.origin;
- in {
+ oauth2 = {
 baseURL = "${authServerUrl}/oauth2";
 tokenURL = "${authServerUrl}/oauth2/token";
 authorizationURL = "${authServerUrl}/ui/oauth2";
 userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
 clientID = "hedgedoc";
- clientSecret = "";
+ clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
 scope = "openid email profile";
 userProfileUsernameAttr = "name";
 userProfileEmailAttr = "email";
@@ -43,14 +44,11 @@ in {
 };
 };
- services.nginx.virtualHosts.${domain} = {
- locations."/" = {
- proxyPass = "http://${host}:${toString port}/";
- };
- locations."/socket.io/" = {
- proxyPass = "http://${host}:${toString port}/";
- proxyWebsockets = true;
- };
+ systemd.services.hedgedoc.serviceConfig = {
+ WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
+ StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
 };
+
+ networking.firewall.allowedTCPPorts = [ port ];
 }
diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml
index eec0cf0..2e94927 100644
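Review bot: `allowFreeURL = true;` is added in the second hunk without a companion `requireFreeURLAuthentication` or `allowAnonymous` setting, so whether unauthenticated visitors can create notes at arbitrary URLs now depends on HedgeDoc's defaults rather than on anything in this file; if the intent is that only Kanidm-authenticated users create notes, set `requireFreeURLAuthentication = true;` next to it. The `$CMD_SESSION_SECRET` and `$CMD_OAUTH2_CLIENT_SECRET` placeholders rely on the NixOS module expanding variables from `environmentFile` into the rendered config, which is the supported way to keep these values out of the world-readable store, but a comment above `sessionSecret` such as `# $VAR placeholders are expanded from environmentFile when the service starts` would save the next reader from having to verify that in the module. The `services.hedgedoc` block's closing brace lies outside the hunk.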
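Review bot: With the nginx virtual host removed in the third hunk, `networking.firewall.allowedTCPPorts = [ port ];` together with `host = "0.0.0.0"` from the first hunk publishes HedgeDoc's plain-HTTP listener on port 3300 to every interface, while `protocolUseSSL = true` still tells HedgeDoc it is served over HTTPS, which affects the URLs it builds for the OAuth callback and how it marks its cookies. Presumably TLS now terminates on a reverse proxy elsewhere; if so, bind `host` to the address that proxy reaches or scope the rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` (placeholder interface), and add a comment naming the proxy, e.g. `# TLS is terminated by the reverse proxy on <proxy host>; this listener is plain HTTP`. The `lib.mkForce` overrides of `WorkingDirectory` and `StateDirectory` would also benefit from a one-line why-comment, since they replace whatever the module sets and the reason is not visible here.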
--- a/secrets/voyager/voyager.yaml
+++ b/secrets/voyager/voyager.yaml
@@ -1,42 +1,41 @@
-#ENC[AES256_GCM,data:cYubTyNl41ufO3tMpRIZHJdo/a5gxT4Afv8is2mbxEtRumDUcW+5gZ5E6m3n7+IIg2jOuO1I,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ogNmvkNeaJC7DlB+pbMPnA==,type:comment]
-#ENC[AES256_GCM,data:QcB3dNA10sP34pK8SCaKVs5jazW2uzD69a2U,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:UBibqrup4ogZoS2xXi0vrA==,type:comment]
-#ENC[AES256_GCM,data:OuH/xIjJZZZvkof/j9Pz7aG0,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:f4ZxngtUAF+ctxJFlDrr4w==,type:comment]
-#ENC[AES256_GCM,data:LC90R2o+4wPQ8yKpMlpb,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:FOpLtkRX26IdV+LMDm9Nhw==,type:comment]
-#ENC[AES256_GCM,data:p0s2J4k0xSJF02l6ZudSakxVnN7H,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:xreaaMkZI5+cvvq/p38hGw==,type:comment]
-#ENC[AES256_GCM,data:xuGaMth0lq9q7vmeUilgHskjjTZj,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:L2c7XpZMP1aKswwx37lC+Q==,type:comment]
-#ENC[AES256_GCM,data:d0zRwG8ZbGBthh/pu+Eyv9COARL7LGGEMES2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:/73UgFoIRRpKityxlcWldg==,type:comment]
-#ENC[AES256_GCM,data:Qx48qmQtH8pXH/OsqbveUNwx,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:B/s/KfVDcjcyWqdBSMfyIA==,type:comment]
-#ENC[AES256_GCM,data:uF4N/yAesQiwJWQ=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:tgUJZ79eWU2s4IdZCdvMxQ==,type:comment]
-#ENC[AES256_GCM,data:7u87/8sEwf84DsXy,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:/WBgX1Lk8EZS27K3UwOtLw==,type:comment]
+#ENC[AES256_GCM,data:DD7NMS1+lSV4f7fIAadvbyX0WsAlCMophBeQzoJ6OnYM5rx+Md9Z/R9SA7U4Mx9V5+LTn1/W,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:8Z1EaoHSQXrRBC1yfvU3Sw==,type:comment]
+#ENC[AES256_GCM,data:kJam8oGmTK5TsrjyreeA4ejmfmR6IGbhe9i9,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:jaI7Gt1lPFnCF3N/pznqaw==,type:comment]
+#ENC[AES256_GCM,data:7ymKEd8NvmQacyFxhkd907ai,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:BS5OJdNb6JVWXwr7VQ8QAw==,type:comment]
+#ENC[AES256_GCM,data:3tOkiA7K6Db/2cPFKDMf,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:nqP2wyg5T+RwA1fDI2Q0bw==,type:comment]
+#ENC[AES256_GCM,data:0298n6qm6ZE6WzkUQrr7M6t/Tj37,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:RKm3ElD3CFlwPYFr9th2hQ==,type:comment]
+#ENC[AES256_GCM,data:4I1NAGgZalSkGvmOEuzlIbdOLhFF,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:HWfLK70NnUF5sNulbvGauA==,type:comment]
+#ENC[AES256_GCM,data:X6a1nIcMHwE1LYvfdbv7obMoNLmogi8lMZJX,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:HjxihWezjq37fksfkKpqYQ==,type:comment]
+#ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
+#ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
+#ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
 hedgedoc:
- env: ENC[AES256_GCM,data:A5m2hSK7OfKngJsjUwF+SaSDnTHscG2lexEjfmX3E3j8c4zXPjQh52tcP5k1+h7wq9G41GMni9EDHynyxfj/g0Y0Gpvr9t07BMvvwa/JfbDEgmPEHHuVcG/P6eeFhqU1raZ5Vl2M8Z9iChquubvSoNmvKrjJEMlsu3GqONb+C0uXje0CeUeAV6d2RYDumvklqmbUxXUR2lmKsI7M+ec=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:7OH5ClKcKjP9hTm3JtyFsg==,type:str]
+ env: ENC[AES256_GCM,data:okkj5V0veAwWwdmhjhsd4seAHiBOjdk7m80C3iVi78LNeHlNuGL2zdvKV5b4ClUR3awabotR/QwdvSvCUxZiFRpXwyeETxHPRRTtR4VDL1L4MifJ0LS27A5DAzAdjCjc799ckgDyBn5L3+T6P1136X0PnaXQT1KyRegizC1DFQ15/3fvlIe05tonDwDVAsPkV8ZEtmGuseB87yoFBxs=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:6bDyl7c23uAWMzVrJ5/YYQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age:
- - recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
+ - recipient: age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpazVpRU9CdXJRbjBycXRx
- V2dMVW16Rm43QW9xeTNhZ2NQWDBqN3JVS0NjCklQbXlCU295VmxUZHVwcGF1RHp5
- OG04bUd4V3RXNGFZMTZrbGVDczNlWEEKLS0tIEVHeFJVTExRY0NCNGlLdTdEQ05G
- ekpycHViWDFUREluaytiSERVQk9DN2cK6stL4d2RqmhPmT4m6sLZz3qilE+ZrTkz
- 8Yedd0J/kNMyeAFSEOJtVM4ADkBdZCpX1QOGy36XKISVbck+rZWoDQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZml2bXBjSUYrMW5RcnFl
+ MTRzM1p2L1JMTGJCamk1RHczOStQUjlFSDFzCmdGTDYrYUhJUjAyYWdkclgwazNt
+ UWVqY0JxYXh3cXVyNjlSZ2h6c0R4REEKLS0tIDZHY0F6M0lOZ1JRelp3Umx0aW4x
+ cjRUa2szZGZuSnhjd3hCNmYvV0tXTmMKlYuaUIvwTv8NpaoBYVva4jbRemkFTdfU
+ yP4J5RyUry83aVlHFQ2f7neBpWc6A2rePl3XuEQxSggl13hh71H+nw==
 -----END AGE ENCRYPTED FILE-----
 - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWV4bCt1NEZEZHpRMlQ3
- VVlTcFVScUZBRENHczhwblNQVkk3Q3pwdm1jCmdQMjhJREM1cGJiRk1WZHlIWUxP
- d2RZaFlWSWdHVUJaNGpTNmR2WEFWZEUKLS0tIDJCOHh5RmlxT1F1VElPTFhSUWwr
- Sk9XMkpDVE4veGgxazRRbVdPZ2NsRUkK8ZYLUD7s5GvW/T4j7W2gie8vyyMJQnfZ
- JT+BnhjvKIz+dj9/V0lOzoNnie01VWF9zJtxB4M6X4J1WFHhwF8iFg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOG5GSDd4R09mZ2QvT0dy
+ YnIxMWNBL3huMXNmcjV0a1VlS0FxS1JtSFVjCmthenVlYytjZklxNk43YlR5NExG
+ aVQ2K1ZsbHdWTm91d1JvNDVsYW1FSEkKLS0tIFpTeG1zcVRpWWlWUE1abllKR1BW
+ THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
+ u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-26T11:19:53Z"
- mac: ENC[AES256_GCM,data:UIfUFsrwPcAG74JPPRcpO77AKUQX1s4eKyFZOO5HH3JdCunZkVwet4iFdiYiY4x7GmnO2l4wrhiegUR+N9rjyOioN6AGjUE0GS2q2D6fHs16saWtflvsslk3H896F9oLbALmV8TMJuHL3MvQT6IqaAT6PhT7qrtudmUyW7tLP3o=,iv:uwPhCNPzKnxSkYpt+SPsb3FNT5yBYsi5SgZYeioSz2s=,tag:pQ45sspg8NhlgQ2h18rLLQ==,type:str]
+ lastmodified: "2023-04-26T11:53:47Z"
+ mac: ENC[AES256_GCM,data:CQi0+67t6NrYFlpqry7lULIlQs3adLG1L9bH7iYDhAPF/1Bi/A3OrKZfdNozp/VRqBlMnfp2z6UWh9ScvI1V5aOWfsTfEFKF4l945rwN4f7MYYRaYtgSDSefAoZrgE036Fzuh2seDDcvfoeOEnQ1VJ6BD/1wSrMPP1z1F3au1dE=,iv:cMZUXzedX1Gjkqn1uAZ1gufehtYQ9X/A8m/GRF5TLZw=,tag:C231MYSPUvYnAYiJ4TjdFA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
-
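Review bot: Replacing recipient `age1mlz…` with `age14jz…` and rewriting `hedgedoc/env` does not protect any value whose plaintext was carried over: the previous revision of this file stays in git history and remains decryptable by whoever holds the retired age key, so if the `CMD_SESSION_SECRET` that the hedgedoc.nix comment says this entry contains was kept unchanged, it is still exposed to that key. Dropping a recipient only covers future edits; treat the swap as a trigger to rotate the values themselves and to remove the old private key from the host. If the values were in fact regenerated as part of this change, saying so in the commit message would let a later reader skip this check.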