Fix hedgedoc oauth, update flake, update sops

This commit is contained in:
Felix Albrigtsen 2023-04-26 23:40:18 +02:00
parent 7d9a648030
commit 9e64e2dd1f
6 changed files with 52 additions and 55 deletions


@ -1,6 +1,6 @@
keys: keys:
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &host_voyager age1rfevltzuq0a3mv4f5544639g99vev5626u4g5kxkat85sth5246qpat3sr - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
creation_rules: creation_rules:
# Global secrets # Global secrets
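Review bot: Replacing `&host_voyager` with `age14jz…` re-encrypts `secrets/voyager/voyager.yaml` (the last section of this commit) to the new recipient, but the previous ciphertext stays in git history and remains readable by whichever key matched it, so this is a key replacement, not a revocation. The recipient the secrets file was previously encrypted to (`age1mlz5…`) is not the `age1rfev…` key this file listed before, which suggests the rules and the file were already out of sync and would explain the "update sops" part of the commit. If the old key was simply replaced nothing more is needed; if it may have been exposed, the values inside `hedgedoc/env` (per the comment in hedgedoc.nix, `CMD_SESSION_SECRET` and `CMD_OAUTH2_CLIENT_SECRET`) should be regenerated rather than only re-encrypted. A comment above the key such as `# voyager host key (age); rotated 2023-04-26, earlier recipients still decrypt history` would keep the reason on record.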


@ -67,4 +67,5 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkLmJIkBM6AMbYM/hYm27Flgya81UiGqh9/owYWmrbZ home.feal.no"
]; ];
}; };
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
} }


@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1681570648, "lastModified": 1682461850,
"narHash": "sha256-ATsDh8cEXqx+gGIIpEPf5twAStM9INIbwmVgS4WcjYQ=", "narHash": "sha256-udJwbwbhUOt0y04cIJy+7W6zNQeL23m+p3o7G47ZFEg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "745a6200bf74c4dbec8f94dd731ab3769c0e9df3", "rev": "c533ac9867368d28e29a23369ac5d597bc5da185",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -18,11 +18,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1681613598, "lastModified": 1682173319,
"narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=", "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1040ce5f652b586da95dfd80d48a745e107b9eac", "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -47,11 +47,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1681613729, "lastModified": 1682338428,
"narHash": "sha256-9Qb0tHW8l1hgFkuB76n4VT9UNUaR7QL3CgmJ5hcVYEg=", "narHash": "sha256-T7AL/Us6ecxowjMAlO77GETTQO2SO+1XX2+Y/OSfHk8=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "b7a6670a28b01cd1f62879921e36be2c69c4137a", "rev": "7c8e9727a2ecf9994d4a63d577ad5327e933b6a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -62,11 +62,11 @@
}, },
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1681618194, "lastModified": 1682476574,
"narHash": "sha256-UR4OobzFHFyIVHXmanJLfm5o2DVufbFeP1Dn7C5Xqn0=", "narHash": "sha256-diM+haOZnOUPOp3dLLbuAgEZBCE7Iv9iyNzO5YVmwq0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f2654e378dfc8153a141a8fcb854b423fe259a27", "rev": "8bac227a5a27ba29240e496e3e3fd55a2351f68b",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -46,14 +46,13 @@
}; };
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml; sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
((vim_configurable.override { }).customize{ ((vim_configurable.override { }).customize{
name = "vim"; name = "vim";
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; { vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
start = [ vim-nix vim-lastplace ]; start = [ vim-nix vim-lastplace vim-commentary ];
opt = []; opt = [];
}; };
vimrcConfig.customRC = '' vimrcConfig.customRC = ''
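Review bot: Whether `sops.age.keyFile = "/var/lib/sops-nix/key.txt";` (and `sops.age.sshKeyPaths` in the earlier `@ -67,4 +67,5 @@` section) is the added or the removed line is not recoverable from this rendering, but together with the new host recipient in .sops.yaml it reads as a move from an SSH-host-key-derived age key to a dedicated key file. If so, that file has to be provisioned on the host out of band before this generation is activated, owned by root and not group- or world-readable, since it now unlocks everything under `../../secrets/voyager/voyager.yaml` and sops-nix is expected to fail activation rather than fall back when it cannot decrypt. A short comment next to the option, e.g. `# dedicated age key, provisioned manually; its public half is host_voyager in .sops.yaml`, would tell the next reader where the recipient comes from. The enclosing attribute set starts before this hunk.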


@ -2,8 +2,9 @@
let let
cfg = config.services.hedgedoc.settings; cfg = config.services.hedgedoc.settings;
domain = "md.feal.no"; domain = "md.feal.no";
port = 3000; port = 3300;
host = "0.0.0.0"; host = "0.0.0.0";
authServerUrl = config.services.kanidm.serverSettings.origin;
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@ -12,27 +13,27 @@ in {
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = { settings = {
inherit domain port host; inherit domain port host;
protocolUseSSL = true; protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
db = { db = {
dialect = "sqlite"; dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
}; };
environmentFile = config.sops.secrets."hedgedoc/env".path;
email = false; email = false;
oauth2 = let oauth2 = {
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
baseURL = "${authServerUrl}/oauth2"; baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token"; tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2"; authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"; userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = ""; clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile"; scope = "openid email profile";
userProfileUsernameAttr = "name"; userProfileUsernameAttr = "name";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
@ -43,14 +44,11 @@ in {
}; };
}; };
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}/";
};
locations."/socket.io/" = { systemd.services.hedgedoc.serviceConfig = {
proxyPass = "http://${host}:${toString port}/"; WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
proxyWebsockets = true; StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
};
}; };
networking.firewall.allowedTCPPorts = [ port ];
} }
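Review bot: With the nginx virtualHost removed in this last hunk, hedgedoc now listens directly on `host = "0.0.0.0"` at port 3300, and `protocolUseSSL = true` only affects the URLs it generates; nothing in this file terminates TLS in front of it any more, and whether `networking.firewall.allowedTCPPorts = [ port ];` is being added or removed is not recoverable from this rendering. If the reverse proxy that replaced the local one runs on the same machine, `host = "127.0.0.1";` keeps the plaintext listener (and the session cookie it sets) off the network; if it runs elsewhere, binding to the interface that proxy reaches is preferable to all interfaces. Moving `environmentFile` out of `settings` and referencing `$CMD_OAUTH2_CLIENT_SECRET` / `$CMD_SESSION_SECRET` is the documented NixOS pattern for keeping these values out of the store and is presumably the actual OAuth fix; a comment on `port = 3300;` saying why it moved off 3000 would help. The `let … in` this file is wrapped in starts in the first hunk and the attribute set closes at the end of this one.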


@ -1,42 +1,41 @@
#ENC[AES256_GCM,data:cYubTyNl41ufO3tMpRIZHJdo/a5gxT4Afv8is2mbxEtRumDUcW+5gZ5E6m3n7+IIg2jOuO1I,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ogNmvkNeaJC7DlB+pbMPnA==,type:comment] #ENC[AES256_GCM,data:DD7NMS1+lSV4f7fIAadvbyX0WsAlCMophBeQzoJ6OnYM5rx+Md9Z/R9SA7U4Mx9V5+LTn1/W,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:8Z1EaoHSQXrRBC1yfvU3Sw==,type:comment]
#ENC[AES256_GCM,data:QcB3dNA10sP34pK8SCaKVs5jazW2uzD69a2U,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:UBibqrup4ogZoS2xXi0vrA==,type:comment] #ENC[AES256_GCM,data:kJam8oGmTK5TsrjyreeA4ejmfmR6IGbhe9i9,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:jaI7Gt1lPFnCF3N/pznqaw==,type:comment]
#ENC[AES256_GCM,data:OuH/xIjJZZZvkof/j9Pz7aG0,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:f4ZxngtUAF+ctxJFlDrr4w==,type:comment] #ENC[AES256_GCM,data:7ymKEd8NvmQacyFxhkd907ai,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:BS5OJdNb6JVWXwr7VQ8QAw==,type:comment]
#ENC[AES256_GCM,data:LC90R2o+4wPQ8yKpMlpb,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:FOpLtkRX26IdV+LMDm9Nhw==,type:comment] #ENC[AES256_GCM,data:3tOkiA7K6Db/2cPFKDMf,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:nqP2wyg5T+RwA1fDI2Q0bw==,type:comment]
#ENC[AES256_GCM,data:p0s2J4k0xSJF02l6ZudSakxVnN7H,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:xreaaMkZI5+cvvq/p38hGw==,type:comment] #ENC[AES256_GCM,data:0298n6qm6ZE6WzkUQrr7M6t/Tj37,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:RKm3ElD3CFlwPYFr9th2hQ==,type:comment]
#ENC[AES256_GCM,data:xuGaMth0lq9q7vmeUilgHskjjTZj,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:L2c7XpZMP1aKswwx37lC+Q==,type:comment] #ENC[AES256_GCM,data:4I1NAGgZalSkGvmOEuzlIbdOLhFF,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:HWfLK70NnUF5sNulbvGauA==,type:comment]
#ENC[AES256_GCM,data:d0zRwG8ZbGBthh/pu+Eyv9COARL7LGGEMES2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:/73UgFoIRRpKityxlcWldg==,type:comment] #ENC[AES256_GCM,data:X6a1nIcMHwE1LYvfdbv7obMoNLmogi8lMZJX,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:HjxihWezjq37fksfkKpqYQ==,type:comment]
#ENC[AES256_GCM,data:Qx48qmQtH8pXH/OsqbveUNwx,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:B/s/KfVDcjcyWqdBSMfyIA==,type:comment] #ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
#ENC[AES256_GCM,data:uF4N/yAesQiwJWQ=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:tgUJZ79eWU2s4IdZCdvMxQ==,type:comment] #ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
#ENC[AES256_GCM,data:7u87/8sEwf84DsXy,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:/WBgX1Lk8EZS27K3UwOtLw==,type:comment] #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
hedgedoc: hedgedoc:
env: ENC[AES256_GCM,data:A5m2hSK7OfKngJsjUwF+SaSDnTHscG2lexEjfmX3E3j8c4zXPjQh52tcP5k1+h7wq9G41GMni9EDHynyxfj/g0Y0Gpvr9t07BMvvwa/JfbDEgmPEHHuVcG/P6eeFhqU1raZ5Vl2M8Z9iChquubvSoNmvKrjJEMlsu3GqONb+C0uXje0CeUeAV6d2RYDumvklqmbUxXUR2lmKsI7M+ec=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:7OH5ClKcKjP9hTm3JtyFsg==,type:str] env: ENC[AES256_GCM,data:okkj5V0veAwWwdmhjhsd4seAHiBOjdk7m80C3iVi78LNeHlNuGL2zdvKV5b4ClUR3awabotR/QwdvSvCUxZiFRpXwyeETxHPRRTtR4VDL1L4MifJ0LS27A5DAzAdjCjc799ckgDyBn5L3+T6P1136X0PnaXQT1KyRegizC1DFQ15/3fvlIe05tonDwDVAsPkV8ZEtmGuseB87yoFBxs=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:6bDyl7c23uAWMzVrJ5/YYQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr - recipient: age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpazVpRU9CdXJRbjBycXRx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOZml2bXBjSUYrMW5RcnFl
V2dMVW16Rm43QW9xeTNhZ2NQWDBqN3JVS0NjCklQbXlCU295VmxUZHVwcGF1RHp5 MTRzM1p2L1JMTGJCamk1RHczOStQUjlFSDFzCmdGTDYrYUhJUjAyYWdkclgwazNt
OG04bUd4V3RXNGFZMTZrbGVDczNlWEEKLS0tIEVHeFJVTExRY0NCNGlLdTdEQ05G UWVqY0JxYXh3cXVyNjlSZ2h6c0R4REEKLS0tIDZHY0F6M0lOZ1JRelp3Umx0aW4x
ekpycHViWDFUREluaytiSERVQk9DN2cK6stL4d2RqmhPmT4m6sLZz3qilE+ZrTkz cjRUa2szZGZuSnhjd3hCNmYvV0tXTmMKlYuaUIvwTv8NpaoBYVva4jbRemkFTdfU
8Yedd0J/kNMyeAFSEOJtVM4ADkBdZCpX1QOGy36XKISVbck+rZWoDQ== yP4J5RyUry83aVlHFQ2f7neBpWc6A2rePl3XuEQxSggl13hh71H+nw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdWV4bCt1NEZEZHpRMlQ3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOG5GSDd4R09mZ2QvT0dy
VVlTcFVScUZBRENHczhwblNQVkk3Q3pwdm1jCmdQMjhJREM1cGJiRk1WZHlIWUxP YnIxMWNBL3huMXNmcjV0a1VlS0FxS1JtSFVjCmthenVlYytjZklxNk43YlR5NExG
d2RZaFlWSWdHVUJaNGpTNmR2WEFWZEUKLS0tIDJCOHh5RmlxT1F1VElPTFhSUWwr aVQ2K1ZsbHdWTm91d1JvNDVsYW1FSEkKLS0tIFpTeG1zcVRpWWlWUE1abllKR1BW
Sk9XMkpDVE4veGgxazRRbVdPZ2NsRUkK8ZYLUD7s5GvW/T4j7W2gie8vyyMJQnfZ THFRNjZXc0RsS0xKK1BkeEU1UzA4MW8KgOIQyL6A9u+Ii8zYkHJDWVAG/EEc61Qh
JT+BnhjvKIz+dj9/V0lOzoNnie01VWF9zJtxB4M6X4J1WFHhwF8iFg== u+VFyGB7esTG56G19u1aCHB/NUxG5HYMG/DEqH/SyCyKUvHrXjEF4g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-26T11:19:53Z" lastmodified: "2023-04-26T11:53:47Z"
mac: ENC[AES256_GCM,data:UIfUFsrwPcAG74JPPRcpO77AKUQX1s4eKyFZOO5HH3JdCunZkVwet4iFdiYiY4x7GmnO2l4wrhiegUR+N9rjyOioN6AGjUE0GS2q2D6fHs16saWtflvsslk3H896F9oLbALmV8TMJuHL3MvQT6IqaAT6PhT7qrtudmUyW7tLP3o=,iv:uwPhCNPzKnxSkYpt+SPsb3FNT5yBYsi5SgZYeioSz2s=,tag:pQ45sspg8NhlgQ2h18rLLQ==,type:str] mac: ENC[AES256_GCM,data:CQi0+67t6NrYFlpqry7lULIlQs3adLG1L9bH7iYDhAPF/1Bi/A3OrKZfdNozp/VRqBlMnfp2z6UWh9ScvI1V5aOWfsTfEFKF4l945rwN4f7MYYRaYtgSDSefAoZrgE036Fzuh2seDDcvfoeOEnQ1VJ6BD/1wSrMPP1z1F3au1dE=,iv:cMZUXzedX1Gjkqn1uAZ1gufehtYQ9X/A8m/GRF5TLZw=,tag:C231MYSPUvYnAYiJ4TjdFA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3