Add sops-secrets, configure oauth
This commit is contained in:
parent
badfd138b7
commit
cf49d5137c
@ -1,6 +1,6 @@
|
||||||
keys:
|
keys:
|
||||||
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
||||||
- &host_voyager
|
- &host_voyager age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
# Global secrets
|
# Global secrets
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
services.hedgedoc = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
port = 3031;
|
||||||
|
allowFreeURL = true;
|
||||||
|
};
|
||||||
|
config = {
|
||||||
|
domain = "md.feal.no";
|
||||||
|
db = {
|
||||||
|
dialect = "mysql";
|
||||||
|
host = "mysql.home.feal.no";
|
||||||
|
port = 3306;
|
||||||
|
database = "hedgedoc";
|
||||||
|
username = "hedgedoc";
|
||||||
|
password = "DummyPasswordPlzSops";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
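Review bot: The MySQL credential on the `password = "DummyPasswordPlzSops";` line is a plain Nix string, so even as a placeholder it is rendered into the generated HedgeDoc config in the world-readable Nix store, and nothing in this new file replaces it at runtime despite the commit title. The other HedgeDoc module touched by this same commit already shows the pattern to follow: declare a `sops.secrets` entry, point `services.hedgedoc.environmentFile` at its `.path`, and pass the database credential through HedgeDoc's environment (e.g. `CMD_DB_URL`, if that is how this deployment prefers to supply it) instead of `db.password`. Until that is wired, a `# FIXME: placeholder, real credential must come from sops` comment beside the line would at least mark it as not production-ready. I would also confirm that `config = { ... }` under `services.hedgedoc` is a valid option on the NixOS release in use — the rendering drops indentation, but `settings` and `config` appear to be siblings here, and I only know `settings` (newer) and `configuration` (older) as the option names.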
@ -5,6 +5,11 @@ let
|
||||||
port = 3000;
|
port = 3000;
|
||||||
host = "0.0.0.0";
|
host = "0.0.0.0";
|
||||||
in {
|
in {
|
||||||
|
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
||||||
|
sops.secrets."hedgedoc/env" = {
|
||||||
|
restartUnits = [ "hedgedoc.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
services.hedgedoc = {
|
services.hedgedoc = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -15,6 +20,8 @@ in {
|
||||||
dialect = "sqlite";
|
dialect = "sqlite";
|
||||||
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
|
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
|
||||||
};
|
};
|
||||||
|
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
||||||
|
|
||||||
email = false;
|
email = false;
|
||||||
oauth2 = let
|
oauth2 = let
|
||||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||||
|
@ -31,13 +38,10 @@ in {
|
||||||
userProfileDisplayNameAttr = "displayname";
|
userProfileDisplayNameAttr = "displayname";
|
||||||
|
|
||||||
providerName = "KaniDM";
|
providerName = "KaniDM";
|
||||||
# rolesClaim = "roles";
|
|
||||||
# accessRole = "hedgedoc_users";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
#networking.firewall.allowedTCPPorts = [ port ];
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://${host}:${toString port}/";
|
proxyPass = "http://${host}:${toString port}/";
|
||||||
|
|
|
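Review bot: Deleting the commented `# rolesClaim = "roles";` / `# accessRole = "hedgedoc_users";` lines in the third hunk leaves the oauth2 block with no group gating, so any account KaniDM authenticates can sign in to HedgeDoc; they were already commented out, so behaviour is unchanged, but the deletion also removes the only trace that restricting access to a group was considered. If open sign-in for every KaniDM account is intended, a one-line comment such as `# No accessRole: every KaniDM account may log in` above `providerName` would make that explicit; if not, the two lines should return uncommented with the real group name. The oauth2 attrset starts before the hunk, so I cannot see whether a literal `clientSecret` remains there — now that `CMD_OAUTH2_CLIENT_SECRET` is supplied via the sops environment file, any such literal should be removed so the value no longer lands in the Nix store.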
@ -0,0 +1,41 @@
|
||||||
|
#ENC[AES256_GCM,data:TQjXsTPIvU+jAxEJ/ywG2BTlL1fdlCudOeyanuyD9kf3/X21/H4YwxBqEEcWhSMGWVkwNqpR,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ndJjInL70Ciuj8Ol/zp4Og==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:nuQ8TCJYMOeNNlCUpiz+VWSwg0fmca3lLYfq,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:cvdqPKwKoHwuxnr+dGkw+A==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:XdQrzS2erpgvelGmu6u5cIqa,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:89Wb67UwOcwFTqnSP7RLFA==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:Dz4xG1oTXplvn0Yi/GTN,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:5DKkprVm5HMy3rIwdGjPHw==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:zry1+ReU/SOnuYNap3KXvEvbFYPs,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:GrEXH4qz4yu8d33ap1w9XQ==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:KlKoLppWBl78IaV0ctqll9GicLE8,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:B1Uc2vFtqfKaKKUppO9qew==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:heAA5L0BHcNFZbdZ0e9U397S3ONEdAnkXSR2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:4rAX0WusIcb54yvJP7yvfQ==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:WvfGA0hjDzJlwMb8gopNkZ+U,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:WPUKuAr5/RImfkp4jmAHOw==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:NiioWxDPtaRsfxc=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:HI7NJBn6nsSiqDc5qCsa/A==,type:comment]
|
||||||
|
#ENC[AES256_GCM,data:SFYebFcTT76PxKSj,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:WihZZmDBCysoAR9VAmC9yw==,type:comment]
|
||||||
|
hedgedoc:
|
||||||
|
env: ENC[AES256_GCM,data:6iRhiNZu2u8zyyAFx3B+Oo5K0skAoPm3KNtR+wlEcKlYddMSBqJ+tQakgfkx2R0YUgru7wVOmSGK4XIg0ikBOCsDiBxJdYjyHnjyjtVtjga6S7glMQR7Hf6aTsstlYP3pmP8+veD+GJ7D8wJ7x46StXd785PuvJNVirz/zKzP5bkEkzPj7Ta/Vx+WYw2qsNGFDhTvyr7E0HK7Hx+VOc=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:zmn3wZO/TglGDDWupu84aw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSmI5amlwYWl1VS9VSWxO
|
||||||
|
YWo0NEhpNVRCZHBaWHNjVG9qbDBaUGp0K2xjClljVEpHQk5QZWxqUUFKekJ0OFhS
|
||||||
|
ZXo0aVNCVFUxcnhaU0lqYWQ2ekV6TnMKLS0tIEIxMVdNRHluem5ubmtWcHJGclJO
|
||||||
|
cTZ6VjJodmxyek5mcUtMVGFjblhaRTgKsmX3lTj8dC72CsfuPJ4PwtjE2/7JAKsW
|
||||||
|
4eqlEIRMura8HVZWgvxMjhaJsdx8QXWw0owWhbarye+g2lgTftzhuw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY1NDL1NlK3l4eGYreGV6
|
||||||
|
dXJtQXo4RjBpdkVBM2JwS0R5Z3pRaHpUUldVCmZyTmJCVXltS3VwTmxXWEhEQ3Fi
|
||||||
|
a3NjY3RQMzN3Szd3S3QxNU9zMktUTFEKLS0tIHI4WmRXY3U1Q0hEa254YmtxZlJy
|
||||||
|
aXFsYkNzOHlYajVnTzgvNkVhdkdacGcKWXve8cFI3xmXugoqiLbaORBlRJ0dSpSc
|
||||||
|
e3NRr1qhK/79BZHREJ6Fu61UgHCX5LljAOkLEdyXGS0SZ4Ha01SGLg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2023-04-26T09:54:55Z"
|
||||||
|
mac: ENC[AES256_GCM,data:NsWvXiqV8tzo0Yvhk0gvupa8HchRpJoYeR9A3JqfrvNVmGD9HxnQJCsgM2Qb7SbFq1KvKP3zt2Q7LntnUf+uB06CiCF+6g5SYDlHKeOw351tdGLGxBt1gdKID5xwRH1PG5jkxThO6ZA70LU5M0BHMK43bYTYWqnNuxlsPVShBhk=,iv:Nhcn7zrwkBvdJeGq03hqDTPBvXrdPCEoyOhEYOsJkVs=,tag:YHyh7X8PJIz4ymK03VamyQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.7.3
|