Add sops-secrets, configure oauth

This commit is contained in:
Felix Albrigtsen 2023-04-26 12:07:36 +02:00
parent badfd138b7
commit cf49d5137c
4 changed files with 71 additions and 4 deletions

View File

@ -1,6 +1,6 @@
keys:
- &user_felixalb age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &host_voyager
- &host_voyager age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
creation_rules:
# Global secrets

View File

@ -0,0 +1,22 @@
{ config, pkgs, ... }:
{
services.hedgedoc = {
enable = true;
settings = {
port = 3031;
allowFreeURL = true;
};
config = {
domain = "md.feal.no";
db = {
dialect = "mysql";
host = "mysql.home.feal.no";
port = 3306;
database = "hedgedoc";
username = "hedgedoc";
password = "DummyPasswordPlzSops";
};
};
};
}

View File

@ -5,6 +5,11 @@ let
port = 3000;
host = "0.0.0.0";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
@ -15,6 +20,8 @@ in {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
environmentFile = config.sops.secrets."hedgedoc/env".path;
email = false;
oauth2 = let
authServerUrl = config.services.kanidm.serverSettings.origin;
@ -31,13 +38,10 @@ in {
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
# rolesClaim = "roles";
# accessRole = "hedgedoc_users";
};
};
};
#networking.firewall.allowedTCPPorts = [ port ];
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}/";

View File

@ -0,0 +1,41 @@
#ENC[AES256_GCM,data:TQjXsTPIvU+jAxEJ/ywG2BTlL1fdlCudOeyanuyD9kf3/X21/H4YwxBqEEcWhSMGWVkwNqpR,iv:G/msHWm6zQSJU3pB8tqEByZRTOrLir3SVKLjZiT98wo=,tag:ndJjInL70Ciuj8Ol/zp4Og==,type:comment]
#ENC[AES256_GCM,data:nuQ8TCJYMOeNNlCUpiz+VWSwg0fmca3lLYfq,iv:xeB+KNDLqHQS3IWDOLt9iMKfKrqq4Buur756KNhquis=,tag:cvdqPKwKoHwuxnr+dGkw+A==,type:comment]
#ENC[AES256_GCM,data:XdQrzS2erpgvelGmu6u5cIqa,iv:M9riyTv2sd+0faMjfZ34ZHBstAii9j887XBtIQX4mrA=,tag:89Wb67UwOcwFTqnSP7RLFA==,type:comment]
#ENC[AES256_GCM,data:Dz4xG1oTXplvn0Yi/GTN,iv:JlQ3myHw7f2sVzYn3FmP5XIDtYu9TMk32nxmyC02HkI=,tag:5DKkprVm5HMy3rIwdGjPHw==,type:comment]
#ENC[AES256_GCM,data:zry1+ReU/SOnuYNap3KXvEvbFYPs,iv:0VUUphFfr6YDzlKhAQqbjcG0C7Hqq43bel1OZsn4kHU=,tag:GrEXH4qz4yu8d33ap1w9XQ==,type:comment]
#ENC[AES256_GCM,data:KlKoLppWBl78IaV0ctqll9GicLE8,iv:TRPhTcB5b6VxRrDLYBo0sYgOh997q2bv5lp3ICdb6lw=,tag:B1Uc2vFtqfKaKKUppO9qew==,type:comment]
#ENC[AES256_GCM,data:heAA5L0BHcNFZbdZ0e9U397S3ONEdAnkXSR2,iv:lxd7wYK2LSDyKYGW/8qiHPDOivtnmZ45R3neBnpCuuY=,tag:4rAX0WusIcb54yvJP7yvfQ==,type:comment]
#ENC[AES256_GCM,data:WvfGA0hjDzJlwMb8gopNkZ+U,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:WPUKuAr5/RImfkp4jmAHOw==,type:comment]
#ENC[AES256_GCM,data:NiioWxDPtaRsfxc=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:HI7NJBn6nsSiqDc5qCsa/A==,type:comment]
#ENC[AES256_GCM,data:SFYebFcTT76PxKSj,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:WihZZmDBCysoAR9VAmC9yw==,type:comment]
hedgedoc:
env: ENC[AES256_GCM,data:6iRhiNZu2u8zyyAFx3B+Oo5K0skAoPm3KNtR+wlEcKlYddMSBqJ+tQakgfkx2R0YUgru7wVOmSGK4XIg0ikBOCsDiBxJdYjyHnjyjtVtjga6S7glMQR7Hf6aTsstlYP3pmP8+veD+GJ7D8wJ7x46StXd785PuvJNVirz/zKzP5bkEkzPj7Ta/Vx+WYw2qsNGFDhTvyr7E0HK7Hx+VOc=,iv:VKwB+AAq4kgOYwntHNXK+xdf0kk+sn39jAxJhLFiqdw=,tag:zmn3wZO/TglGDDWupu84aw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mlz5xzggpelscxy94eh2v5sjsqeyrqlggz0u90xrwew2x9vfguqs8h2wnr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSmI5amlwYWl1VS9VSWxO
YWo0NEhpNVRCZHBaWHNjVG9qbDBaUGp0K2xjClljVEpHQk5QZWxqUUFKekJ0OFhS
ZXo0aVNCVFUxcnhaU0lqYWQ2ekV6TnMKLS0tIEIxMVdNRHluem5ubmtWcHJGclJO
cTZ6VjJodmxyek5mcUtMVGFjblhaRTgKsmX3lTj8dC72CsfuPJ4PwtjE2/7JAKsW
4eqlEIRMura8HVZWgvxMjhaJsdx8QXWw0owWhbarye+g2lgTftzhuw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtY1NDL1NlK3l4eGYreGV6
dXJtQXo4RjBpdkVBM2JwS0R5Z3pRaHpUUldVCmZyTmJCVXltS3VwTmxXWEhEQ3Fi
a3NjY3RQMzN3Szd3S3QxNU9zMktUTFEKLS0tIHI4WmRXY3U1Q0hEa254YmtxZlJy
aXFsYkNzOHlYajVnTzgvNkVhdkdacGcKWXve8cFI3xmXugoqiLbaORBlRJ0dSpSc
e3NRr1qhK/79BZHREJ6Fu61UgHCX5LljAOkLEdyXGS0SZ4Ha01SGLg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-26T09:54:55Z"
mac: ENC[AES256_GCM,data:NsWvXiqV8tzo0Yvhk0gvupa8HchRpJoYeR9A3JqfrvNVmGD9HxnQJCsgM2Qb7SbFq1KvKP3zt2Q7LntnUf+uB06CiCF+6g5SYDlHKeOw351tdGLGxBt1gdKID5xwRH1PG5jkxThO6ZA70LU5M0BHMK43bYTYWqnNuxlsPVShBhk=,iv:Nhcn7zrwkBvdJeGq03hqDTPBvXrdPCEoyOhEYOsJkVs=,tag:YHyh7X8PJIz4ymK03VamyQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3