From f0749acfc05289c269ae27d141c059b2e8648cf8 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Fri, 6 Oct 2023 00:19:04 +0200 Subject: [PATCH] hedgedoc: move from voyaer to sarek --- .sops.yaml | 8 ++++ hosts/sarek/configuration.nix | 1 + .../{voyager => sarek}/services/hedgedoc.nix | 5 +-- hosts/sarek/services/postgresql.nix | 5 +++ hosts/voyager/configuration.nix | 1 - secrets/sarek/sarek.yaml | 40 +++++++++++++++++++ 6 files changed, 56 insertions(+), 4 deletions(-) rename hosts/{voyager => sarek}/services/hedgedoc.nix (96%) create mode 100644 secrets/sarek/sarek.yaml diff --git a/.sops.yaml b/.sops.yaml index 26b50bb..db9b5b3 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu + - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk creation_rules: # Global secrets @@ -18,3 +19,10 @@ creation_rules: - *host_voyager - *user_felixalb_old - *user_felixalb + + - path_regex: secrets/sarek/[^/]+\.yaml$ + key_groups: + - age: + - *host_sarek + - *user_felixalb_old + - *user_felixalb diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix index 32be195..66bda29 100644 --- a/hosts/sarek/configuration.nix +++ b/hosts/sarek/configuration.nix @@ -9,6 +9,7 @@ ./services/nginx.nix ./services/postgresql.nix + ./services/hedgedoc.nix ./services/flame.nix ]; diff --git a/hosts/voyager/services/hedgedoc.nix b/hosts/sarek/services/hedgedoc.nix similarity index 96% rename from hosts/voyager/services/hedgedoc.nix rename to hosts/sarek/services/hedgedoc.nix index 2fa0c79..37b9506 100644 --- a/hosts/voyager/services/hedgedoc.nix +++ b/hosts/sarek/services/hedgedoc.nix 
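Review bot: The new `secrets/sarek/[^/]+\.yaml$` rule lists `*user_felixalb_old` as a recipient, so a key that is already labelled as retired keeps the ability to decrypt every secret created for the new host. A fresh creation rule is the natural place to stop extending that key's reach: `- *host_sarek` and `- *user_felixalb` are enough, and `sops updatekeys` on the voyager files would finish the rotation later. If the old key is still needed on some machine, a comment next to the alias saying why (and until when) would make that explicit rather than leaving it copied forward by habit. The earlier voyager rule is only partly visible here, so I am inferring the convention from the one rule shown.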
@@ -4,7 +4,7 @@ let domain = "md.feal.no"; port = 3300; host = "0.0.0.0"; - authServerUrl = config.services.kanidm.serverSettings.origin; + authServerUrl = "https://auth.feal.no"; in { # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET sops.secrets."hedgedoc/env" = { @@ -48,7 +48,7 @@ in { systemd.services.hedgedoc = { requires = [ "postgresql.service" - "kanidm.service" + # "kanidm.service" ]; serviceConfig = let workDir = "/var/lib/hedgedoc"; @@ -93,5 +93,4 @@ in { }; }]; }; - } diff --git a/hosts/sarek/services/postgresql.nix b/hosts/sarek/services/postgresql.nix index 5f73283..c7c804b 100644 --- a/hosts/sarek/services/postgresql.nix +++ b/hosts/sarek/services/postgresql.nix @@ -3,6 +3,11 @@ services.postgresql = { enable = true; enableTCPIP = true; # Expose on the network + authentication = pkgs.lib.mkOverride 10 '' + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; }; services.postgresqlBackup = { diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix index 21923f7..80217cc 100644 --- a/hosts/voyager/configuration.nix +++ b/hosts/voyager/configuration.nix @@ -21,7 +21,6 @@ ./services/transmission.nix ./services/metrics ./services/gitea.nix - ./services/hedgedoc.nix ./services/vaultwarden.nix ./services/calibre.nix ./services/stash.nix diff --git a/secrets/sarek/sarek.yaml b/secrets/sarek/sarek.yaml new file mode 100644 index 0000000..736a3f0 --- /dev/null +++ b/secrets/sarek/sarek.yaml 
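Review bot: The `requires` list now carries a commented-out `# "kanidm.service"` entry, which reads as a dead line rather than as a decision; replace it with a comment that records why the ordering went away, e.g. `# kanidm runs on another host now (see authServerUrl); nothing local to order after`. That also documents the consequence of the first hunk: hedgedoc's start-up no longer waits for the IdP at all, and `authServerUrl = "https://auth.feal.no"` is a hard-coded string instead of being derived from the kanidm module, so a change of auth host has to be found and edited by hand. The `let` block and the `systemd.services.hedgedoc` definition both begin and end outside these hunks.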
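Review bot: `local all all trust` lets any Unix account on sarek open the socket as any role, including the `postgres` superuser, with no credentials; the loopback `trust` lines do the same for anything that can reach 127.0.0.1 or ::1, and `enableTCPIP = true` is already set on the line above. Because `mkOverride 10` replaces the NixOS module's generated pg_hba entirely, these three lines are now the whole policy, and the other services imported in configuration.nix (nginx, flame, hedgedoc) all run as local users covered by it. A least-privilege version is `local all all peer`, `host all all 127.0.0.1/32 scram-sha-256` and `host all all ::1/128 scram-sha-256`, with the hedgedoc role given a password from the sops secret or mapped to its system user via peer. How hedgedoc actually connects (socket vs TCP) is configured outside this hunk, so the exact choice depends on that.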
@@ -0,0 +1,40 @@ +hedgedoc: + env: ENC[AES256_GCM,data:IE1Lp1Lx0ctKIyV9z0rJWIouaHvstEyhcFO6KLNliN2FHKYNlfggrXEwxT+UwNUvEyuN6p+nCOLc48pAxODLHdl+DuTtwmqb14lbiwS6s/CPxlkJvcUnkauFOhuk45qXOhu4rz9sdtA7vSjMXEGmi55bJNAB+AD+oIVgtDEYa/cNkAaGJltxClx3KjCyfmOnN69ZuL81ewOnk5dq8ms=,iv:HBdiT0I9vKgs0es3jluYP0j8lr0YS4seLQmZvj7Bs40=,tag:pqEjkBWeSMtA4QDXpYDKSg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc3lUVW1PNTNoRm4xbzBI + OTlBK1MzaHE1cU1UTEN2TkNlU3dVVXZSUXpBCjhISjdBSnZVSnhyckFoVXdJK3N1 + cE9GanNRcExpckRJbEtPWkFvVFgwZ3MKLS0tIHhhb1A2dU5BbFpmK0d5Yi9yMDZY + c1lwVWNibW1PVTFEYlVkYzNKL2pmR3MK0WEvII7d3VUr53uFf/leic1JsALinG4G + PSXfzvhywVf+C1/YgE5HJH9pPhIDigLFins09UWt1RDVuwfdmXPJwA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYkdUMmpDTmtzZHExT3RM + d3UxZy9DTzRjcHVrNHB6OTBNOHFkV25GV1JjCk1BU1poZ090U3ZJV0xuMEdIcDE0 + MHYrbk9VYWlsdWg0bmpVY1pVUmJFTm8KLS0tIExoUG9aMy8rWlBvUXNZcGhUd0FC + dEpEWEJZdTMrOTZxVU1JcFN6Nlo5QzQKdo4cKvw7fBmGqsi2ALOEbdRVngzPGhte + 5AC1PAX85a8r6DA/8etSKjXVh/wEdEs85+qKDgKKJSNqNG+nlzF+wQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYU05cHJOUkZib3B3UHc3 + dDdDTUlFK1pudHFubTNLMTQ3WDZKeERCRld3ClhCOVpEcjhDQWt6NGxDMXNVSlk0 + QVhSdnFRc2hqZmZQUEFVR25BNWdYMDQKLS0tICt0bXp6SXpqbFlTdkxWMGlGK0Nw + enQ5UjA2ZVBGcUFCenhYckVjanVOeE0KT0NPv0yGmreBQzozp9z5tOtY9Awo5ajs + y00uxfBVUgQkhNYCUQ5j9vzMv2U5vDncHox07rEl7YqdlzjJzbuupA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-05T21:56:24Z" + mac: 
ENC[AES256_GCM,data:7n8WFY6fWEwEeF91CNzDbqJm/hx+Nm+A+uKmHN5r9zbwgkKNPuf+aX3bACkGDyI/B2XN6TxEGl3Gc2MnF3ZTazbRkaZE06gS3bPmosHIZkw1CCkJdgD5KM5y8Nffj4Dzdmu86Z1W74FkV29aAFF1BtYSRalBCJ+2kxWabSPTT2Y=,iv:mfpwBmI11ysnIK+xPt8J3n7FEWedRS1WW5HxTmGxCas=,tag:X8gUuKw+tRTm82NvhC5grw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3
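Review bot: This file encrypts `hedgedoc/env` for sarek, but the diffstat shows nothing removed under `secrets/voyager`, so the previous copy of the same values — CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET according to the comment in hedgedoc.nix — presumably still exists and remains decryptable by voyager's host key. Moving a service between hosts is the moment to rotate both values (a new OAuth2 client secret registered in kanidm, and a new session secret, which invalidates existing sessions) and to drop the entry from the voyager file, so the old host's key holds nothing that still works. If the values in this file are already fresh, a one-line note in the commit message or a comment next to `sops.secrets."hedgedoc/env"` saying so would save the next reader the same question.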