hedgedoc: move from voyaer to sarek

2023-10-06 00:19:04 +02:00 · 2023-10-06 00:19:04 +02:00 · f0749acfc0
commit f0749acfc0
parent 5fb2307cd9
6 changed files with 56 additions and 4 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,6 +2,7 @@ keys:
  - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
  - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
  - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
+  - &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk

 creation_rules:
  # Global secrets
@ -18,3 +19,10 @@ creation_rules:
      - *host_voyager
      - *user_felixalb_old
      - *user_felixalb
+
+  - path_regex: secrets/sarek/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_sarek
+      - *user_felixalb_old
+      - *user_felixalb
--- a/hosts/sarek/configuration.nix
+++ b/hosts/sarek/configuration.nix
@ -9,6 +9,7 @@

      ./services/nginx.nix
      ./services/postgresql.nix
+      ./services/hedgedoc.nix
      ./services/flame.nix
  ];

--- a/hosts/voyager/services/hedgedoc.nix
+++ b/hosts/voyager/services/hedgedoc.nix
@ -4,7 +4,7 @@ let
    domain = "md.feal.no";
    port = 3300;
    host = "0.0.0.0";
-    authServerUrl = config.services.kanidm.serverSettings.origin;
+    authServerUrl = "https://auth.feal.no";
 in {
    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
    sops.secrets."hedgedoc/env" = {
@ -48,7 +48,7 @@ in {
    systemd.services.hedgedoc = {
      requires = [
        "postgresql.service"
-        "kanidm.service"
+        # "kanidm.service"
      ];
      serviceConfig = let
        workDir = "/var/lib/hedgedoc";
@ -93,5 +93,4 @@ in {
        };
      }];
    };
-
 }
--- a/hosts/sarek/services/postgresql.nix
+++ b/hosts/sarek/services/postgresql.nix
@ -3,6 +3,11 @@
  services.postgresql = {
    enable = true;
    enableTCPIP = true; # Expose on the network
+    authentication = pkgs.lib.mkOverride 10 ''
+     local all all trust
+     host all all 127.0.0.1/32 trust
+     host all all ::1/128 trust
+    '';
  };

  services.postgresqlBackup = {
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@ -21,7 +21,6 @@
      ./services/transmission.nix
      ./services/metrics
      ./services/gitea.nix
-      ./services/hedgedoc.nix
      ./services/vaultwarden.nix
      ./services/calibre.nix
      ./services/stash.nix
--- a/secrets/sarek/sarek.yaml
+++ b/secrets/sarek/sarek.yaml
@ -0,0 +1,40 @@
+hedgedoc:
+    env: ENC[AES256_GCM,data:IE1Lp1Lx0ctKIyV9z0rJWIouaHvstEyhcFO6KLNliN2FHKYNlfggrXEwxT+UwNUvEyuN6p+nCOLc48pAxODLHdl+DuTtwmqb14lbiwS6s/CPxlkJvcUnkauFOhuk45qXOhu4rz9sdtA7vSjMXEGmi55bJNAB+AD+oIVgtDEYa/cNkAaGJltxClx3KjCyfmOnN69ZuL81ewOnk5dq8ms=,iv:HBdiT0I9vKgs0es3jluYP0j8lr0YS4seLQmZvj7Bs40=,tag:pqEjkBWeSMtA4QDXpYDKSg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc3lUVW1PNTNoRm4xbzBI
+            OTlBK1MzaHE1cU1UTEN2TkNlU3dVVXZSUXpBCjhISjdBSnZVSnhyckFoVXdJK3N1
+            cE9GanNRcExpckRJbEtPWkFvVFgwZ3MKLS0tIHhhb1A2dU5BbFpmK0d5Yi9yMDZY
+            c1lwVWNibW1PVTFEYlVkYzNKL2pmR3MK0WEvII7d3VUr53uFf/leic1JsALinG4G
+            PSXfzvhywVf+C1/YgE5HJH9pPhIDigLFins09UWt1RDVuwfdmXPJwA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMYkdUMmpDTmtzZHExT3RM
+            d3UxZy9DTzRjcHVrNHB6OTBNOHFkV25GV1JjCk1BU1poZ090U3ZJV0xuMEdIcDE0
+            MHYrbk9VYWlsdWg0bmpVY1pVUmJFTm8KLS0tIExoUG9aMy8rWlBvUXNZcGhUd0FC
+            dEpEWEJZdTMrOTZxVU1JcFN6Nlo5QzQKdo4cKvw7fBmGqsi2ALOEbdRVngzPGhte
+            5AC1PAX85a8r6DA/8etSKjXVh/wEdEs85+qKDgKKJSNqNG+nlzF+wQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYU05cHJOUkZib3B3UHc3
+            dDdDTUlFK1pudHFubTNLMTQ3WDZKeERCRld3ClhCOVpEcjhDQWt6NGxDMXNVSlk0
+            QVhSdnFRc2hqZmZQUEFVR25BNWdYMDQKLS0tICt0bXp6SXpqbFlTdkxWMGlGK0Nw
+            enQ5UjA2ZVBGcUFCenhYckVjanVOeE0KT0NPv0yGmreBQzozp9z5tOtY9Awo5ajs
+            y00uxfBVUgQkhNYCUQ5j9vzMv2U5vDncHox07rEl7YqdlzjJzbuupA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-05T21:56:24Z"
+    mac: ENC[AES256_GCM,data:7n8WFY6fWEwEeF91CNzDbqJm/hx+Nm+A+uKmHN5r9zbwgkKNPuf+aX3bACkGDyI/B2XN6TxEGl3Gc2MnF3ZTazbRkaZE06gS3bPmosHIZkw1CCkJdgD5KM5y8Nffj4Dzdmu86Z1W74FkV29aAFF1BtYSRalBCJ+2kxWabSPTT2Y=,iv:mfpwBmI11ysnIK+xPt8J3n7FEWedRS1WW5HxTmGxCas=,tag:X8gUuKw+tRTm82NvhC5grw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3