felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-25 07:41:13 +02:00
Code Issues Projects Releases Wiki Activity

bekkalokk: fix permissions for mediawiki secrets

Browse Source
This commit is contained in:
Vegard Bieker Matthey
2026-05-22 20:21:24 +02:00
parent bfd83c4c64
commit 6cca1db3b3
1 changed files with 2 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -210,6 +210,8 @@ in {
# EXT:WikiEditor # EXT:WikiEditor
$wgWikiEditorRealtimePreview = true; $wgWikiEditorRealtimePreview = true;
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
''; '';
}; };
@@ -273,8 +275,6 @@ in {
systemd.services.mediawiki-init = lib.mkIf cfg.enable { systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
}; };
@@ -282,8 +282,6 @@ in {
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable { systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
}; };