felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-02-04 01:00:04 +01:00
Code Issues Projects Releases Wiki Activity

bekkalokk/mediawiki: move secret.key to sops

Browse Source
This commit is contained in:
h7x4
2026-01-26 17:48:53 +09:00
parent ce8d759f79
commit e01fd902eb
2 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
hosts/bekkalokk/services/mediawiki/default.nix
View File

@@ -34,6 +34,7 @@ in {
services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [
"mediawiki/secret-key"
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
@@ -179,15 +180,15 @@ in {
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
users.groups.mediawiki.members = [ "nginx" ];
users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
services.nginx.virtualHosts."wiki.pvv.ntnu.no" = lib.mkIf cfg.enable {
kTLS = true;
forceSSL = true;
enableACME = true;
@@ -233,4 +234,20 @@ in {
};
};
systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
};
};
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ];
serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
};
};
}

7
secrets/bekkalokk/bekkalokk.yaml
View File

@@ -9,6 +9,7 @@ gitea:
ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
mediawiki:
secret-key: ENC[AES256_GCM,data:ixG9vGifYcz44y/copU+eHIjWLcxJ4v7pi8l1P3YHIdGwAk5DNZQWlaA/L3w0g50zM0ESEXL9k2r3jNI1nLGJw==,iv:fwHV4hYDEjP9f/8Bw74EhYDUN8UV+qIwqd6yXa5KtFs=,tag:3c9J/lVoJeRE1b/TTWJNZw==,type:str]
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
simplesamlphp:
@@ -99,8 +100,8 @@ sops:
SU5zanlva1p2QjVndVJwUnlkdkFuTDAKbQRrSfG9MGsGvF2ywoGhDSuriDsbQ+k2
29mxere0efSSGGq8y9YrPC8UX5hZRfqg/dfbL+PFc4NHfbxB/oSzQw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T21:18:23Z"
mac: ENC[AES256_GCM,data:scdduZPcJZgeT9LarRgxVr/obYsGrJAbMoLGJPPPp19qxOJMTdvYfMz8bxPjCikB4MacEgVZmcnKIn5aCzHJAnCI/7F2wm1DDtW9ZI5qbhDJKSSld+m2leOSPfR8VY/0qj6UNgGnwkwx7dfcAlv8cP2Sp3o1M2oyQxeXPr5FWEg=,iv:JEAwkCewMp0ERmYU62kZkbl7+FET1ZeRr6xeEwt6ioM=,tag:jxvli935X3JyZYe7fFbnLg==,type:str]
lastmodified: "2026-01-26T08:40:13Z"
mac: ENC[AES256_GCM,data:ppgpARft/YDKP24QF4bLYVhxN4nRrCsf4wBug3UD4MXgQwdFyWPAHn086uONeMbVOvH8IdwlaNBc8h36I7M66cqwK1VsRc/vf9Ud2VnD/WkWijMSrJ80frIvuvREp7aMNlYbD20bjrp4sYohjcJ8KPqyPUFPj71dA+9LZvXJthQ=,iv:lr3R14lRx7RzclknKbOa/bHa6axGbMPqj1FRTjx34xE=,tag:pBHzSArxYs4bqq355T4yog==,type:str]
pgp:
- created_at: "2026-01-16T06:34:44Z"
enc: |-
@@ -123,4 +124,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.11.0