Compare commits

..

2 Commits

Author SHA1 Message Date
Vegard Bieker Matthey 6cca1db3b3 bekkalokk: fix permissions for mediawiki secrets 2026-05-22 20:21:24 +02:00
Vegard Bieker Matthey bfd83c4c64 uptime-kuma: wants to use /var/lib/private for state 2026-05-22 17:58:00 +02:00
2 changed files with 3 additions and 5 deletions
@@ -210,6 +210,8 @@ in {
# EXT:WikiEditor # EXT:WikiEditor
$wgWikiEditorRealtimePreview = true; $wgWikiEditorRealtimePreview = true;
$wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
''; '';
}; };
@@ -273,8 +275,6 @@ in {
systemd.services.mediawiki-init = lib.mkIf cfg.enable { systemd.services.mediawiki-init = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
}; };
@@ -282,8 +282,6 @@ in {
systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable { systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
after = [ "sops-install-secrets.service" ]; after = [ "sops-install-secrets.service" ];
serviceConfig = { serviceConfig = {
BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
}; };
}; };
@@ -19,7 +19,7 @@ in {
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}"; locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
}; };
fileSystems."/var/lib/uptime-kuma" = { fileSystems."/var/lib/private/uptime-kuma" = {
device = stateDir; device = stateDir;
fsType = "bind"; fsType = "bind";
options = [ "bind" ]; options = [ "bind" ];