SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 19:51:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Set hedgedoc session secret to avoid logout on restart

Browse source
This commit is contained in:
SebastianStork 2025-05-16 18:55:29 +02:00
parent 5a3a0a4279
commit af82e42b85
2 changed files with 22 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/cirrus/secrets.yaml
View file

@ -2,6 +2,7 @@ seb-password: ENC[AES256_GCM,data:/J83cgpBhjl6VveVZTX0ElEyexn3G3pZp6RKgfbR39QoG/
tailscale-auth-key: ENC[AES256_GCM,data:u4F4B7cxqX5S+25lsB/X3WUYJFlLrIcqA+pWABDn0j08nL6a1Vg4n94LjkWYlcLIj9Axj9UCRurgPVwNpA0=,iv:iKZzHTD00h9/vwkewo14Ox+9EMuo5GawemRVjn1gLuM=,tag:ikLoAEbMDNlRZ3PGke2OZQ==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:u4F4B7cxqX5S+25lsB/X3WUYJFlLrIcqA+pWABDn0j08nL6a1Vg4n94LjkWYlcLIj9Axj9UCRurgPVwNpA0=,iv:iKZzHTD00h9/vwkewo14Ox+9EMuo5GawemRVjn1gLuM=,tag:ikLoAEbMDNlRZ3PGke2OZQ==,type:str]
hedgedoc: hedgedoc:
seb-password: ENC[AES256_GCM,data:hzUFWZ3m6oIUOySTHfRyEDSNqYIfJndYSg==,iv:wg8aMAEbvCYVfqMhikF1tbEdB+CYzLB4azlLN6OU/HE=,tag:Yf7xUBwIetnkUnncOi/V8Q==,type:str] seb-password: ENC[AES256_GCM,data:hzUFWZ3m6oIUOySTHfRyEDSNqYIfJndYSg==,iv:wg8aMAEbvCYVfqMhikF1tbEdB+CYzLB4azlLN6OU/HE=,tag:Yf7xUBwIetnkUnncOi/V8Q==,type:str]
session-secret: ENC[AES256_GCM,data:AZSrGeU0zCTnMbNzvH2aQQzfN/t3xkoylTr1wZrGVXKiPdqDxuGym07TPIDfdjTtPXTaCEELlV+gNOqmhiQwUA==,iv:Oqy6O4rq3GwYq24I5Gxg3tlbrskRUAkrX4LgfUSExlY=,tag:J8J/SvfSQ2W9yEpjPQcsUQ==,type:str]
restic: restic:
environment: ENC[AES256_GCM,data:oPgJ20N7eO0W+SnRPA/uaGDbYBpKX3jWixuVIG0+eBRRlaPWBFpJKA7CK9oVvwuqQUtGiRnoR2gqO42C22WRSiHXqe1zoarhvQMcXy8CTQd6Y+k5iMspSzMZynfkMapooK4=,iv:Ub1ONOcoEZ52E8W1qK93xpmYXMUiVszFbHoO/pUa/Mo=,tag:2yTJZmirhPIN01cB5F0Lsw==,type:str] environment: ENC[AES256_GCM,data:oPgJ20N7eO0W+SnRPA/uaGDbYBpKX3jWixuVIG0+eBRRlaPWBFpJKA7CK9oVvwuqQUtGiRnoR2gqO42C22WRSiHXqe1zoarhvQMcXy8CTQd6Y+k5iMspSzMZynfkMapooK4=,iv:Ub1ONOcoEZ52E8W1qK93xpmYXMUiVszFbHoO/pUa/Mo=,tag:2yTJZmirhPIN01cB5F0Lsw==,type:str]
password: ENC[AES256_GCM,data:gMd4G8o83r3sTZEH1kRkn05Mye96sHV2mdRWNbbS,iv:E2hBYbvpCMDul81lgUBNVr5Fm7x0u1f9cEkma9jKwYE=,tag:CeFrP3pO1VmGxcvj7b7pYA==,type:str] password: ENC[AES256_GCM,data:gMd4G8o83r3sTZEH1kRkn05Mye96sHV2mdRWNbbS,iv:E2hBYbvpCMDul81lgUBNVr5Fm7x0u1f9cEkma9jKwYE=,tag:CeFrP3pO1VmGxcvj7b7pYA==,type:str]
@ -30,8 +31,8 @@ sops:
aHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae aHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae
XeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg== XeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-12T19:21:12Z" lastmodified: "2025-05-16T16:21:08Z"
mac: ENC[AES256_GCM,data:kZ90RoJrtsaz/y/EStMcGQPwqA9DdzdDXHJKLm+fZkannyBTU3nJWjuCrZPcWwAQwmMe/R6On2gJPoafWlo0TRS+XrMSbeVirNxjPurTzBHPMTAa3IjVu4N1Lb76NoTdOTY5P2jI0OM3bAnmY3wFtmbu8BjM/bt5V+UmmJCUhQs=,iv:uq5wTXMlWuqxvhB/GlAcovHGBvZRoi6fyRb/i4dsW7M=,tag:nu4Fu3CMaCYy8bhWzTpZOA==,type:str] mac: ENC[AES256_GCM,data:sk+nKOVUziRwtmIMGbX0jkQ+ZrreXaOyUhxMltOSy6uE/vKfUI96UwBdGZdEUtVi5cjzSI7VPl+qMch28PxbODX9GJZK0/O1uLZTeBShkfDQNRJzv9zNNKeHJddTVaAhlIdI+z7aAWfr4B+XjE5OwCf9xe9ey1/RflaVyVbYMg0=,iv:78FZ6EALnFw5bkZGAlr/ct7eOHqPH0hu75kPb3vfbJ8=,tag:pjsFGR0aS6b56QSuY9WKPQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4

25
modules/system/hedgedoc/default.nix
View file

@ -26,25 +26,38 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops = {
secrets = {
"hedgedoc/session-secret" = {
owner = user;
inherit group;
};
"hedgedoc/seb-password" = {
owner = user;
inherit group;
};
};
templates."hedgedoc/environment".content = ''
SESSION_SECRET=${config.sops.placeholder."hedgedoc/session-secret"}
'';
};
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
environmentFile = config.sops.templates."hedgedoc/environment".path;
settings = { settings = {
domain = "${cfg.subdomain}.${config.networking.domain}"; domain = "${cfg.subdomain}.${config.networking.domain}";
inherit (cfg) port; inherit (cfg) port;
protocolUseSSL = true; protocolUseSSL = true;
allowAnonymous = false; allowAnonymous = false;
allowEmailRegister = false; allowEmailRegister = false;
defaultPermission = "limited"; defaultPermission = "limited";
sessionSecret = "$SESSION_SECRET";
}; };
}; };
sops.secrets."hedgedoc/seb-password" = {
owner = user;
inherit group;
};
systemd.services.hedgedoc.postStart = systemd.services.hedgedoc.postStart =
let let
manageUserSeb = manageUserSeb =