Treat hedgedoc seesion-secret as data

This commit is contained in:
SebastianStork 2025-05-19 01:04:18 +02:00
parent d610349204
commit f58ae84c6e
2 changed files with 24 additions and 28 deletions


@ -2,7 +2,6 @@ seb-password: ENC[AES256_GCM,data:/J83cgpBhjl6VveVZTX0ElEyexn3G3pZp6RKgfbR39QoG/
tailscale-auth-key: ENC[AES256_GCM,data:u4F4B7cxqX5S+25lsB/X3WUYJFlLrIcqA+pWABDn0j08nL6a1Vg4n94LjkWYlcLIj9Axj9UCRurgPVwNpA0=,iv:iKZzHTD00h9/vwkewo14Ox+9EMuo5GawemRVjn1gLuM=,tag:ikLoAEbMDNlRZ3PGke2OZQ==,type:str] tailscale-auth-key: ENC[AES256_GCM,data:u4F4B7cxqX5S+25lsB/X3WUYJFlLrIcqA+pWABDn0j08nL6a1Vg4n94LjkWYlcLIj9Axj9UCRurgPVwNpA0=,iv:iKZzHTD00h9/vwkewo14Ox+9EMuo5GawemRVjn1gLuM=,tag:ikLoAEbMDNlRZ3PGke2OZQ==,type:str]
hedgedoc: hedgedoc:
seb-password: ENC[AES256_GCM,data:hzUFWZ3m6oIUOySTHfRyEDSNqYIfJndYSg==,iv:wg8aMAEbvCYVfqMhikF1tbEdB+CYzLB4azlLN6OU/HE=,tag:Yf7xUBwIetnkUnncOi/V8Q==,type:str] seb-password: ENC[AES256_GCM,data:hzUFWZ3m6oIUOySTHfRyEDSNqYIfJndYSg==,iv:wg8aMAEbvCYVfqMhikF1tbEdB+CYzLB4azlLN6OU/HE=,tag:Yf7xUBwIetnkUnncOi/V8Q==,type:str]
session-secret: ENC[AES256_GCM,data:AZSrGeU0zCTnMbNzvH2aQQzfN/t3xkoylTr1wZrGVXKiPdqDxuGym07TPIDfdjTtPXTaCEELlV+gNOqmhiQwUA==,iv:Oqy6O4rq3GwYq24I5Gxg3tlbrskRUAkrX4LgfUSExlY=,tag:J8J/SvfSQ2W9yEpjPQcsUQ==,type:str]
restic: restic:
environment: ENC[AES256_GCM,data:oPgJ20N7eO0W+SnRPA/uaGDbYBpKX3jWixuVIG0+eBRRlaPWBFpJKA7CK9oVvwuqQUtGiRnoR2gqO42C22WRSiHXqe1zoarhvQMcXy8CTQd6Y+k5iMspSzMZynfkMapooK4=,iv:Ub1ONOcoEZ52E8W1qK93xpmYXMUiVszFbHoO/pUa/Mo=,tag:2yTJZmirhPIN01cB5F0Lsw==,type:str] environment: ENC[AES256_GCM,data:oPgJ20N7eO0W+SnRPA/uaGDbYBpKX3jWixuVIG0+eBRRlaPWBFpJKA7CK9oVvwuqQUtGiRnoR2gqO42C22WRSiHXqe1zoarhvQMcXy8CTQd6Y+k5iMspSzMZynfkMapooK4=,iv:Ub1ONOcoEZ52E8W1qK93xpmYXMUiVszFbHoO/pUa/Mo=,tag:2yTJZmirhPIN01cB5F0Lsw==,type:str]
password: ENC[AES256_GCM,data:gMd4G8o83r3sTZEH1kRkn05Mye96sHV2mdRWNbbS,iv:E2hBYbvpCMDul81lgUBNVr5Fm7x0u1f9cEkma9jKwYE=,tag:CeFrP3pO1VmGxcvj7b7pYA==,type:str] password: ENC[AES256_GCM,data:gMd4G8o83r3sTZEH1kRkn05Mye96sHV2mdRWNbbS,iv:E2hBYbvpCMDul81lgUBNVr5Fm7x0u1f9cEkma9jKwYE=,tag:CeFrP3pO1VmGxcvj7b7pYA==,type:str]
@ -31,8 +30,8 @@ sops:
aHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae aHNody9YR2ZKTDNINmNvbGNHb0dCRVkKXcUQxU0Craqkze0l0mH75MKTnkf7a/ae
XeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg== XeqWVJRO1WpG+UhF3QB3yMq9uy0vlc3JnD3LsE0inWUSl0s6AgDZOg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-16T16:21:08Z" lastmodified: "2025-05-18T23:03:03Z"
mac: ENC[AES256_GCM,data:sk+nKOVUziRwtmIMGbX0jkQ+ZrreXaOyUhxMltOSy6uE/vKfUI96UwBdGZdEUtVi5cjzSI7VPl+qMch28PxbODX9GJZK0/O1uLZTeBShkfDQNRJzv9zNNKeHJddTVaAhlIdI+z7aAWfr4B+XjE5OwCf9xe9ey1/RflaVyVbYMg0=,iv:78FZ6EALnFw5bkZGAlr/ct7eOHqPH0hu75kPb3vfbJ8=,tag:pjsFGR0aS6b56QSuY9WKPQ==,type:str] mac: ENC[AES256_GCM,data:gLqjsRMjDl3ajmnKlwarUfCCJ+IyiNru5PXQvcsPI8QZTs4W24h3Addhrvz0B6/LlfH9KsE1Jt1WT0BIiCsFE0yn6caiVOgW/LQWl8OxAsfe9oNdF7IDNO7qwf3C8KbPJvmOB7RFwRp06RV/AM+AX8ECHfTi+lBgJKr2hzXcIxU=,iv:fL+SphEEX7U+nam055YXqs3iXlMD7QXknl7c5JPhU1g=,tag:xgQVKaUIzTwwkHM6Ex3skg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4


@ -26,27 +26,14 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
sops = { sops.secrets."hedgedoc/seb-password" = {
secrets = { owner = user;
"hedgedoc/session-secret" = { inherit group;
owner = user;
inherit group;
};
"hedgedoc/seb-password" = {
owner = user;
inherit group;
};
};
templates."hedgedoc/environment".content = ''
SESSION_SECRET=${config.sops.placeholder."hedgedoc/session-secret"}
'';
}; };
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
environmentFile = config.sops.templates."hedgedoc/environment".path;
settings = { settings = {
domain = "${cfg.subdomain}.${config.networking.domain}"; domain = "${cfg.subdomain}.${config.networking.domain}";
inherit (cfg) port; inherit (cfg) port;
@ -58,15 +45,25 @@ in
}; };
}; };
systemd.services.hedgedoc.postStart = systemd.services.hedgedoc = {
let # Ensure session-secret
manageUserSeb = preStart = lib.mkBefore ''
mode: if [ ! -f /var/lib/hedgedoc/session-secret ]; then
"${manage_users} --${mode} sebastian.stork@pm.me --pass \"$(cat ${ ${lib.getExe pkgs.pwgen} -s 64 1 > /var/lib/hedgedoc/session-secret
config.sops.secrets."hedgedoc/seb-password".path fi
})\""; export SESSION_SECRET=$(cat /var/lib/hedgedoc/session-secret)
in '';
"${manageUserSeb "add"} || ${manageUserSeb "reset"}";
postStart =
let
manageUserSeb =
mode:
"${manage_users} --${mode} sebastian.stork@pm.me --pass \"$(cat ${
config.sops.secrets."hedgedoc/seb-password".path
})\"";
in
"${manageUserSeb "add"} || ${manageUserSeb "reset"}";
};
environment.shellAliases.hedgedoc-manage-users = "sudo --user=${user} ${manage_users}"; environment.shellAliases.hedgedoc-manage-users = "sudo --user=${user} ${manage_users}";
}; };
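Review bot: The secret file written by the new preStart (`${lib.getExe pkgs.pwgen} -s 64 1 > /var/lib/hedgedoc/session-secret`) is created with whatever the service's default umask yields, typically 0644 inside a 0755 state directory, so the session secret ends up readable by every local account; create it with a restrictive mode instead, e.g. `(umask 077; ${lib.getExe pkgs.pwgen} -s 64 1 > /var/lib/hedgedoc/session-secret)`. The `export SESSION_SECRET=$(cat /var/lib/hedgedoc/session-secret)` that follows only affects the remainder of the preStart script (presumably the module's own config-rendering step, which `lib.mkBefore` orders this snippet ahead of), not the environment of the main hedgedoc process, so a comment such as `# exported for the module's preStart config rendering; not visible to the main process` would spare the next reader that surprise. The settings hunk that is expected to consume `$SESSION_SECRET` lies outside this view, so I could not confirm the placeholder is declared there.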