From 1ea91a0166bf244fd40184592550e96ca2b1f649 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Wed, 22 Jun 2022 00:42:06 +0200
Subject: [PATCH] hedgedoc: persists session secret

---
 flake.nix | 3 +++
 hosts/containers/hedgedoc/default.nix | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/flake.nix b/flake.nix
index 15338a45..36f7a7d4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -397,6 +397,9 @@
 hedgedoc = nixosSystem' {
 modules = [
 self.nixosModules.microvm
+ {
+ sops.defaultSopsFile = "${secrets}/hosts/hedgedoc/secrets.yaml";
+ }
 ./hosts/containers/hedgedoc
 ];
 };
diff --git a/hosts/containers/hedgedoc/default.nix b/hosts/containers/hedgedoc/default.nix
index e52e2fba..1d5b202f 100644
--- a/hosts/containers/hedgedoc/default.nix
+++ b/hosts/containers/hedgedoc/default.nix
@@ -33,6 +33,7 @@
 };
 defaultPermission = "freely";
 domain = "codimd.c3d2.de";
+ sessionSecret = "$sessionSecret";
 useSSL = true;
 };
 };
@@ -74,4 +75,11 @@
 package = pkgs.postgresql_14;
 };
 };
+
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets = {
+ "hedgedoc".owner = config.systemd.services.hedgedoc.serviceConfig.User;
+ };
+ };
 }
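Review bot: `sessionSecret = "$sessionSecret";` is a literal placeholder, not a secret — it is only safe if something substitutes it from an environment file at service start, and if that substitution does not happen the cookie-signing key is the world-readable string `$sessionSecret` in the Nix store, which lets anyone forge sessions. The enclosing settings block starts before this hunk, so the wiring may exist elsewhere, but nothing in the diff references the sops secret's path. I would document the dependency right on this line: `# placeholder; replaced at runtime from the sops-managed env file (sessionSecret=...)`. Consider also asserting at eval time that the value is not left as a placeholder in the rendered config, or at least checking the running instance's config once after deploy.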
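Review bot: The new `sops.secrets."hedgedoc"` entry sets an owner but nothing in the diff consumes `config.sops.secrets.hedgedoc.path`, so as far as this change shows the decrypted file is written to `/run/secrets` and never loaded by the service; the `$sessionSecret` placeholder added in the earlier hunk depends on exactly that. Unless it is set elsewhere in the file, add `services.hedgedoc.environmentFile = config.sops.secrets.hedgedoc.path;` next to this block so the env-file substitution actually happens. The owner-only declaration is otherwise fine (default mode keeps it readable only by the service user), and using the host ed25519 key for age decryption means the secret's confidentiality is bound to that host key — worth a comment such as `# decrypted with the host's ssh key; rotate secrets.yaml recipients if the key is replaced`.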