blogs: move plume .env into secrets

2021-12-25 02:02:45 +01:00 · 2021-12-25 02:02:45 +01:00 · fee8477bbe
parent 857650d645
commit fee8477bbe
4 changed files with 17 additions and 27 deletions
--- a/flake.lock
+++ b/flake.lock
@ -327,11 +327,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1637279330,
-        "narHash": "sha256-KVpmVahyEZCv+FBMGTnLr58mLEdaY5TskgXBLcGEmTk=",
+        "lastModified": 1640393547,
+        "narHash": "sha256-UCCzxswpYTBW5Iv56rhtydsgrpvul0cAfxysCWmVgYk=",
        "ref": "master",
-        "rev": "3b8e8c32965dde461833513580ab1bed7becf2fc",
-        "revCount": 111,
+        "rev": "9a1eef32664986af8797eab1b14b273d90faf6e6",
+        "revCount": 114,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -522,7 +522,11 @@
            self.nixosModules.plume
            ./lib/lxc-container.nix
            ./hosts/containers/blogs
+            sops-nix.nixosModules.sops
          ];
+          extraArgs = {
+            secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
+          };
          system = "x86_64-linux";
        };

--- a/hosts/containers/blogs/default.nix
+++ b/hosts/containers/blogs/default.nix
@ -1,4 +1,4 @@
-{ hostRegistry, zentralwerk, config, ... }:
+{ hostRegistry, zentralwerk, secretsFile, config, ... }:
 {
  networking = {
    hostName = "blogs";
@ -13,11 +13,14 @@
    ];
  };

-  services.plume = {
-    enable = true;
-    config.BASE_URL = "blogs.c3d2.de";
-    config.ROCKET_SECRET_KEY = "OIZiemtQLDG2wcVnKgHAJ2kMB0UJpa5Uuoei7C57N5o=";
+  # See secrets/hosts/blogs for the .env file with all settings
+  services.plume.enable = true;
+
+  sops.defaultSopsFile = secretsFile;
+  sops.secrets = {
+    "plume/env".owner = config.systemd.services.plume.serviceConfig.User;
  };
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  services.nginx.enable = true;
  services.nginx.virtualHosts."blogs.c3d2.de" = {
--- a/lib/plume.nix
+++ b/lib/plume.nix
@ -2,17 +2,6 @@

 { config, lib, pkgs, ... }:
 let
-  defaultConfig = {
-    DATABASE_URL = "postgres://plume:plume@localhost/plume";
-    MIGRATION_DIRECTORY = "migrations/postgres";
-  };
-  mergedConfig = defaultConfig // cfg.config;
-  configFile = builtins.toFile "plume-env" (
-    lib.concatMapStrings (key: ''
-      ${key}=${mergedConfig.${key}}
-    '') (builtins.attrNames mergedConfig)
-  );
-
  plume = self.packages.${pkgs.system}.plume;
  cfg = config.services.plume;
 in
@ -30,18 +19,12 @@ in
      default = "plume";
      description = "System group to run Plume";
    };
-
-    config = mkOption {
-      type = with types; attrsOf str;
-      default = {};
-      description = "Configuration for Plume";
-    };
  };

  config = lib.mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
-      "L ${config.users.users.${cfg.user}.home}/.env - - - - ${configFile}"
+      "L ${config.users.users.${cfg.user}.home}/.env - - - - /run/secrets/plume/env"
      "L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
    ];