blogs: move plume .env into secrets

This commit is contained in:
Astro 2021-12-25 02:02:45 +01:00
parent 857650d645
commit fee8477bbe
4 changed files with 17 additions and 27 deletions


@ -327,11 +327,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1637279330, "lastModified": 1640393547,
"narHash": "sha256-KVpmVahyEZCv+FBMGTnLr58mLEdaY5TskgXBLcGEmTk=", "narHash": "sha256-UCCzxswpYTBW5Iv56rhtydsgrpvul0cAfxysCWmVgYk=",
"ref": "master", "ref": "master",
"rev": "3b8e8c32965dde461833513580ab1bed7becf2fc", "rev": "9a1eef32664986af8797eab1b14b273d90faf6e6",
"revCount": 111, "revCount": 114,
"type": "git", "type": "git",
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git" "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
}, },


@ -522,7 +522,11 @@
self.nixosModules.plume self.nixosModules.plume
./lib/lxc-container.nix ./lib/lxc-container.nix
./hosts/containers/blogs ./hosts/containers/blogs
sops-nix.nixosModules.sops
]; ];
extraArgs = {
secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
};
system = "x86_64-linux"; system = "x86_64-linux";
}; };
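Review bot: The new `extraArgs.secretsFile` line introduces a module argument whose consumer is not visible from here, so a reader of flake.nix cannot tell why the path is built as `"${secrets}/hosts/blogs/secrets.yaml"` or that it must line up with the `sops.secrets` names in the host module; a one-line comment would fix that, e.g. `# consumed by hosts/containers/blogs/default.nix as sops.defaultSopsFile (keys: plume/env)`. The `blogs` segment of the path is repeated from the host directory name two lines above, so if one of them is renamed the other silently keeps pointing at the old location — deriving both from a single name would be safer, but that is an inference about how the surrounding definition is used, since the enclosing attribute set starts outside this hunk.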


@ -1,4 +1,4 @@
{ hostRegistry, zentralwerk, config, ... }: { hostRegistry, zentralwerk, secretsFile, config, ... }:
{ {
networking = { networking = {
hostName = "blogs"; hostName = "blogs";
@ -13,11 +13,14 @@
]; ];
}; };
services.plume = { # See secrets/hosts/blogs for the .env file with all settings
enable = true; services.plume.enable = true;
config.BASE_URL = "blogs.c3d2.de";
config.ROCKET_SECRET_KEY = "OIZiemtQLDG2wcVnKgHAJ2kMB0UJpa5Uuoei7C57N5o="; sops.defaultSopsFile = secretsFile;
sops.secrets = {
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
}; };
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
services.nginx.enable = true; services.nginx.enable = true;
services.nginx.virtualHosts."blogs.c3d2.de" = { services.nginx.virtualHosts."blogs.c3d2.de" = {
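Review bot: The `ROCKET_SECRET_KEY` value that this hunk removes from `config.ROCKET_SECRET_KEY` remains recoverable from git history (the parent commit 857650d645 still contains it), so moving it into the sops file does not revoke it; the encrypted `.env` should get a freshly generated key and the old one should be treated as leaked. The comment added above `services.plume.enable` should also state what the env file must now contain, because the `config.*` attributes and the module's `DATABASE_URL`/`MIGRATION_DIRECTORY` defaults are gone and nothing in this file fills them in any more, e.g. `# See secrets/hosts/blogs for the .env file; it must carry BASE_URL, DATABASE_URL, MIGRATION_DIRECTORY and a freshly generated ROCKET_SECRET_KEY`. The `owner` lookup via `config.systemd.services.plume.serviceConfig.User` presumably resolves to the user the plume module creates, but that is inferred — the module body is in another file, and the enclosing attribute set of this hunk continues outside it.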


@ -2,17 +2,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
defaultConfig = {
DATABASE_URL = "postgres://plume:plume@localhost/plume";
MIGRATION_DIRECTORY = "migrations/postgres";
};
mergedConfig = defaultConfig // cfg.config;
configFile = builtins.toFile "plume-env" (
lib.concatMapStrings (key: ''
${key}=${mergedConfig.${key}}
'') (builtins.attrNames mergedConfig)
);
plume = self.packages.${pkgs.system}.plume; plume = self.packages.${pkgs.system}.plume;
cfg = config.services.plume; cfg = config.services.plume;
in in
@ -30,18 +19,12 @@ in
default = "plume"; default = "plume";
description = "System group to run Plume"; description = "System group to run Plume";
}; };
config = mkOption {
type = with types; attrsOf str;
default = {};
description = "Configuration for Plume";
};
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -" "d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
"L ${config.users.users.${cfg.user}.home}/.env - - - - ${configFile}" "L ${config.users.users.${cfg.user}.home}/.env - - - - /run/secrets/plume/env"
"L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static" "L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
]; ];