blogs: move plume .env into secrets
This commit is contained in:
parent
857650d645
commit
fee8477bbe
|
@ -327,11 +327,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1637279330,
|
"lastModified": 1640393547,
|
||||||
"narHash": "sha256-KVpmVahyEZCv+FBMGTnLr58mLEdaY5TskgXBLcGEmTk=",
|
"narHash": "sha256-UCCzxswpYTBW5Iv56rhtydsgrpvul0cAfxysCWmVgYk=",
|
||||||
"ref": "master",
|
"ref": "master",
|
||||||
"rev": "3b8e8c32965dde461833513580ab1bed7becf2fc",
|
"rev": "9a1eef32664986af8797eab1b14b273d90faf6e6",
|
||||||
"revCount": 111,
|
"revCount": 114,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -522,7 +522,11 @@
|
||||||
self.nixosModules.plume
|
self.nixosModules.plume
|
||||||
./lib/lxc-container.nix
|
./lib/lxc-container.nix
|
||||||
./hosts/containers/blogs
|
./hosts/containers/blogs
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
extraArgs = {
|
||||||
|
secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
|
||||||
|
};
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
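Review bot: The new `extraArgs` entry passes only an encrypted file path and says nothing about where it comes from; a one-line comment above `secretsFile = "${secrets}/hosts/blogs/secrets.yaml";`, such as `# sops-encrypted secrets for this container, taken from the 'secrets' flake input`, would help readers of the host config. Both `${secrets}` and `sops-nix.nixosModules.sops` must be declared flake inputs; the lock hunk above only shows the `secrets` input being bumped, so whether `sops-nix` is already an input cannot be confirmed from this page. Because the file is encrypted, its presence in the world-readable Nix store via the input path is expected. The enclosing attribute set starts outside the hunk.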
@ -1,4 +1,4 @@
|
||||||
{ hostRegistry, zentralwerk, config, ... }:
|
{ hostRegistry, zentralwerk, secretsFile, config, ... }:
|
||||||
{
|
{
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "blogs";
|
hostName = "blogs";
|
||||||
|
@ -13,11 +13,14 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.plume = {
|
# See secrets/hosts/blogs for the .env file with all settings
|
||||||
enable = true;
|
services.plume.enable = true;
|
||||||
config.BASE_URL = "blogs.c3d2.de";
|
|
||||||
config.ROCKET_SECRET_KEY = "OIZiemtQLDG2wcVnKgHAJ2kMB0UJpa5Uuoei7C57N5o=";
|
sops.defaultSopsFile = secretsFile;
|
||||||
|
sops.secrets = {
|
||||||
|
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
||||||
};
|
};
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
services.nginx.virtualHosts."blogs.c3d2.de" = {
|
services.nginx.virtualHosts."blogs.c3d2.de" = {
|
||||||
|
|
|
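Review bot: The `ROCKET_SECRET_KEY` value removed on the old side of this hunk was committed to the repository in plaintext and evaluated into the world-readable Nix store, so moving it into sops does not undo that exposure; the key stored in `secrets/hosts/blogs` should be a freshly generated one rather than the same value, and sessions signed with the old key treated as invalid. The new `"plume/env".owner = config.systemd.services.plume.serviceConfig.User;` only resolves if the plume module sets that attribute; a short comment noting the dependency, e.g. `# owner must match the User the plume module assigns to the service`, would help. The `sops.age.sshKeyPaths` line ties decryption to this host's ed25519 host key, which is worth stating in the same comment block for whoever reinstalls the host. The enclosing attribute set continues past the hunk.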
@ -2,17 +2,6 @@
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
defaultConfig = {
|
|
||||||
DATABASE_URL = "postgres://plume:plume@localhost/plume";
|
|
||||||
MIGRATION_DIRECTORY = "migrations/postgres";
|
|
||||||
};
|
|
||||||
mergedConfig = defaultConfig // cfg.config;
|
|
||||||
configFile = builtins.toFile "plume-env" (
|
|
||||||
lib.concatMapStrings (key: ''
|
|
||||||
${key}=${mergedConfig.${key}}
|
|
||||||
'') (builtins.attrNames mergedConfig)
|
|
||||||
);
|
|
||||||
|
|
||||||
plume = self.packages.${pkgs.system}.plume;
|
plume = self.packages.${pkgs.system}.plume;
|
||||||
cfg = config.services.plume;
|
cfg = config.services.plume;
|
||||||
in
|
in
|
||||||
|
@ -30,18 +19,12 @@ in
|
||||||
default = "plume";
|
default = "plume";
|
||||||
description = "System group to run Plume";
|
description = "System group to run Plume";
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkOption {
|
|
||||||
type = with types; attrsOf str;
|
|
||||||
default = {};
|
|
||||||
description = "Configuration for Plume";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
|
"d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
|
||||||
"L ${config.users.users.${cfg.user}.home}/.env - - - - ${configFile}"
|
"L ${config.users.users.${cfg.user}.home}/.env - - - - /run/secrets/plume/env"
|
||||||
"L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
|
"L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
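Review bot: The tmpfiles rule on the new side hard-codes `/run/secrets/plume/env`, coupling the module to a sops secret named `plume/env` that only the host configuration declares; if that secret is renamed or a host without sops imports the module, the `.env` symlink silently dangles and Plume starts without its settings. Exposing the path as an option keeps the current default while letting a host pass `config.sops.secrets."plume/env".path` explicitly. Removing `defaultConfig` also drops the `DATABASE_URL` and `MIGRATION_DIRECTORY` defaults, so the `.env` in the secrets repo must now carry them; a comment on the rule saying so would help the next reader. The options block where the new option belongs is in the earlier hunk of this file, and the `config = lib.mkIf cfg.enable` body continues beyond the hunk.
```nix
    envFile = mkOption {
      type = types.path;
      default = "/run/secrets/plume/env";
      description = "Decrypted .env file (all Plume settings, incl. DATABASE_URL) linked into the service home";
    };
  # … unchanged: config = lib.mkIf cfg.enable { systemd.tmpfiles.rules = [ … home dir rule … ] …
      "L ${config.users.users.${cfg.user}.home}/.env - - - - ${cfg.envFile}"
```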