blogs: move plume .env into secrets
This commit is contained in:
parent
857650d645
commit
fee8477bbe
|
@ -327,11 +327,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1637279330,
|
||||
"narHash": "sha256-KVpmVahyEZCv+FBMGTnLr58mLEdaY5TskgXBLcGEmTk=",
|
||||
"lastModified": 1640393547,
|
||||
"narHash": "sha256-UCCzxswpYTBW5Iv56rhtydsgrpvul0cAfxysCWmVgYk=",
|
||||
"ref": "master",
|
||||
"rev": "3b8e8c32965dde461833513580ab1bed7becf2fc",
|
||||
"revCount": 111,
|
||||
"rev": "9a1eef32664986af8797eab1b14b273d90faf6e6",
|
||||
"revCount": 114,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||
},
|
||||
|
|
|
@ -522,7 +522,11 @@
|
|||
self.nixosModules.plume
|
||||
./lib/lxc-container.nix
|
||||
./hosts/containers/blogs
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
extraArgs = {
|
||||
secretsFile = "${secrets}/hosts/blogs/secrets.yaml";
|
||||
};
|
||||
system = "x86_64-linux";
|
||||
};
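Review bot: Interpolating the `secrets` flake input in `secretsFile = "${secrets}/hosts/blogs/secrets.yaml";` copies that checkout into the Nix store, which is world-readable on the build and target hosts. That is acceptable only as long as every value in the YAML is sops-encrypted, so the line deserves a comment such as `# secrets.yaml is sops-encrypted; the whole input lands in the world-readable store`. Any plaintext key placed in that file later would be exposed without the store path ever being read by sops.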
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ hostRegistry, zentralwerk, config, ... }:
|
||||
{ hostRegistry, zentralwerk, secretsFile, config, ... }:
|
||||
{
|
||||
networking = {
|
||||
hostName = "blogs";
|
||||
|
@ -13,11 +13,14 @@
|
|||
];
|
||||
};
|
||||
|
||||
services.plume = {
|
||||
enable = true;
|
||||
config.BASE_URL = "blogs.c3d2.de";
|
||||
config.ROCKET_SECRET_KEY = "OIZiemtQLDG2wcVnKgHAJ2kMB0UJpa5Uuoei7C57N5o=";
|
||||
# See secrets/hosts/blogs for the .env file with all settings
|
||||
services.plume.enable = true;
|
||||
|
||||
sops.defaultSopsFile = secretsFile;
|
||||
sops.secrets = {
|
||||
"plume/env".owner = config.systemd.services.plume.serviceConfig.User;
|
||||
};
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts."blogs.c3d2.de" = {
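Review bot: The `config.ROCKET_SECRET_KEY` value removed in this hunk stays recoverable from the repository history, so moving it into the sops file does not retire it; the `plume/env` secret under secrets/hosts/blogs should carry a freshly generated key rather than this one, and the same holds for any other credential carried over verbatim from the old configuration. The comment `# See secrets/hosts/blogs for the .env file with all settings` could also say what the file must contain now that nothing else sets `BASE_URL`, e.g. `# .env must set BASE_URL, ROCKET_SECRET_KEY and the database settings; nothing is defaulted here`.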
|
||||
|
|
|
@ -2,17 +2,6 @@
|
|||
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
defaultConfig = {
|
||||
DATABASE_URL = "postgres://plume:plume@localhost/plume";
|
||||
MIGRATION_DIRECTORY = "migrations/postgres";
|
||||
};
|
||||
mergedConfig = defaultConfig // cfg.config;
|
||||
configFile = builtins.toFile "plume-env" (
|
||||
lib.concatMapStrings (key: ''
|
||||
${key}=${mergedConfig.${key}}
|
||||
'') (builtins.attrNames mergedConfig)
|
||||
);
|
||||
|
||||
plume = self.packages.${pkgs.system}.plume;
|
||||
cfg = config.services.plume;
|
||||
in
|
||||
|
@ -30,18 +19,12 @@ in
|
|||
default = "plume";
|
||||
description = "System group to run Plume";
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
type = with types; attrsOf str;
|
||||
default = {};
|
||||
description = "Configuration for Plume";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
|
||||
"L ${config.users.users.${cfg.user}.home}/.env - - - - ${configFile}"
|
||||
"L ${config.users.users.${cfg.user}.home}/.env - - - - /run/secrets/plume/env"
|
||||
"L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
|
||||
];
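Review bot: The symlink target `/run/secrets/plume/env` on the new tmpfiles rule is hard-coded in the module while the secret itself is declared in the host configuration, so a renamed secret or a non-default `sops.secrets.<name>.path` leaves `.env` dangling without any evaluation error. Reading the path from the sops option keeps the two in step, `"L ${config.users.users.${cfg.user}.home}/.env - - - - ${config.sops.secrets."plume/env".path}"`, or the path could become a module option with that value as its default. With `defaultConfig` and `mergedConfig` removed in the earlier hunk, `DATABASE_URL` and `MIGRATION_DIRECTORY` are no longer defaulted, which is worth a comment on the rule: `# .env now comes entirely from the sops secret and must carry DATABASE_URL and MIGRATION_DIRECTORY`. The `config = lib.mkIf cfg.enable {` block continues past the end of this hunk.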
|
||||
|
||||
|
|