Deploy HedgeDoc to kinda.sus.lol

2023-04-16 10:33:46 +02:00 · 2023-04-16 10:33:46 +02:00 · c7d56d4b2d
parent 002bc4c629
commit c7d56d4b2d
4 changed files with 39 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -8,7 +8,7 @@ keys:
  - &host_nyx_lewd_wtf age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
 creation_rules:
  # kinda.sus.lol
-  - path_regex: hosts/kinda.sus.lol/secrets/.*\.yaml
+  - path_regex: hosts/kinda.sus.lol/secrets/.*
    key_groups:
      - age:
        - *admin_ecchi
--- a/hosts/kinda.sus.lol/secrets.nix
+++ b/hosts/kinda.sus.lol/secrets.nix
@ -14,4 +14,12 @@
    owner = config.users.users.nginx.name;
    group = config.users.users.nginx.group;
  };
+
+  # HedgeDoc
+  sops.secrets."services/hedgedoc/.env" = {
+    mode = "0400";
+    owner = config.users.users.hedgedoc.name;
+    sopsFile = ./secrets/hedgedoc.env;
+    format = "dotenv";
+  };
 }
--- a/hosts/kinda.sus.lol/secrets/hedgedoc.env
+++ b/hosts/kinda.sus.lol/secrets/hedgedoc.env
@ -0,0 +1,13 @@
+CMD_DB_URL=ENC[AES256_GCM,data:LXeHvEPJEqfYyx5Hlq+ThEoSkHZiQG3IMtbQeNVYJOSnaFDL5EJLZ4d+oKG0V2jCEyz5NNzVPR7sjPXNNcmVXCFHrUfF6asS,iv:FcWZs/+KE9fsOiFv9DMs+1GLpm0CV0liSfOs+ND7Y6g=,tag:nLStY7GG5FhfY976YvOIKw==,type:str]
+CMD_SESSION_SECRET=ENC[AES256_GCM,data:WzQSttnr/avqH+540nLLw0OnH0NGhNvzQUD8LH0jIoPC6dpfRJo/M9S+3SulQUeSGqwYlg==,iv:R9fXBVVg4G2ZPsgSLQkLjrFEErMlWVEaLI4n1VT0bIY=,tag:YUJYMf64x9uxAR0Yj4aQjw==,type:str]
+CMD_GITLAB_SCOPE=ENC[AES256_GCM,data:BVRJ,iv:2iArikHiD3D0RAyP2EqWXRRrdo5BN50WSrnzHe2OcO4=,tag:SQcQt8Cp3DjNdbCdtg2uug==,type:str]
+CMD_GITLAB_CLIENTID=ENC[AES256_GCM,data:2CFyRDsGoLOYMbL2L1yg5EyZQm1pd0OUecfnUCSm3drl3dYxOgPhoC2QxeEWrCEZ8h1pWE4qFZanKanWg1IKxw==,iv:OVgKHtfAUJSEuQj3xLBT12wJw9JPiXgE5Vngtsp7rRo=,tag:zMc/NtHnCg+r+ygBsUTH/Q==,type:str]
+CMD_GITLAB_CLIENTSECRET=ENC[AES256_GCM,data:tli/eEp3/AFVku10SwTeDbSuZEdjt0ntC8oQIgVptbshXQs1D1RECXmhNv3KTXC42/JKNlFYPARlH34ilCvbWQ==,iv:/XuDXF4E9wlZd3MIKstYKi7+BF2S9/CfQ4q+JrDhOHc=,tag:GHwXchVTYjesKuKZf8L6gA==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiU0h0b1ZCL3RIMFpyUWRO\nYlA4NEdrV1RyVHFqOTRLMFd3Y1l0bTJhSldzCm1oTTM2OHlyUW9STC9palF3NWJE\nTjNxZUpxTnpRdmJyS2pKeUd1NnVWdFEKLS0tIE9uUDFoWm5ub2N0RjBWajZwVWtq\nRVYrTTUwRFFvN2s1TWpRNGdrTUNBT0EK6UCM8CayfNxIyrmkqZedGpuxFdlh2GgJ\nVSrGZy30e9x+cJZV+6IdbRGv8sm7HZhVbWgnTYWhjYot0gSx2g2fgQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age187hkscvxar33wta3zvgypj6kkc02g6sewwmfwmup26z2fuhwpamsa2d8yh
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBaWpOVUJHVUNIalZoV1Ev\nT055K2VHbXlzQ28zbVhFMjd1UmdJWEtpR0RzCkVMYmJPMWk0WHp5TnBYNzdyZ2dh\nelVnTjZoejJWaEc4cGd5MDA1Q256UU0KLS0tIG1YajNzSHVzOExHZHFNUDZtWjEx\ncHltR3BiK3F3em1ZUlo2R0VTcVBXelEKXynCDYoVR+fPSQ4udFGBdgWysPSWd6LO\nJhe6WZ2fmkeAo9BEQXJ0+vtFaA9wEekoo2AdvyYQmAKOyUwkVWy6Ww==\n-----END AGE ENCRYPTED FILE-----\n
+sops_version=3.7.3
+sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+sops_mac=ENC[AES256_GCM,data:N1ZhRxi8mjwwGNdNYFNMNy2JBxGqdAQSKgx9TZfvVMJl+vmjv2gX4Jick4Xlg99Y6A0f847NE6JVH81vvtZuBCzCCkwv1DlVyRgWT5zt+tdN+LP81XqFLisSiiqg2myhXQ236dGZWiHnMJYAmGBkZyHtZ8ItQv37iSg9LaCByDc=,iv:smxsFHI+lllXxlWidfIRK30d7LKq02uoOXGqxNOkakM=,tag:BUSmCi0eHLblEbd6Wi7Q3A==,type:str]
+sops_lastmodified=2023-04-16T08:31:12Z
--- a/hosts/kinda.sus.lol/services/hedgedoc.nix
+++ b/hosts/kinda.sus.lol/services/hedgedoc.nix
@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  networking.firewall.allowedTCPPorts = [ 3000 ];
+
+  services.hedgedoc = {
+    enable = true;
+    settings = {
+      domain = "op.pai.wtf";
+      protocolUseSSL = true;
+      email = false;
+      allowEmailRegister = false;
+      allowOrigin = [ "op.pai.wtf" ];
+    };
+    environmentFile = "/run/secrets/services/hedgedoc/.env";
+    groups = [ config.users.groups.keys.name ];
+  };
+}