diff --git a/machines/Ophanim/secrets.yaml b/machines/Ophanim/secrets.yaml
index 51e3745..34c3d05 100644
--- a/machines/Ophanim/secrets.yaml
+++ b/machines/Ophanim/secrets.yaml
@@ -5,12 +5,14 @@ users:
         publicKey: ENC[AES256_GCM,data:n1o+2pBdstnnC7b3Oub8Cen6JYZzR4ouaVlANsqxr2B8apPgY3ZaWoYO7b773MiKlhfPGPDpnL6H+jBGRc+adUjuaLFl2fnWwHCo8bIe/esIMf+bgyMefodg35R6j02bT0BM8dQGRyU/Qw==,iv:zCZdEvdTNvz/pAG6fAlsG5ZTCzOyfpo5OJswFa9n0ws=,tag:efQOpShXKmTJeK3odLt7cw==,type:str]
 services:
     forgejo:
-        dbPass: ENC[AES256_GCM,data:uiggWHQRiUjNxSs1Akt4NkbtexklrYSGn5kwgQSShd2EQM97KS0TrME=,iv:rja2v1xdI9XWO+7CRg/7YXxa/KM6dX9zIPUFfJFpOkQ=,tag:oSllrmCldQpIhPfVE2k0kA==,type:str]
+        dbPass: ENC[AES256_GCM,data:TStfvP4VP9StXzxPU0GKyxZqXCj/+OLc2nE+FZWKbi95yn9BEFAyFQ==,iv:ZmM1+I1ipE5yHXMX4GYh6GqBr3B3Cycym24obHQG59M=,tag:C9kdJlEZUdGTS/N2NtuWdw==,type:str]
     hydra:
         secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
     nextcloud:
         adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
         dbPass: ENC[AES256_GCM,data:M5hqFQi3zUjKL2ZezMg5D7luJyUsPkZvFKgFS5hDw7v2iNH3cA3Pog==,iv:DaABDCPcZOuNuFl5nK1ub/NKerdizGjDP/QBP8B/gnA=,tag:GR9eY3nLRFhAO8tBYIRt2Q==,type:str]
+    tandoor:
+        secretKey: ENC[AES256_GCM,data:2rYXdcPnzKzn9KzReVY+SNpIadxZDnziW1TuN0jHUNNIYDq9HmJWo+fMR7eHX+LOTzI=,iv:0jZ6kGYszCc957x2N/5E30GdS4I3fXaVribYNNEB1Ec=,tag:8wgKa1Ovdgk7oGo8xinQaA==,type:str]
 sops:
     kms: []
     gcp_kms: []
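Review bot: The forgejo `dbPass` ciphertext is replaced in the same hunk that adds `services/tandoor/secretKey`, and nothing else in this diff touches forgejo; if that is a deliberate credential rotation, the commit description should say so and state whether the database-side password was changed to match, because re-encrypting the value here does not rotate it anywhere else. If it is only an incidental re-encryption, it is cleaner to leave the old ciphertext in place so the diff shows just the new tandoor entry.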
@@ -26,8 +28,8 @@ sops:
             Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
             0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-23T12:03:03Z"
-    mac: ENC[AES256_GCM,data:ACcby/NsXKa3dbHpWCVvsKrd+uQixSVKHK/kiafllWCu/yMUSp+70iQZI22XaLywTB/xzLqaLbY6kOsxDzbMUPFhENoYqaaMWtnKrxMvH7ealgCiEVl8jLSZ1Aqin2iSp0v4YiXGDTzu6Ldx7IVlaW7ufm99kHxtm+jfABqX8Pg=,iv:mcOgx+UvgzC1AvFKTKX3/DnKOuepuIm0zA0gd245T5A=,tag:4Vx7WXD5nCfl1jN64Epb5Q==,type:str]
+    lastmodified: "2024-11-21T11:05:34Z"
+    mac: ENC[AES256_GCM,data:50Qe5aBO/xT5VFxfyIvB1hB32MlxSsXdIrG2zwDf5lGyk8cYKr8i5LZX7TQfzaREW9CgwPt7K4bxbGqAPG6wOVCgN+GYbVqpWgORfftMRzy0oVFY+zbb+oewmy7lh/Da0z1+6+P+GECoGakduChOcWYfrjxQk7ODEz0RE4aX1Cs=,iv:+DSaPLZTrYHTY0LpUKjBn+NlhO+QKQh2wrVfNNLZoOc=,tag:d1ixNV6w1vJlHJHcjS64ow==,type:str]
     pgp:
         - created_at: "2023-09-10T17:32:58Z"
           enc: |
@@ -42,4 +44,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
     unencrypted_suffix: _unencrypted
-    version: 3.9.0
+    version: 3.9.1
diff --git a/services/tandoor.nix b/services/tandoor.nix
index 41af252..cbfb2df 100644
--- a/services/tandoor.nix
+++ b/services/tandoor.nix
@@ -1,16 +1,35 @@
 {
   config,
   lib,
-  pkgs,
   ...
 }:
 with lib;
+let
+  mediaRoot = "/var/www/tandoor-recipes/media/";
+in
 mkIf (elem "tandoor" config.machine.services) {
   services.tandoor-recipes = {
     enable = true;
     extraConfig = {
+      # https://docs.tandoor.dev/system/configuration/
       # Set explicitly so it can be referenced by web-server
-      MEDIA_ROOT = "/var/lib/tandoor-recipes/media/";
+      MEDIA_ROOT = mediaRoot;
+      # Upstream likes to break stuff and apparently make it less insecure...
+      GUNICORN_MEDIA = "0";
+      SECRET_KEY_FILE = config.sops.secrets."services/tandoor/secretKey".path;
+      # Useful settings
+      # ENABLE_SIGNUP = "1";
+      # DEBUG = "1";
+      # DEBUG_TOOLBAR = "1";
+      # GUNICORN_LOG_LEVEL="debug";
     };
   };
+  systemd.services.tandoor-recipes.serviceConfig = {
+    ReadWritePaths = [ mediaRoot ];
+    WorkingDirectory = lib.mkForce "/var/lib/tandoor-recipes";
+  };
+  sops.secrets."services/tandoor/secretKey" = {
+    owner = "tandoor_recipes";
+    group = "tandoor_recipes";
+  };
 }
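Review bot: `GUNICORN_MEDIA = "0"` moves serving of `MEDIA_ROOT` out of the application, so access control on uploaded files now rests entirely on whatever web-server block exposes `/var/www/tandoor-recipes/media/`, and that block is not part of this diff; it should presumably hand out media only through the app's internal redirect rather than as a plain public static directory, and a comment next to `GUNICORN_MEDIA` stating that requirement would be more useful than the current "less insecure" remark. `ReadWritePaths = [ mediaRoot ]` also assumes the directory exists and is owned by the service user before the unit starts, and nothing in the hunk creates it; `systemd.tmpfiles.rules = [ "d ${mediaRoot} 0750 tandoor_recipes tandoor_recipes -" ];` would make that explicit. The `lib.mkForce` on `WorkingDirectory` needs a one-line comment naming the upstream default it overrides and why the state directory is required. If the upstream module runs the unit with `DynamicUser`, the `owner = "tandoor_recipes"` on the sops secret may not resolve at activation time — worth confirming against the module.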