tandoor: fix breakages from update and add secretKey to sops.

2024-12-07 21:46:30 +01:00 · 2024-12-07 21:46:30 +01:00 · 0f0cc510f3
commit 0f0cc510f3
parent 925cabde64
2 changed files with 27 additions and 6 deletions
--- a/services/tandoor.nix
+++ b/services/tandoor.nix
@ -1,16 +1,35 @@
 {
  config,
  lib,
-  pkgs,
  ...
 }:
 with lib;
+let
+  mediaRoot = "/var/www/tandoor-recipes/media/";
+in
 mkIf (elem "tandoor" config.machine.services) {
  services.tandoor-recipes = {
    enable = true;
    extraConfig = {
+      # https://docs.tandoor.dev/system/configuration/
      # Set explicitly so it can be referenced by web-server
-      MEDIA_ROOT = "/var/lib/tandoor-recipes/media/";
+      MEDIA_ROOT = mediaRoot;
+      # Upstream likes to break stuff and apparently make it less insecure...
+      GUNICORN_MEDIA = "0";
+      SECRET_KEY_FILE = config.sops.secrets."services/tandoor/secretKey".path;
+      # Useful settings
+      # ENABLE_SIGNUP = "1";
+      # DEBUG = "1";
+      # DEBUG_TOOLBAR = "1";
+      # GUNICORN_LOG_LEVEL="debug";
    };
  };
+  systemd.services.tandoor-recipes.serviceConfig = {
+    ReadWritePaths = [ mediaRoot ];
+    WorkingDirectory = lib.mkForce "/var/lib/tandoor-recipes";
+  };
+  sops.secrets."services/tandoor/secretKey" = {
+    owner = "tandoor_recipes";
+    group = "tandoor_recipes";
+  };
 }