derped/nixos
1
0
Fork 0
Code Releases Activity

tandoor: fix breakages from update and add secretKey to sops.

Browse source
This commit is contained in:
Kevin Baensch 2024-12-07 21:46:30 +01:00
parent 925cabde64
commit 0f0cc510f3
Signed by: derped
GPG key ID: C0F1D326C7626543
2 changed files with 27 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
machines/Ophanim/secrets.yaml
View file

@ -5,12 +5,14 @@ users:
publicKey: ENC[AES256_GCM,data:n1o+2pBdstnnC7b3Oub8Cen6JYZzR4ouaVlANsqxr2B8apPgY3ZaWoYO7b773MiKlhfPGPDpnL6H+jBGRc+adUjuaLFl2fnWwHCo8bIe/esIMf+bgyMefodg35R6j02bT0BM8dQGRyU/Qw==,iv:zCZdEvdTNvz/pAG6fAlsG5ZTCzOyfpo5OJswFa9n0ws=,tag:efQOpShXKmTJeK3odLt7cw==,type:str] publicKey: ENC[AES256_GCM,data:n1o+2pBdstnnC7b3Oub8Cen6JYZzR4ouaVlANsqxr2B8apPgY3ZaWoYO7b773MiKlhfPGPDpnL6H+jBGRc+adUjuaLFl2fnWwHCo8bIe/esIMf+bgyMefodg35R6j02bT0BM8dQGRyU/Qw==,iv:zCZdEvdTNvz/pAG6fAlsG5ZTCzOyfpo5OJswFa9n0ws=,tag:efQOpShXKmTJeK3odLt7cw==,type:str]
services: services:
forgejo: forgejo:
dbPass: ENC[AES256_GCM,data:uiggWHQRiUjNxSs1Akt4NkbtexklrYSGn5kwgQSShd2EQM97KS0TrME=,iv:rja2v1xdI9XWO+7CRg/7YXxa/KM6dX9zIPUFfJFpOkQ=,tag:oSllrmCldQpIhPfVE2k0kA==,type:str] dbPass: ENC[AES256_GCM,data:TStfvP4VP9StXzxPU0GKyxZqXCj/+OLc2nE+FZWKbi95yn9BEFAyFQ==,iv:ZmM1+I1ipE5yHXMX4GYh6GqBr3B3Cycym24obHQG59M=,tag:C9kdJlEZUdGTS/N2NtuWdw==,type:str]
hydra: hydra:
secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str] secretKey: ENC[AES256_GCM,data:TkAFImyj7ESA72aPjUTvUwTVzZ3KpXNdw41Bk2yGOJrNRiP3aA/+iK45BzJdeAssc5evZyvhFE+JE4ovOSuaWUz4YFH/TH41N5dkhSmPTND+hU6u24rv/gTcCH9BH/8uvFOnWCBmkKmFopE=,iv:NSCINUwyNCRMsGNjwfO/P1nMpYDQLxt448W2AfCBmLI=,tag:pfMpTExIabCmsHOiOIf6Qg==,type:str]
nextcloud: nextcloud:
adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str] adminPass: ENC[AES256_GCM,data:OEqdKKwpDdnlFA5mTOTaow==,iv:DFHIYqqNNBzmtE+ZbXy1ga2UQyQ9YXE+jYprdEJwYjI=,tag:Rc1viogmOxaK9d60lmGlgg==,type:str]
dbPass: ENC[AES256_GCM,data:M5hqFQi3zUjKL2ZezMg5D7luJyUsPkZvFKgFS5hDw7v2iNH3cA3Pog==,iv:DaABDCPcZOuNuFl5nK1ub/NKerdizGjDP/QBP8B/gnA=,tag:GR9eY3nLRFhAO8tBYIRt2Q==,type:str] dbPass: ENC[AES256_GCM,data:M5hqFQi3zUjKL2ZezMg5D7luJyUsPkZvFKgFS5hDw7v2iNH3cA3Pog==,iv:DaABDCPcZOuNuFl5nK1ub/NKerdizGjDP/QBP8B/gnA=,tag:GR9eY3nLRFhAO8tBYIRt2Q==,type:str]
tandoor:
secretKey: ENC[AES256_GCM,data:2rYXdcPnzKzn9KzReVY+SNpIadxZDnziW1TuN0jHUNNIYDq9HmJWo+fMR7eHX+LOTzI=,iv:0jZ6kGYszCc957x2N/5E30GdS4I3fXaVribYNNEB1Ec=,tag:8wgKa1Ovdgk7oGo8xinQaA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -26,8 +28,8 @@ sops:
Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD Mzh6aFZKM2k3TTZveWRPc2ZkKzNvYm8KpNozbSJDJ3Yd2FsR0krsPXsn1beIyniD
0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ== 0tJNmBFphav57LDQrYz5D+J4pMKKQI1P/USCPDDu1km2dJF/RJzeJQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-23T12:03:03Z" lastmodified: "2024-11-21T11:05:34Z"
mac: ENC[AES256_GCM,data:ACcby/NsXKa3dbHpWCVvsKrd+uQixSVKHK/kiafllWCu/yMUSp+70iQZI22XaLywTB/xzLqaLbY6kOsxDzbMUPFhENoYqaaMWtnKrxMvH7ealgCiEVl8jLSZ1Aqin2iSp0v4YiXGDTzu6Ldx7IVlaW7ufm99kHxtm+jfABqX8Pg=,iv:mcOgx+UvgzC1AvFKTKX3/DnKOuepuIm0zA0gd245T5A=,tag:4Vx7WXD5nCfl1jN64Epb5Q==,type:str] mac: ENC[AES256_GCM,data:50Qe5aBO/xT5VFxfyIvB1hB32MlxSsXdIrG2zwDf5lGyk8cYKr8i5LZX7TQfzaREW9CgwPt7K4bxbGqAPG6wOVCgN+GYbVqpWgORfftMRzy0oVFY+zbb+oewmy7lh/Da0z1+6+P+GECoGakduChOcWYfrjxQk7ODEz0RE4aX1Cs=,iv:+DSaPLZTrYHTY0LpUKjBn+NlhO+QKQh2wrVfNNLZoOc=,tag:d1ixNV6w1vJlHJHcjS64ow==,type:str]
pgp: pgp:
- created_at: "2023-09-10T17:32:58Z" - created_at: "2023-09-10T17:32:58Z"
enc: | enc: |
@ -42,4 +44,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2 fp: 1F2EA6D9A57A9BE5A7F3AA035BEBEE4EE57DC7E2
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.1

23
services/tandoor.nix
View file

@ -1,16 +1,35 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
with lib; with lib;
let
mediaRoot = "/var/www/tandoor-recipes/media/";
in
mkIf (elem "tandoor" config.machine.services) { mkIf (elem "tandoor" config.machine.services) {
services.tandoor-recipes = { services.tandoor-recipes = {
enable = true; enable = true;
extraConfig = { extraConfig = {
# https://docs.tandoor.dev/system/configuration/
# Set explicitly so it can be referenced by web-server # Set explicitly so it can be referenced by web-server
MEDIA_ROOT = "/var/lib/tandoor-recipes/media/"; MEDIA_ROOT = mediaRoot;
# Upstream likes to break stuff and apparently make it less insecure...
GUNICORN_MEDIA = "0";
SECRET_KEY_FILE = config.sops.secrets."services/tandoor/secretKey".path;
# Useful settings
# ENABLE_SIGNUP = "1";
# DEBUG = "1";
# DEBUG_TOOLBAR = "1";
# GUNICORN_LOG_LEVEL="debug";
}; };
}; };
systemd.services.tandoor-recipes.serviceConfig = {
ReadWritePaths = [ mediaRoot ];
WorkingDirectory = lib.mkForce "/var/lib/tandoor-recipes";
};
sops.secrets."services/tandoor/secretKey" = {
owner = "tandoor_recipes";
group = "tandoor_recipes";
};
} }