diff --git a/flake.nix b/flake.nix index 15da2a6..808648d 100755 --- a/flake.nix +++ b/flake.nix @@ -12,7 +12,7 @@ #packages."x86_64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage; nixosConfigurations = { - /*birne = nixpkgs.lib.nixosSystem { + birne = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./hosts/birne/configuration.nix @@ -50,16 +50,16 @@ } ]; }; - */ - durian = nixpkgs.lib.nixosSystem { + quitte = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ inputs.sops-nix.nixosModules.sops - ./hosts/durian/configuration.nix + ./hosts/quitte/configuration.nix ./modules/base.nix ./modules/sops.nix ./modules/keycloak.nix - ./modules/nginx.nix + ./modules/nginx.nix + ./modules/hedgedoc.nix { sops.defaultSopsFile = ./secrets/durian.yaml; } diff --git a/hosts/birne/configuration.nix b/hosts/birne/configuration.nix index df3eb13..2c0b96e 100755 --- a/hosts/birne/configuration.nix +++ b/hosts/birne/configuration.nix @@ -5,9 +5,9 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ]; + imports =[ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; diff --git a/hosts/durian/configuration.nix b/hosts/quitte/configuration.nix similarity index 98% rename from hosts/durian/configuration.nix rename to hosts/quitte/configuration.nix index d0bbe07..af7db7f 100644 --- a/hosts/durian/configuration.nix +++ b/hosts/quitte/configuration.nix 
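Review bot: The renamed `quitte` host still reads its secrets from `./secrets/durian.yaml` (the unchanged `sops.defaultSopsFile = ./secrets/durian.yaml;` context line at the end of the second flake.nix hunk), so the host name, its `./hosts/quitte` directory and its secrets file now disagree. Renaming the secrets file to `./secrets/quitte.yaml` in the same step (and updating the sops `.sops.yaml` creation rules, if the repository has them) would keep the host-to-secrets mapping obvious and avoid someone later adding a second `durian` host that silently shares the same secret file. This is consistency only; the configuration as written still resolves.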
@@ -30,7 +30,7 @@ networking.defaultGateway = "141.30.30.129"; networking.nameservers = [ "141.30.1.1" ]; - networking.hostName = "durian"; # Define your hostname. + networking.hostName = "quitte"; # Define your hostname. # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. diff --git a/hosts/durian/hardware-configuration.nix b/hosts/quitte/hardware-configuration.nix similarity index 100% rename from hosts/durian/hardware-configuration.nix rename to hosts/quitte/hardware-configuration.nix diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix new file mode 100644 index 0000000..323ac0c --- /dev/null +++ b/modules/hedgedoc.nix 
@@ -0,0 +1,76 @@
+{ config, pkgs, lib, ... }:
+let
+ domain = "pad.quitte.tassilo-tanneberger.de";
+in {
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "hedgedoc";
+ ensurePermissions = {
+ "DATABASE hedgedoc" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "hedgedoc" ];
+ };
+
+ hedgedoc = {
+ enable = true;
+ configuration = {
+ port = 3002;
+ domain = "${domain}";
+ protocolUseSSL = true;
+ dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
+ sessionSecret = "\${SESSION_SECRET}";
+ allowAnonymousEdits = true;
+ csp = {
+ enable = true;
+ directives = {
+ scriptSrc = "${domain}";
+ };
+ upgradeInsecureRequest = "auto";
+ addDefaults = true;
+ };
+ };
+ };
+
+ nginx = {
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3002";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+
+ sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+ sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+ sops.secrets.restic_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+ sops.secrets.kaki_private_key.group = "remote-backups";
+
+ systemd.services.hedgedoc.preStart = lib.mkBefore ''
+ export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
+ export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
+ '';
+ systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
+
+ systemd.services.hedgedoc-pgsetup = {
+ description = "Prepare HedgeDoc postgres database";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "networking.target" "postgresql.service" ];
+ serviceConfig.Type = "oneshot";
+
+ path = [ pkgs.sudo config.services.postgresql.package ];
+ script = ''
+ sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat 
${config.sops.secrets.postgres_hedgedoc.path})'" + ''; + }; +} diff --git a/secrets/durian.yaml b/secrets/durian.yaml index be24dc6..8fae867 100644 --- a/secrets/durian.yaml +++ b/secrets/durian.yaml @@ -1,4 +1,6 @@ postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str] +postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrUREj0=,iv:fnSs3FOgmFn5/BqKTODpwIq023ZRMF8s/JiDyf2ZqkE=,tag:oit5sHf6QffhYYi/WJk5SQ==,type:str] +hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] sops: kms: [] gcp_kms: [] @@ -14,8 +16,8 @@ sops: bzNnbFZnZnZiY0xsbVlvUStBblBMWGcK7HSz9iFQiH0BJ3etF09opJreBoBtiBZ0 L74EBGuEV4+dNWqY3QwAASmDYJJ8ocQMuAgctjsgstKBKUeOrkhDRg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-08-16T13:03:32Z" - mac: ENC[AES256_GCM,data:2exwH5VVfOOZ4SCwOcwFhg8Pwtmm936Cfn6A91YfyWu7tTkFq3vzFj0P3mG7RI0CyCTg1ptHt9j2zGKzy+mSO8Cb5ohPAJE/cuVkI998+D84uPkjLHHOq1wJRZxza9RHFiENPK0AOx3jSlAeFZqmIQPExX3gVRyJManU32OVu4o=,iv:xUXek6g9ayI5E7Exxq9EapesSfkD+AM3LWSVHPv2rLM=,tag:MpfvDuNse4UvOmcXASga0A==,type:str] + lastmodified: "2022-09-06T13:02:09Z" + mac: ENC[AES256_GCM,data:9lbw83A7J9VUTrNsrTVNJQAfjK9ItMPAlNlsB5jOBXafBL0xMSWRhWVfgCwbmgmJ5SP6kpS8emCiHudqxdDLEReWomrBp3t0uabPiODIiI1AxB6DT6O+/9Dlnq5eXc1l/gw0xOPGRUZ+/WaHHddE8rhGFn/DhKrr3X0mZRwE18w=,iv:7DnEKYHlx3ZONSBsVY29+yNnCSvMCzgE6mP85frie6M=,tag:jSsXEiXXcMjgAxU9rp2soA==,type:str] pgp: - created_at: "2022-08-16T13:01:34Z" enc: |
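Review bot: In the `script` of `hedgedoc-pgsetup`, the database password is expanded into the `psql -c` argument, so while the statement runs it is visible in the process argument list (`ps`, `/proc/<pid>/cmdline`) to every local account, and a password containing a single quote also breaks the SQL. Passing the statement to `psql` on stdin keeps the secret out of argv, and `-v ON_ERROR_STOP=1` makes the oneshot fail instead of reporting success when the statement is rejected; the quoting caveat for a `'` in the secret remains as before. Separately, `after = [ "networking.target" "postgresql.service" ]` looks like a typo for `network.target` — unless this host defines a unit of that name, that ordering is a no-op and only `postgresql.service` takes effect. The hunk also sets owners for `restic_hedgedoc` and `kaki_private_key`, which the `secrets/durian.yaml` hunk in this commit does not add; if those keys are not already present in that file, sops-nix will fail at activation, so this is worth confirming before deploying.
```nix
    script = ''
      # Statement is fed on stdin so the secret never appears in argv.
      sudo -u ${config.services.postgresql.superUser} psql -v ON_ERROR_STOP=1 <<EOF
      ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})';
      EOF
    '';
```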