courses-phil: use systemd credentials to load the secrets
This commit is contained in:
parent
6e269d8dc7
commit
7b3925deca
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, sops-nix, course-management, ... }:
|
{ config, lib, course-management, ... }:
|
||||||
let
|
let
|
||||||
hostName = "kurse-phil.${config.networking.domain}";
|
hostName = "kurse-phil.${config.networking.domain}";
|
||||||
in
|
in
|
||||||
|
@ -9,39 +9,39 @@ in
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"course-management-phil/secret-key" = { };
|
||||||
|
"course-management-phil/adminpass" = { };
|
||||||
|
};
|
||||||
containers."courses-phil" = {
|
containers."courses-phil" = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
# forbidden sadly, I will copy the keys manually. Not very beautiful but it works
|
extraFlags = [
|
||||||
# bindMounts = {
|
"--load-credential=course-secret-key:${config.sops.secrets."course-management-phil/secret-key".path}"
|
||||||
# hostPath = "/etc/ssh";
|
"--load-credential=course-adminpass:${config.sops.secrets."course-management-phil/adminpass".path}"
|
||||||
# mountPoint = "/etc/ssh";
|
];
|
||||||
# };
|
|
||||||
config = { pkgs, config, ... }: {
|
config = { pkgs, config, ... }: {
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "23.05";
|
||||||
networking.domain = "ifsr.de";
|
networking.domain = "ifsr.de";
|
||||||
imports = [
|
imports = [
|
||||||
sops-nix.nixosModules.sops
|
|
||||||
course-management.nixosModules.default
|
course-management.nixosModules.default
|
||||||
];
|
];
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
systemd.services.course-management = {
|
||||||
sops.age.generateKey = false;
|
after = [ "postgresql.service" ];
|
||||||
sops.defaultSopsFile = ../secrets/quitte.yaml;
|
serviceConfig = {
|
||||||
sops.secrets =
|
LoadCredential = [
|
||||||
let inherit (config.services.course-management) user;
|
"secret-key:course-secret-key"
|
||||||
in
|
"adminpass:course-adminpass"
|
||||||
{
|
];
|
||||||
"course-management-phil/secret-key".owner = user;
|
};
|
||||||
"course-management-phil/adminpass".owner = user;
|
|
||||||
};
|
};
|
||||||
systemd.services.course-management.after = [ "postgresql.service" ];
|
|
||||||
services.course-management = {
|
services.course-management = {
|
||||||
inherit hostName;
|
inherit hostName;
|
||||||
enable = true;
|
enable = true;
|
||||||
listenPort = 5001;
|
listenPort = 5001;
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path;
|
secretKeyFile = "$CREDENTIALS_DIRECTORY/secret-key";
|
||||||
adminPassFile = config.sops.secrets."course-management-phil/adminpass".path;
|
adminPassFile = "$CREDENTIALS_DIRECTORY/adminpass";
|
||||||
admins = [{
|
admins = [{
|
||||||
name = "Root iFSR";
|
name = "Root iFSR";
|
||||||
email = "root@${config.networking.domain}";
|
email = "root@${config.networking.domain}";
|
||||||
|
@ -65,7 +65,6 @@ in
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableTCPIP = lib.mkForce false;
|
enableTCPIP = lib.mkForce false;
|
||||||
# port = 55555;
|
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = "course-management";
|
name = "course-management";
|
||||||
ensurePermissions = {
|
ensurePermissions = {
|
||||||
|
|
Loading…
Reference in a new issue