courses-phil: use systemd credentials to load the secrets

This commit is contained in:
Rouven Seifert 2023-10-23 15:08:33 +02:00
parent 6e269d8dc7
commit 7b3925deca
Signed by: rouven.seifert
GPG key ID: B95E8FE6B11C4D09

View file

@ -1,4 +1,4 @@
{ config, lib, sops-nix, course-management, ... }: { config, lib, course-management, ... }:
let let
hostName = "kurse-phil.${config.networking.domain}"; hostName = "kurse-phil.${config.networking.domain}";
in in
@ -9,39 +9,39 @@ in
forceSSL = true; forceSSL = true;
}; };
sops.secrets = {
"course-management-phil/secret-key" = { };
"course-management-phil/adminpass" = { };
};
containers."courses-phil" = { containers."courses-phil" = {
autoStart = true; autoStart = true;
# forbidden sadly, I will copy the keys manually. Not very beautiful but it works extraFlags = [
# bindMounts = { "--load-credential=course-secret-key:${config.sops.secrets."course-management-phil/secret-key".path}"
# hostPath = "/etc/ssh"; "--load-credential=course-adminpass:${config.sops.secrets."course-management-phil/adminpass".path}"
# mountPoint = "/etc/ssh"; ];
# };
config = { pkgs, config, ... }: { config = { pkgs, config, ... }: {
system.stateVersion = "23.05"; system.stateVersion = "23.05";
networking.domain = "ifsr.de"; networking.domain = "ifsr.de";
imports = [ imports = [
sops-nix.nixosModules.sops
course-management.nixosModules.default course-management.nixosModules.default
]; ];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; systemd.services.course-management = {
sops.age.generateKey = false; after = [ "postgresql.service" ];
sops.defaultSopsFile = ../secrets/quitte.yaml; serviceConfig = {
sops.secrets = LoadCredential = [
let inherit (config.services.course-management) user; "secret-key:course-secret-key"
in "adminpass:course-adminpass"
{ ];
"course-management-phil/secret-key".owner = user; };
"course-management-phil/adminpass".owner = user;
}; };
systemd.services.course-management.after = [ "postgresql.service" ];
services.course-management = { services.course-management = {
inherit hostName; inherit hostName;
enable = true; enable = true;
listenPort = 5001; listenPort = 5001;
settings = { settings = {
secretKeyFile = config.sops.secrets."course-management-phil/secret-key".path; secretKeyFile = "$CREDENTIALS_DIRECTORY/secret-key";
adminPassFile = config.sops.secrets."course-management-phil/adminpass".path; adminPassFile = "$CREDENTIALS_DIRECTORY/adminpass";
admins = [{ admins = [{
name = "Root iFSR"; name = "Root iFSR";
email = "root@${config.networking.domain}"; email = "root@${config.networking.domain}";
@ -65,7 +65,6 @@ in
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = lib.mkForce false; enableTCPIP = lib.mkForce false;
# port = 55555;
ensureUsers = [{ ensureUsers = [{
name = "course-management"; name = "course-management";
ensurePermissions = { ensurePermissions = {