clerie/vcp-bula-nixfiles
1
0
Fork 0
Code Releases Activity

add secret handling via sops, configure nerd

Browse Source
This commit is contained in:
Ember 'n0emis' Keske
2022-07-13 21:39:57 +02:00
parent e1ec254cf0
commit 5c08252e82
6 changed files with 146 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
hosts/nerd/nerd.nix
View File

@@ -1,45 +1,50 @@
{ config, pkgs, lib, ... }:
{
systemd.services.nerd = {
sops.secrets.nerd_secret = {
sopsFile = ./secrets.yaml;
owner = "nerd";
restartUnits = [ "nerd.service" ];
};
systemd.services.nerd = let
nerdCfg = pkgs.writeText "nerd.cfg" ''
[django]
secret = !!DJANGO_SECRET!!
allowed_hosts = nerd.bula22.de
debug = False
language_code = de-de
time_zone = Europe/Berlin
csrf_trusted_origins = https://nerd.bula22.de
[database]
engine = postgresql_psycopg2
name = nerd
user =
password =
host = /run/postgresql
port =
'';
in {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
NERD_CONFIG_FILE = pkgs.writeText "nerd.cfg" ''
[django]
secret = TODO
allowed_hosts = nerd.bula22.de
debug = False
language_code = de-de
time_zone = Europe/Berlin
csrf_trusted_origins = https://nerd.bula22.de
[database]
engine = postgresql_psycopg2
name = nerd
user =
password =
host = /run/postgresql
port =
[email]
backend = smtp.EmailBackend
host = mail.n0emis.eu
port = 465
user = no-reply@n0emis.eu
password = TODO
ssl = True
tls = False
from = noreply@n0emis.eu
'';
NERD_CONFIG_FILE = "/etc/nerd/nerd.cfg";
PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
};
preStart = ''
export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
${pkgs.gnused}/bin/sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g" ${nerdCfg} > /etc/nerd/nerd.cfg
${pkgs.python3.pkgs.nerd}/bin/nerd migrate
'';
serviceConfig = {
User = "nerd";
Group = "nerd";
ExecStartPre = "${pkgs.python3.pkgs.nerd}/bin/nerd migrate";
ConfigurationDirectory = "nerd";
ExecStart = ''
${pkgs.python3Packages.gunicorn}/bin/gunicorn \
--bind 0.0.0.0:10510 \
@@ -70,6 +75,7 @@
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.enable = lib.mkForce false;
services.caddy = {
enable = true;
virtualHosts."nerd.bula22.de" = {

32
hosts/nerd/secrets.yaml Normal file
View File

@@ -0,0 +1,32 @@
nerd_secret: ENC[AES256_GCM,data:MyuiltRyRppYa1qON2bTsY2z5tQWauWvsYA39JjfuiIwSDtu2pWSdlnGZQ==,iv:XvjM2UZLPNq/c9zzewIyfNTx28kehQ00CVAiWlqyk4M=,tag:i+NZGqiN9NoX2A9DVqtjvg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRk14MEpOY3RYWnNUR1Za
b2VKTUg0anRGcXQxaUp5TFdjUkprYTlpbDJRCi9CVkhLWlhrOE1IT3FITksrbFlP
TVJBeldJOGZiVncvbHFQM0g5Q1NhS3MKLS0tIGlSVDZoNGliT05JRFVzK1dXTzR0
VW5KK0JiOXAva3AxQW5yWmZUc0JUc3cKQpeCgJ0X4Dj8UVqrOvDihTIp1o4JlrT7
LKnjj1UY+4mgEHCGCMnbZaBE5BzU2TaZk6KQ9EhihRDXjjR1YNcgXA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-13T19:02:49Z"
mac: ENC[AES256_GCM,data:2Sz+FPr1i6bKeC4NpK2D9rGp5HyN5jLnzleaBBJZ9T/p6A4Z7wyiruko8XLUpmGw0TiSsfG5FTj6+FjB90ASW5rv916eWHrADAI1YzyrpVGXtGdzM2dNm8fKRrim3zwld2om6uWe9EJRdsq/aEkMgSZwIka/oSHxZq/s5hrvtEc=,iv:Uwm7oNFtvcJEearMw2avNu9JSYGyiPLo4VzZ8cL/zA0=,tag:CoyNiUfkN+/b18E2JnVGBw==,type:str]
pgp:
- created_at: "2022-07-13T19:02:23Z"
enc: |
-----BEGIN PGP MESSAGE-----
hE4D6iFd6webPCUSAQdAEoxhdEJ5t3J43TV/EjtCXR+WiEWm9OwB1XRxPX9Njiwg
vZFbfm360/cprIVl6x1FG1TbLh8Vqmptvx9rdLxmTHTSXgH9ccHwk06zeH2mZw9j
qYZeqliSxacuPO/ODwx0aFEPrEL4AZR9k02pQdoPSEHfw5DYkHVl7WOP0UXGKeL2
ZoJSvb/Jhch79s2hJLTpGGaqvFcc6KHt2BFSMBIlZlg=
=yrp3
-----END PGP MESSAGE-----
fp: 6E10217E3187069E057DF5ABE0262A773B824745
unencrypted_suffix: _unencrypted
version: 3.7.1