Increase session life to 90d and use static secret

Jakob Lechner 2025-01-11 17:25:55 +01:00
parent ebbb62a6b2
commit 82cbda5bcd
2 changed files with 26 additions and 15 deletions


@ -2,6 +2,7 @@ wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0
turn-static-auth-secret: ENC[AES256_GCM,data:rzhixUemFPwKj1BcVPZd7KtUO9OA6A2R4qEQ1BZGVG0=,iv:uYHYe4Cywxovt3b/Ho1tQVHrpgVic+AKh9AjYMYSZcM=,tag:rr8RW/if06t38GpZCYQB4w==,type:str]
gitlab-runner_fablab-nea-hcloud-labsync: ENC[AES256_GCM,data:+znVO8cQxjDdhch7oUALZvt84iJmWnAx6lTM0+WGkGtaRWTCTPjgnst5waSJpw/Oysrd1PkXZKmLHyHuU7K/CHQij7sWH50G3ZcUum58klJc3dCPztlrLpDVHeSwyYiLpsqkQTfjqLPfrMkxuxBgTEVXlq2ZnFuyOGbFx9hubPxLeyQKakiW3qZWGjbFXYAps7Gl61AVdKJj3y1otX2JbCjG9x2i6FHZpl5ywwQCjKNM,iv:7v+I/oJtWDap6PNIJ4Qm3Si9dGs7a79SaMhnr/tbe1A=,tag:7jgoLtdWAEKMkWoXZ10owA==,type:str]
forgejo-mail: ENC[AES256_GCM,data:eZv9dM0a06wFJaDUZjo=,iv:L32ab5k/AX8HqSACJA5w+WbzLlBijA5++Gcr2SrnYIU=,tag:ddyTXikWTMnxq86IijgyYg==,type:str]
hedgedoc-session-secret: ENC[AES256_GCM,data:AYUiUF7R+5C3F5kNRL0R95e1l3Y59tIP388uY0IYCskBhR0H0XMVvyrX/gIM33Twwkc5it+fQtNPNXsbrAnoKQ==,iv:Q6pDEdFplp845/DCHutwni/g7Ch39pTCvfNs4Eh28CQ=,tag:aqVGs3iThmepT7iJusLOMA==,type:str]
sops:
kms: []
gcp_kms: []
@ -17,8 +18,8 @@ sops:
QTBqZDZLeDFLK0k2MHF4Uk1mQTIxRHcKeLHz+lSnHLyTgw2Aq+IVGpIi9X8SQx+Q
bCSPPMPIZsL4VLInuZmcd2n/kEr80fQM2P3/ktW8RnViQjTU+kKbMg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-17T12:35:12Z"
mac: ENC[AES256_GCM,data:ji+KDLN/7nQG448ZMxOFCuCTrzwnn00xbey84itd2cHpGP3oWYCFDWqdMg18C7koZ8eVtudgi3v6++bYLunAMONcvVwqconiEgEy17GKMzaladkEVDzSTRLipbcby/k4VYzS+iBP02eEn1gHYaNWTeIN/8X+42kIdhq3Itx44fU=,iv:X72KO/yNE1RI8lSPEc5llmCUuO0bZrtD4kizHf4dnzA=,tag:jZOIX1hhF1yfy7U8f47/VA==,type:str]
lastmodified: "2025-01-11T15:28:59Z"
mac: ENC[AES256_GCM,data:1RnyUrbEI2JKpicmA3QV+5ob+vByahMjc4+ZpLbcMyZv/KXn02VP+OQaLm9NgPfpZmSmRgbdPNQAP4f71z/EjcceyANAhnvql3zuYgSXNp5l/IYo5UFZdWgQa14XTGO518969CDLW1zJnlkBtbtLEVlMJiQ/EraV1eNtgCr5UEU=,iv:0fLjboGiejUI9LxHW80ed+/Lf+jlN5UH7tVqfBptq0w=,tag:4Tyrqy9XwQAm0etooVBNZg==,type:str]
pgp:
- created_at: "2024-01-31T01:20:03Z"
enc: |-
@ -32,4 +33,4 @@ sops:
-----END PGP MESSAGE-----
fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.2


@ -6,21 +6,31 @@ let
cfg = config.services.hedgedoc;
in
{
sops.secrets.hedgedoc-session-secret = {
owner = config.systemd.services.hedgedoc.serviceConfig.User;
sopsFile = ../secrets.yaml;
};
services.hedgedoc = {
enable = true;
settings = {
domain = domain;
protocolUseSSL = true;
csp.enable = true;
port = ports.hedgedoc.tcp;
db = {
dialect = "postgres";
host = "/run/postgresql";
user = "hedgedoc";
database = "hedgedoc";
settings =
let
day = 24 * 60 * 60 * 1000;
in
{
domain = domain;
protocolUseSSL = true;
csp.enable = true;
port = ports.hedgedoc.tcp;
db = {
dialect = "postgres";
host = "/run/postgresql";
user = "hedgedoc";
database = "hedgedoc";
};
allowEmailRegister = false;
sessionSecret = config.sops.secrets.hedgedoc-session-secret.path;
sessionLife = 90 * day;
};
allowEmailRegister = false;
};
};
services.postgresql = {
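Review bot: `sessionSecret = config.sops.secrets.hedgedoc-session-secret.path;` hands HedgeDoc the secret's path rather than its contents; the NixOS module writes `settings` into the HedgeDoc config as literal values, so unless HedgeDoc dereferences this field as a file (I do not believe it does), the cookie-signing key becomes the predictable path string and the sops-decrypted material is never read. Supply the value instead, e.g. via `services.hedgedoc.environmentFile` pointing at a sops-managed file containing `CMD_SESSION_SECRET=<secret>`, and drop the `sessionSecret` line. With a persistent secret, restarts no longer invalidate sessions, so `sessionLife = 90 * day;` means a leaked cookie stays usable for up to 90 days or until the secret is rotated; a comment recording that trade-off next to it, `# persistent secret: sessions survive restarts, a stolen cookie stays valid for the full 90d`, would help the next reader. The enclosing module attribute set begins before the hunk.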