From fe3d338d1e3e467e95b760e725d8cad14072aa56 Mon Sep 17 00:00:00 2001 From: Tristan Date: Thu, 22 Feb 2024 17:47:44 +0000 Subject: [PATCH] anki ssl & password --- nixos/default.nix | 1 + nixos/services/anki.nix | 23 +++++++++++++++++++++-- secrets/secrets.yaml | 6 ++++-- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/nixos/default.nix b/nixos/default.nix index 19bd163..1f0a533 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -79,6 +79,7 @@ in { wget unzip fzf + sops ]; programs.tmux.enable = true; diff --git a/nixos/services/anki.nix b/nixos/services/anki.nix index 0c473c4..7581d1a 100644 --- a/nixos/services/anki.nix +++ b/nixos/services/anki.nix @@ -1,12 +1,31 @@ -{...}: { +{config, ...}: +let + anki = config.services.anki-sync-server; + secrets = config.sops.secrets; + domain = "tristans.cloud"; +in { + sops.secrets."anki/password" = { + owner = "anki"; + }; + services.anki-sync-server = { enable = true; address = "0.0.0.0"; users = [ { username = "tristan"; - password = "password"; + passwordFile = secrets."anki/password".path; } ]; }; + services.nginx.virtualHosts."anki.${domain}" = { + forceSSL = true; + enableACME = true; + locations."~".proxyPass = "http://localhost:${toString anki.port}"; + }; + + # TODO: this really ought to be part of the nixpkgs anki-sync-server module + users.users.anki = { group = "anki"; isSystemUser = true; }; + users.groups.anki = {}; + systemd.services.anki-sync-server.serviceConfig.User = "anki"; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 618db05..cc2badd 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
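Review bot: In nixos/services/anki.nix the unchanged line `address = "0.0.0.0";` keeps the sync server listening in plain HTTP on every interface, so the `forceSSL` on the new nginx vhost only protects clients that actually connect through nginx. Since the vhost proxies to `http://localhost:${toString anki.port}`, the backend only needs loopback; I would change the line to `address = "127.0.0.1";` so the sops-managed password cannot be sent over an unencrypted path if the port is ever reachable (firewall settings are not visible in this patch). The removed `password = "password";` remains in git history, so the value behind `anki/password` should be a fresh credential rather than a reuse. As a style point, `locations."~"` is a regex location with an empty pattern; `locations."/"` states the catch-all intent more plainly.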
@@ -3,6 +3,8 @@ nextcloud: oidc_client_secret: ENC[AES256_GCM,data:nIVLfC+22fEurR6FXdUwz4+rPuXzlM5HG4lnRI/m1lOaiw+C9DA3WV15DP5IXMn6BeBmDMnXbfdGt0hoV32y8bkfcals0C4wUitI63sYRJ6+f+N85IeAolfvYi+6gCwKZZhwRZdZJOQVOoFH8bvC0zLz6dzjL1/C5POX4C57URs=,iv:uV6KssluRg4+aOg7DPewK9c3eIkY3y/7ij7uYBLx9Kw=,tag:gEvApHIStThboRsP0YEoFw==,type:str] grafana: oidc_client_secret: ENC[AES256_GCM,data:XU81XrM/aTZ/RDc3UPunOFQdfjJldKw3usMA5NfQkgxJYSq5NSu1ZQXsMuly4xbcYULiuUtkTAnb7Xzge+yIDoLfrZHab4mQgtLeK6hzZgLHYeSSEtQCXEYsL0p6ulA2OLrW6KoKl/o1EjiA+8htimgc7yNatdo6pBwwUXZFxpQ=,iv:de2P5uu1t0si7s7BqG4ukvouxH1TlCxgR28wRsz7i/I=,tag:1u0Wd9HRzbJRQtNbwDHOIQ==,type:str] +anki: + password: ENC[AES256_GCM,data:dZsz/Z0rdP8vVFEGlck=,iv:rLjrfKXnz7hiYSOOY+uTGQCmvMLZbo3Xle+069hAB+A=,tag:sNuvL9tGBXs9OPoFVfjdSw==,type:str] sops: kms: [] gcp_kms: [] @@ -18,8 +20,8 @@ sops: NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-22T13:04:06Z" - mac: ENC[AES256_GCM,data:iwwc4Yl6W8ALOTrgB+zSl46OxoZ6+fWkPLPQH7+Pmhr+AGA99nBj22a7u97i2DX7dZTzHYfPkmuHNYGAsYh//DBCWZFB/2uT9LasSlyu8Oa3fzseC/IthMNXdxIw6Iw29MvzlMIrLExsC6gk3AAaSgJLJxbUafQ1rBXZIpWnCd4=,iv:qq07Po3S+tQ32xqlUahxWv/WPdJSFOdVntifaG12L3E=,tag:2XByLW2YIe5ufaoT1Vtlrg==,type:str] + lastmodified: "2024-02-22T17:24:48Z" + mac: ENC[AES256_GCM,data:keBxJZqVLaIlSVRKKeOZALAbOPSVhPgenalfAVEC65WV0+8oDSGcsG/8Z66VDTUgbz48m7yNwLE9JAdFr/u2CZfww6IFR0Kz+sr7fNnRvb4HDcEt/47o5/e3UDQ39kfM11FKDzN6fVf6QKweGOUyylbVjpN+ZJ8xuuqucbd/IZA=,iv:EVZnJPEFOCQ7iHn4lY6gkQiHN6lR3WDVzh0pbBXQvqo=,tag:hwVDuxk8/gvPmDpMnZjAeg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1