anki ssl & password

2024-02-22 17:47:44 +00:00 · 2024-02-22 17:47:44 +00:00 · fe3d338d1e
commit fe3d338d1e
parent c32ab6ba1f
3 changed files with 26 additions and 4 deletions
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -79,6 +79,7 @@ in {
    wget
    unzip
    fzf
+    sops
  ];

  programs.tmux.enable = true;
--- a/nixos/services/anki.nix
+++ b/nixos/services/anki.nix
@ -1,12 +1,31 @@
-{...}: {
+{config, ...}:
+let
+  anki = config.services.anki-sync-server;
+  secrets = config.sops.secrets;
+  domain = "tristans.cloud";
+in {
+  sops.secrets."anki/password" = {
+    owner = "anki";
+  };
+
  services.anki-sync-server = {
    enable = true;
    address = "0.0.0.0";
    users = [
      {
        username = "tristan";
-        password = "password";
+        passwordFile = secrets."anki/password".path;
      }
    ];
  };
+  services.nginx.virtualHosts."anki.${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."~".proxyPass  = "http://localhost:${toString anki.port}";
+  };
+
+  # TODO: this really ought to be part of the nixpkgs anki-sync-server module
+  users.users.anki = { group = "anki"; isSystemUser = true; };
+  users.groups.anki = {};
+  systemd.services.anki-sync-server.serviceConfig.User = "anki";
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -3,6 +3,8 @@ nextcloud:
    oidc_client_secret: ENC[AES256_GCM,data:nIVLfC+22fEurR6FXdUwz4+rPuXzlM5HG4lnRI/m1lOaiw+C9DA3WV15DP5IXMn6BeBmDMnXbfdGt0hoV32y8bkfcals0C4wUitI63sYRJ6+f+N85IeAolfvYi+6gCwKZZhwRZdZJOQVOoFH8bvC0zLz6dzjL1/C5POX4C57URs=,iv:uV6KssluRg4+aOg7DPewK9c3eIkY3y/7ij7uYBLx9Kw=,tag:gEvApHIStThboRsP0YEoFw==,type:str]
 grafana:
    oidc_client_secret: ENC[AES256_GCM,data:XU81XrM/aTZ/RDc3UPunOFQdfjJldKw3usMA5NfQkgxJYSq5NSu1ZQXsMuly4xbcYULiuUtkTAnb7Xzge+yIDoLfrZHab4mQgtLeK6hzZgLHYeSSEtQCXEYsL0p6ulA2OLrW6KoKl/o1EjiA+8htimgc7yNatdo6pBwwUXZFxpQ=,iv:de2P5uu1t0si7s7BqG4ukvouxH1TlCxgR28wRsz7i/I=,tag:1u0Wd9HRzbJRQtNbwDHOIQ==,type:str]
+anki:
+    password: ENC[AES256_GCM,data:dZsz/Z0rdP8vVFEGlck=,iv:rLjrfKXnz7hiYSOOY+uTGQCmvMLZbo3Xle+069hAB+A=,tag:sNuvL9tGBXs9OPoFVfjdSw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -18,8 +20,8 @@ sops:
            NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
            A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-22T13:04:06Z"
-    mac: ENC[AES256_GCM,data:iwwc4Yl6W8ALOTrgB+zSl46OxoZ6+fWkPLPQH7+Pmhr+AGA99nBj22a7u97i2DX7dZTzHYfPkmuHNYGAsYh//DBCWZFB/2uT9LasSlyu8Oa3fzseC/IthMNXdxIw6Iw29MvzlMIrLExsC6gk3AAaSgJLJxbUafQ1rBXZIpWnCd4=,iv:qq07Po3S+tQ32xqlUahxWv/WPdJSFOdVntifaG12L3E=,tag:2XByLW2YIe5ufaoT1Vtlrg==,type:str]
+    lastmodified: "2024-02-22T17:24:48Z"
+    mac: ENC[AES256_GCM,data:keBxJZqVLaIlSVRKKeOZALAbOPSVhPgenalfAVEC65WV0+8oDSGcsG/8Z66VDTUgbz48m7yNwLE9JAdFr/u2CZfww6IFR0Kz+sr7fNnRvb4HDcEt/47o5/e3UDQ39kfM11FKDzN6fVf6QKweGOUyylbVjpN+ZJ8xuuqucbd/IZA=,iv:EVZnJPEFOCQ7iHn4lY6gkQiHN6lR3WDVzh0pbBXQvqo=,tag:hwVDuxk8/gvPmDpMnZjAeg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1