set secret via systemd to avoid users entirely

Lillian Violet 2025-01-14 14:56:41 +01:00
parent 0fd416429e
commit 56690ad45f
2 changed files with 5 additions and 15 deletions


@ -14,7 +14,7 @@ sync-secrets: ENC[AES256_GCM,data:AwCgqfSXmYVGnCV5PJ5Ql44IiutTS76F1H7Ow7gB4mQQ8P
writefreely: ENC[AES256_GCM,data:QOj5h/rHCxmgpPNhu3IS4eyruhQokHTJxW6yQM9YDgQ=,iv:qAd+/rAAanzL9FTIX22M+2kwI0WI2d3i86cJrn8MFBo=,tag:3zvpqnovDEoJdvK/qcFDuQ==,type:str]
writefreelymysql: ENC[AES256_GCM,data:1JZwIX04O3DBAo7JvEkeNrFcSdcmk/u4WUf/kkbr2JA=,iv:8H8MR8w1iLfl2r62EbxPnLzs4qWFmwB5gNKEaly8q6c=,tag:K01oKMXkeMOFs3u7frMs0Q==,type:str]
ssh-private-key: ENC[AES256_GCM,data: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,iv:pHT7DtX1ab7boPboXRaSg9w/4sMgNraEswtEf2tBPkw=,tag:Fbw2/Evf4ZsLFMBPflf9CA==,type:str]
mollysocket-vapid-key: ENC[AES256_GCM,data:w0tcRqjXrhjem+4rfZuSSfeex+Fpi0du3EhUdPsBRCuO7L2OdVml1CU2QA==,iv:bGfYc1T+21/rcGdkHAFqteSffXPUhvoateSqbiSPb10=,tag:XqrU5f5f0sxHTkARFdNVeA==,type:str]
mollysocket-vapid-key: ENC[AES256_GCM,data:8N2hxY6WN6mCcjMIFsw/Vt1RoGvUbYxkVPOOn4WRjXZtEEkkVCIaNevozF4xCnBUEWIukNg8lZk8ake/pHAq,iv:+NHm3hSotcRPRjrwEe9xKnEeYbnUZqJEB1sd5B+tWIE=,tag:Pd2pnJqj771XqdqBREGzJQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -30,8 +30,8 @@ sops:
KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-14T12:47:32Z"
mac: ENC[AES256_GCM,data:HxttRqB9RgMP9xkVTPXUE9MyGon3VJ7DW6gyNIII3svgcZItl39HIG3aYTsS3jAWShZQ/iSxERXbwusAb/wAC8VNXNI04BZGK9WbExSJKXzAzBLXI4ajUsJ27POf+4mi/8fwdSSRpmZdfYhbxuzBs8jI6/CJ40B9Dbp/DtndXTk=,iv:GPSoTNfsBEFNwCqAnOpylbl0LJckrR5lCznzzi/BAI8=,tag:kRwqzIh0TWz4MR66vKwgSA==,type:str]
lastmodified: "2025-01-14T13:43:37Z"
mac: ENC[AES256_GCM,data:GK+WcmMgDbZ5xeqMK06CuquR6/ptd2oXzVJ9V74+n6lBx4XsyPu17puKGKgsGsIHeRYdbwtQh8tm42/XJ0tK8qJz1yGvfQxPasd+ibRBHatWWHzQ/czR3NIRWYqGF9/mxi2uHrftaKtku1/huxjzjb69blopMzn2LEH0vCzXCkc=,iv:K6Fbhmz9FAzLd8KcjDSriVre8MhCYrGTVXh+u6oGLaQ=,tag:4Ylrs+Mm54vAKFQyyo8Njg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2
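Review bot: The `mollysocket-vapid-key` entry keeps its name while its content format appears to change, and nothing records the new format. Of the two `mollysocket-vapid-key` lines, the second (presumably the new value) has a noticeably longer `data` field, and the other file in this commit passes this secret's path as `environmentFile`, so the decrypted value is presumably now a `NAME=value` line rather than a bare key; this is inferred, since the plaintext cannot be reviewed here. A later rotation that pastes only the bare key would likely leave the service starting without its key, so I would add a comment next to the `environmentFile` option that consumes it, such as `# secret must hold one NAME=value line (systemd EnvironmentFile syntax), not the bare key`. It is also worth confirming that nothing else still reads this secret as a raw key file.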


@ -1,26 +1,16 @@
{config, ...}: let
mollySocketUser = "mollysocket";
in {
{config, ...}: {
sops.secrets."mollysocket-vapid-key".mode = "0440";
sops.secrets."mollysocket-vapid-key" = {
owner = mollySocketUser;
group = mollySocketUser;
};
services.mollysocket = {
enable = true;
environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
settings = {
port = 4381;
vapid_key_file = config.sops.secrets."mollysocket-vapid-key".path;
allowed_endpoints = ["molly.gladtherescake.eu" "nextcloud.gladtherescake.eu"];
allowed_uuids = ["*"];
webserver = true;
};
};
systemd.services.mollysocket.serviceConfig = {
User = mollySocketUser;
Group = mollySocketUser;
};
services.nginx = {
virtualHosts = {
"molly.gladtherescake.eu" = {