
Commit 6542392

Configure website secrets as a nixpkgs option
1 parent c15bd8f commit 6542392

3 files changed

+51
-44
lines changed


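--- a/README.md
+++ b/README.md
@@ -21,16 +21,10 @@ rclone -v sync s3://www.strykeforce.org/media/ ./media
 ```
 ## Server Management
 
-In production, look up the deployed derivation using `systemctl cat
-strykeforce-website` and run `manage.py` as user `strykeforce` with required
-environment variable set:
-
-```
-sudo -u strykeforce env \
-DJANGO_SETTINGS_MODULE=website.settings.production \
-TBA_READ_KEY= \
-SECRET_KEY=<something> \
-$NIX_STORE_PATH/bin/manage.py
+```sh
+# as root
+$ nix registry add strykeforce-manage "github:strykeforce/strykeforce.org"
+$ nix run strykeforce-manage
 ```
 
 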
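--- a/deploy/flake.nix
+++ b/deploy/flake.nix
@@ -18,13 +18,14 @@
 };
 
 outputs =
-{ self
-, agenix
-, deploy-rs
-, nixos-configs
-, nixpkgs
-, strykeforce
-, ...
+{
+self,
+agenix,
+deploy-rs,
+nixos-configs,
+nixpkgs,
+strykeforce,
+...
 }:
 let
 system = "x86_64-linux";
@@ -53,40 +54,43 @@
 ./rclone.nix
 agenix.nixosModules.default
 strykeforce.nixosModules.default
-({ config, pkgs, ... }: {
-age.secrets.stryker_website_secrets = {
-file = ./strykeforce_website_secrets.age;
-};
+(
+{ config, pkgs, ... }:
+{
+age.secrets.stryker_website_secrets = {
+file = ./strykeforce_website_secrets.age;
+};
 
-environment.systemPackages = with pkgs; [
-goaccess
-redli
-strykeforce-manage
-];
+environment.systemPackages = with pkgs; [
+goaccess
+redli
+strykeforce-manage
+];
 
-strykeforce.services.website = {
-inherit enable;
-settingsModule = "website.settings.production";
-};
+strykeforce.services.website = {
+inherit enable;
+settingsModule = "website.settings.production";
+secrets = [ config.age.secrets.stryker_website_secrets.path ];
+};
 
-services.postgresql = {
-inherit enable;
-package = pkgs.postgresql_15;
-};
+services.postgresql = {
+inherit enable;
+package = pkgs.postgresql_15;
+};
 
-services.postgresqlBackup = {
-inherit enable;
-databases = [ "strykeforce" ];
-pgdumpOptions = "--clean";
-};
+services.postgresqlBackup = {
+inherit enable;
+databases = [ "strykeforce" ];
+pgdumpOptions = "--clean";
+};
 
-security.acme.acceptTerms = true;
-security.acme.defaults.email = "[email protected]";
-})
+security.acme.acceptTerms = true;
+security.acme.defaults.email = "[email protected]";
+}
+)
 ];
 };
 
-
 deploy.nodes =
 let
 sshUser = "root";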
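Review bot: The `age.secrets.stryker_website_secrets` declaration sets neither `owner` nor `mode`, so the decrypted file keeps agenix's root-only default even though the consuming unit runs as `User = "strykeforce"` (declared in lib/module.nix); that works because systemd reads `EnvironmentFile=` before dropping privileges, and it is the safer arrangement, but nothing in the file says so. A later maintainer who notices the user mismatch is likely to add `owner = "strykeforce";`, which would make the plaintext secrets file readable by any process running as the web-app user rather than only by root. I would add above the `file = ./strykeforce_website_secrets.age;` line: `# No owner/mode override on purpose: systemd loads EnvironmentFile= as root before switching to User=, so the root-only default is sufficient.` The `modules = [ ... ]` list this module sits in starts before the hunk.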

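--- a/lib/module.nix
+++ b/lib/module.nix
@@ -26,6 +26,15 @@ in
 default = "website.settings.production";
 };
 
+secrets = lib.mkOption {
+type = with lib.types; listOf path;
+description = ''
+A list of files containing the various secrets. Should be in the format
+expected by systemd's `EnvironmentFile` directory.
+'';
+default = [ ];
+};
+
 allowedHosts = lib.mkOption {
 type = lib.types.str;
 default = "strykeforce.org www.strykeforce.org";
@@ -67,7 +76,7 @@ in
 preStart = "${website}/bin/strykeforce-manage migrate --no-input";
 
 serviceConfig = {
-EnvironmentFile = "/run/agenix/stryker_website_secrets";
+EnvironmentFile = cfg.secrets;
 ExecStart = "${website}/bin/gunicorn --workers=5 --bind=127.0.0.1:8000 website.wsgi";
 User = "strykeforce";
 Restart = "on-failure";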
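Review bot: The new `secrets` option is typed `listOf path`, which also accepts a Nix path literal such as `./website.env`; because the unit file is built as a derivation, such a value would be copied into the world-readable Nix store when `EnvironmentFile = cfg.secrets;` is rendered, defeating the purpose of an option meant to carry agenix runtime paths like `config.age.secrets.<name>.path`. I would either narrow it to `type = with lib.types; listOf str;` or keep `path` and warn in the description: `Values must be runtime paths (e.g. config.age.secrets.<name>.path); a Nix path literal here would be copied into the Nix store.` The description also has a typo: it should read the `EnvironmentFile` directive, not directory. With the default `[ ]` the service starts with no secrets loaded at all; whether `website.settings.production` then refuses to start without a secret key is not visible here, so consider an assertion that the list is non-empty when `enable` is set if that is the intent.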
