+9
-6
flake.nix
+9
-6
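--- a/flake.nix
+++ b/flake.nix
@@ -279,10 +279,10 @@
 description = "Internal address for inter-service communication";
 };
 
-secret = mkOption {
-type = types.str;
-example = "super-secret-key";
-description = "Secret key provided by appview (required)";
+secretFile = mkOption {
+type = lib.types.path;
+example = "KNOT_SERVER_SECRET=<hash>";
+description = "File containing secret key provided by appview (required)";
 };
 
 dbPath = mkOption {
@@ -359,9 +359,9 @@
 "APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
 "KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
-"KNOT_SERVER_SECRET=${config.services.tangled-knotserver.server.secret}"
 "KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
 ];
+EnvironmentFile = config.services.tangled-knotserver.server.secretFile;
 ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";
 Restart = "always";
 };
@@ -384,10 +384,13 @@
 virtualisation.cores = 2;
 services.getty.autologinUser = "root";
 environment.systemPackages = with pkgs; [curl vim git];
+systemd.tmpfiles.rules = [
+"w /var/lib/knotserver/secret 0660 git git - KNOT_SERVER_SECRET=6995e040e80e2d593b5e5e9ca611a70140b9ef8044add0a28b48b1ee34aa3e85"
+];
 services.tangled-knotserver = {
 enable = true;
 server = {
-secret = "6995e040e80e2d593b5e5e9ca611a70140b9ef8044add0a28b48b1ee34aa3e85";
+secretFile = "/var/lib/knotserver/secret";
 hostname = "localhost:6000";
 listenAddr = "0.0.0.0:6000";
 };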
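Review bot: The new `secretFile` option's `example` shows the file's contents (`KNOT_SERVER_SECRET=<hash>`) rather than a path, although the option is typed `lib.types.path` and is handed straight to `EnvironmentFile` in the second hunk; use a path in the example and move the format into the description, e.g. `example = "/var/lib/knotserver/secret";` and `description = "Path to an environment file containing KNOT_SERVER_SECRET=<secret>, read by systemd via EnvironmentFile; must not live in the Nix store (required)";`. The store caveat matters because a `types.path` value written as a relative path literal is copied into the world-readable /nix/store, which would undo the point of taking the secret out of the option. The neighbouring options use the bare `types` prefix (the removed line had `types.str`), so `lib.types.path` looks like a style inconsistency. In the VM test, the tmpfiles rule uses type `w`, which as far as I recall only writes to a file that already exists while `f` is the type that creates it with the given content; worth confirming the file is actually present before the service starts, since the value shown there is a test fixture.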