Implemented secure passwords

2019-09-06 16:50:59 +10:00 · 2019-09-06 16:50:59 +10:00 · 2b6a8951e6
parent b36a86ed33
commit 2b6a8951e6
1 changed files with 19 additions and 19 deletions
--- a/Deployments/gitea.nix
+++ b/Deployments/gitea.nix
@ -1,20 +1,26 @@
-# NixOps configuration for the VMs running Gitea
+# NixOps configuration for the hosts running Gitea

 { config, pkgs, lib, ... }:

 {

  services.gitea = {
-    enable = true;                              # Enable Gitea
-    appName = "mcwhirter.io: Gitea Service";    # Give the site a name
+    enable = true;                               # Enable Gitea
+    appName = "mcwhirter.io: Gitea Service";     # Give the site a name
    database = {
-      type = "postgres";                        # Database type
-      password = "gitea";                       # Set the password
+      type = "postgres";                         # Database type
+      passwordFile = "/run/keys/gitea-dbpass";   # Where to find the password
    };
-    domain = "source.mcwhirter.io";             # Domain name
-    rootUrl = "https://source.mcwhirter.io/";   # Root web URL
-    httpPort = 3001;                            # Provided unique port
-    extraConfig = ''
+    domain = "source.mcwhirter.io";              # Domain name
+    rootUrl = "https://source.mcwhirter.io/";    # Root web URL
+    httpPort = 3001;                             # Provided unique port
+    extraConfig = let
+      docutils =
+        pkgs.python37.withPackages (ps: with ps; [
+          docutils                               # Provides rendering of ReStructured Text files
+          pygments                               # Provides syntax highlighting
+      ]);
+    in ''
      [mailer]
      ENABLED = true
      FROM = "gitea@mcwhirter.io"
@ -23,13 +29,16 @@
      [markup.restructuredtext]
      ENABLED = true
      FILE_EXTENSIONS = .rst
-      RENDER_COMMAND = /run/current-system/sw/bin/rst2html.py
+      RENDER_COMMAND = ${docutils}/bin/rst2html.py
      IS_INPUT_FILE = false
    '';
  };

  services.postgresql = {
    enable = true;                # Ensure postgresql is enabled
+    authentication = ''
+      local gitea all ident map=gitea-users
+    '';
    identMap =                    # Map the gitea user to postgresql
      ''
        gitea-users gitea gitea
@ -53,13 +62,4 @@
      "source.mcwhirter.io".email = "craige@mcwhirter.io";
  };

-  environment.systemPackages = with pkgs; [
-    ((
-      python37.withPackages (ps: with ps; [
-        docutils                    # Provides rendering of ReStructured Text files
-        pygments                    # Provides syntax highlighting
-      ])
-    ))
-  ];
-
 }