pleroma: port to secrets.nix

2022-05-26 23:09:54 -07:00 · 2022-05-26 23:09:54 -07:00 · 243a8e1e4c
parent a407bd9920
commit 243a8e1e4c
2 changed files with 23 additions and 5 deletions
--- a/machines/uninsane/services/pleroma.nix
+++ b/machines/uninsane/services/pleroma.nix
@ -1,20 +1,21 @@
 # docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
 #
 # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, secrets, ... }:

 {
  services.pleroma.enable = true;
-  # XXX colin: this isn't checked into git, so make sure to create it first:
-  services.pleroma.secretConfigFile = "/etc/nixos/secrets/pleroma.secret.exs";
-  # services.pleroma.secretConfigFile = "/var/lib/pleroma/prod.secret.exs";
+  # TODO: we should write a config file somewhere outside the store... somehow.
+  services.pleroma.secretConfigFile = "/dev/null";
  services.pleroma.configs = [
    ''
    import Config
    
    config :pleroma, Pleroma.Web.Endpoint,
      url: [host: "fed.uninsane.org", scheme: "https", port: 443],
-      http: [ip: {127, 0, 0, 1}, port: 4000]
+      http: [ip: {127, 0, 0, 1}, port: 4000],
+      secret_key_base: "${secrets.pleroma.secret_key_base}",
+      signing_salt: "${secrets.pleroma.signing_salt}"
    
    config :pleroma, :instance,
      name: "Perfectly Sane",
@ -45,6 +46,7 @@
    config :pleroma, Pleroma.Repo,
      adapter: Ecto.Adapters.Postgres,
      username: "pleroma",
+      password: "${secrets.pleroma.db_password}",
      database: "pleroma",
      hostname: "localhost",
      pool_size: 10,
@ -52,6 +54,14 @@
      parameters: [
          plan_cache_mode: "force_custom_plan"
      ]
+
+    # Configure web push notifications
+    config :web_push_encryption, :vapid_details,
+      subject: "mailto:notify.pleroma@uninsane.org",
+      public_key: "${secrets.pleroma.vapid_public_key}",
+      private_key: "${secrets.pleroma.vapid_private_key}"
+
+    config :joken, default_signer: "${secrets.pleroma.joken_default_signer}"
    
    config :pleroma, :database, rum_enabled: false
    config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
--- a/secrets.nix
+++ b/secrets.nix
@ -11,4 +11,12 @@
  # wg genkey > wg0.private
  # wg pubkey < wg0.private > wg0.public
  wireguard.privateKey = "<REPLACEME>";
+
+  # these would otherwise be found in 'pleroma.secret.exs'
+  pleroma.secret_key_base = "<REPLACEME>";
+  pleroma.signing_salt = "<REPLACEME>";
+  pleroma.db_password = "<REPLACEME>";
+  pleroma.vapid_public_key = "<REPLACEME>";
+  pleroma.vapid_private_key = "<REPLACEME>";
+  pleroma.joken_default_signer = "<REPLACEME>";
 }