thohlt/archtika
1
0
Fork 0
mirror of https://github.com/thiloho/archtika.git synced 2025-11-22 02:41:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Automatically generate jwt secret

Browse Source
This commit is contained in:
thiloho
2024-09-14 20:28:27 +02:00
parent 38ad33a53d
commit 36ec24731d
4 changed files with 36 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
flake.nix
View File

@@ -61,11 +61,13 @@
api = { api = {
type = "app"; type = "app";
program = "${pkgs.writeShellScriptBin "api-setup" '' program = "${pkgs.writeShellScriptBin "api-setup" ''
${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO 'a42kVyAhTImYxZeebZkApoAZLmf0VtDA'" JWT_SECRET=$(head -c 64 /dev/urandom | base64 | tr -d '/+=' | head -c 64)
${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'"
${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.outPath}/rest-api/db/migrations up ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.outPath}/rest-api/db/migrations up
PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="a42kVyAhTImYxZeebZkApoAZLmf0VtDA" ${pkgs.postgrest}/bin/postgrest PGRST_ADMIN_SERVER_PORT=3001 PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
''}/bin/api-setup"; ''}/bin/api-setup";
}; };
} }

1
nix/demo-server/default.nix
View File

@@ -65,7 +65,6 @@
services.archtika = { services.archtika = {
enable = true; enable = true;
package = localArchtikaPackage; package = localArchtikaPackage;
jwtSecret = /var/lib/archtika-jwt-secret.txt;
domain = "qs.archtika.com"; domain = "qs.archtika.com";
acmeEmail = "thilo.hohlt@tutanota.com"; acmeEmail = "thilo.hohlt@tutanota.com";
dnsProvider = "porkbun"; dnsProvider = "porkbun";

43
nix/demo-server/hardware-configuration.nix
View File

@@ -1,32 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ]; boot.initrd.availableKernelModules = [
"xhci_pci"
"virtio_scsi"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/04fa460b-c39f-47f8-bece-c044d767209c"; device = "/dev/disk/by-uuid/04fa460b-c39f-47f8-bece-c044d767209c";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/BA11-3E3D"; device = "/dev/disk/by-uuid/BA11-3E3D";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = [
}; "fmask=0077"
"dmask=0077"
swapDevices =
[ { device = "/dev/disk/by-uuid/abace260-6904-4b38-8532-0235f77cb2bf"; }
]; ];
};
swapDevices = [ { device = "/dev/disk/by-uuid/abace260-6904-4b38-8532-0235f77cb2bf"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

21
nix/module.nix
View File

@@ -34,11 +34,6 @@ in
description = "Name of the PostgreSQL database for archtika."; description = "Name of the PostgreSQL database for archtika.";
}; };
jwtSecret = mkOption {
type = types.either types.str types.path;
description = "JWT secret for archtika. Can be a string or a path to a file containing the secret";
};
apiPort = mkOption { apiPort = mkOption {
type = types.port; type = types.port;
default = 5000; default = 5000;
@@ -106,19 +101,15 @@ in
Restart = "always"; Restart = "always";
}; };
script = script = ''
let JWT_SECRET=$(head -c 64 /dev/urandom | base64 | tr -d '/+=' | head -c 64)
getSecret = if isPath cfg.jwtSecret then "cat ${cfg.jwtSecret}" else "echo -n '${cfg.jwtSecret}'";
in
''
JWT_SECRET=$(${getSecret})
${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"
${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
''; '';
}; };
systemd.services.archtika-web = { systemd.services.archtika-web = {