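{
  config,
  domainName,
  ...
}:

{
  services.tide = {
    enable = true;

    domain = "tide.${domainName}";
    apiDomain = "apitide.${domainName}";

    # Resolve the secret's runtime path from the sops-nix option instead of
    # hard-coding /run/secrets/tide-env, so the two cannot drift apart
    # (e.g. if sops.defaultSymlinkPath is ever changed).
    secretsFile = config.sops.secrets."tide-env".path;

    # Reuse the wildcard cert already issued for *.${domainName} in
    # configuration.nix instead of requesting a new one per subdomain.
    # `null` here would NOT reuse anything: useACMEHost must name the
    # security.acme.certs entry that carries the wildcard.
    # NOTE(review): assumes that entry is security.acme.certs.${domainName};
    # adjust if configuration.nix registers the wildcard under another name.
    # A wrong name should surface as an evaluation error (missing cert
    # attribute) rather than silently serving without TLS -- confirm with
    # `nixos-rebuild build` after changing it.
    nginx.useACMEHost = domainName;
  };

  # Don't fail evaluation when secrets/tide.yaml is missing (e.g.
  # before the operator has encrypted it on a fresh checkout).
  # sops-install-secrets will still error at activation time if
  # the file is absent, which is the right place for that failure.
  # Trade-off: a typo in `sopsFile`, or a yaml that lacks the `tide-env`
  # key, is likewise only caught at activation, not at build time.
  sops.validateSopsFiles = false;

  # Use the host's age key generated with age-keygen, not the
  # SSH-host-key-derived identity sops-nix falls back to by default.
  # The encrypted file's recipient is the public key paired with
  # this private key.
  # The key file is provisioned out of band. It must never be written
  # from a Nix expression (that would copy it world-readable into
  # /nix/store); keep it root-owned, mode 0400.
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
  # Clear both fallback lists explicitly so that enabling openssh later
  # cannot silently add the SSH host keys as extra decryption identities.
  sops.age.sshKeyPaths = [ ];
  sops.gnupg.sshKeyPaths = [ ];

  sops.secrets."tide-env" = {
    sopsFile = ./secrets/tide.yaml;
    # phpfpm reads this via EnvironmentFile, which systemd evaluates as
    # root before dropping to the tide user, so root-readable is enough:
    # the default root owner plus 0400, no owner/group override needed.
    # The values end up in the php-fpm process environment, so anything
    # running as the tide user can read them; that is inherent to the
    # EnvironmentFile approach, not something this mode can tighten.
    mode = "0400";
  };
}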