modules: services: nginx: allow sso secret files

This is in preparation of the migration to agenix, which does not allow access to the secrets at build time.
2021-09-25 13:41:43 +02:00 · 2021-09-25 13:41:43 +02:00 · c7766afe90
commit c7766afe90
parent dc5a44ce82
2 changed files with 71 additions and 6 deletions
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@ -109,6 +109,22 @@ in
      acme = {
        credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
      };
+      sso = {
+        authKeyFile = secrets."sso/auth-key".path;
+        users = {
+          ambroisie = {
+            passwordHashFile = builtins.toFile
+              "ambroisie-sso-pass.txt"
+              my.secrets.sso.ambroisie.passwordHash;
+            totpSecretFile = builtins.toFile
+              "ambroisie-sso-totp.txt"
+              my.secrets.sso.ambroisie.totpSecret;
+          };
+        };
+        groups = {
+          root = [ "ambroisie" ];
+        };
+      };
    };
    paperless = {
      enable = true;