From 58c435f98b916ce6b879e5206ec380eecd5cdc48 Mon Sep 17 00:00:00 2001 From: pigeonmoelleux Date: Fri, 21 Jun 2024 18:44:26 +0200 Subject: [PATCH] Finalisation onlyoffice --- modules/crans/default.nix | 2 + modules/services/onlyoffice.nix | 68 ++++++++++++++++++++++- secrets/chene.yaml | 96 +++++++++++++-------------------- 3 files changed, 106 insertions(+), 60 deletions(-) diff --git a/modules/crans/default.nix b/modules/crans/default.nix index 4398919..0beaa9a 100644 --- a/modules/crans/default.nix +++ b/modules/crans/default.nix @@ -17,6 +17,8 @@ enable = true; }; + nixpkgs.config.allowUnfree = true; + # Enable some utility programs. programs.git.enable = true; programs.neovim.enable = true; diff --git a/modules/services/onlyoffice.nix b/modules/services/onlyoffice.nix index 1f34604..6084160 100644 --- a/modules/services/onlyoffice.nix +++ b/modules/services/onlyoffice.nix 
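Review bot: `nixpkgs.config.allowUnfree = true;` is added to `modules/crans/default.nix`, which appears to be the base module shared by all hosts, so every machine importing it would accept any unfree package rather than only the one this commit needs. A narrower form such as `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "<unfree-package-name>" ];` (placeholder name; `lib` has to be in the module arguments) keeps the exception explicit. It could also sit in `modules/services/onlyoffice.nix` next to the service that requires it. A one-line comment naming the package that needs the exception would help later audits. The enclosing attribute set starts and ends outside the hunk.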
@@ -1,12 +1,76 @@ -{ ... }: +{ config, pkgs, ... }: +let + format = pkgs.formats.json { }; + + jwtSecretFileTemplate = format.generate "local.json" { + services = { + CoAuthoring = { + token = { + enable = { + request = { + inbox = true; + outbox = true; + }; + browser = true; + }; + }; + secret = { + inbox = { + string = "$ONLYOFFICE_PASS"; + }; + outbox = { + string = "$ONLYOFFICE_PASS"; + }; + session = { + string = "$ONLYOFFICE_PASS"; + }; + }; + }; + }; + }; + jwtSecretFile = "/var/lib/onlyoffice/local.json"; +in { + sops.secrets = { + onlyoffice-pass = { + sopsFile = ../../secrets/chene.yaml; + owner = "onlyoffice"; + }; + }; + services.onlyoffice = { enable = true; + + port = 8000; + hostname = "onlyoffice.crans.org"; postgresHost = "tealc.adm.crans.org"; postgresName = "onlyoffice"; postgresUser = "onlyoffice"; - postgresPasswordFile = sops.secrets.onlyoffice-sliding-sync-pass-file.path; + postgresPasswordFile = config.sops.secrets.onlyoffice-pass.path; + + jwtSecretFile = jwtSecretFile; + }; + + systemd.services.onlyoffice-docservice-secret = { + description = "Écriture du JWT Secret File pour OnlyOffice"; + + wantedBy = [ "onlyoffice-docservice.service" ]; + before = [ "onlyoffice-docservice.service" ]; + + path = [ pkgs.envsubst ]; + script = '' + ONLYOFFICE_PASS="$(<${config.sops.secrets.onlyoffice-pass.path})"; + "envsubst -i ${jwtSecretFileTemplate} -o ${jwtSecretFile}" + ''; + + serviceConfig = { + User = "onlyoffice"; + Group = "onlyoffice"; + + Type = "simple"; + StateDirectory = "onlyoffice"; + }; }; } diff --git a/secrets/chene.yaml b/secrets/chene.yaml index 73e8976..f079a34 100644 --- a/secrets/chene.yaml +++ b/secrets/chene.yaml 
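Review bot: The `onlyoffice-docservice-secret` script cannot render the JWT file as written: the whole `envsubst` invocation is wrapped in double quotes, so the shell looks for one command with that entire string as its name, and `ONLYOFFICE_PASS` is assigned but never exported, so even unquoted the template would most likely be filled with an empty secret. `Type = "simple"` also lets `onlyoffice-docservice.service` be started before the script has finished, and nothing restricts the mode of the written file, so a oneshot unit with a tight `UMask` is the safer shape. Separately, `onlyoffice-pass` now serves as both the PostgreSQL password and all three JWT secrets, which hands the database password to every application that has to share the JWT secret; a dedicated sops entry for the JWT would keep the two apart. It is also worth confirming that `services.onlyoffice.jwtSecretFile` expects a full `local.json` document rather than a file holding only the secret.

```nix
    script = ''
      # exported so envsubst can see it; the command itself must not be quoted
      export ONLYOFFICE_PASS="$(<${config.sops.secrets.onlyoffice-pass.path})"
      # refuse to write the file if the variable is unset or empty
      envsubst -no-unset -no-empty -i ${jwtSecretFileTemplate} -o ${jwtSecretFile}
    '';

    serviceConfig = {
      # … unchanged: User, Group, StateDirectory …
      Type = "oneshot";   # ordering via before= then waits for the script to finish
      UMask = "0077";     # rendered secret readable by the onlyoffice user only
    };
```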
@@ -1,4 +1,4 @@ -onlyoffice-sliding-sync-pass-file: ENC[AES256_GCM,data:3m/OrDKvFDVeJjBag3jAIn4plGf5zrD9XQ==,iv:2cupGLGuNYN7WgYiQz8hADPrdyUgOeO3Vnw1bXh+22U=,tag:bacRGACFnbmHpWJQsYPBIw==,type:str] +onlyoffice-pass: ENC[AES256_GCM,data:+BoxNQR+dunewcQJFpJCNPcOfcjaz5JS+A==,iv:/NYnwZrPWkzNSFAlMw1tAKSHcdzRCYuNjNqKcoieyYs=,tag:g90i7FneDpN/lM27hXFnjg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -8,74 +8,54 @@ sops: - recipient: age1p9h7wl3j2fl40gacknt4y95rqkaat8gntrqesx05xcg6yav8tuuqxrqv7h enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzVlFralVZZVBVejc4NzhB - Szc1SDJWZmQrdGYzbktpRzh4bG82RWh3Y0ZVClhaWHdlcEtiWkV4RmJBNXd3cDBz - YlArU1VOS2ppV3NVbFBDOTdTWjVxQmMKLS0tIDdOdU43NXJRZGs4U3NxbFF4a0RE - MXFoQXhZN3NkSHJNZUluRnVLZmFFRkEK019fLNm4xuH1Y1XLsfpvjC7uS7mE6ZEc - EJ/0Ml2xaQ/pRg9tN9AbGUZi0dx6jQmKqCTlglZM/ZDcg87oDAFzJA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOVNlMzJVWGk2TDNzQ0RB + SnRRanVuc29YWS9ub2JBTGFXaE9pYWJXU0ZJCko3WCtwRVQ1V2JYTmM1RC9vQWl4 + TXBwM1ZoK1lyTUlmTkd5WjhVVE5uYUkKLS0tIENhRmR3NTZNT1NZT3EvaHhpcDds + R0t6N3Rud2tkUWdTS0drMHdNOWNXWVkKq7wZ+ipcmbgQbriC7tvk6zADOreIMtMN + eWZWmxRL5aI7zeWe0/AbryatgurmYSoat4sTRembZkUOELmNPcwUlw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-03T21:34:58Z" - mac: ENC[AES256_GCM,data:wqm8TcapmQKin4tzAuUzxM0cmS7AxH41tFZrBDNO5ArEhhlcYRD8wVPDeO0HeH8g5cA0Tx2flAPQ10eH1WF9wtZ0X6z+wzDkzcCUVvtw+eCxKIOo4/hkBBM9hr81GGTdsqdem++qUuOCUG0ztnPKsyONMUFBmQkfNTtw1+JY7Qo=,iv:mjuU02qFTgSbiJgWdPE3khpYxF/k2EBJZfmhz+HDY0U=,tag:GakVe+hHzOdXVGDamhQ6qg==,type:str] + lastmodified: "2024-06-21T18:07:38Z" + mac: ENC[AES256_GCM,data:7LBKELXBVj4iyTjp5lpRjLew80TurDMcu5Dv6gpnKedDxijqTtO/WEwXii1ySllRVwoErfDedpN2hervGEGii7a3+rQazHYxc9lQNdGouHEBI60bJpkeozLsdF1ePkQYrCxCZCIQnXj6rb3ib4Uxh9rkaojw3dIENmfKgFaGUFI=,iv:m0Hktx/XOJXh8vqt+M1XsRCUNtqFN7F+r/RusNg1wbs=,tag:nu+W4JzbYDCaAeBfSyGtQQ==,type:str] pgp: - - created_at: "2024-06-03T21:32:58Z" + - created_at: "2024-06-21T18:07:20Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwEdD9k5IbiyARAAqGXoRluDnOZXgkA/TWWvxHI84NAKgnXd45qk26/GtouV - ihODq+ggXJbI4hj//0GwFq2oVt1cFB+7Rzbnah/F37jzLgApbDbtHBX2J3wkyTwW - 1lKjXGv6CjzzddOEXAUznM+WoHkczBZ+2EN60B5jTd09vzj7pih3E7lZmr4/nuiW - c86F34bdkLBv0XVDoAfmjHJpg565hCY7mesD8JcMO7nhy0LojgsgbRNvuCLGi/qX - cNxgS9/lp2bSfFK0SoRzoYpJwAzPpx/hSqX9IfBihxmChoHLozyOy4bkxNM5DF02 - 
CYuysUjOYmsuXV5DBa4/VEhZ4izkeoXgrJxpdCGJbPSxDsdcroLlYLaP34M5GYqN - HKmciIlRA5M7Sz3TewmCwHN6oDoiEIIYfj8Hdkmx7sF6yGs95HnTNZ7X0VemrT+G - oQ49gQfketU1ufXcLzXukjlkC+TAm2G9Pu8oTrr6hA2p6JvEc9UUbbpwJtTf1msj - wkckOFdYJzFZwH1oUP8N3WIIX1b1iYGNGuJhYT4hYM6JoaxQOBOoXvI8qIuISWZv - 3wSaRme5dMBQL38SkhzyJIOhLSCtit5z33EXuNDQsN3PTgGczmQuqTpuS3wLuqNg - gYDYTledqZAKBHaByGtsWLYdN6hJOc4QNqq7N205xyCCRCF1jfzczJytKu4IVHbS - XgG2pidGNW/g88VOFE+arlxeub1of5uPln7g2Q0cV91Xu1CW7Jp++qSfpEKZbxZR - vKQ7A6ko2URhcLmIGhyYW6Mw5Frmx4Fc9ipJsOejE/HoHsYiMvgUgsjzMUQc7l8= - =HBu2 + hQIMAwEdD9k5IbiyAQ/9GIzyP4luwkNoZ5RXFCruzqmM15H+Lq5rpKsXB31j6aW0 + xzA7SMyH3qTNBANJrFpmrAXxdAz5Vy7+VbaGPG74jDSe228xbzwGjY6olxuxAoR3 + MtFaIpySNtW4jXXrL7XwJre1NtIndxaJncw4pObrYGORXMhyXYchEscPRumgX+Rf + pPiYOnyhExZQvhGPumzJlcBypiCVlfJnvMtg4ACmyMIZFSe62kPyrpYZCHJYE3T1 + oSdkK94eV1LlqwcQiB0Fib2rWA8Mj7tU4LTfrTcYXTH87Gd68xo5M8Mnbj13+MLz + juFR5vjWwKVHA29hzI7JJQm4r/8othFJdFel4rn0z+aPI4ladlL+l5o+FQ2hoMWg + TsPXBE5S7nMNDQuDUCAWYcydJ3wuNcbh8yKusLN2KeDo/ShjuzHMrlzYtz7hxW4K + 0NEVflqnginHtndjDPHj4C+K8074LP7uQ/W+ikSWLkIAX9h2JW3Q/0IOrEN2nggJ + NuLMCqf5o54dcO7AWBVXvDbik/ADcbXrsINUTsvpv2TAQ/ID4sYVvJTVbluXqnwx + 9lRGO1mZvahvZN+DQ0keF3TV8G1ocHCVWUPRXQDXcWB9rMOh3xF1tKDMYhAZOJlg + ah812H1gPrHyF04Ohi5lc0cO2aUMBSey1rqhue2VjwwBdSIrFrpoYq3Vkt+UnkPS + XAGIWm+RXjwzI1QYYafFXN35FAScb1O9o9hOJT/tT3FEKuEWItTKt4boPrP6qfeY + ngbHQ1F76diVOGFHqsMdU+dioJpwELBuT6+/OxR3YAc1Wa5XMdJSQlhsjfRH + =2kF0 -----END PGP MESSAGE----- fp: "0xDF6D6CE9E95E26E8" - - created_at: "2024-06-03T21:32:58Z" + - created_at: "2024-06-21T18:07:20Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA/HTIsSK0VBlARAAr+thV3Du1fuzYCupxnspHAS2njh8Fsseo9RneFaPN1me - suenAQDpyZQ9ESa2dk2E/Hz82YspaurZ1lzU/WhX/3vCb2GquH/51XFIsQ6e1KCi - JPArsTZQs+UdjIN3J8GzTywkvhk3/q/ib6m0gc5AHwxsgkpd/fqgLLBlVMbasa7Y - 4QOyy5+nS9huat1l2K27+YgqOptw7snR58iDES9X+o4dN3A7LUud9dUhWckBDuRZ - KyI/eEDvyFSzS3LqiPcM45Xo+PnGYXI4Bbr+8AkUF+4KHJJsQncL7BkPOVS6l0U0 - 1ALpUvPJgUiCKX6eI+1vvSJ18YLPWWz4zZD1FMkOQpf9LMyO1XlTeaAxdLhEGs9S - 
Cd8+y6KRGvzTHGRJLJVCg0J4Mshf8unYAiQZBa+i0jc6iQVrCW+B34TSXp8JlYbg - LhnU1GXe9TVYIzVjPpxg6kSjU9kgZCvphyKmCtR+HfLL+5lYMbHumx5dnF6XC4B3 - ceKN8ewj549cCPbkbY1mRu8Ulnz+1DfBxZDLcVW/omXjWSJ0OVFyxMsHYo7rZ7Qc - 1z9lCDd5dq3zjchOTwTPf0GR4c8sSDlNJGQqQ2AZDzowcRwi1s31R/HlPSHsnFOE - wdi8a7xlBOdhSdJ1pcfH2T3KG9st6SduvxnFrxitJYfWfk8xmKldT2yEOw98UgvS - XgEbBt0zMVEJxF/oy/5WAr0REJx33bapuRxscCFvZOW3EzdaB9w3ICx208zQggcj - aJnLx0b4dJKypzFhECSA6zHHR1rPZzQRcRTnrxR5QC4lmA6m5GbC4bRZk/Ry+CA= - =/gY3 + hQIMA/HTIsSK0VBlARAAqMcFp7WL19VRmhZHXS6mmbABRuiPRLQ+Of+LpA7hRrlw + YI7qPcTqNHUgOl9uwuv3mSustX370mWBNaT7B8S/5URZCnvdtxqrVH/rGJUOk79x + sMkiyEHCJmkm/iykef1XF6tCZUoAMjuTNQbn1dn+bcj1AKdR9pVZcKvjmR90J2Ho + pfoSRxYcFI2zN8SN7EesMUJ59mOw3q8fLQAHlPi/QQI3fN09HG4PiV2q26QrlNTM + aru+y95kOBpsA/mFyjTG4axNG4cuKFMmq0mp1RJMeXpYB5MGBnKAhkP7jGAcDK9o + SUk5t+vRLD/KKj8ozDcjrM/YIGLZ+LNdfKO/eJL3yXSBZ7yZ2VWO4FlEXzEACusx + 8H+EXVy3++0zFUQlcLgYrulwtJfEV0GhtB86pKsu5QQwvHz3EvK3sTLSQXNpkp8r + Z/0+Ja6ZMWT9wIfD34+HRvKScUSRm2SwcFnQx+Wp15pCA8lY/Vr39KkVolCNFB5O + gJ9pVQM02IH1Oc0x37/dOyDFQ0wvCx7lmxzyeuOrhq2i+Q8r4s9VU6MTbU/b/pZg + rbVwz0aiuOB54Q9IuXPyR0EGvkWjWvjrRseBOtHOkeqnH7Ri+swNBww07fYiqR76 + EHvdLUuGWxz2TvDHgq/TnhDjA6VYv23x+Ip9Unlp3Et6ry0yLyia3Fb2HuRXJFvS + XAF2YtYgA2Hz7RjaL3Pm96LsTg6cDWdf5d1wtVG5nubrs44eKB+pJ2UlWWLKFrf3 + 48fkhzzWZ5DftwBI3hKiy1kZPvbOhydCCGS6t5ZqkEmWSHkyRX2TXOu+WqOh + =cmCK -----END PGP MESSAGE----- fp: "0xFA47BDA260489ADA" - - created_at: "2024-06-03T21:32:58Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4Uty74yOFxLAQ/+Nf44U9p6/26oYB83v/fZTYSF49TYussSNXWCl85FUS5h - GW7FxqjsjiiBdabMg4tqNqg9c559hF3ICZjbCuEo5rYYaSHqCRVc3k7bi5LQ2uY2 - dVJqVtboOGsYCFO6L/FnCeaCIHSiT5/1KVxh7T5LzQYxpuMxid8381uRJm2tSnBj - C+k9ocn5NEepwqT2QUIjS/0UwgiAZMuvZ6WDud92hawQw7ZSokLTRvkeJ0dRv2Ti - dCX43mIEFR+KgjfooHErL39HLKFIG7k52uhPXEN4Dlzi7/OvJwrmLp0NR6hbwp/3 - iWv2/W9I0mrVZS9UP0QffmzgHHpNGia2/LHKw4AdFAY0n1OpvLNdXZ77aw8YlwA3 - k7GG7+w8EvCt8ZzPDV1QfrB+RkD7Z3VibxBPxHbA0qPKyfSPMa+2YttEdjNDujob - 
USQktA4Ew62sLjUrRxPZjxrjkuKQv8wRgdkAggaveZWZLRMk9/gA6M38ibDMf9Rj - pRlNr9Jdi1avb6y+FOTSyNyrSctwwAyBgy5SLWuV/ZE71A67RMhRX/tAxXMB7BEW - trL01cbiraehg8biCHjcK5NQxtHgVSpY660m5r4OHFiyXD9G8JC1ryufdHdlqY6z - nHU8ZMGA3I549CITsVU4QlCDr/sVvrGZmQOPqxOaf8O/N0wOfRjbrsNiOkgMc0XS - XgE/z1dDPBOU4/Yppm58RLqx3l8XjvzakA/fPCBJmKoVkqF7sp55WlB5SoxwDzk/ - oM6PIncAqT0ZcBESJ9AgolpmvIswJ0u3MgGAe8AZ7Un6oNLE2ukpkIyvnqXURYA= - =/xDA - -----END PGP MESSAGE----- - fp: 0xA534E46682DD8C35377352C88DD28608BE411065 unencrypted_suffix: _unencrypted version: 3.8.1
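Review bot: Dropping the PGP recipient `0xA534E46682DD8C35377352C88DD28608BE411065` from the `pgp:` list only affects this and later revisions; the previous ciphertext, encrypted to that key, stays in the repository history. If the removal is meant to revoke that key's access, the value behind `onlyoffice-pass` has to be rotated as well. The new `data:` field has the same length as the old entry, so the diff does not show whether it was. If the recipient was dropped unintentionally (for example by re-encrypting with an outdated `.sops.yaml`), it should be restored with `sops updatekeys`.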