Harald Hoyer
01f42c0851
Wire up restartUnits on secrets whose consumers cache them in memory (daemons read at startup), so sops-nix restarts the affected unit on activation when the decrypted content changes: - firefly: app_key → phpfpm-firefly-iii; auto_import_secret + access_token → phpfpm-firefly-iii-data-importer - searx: secret_key → uwsgi - opencode: web password → opencode-serve - mail: sasl_passwd → postfix - forgejo: gitea_dbpass → forgejo; runner-token → gitea-runner-default Secrets read on demand by oneshots/timers (firefly sparda_pin, ntfy token, restic backup creds, acme dns creds, wg conf) are left as-is.
47 lines
1,017 B
Nix
47 lines
1,017 B
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
port = 4196;
|
|
user = "harald";
|
|
homeDir = "/home/harald";
|
|
in
|
|
{
|
|
systemd.services.opencode-serve = {
|
|
description = "OpenCode Web Server";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
environment = {
|
|
HOME = homeDir;
|
|
};
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = user;
|
|
Group = "users";
|
|
WorkingDirectory = homeDir;
|
|
ExecStart = "${pkgs.opencode}/bin/opencode serve --hostname 127.0.0.1 --port ${toString port}";
|
|
Restart = "always";
|
|
RestartSec = 5;
|
|
EnvironmentFile = config.sops.secrets.opencode-web-password.path;
|
|
|
|
# Security hardening
|
|
PrivateTmp = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = false;
|
|
NoNewPrivileges = true;
|
|
ReadWritePaths = [ homeDir ];
|
|
};
|
|
};
|
|
|
|
sops.secrets.opencode-web-password = {
|
|
sopsFile = ../../../.secrets/sgx/opencode-web.yaml;
|
|
owner = user;
|
|
restartUnits = [ "opencode-serve.service" ];
|
|
};
|
|
}
|