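{ config, pkgs, lib, ... }:

let
  # Absolute path of DocuSeal's secret_key_base file inside its state
  # directory (/var/lib/docuseal). This binding only names the path; the
  # file itself is created by the docuseal-init-secret unit below.
  secretKeyFile = "/var/lib/docuseal/secret-key-base";
in
{
  services.docuseal = {
    enable = true;
    port = 3030;
    host = "docuseal.binning.net";

    # Path handed to the DocuSeal service for its secret_key_base.
    # NOTE(review): the file is created by a *different* DynamicUser unit.
    # Presumably the docuseal module also declares StateDirectory =
    # "docuseal", so systemd re-owns the directory tree to the docuseal
    # user on each start and the 0640 file becomes readable; confirm this
    # against the module, otherwise set owner/group explicitly below.
    secretKeyBaseFile = secretKeyFile;
  };

  # One-shot unit that generates the secret key on first run and is a no-op
  # afterwards. It is a hard dependency of docuseal.service so that a failed
  # key generation stops the application from starting without a key.
  systemd.services.docuseal-init-secret = {
    description = "Initialize DocuSeal secret key";
    # requiredBy rather than wantedBy: with a mere Wants=, a failure here
    # would still let docuseal.service start and then fail on a missing file.
    requiredBy = [ "docuseal.service" ];
    before = [ "docuseal.service" ];

    serviceConfig = {
      Type = "oneshot";
      # Same state directory as the docuseal service; 0750 keeps the key
      # directory out of reach of other local users.
      StateDirectory = "docuseal";
      StateDirectoryMode = "0750";
      DynamicUser = true;
    };

    # Generates the key atomically: the random material is written to a
    # temporary file in the same directory under a restrictive umask and
    # only then renamed into place, so an interrupted or failed write can
    # never leave a partial/empty key that a later run would treat as valid.
    # An existing *empty* key file (e.g. left by a failed earlier run) is
    # regenerated, since an empty secret_key_base is unusable anyway.
    script = ''
      set -euo pipefail

      key="${secretKeyFile}"

      if [ -s "$key" ]; then
        echo "Secret key already exists at $key"
        exit 0
      fi

      echo "Generating new secret key for DocuSeal..."

      # Never create the key group/world-readable, not even briefly.
      umask 077
      tmp="$(mktemp "$key.XXXXXX")"
      trap 'rm -f "$tmp"' EXIT

      openssl_bin="${pkgs.openssl}/bin/openssl"
      "$openssl_bin" rand -hex 64 > "$tmp"
      if [ ! -s "$tmp" ]; then
        echo "openssl produced an empty key, refusing to install it" >&2
        exit 1
      fi

      # 0640: owner read/write, group read for the consuming service, no
      # access for others. NOTE(review): the group is this unit's dynamic
      # group; if docuseal.service reads the file via a different group,
      # tighten to 0600 and fix ownership instead.
      chmod 0640 "$tmp"
      mv -f "$tmp" "$key"
      echo "Secret key generated at $key"
    '';
  };
}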