Use templated secrets to avoid having password in the store

diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix
index da6ac2f29dce5a0e80358a6c3104ebc87fc86f94..1a422966d0864569b75851d606ecb47942db4e4c 100644 (file)
--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -84,7 +84,7 @@ in {
         include('${nextcloud}/version.php');
         $CONFIG = array (
           // FIXME: change this value when nextcloud starts getting slow
-          'instanceid' => '${env.instance_id}1',
+          'instanceid' => '${env.instance_id}',
           'datadirectory' => '/var/lib/nextcloud/',
           'passwordsalt' => '${env.password_salt}',
           'debug' => false,

diff --git a/modules/secrets.nix b/modules/secrets.nix
index a149f02ca9baeb873b26d6732102b5944caf8c4d..ecc1ebc56a976023911fb1ac8b88968b6e9e85df 100644 (file)
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -25,11 +25,12 @@
     location = config.secrets.location;
     keys = config.secrets.keys;
     empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+    fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
     dumpKey = v: ''
         mkdir -p secrets/$(dirname ${v.dest})
-        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+        echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
         cat >> mods <<EOF
-        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
         EOF
         '';
     secrets = pkgs.runCommand "secrets.tar" {} ''
@@ -52,16 +53,30 @@
             if [ -n "$TMP" ]; then
               install -m0750 -o root -g keys -d $TMP
               ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
-              sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+              if [ -f /run/keys/vars.yml ]; then
+                find $TMP -name "*.gucci.tpl" -exec \
+                  /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
+                sha512sum /run/keys/secrets.tar /run/keys/vars.yml > $TMP/currentSecrets
+              else
+                sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+              fi
               find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
-              ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+              ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
               rm -rf $TMP
             fi
           fi
         fi
         '';
     };
+
     system.extraDependencies = [ secrets ];
+    deployment.secrets."secret_vars.yml" = {
+      source = builtins.toString <privateFiles/vars.yml>;
+      destination = "/run/keys/vars.yml";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+     };
     deployment.secrets."secrets.tar" = {
       source = "${secrets}";
       destination = "/run/keys/secrets.tar";

diff --git a/nixops/secrets b/nixops/secrets
index c16489e0bcb8785afa2b4c19d2c44e164ef4b7eb..3a74f309999f47dc843a61a23bd4799a23f8ffae 160000 (submodule)
--- a/nixops/secrets
+++ b/nixops/secrets
@@ -1 +1 @@
-Subproject commit c16489e0bcb8785afa2b4c19d2c44e164ef4b7eb
+Subproject commit 3a74f309999f47dc843a61a23bd4799a23f8ffae