From da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 13 Oct 2021 02:26:54 +0200 Subject: [PATCH] Move secrets to flakes --- flakes/private/openarc/flake.lock | 14 +- flakes/private/openarc/flake.nix | 9 +- flakes/private/opendmarc/flake.lock | 14 +- flakes/private/opendmarc/flake.nix | 9 +- flakes/secrets/flake.nix | 124 ++++++++++++++++++ modules/default.nix | 2 +- modules/duply_backup/default.nix | 7 +- modules/private/buildbot/default.nix | 24 ++-- modules/private/databases/mariadb.nix | 8 +- .../private/databases/mariadb_replication.nix | 6 +- .../private/databases/openldap/default.nix | 15 ++- .../databases/openldap_replication.nix | 2 +- modules/private/databases/postgresql.nix | 8 +- modules/private/databases/redis.nix | 6 +- .../private/databases/redis_replication.nix | 4 +- modules/private/dns.nix | 2 +- modules/private/ftp.nix | 4 +- modules/private/mail/milters.nix | 9 +- modules/private/mail/postfix.nix | 2 +- .../private/monitoring/objects_backup-2.nix | 4 +- modules/private/mpd.nix | 4 +- modules/private/ssh/default.nix | 2 +- modules/private/system.nix | 9 ++ modules/private/system/eldiron.nix | 2 +- modules/private/system/monitoring-1.nix | 2 +- modules/private/system/quatresaisons.nix | 12 +- .../system/quatresaisons/databases.nix | 6 +- modules/private/tasks/default.nix | 6 +- .../websites/connexionswing/app/default.nix | 4 +- modules/private/websites/default.nix | 8 +- .../private/websites/florian/app/default.nix | 4 +- modules/private/websites/immae/temp.nix | 2 +- .../private/websites/ludivine/app/default.nix | 4 +- .../websites/piedsjaloux/app/default.nix | 4 +- .../private/websites/tools/cloud/default.nix | 2 +- .../private/websites/tools/dav/davical.nix | 6 +- .../private/websites/tools/dav/default.nix | 1 + .../websites/tools/diaspora/default.nix | 9 +- .../private/websites/tools/ether/default.nix | 6 +- .../private/websites/tools/git/default.nix | 1 + .../private/websites/tools/git/mantisbt.nix | 6 +- .../private/websites/tools/mail/default.nix 
| 1 + .../websites/tools/mail/roundcubemail.nix | 6 +- .../websites/tools/mastodon/default.nix | 2 +- .../websites/tools/mgoblin/default.nix | 2 +- .../websites/tools/peertube/default.nix | 2 +- .../websites/tools/performance/default.nix | 2 +- .../private/websites/tools/tools/default.nix | 23 ++-- .../websites/tools/tools/dmarc_reports.nix | 6 +- .../private/websites/tools/tools/kanboard.nix | 6 +- modules/private/websites/tools/tools/ldap.nix | 6 +- .../private/websites/tools/tools/shaarli.nix | 4 +- .../private/websites/tools/tools/ttrss.nix | 6 +- .../private/websites/tools/tools/wallabag.nix | 8 +- .../private/websites/tools/tools/webhooks.nix | 8 +- .../private/websites/tools/tools/yourls.nix | 6 +- modules/secrets.nix | 113 ---------------- nixops/secrets | 2 +- 58 files changed, 330 insertions(+), 246 deletions(-) create mode 100644 flakes/secrets/flake.nix delete mode 100644 modules/secrets.nix diff --git a/flakes/private/openarc/flake.lock b/flakes/private/openarc/flake.lock index f0f56c7..744d002 100644 --- a/flakes/private/openarc/flake.lock +++ b/flakes/private/openarc/flake.lock @@ -140,7 +140,19 @@ "files-watcher": "files-watcher", "my-lib": "my-lib", "nix-lib": "nix-lib", - "openarc": "openarc" + "openarc": "openarc", + "secrets": "secrets" + } + }, + "secrets": { + "locked": { + "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", + "path": "../../secrets", + "type": "path" + }, + "original": { + "path": "../../secrets", + "type": "path" } } }, diff --git a/flakes/private/openarc/flake.nix b/flakes/private/openarc/flake.nix index 5c4b73c..b4ab4c8 100644 --- a/flakes/private/openarc/flake.nix +++ b/flakes/private/openarc/flake.nix @@ -3,6 +3,10 @@ path = "../../openarc"; type = "path"; }; + inputs.secrets = { + path = "../../secrets"; + type = "path"; + }; inputs.files-watcher = { path = "../../files-watcher"; type = "path"; 
@@ -14,14 +18,13 @@ inputs.nix-lib.url = "github:NixOS/nixpkgs"; description = "Private configuration for openarc"; - outputs = { self, nix-lib, my-lib, files-watcher, openarc }: + outputs = { self, nix-lib, my-lib, files-watcher, openarc, secrets }: let cfg = name': { config, lib, pkgs, name, ... }: { imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") (my-lib.lib.withNarKey openarc "nixosModule") - #FIXME: - #(my-lib.lib.withNarKey secrets "nixosModule") + (my-lib.lib.withNarKey secrets "nixosModule") ]; config = lib.mkIf (name == name') { services.openarc = { diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock index 121f51d..bd5019c 100644 --- a/flakes/private/opendmarc/flake.lock +++ b/flakes/private/opendmarc/flake.lock @@ -123,7 +123,19 @@ "files-watcher": "files-watcher", "my-lib": "my-lib", "nix-lib": "nix-lib", - "opendmarc": "opendmarc" + "opendmarc": "opendmarc", + "secrets": "secrets" + } + }, + "secrets": { + "locked": { + "narHash": "sha256-aRHKDVHDpnqpmgGhLGQxXwyTwmPuhUJTVcOLBYtY2ks=", + "path": "../../secrets", + "type": "path" + }, + "original": { + "path": "../../secrets", + "type": "path" } } }, diff --git a/flakes/private/opendmarc/flake.nix b/flakes/private/opendmarc/flake.nix index debcfbd..2b73070 100644 --- a/flakes/private/opendmarc/flake.nix +++ b/flakes/private/opendmarc/flake.nix @@ -3,6 +3,10 @@ path = "../../opendmarc"; type = "path"; }; + inputs.secrets = { + path = "../../secrets"; + type = "path"; + }; inputs.files-watcher = { path = "../../files-watcher"; type = "path"; 
@@ -14,14 +18,13 @@ inputs.nix-lib.url = "github:NixOS/nixpkgs"; description = "Private configuration for opendmarc"; - outputs = { self, nix-lib, opendmarc, my-lib, files-watcher }: + outputs = { self, nix-lib, opendmarc, my-lib, files-watcher, secrets }: let cfg = name': { config, lib, pkgs, name, ... }: { imports = [ (my-lib.lib.withNarKey files-watcher "nixosModule") (my-lib.lib.withNarKey opendmarc "nixosModule") - #FIXME: - #(my-lib.lib.withNarKey secrets "nixosModule") + (my-lib.lib.withNarKey secrets "nixosModule") ]; config = lib.mkIf (name == name') { users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ]; diff --git a/flakes/secrets/flake.nix b/flakes/secrets/flake.nix new file mode 100644 index 0000000..0ee6a40 --- /dev/null +++ b/flakes/secrets/flake.nix 
@@ -0,0 +1,124 @@ +{ + description = "Secrets handling"; + + outputs = { self }: { + nixosModule = { config, lib, pkgs, ... }: { + options.secrets = with lib; { + keys = mkOption { + type = types.listOf types.unspecified; + default = []; + description = "Keys to upload to server"; + }; + gpgKeys = mkOption { + type = types.listOf types.path; + default = []; + description = "GPG public keys files to encrypt to"; + }; + ageKeys = mkOption { + type = types.listOf types.str; + default = []; + description = "AGE keys to encrypt to"; + }; + decryptKey = mkOption { + type = types.str; + default = "/etc/ssh/ssh_host_ed25519_key"; + description = "ed25519 key used to decrypt with AGE"; + }; + location = mkOption { + type = types.path; + default = "/var/secrets"; + description = "Location where to put the keys"; + }; + secretsVars = mkOption { + type = types.path; + description = "Location where the secrets variables are defined, to be used to fill the templates in secrets"; + }; + deleteSecretsVars = mkOption { + type = types.bool; + default = false; + description = "Delete secrets file after deployment"; + }; + # Read-only variables + fullPaths = mkOption { + type = types.attrsOf types.path; + default = builtins.listToAttrs + (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys); + readOnly = true; + description = "set of full paths to secrets"; + }; + }; + + config = let + location = config.secrets.location; + keys = config.secrets.keys; + empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; + fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}"; + dumpKey = v: + if v.isDir or false then + '' + mkdir -p secrets/${v.dest} + cat >> mods < ${fpath v} + cat >> mods </dev/null + fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head -n1) + done + + sops --age 
${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null + ''; + pathChmodExcl = + let + dirs = builtins.filter (v: v.isDir or false) keys; + exclPath = builtins.concatStringsSep " -o " (map (d: " -path $TMP/${d.dest}") dirs); + in + lib.optionalString (builtins.length dirs > 0) " -not \\( ${exclPath} \\) "; + in lib.mkIf (builtins.length keys > 0) { + system.activationScripts.secrets = { + deps = [ "users" "wrappers" ]; + text = '' + install -m0750 -o root -g keys -d ${location} + TMP=$(${pkgs.coreutils}/bin/mktemp -d) + TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d) + chmod go-rwx $TMPWORK + if [ -n "$TMP" -a -n "$TMPWORK" ]; then + install -m0750 -o root -g keys -d $TMP + ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt + SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x + if [ -f ${config.secrets.secretsVars} ]; then + SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml + fi + if [ -f $TMPWORK/vars.yml ]; then + find $TMP -name "*.gucci.tpl" -exec \ + /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \; + fi + find $TMP -type d ${pathChmodExcl}-exec chown root:keys {} \; -exec chmod o-rx {} \; + ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location} + rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars} + fi + ''; + }; + + }; + }; + }; +} diff --git a/modules/default.nix b/modules/default.nix index b6ac68a..cb2e7d9 100644 --- a/modules/default.nix +++ b/modules/default.nix 
@@ -4,7 +4,7 @@ let in { myids = (flakeCompat ../flakes/myuids).nixosModule; - secrets = ./secrets.nix; + secrets = flakeLib.withNarKeyCompat flakeCompat ../flakes/secrets "nixosModule"; filesWatcher = flakeLib.withNarKeyCompat flakeCompat ../flakes/files-watcher "nixosModule"; webstats = ./webapps/webstats; diff --git a/modules/duply_backup/default.nix b/modules/duply_backup/default.nix index 88245a2..7034a91 100644 --- a/modules/duply_backup/default.nix +++ b/modules/duply_backup/default.nix @@ -87,6 +87,11 @@ in dest = "backup/${varName k remote}/exclude"; text = v.excludeFile; } + { + permissions = "0500"; + dest = "backup/${varName k remote}"; + isDir = true; + } ]) v.remotes) config.services.duplyBackup.profiles); services.cron = { @@ -99,7 +104,7 @@ in map (remote: [ '' touch ${varDir}/${varName k remote}.log - ${pkgs.duply}/bin/duply ${config.secrets.location}/backup/${varName k remote}/ ${action} --force >> ${varDir}/${varName k remote}.log + ${pkgs.duply}/bin/duply ${config.secrets.fullPaths."backup/${varName k remote}"}/ ${action} --force >> ${varDir}/${varName k remote}.log [[ $? = 0 ]] || echo -e "Error when doing backup for ${varName k remote}, see above\n---------------------------------------" >&2 '' ]) v.remotes diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index ea0bef6..903f453 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix @@ -42,7 +42,7 @@ in }; services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList - (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include") + (k: project: config.secrets.fullPaths."buildbot/${project.name}/webhook-httpd-include") config.myEnv.buildbot.projects; services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: '' 
@@ -62,7 +62,7 @@ in Require local Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu - Include /var/secrets/buildbot/${project.name}/webhook-httpd-include + Include ${config.secrets.fullPaths."buildbot/${project.name}/webhook-httpd-include"} '') config.myEnv.buildbot.projects; @@ -146,11 +146,11 @@ in services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { restart = true; paths = [ - "/var/secrets/buildbot/ldap" - "/var/secrets/buildbot/worker_password" - "/var/secrets/buildbot/ssh_key" - "/var/secrets/buildbot/${project.name}/environment_file" - ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets; + config.secrets.fullPaths."buildbot/ldap" + config.secrets.fullPaths."buildbot/worker_password" + config.secrets.fullPaths."buildbot/ssh_key" + config.secrets.fullPaths."buildbot/${project.name}/environment_file" + ] ++ lib.attrsets.mapAttrsToList (k: v: config.secrets.fullPaths."buildbot/${project.name}/${k}") project.secrets; }) config.myEnv.buildbot.projects; systemd.slices.buildbot = { 
@@ -206,13 +206,13 @@ in fi ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race - install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key ${varDir}/buildbot_key || true + install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/ssh_key"} ${varDir}/buildbot_key || true buildbot_secrets=${varDir}/${project.name}/secrets install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets - install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap - install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/worker_password $buildbot_secrets/worker_password + install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/ldap"} $buildbot_secrets/ldap + install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/worker_password"} $buildbot_secrets/worker_password ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList - (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets + (k: v: "install -Dm600 -o buildbot -g buildbot -T ${config.secrets.fullPaths."buildbot/${project.name}/${k}"} $buildbot_secrets/${k}") project.secrets )} ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} ''; @@ -247,7 +247,7 @@ in SupplementaryGroups = "keys"; WorkingDirectory = "${varDir}/${project.name}"; ExecStart = "${buildbot}/bin/buildbot start"; - EnvironmentFile = "/var/secrets/buildbot/${project.name}/environment_file"; + EnvironmentFile = config.secrets.fullPaths."buildbot/${project.name}/environment_file"; }; }) config.myEnv.buildbot.projects; }; diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 36edaeb..75ea747 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix 
@@ -169,14 +169,14 @@ in { mysql = { text = '' # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam - account required ${pam_ldap} config=${config.secrets.location}/mysql/pam + auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"} + account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"} ''; }; mysql_replication = { text = '' - auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication - account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication + auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"} + account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"} ''; }; }; diff --git a/modules/private/databases/mariadb_replication.nix b/modules/private/databases/mariadb_replication.nix index b89c764..e857c41 100644 --- a/modules/private/databases/mariadb_replication.nix +++ b/modules/private/databases/mariadb_replication.nix @@ -140,7 +140,7 @@ in filename=${backupDir}/$(${pkgs.coreutils}/bin/date -Iminutes).sql ${hcfg.package}/bin/mysqldump \ - --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump \ + --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump"} \ -S /run/mysqld_${name}/mysqld.sock \ --gtid \ --master-data \ @@ -194,7 +194,7 @@ in if ! test -e ${dataDir}/mysql; then if ! test -e ${dataDir}/initial.sql; then ${hcfg.package}/bin/mysqldump \ - --defaults-file=${config.secrets.location}/mysql_replication/${name}/mysqldump_remote \ + --defaults-file=${config.secrets.fullPaths."mysql_replication/${name}/mysqldump_remote"} \ -h ${hcfg.host} \ -P ${hcfg.port} \ --ssl \ 
@@ -235,7 +235,7 @@ in cat \ ${sql_before} \ ${dataDir}/initial.sql \ - ${config.secrets.location}/mysql_replication/${name}/slave_init_commands \ + ${config.secrets.fullPaths."mysql_replication/${name}/slave_init_commands"} \ | ${hcfg.package}/bin/mysql \ --defaults-file=/etc/mysql/${name}_my.cnf \ -S /run/mysqld_${name}/mysqld.sock \ diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index e00f4c2..f4851b5 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix @@ -98,7 +98,14 @@ in permissions = "0400"; user = "openldap"; group = "openldap"; - text = builtins.readFile "${cfg.accessFile}"; + text = builtins.readFile cfg.accessFile; + } + { + dest = "ldap"; + permissions = "0500"; + user = "openldap"; + group = "openldap"; + isDir = true; } ]; users.users.openldap.extraGroups = [ "keys" ]; @@ -115,7 +122,7 @@ in services.filesWatcher.openldap = { restart = true; - paths = [ "${config.secrets.location}/ldap/" ]; + paths = [ config.secrets.fullPaths."ldap" ]; }; services.openldap = { @@ -132,9 +139,9 @@ in overlay syncprov syncprov-checkpoint 100 10 - include ${config.secrets.location}/ldap/access + include ${config.secrets.fullPaths."ldap/access"} ''; - rootpwFile = "${config.secrets.location}/ldap/password"; + rootpwFile = config.secrets.fullPaths."ldap/password"; suffix = cfg.baseDn; rootdn = cfg.rootDn; database = "hdb"; diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index df4101b..350eecf 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix @@ -23,7 +23,7 @@ let index uid pres,eq index entryUUID eq - include ${config.secrets.location}/openldap_replication/${name}/replication_config + include ${config.secrets.fullPaths."openldap_replication/${name}/replication_config"} ''; in { 
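Review bot: The path watched for `services.filesWatcher.openldap` changes from `"${config.secrets.location}/ldap/"` to `config.secrets.fullPaths."ldap"`, which drops the trailing slash as well as switching to the new option; whether filesWatcher treats the directory with and without the slash the same way (for instance if it hands the path to inotify or a systemd path unit that watches the directory entry rather than its contents) is not visible in this diff and worth confirming, since a watcher that no longer notices changes to `ldap/access` or `ldap/password` would leave slapd running with stale credentials after a rotation. If only those two files matter, naming them directly, `paths = [ config.secrets.fullPaths."ldap/access" config.secrets.fullPaths."ldap/password" ];`, removes the ambiguity and mirrors how redis.nix and ftp.nix in this commit watch single files.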
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index c442a63..e73bf69 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -214,14 +214,14 @@ in { in { postgresql = { text = '' - auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam - account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam + auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"} + account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam"} ''; }; postgresql_replication = { text = '' - auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication - account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication + auth required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"} + account required ${pam_ldap} config=${config.secrets.fullPaths."postgresql/pam_replication"} ''; }; }; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index bc6460f..5c5b8b0 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -49,7 +49,7 @@ in { decrypt = true; source = "0.0.0.0:16379"; target = "/run/redis/redis.sock"; - keyfile = "${config.secrets.location}/redis/spiped_keyfile"; + keyfile = config.secrets.fullPaths."redis/spiped_keyfile"; }; }; systemd.services.spiped_redis = { @@ -70,7 +70,7 @@ in { services.filesWatcher.predixy = { restart = true; - paths = [ "${config.secrets.location}/redis/predixy.conf" ]; + paths = [ config.secrets.fullPaths."redis/predixy.conf" ]; }; networking.firewall.allowedTCPPorts = [ 7617 16379 ]; 
@@ -126,7 +126,7 @@ in { SupplementaryGroups = "keys"; Type = "simple"; - ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf"; + ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}"; }; }; diff --git a/modules/private/databases/redis_replication.nix b/modules/private/databases/redis_replication.nix index a3fe3bb..3caa7e9 100644 --- a/modules/private/databases/redis_replication.nix +++ b/modules/private/databases/redis_replication.nix @@ -64,7 +64,7 @@ in encrypt = true; source = "127.0.0.1:16379"; target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379"; - keyfile = "${config.secrets.location}/redis/spiped_eldiron_keyfile"; + keyfile = config.secrets.fullPaths."redis/spiped_eldiron_keyfile"; }; }; @@ -162,7 +162,7 @@ in unitConfig.RequiresMountsFor = dataDir; serviceConfig = { - ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.location}/redis_replication/${name}/config"; + ExecStart = "${hcfg.package}/bin/redis-server ${config.secrets.fullPaths."redis_replication/${name}/config"}"; User = "redis"; RuntimeDirectory = "redis_${name}"; }; diff --git a/modules/private/dns.nix b/modules/private/dns.nix index 7c59b43..32c52a9 100644 --- a/modules/private/dns.nix +++ b/modules/private/dns.nix @@ -10,7 +10,7 @@ ) listOfAttrs ) [{}] (attrNames attrsOfLists); cfg = config.services.bind; - keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"/var/secrets/bind/${v}.key\";") (builtins.attrNames config.myEnv.dns.keys)); + keyIncludes = builtins.concatStringsSep "\n" (map (v: "include \"${config.secrets.fullPaths."bind/${v}.key"}\";") (builtins.attrNames config.myEnv.dns.keys)); cartProduct = lib.foldr (s: servers: servers // { ${s.masters} = lib.unique ((servers.${s.masters} or []) ++ [s.keys]); }) {} diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 233031a..07db0f4 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix 
@@ -75,7 +75,7 @@ in services.filesWatcher.pure-ftpd = { restart = true; - paths = [ "/var/secrets/pure-ftpd-ldap" ]; + paths = [ config.secrets.fullPaths."pure-ftpd-ldap" ]; }; systemd.services.pure-ftpd = let @@ -94,7 +94,7 @@ in SyslogFacility ftp DontResolve yes MaxIdleTime 15 - LDAPConfigFile /var/secrets/pure-ftpd-ldap + LDAPConfigFile ${config.secrets.fullPaths."pure-ftpd-ldap"} LimitRecursion 10000 8 AnonymousCanCreateDirs no MaxLoad 4 diff --git a/modules/private/mail/milters.nix b/modules/private/mail/milters.nix index 4291993..172e216 100644 --- a/modules/private/mail/milters.nix +++ b/modules/private/mail/milters.nix @@ -18,6 +18,13 @@ }; config = lib.mkIf (config.myServices.mail.enable || config.myServices.mailBackup.enable) { secrets.keys = [ + { + dest = "opendkim"; + isDir = true; + user = config.services.opendkim.user; + group = config.services.opendkim.group; + permissions = "0550"; + } { dest = "opendkim/eldiron.private"; user = config.services.opendkim.user; @@ -45,7 +52,7 @@ ) config.myEnv.dns.masterZones )); - keyPath = "${config.secrets.location}/opendkim"; + keyPath = config.secrets.fullPaths."opendkim"; selector = "eldiron"; configFile = pkgs.writeText "opendkim.conf" '' SubDomains yes diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index 70c3f46..de5e59d 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -220,7 +220,7 @@ fi ''; scripts = lib.attrsets.mapAttrs (n: v: - toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = "/var/secrets/postfix/scripts/${n}-env"; }) + toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = config.secrets.fullPaths."postfix/scripts/${n}-env"; }) ) config.myEnv.mail.scripts // { testmail = pkgs.writeScript "testmail" '' #! ${pkgs.stdenv.shell} 
diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index a930a7d..28032a4 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix @@ -62,7 +62,7 @@ in passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases"; }; service_description = "Mysql replication for eldiron is up to date"; use = "local-service"; - check_command = ["check_mysql_replication" "/run/mysqld_eldiron/mysqld.sock" "/var/secrets/mysql_replication/eldiron/client"]; + check_command = ["check_mysql_replication" "/run/mysqld_eldiron/mysqld.sock" config.secrets.fullPaths."mysql_replication/eldiron/client"]; } { passiveInfo = defaultPassiveInfo // { servicegroups = "webstatus-databases,webstatus-backup"; }; @@ -96,7 +96,7 @@ in "check_openldap_replication" hcfg.url hcfg.dn - "${config.secrets.location}/openldap_replication/eldiron/replication_password" + config.secrets.fullPaths."openldap_replication/eldiron/replication_password" hcfg.base ldapConfig ]; diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix index 1e6e666..f2e87bb 100644 --- a/modules/private/mpd.nix +++ b/modules/private/mpd.nix @@ -26,7 +26,7 @@ systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd"; services.filesWatcher.mpd = { restart = true; - paths = [ "/var/secrets/mpd-config" ]; + paths = [ config.secrets.fullPaths."mpd-config" ]; }; services.mpd = { @@ -34,7 +34,7 @@ network.listenAddress = "any"; musicDirectory = config.myEnv.mpd.folder; extraConfig = '' - include "/var/secrets/mpd-config" + include "${config.secrets.fullPaths."mpd-config"}" audio_output { type "null" name "No Output" diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix index aea3ac0..ca9b6fc 100644 --- a/modules/private/ssh/default.nix +++ b/modules/private/ssh/default.nix 
@@ -61,7 +61,7 @@ in system.activationScripts.sshd = { deps = [ "secrets" ]; text = '' - install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password + install -Dm400 -o nobody -g nogroup -T ${config.secrets.fullPaths."ssh-ldap"} /etc/ssh/ldap_password ''; }; # ssh is strict about parent directory having correct rights, don't diff --git a/modules/private/system.nix b/modules/private/system.nix index c7e277c..8be7368 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix @@ -1,6 +1,14 @@ { pkgs, lib, config, name, nodes, ... }: { config = { + deployment.secrets."secret_vars.yml" = { + source = builtins.toString ../../nixops/secrets/vars.yml; + destination = config.secrets.secretsVars; + owner.user = "root"; + owner.group = "root"; + permissions = "0400"; + }; + networking.extraHosts = builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v.config.hostEnv.ips.main.ip4} ${n}") nodes); @@ -9,6 +17,7 @@ secrets.gpgKeys = [ ../../nixops/public_keys/Immae.pub ]; + secrets.secretsVars = "/run/keys/vars.yml"; services.openssh.enable = true; diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index 6c570c8..0830f18 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix @@ -125,7 +125,7 @@ services.netdata.config.health."enabled" = "no"; services.netdata.config.web.mode = "none"; users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; - environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf"; + environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; secrets.keys = [ { dest = "netdata-stream.conf"; diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix index e335080..91d30fd 100644 --- a/modules/private/system/monitoring-1.nix +++ b/modules/private/system/monitoring-1.nix 
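Review bot: Nothing on the new `deployment.secrets."secret_vars.yml"` block records that `../../nixops/secrets/vars.yml` must already be sops-encrypted, yet that is what the secrets activation script in flakes/secrets/flake.nix relies on when it runs `sops -d ${config.secrets.secretsVars}` on the deployed copy; a plaintext file would be shipped to `/run/keys/vars.yml` as-is and then presumably rejected by sops. A one-line comment above the block, `# vars.yml is sops ciphertext; the secrets activation script decrypts it on the target with secrets.decryptKey`, keeps that contract next to the deployment entry. Worth noting as well that `secrets.deleteSecretsVars` stays at its default of false here, so the encrypted copy remains under `/run/keys` after activation, which is fine only as long as it is understood to be ciphertext.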
@@ -43,7 +43,7 @@ services.netdata.config.web."allow netdata.conf from" = "fd*"; services.netdata.config.web."allow management from" = "fd*"; networking.firewall.allowedTCPPorts = [ 19999 ]; - environment.etc."netdata/stream.conf".source = "/var/secrets/netdata-stream.conf"; + environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; secrets.keys = [ { diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix index 0148650..491e215 100644 --- a/modules/private/system/quatresaisons.nix +++ b/modules/private/system/quatresaisons.nix @@ -53,7 +53,7 @@ let chmod go-rwx /var/lib/nixos/sponsored_users echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \ - -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) </dev/null >/dev/null || true) </dev/null >/dev/null || true + ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true # Remove obsolete users ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\ diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix index 8748058..68ce274 100644 --- a/modules/private/system/quatresaisons/databases.nix +++ b/modules/private/system/quatresaisons/databases.nix @@ -2,7 +2,7 @@ { config = let serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; - phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; }; + phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; in { services.postgresql.enable = true; services.postgresql.package = pkgs.postgresql_12; 
@@ -94,7 +94,7 @@
 by anonymous auth
 by * break
 '';
- rootpwFile = "${config.secrets.location}/ldap/password";
+ rootpwFile = config.secrets.fullPaths."ldap/password";
 suffix = "dc=salle-s,dc=org";
 rootdn = "cn=root,dc=salle-s,dc=org";
 database = "hdb";
@@ -120,7 +120,7 @@
 group = "wwwrun";
 settings = let
- basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+ basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
 in {
 "listen.owner" = "wwwrun";
 "listen.group" = "wwwrun";
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index a678374..b3f1b7b 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -161,7 +161,7 @@ in {
 dateformat=${dateFormat}
 '';
 }) env.taskwarrior-web);
- services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
+ services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
 services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
 services.websites.env.tools.vhostConfs.task = {
 certName = "eldiron";
@@ -176,7 +176,7 @@ in {
 SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
- Include /var/secrets/webapps/tools-taskwarrior-web
+ Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
 '' ''
@@ -328,7 +328,7 @@ in {
 after = [ "network.target" ];
 path = [ pkgs.taskwarrior ];
- environment.TASKRC = "/var/secrets/webapps/tools-taskwarrior/${name}-taskrc";
+ environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
 environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
 environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
 environment.LC_ALL = "fr_FR.UTF-8";
diff --git a/modules/private/websites/connexionswing/app/default.nix b/modules/private/websites/connexionswing/app/default.nix
index 31e88db..b14b03b 100644
--- a/modules/private/websites/connexionswing/app/default.nix
+++ b/modules/private/websites/connexionswing/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/connexionswing_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-connexionswing"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, fetchgit, sources }:
 let
 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
index 809f615..8fb6a4d 100644
--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -52,7 +52,7 @@ let
 LDAPOpCacheTTL 600
- Include /var/secrets/apache-ldap
+ Include ${config.secrets.fullPaths."apache-ldap"}
 '';
 };
 global = {
@@ -149,9 +149,9 @@ in
 };
 };
- services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ];
- services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ];
- services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ];
+ services.filesWatcher.httpdProd.paths = [ config.secrets.fullPaths."apache-ldap" ];
+ services.filesWatcher.httpdInte.paths = [ config.secrets.fullPaths."apache-ldap" ];
+ services.filesWatcher.httpdTools.paths = [ config.secrets.fullPaths."apache-ldap" ];
 services.websites.env.production = {
 enable = true;
diff --git a/modules/private/websites/florian/app/default.nix b/modules/private/websites/florian/app/default.nix
index 2ef0e86..28a7ec1 100644
--- a/modules/private/websites/florian/app/default.nix
+++ b/modules/private/websites/florian/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/tellesflorian_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-tellesflorian"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, sources }:
 let
 app = composerEnv.buildPackage (
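Review bot: Dropping the `?` defaults turns `environment`, `varDir` and `secretsPath` into required arguments of this package function, so every site that imports or `callPackage`s it must now pass all three; none of those call sites are in this chunk, so I could not confirm they were all updated. The identical hunks in florian, ludivine and piedsjaloux `app/default.nix` carry the same requirement. Removing the `/var/secrets/...` default here is the right way to keep the secrets location out of the package, provided the caller derives `secretsPath` from `config.secrets.fullPaths`; a one-line comment above the argument set, e.g. `# environment, varDir and secretsPath are supplied by the module that wires this app in`, would tell the next reader where they come from.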
diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix
index fd54f5e..8518283 100644
--- a/modules/private/websites/immae/temp.nix
+++ b/modules/private/websites/immae/temp.nix
@@ -56,7 +56,7 @@ in {
 exec ${pkgs.webapps.surfer}/bin/surfer-server ${varDir}
 '';
 serviceConfig = {
- EnvironmentFile = "/var/secrets/webapps/surfer";
+ EnvironmentFile = config.secrets.fullPaths."webapps/surfer";
 User = "wwwrun";
 Group = "wwwrun";
 StateDirectory = "surfer";
diff --git a/modules/private/websites/ludivine/app/default.nix b/modules/private/websites/ludivine/app/default.nix
index 6e751b0..323b6e0 100644
--- a/modules/private/websites/ludivine/app/default.nix
+++ b/modules/private/websites/ludivine/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/ludivinecassal_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-ludivinecassal"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, fetchgit, imagemagick, sass, ruby, sources }:
 let
 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/piedsjaloux/app/default.nix b/modules/private/websites/piedsjaloux/app/default.nix
index a3d48bd..4525a18 100644
--- a/modules/private/websites/piedsjaloux/app/default.nix
+++ b/modules/private/websites/piedsjaloux/app/default.nix
@@ -1,6 +1,4 @@
-{ environment ? "prod"
-, varDir ? "/var/lib/piedsjaloux_${environment}"
-, secretsPath ? "/var/secrets/webapps/${environment}-piedsjaloux"
+{ environment, varDir, secretsPath
 , composerEnv, fetchurl, fetchgit, sources }:
 let
 app = composerEnv.buildPackage (
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix
index c374940..471858a 100644
--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -157,7 +157,7 @@ in {
 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
 (n: v: "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
 ) confs)}
- #install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
+ #install -D -m 0600 -o wwwrun -g wwwrun -T ${config.secrets.fullPaths."webapps/tools-nextcloud"} ${varDir}/config/config.php
 '';
 };
 # FIXME: add a warning when config.php changes
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
index 9d6cd21..eeac1b5 100644
--- a/modules/private/websites/tools/dav/davical.nix
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
+{ stdenv, fetchurl, gettext, writeText, env, awl, davical, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -65,7 +65,7 @@ rec {
 include('drivers_ldap.php');
 '';
 }];
- webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
+ webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
 webRoot = "${webapp}/htdocs";
 apache = rec {
 user = "wwwrun";
@@ -110,7 +110,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
+ basedir = builtins.concatStringsSep ":" [ webapp config.secrets.fullPaths."webapps/dav-davical" awl ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix
index f53cf58..c54e152 100644
--- a/modules/private/websites/tools/dav/default.nix
+++ b/modules/private/websites/tools/dav/default.nix
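Review bot: `davical.nix` now takes the whole NixOS `config` only to read one path twice (`config.secrets.fullPaths."webapps/dav-davical"` in the `webapp` override and in `basedir`), which couples a package expression to the entire module configuration and makes the argument list say nothing about what the file really depends on. Passing just the path keeps the narrow contract the `app/default.nix` files in this same patch use: `{ stdenv, fetchurl, gettext, writeText, env, awl, davical, secretsPath }:` here and `secretsPath = config.secrets.fullPaths."webapps/dav-davical";` at the `callPackage` site in `dav/default.nix`. The same `inherit config;` pattern is repeated for mantisbt.nix, roundcubemail.nix, dmarc_reports.nix, kanboard.nix, ldap.nix, shaarli.nix, ttrss.nix, wallabag.nix and yourls.nix; in ldap.nix and quatresaisons/databases.nix it additionally produces `config = config.secrets.fullPaths."webapps/tools-ldap";`, which is correct only because the attribute set is not `rec` and reads as self-referential.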
@@ -18,6 +18,7 @@ let
 davical = pkgs.callPackage ./davical.nix {
 env = config.myEnv.tools.davical;
 inherit (pkgs.webapps) davical awl;
+ inherit config;
 };
 cfg = config.myServices.websites.tools.dav;
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix
index 5d2b19f..663fe88 100644
--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -17,6 +17,13 @@ in {
 users.users.diaspora.extraGroups = [ "keys" ];
 secrets.keys = [
+ {
+ dest = "webapps/diaspora";
+ isDir = true;
+ user = "diaspora";
+ group = "diaspora";
+ permissions = "0500";
+ }
 {
 dest = "webapps/diaspora/diaspora.yml";
 user = "diaspora";
@@ -146,7 +153,7 @@ in {
 package = pkgs.webapps.diaspora.override { ldap = true; };
 dataDir = "/var/lib/diaspora_immae";
 adminEmail = "diaspora@tools.immae.eu";
- configDir = "/var/secrets/webapps/diaspora";
+ configDir = config.secrets.fullPaths."webapps/diaspora";
 };
 services.filesWatcher.diaspora = {
diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix
index 3350a4a..64e411d 100644
--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -166,9 +166,9 @@ in {
 p.ep_timesliderdiff
 ]);
 modules = [];
- sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
- apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
- configFile = "/var/secrets/webapps/tools-etherpad";
+ sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
+ apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
+ configFile = config.secrets.fullPaths."webapps/tools-etherpad";
 };
 systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix
index 8b1afa8..755bab0 100644
--- a/modules/private/websites/tools/git/default.nix
+++ b/modules/private/websites/tools/git/default.nix
@@ -3,6 +3,7 @@ let
 mantisbt = pkgs.callPackage ./mantisbt.nix {
 inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
 env = config.myEnv.tools.mantisbt;
+ inherit config;
 };
 gitweb = pkgs.callPackage ./gitweb.nix {
 gitoliteDir = config.myServices.gitolite.gitoliteDir;
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix
index 9996d23..e6a8da7 100644
--- a/modules/private/websites/tools/git/mantisbt.nix
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -1,4 +1,4 @@
-{ env, mantisbt_2, mantisbt_2-plugins }:
+{ env, mantisbt_2, mantisbt_2-plugins, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -46,7 +46,7 @@ rec {
 $g_ldap_organization = '${env.ldap.filter}';
 '';
 }];
- webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
+ webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -75,7 +75,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-mantisbt" ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-mantisbt" ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix
index 4636a6c..033a587 100644
--- a/modules/private/websites/tools/mail/default.nix
+++ b/modules/private/websites/tools/mail/default.nix
@@ -3,6 +3,7 @@ let
 roundcubemail = pkgs.callPackage ./roundcubemail.nix {
 inherit (pkgs.webapps) roundcubemail;
 env = config.myEnv.tools.roundcubemail;
+ inherit config;
 };
 rainloop = pkgs.callPackage ./rainloop.nix {
 rainloop = pkgs.rainloop-community;
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix
index bb7dee9..7d8e733 100644
--- a/modules/private/websites/tools/mail/roundcubemail.nix
+++ b/modules/private/websites/tools/mail/roundcubemail.nix
@@ -1,4 +1,4 @@
-{ env, roundcubemail, apacheHttpd }:
+{ env, roundcubemail, apacheHttpd, config }:
 rec {
 varDir = "/var/lib/roundcubemail";
 activationScript = {
@@ -75,7 +75,7 @@ rec {
 $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
 '';
 }];
- webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
+ webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -99,7 +99,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-roundcube" varDir ]
 ++ webRoot.plugins ++ webRoot.skins);
 pool = {
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
index 80d7431..cea8710 100644
--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -62,7 +62,7 @@ in {
 }];
 services.mastodon = {
 enable = true;
- configFile = "/var/secrets/webapps/tools-mastodon";
+ configFile = config.secrets.fullPaths."webapps/tools-mastodon";
 socketsPrefix = "live_immae";
 dataDir = "/var/lib/mastodon_immae";
 };
diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix
index 719d3d3..6d6a5a4 100644
--- a/modules/private/websites/tools/mgoblin/default.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -84,7 +84,7 @@ in {
 services.mediagoblin = {
 enable = true;
 package = pkgs.webapps.mediagoblin.withPlugins (p: [p.basicsearch]);
- configFile = "/var/secrets/webapps/tools-mediagoblin";
+ configFile = config.secrets.fullPaths."webapps/tools-mediagoblin";
 };
 services.filesWatcher.mediagoblin-web = {
 restart = true;
diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix
index d2cbe40..7dcc998 100644
--- a/modules/private/websites/tools/peertube/default.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -14,7 +14,7 @@ in {
 };
 services.peertube = {
 enable = true;
- configFile = "/var/secrets/webapps/tools-peertube";
+ configFile = config.secrets.fullPaths."webapps/tools-peertube";
 };
 users.users.peertube.extraGroups = [ "keys" ];
diff --git a/modules/private/websites/tools/performance/default.nix b/modules/private/websites/tools/performance/default.nix
index df2b58d..5afd639 100644
--- a/modules/private/websites/tools/performance/default.nix
+++ b/modules/private/websites/tools/performance/default.nix
@@ -80,7 +80,7 @@ in
 "pm.min_spare_servers" = "1";
 "pm.max_spare_servers" = "10";
- "php_admin_value[open_basedir]" = "${package}:/tmp:/var/secrets/status_engine_ui";
+ "php_admin_value[open_basedir]" = "${package}:/tmp:${config.secrets.fullPaths."status_engine_ui"}";
 };
 phpPackage = pkgs.php74;
 };
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index ac92ef4..ada6253 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -12,8 +12,10 @@ let
 inherit (pkgs.webapps) ttrss ttrss-plugins;
 env = config.myEnv.tools.ttrss;
 php = pkgs.php72;
+ inherit config;
 };
 kanboard = pkgs.callPackage ./kanboard.nix {
+ inherit config;
 env = config.myEnv.tools.kanboard;
 };
 wallabag = pkgs.callPackage ./wallabag.nix {
@@ -23,10 +25,12 @@ let
 };
 };
 env = config.myEnv.tools.wallabag;
+ inherit config;
 };
 yourls = pkgs.callPackage ./yourls.nix {
 inherit (pkgs.webapps) yourls yourls-plugins;
 env = config.myEnv.tools.yourls;
+ inherit config;
 };
 rompr = pkgs.callPackage ./rompr.nix {
 inherit (pkgs.webapps) rompr;
@@ -34,6 +38,7 @@ let
 };
 shaarli = pkgs.callPackage ./shaarli.nix {
 env = config.myEnv.tools.shaarli;
+ inherit config;
 };
 dokuwiki = pkgs.callPackage ./dokuwiki.nix {
 inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
@@ -41,6 +46,7 @@ let
 ldap = pkgs.callPackage ./ldap.nix {
 inherit (pkgs.webapps) phpldapadmin;
 env = config.myEnv.tools.phpldapadmin;
+ inherit config;
 };
 grocy = pkgs.callPackage ./grocy.nix {
 grocy = pkgs.webapps.grocy.override { composerEnv = pkgs.composerEnv.override { php = pkgs.php72; }; };
@@ -56,6 +62,7 @@ let
 };
 dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
 env = config.myEnv.tools.dmarc_reports;
+ inherit config;
 };
 csp-reports = pkgs.callPackage ./csp_reports.nix {
 env = config.myEnv.tools.csp_reports;
@@ -188,8 +195,8 @@ in {
 Require all granted
- Alias /webhooks ${config.secrets.location}/webapps/webhooks
-
+ Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
+
 Options -Indexes
 Require all granted
 AllowOverride None
@@ -271,7 +278,7 @@ in {
 description = "Standalone MPD Web GUI written in C";
 wantedBy = [ "multi-user.target" ];
 script = ''
- export MPD_PASSWORD=$(cat /var/secrets/mpd)
+ export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
 '';
 };
@@ -293,7 +300,7 @@ in {
 services.filesWatcher.ympd = {
 restart = true;
- paths = [ "/var/secrets/mpd" ];
+ paths = [ config.secrets.fullPaths."mpd" ];
 };
 services.phpfpm.pools = {
@@ -313,9 +320,9 @@ in {
 "php_value[session.name]" = "ToolsPHPSESSID";
 "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
 "/run/wrappers/bin/sendmail" landing "/tmp"
- "${config.secrets.location}/webapps/webhooks"
+ config.secrets.fullPaths."webapps/webhooks"
 ];
- "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
+ "include" = config.secrets.fullPaths."webapps/tools-csp-reports.conf";
 };
 phpEnv = {
 CONTACT_EMAIL = config.myEnv.tools.contact;
@@ -438,11 +445,11 @@ in {
 };
 services.websites.env.tools.watchPaths = [
- "/var/secrets/webapps/tools-shaarli"
+ config.secrets.fullPaths."webapps/tools-shaarli"
 ];
 services.filesWatcher.phpfpm-wallabag = {
 restart = true;
- paths = [ "/var/secrets/webapps/tools-wallabag" ];
+ paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
 };
 };
diff --git a/modules/private/websites/tools/tools/dmarc_reports.nix b/modules/private/websites/tools/tools/dmarc_reports.nix
index e264e80..5fdf0b6 100644
--- a/modules/private/websites/tools/tools/dmarc_reports.nix
+++ b/modules/private/websites/tools/tools/dmarc_reports.nix
@@ -1,4 +1,4 @@
-{ env }:
+{ env, config }:
 rec {
 keys = [{
 dest = "webapps/tools-dmarc-reports.php";
@@ -43,7 +43,7 @@ rec {
 };
 phpFpm = rec {
 basedir = builtins.concatStringsSep ":"
- [ webRoot "/var/secrets/webapps/tools-dmarc-reports.php" ];
+ [ webRoot config.secrets.fullPaths."webapps/tools-dmarc-reports.php" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
@@ -55,7 +55,7 @@ rec {
 "php_admin_value[open_basedir]" = "${basedir}:/tmp";
 };
 phpEnv = {
- SECRETS_FILE = "/var/secrets/webapps/tools-dmarc-reports.php";
+ SECRETS_FILE = config.secrets.fullPaths."webapps/tools-dmarc-reports.php";
 };
 };
 }
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 0f6fefc..1a70499 100644
--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -1,4 +1,4 @@
-{ env, kanboard }:
+{ env, kanboard, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -42,7 +42,7 @@ rec {
 ?>
 '';
 }];
- webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
+ webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -68,7 +68,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot varDir config.secrets.fullPaths."webapps/tools-kanboard" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
index 0c1a21f..cb90edc 100644
--- a/modules/private/websites/tools/tools/ldap.nix
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -1,4 +1,4 @@
-{ lib, php, env, writeText, phpldapadmin }:
+{ lib, php, env, writeText, phpldapadmin, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -32,7 +32,7 @@ rec {
 $servers->setValue('login','fallback_dn',true);
 '';
 }];
- webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+ webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -54,7 +54,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot config.secrets.fullPaths."webapps/tools-ldap" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index d11f525..80c6a89 100644
--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -1,4 +1,4 @@
-{ lib, env, stdenv, fetchurl, shaarli }:
+{ lib, env, stdenv, fetchurl, shaarli, config }:
 let
 varDir = "/var/lib/shaarli";
 in rec {
@@ -21,7 +21,7 @@ in rec {
 vhostConf = socket: ''
 Alias /Shaarli "${root}"
- Include /var/secrets/webapps/tools-shaarli
+ Include ${config.secrets.fullPaths."webapps/tools-shaarli"}
 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index ce1ab8e..eb1d415 100644
--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -1,4 +1,4 @@
-{ php, env, ttrss, ttrss-plugins }:
+{ php, env, ttrss, ttrss-plugins, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -88,7 +88,7 @@ rec {
 define('LDAP_AUTH_DEBUG', FALSE);
 '';
 }];
- webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (p: [
+ webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [
 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua
 (p.af_feedmod.override { patched = true; })
 (p.feediron.override { patched = true; })
@@ -116,7 +116,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-ttrss" varDir ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index 1cb0645..1a604c7 100644
--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -1,4 +1,4 @@
-{ env, wallabag, mylibs }:
+{ env, wallabag, mylibs, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -69,7 +69,7 @@ rec {
 arguments: ['/run/wrappers/bin/sendmail -bs']
 '';
 }];
- webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
+ webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; };
 activationScript = ''
 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
 ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
@@ -125,11 +125,11 @@ rec {
 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
- sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
+ sha512sum ${config.secrets.fullPaths."webapps/tools-wallabag"} > ${varDir}/currentKey
 fi
 '';
 serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
+ basedir = builtins.concatStringsSep ":" [ webappDir config.secrets.fullPaths."webapps/tools-wallabag" varDir ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/webhooks.nix b/modules/private/websites/tools/tools/webhooks.nix
index 885b68b..8ffb81b 100644
--- a/modules/private/websites/tools/tools/webhooks.nix
+++ b/modules/private/websites/tools/tools/webhooks.nix
@@ -6,5 +6,11 @@
 group = "wwwrun";
 permissions = "0400";
 text = v;
- }) env;
+ }) env ++ [{
+ dest = "webapps/webhooks";
+ isDir = true;
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0500";
+ }];
 }
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
index 77ac0a3..0f977f2 100644
--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -1,4 +1,4 @@
-{ env, yourls, yourls-plugins }:
+{ env, yourls, yourls-plugins, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -40,7 +40,7 @@ rec {
 define( 'LDAPAUTH_USERCACHE_TYPE', 0);
 '';
 }];
- webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
+ webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
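Review bot: In webhooks.nix the new `isDir = true` entry for `webapps/webhooks` is appended after the per-file entries (`env ++ [{ ... }]`), while the equivalent directory entry in diaspora/default.nix is placed before its files; if the replacement secrets module applies `secrets.keys` in list order (the deleted modules/secrets.nix ran a per-entry `mkdir -p`, and whether the new one does the same is not visible here), the final owner and `0500` mode of the directory depend on which entry is processed last. Worth confirming that the directory entry's `wwwrun`/`0500` wins in both orders, and picking one placement for both files so readers do not have to reason about it. A short comment on the entry, e.g. `# directory entry: sets owner/mode of the secrets dir itself, not of the files in it`, would also clarify why a directory appears in a list of keys.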
@@ -70,7 +70,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "mysql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-yourls" ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-yourls" ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;
diff --git a/modules/secrets.nix b/modules/secrets.nix
deleted file mode 100644
index 86d276a..0000000
--- a/modules/secrets.nix
+++ /dev/null
@@ -1,113 +0,0 @@ -{ lib, pkgs, config, ... }: -{ - options.secrets = { - keys = lib.mkOption { - type = lib.types.listOf lib.types.unspecified; - default = []; - description = "Keys to upload to server"; - }; - gpgKeys = lib.mkOption { - type = lib.types.listOf lib.types.path; - default = []; - description = "GPG public keys files to encrypt to"; - }; - ageKeys = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "AGE keys to encrypt to"; - }; - decryptKey = lib.mkOption { - type = lib.types.str; - default = "/etc/ssh/ssh_host_ed25519_key"; - description = "ed25519 key used to decrypt with AGE"; - }; - location = lib.mkOption { - type = lib.types.path; - default = "/var/secrets"; - description = "Location where to put the keys"; - }; - secretsVars = lib.mkOption { - type = lib.types.path; - default = "/run/keys/vars.yml"; - description = "Location where the secrets variables are defined, to be used to fill the templates in secrets"; - }; - deleteSecretsVars = lib.mkOption { - type = lib.types.bool; - default = false; - description = "Delete secrets file after deployment"; - }; - # Read-only variables - fullPaths = lib.mkOption { - type = lib.types.attrsOf lib.types.path; - default = builtins.listToAttrs - (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys); - readOnly = true; - description = "set of full paths to secrets"; - }; - }; - - config = let - location = config.secrets.location; - keys = config.secrets.keys; - empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; - fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}"; - dumpKey = v: '' - mkdir -p secrets/$(dirname ${v.dest}) - echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v} - cat >> mods </dev/null - fingerprints=$fingerprints,$(cat $key | gpg --with-colons --import-options show-only --import 2>/dev/null | grep ^fpr | cut -d: -f10 | head 
-n1) - done - - sops --age ${builtins.concatStringsSep "," config.secrets.ageKeys} --pgp ''${fingerprints#,} --input-type binary -i -e $out 2>/dev/null - ''; - in lib.mkIf (builtins.length keys > 0) { - system.activationScripts.secrets = { - deps = [ "users" "wrappers" ]; - text = '' - install -m0750 -o root -g keys -d ${location} - TMP=$(${pkgs.coreutils}/bin/mktemp -d) - TMPWORK=$(${pkgs.coreutils}/bin/mktemp -d) - chmod go-rwx $TMPWORK - if [ -n "$TMP" -a -n "$TMPWORK" ]; then - install -m0750 -o root -g keys -d $TMP - ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i ${config.secrets.decryptKey} -o $TMPWORK/keys.txt - SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${secrets} | ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -x - if [ -f ${config.secrets.secretsVars} ]; then - SOPS_AGE_KEY_FILE=$TMPWORK/keys.txt ${pkgs.sops}/bin/sops -d ${config.secrets.secretsVars} > $TMPWORK/vars.yml - fi - if [ -f $TMPWORK/vars.yml ]; then - find $TMP -name "*.gucci.tpl" -exec \ - /bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f '$TMPWORK'/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \; - fi - find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \; - ${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location} - rm -rf $TMP $TMPWORK ${lib.optionalString config.secrets.deleteSecretsVars config.secrets.secretsVars} - fi - ''; - }; - - deployment.secrets."secret_vars.yml" = { - source = builtins.toString ../nixops/secrets/vars.yml; - destination = config.secrets.secretsVars; - owner.user = "root"; - owner.group = "root"; - permissions = "0400"; - }; - }; -} diff --git a/nixops/secrets b/nixops/secrets index a1e6498..0b9f489 160000 --- a/nixops/secrets +++ b/nixops/secrets 
@@ -1 +1 @@
-Subproject commit a1e6498139cc51a3d68e5655480542e6ccd3a45f
+Subproject commit 0b9f489a7e2e01208d4285c26348b4fa09607e1b
-- 
2.41.0