author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-01-02 10:59:09 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2021-01-29 13:16:06 +0100 |
commit | 50abe6fce134066851479a0df09a1db0a7219df2 (patch) | |
tree | daaa219164fbd3079b8a3d1cc32c86cf18a35996 /modules | |
parent | 0c506c055cb2fe42bcc92e905dc7996a75a66b7e (diff) | |
Use templated secrets to avoid having password in the store
Diffstat (limited to 'modules')
-rw-r--r-- | modules/private/websites/tools/cloud/default.nix | 2 | ||||
-rw-r--r-- | modules/secrets.nix | 23 |
2 files changed, 20 insertions, 5 deletions
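--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -84,7 +84,7 @@ in {
 include('${nextcloud}/version.php');
 $CONFIG = array (
 // FIXME: change this value when nextcloud starts getting slow
-'instanceid' => '${env.instance_id}1',
+'instanceid' => '${env.instance_id}',
 'datadirectory' => '/var/lib/nextcloud/',
 'passwordsalt' => '${env.password_salt}',
 'debug' => false,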
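--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -25,11 +25,12 @@
 location = config.secrets.location;
 keys = config.secrets.keys;
 empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+fpath = v: "secrets/${v.dest}${lib.optionalString (v.isTemplated or true) ".gucci.tpl"}";
 dumpKey = v: ''
 mkdir -p secrets/$(dirname ${v.dest})
-echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+echo -n ${lib.strings.escapeShellArg v.text} > ${fpath v}
 cat >> mods <<EOF
-${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} ${fpath v}
 EOF
 '';
 secrets = pkgs.runCommand "secrets.tar" {} ''
@@ -52,16 +53,30 @@
 if [ -n "$TMP" ]; then
 install -m0750 -o root -g keys -d $TMP
 ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
-sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+if [ -f /run/keys/vars.yml ]; then
+find $TMP -name "*.gucci.tpl" -exec \
+/bin/sh -c 'f="{}"; ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "''${f%.gucci.tpl}"; touch --reference "$f" ''${f%.gucci.tpl} ; chmod --reference="$f" ''${f%.gucci.tpl} ; chown --reference="$f" ''${f%.gucci.tpl}' \;
+sha512sum /run/keys/secrets.tar /run/keys/vars.yml > $TMP/currentSecrets
+else
+sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+fi
 find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
-${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+${pkgs.rsync}/bin/rsync --exclude="*.gucci.tpl" -O -c -av --delete $TMP/ ${location}
 rm -rf $TMP
 fi
 fi
 fi
 '';
 };
+
 system.extraDependencies = [ secrets ];
+deployment.secrets."secret_vars.yml" = {
+source = builtins.toString <privateFiles/vars.yml>;
+destination = "/run/keys/vars.yml";
+owner.user = "root";
+owner.group = "root";
+permissions = "0400";
+};
 deployment.secrets."secrets.tar" = {
 source = "${secrets}";
 destination = "/run/keys/secrets.tar";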
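Review bot: In the second hunk, the `gucci ... > "''${f%.gucci.tpl}"` redirection on the `find -exec` line creates the rendered secret before gucci runs, so a render failure (a variable missing from vars.yml, say) leaves an empty or truncated file that the rsync a few lines below then deploys as the live secret, and `find -exec ... \;` does not surface that failure to the enclosing script. The rendered file is also created with whatever umask the calling shell has and only narrowed afterwards by `chmod --reference`, and `f="{}"` splices the path into the shell program textually rather than passing it as an argument. Rendering to a temporary name and renaming on success, under `set -e` and `umask 077`, with the path passed as a positional parameter and the `{} +` form so that find's exit status reflects the failure, closes all three; the enclosing script then needs to act on that status with whatever failure handling it already uses. The shell block containing this find starts before the hunk, so I could not check whether it runs with `set -e`.
```nix
if [ -f /run/keys/vars.yml ]; then
  find $TMP -name "*.gucci.tpl" -exec /bin/sh -c '
    set -e; umask 077
    for f; do
      dst="''${f%.gucci.tpl}"
      ${pkgs.gucci}/bin/gucci -f /run/keys/vars.yml "$f" > "$dst.tmp"
      mv "$dst.tmp" "$dst"
      touch --reference "$f" "$dst"; chmod --reference="$f" "$dst"; chown --reference="$f" "$dst"
    done' _ {} + || exit 1
  # … unchanged: sha512sum of secrets.tar and vars.yml …
```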