From 003f2f7e44e7ccf44953790c00243420635fbe47 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 3 May 2023 23:04:13 +0200
Subject: [PATCH] move all on-disk secrets into sops

this only concerns secrets which are in a raw file. Some of our services (e.g. nextclouds) keeps secrets in its database; these remain untouched. Not yet deployed because of shitty train internet.
---
 README.md                | 16 ++++++++++++++++
 secrets.yaml             | 10 ++++++++--
 services/mattermost.nix  |  8 +++++++-
 services/tracktrain.nix  |  7 ++++++-
 services/vaultwarden.nix |  6 +++++-
 5 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 790b280..0b24852 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,22 @@ nix build .#nixosConfigurations.parsons.config.system.build.toplevel
 (but you might have trouble deploying it)
 
+## Secret management
+
+We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
+like to have in Git but don't want to be public. Entires in `secrets.yaml` are
+encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
+derived from ssh keys.
+
+For the initial set up, please take a look at the sops-nix Readme file.
+
+To edit the secrets file, just use `sops secrets.yaml`, which will decrypt the
+file & open it in your $EDITOR, then re-encrypt it when you're done.
+
+To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
+`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
+the new set of keys.
+
 ## Working on websites
 
 Websites are exposed as flake outputs: if you're working on a website & want to
diff --git a/secrets.yaml b/secrets.yaml
index ef2cff5..87cacaf 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,5 +1,11 @@
 hedgedoc-hacc:
     env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
+mattermost:
+    env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
+tracktrain:
+    env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
+vaultwarden:
+    env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -78,8 +84,8 @@ sops:
             ejdpTEtMNFNIVWlYMGtuMTJZbHZabUEKBGLoMDZQVwENcAXee8m4fsEmwFl/As6H
             346X4tfBghf1tk857h/1j5sXj3ZgyHvMlIavnS3AoVlOIsgxI1BYMg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-03T20:22:26Z"
-    mac: ENC[AES256_GCM,data:cWTFvscm8ViB9iqW13bUxc4xJrkNMzRqQE2mWwyG/ttQA4CCqmAzN0Z+0klCFYsOl1Evwp/AFVWhV/8ByduexEwMtkeh+nFL/GmMeuo78wMrswylFKhSoijwhE/+CgD5pT6JgMNfsOdaL5b9unsqq6cXgVQ0gL5TXsNN/b2tk/Q=,iv:1NWna09StYs5LTVmDH56pc0n5rFeyJboMEP0Hn/Pa3w=,tag:kWJLiLKRoSfTtzIpHGxN7A==,type:str]
+    lastmodified: "2023-05-03T20:47:22Z"
+    mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3
diff --git a/services/mattermost.nix b/services/mattermost.nix
index 397d567..7505138 100644
--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@@ -3,6 +3,11 @@
 let
   mattermost = pkgs.mattermost;
 in {
+
+  sops.secrets = {
+    "mattermost/env" = {};
+  };
+
   containers.mattermost = {
     autoStart = true;
     privateNetwork = true;
@@ -14,6 +19,7 @@ in {
         hostPath = "/persist/containers/mattermost";
         isReadOnly = false;
       };
+      "/secrets".hostPath = "/run/secrets/mattermost";
     };
 
     path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
@@ -23,7 +29,7 @@ in {
       nixpkgs.config.allowUnfree = true;
 
       systemd.services.mattermost.serviceConfig.EnvironmentFile =
-        "/persist/mattermost/secrets.env";
+        "/secrets/env";
       # overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
       systemd.services.mattermost.serviceConfig.ExecStart = lib.mkForce
         "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
diff --git a/services/tracktrain.nix b/services/tracktrain.nix
index e6eb67b..548f7ed 100644
--- a/services/tracktrain.nix
+++ b/services/tracktrain.nix
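Review bot: The bind mount `"/secrets".hostPath = "/run/secrets/mattermost";` is resolved once when the container starts, and because sops-nix (as far as I know) decrypts each activation into a fresh `/run/secrets.d/<generation>` directory and only re-points the `/run/secrets` symlink, the container keeps the previous generation's `env` after a redeploy until `container@mattermost.service` is restarted. Declaring the consumer on the secret closes that gap: `sops.secrets."mattermost/env".restartUnits = [ "container@mattermost.service" ];`. The default root:0400 mode of the decrypted file is adequate for `EnvironmentFile`, which systemd reads before switching to the service user, but a comment on the declaration would spare the next reader the check, e.g. `# root:0400 is fine: read by the container's systemd, not by the mattermost user`. The `containers.mattermost` definition and the `evalConfig` body continue outside the hunks.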
@@ -17,6 +17,10 @@ let
   '';
 in
 {
+  sops.secrets = {
+    "tracktrain/env" = {};
+  };
+
   services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
     enableACME = true;
     forceSSL = true;
@@ -46,6 +50,7 @@ in
         hostPath = "/persist/containers/tracktrain";
         isReadOnly = false;
       };
+      "/secrets".hostPath = "/run/secrets/tracktrain";
     };
 
     path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
@@ -146,7 +151,7 @@ in
       };
 
       systemd.services.grafana.serviceConfig.EnvironmentFile =
-        "/persist/secrets.env";
+        "/secrets/env";
     });
   };
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 38fb26b..580bf0d 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 
 {
+  sops.secrets = {
+    "vaultwarden/env" = {};
+  };
+
   services.vaultwarden = {
     enable = true;
     config = {
@@ -27,7 +31,7 @@
       SMTP_USERNAME="noreply@infra4future.de";
     };
 
-    environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
+    environmentFile = "/run/secrets/vaultwarden/env";
     dbBackend = "sqlite";
     backupDir = "/persist/data/vaultwarden_backups/";
   };
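Review bot: Nothing in `sops.secrets."tracktrain/env" = {};` ties the secret to the unit that consumes it, so if sops-nix rotates the `/run/secrets.d/<generation>` target on activation as I believe it does, a rotated value is decrypted on the host while the running container still sees the `/run/secrets/tracktrain` directory it bind-mounted at start-up, and grafana (which reads `/secrets/env` in the last hunk) keeps the stale credentials until someone restarts it by hand. `sops.secrets."tracktrain/env".restartUnits = [ "container@tracktrain.service" ];` makes the restart automatic and records the dependency. The secret name also hides that grafana is its only reader; a comment such as `# EnvironmentFile for grafana inside the tracktrain container` on the declaration would help whoever next edits secrets.yaml. The `containers.tracktrain` block starts and ends outside the hunk.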
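Review bot: The new line `environmentFile = "/run/secrets/vaultwarden/env";` drops the only hint of what the file must contain (the removed `#contains SMTP_PASSWORD`), so nothing left in the module says which variables belong in the `vaultwarden/env` sops entry; keep it as `environmentFile = "/run/secrets/vaultwarden/env"; # must provide SMTP_PASSWORD`. Since the file is now rewritten on every activation, the secret should also declare `restartUnits = [ "vaultwarden.service" ];` so a rotated SMTP password is picked up without a manual restart; root:0400 is fine because systemd loads `EnvironmentFile` before dropping to the service user. The old plaintext file at `/persist/var/lib/vaultwarden/vaultwarden.env` is untouched by this change and will still be on disk after deployment, as will `/persist/mattermost/secrets.env` and `/persist/secrets.env`; remove them once the sops-backed paths are confirmed working. The enclosing `services.vaultwarden` set starts above the hunk.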