move all on-disk secrets into sops

this only concerns secrets which are in a raw file. Some of our services (e.g. nextclouds) keeps secrets in its database; these remain untouched. Not yet deployed because of shitty train internet.
2023-05-03 23:04:13 +02:00 · 2023-05-03 23:04:13 +02:00 · 003f2f7e44
commit 003f2f7e44
parent 0d75469590
5 changed files with 42 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -36,6 +36,22 @@ nix build .#nixosConfigurations.parsons.config.system.build.toplevel
 (but you might have trouble deploying it)
 ## Secret management
 We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
 like to have in Git but don't want to be public. Entires in `secrets.yaml` are
 encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
 derived from ssh keys.
 For the initial set up, please take a look at the sops-nix Readme file.
 To edit the secrets file, just use `sops secrets.yaml`, which will decrypt the
 file & open it in your $EDITOR, then re-encrypt it when you're done.
 To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
 `sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
 the new set of keys.
 ## Working on websites
 Websites are exposed as flake outputs: if you're working on a website & want to
--- a/secrets.yaml
+++ b/secrets.yaml
@ -1,5 +1,11 @@
 hedgedoc-hacc:
    env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
 mattermost:
    env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
 tracktrain:
    env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
 vaultwarden:
    env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -78,8 +84,8 @@ sops:
            ejdpTEtMNFNIVWlYMGtuMTJZbHZabUEKBGLoMDZQVwENcAXee8m4fsEmwFl/As6H
            346X4tfBghf1tk857h/1j5sXj3ZgyHvMlIavnS3AoVlOIsgxI1BYMg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-03T20:22:26Z"
+    lastmodified: "2023-05-03T20:47:22Z"
-    mac: ENC[AES256_GCM,data:cWTFvscm8ViB9iqW13bUxc4xJrkNMzRqQE2mWwyG/ttQA4CCqmAzN0Z+0klCFYsOl1Evwp/AFVWhV/8ByduexEwMtkeh+nFL/GmMeuo78wMrswylFKhSoijwhE/+CgD5pT6JgMNfsOdaL5b9unsqq6cXgVQ0gL5TXsNN/b2tk/Q=,iv:1NWna09StYs5LTVmDH56pc0n5rFeyJboMEP0Hn/Pa3w=,tag:kWJLiLKRoSfTtzIpHGxN7A==,type:str]
+    mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@ -3,6 +3,11 @@
 let
  mattermost = pkgs.mattermost;
 in {
  sops.secrets = {
    "mattermost/env" = {};
  };
  containers.mattermost = {
    autoStart = true;
    privateNetwork = true;
@ -14,6 +19,7 @@ in {
        hostPath = "/persist/containers/mattermost";
        isReadOnly = false;
      };
      "/secrets".hostPath = "/run/secrets/mattermost";
    };
    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
@ -23,7 +29,7 @@ in {
      nixpkgs.config.allowUnfree = true;
      systemd.services.mattermost.serviceConfig.EnvironmentFile =
-        "/persist/mattermost/secrets.env";
+        "/secrets/env";
      # overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
      systemd.services.mattermost.serviceConfig.ExecStart =
        lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
--- a/services/tracktrain.nix
+++ b/services/tracktrain.nix
@ -17,6 +17,10 @@ let
  '';
 in
 {
  sops.secrets = {
    "tracktrain/env" = {};
  };
  services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
    enableACME = true;
    forceSSL = true;
@ -46,6 +50,7 @@ in
        hostPath = "/persist/containers/tracktrain";
        isReadOnly = false;
      };
      "/secrets".hostPath = "/run/secrets/tracktrain";
    };
    path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
@ -146,7 +151,7 @@ in
      };
      systemd.services.grafana.serviceConfig.EnvironmentFile =
-        "/persist/secrets.env";
+        "/secrets/env";
    });
  };
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:
 {
  sops.secrets = {
    "vaultwarden/env" = {};
  };
  services.vaultwarden = {
    enable = true;
    config = {
@ -27,7 +31,7 @@
      SMTP_USERNAME="noreply@infra4future.de";
    };
-    environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
+    environmentFile = "/run/secrets/vaultwarden/env";
    dbBackend = "sqlite";
    backupDir = "/persist/data/vaultwarden_backups/";
  };