forked from hacc/haccfiles
move all on-disk secrets into sops
this only concerns secrets which are in a raw file. Some of our services (e.g. nextclouds) keeps secrets in its database; these remain untouched. Not yet deployed because of shitty train internet.
This commit is contained in:
parent
0d75469590
commit
003f2f7e44
5 changed files with 42 additions and 5 deletions
16
README.md
16
README.md
|
@ -36,6 +36,22 @@ nix build .#nixosConfigurations.parsons.config.system.build.toplevel
|
|||
|
||||
(but you might have trouble deploying it)
|
||||
|
||||
## Secret management
|
||||
|
||||
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
|
||||
like to have in Git but don't want to be public. Entires in `secrets.yaml` are
|
||||
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
|
||||
derived from ssh keys.
|
||||
|
||||
For the initial set up, please take a look at the sops-nix Readme file.
|
||||
|
||||
To edit the secrets file, just use `sops secrets.yaml`, which will decrypt the
|
||||
file & open it in your $EDITOR, then re-encrypt it when you're done.
|
||||
|
||||
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
|
||||
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
|
||||
the new set of keys.
|
||||
|
||||
## Working on websites
|
||||
|
||||
Websites are exposed as flake outputs: if you're working on a website & want to
|
||||
|
|
10
secrets.yaml
10
secrets.yaml
|
@ -1,5 +1,11 @@
|
|||
hedgedoc-hacc:
|
||||
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
||||
mattermost:
|
||||
env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
|
||||
tracktrain:
|
||||
env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -78,8 +84,8 @@ sops:
|
|||
ejdpTEtMNFNIVWlYMGtuMTJZbHZabUEKBGLoMDZQVwENcAXee8m4fsEmwFl/As6H
|
||||
346X4tfBghf1tk857h/1j5sXj3ZgyHvMlIavnS3AoVlOIsgxI1BYMg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-05-03T20:22:26Z"
|
||||
mac: ENC[AES256_GCM,data:cWTFvscm8ViB9iqW13bUxc4xJrkNMzRqQE2mWwyG/ttQA4CCqmAzN0Z+0klCFYsOl1Evwp/AFVWhV/8ByduexEwMtkeh+nFL/GmMeuo78wMrswylFKhSoijwhE/+CgD5pT6JgMNfsOdaL5b9unsqq6cXgVQ0gL5TXsNN/b2tk/Q=,iv:1NWna09StYs5LTVmDH56pc0n5rFeyJboMEP0Hn/Pa3w=,tag:kWJLiLKRoSfTtzIpHGxN7A==,type:str]
|
||||
lastmodified: "2023-05-03T20:47:22Z"
|
||||
mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
|
|
@ -3,6 +3,11 @@
|
|||
let
|
||||
mattermost = pkgs.mattermost;
|
||||
in {
|
||||
|
||||
sops.secrets = {
|
||||
"mattermost/env" = {};
|
||||
};
|
||||
|
||||
containers.mattermost = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
|
@ -14,6 +19,7 @@ in {
|
|||
hostPath = "/persist/containers/mattermost";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/secrets".hostPath = "/run/secrets/mattermost";
|
||||
};
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
|
@ -23,7 +29,7 @@ in {
|
|||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||
"/persist/mattermost/secrets.env";
|
||||
"/secrets/env";
|
||||
# overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
|
||||
systemd.services.mattermost.serviceConfig.ExecStart =
|
||||
lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
|
||||
|
|
|
@ -17,6 +17,10 @@ let
|
|||
'';
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"tracktrain/env" = {};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -46,6 +50,7 @@ in
|
|||
hostPath = "/persist/containers/tracktrain";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/secrets".hostPath = "/run/secrets/tracktrain";
|
||||
};
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
|
@ -146,7 +151,7 @@ in
|
|||
};
|
||||
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/persist/secrets.env";
|
||||
"/secrets/env";
|
||||
});
|
||||
};
|
||||
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
sops.secrets = {
|
||||
"vaultwarden/env" = {};
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
config = {
|
||||
|
@ -27,7 +31,7 @@
|
|||
SMTP_USERNAME="noreply@infra4future.de";
|
||||
|
||||
};
|
||||
environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
|
||||
environmentFile = "/run/secrets/vaultwarden/env";
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/persist/data/vaultwarden_backups/";
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue