forked from hacc/haccfiles
move all on-disk secrets into sops
this only concerns secrets which are in a raw file. Some of our services (e.g. nextclouds) keeps secrets in its database; these remain untouched. Not yet deployed because of shitty train internet.
This commit is contained in:
parent
0d75469590
commit
003f2f7e44
5 changed files with 42 additions and 5 deletions
16
README.md
16
README.md
|
@ -36,6 +36,22 @@ nix build .#nixosConfigurations.parsons.config.system.build.toplevel
|
||||||
|
|
||||||
(but you might have trouble deploying it)
|
(but you might have trouble deploying it)
|
||||||
|
|
||||||
|
## Secret management
|
||||||
|
|
||||||
|
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
|
||||||
|
like to have in Git but don't want to be public. Entires in `secrets.yaml` are
|
||||||
|
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
|
||||||
|
derived from ssh keys.
|
||||||
|
|
||||||
|
For the initial set up, please take a look at the sops-nix Readme file.
|
||||||
|
|
||||||
|
To edit the secrets file, just use `sops secrets.yaml`, which will decrypt the
|
||||||
|
file & open it in your $EDITOR, then re-encrypt it when you're done.
|
||||||
|
|
||||||
|
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
|
||||||
|
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
|
||||||
|
the new set of keys.
|
||||||
|
|
||||||
## Working on websites
|
## Working on websites
|
||||||
|
|
||||||
Websites are exposed as flake outputs: if you're working on a website & want to
|
Websites are exposed as flake outputs: if you're working on a website & want to
|
||||||
|
|
10
secrets.yaml
10
secrets.yaml
|
@ -1,5 +1,11 @@
|
||||||
hedgedoc-hacc:
|
hedgedoc-hacc:
|
||||||
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
||||||
|
mattermost:
|
||||||
|
env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
|
||||||
|
tracktrain:
|
||||||
|
env: ENC[AES256_GCM,data:jaq039FNxBrsPfG/q+InYpiyl1LBdY++DlLM6UpSAwKlINucooTrHz51QrdRWhAZDqXhVTHM55Q/Zm4wazweCABiNjkXDFoZgxc5YJX+pvBct6M533xl109yD6KiYOXDqPY03u71aop8OmOAnKDp1JlzPS1otdlaN8Vd56G+,iv:nYU2rgMMG4QcJo5DnZpYZm1zr82idd7r1uTsqNiXLdA=,tag:9rdxAneYUREacXNunpTuHw==,type:str]
|
||||||
|
vaultwarden:
|
||||||
|
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -78,8 +84,8 @@ sops:
|
||||||
ejdpTEtMNFNIVWlYMGtuMTJZbHZabUEKBGLoMDZQVwENcAXee8m4fsEmwFl/As6H
|
ejdpTEtMNFNIVWlYMGtuMTJZbHZabUEKBGLoMDZQVwENcAXee8m4fsEmwFl/As6H
|
||||||
346X4tfBghf1tk857h/1j5sXj3ZgyHvMlIavnS3AoVlOIsgxI1BYMg==
|
346X4tfBghf1tk857h/1j5sXj3ZgyHvMlIavnS3AoVlOIsgxI1BYMg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-05-03T20:22:26Z"
|
lastmodified: "2023-05-03T20:47:22Z"
|
||||||
mac: ENC[AES256_GCM,data:cWTFvscm8ViB9iqW13bUxc4xJrkNMzRqQE2mWwyG/ttQA4CCqmAzN0Z+0klCFYsOl1Evwp/AFVWhV/8ByduexEwMtkeh+nFL/GmMeuo78wMrswylFKhSoijwhE/+CgD5pT6JgMNfsOdaL5b9unsqq6cXgVQ0gL5TXsNN/b2tk/Q=,iv:1NWna09StYs5LTVmDH56pc0n5rFeyJboMEP0Hn/Pa3w=,tag:kWJLiLKRoSfTtzIpHGxN7A==,type:str]
|
mac: ENC[AES256_GCM,data:5ks4oj4ILLZoJ8TAGLSktV+TZBt1igMOVTiRssr00xnMs1OpR4u0wqwbkM3e2vNP3Hk51AHn7J0W+Ex6f3/iuGdcpYmY/nmSuu+IRZkLL7UEulPm+FDUcw9wgifpNQ263LqvmtFmPURpx4jkTdvcKItWrN0ovV0Wk3jspQ4/QYA=,iv:Kp0cJCYSXBBD4nNetXs6XrFVEl77D7oPuJYAS91DEbU=,tag:b3KF/SFJf1TxDBJ+7KmFvg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|
|
@ -3,6 +3,11 @@
|
||||||
let
|
let
|
||||||
mattermost = pkgs.mattermost;
|
mattermost = pkgs.mattermost;
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"mattermost/env" = {};
|
||||||
|
};
|
||||||
|
|
||||||
containers.mattermost = {
|
containers.mattermost = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
|
@ -14,6 +19,7 @@ in {
|
||||||
hostPath = "/persist/containers/mattermost";
|
hostPath = "/persist/containers/mattermost";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
};
|
};
|
||||||
|
"/secrets".hostPath = "/run/secrets/mattermost";
|
||||||
};
|
};
|
||||||
|
|
||||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||||
|
@ -23,7 +29,7 @@ in {
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||||
"/persist/mattermost/secrets.env";
|
"/secrets/env";
|
||||||
# overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
|
# overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
|
||||||
systemd.services.mattermost.serviceConfig.ExecStart =
|
systemd.services.mattermost.serviceConfig.ExecStart =
|
||||||
lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
|
lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
|
||||||
|
|
|
@ -17,6 +17,10 @@ let
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
"tracktrain/env" = {};
|
||||||
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -46,6 +50,7 @@ in
|
||||||
hostPath = "/persist/containers/tracktrain";
|
hostPath = "/persist/containers/tracktrain";
|
||||||
isReadOnly = false;
|
isReadOnly = false;
|
||||||
};
|
};
|
||||||
|
"/secrets".hostPath = "/run/secrets/tracktrain";
|
||||||
};
|
};
|
||||||
|
|
||||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||||
|
@ -146,7 +151,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||||
"/persist/secrets.env";
|
"/secrets/env";
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
"vaultwarden/env" = {};
|
||||||
|
};
|
||||||
|
|
||||||
services.vaultwarden = {
|
services.vaultwarden = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = {
|
config = {
|
||||||
|
@ -27,7 +31,7 @@
|
||||||
SMTP_USERNAME="noreply@infra4future.de";
|
SMTP_USERNAME="noreply@infra4future.de";
|
||||||
|
|
||||||
};
|
};
|
||||||
environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
|
environmentFile = "/run/secrets/vaultwarden/env";
|
||||||
dbBackend = "sqlite";
|
dbBackend = "sqlite";
|
||||||
backupDir = "/persist/data/vaultwarden_backups/";
|
backupDir = "/persist/data/vaultwarden_backups/";
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue