Pass + Secrets rework in all services

This commit is contained in:
kat witch 2021-08-08 21:19:07 +01:00
parent 5dd38fac70
commit 5081308279
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
13 changed files with 78 additions and 83 deletions


@ -8,7 +8,6 @@ with lib;
imports = [
profiles.hardware.hcloud-imperative
users.kat.server
services.asterisk
services.fail2ban
services.filehost
services.gitea


@ -7,6 +7,7 @@
./fvwm.nix
./deploy.nix
./theme.nix
./secrets.nix
(sources.tf-nix + "/modules/home/secrets.nix")
];
}


@ -0,0 +1,15 @@
{ config, lib, ... }:
with lib;
{
options.kw = {
secrets = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
};
config = mkIf (config.kw.secrets != null) {
deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });
};
}
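Review bot: The new `kw.secrets` option has no `description`, so option docs give no hint that each listed name appears to become a `sensitive` `deploy.tf` variable that the variables module resolves by name through `tf.commandPrefix`. Add `description = "Names of external secrets; each becomes a sensitive deploy.tf variable looked up by name in the secret store.";` inside `mkOption`. The unused lambda parameter in `genAttrs` could be written `(_: { externalSecret = true; })` to make the intent explicit. With the `mkIf (config.kw.secrets != null)` guard, `nullOr` behaves the same as `default = []` here, unless `null` is meant to signal "unset" to some other module.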


@ -10,6 +10,7 @@ with lib;
config = mkIf config.externalSecret {
type = "string";
value.shellCommand = "${tf.commandPrefix} ${tf.folderPrefix}${tf.folderDivider}${escapeShellArg name}";
sensitive = true;
};
}));
};
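Review bot: `sensitive = true` only redacts the value from plan/apply output; the output of the shell command is presumably still recorded in the Terraform state in plaintext, and nothing in the hunk says so. A comment above it such as `# redacted from plan output only; the resolved value still ends up in terraform state` would keep the next reader from mistaking this for at-rest protection. The `mkIf config.externalSecret` block belongs to a definition that starts outside the hunk.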


@ -8,26 +8,17 @@ with lib;
};
config = mkIf (config.kw.dns.dynamic) {
deploy.tf.variables.dyn_username = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f username";
};
deploy.tf.variables.dyn_password = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f password";
};
deploy.tf.variables.dyn_hostname = {
type = "string";
value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname";
};
kw.secrets = [
"hexdns-key"
"hexdns-secret"
"hexdns-host"
];
secrets.files.kat-glauca-dns = {
text = ''
user="${tf.variables.dyn_username.ref}"
pass="${tf.variables.dyn_password.ref}"
hostname="${tf.variables.dyn_hostname.ref}"
user="${tf.variables.hexdns-key.ref}"
pass="${tf.variables.hexdns-secret.ref}"
hostname="${tf.variables.hexdns-host.ref}"
'';
};
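Review bot: The three new names in `kw.secrets` carry no hint of where they resolve, whereas the removed `bitw get infra/hexdns-dynamic -f …` commands made the origin of each value explicit; the only binding now is the by-name lookup done by the `externalSecret` variable module. A comment on the list, e.g. `# resolved by name through the externalSecret variable module; written into kat-glauca-dns`, would preserve that. Note also that `hexdns-host` becomes a `sensitive` variable although the dynamic-DNS hostname is not secret, so it will be redacted from plan output along with the key.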


@ -1,6 +1,18 @@
{ config, pkgs, tf, ... }:
{
kw.secrets = [
"gitea-mail-pass"
];
secrets.files.gitea-mail-passfile = {
text = ''
${tf.variables.gitea-mail-pass.ref};
'';
owner = "gitea";
group = "gitea";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "gitea" ];
@ -10,19 +22,6 @@
}];
};
deploy.tf.variables.gitea_mail = {
type = "string";
value.shellCommand = "bitw get infra/gitea-mail -f password";
};
secrets.files.gitea_mail = {
text = ''
${tf.variables.gitea_mail.ref};
'';
owner = "gitea";
group = "gitea";
};
services.gitea = {
enable = true;
disableRegistration = true;
@ -36,7 +35,7 @@
name = "gitea";
user = "gitea";
};
mailerPasswordFile = config.secrets.files.gitea_mail.path;
mailerPasswordFile = config.secrets.files.gitea-mail-passfile.path;
settings = {
security = { DISABLE_GIT_HOOKS = false; };
api = { ENABLE_SWAGGER = true; };
@ -73,7 +72,7 @@
locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
};
deploy.tf.dns.records.kittywitch_git = {
deploy.tf.dns.records.services_gitea = {
tld = config.kw.dns.tld;
domain = "git";
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
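Review bot: In the first hunk, `${tf.variables.gitea-mail-pass.ref};` keeps a trailing `;` inside the `gitea-mail-passfile` text, so the semicolon is written into the password file exactly as it was in the old `gitea_mail` file; if it is not part of the password, the line should be `${tf.variables.gitea-mail-pass.ref}`. If it is intentional, a comment saying so would stop the next rework from dropping it. The `kittywitch_git` → `services_gitea` record rename in the last hunk is consistent with the `services_mail_*` naming in the mail module.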


@ -5,10 +5,9 @@ with lib;
{
imports = [ sources.nixos-mailserver.outPath ];
deploy.tf.variables.domainkey_kitty = {
type = "string";
value.shellCommand = "bitw get infra/domainkey-kitty";
};
kw.secrets = [
"mail-domainkey-kitty"
];
deploy.tf.dns.records.services_mail_mx = {
tld = config.kw.dns.tld;
@ -34,7 +33,7 @@ with lib;
deploy.tf.dns.records.services_mail_domainkey = {
tld = config.kw.dns.tld;
domain = "mail._domainkey";
txt.value = tf.variables.domainkey_kitty.ref;
txt.value = tf.variables.mail-domainkey-kitty.ref;
};
mailserver = {
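Review bot: `mail-domainkey-kitty` feeds the TXT record at `mail._domainkey` (second hunk), a value that is published in DNS by design, yet listing it in `kw.secrets` makes it a `sensitive` Terraform variable; plan diffs for that record will then be redacted, hiding exactly the change a reviewer wants to see. If the entry holds the DKIM public key, a non-sensitive variable or a literal would fit better; at minimum a comment `# public DKIM key — sensitive only as a side effect of kw.secrets` records the trade-off.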


@ -7,8 +7,8 @@ with lib;
text = ''
RFC2136_NAMESERVER='ns1.as207960.net'
RFC2136_TSIG_ALGORITHM='hmac-sha512.'
RFC2136_TSIG_KEY='${tf.variables.glauca_key.ref}'
RFC2136_TSIG_SECRET='${tf.variables.glauca_secret.ref}'
RFC2136_TSIG_KEY='${tf.variables.rfc2136-key.ref}'
RFC2136_TSIG_SECRET='${tf.variables.rfc2136-secret.ref}'
'';
};


@ -3,6 +3,11 @@
with lib;
{
kw.secrets = [
"syncplay-pass"
"syncplay-salt"
];
users.users.syncplay = { isSystemUser = true; };
users.groups."sync-cert".members = [ "nginx" "syncplay" ];
@ -29,20 +34,10 @@ with lib;
cname.target = "${config.networking.hostName}.${config.kw.dns.tld}";
};
deploy.tf.variables.syncplay_pass = {
type = "string";
value.shellCommand = "bitw get infra/syncplay-server -f password";
};
deploy.tf.variables.syncplay_salt = {
type = "string";
value.shellCommand = "bitw get infra/syncplay-salt -f password";
};
secrets.files.syncplay-env = {
text = ''
SYNCPLAY_PASSWORD=${tf.variables.syncplay_pass.ref}
SYNCPLAY_SALT=${tf.variables.syncplay_salt.ref}
SYNCPLAY_PASSWORD=${tf.variables.syncplay-pass.ref}
SYNCPLAY_SALT=${tf.variables.syncplay-salt.ref}
'';
owner = "syncplay";
group = "sync-cert";
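Review bot: `syncplay-env` carries `SYNCPLAY_PASSWORD` and `SYNCPLAY_SALT` but stays `group = "sync-cert"`, and the first hunk shows `nginx` is a member of that group; if the file's mode (not visible in the hunk) grants group read, the reverse-proxy user can read the Syncplay password. That ownership predates this rework, but since the file is being rewired here it is a good moment to use `group = "syncplay"` or a dedicated group, or to confirm the mode denies group read. The values are also written unquoted, so a password containing spaces or `#` would break the environment file; a short comment noting that constraint would help.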


@ -5,30 +5,25 @@
folderPrefix = "secrets";
folderDivider = "/";
variables.hcloud_token = {
type = "string";
value.shellCommand = "bitw get infra/hcloud_token";
variables.rfc2136-key = {
externalSecret = true;
};
variables.rfc2136-secret = {
externalSecret = true;
};
variables.hcloud-token = {
externalSecret = true;
};
variables.glauca_key = {
type = "string";
value.shellCommand = "bitw get infra/rfc2136 -f username";
};
variables.glauca_secret = {
type = "string";
value.shellCommand = "bitw get infra/rfc2136 -f password";
};
providers.hcloud = { inputs.token = config.variables.hcloud-token.ref; };
dns.zones."kittywit.ch." = { provider = "dns"; };
providers.hcloud = { inputs.token = config.variables.hcloud_token.ref; };
providers.dns = {
inputs.update = {
server = "ns1.as207960.net";
key_name = config.variables.glauca_key.ref;
key_secret = config.variables.glauca_secret.ref;
key_name = config.variables.rfc2136-key.ref;
key_secret = config.variables.rfc2136-secret.ref;
key_algorithm = "hmac-sha512";
};
};
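Review bot: The three `externalSecret = true` variables now rely entirely on the `${folderPrefix}${folderDivider}<name>` convention from the variables module (`secrets/rfc2136-key`, …), while the removed `bitw get infra/rfc2136 -f username` lines documented the old location; whoever populates the store has to infer the new layout from two files. A comment above the block such as `# each externalSecret is fetched as secrets/<name> via commandPrefix` would make that explicit. Renaming `hcloud_token` to `hcloud-token` presumably changes the Terraform variable name too, so any existing `.tfvars` or workspace variable keyed on the old name will stop applying.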


@ -4,29 +4,16 @@
deploy.targets.personal = {
nodeNames = [ "samhain" "yule"];
tf = { config, ... }: {
# phone (android)
variables.phone_ygg = {
type = "string";
value.shellCommand = "bitw get infra/phone-ygg";
};
dns.records.kittywitch_net_grimoire = {
tld = "kittywit.ch.";
domain = "grimoire.net";
aaaa.address = config.variables.phone_ygg.ref;
};
# pi (sensors)
variables.pi_ygg = {
type = "string";
value.shellCommand = "bitw get infra/pi-ygg";
aaaa.address = "200:c87d:7960:916:bf0e:a0e1:3da7:4fc6";
};
dns.records.kittywitch_net_boline = {
tld = "kittywit.ch.";
domain = "boline.net";
aaaa.address = config.variables.pi_ygg.ref;
aaaa.address = "200:474d:14f7:1d21:f171:4e85:a3fa:9393";
};
};
};
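Review bot: The two Yggdrasil addresses become literal strings in the repository instead of values pulled from the secret store, which is reasonable for data published as public AAAA records, but if the `# phone (android)` / `# pi (sensors)` comment lines leave together with the removed variable blocks, the records lose their only hint of which host each address belongs to. Keep a one-line comment on each record, e.g. `# grimoire: phone (android) yggdrasil address`, so that a rotation can be located without the old variable names.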


@ -14,6 +14,7 @@
./weechat.nix
./inputrc.nix
./rink.nix
./pass.nix
./secrets.nix
];


@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
programs.password-store = {
enable = true;
package = pkgs.pass-wayland.withExtensions (exts: [ exts.pass-otp exts.pass-import ]);
settings = {
PASSWORD_STORE_DIR = "${config.home.homeDirectory}/.password-store";
PASSWORD_STORE_CLIP_TIME = "60";
};
};
}
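Review bot: `PASSWORD_STORE_CLIP_TIME = "60"` extends the window in which a copied secret stays on the clipboard beyond pass's 45-second default, and nothing records why; a comment `# clipboard is cleared after 60 s (pass default: 45)` keeps the trade-off visible. `PASSWORD_STORE_DIR` restates pass's default location, so a comment saying whether it is set for explicitness or because something else depends on the absolute path would help the next reader.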