From 508130827911539da936500412c92489efb1ed0f Mon Sep 17 00:00:00 2001 From: kat witch Date: Sun, 8 Aug 2021 21:19:07 +0100 Subject: [PATCH] Pass + Secrets rework in all services --- config/hosts/athame/nixos.nix | 1 - config/modules/home/default.nix | 1 + config/modules/home/secrets.nix | 15 ++++++++++++++ config/modules/meta/secrets.nix | 1 + config/modules/nixos/dyndns.nix | 25 ++++++++---------------- config/services/gitea/default.nix | 29 ++++++++++++++-------------- config/services/mail/default.nix | 9 ++++----- config/services/nginx/default.nix | 4 ++-- config/services/syncplay/default.nix | 19 +++++++----------- config/targets/common/default.nix | 27 +++++++++++--------------- config/targets/personal/default.nix | 17 ++-------------- config/users/kat/base/default.nix | 1 + config/users/kat/base/pass.nix | 12 ++++++++++++ 13 files changed, 78 insertions(+), 83 deletions(-) create mode 100644 config/modules/home/secrets.nix create mode 100644 config/users/kat/base/pass.nix diff --git a/config/hosts/athame/nixos.nix b/config/hosts/athame/nixos.nix index 63d1b9ee..f03091c6 100644 --- a/config/hosts/athame/nixos.nix +++ b/config/hosts/athame/nixos.nix @@ -8,7 +8,6 @@ with lib; imports = [ profiles.hardware.hcloud-imperative users.kat.server - services.asterisk services.fail2ban services.filehost services.gitea diff --git a/config/modules/home/default.nix b/config/modules/home/default.nix index d4df8980..a358084c 100644 --- a/config/modules/home/default.nix +++ b/config/modules/home/default.nix @@ -7,6 +7,7 @@ ./fvwm.nix ./deploy.nix ./theme.nix + ./secrets.nix (sources.tf-nix + "/modules/home/secrets.nix") ]; } diff --git a/config/modules/home/secrets.nix b/config/modules/home/secrets.nix new file mode 100644 index 00000000..ea13d16c --- /dev/null +++ b/config/modules/home/secrets.nix 
@@ -0,0 +1,15 @@ +{ config, lib, ... }: + +with lib; + +{ + options.kw = { + secrets = mkOption { + type = types.nullOr (types.listOf types.str); + default = null; + }; + }; + config = mkIf (config.kw.secrets != null) { + deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; }); + }; +} diff --git a/config/modules/meta/secrets.nix b/config/modules/meta/secrets.nix index 2f37036a..572b9d1d 100644 --- a/config/modules/meta/secrets.nix +++ b/config/modules/meta/secrets.nix @@ -10,6 +10,7 @@ with lib; config = mkIf config.externalSecret { type = "string"; value.shellCommand = "${tf.commandPrefix} ${tf.folderPrefix}${tf.folderDivider}${escapeShellArg name}"; + sensitive = true; }; })); }; diff --git a/config/modules/nixos/dyndns.nix b/config/modules/nixos/dyndns.nix index d227bed8..a2289b1b 100644 --- a/config/modules/nixos/dyndns.nix +++ b/config/modules/nixos/dyndns.nix @@ -8,26 +8,17 @@ with lib; }; config = mkIf (config.kw.dns.dynamic) { - deploy.tf.variables.dyn_username = { - type = "string"; - value.shellCommand = "bitw get infra/hexdns-dynamic -f username"; - }; - - deploy.tf.variables.dyn_password = { - type = "string"; - value.shellCommand = "bitw get infra/hexdns-dynamic -f password"; - }; - - deploy.tf.variables.dyn_hostname = { - type = "string"; - value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname"; - }; + kw.secrets = [ + "hexdns-key" + "hexdns-secret" + "hexdns-host" + ]; secrets.files.kat-glauca-dns = { text = '' - user="${tf.variables.dyn_username.ref}" - pass="${tf.variables.dyn_password.ref}" - hostname="${tf.variables.dyn_hostname.ref}" + user="${tf.variables.hexdns-key.ref}" + pass="${tf.variables.hexdns-secret.ref}" + hostname="${tf.variables.hexdns-host.ref}" ''; }; diff --git a/config/services/gitea/default.nix b/config/services/gitea/default.nix index 09540cc3..be63bc59 100644 --- a/config/services/gitea/default.nix +++ b/config/services/gitea/default.nix 
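Review bot: The new `kw.secrets` option in config/modules/home/secrets.nix has no `description`, and the `nullOr` wrapper only exists to make the `mkIf (config.kw.secrets != null)` guard necessary. A plain list type merges the contributions from dyndns, gitea, mail and syncplay, and `genAttrs [ ] f` is just `{ }`, so the guard can go: `type = types.listOf types.str; default = [ ]; description = "Secret names exposed as Terraform variables with externalSecret = true";` and `config.deploy.tf.variables = genAttrs config.kw.secrets (n: { externalSecret = true; });`.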
@@ -1,6 +1,18 @@ { config, pkgs, tf, ... }: { + kw.secrets = [ + "gitea-mail-pass" + ]; + + secrets.files.gitea-mail-passfile = { + text = '' + ${tf.variables.gitea-mail-pass.ref}; + ''; + owner = "gitea"; + group = "gitea"; + }; + services.postgresql = { enable = true; ensureDatabases = [ "gitea" ]; @@ -10,19 +22,6 @@ }]; }; - deploy.tf.variables.gitea_mail = { - type = "string"; - value.shellCommand = "bitw get infra/gitea-mail -f password"; - }; - - secrets.files.gitea_mail = { - text = '' - ${tf.variables.gitea_mail.ref}; - ''; - owner = "gitea"; - group = "gitea"; - }; - services.gitea = { enable = true; disableRegistration = true; @@ -36,7 +35,7 @@ name = "gitea"; user = "gitea"; }; - mailerPasswordFile = config.secrets.files.gitea_mail.path; + mailerPasswordFile = config.secrets.files.gitea-mail-passfile.path; settings = { security = { DISABLE_GIT_HOOKS = false; }; api = { ENABLE_SWAGGER = true; }; @@ -73,7 +72,7 @@ locations = { "/".proxyPass = "http://127.0.0.1:3000"; }; }; - deploy.tf.dns.records.kittywitch_git = { + deploy.tf.dns.records.services_gitea = { tld = config.kw.dns.tld; domain = "git"; cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; diff --git a/config/services/mail/default.nix b/config/services/mail/default.nix index f9ef669f..9e3a0867 100644 --- a/config/services/mail/default.nix +++ b/config/services/mail/default.nix @@ -5,10 +5,9 @@ with lib; { imports = [ sources.nixos-mailserver.outPath ]; - deploy.tf.variables.domainkey_kitty = { - type = "string"; - value.shellCommand = "bitw get infra/domainkey-kitty"; - }; + kw.secrets = [ + "mail-domainkey-kitty" + ]; deploy.tf.dns.records.services_mail_mx = { tld = config.kw.dns.tld; @@ -34,7 +33,7 @@ with lib; deploy.tf.dns.records.services_mail_domainkey = { tld = config.kw.dns.tld; domain = "mail._domainkey"; - txt.value = tf.variables.domainkey_kitty.ref; + txt.value = tf.variables.mail-domainkey-kitty.ref; }; mailserver = { 
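Review bot: In the new `secrets.files.gitea-mail-passfile` block the indented string is `${tf.variables.gitea-mail-pass.ref};` — the `;` is inside the `''` string, so the rendered file is the password followed by a literal semicolon and newline. The file is consumed through `mailerPasswordFile` (third gitea hunk), so that character becomes part of the SMTP password unless the stored credential happens to end with one; the removed `gitea_mail` file carried the same stray `;`, and re-creating the block was the moment to drop it. Change the line to `${tf.variables.gitea-mail-pass.ref}` with no semicolon.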
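Review bot: `mail-domainkey-kitty` is routed through `kw.secrets` in config/services/mail/default.nix, so with the `sensitive = true` added in config/modules/meta/secrets.nix the value of `services_mail_domainkey` is redacted in Terraform plan output — yet that TXT record at `mail._domainkey` is the DKIM public key, published in public DNS by design. Marking it sensitive gains no confidentiality and hides a record change from plan review; if the key lives in the store only for convenience, a non-sensitive variable or a literal in the record would be clearer. `hexdns-host` in config/modules/nixos/dyndns.nix is presumably the same kind of non-secret value travelling the secret path.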
diff --git a/config/services/nginx/default.nix b/config/services/nginx/default.nix index fae38918..e3deaa2a 100644 --- a/config/services/nginx/default.nix +++ b/config/services/nginx/default.nix @@ -7,8 +7,8 @@ with lib; text = '' RFC2136_NAMESERVER='ns1.as207960.net' RFC2136_TSIG_ALGORITHM='hmac-sha512.' - RFC2136_TSIG_KEY='${tf.variables.glauca_key.ref}' - RFC2136_TSIG_SECRET='${tf.variables.glauca_secret.ref}' + RFC2136_TSIG_KEY='${tf.variables.rfc2136-key.ref}' + RFC2136_TSIG_SECRET='${tf.variables.rfc2136-secret.ref}' ''; }; diff --git a/config/services/syncplay/default.nix b/config/services/syncplay/default.nix index 6935b1d9..7c1315e1 100644 --- a/config/services/syncplay/default.nix +++ b/config/services/syncplay/default.nix @@ -3,6 +3,11 @@ with lib; { + kw.secrets = [ + "syncplay-pass" + "syncplay-salt" + ]; + users.users.syncplay = { isSystemUser = true; }; users.groups."sync-cert".members = [ "nginx" "syncplay" ]; @@ -29,20 +34,10 @@ with lib; cname.target = "${config.networking.hostName}.${config.kw.dns.tld}"; }; - deploy.tf.variables.syncplay_pass = { - type = "string"; - value.shellCommand = "bitw get infra/syncplay-server -f password"; - }; - - deploy.tf.variables.syncplay_salt = { - type = "string"; - value.shellCommand = "bitw get infra/syncplay-salt -f password"; - }; - secrets.files.syncplay-env = { text = '' - SYNCPLAY_PASSWORD=${tf.variables.syncplay_pass.ref} - SYNCPLAY_SALT=${tf.variables.syncplay_salt.ref} + SYNCPLAY_PASSWORD=${tf.variables.syncplay-pass.ref} + SYNCPLAY_SALT=${tf.variables.syncplay-salt.ref} ''; owner = "syncplay"; group = "sync-cert"; diff --git a/config/targets/common/default.nix b/config/targets/common/default.nix index 404b97fc..35efec70 100644 --- a/config/targets/common/default.nix +++ b/config/targets/common/default.nix 
@@ -5,30 +5,25 @@ folderPrefix = "secrets"; folderDivider = "/"; - variables.hcloud_token = { - type = "string"; - value.shellCommand = "bitw get infra/hcloud_token"; + variables.rfc2136-key = { + externalSecret = true; + }; + variables.rfc2136-secret = { + externalSecret = true; + }; + variables.hcloud-token = { + externalSecret = true; }; - variables.glauca_key = { - type = "string"; - value.shellCommand = "bitw get infra/rfc2136 -f username"; - }; - - variables.glauca_secret = { - type = "string"; - value.shellCommand = "bitw get infra/rfc2136 -f password"; - }; + providers.hcloud = { inputs.token = config.variables.hcloud-token.ref; }; dns.zones."kittywit.ch." = { provider = "dns"; }; - providers.hcloud = { inputs.token = config.variables.hcloud_token.ref; }; - providers.dns = { inputs.update = { server = "ns1.as207960.net"; - key_name = config.variables.glauca_key.ref; - key_secret = config.variables.glauca_secret.ref; + key_name = config.variables.rfc2136-key.ref; + key_secret = config.variables.rfc2136-secret.ref; key_algorithm = "hmac-sha512"; }; }; diff --git a/config/targets/personal/default.nix b/config/targets/personal/default.nix index 308b6930..c0c84cd5 100644 --- a/config/targets/personal/default.nix +++ b/config/targets/personal/default.nix 
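Review bot: The three `variables.<name> = { externalSecret = true; };` blocks at the top of the hunk repeat the same body; `variables = genAttrs [ "rfc2136-key" "rfc2136-secret" "hcloud-token" ] (_: { externalSecret = true; });` mirrors what config/modules/home/secrets.nix now does and keeps the names in one list. Renaming `hcloud_token` to `hcloud-token` and `glauca_*` to `rfc2136-*` also changes the path the externalSecret command resolves (`secrets/<name>` given the `folderPrefix` and `folderDivider` shown above), so the store entries must exist under the new names before this is applied — worth a sentence in the commit message.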
@@ -4,29 +4,16 @@ deploy.targets.personal = { nodeNames = [ "samhain" "yule"]; tf = { config, ... }: { - # phone (android) - variables.phone_ygg = { - type = "string"; - value.shellCommand = "bitw get infra/phone-ygg"; - }; - dns.records.kittywitch_net_grimoire = { tld = "kittywit.ch."; domain = "grimoire.net"; - aaaa.address = config.variables.phone_ygg.ref; - }; - - # pi (sensors) - - variables.pi_ygg = { - type = "string"; - value.shellCommand = "bitw get infra/pi-ygg"; + aaaa.address = "200:c87d:7960:916:bf0e:a0e1:3da7:4fc6"; }; dns.records.kittywitch_net_boline = { tld = "kittywit.ch."; domain = "boline.net"; - aaaa.address = config.variables.pi_ygg.ref; + aaaa.address = "200:474d:14f7:1d21:f171:4e85:a3fa:9393"; }; }; }; diff --git a/config/users/kat/base/default.nix b/config/users/kat/base/default.nix index 810c3282..048cf81c 100644 --- a/config/users/kat/base/default.nix +++ b/config/users/kat/base/default.nix @@ -14,6 +14,7 @@ ./weechat.nix ./inputrc.nix ./rink.nix + ./pass.nix ./secrets.nix ]; diff --git a/config/users/kat/base/pass.nix b/config/users/kat/base/pass.nix new file mode 100644 index 00000000..352fad04 --- /dev/null +++ b/config/users/kat/base/pass.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: + +{ + programs.password-store = { + enable = true; + package = pkgs.pass-wayland.withExtensions (exts: [ exts.pass-otp exts.pass-import ]); + settings = { + PASSWORD_STORE_DIR = "${config.home.homeDirectory}/.password-store"; + PASSWORD_STORE_CLIP_TIME = "60"; + }; + }; +}
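Review bot: The `# phone (android)` and `# pi (sensors)` comments are removed along with the `phone_ygg`/`pi_ygg` variables, so the two literal AAAA addresses in config/targets/personal/default.nix now carry nothing saying which device each belongs to. Keep the labels on the records, e.g. `# phone (android)` above `dns.records.kittywitch_net_grimoire` and `# pi (sensors)` above `dns.records.kittywitch_net_boline`, and a short note that these addresses (presumably yggdrasil, from the `_ygg` names) are intentionally kept in the repo rather than the store would explain the change in handling. The `tf = { config, ... }: {` body opens before the hunk.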
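Review bot: `PASSWORD_STORE_CLIP_TIME = "60"` in the new config/users/kat/base/pass.nix lengthens the clipboard lifetime beyond pass's default of 45 seconds, widening the window in which a copied secret is readable by any other clipboard consumer; if 60 is deliberate, a comment stating why would help, otherwise drop the line and take the default. `PASSWORD_STORE_DIR` is likewise set to pass's default location, so that line is redundant unless it is there to make the path explicit for tooling.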