From 5c08252e820602e7283eab1b65ab8dbaf3b51b40 Mon Sep 17 00:00:00 2001
From: Ember 'n0emis' Keske
Date: Wed, 13 Jul 2022 21:39:57 +0200
Subject: [PATCH] add secret handling via sops, configure nerd
---
 .sops.yaml | 17 +++++++++++
 README.md | 17 +++++++++++
 flake.lock | 40 +++++++++++++++++++++++++-
 flake.nix | 7 ++++-
 hosts/nerd/nerd.nix | 64 ++++++++++++++++++++++-------------------
 hosts/nerd/secrets.yaml | 32 +++++++++++++++++++++
 6 files changed, 146 insertions(+), 31 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 hosts/nerd/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..5cead0a
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+ - &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
+ - &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+ - &host_pre_yate_n0emis age1lrujyz4d48yjelmh6eufxjffuvfm9pusen3uxskyhnyf27xyucdqq3jza5
+creation_rules:
+ - path_regex: hosts/nerd/.*
+ key_groups:
+ - pgp:
+ - *admin_n0emis
+ age:
+ - *host_nerd
+ - path_regex: hosts/pre-yate-n0emis/.*
+ key_groups:
+ - pgp:
+ - *admin_n0emis
+ age:
+ - *host_pre_yate_n0emis
diff --git a/README.md b/README.md
index 3d06363..2b9e2e7 100644
--- a/README.md
+++ b/README.md
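Review bot: The two `path_regex` values under `creation_rules` are unanchored, so `hosts/nerd/.*` also matches any path that merely contains `hosts/nerd/` somewhere inside it; anchoring them as `path_regex: ^hosts/nerd/.*` and `path_regex: ^hosts/pre-yate-n0emis/.*` keeps a misplaced secrets file from being encrypted to the wrong host's key. Both rules list exactly one admin PGP key (`admin_n0emis`), so losing that key or its passphrase locks every secret in the repository; that is a deliberate choice but deserves a comment above `keys:` such as `# one admin key only — add a second admin before this becomes the only way to re-encrypt`. The host keys are age recipients derived from the hosts' SSH keys per the README, so rotating a host's SSH host key means re-running `sops updatekeys` on that host's files; a short comment next to each `&host_*` entry saying which machine and which SSH key it came from would make that rotation findable later.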
@@ -16,3 +16,20 @@ There is a special case for the nixdeploy-host:
 ./deploy.sh apply-local switch --sudo --node nixdeploy
 ```
+## Secrets
+Secrets are managed with sops, see https://github.com/Mic92/sops-nix
+
+To **add yourself**, follow steps 2 and 4 of above mentioned README and add yourself to `.sops.yaml` in `keys` and all creation rules.
+
+To **add a new host**, configure a creation rule in `.sops.yaml`,
+configure the key (e.g. fetch it with `nix-shell -p ssh-to-age --run 'ssh-keyscan hostname.bula22.de | ssh-to-age'` and add it to `keys`.
+
+Then you can create a secrets file with `nix-shell -p sops --run "sops hosts/hostname/secrets.yaml"`, add your secrets and then configure your secrets. Example:
+```nix
+sops.secrets.nerd_secret = {
+ sopsFile = ./secrets.yaml;
+ owner = "nerd";
+ restartUnits = [ "nerd.service" ];
+};
+```
+Your secret will then be available in `/run/secrets/secret_name`.
diff --git a/flake.lock b/flake.lock
index daf7715..2db87db 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,9 +16,47 @@
 "type": "github"
 }
 },
+ "nixpkgs-22_05": {
+ "locked": {
+ "lastModified": 1657399715,
+ "narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "0ad6eae04953060dff8ba28af158799c3e13878d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-22.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-22_05": "nixpkgs-22_05"
+ },
+ "locked": {
+ "lastModified": 1657695756,
+ "narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index f8917cd..77a2575 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,8 +1,12 @@
 {
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { nixpkgs, ... }: {
+ outputs = { nixpkgs, sops-nix, ... }: {
 colmena = {
 meta = {
 nixpkgs = import nixpkgs {
@@ -16,6 +20,7 @@
 (./. + "/hosts/${name}/configuration.nix")
 ./modules
 ./common
+ sops-nix.nixosModules.sops
 ];
 deployment.targetUser = null;
diff --git a/hosts/nerd/nerd.nix b/hosts/nerd/nerd.nix
index 0a9b24c..05e8b92 100644
--- a/hosts/nerd/nerd.nix
+++ b/hosts/nerd/nerd.nix
@@ -1,45 +1,50 @@
 { config, pkgs, lib, ... }: {
- systemd.services.nerd = {
+ sops.secrets.nerd_secret = {
+ sopsFile = ./secrets.yaml;
+ owner = "nerd";
+ restartUnits = [ "nerd.service" ];
+ };
+
+ systemd.services.nerd = let
+ nerdCfg = pkgs.writeText "nerd.cfg" ''
+ [django]
+ secret = !!DJANGO_SECRET!!
+ allowed_hosts = nerd.bula22.de
+ debug = False
+ language_code = de-de
+ time_zone = Europe/Berlin
+ csrf_trusted_origins = https://nerd.bula22.de
+
+ [database]
+ engine = postgresql_psycopg2
+ name = nerd
+ user =
+ password =
+ host = /run/postgresql
+ port =
+ '';
+ in {
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 environment = {
- NERD_CONFIG_FILE = pkgs.writeText "nerd.cfg" ''
- [django]
- secret = TODO
- allowed_hosts = nerd.bula22.de
- debug = False
- language_code = de-de
- time_zone = Europe/Berlin
- csrf_trusted_origins = https://nerd.bula22.de
-
- [database]
- engine = postgresql_psycopg2
- name = nerd
- user =
- password =
- host = /run/postgresql
- port =
-
- [email]
- backend = smtp.EmailBackend
- host = mail.n0emis.eu
- port = 465
- user = no-reply@n0emis.eu
- password = TODO
- ssl = True
- tls = False
- from = noreply@n0emis.eu
- '';
+ NERD_CONFIG_FILE = "/etc/nerd/nerd.cfg";
 PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
 };
+ preStart = ''
+ export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
+ ${pkgs.gnused}/bin/sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g" ${nerdCfg} > /etc/nerd/nerd.cfg
+
+ ${pkgs.python3.pkgs.nerd}/bin/nerd migrate
+ '';
+
 serviceConfig = {
 User = "nerd";
 Group = "nerd";
- ExecStartPre = "${pkgs.python3.pkgs.nerd}/bin/nerd migrate";
+ ConfigurationDirectory = "nerd";
 ExecStart = ''
 ${pkgs.python3Packages.gunicorn}/bin/gunicorn \
 --bind 0.0.0.0:10510 \
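Review bot: The rendered `/etc/nerd/nerd.cfg` written in `preStart` now contains the Django secret but is created by a bare `>` redirect, so it gets whatever the process umask allows (normally 0644) inside a `ConfigurationDirectory` that systemd creates 0755 by default, which leaves the secret readable by every local account on the host. The same line also passes the secret to sed as a command-line argument, where it is visible in the process list for the lifetime of the sed call and where a `/`, `&` or `\` inside the secret breaks the `s///` expression or injects further sed commands. Keep the secret out of argv and out of world-readable files: copy the template with a restrictive mode, substitute in place with `replace-secret` (which reads the secret from the file path rather than from an argument), and add `ConfigurationDirectoryMode = "0750";` beside `ConfigurationDirectory = "nerd";`. The old template's `[email]` section, with its `password = TODO`, is dropped rather than migrated; if mail sending is still wanted, that password should come through sops the same way as `nerd_secret`, not be reintroduced inline.
```nix
    preStart = ''
      umask 077
      install -m 0600 ${nerdCfg} /etc/nerd/nerd.cfg
      ${pkgs.replace-secret}/bin/replace-secret '!!DJANGO_SECRET!!' ${config.sops.secrets.nerd_secret.path} /etc/nerd/nerd.cfg

      ${pkgs.python3.pkgs.nerd}/bin/nerd migrate
    '';

    serviceConfig = {
      # … unchanged: User, Group …
      ConfigurationDirectory = "nerd";
      ConfigurationDirectoryMode = "0750";
      # … unchanged: ExecStart …
    };
```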
@@ -70,6 +75,7 @@ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.nginx.enable = lib.mkForce false;
 services.caddy = {
 enable = true;
 virtualHosts."nerd.bula22.de" = {
diff --git a/hosts/nerd/secrets.yaml b/hosts/nerd/secrets.yaml
new file mode 100644
index 0000000..3b4f6bf
--- /dev/null
+++ b/hosts/nerd/secrets.yaml
@@ -0,0 +1,32 @@
+nerd_secret: ENC[AES256_GCM,data:MyuiltRyRppYa1qON2bTsY2z5tQWauWvsYA39JjfuiIwSDtu2pWSdlnGZQ==,iv:XvjM2UZLPNq/c9zzewIyfNTx28kehQ00CVAiWlqyk4M=,tag:i+NZGqiN9NoX2A9DVqtjvg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRk14MEpOY3RYWnNUR1Za
+ b2VKTUg0anRGcXQxaUp5TFdjUkprYTlpbDJRCi9CVkhLWlhrOE1IT3FITksrbFlP
+ TVJBeldJOGZiVncvbHFQM0g5Q1NhS3MKLS0tIGlSVDZoNGliT05JRFVzK1dXTzR0
+ VW5KK0JiOXAva3AxQW5yWmZUc0JUc3cKQpeCgJ0X4Dj8UVqrOvDihTIp1o4JlrT7
+ LKnjj1UY+4mgEHCGCMnbZaBE5BzU2TaZk6KQ9EhihRDXjjR1YNcgXA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-07-13T19:02:49Z"
+ mac: ENC[AES256_GCM,data:2Sz+FPr1i6bKeC4NpK2D9rGp5HyN5jLnzleaBBJZ9T/p6A4Z7wyiruko8XLUpmGw0TiSsfG5FTj6+FjB90ASW5rv916eWHrADAI1YzyrpVGXtGdzM2dNm8fKRrim3zwld2om6uWe9EJRdsq/aEkMgSZwIka/oSHxZq/s5hrvtEc=,iv:Uwm7oNFtvcJEearMw2avNu9JSYGyiPLo4VzZ8cL/zA0=,tag:CoyNiUfkN+/b18E2JnVGBw==,type:str]
+ pgp:
+ - created_at: "2022-07-13T19:02:23Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hE4D6iFd6webPCUSAQdAEoxhdEJ5t3J43TV/EjtCXR+WiEWm9OwB1XRxPX9Njiwg
+ vZFbfm360/cprIVl6x1FG1TbLh8Vqmptvx9rdLxmTHTSXgH9ccHwk06zeH2mZw9j
+ qYZeqliSxacuPO/ODwx0aFEPrEL4AZR9k02pQdoPSEHfw5DYkHVl7WOP0UXGKeL2
+ ZoJSvb/Jhch79s2hJLTpGGaqvFcc6KHt2BFSMBIlZlg=
+ =yrp3
+ -----END PGP MESSAGE-----
+ fp: 6E10217E3187069E057DF5ABE0262A773B824745
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
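Review bot: `services.nginx.enable = lib.mkForce false;` overrides a value set somewhere outside this file without saying where, so a reader cannot tell which module turns nginx on or whether the override can go away once that module changes. A comment above the line would record the reason, e.g. `# nginx is enabled by a shared module (presumably under ./modules or ./common — confirm); this host terminates TLS with caddy on 80/443 instead, see services.caddy below`. If the module that enables nginx is the one that also packages nerd, making its reverse-proxy opt-in there would be cleaner than forcing it off per host with `mkForce`, which also silences any future conflict instead of surfacing it.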