add secret handling via sops, configure nerd

.sops.yaml

@@ -0,0 +1,17 @@
+keys:
+  - &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
+  - &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+  - &host_pre_yate_n0emis age1lrujyz4d48yjelmh6eufxjffuvfm9pusen3uxskyhnyf27xyucdqq3jza5
+creation_rules:
+  - path_regex: hosts/nerd/.*
+    key_groups:
+    - pgp:
+      - *admin_n0emis
+      age:
+      - *host_nerd
+  - path_regex: hosts/pre-yate-n0emis/.*
+    key_groups:
+    - pgp:
+      - *admin_n0emis
+      age:
+      - *host_pre_yate_n0emis

README.md

@@ -16,3 +16,20 @@ There is a special case for the nixdeploy-host:
 ./deploy.sh apply-local switch --sudo --node nixdeploy
 ```
 
+## Secrets
+Secrets are managed with sops, see https://github.com/Mic92/sops-nix
+
+To **add yourself**, follow steps 2 and 4 of above mentioned README and add yourself to `.sops.yaml` in `keys` and all creation rules.
+
+To **add a new host**, configure a creation rule in `.sops.yaml`,
+configure the key (e.g. fetch it with `nix-shell -p ssh-to-age --run 'ssh-keyscan hostname.bula22.de | ssh-to-age'` and add it to `keys`.
+
+Then you can create a secrets file with `nix-shell -p sops --run "sops hosts/hostname/secrets.yaml"`, add your secrets and then configure your secrets. Example:
+```nix
+sops.secrets.nerd_secret = {
+  sopsFile = ./secrets.yaml;
+  owner = "nerd";
+  restartUnits = [ "nerd.service" ];
+};
+```
+Your secret will then be available in `/run/secrets/secret_name`.

flake.lock

@@ -16,9 +16,47 @@
         "type": "github"
       }
     },
+    "nixpkgs-22_05": {
+      "locked": {
+        "lastModified": 1657399715,
+        "narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0ad6eae04953060dff8ba28af158799c3e13878d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-22_05": "nixpkgs-22_05"
+      },
+      "locked": {
+        "lastModified": 1657695756,
+        "narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -1,8 +1,12 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
-  outputs = { nixpkgs, ... }: {
+  };
+  outputs = { nixpkgs, sops-nix, ... }: {
     colmena = {
       meta = {
         nixpkgs = import nixpkgs {
@@ -16,6 +20,7 @@
           (./. + "/hosts/${name}/configuration.nix")
           ./modules
           ./common
+          sops-nix.nixosModules.sops
         ];
 
         deployment.targetUser = null;

hosts/nerd/nerd.nix

@@ -1,14 +1,16 @@
 { config, pkgs, lib, ... }:
 
 {
-  systemd.services.nerd = {
+  sops.secrets.nerd_secret = {
-    after = [ "network.target" ];
+    sopsFile = ./secrets.yaml;
-    wantedBy = [ "multi-user.target" ];
+    owner = "nerd";
+    restartUnits = [ "nerd.service" ];
+  };
 
-    environment = {
+  systemd.services.nerd = let
-      NERD_CONFIG_FILE = pkgs.writeText "nerd.cfg" ''
+    nerdCfg = pkgs.writeText "nerd.cfg" ''
       [django]
-        secret = TODO
+      secret = !!DJANGO_SECRET!!
       allowed_hosts = nerd.bula22.de
       debug = False
       language_code = de-de
@@ -22,24 +24,27 @@
       password =
       host = /run/postgresql
       port =
-
-        [email]
-        backend = smtp.EmailBackend
-        host = mail.n0emis.eu
-        port = 465
-        user = no-reply@n0emis.eu
-        password = TODO
-        ssl = True
-        tls = False
-        from = noreply@n0emis.eu
     '';
+  in {
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      NERD_CONFIG_FILE = "/etc/nerd/nerd.cfg";
       PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
     };
 
+    preStart = ''
+      export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
+      ${pkgs.gnused}/bin/sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g" ${nerdCfg} > /etc/nerd/nerd.cfg
+
+      ${pkgs.python3.pkgs.nerd}/bin/nerd migrate
+    '';
+
     serviceConfig = {
       User = "nerd";
       Group = "nerd";
-      ExecStartPre = "${pkgs.python3.pkgs.nerd}/bin/nerd migrate";
+      ConfigurationDirectory = "nerd";
       ExecStart = ''
         ${pkgs.python3Packages.gunicorn}/bin/gunicorn \
           --bind 0.0.0.0:10510 \
@@ -70,6 +75,7 @@
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
+  services.nginx.enable = lib.mkForce false;
   services.caddy = {
     enable = true;
     virtualHosts."nerd.bula22.de" = {

hosts/nerd/secrets.yaml

@@ -0,0 +1,32 @@
+nerd_secret: ENC[AES256_GCM,data:MyuiltRyRppYa1qON2bTsY2z5tQWauWvsYA39JjfuiIwSDtu2pWSdlnGZQ==,iv:XvjM2UZLPNq/c9zzewIyfNTx28kehQ00CVAiWlqyk4M=,tag:i+NZGqiN9NoX2A9DVqtjvg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRk14MEpOY3RYWnNUR1Za
+            b2VKTUg0anRGcXQxaUp5TFdjUkprYTlpbDJRCi9CVkhLWlhrOE1IT3FITksrbFlP
+            TVJBeldJOGZiVncvbHFQM0g5Q1NhS3MKLS0tIGlSVDZoNGliT05JRFVzK1dXTzR0
+            VW5KK0JiOXAva3AxQW5yWmZUc0JUc3cKQpeCgJ0X4Dj8UVqrOvDihTIp1o4JlrT7
+            LKnjj1UY+4mgEHCGCMnbZaBE5BzU2TaZk6KQ9EhihRDXjjR1YNcgXA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-13T19:02:49Z"
+    mac: ENC[AES256_GCM,data:2Sz+FPr1i6bKeC4NpK2D9rGp5HyN5jLnzleaBBJZ9T/p6A4Z7wyiruko8XLUpmGw0TiSsfG5FTj6+FjB90ASW5rv916eWHrADAI1YzyrpVGXtGdzM2dNm8fKRrim3zwld2om6uWe9EJRdsq/aEkMgSZwIka/oSHxZq/s5hrvtEc=,iv:Uwm7oNFtvcJEearMw2avNu9JSYGyiPLo4VzZ8cL/zA0=,tag:CoyNiUfkN+/b18E2JnVGBw==,type:str]
+    pgp:
+        - created_at: "2022-07-13T19:02:23Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hE4D6iFd6webPCUSAQdAEoxhdEJ5t3J43TV/EjtCXR+WiEWm9OwB1XRxPX9Njiwg
+            vZFbfm360/cprIVl6x1FG1TbLh8Vqmptvx9rdLxmTHTSXgH9ccHwk06zeH2mZw9j
+            qYZeqliSxacuPO/ODwx0aFEPrEL4AZR9k02pQdoPSEHfw5DYkHVl7WOP0UXGKeL2
+            ZoJSvb/Jhch79s2hJLTpGGaqvFcc6KHt2BFSMBIlZlg=
+            =yrp3
+            -----END PGP MESSAGE-----
+          fp: 6E10217E3187069E057DF5ABE0262A773B824745
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1