add secret handling via sops, configure nerd
parent
e1ec254cf0
commit
5c08252e82
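--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,17 @@
+keys:
+- &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
+- &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+- &host_pre_yate_n0emis age1lrujyz4d48yjelmh6eufxjffuvfm9pusen3uxskyhnyf27xyucdqq3jza5
+creation_rules:
+- path_regex: hosts/nerd/.*
+key_groups:
+- pgp:
+- *admin_n0emis
+age:
+- *host_nerd
+- path_regex: hosts/pre-yate-n0emis/.*
+key_groups:
+- pgp:
+- *admin_n0emis
+age:
+- *host_pre_yate_n0emis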
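--- a/README.md
+++ b/README.md
@@ -16,3 +16,20 @@ There is a special case for the nixdeploy-host:
 ./deploy.sh apply-local switch --sudo --node nixdeploy
 ```
 
+## Secrets
+Secrets are managed with sops, see https://github.com/Mic92/sops-nix
+
+To **add yourself**, follow steps 2 and 4 of above mentioned README and add yourself to `.sops.yaml` in `keys` and all creation rules.
+
+To **add a new host**, configure a creation rule in `.sops.yaml`,
+configure the key (e.g. fetch it with `nix-shell -p ssh-to-age --run 'ssh-keyscan hostname.bula22.de | ssh-to-age'` and add it to `keys`.
+
+Then you can create a secrets file with `nix-shell -p sops --run "sops hosts/hostname/secrets.yaml"`, add your secrets and then configure your secrets. Example:
+```nix
+sops.secrets.nerd_secret = {
+sopsFile = ./secrets.yaml;
+owner = "nerd";
+restartUnits = [ "nerd.service" ];
+};
+```
+Your secret will then be available in `/run/secrets/secret_name`.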
40
flake.lock
40
flake.lock
@ -16,9 +16,47 @@
|
|||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs-22_05": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1657399715,
|
||||||
|
"narHash": "sha256-7YX+I8FP3/iJTRs33VhIbdx91YWlZQf8zaEEeM97964=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "0ad6eae04953060dff8ba28af158799c3e13878d",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "release-22.05",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": "nixpkgs"
|
"nixpkgs": "nixpkgs",
|
||||||
|
"sops-nix": "sops-nix"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"sops-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
],
|
||||||
|
"nixpkgs-22_05": "nixpkgs-22_05"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1657695756,
|
||||||
|
"narHash": "sha256-5eeq7Itk9gMK6E5u3IrooFd3KswlheIO/L2Cs7Wwj9k=",
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"rev": "912514e60a6e0227d6a2e0ecc8524752337fcde2",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Mic92",
|
||||||
|
"repo": "sops-nix",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -1,8 +1,12 @@
|
|||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
|
sops-nix = {
|
||||||
|
url = "github:Mic92/sops-nix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
outputs = { nixpkgs, ... }: {
|
outputs = { nixpkgs, sops-nix, ... }: {
|
||||||
colmena = {
|
colmena = {
|
||||||
meta = {
|
meta = {
|
||||||
nixpkgs = import nixpkgs {
|
nixpkgs = import nixpkgs {
|
||||||
@ -16,6 +20,7 @@
|
|||||||
(./. + "/hosts/${name}/configuration.nix")
|
(./. + "/hosts/${name}/configuration.nix")
|
||||||
./modules
|
./modules
|
||||||
./common
|
./common
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment.targetUser = null;
|
deployment.targetUser = null;
|
||||||
|
@ -1,45 +1,50 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
systemd.services.nerd = {
|
sops.secrets.nerd_secret = {
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
owner = "nerd";
|
||||||
|
restartUnits = [ "nerd.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.nerd = let
|
||||||
|
nerdCfg = pkgs.writeText "nerd.cfg" ''
|
||||||
|
[django]
|
||||||
|
secret = !!DJANGO_SECRET!!
|
||||||
|
allowed_hosts = nerd.bula22.de
|
||||||
|
debug = False
|
||||||
|
language_code = de-de
|
||||||
|
time_zone = Europe/Berlin
|
||||||
|
csrf_trusted_origins = https://nerd.bula22.de
|
||||||
|
|
||||||
|
[database]
|
||||||
|
engine = postgresql_psycopg2
|
||||||
|
name = nerd
|
||||||
|
user =
|
||||||
|
password =
|
||||||
|
host = /run/postgresql
|
||||||
|
port =
|
||||||
|
'';
|
||||||
|
in {
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
NERD_CONFIG_FILE = pkgs.writeText "nerd.cfg" ''
|
NERD_CONFIG_FILE = "/etc/nerd/nerd.cfg";
|
||||||
[django]
|
|
||||||
secret = TODO
|
|
||||||
allowed_hosts = nerd.bula22.de
|
|
||||||
debug = False
|
|
||||||
language_code = de-de
|
|
||||||
time_zone = Europe/Berlin
|
|
||||||
csrf_trusted_origins = https://nerd.bula22.de
|
|
||||||
|
|
||||||
[database]
|
|
||||||
engine = postgresql_psycopg2
|
|
||||||
name = nerd
|
|
||||||
user =
|
|
||||||
password =
|
|
||||||
host = /run/postgresql
|
|
||||||
port =
|
|
||||||
|
|
||||||
[email]
|
|
||||||
backend = smtp.EmailBackend
|
|
||||||
host = mail.n0emis.eu
|
|
||||||
port = 465
|
|
||||||
user = no-reply@n0emis.eu
|
|
||||||
password = TODO
|
|
||||||
ssl = True
|
|
||||||
tls = False
|
|
||||||
from = noreply@n0emis.eu
|
|
||||||
'';
|
|
||||||
PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
|
PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
preStart = ''
|
||||||
|
export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
|
||||||
|
${pkgs.gnused}/bin/sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g" ${nerdCfg} > /etc/nerd/nerd.cfg
|
||||||
|
|
||||||
|
${pkgs.python3.pkgs.nerd}/bin/nerd migrate
|
||||||
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "nerd";
|
User = "nerd";
|
||||||
Group = "nerd";
|
Group = "nerd";
|
||||||
ExecStartPre = "${pkgs.python3.pkgs.nerd}/bin/nerd migrate";
|
ConfigurationDirectory = "nerd";
|
||||||
ExecStart = ''
|
ExecStart = ''
|
||||||
${pkgs.python3Packages.gunicorn}/bin/gunicorn \
|
${pkgs.python3Packages.gunicorn}/bin/gunicorn \
|
||||||
--bind 0.0.0.0:10510 \
|
--bind 0.0.0.0:10510 \
|
||||||
@ -70,6 +75,7 @@
|
|||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
|
||||||
|
services.nginx.enable = lib.mkForce false;
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."nerd.bula22.de" = {
|
virtualHosts."nerd.bula22.de" = {
|
||||||
|
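Review bot: The rendered config written by `preStart` (`... > /etc/nerd/nerd.cfg`) ends up world-readable, so the Django secret that sops keeps under a restricted `/run/secrets` path is copied into a file any local user can read: `ConfigurationDirectory = "nerd"` creates `/etc/nerd` with systemd's default 0755, and a shell redirection under the default umask creates a 0644 file unless the unit sets `UMask`. The `sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g"` substitution is also fragile — a secret containing `/`, `&` or `\` is truncated or altered rather than inserted verbatim — and it passes the secret on sed's command line, where it is briefly visible in `/proc/<pid>/cmdline`. Setting `umask 077` before the redirect fixes the permissions, and substituting with `envsubst` (from `pkgs.gettext`, which reads the value from the environment) removes both the delimiter and argv problems; the template placeholder then becomes `secret = ''${DJANGO_SECRET}` (Nix's escape for a literal `${` inside an `''` string). The `systemd.services.nerd` attribute set continues past this hunk (`ExecStart` is cut off), so the rest of the unit was not reviewed.

```nix
nerdCfg = pkgs.writeText "nerd.cfg" ''
  [django]
  secret = ''${DJANGO_SECRET}
  # … unchanged: remaining [django] keys and the [database] section …
'';
# … unchanged: after, wantedBy, environment …
preStart = ''
  umask 077
  export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
  ${pkgs.gettext}/bin/envsubst < ${nerdCfg} > /etc/nerd/nerd.cfg

  ${pkgs.python3.pkgs.nerd}/bin/nerd migrate
'';
```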
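--- a/hosts/nerd/secrets.yaml
+++ b/hosts/nerd/secrets.yaml
@@ -0,0 +1,32 @@
+nerd_secret: ENC[AES256_GCM,data:MyuiltRyRppYa1qON2bTsY2z5tQWauWvsYA39JjfuiIwSDtu2pWSdlnGZQ==,iv:XvjM2UZLPNq/c9zzewIyfNTx28kehQ00CVAiWlqyk4M=,tag:i+NZGqiN9NoX2A9DVqtjvg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRk14MEpOY3RYWnNUR1Za
+b2VKTUg0anRGcXQxaUp5TFdjUkprYTlpbDJRCi9CVkhLWlhrOE1IT3FITksrbFlP
+TVJBeldJOGZiVncvbHFQM0g5Q1NhS3MKLS0tIGlSVDZoNGliT05JRFVzK1dXTzR0
+VW5KK0JiOXAva3AxQW5yWmZUc0JUc3cKQpeCgJ0X4Dj8UVqrOvDihTIp1o4JlrT7
+LKnjj1UY+4mgEHCGCMnbZaBE5BzU2TaZk6KQ9EhihRDXjjR1YNcgXA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2022-07-13T19:02:49Z"
+mac: ENC[AES256_GCM,data:2Sz+FPr1i6bKeC4NpK2D9rGp5HyN5jLnzleaBBJZ9T/p6A4Z7wyiruko8XLUpmGw0TiSsfG5FTj6+FjB90ASW5rv916eWHrADAI1YzyrpVGXtGdzM2dNm8fKRrim3zwld2om6uWe9EJRdsq/aEkMgSZwIka/oSHxZq/s5hrvtEc=,iv:Uwm7oNFtvcJEearMw2avNu9JSYGyiPLo4VzZ8cL/zA0=,tag:CoyNiUfkN+/b18E2JnVGBw==,type:str]
+pgp:
+- created_at: "2022-07-13T19:02:23Z"
+enc: |
+-----BEGIN PGP MESSAGE-----
+
+hE4D6iFd6webPCUSAQdAEoxhdEJ5t3J43TV/EjtCXR+WiEWm9OwB1XRxPX9Njiwg
+vZFbfm360/cprIVl6x1FG1TbLh8Vqmptvx9rdLxmTHTSXgH9ccHwk06zeH2mZw9j
+qYZeqliSxacuPO/ODwx0aFEPrEL4AZR9k02pQdoPSEHfw5DYkHVl7WOP0UXGKeL2
+ZoJSvb/Jhch79s2hJLTpGGaqvFcc6KHt2BFSMBIlZlg=
+=yrp3
+-----END PGP MESSAGE-----
+fp: 6E10217E3187069E057DF5ABE0262A773B824745
+unencrypted_suffix: _unencrypted
+version: 3.7.1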