From 3d927f8372d16181d52f20b34fafb74f7ea67d7d Mon Sep 17 00:00:00 2001
From: cy
Date: Mon, 16 Dec 2024 23:20:51 -0500
Subject: [PATCH] secrets/chunk: add missing secrets and rewrite everything to new structure
---
 .sops.yaml | 8 +++++
 hosts/chunk/borg.nix | 10 ++++--
 hosts/chunk/default.nix | 54 +++++++++++++++++++++----------
 hosts/chunk/gitlab.nix | 12 +++---
 hosts/chunk/hedgedoc.nix | 4 +--
 hosts/chunk/miniflux.nix | 4 +--
 hosts/chunk/rclone.nix | 10 ++++--
 hosts/chunk/vaultwarden.nix | 4 +--
 hosts/chunk/wireguard.nix | 12 ++++--
 secrets/rclone/chunk.yaml | 22 +++++++++++++
 secrets/services/vaultwarden.yaml | 22 +++++++++++++
 11 files changed, 123 insertions(+), 39 deletions(-)
 create mode 100644 secrets/rclone/chunk.yaml
 create mode 100644 secrets/services/vaultwarden.yaml
diff --git a/.sops.yaml b/.sops.yaml
index e094326..8499766 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -51,3 +51,11 @@ creation_rules:
 key_groups:
 - age:
 - *chunk
+ - path_regex: secrets/services/vaultwarden.yaml
+ key_groups:
+ - age:
+ - *chunk
+ - path_regex: secrets/rclone/chunk.yaml
+ key_groups:
+ - age:
+ - *chunk
diff --git a/hosts/chunk/borg.nix b/hosts/chunk/borg.nix
index e06d83e..6e2110b 100644
--- a/hosts/chunk/borg.nix
+++ b/hosts/chunk/borg.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ config,
+ ...
+}: {
 services.borgbackup.jobs = {
 crashRsync = {
 paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
@@ -6,7 +10,7 @@
 repo = "de3911@de3911.rsync.net:borg/crash";
 encryption = {
 mode = "repokey-blake2";
- passCommand = "cat /run/secrets/borg/crash";
+ passCommand = "cat ${config.sops.secrets."borg/rsyncnet".path}";
 };
 environment = {
 BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
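Review bot: Both new rules encrypt to a single recipient, `*chunk`, so exactly one age key can ever decrypt `secrets/services/vaultwarden.yaml` and `secrets/rclone/chunk.yaml`; if that anchor is the host's own key, as `sops.age.keyFile` in `hosts/chunk/default.nix` suggests, losing or rotating the host key makes both files unrecoverable and every edit requires that private key to be present. The usual shape is a host key plus an operator key in the same `age:` group (with `sops updatekeys` run whenever the group changes), which the existing rule above these also lacks. The `path_regex` values are unanchored regexes in which `.` matches any character; `^secrets/services/vaultwarden\.yaml$` is the precise form if the intent is an exact file match.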
@@ -18,7 +22,7 @@
 # warnings are often not that serious
 failOnWarnings = false;
 postHook = ''
- ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
+ ${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "chunk: backup completed with exit code: $exitStatus
 $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
 https://ntfy.cything.io/chunk
 '';
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index e0286bb..94d384a 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -2,7 +2,6 @@
 config,
 lib,
 pkgs,
- inputs,
 ...
 }: {
 imports = [
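Review bot: The rewritten postHook still hands the ntfy credential to curl as a command-line argument, `-u $(cat …)`, so for the duration of the request it is readable in `/proc/<pid>/cmdline` by any local user and can be captured by shell tracing; moving the path to sops does not change that exposure. If the secret file holds `user:pass` (not visible here), curl can read it from a file instead: keep it in netrc form and call `${pkgs.curl}/bin/curl --netrc-file ${config.sops.secrets."services/ntfy".path} -d "…" https://ntfy.cything.io/chunk`, or pass a `-K` config file containing `user = "…"`. The unquoted `$(cat …)` is also subject to word splitting should the credential ever contain whitespace. The crashRsync job and this postHook begin before the hunk.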
@@ -24,36 +23,57 @@
 ./tor.nix
 ];
+ sops.age.keyFile = "/root/.config/sops/age/keys.txt";
 sops.secrets = {
- "borg/crash" = {};
- "ntfy" = {};
- "rclone" = {};
- "vaultwarden" = {};
- "caddy" = {};
- "hedgedoc" = {};
- "wireguard/private" = {};
- "wireguard/psk" = {};
- "wireguard/pskphone" = {};
- "miniflux" = {};
+ "borg/rsyncnet" = {
+ sopsFile = ../../secrets/borg/chunk.yaml;
+ };
+ "services/ntfy" = {
+ sopsFile = ../../secrets/services/ntfy.yaml;
+ };
+ "rclone/env" = {
+ sopsFile = ../../secrets/rclone/chunk.yaml;
+ };
+ "vaultwarden/env" = {
+ sopsFile = ../../secrets/services/vaultwarden.yaml;
+ };
+ "caddy/env" = {
+ sopsFile = ../../secrets/services/caddy.yaml;
+ };
+ "hedgedoc/env" = {
+ sopsFile = ../../secrets/services/hedgedoc.yaml;
+ };
+ "wireguard/private" = {
+ sopsFile = ../../secrets/wireguard/chunk.yaml;
+ };
+ "wireguard/psk-yt" = {
+ sopsFile = ../../secrets/wireguard/chunk.yaml;
+ };
+ "wireguard/psk-phone" = {
+ sopsFile = ../../secrets/wireguard/chunk.yaml;
+ };
+ "miniflux/env" = {
+ sopsFile = ../../secrets/services/miniflux.yaml;
+ };
 "gitlab/root" = {
+ sopsFile = ../../secrets/services/gitlab.yaml;
 owner = config.users.users.git.name;
- group = config.users.users.git.group;
 };
 "gitlab/secret" = {
+ sopsFile = ../../secrets/services/gitlab.yaml;
 owner = config.users.users.git.name;
- group = config.users.users.git.group;
 };
 "gitlab/jws" = {
+ sopsFile = ../../secrets/services/gitlab.yaml;
 owner = config.users.users.git.name;
- group = config.users.users.git.group;
 };
 "gitlab/db" = {
+ sopsFile = ../../secrets/services/gitlab.yaml;
 owner = config.users.users.git.name;
- group = config.users.users.git.group;
 };
 "gitlab/otp" = {
+ sopsFile = ../../secrets/services/gitlab.yaml;
 owner = config.users.users.git.name;
- group = config.users.users.git.group;
 };
 };
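Review bot: `sops.age.keyFile = "/root/.config/sops/age/keys.txt"` names the single identity that decrypts every secret declared in this set, yet nothing records where that file comes from, who provisions it, or that it must stay `0400 root`; a comment such as `# host age identity, the only recipient in .sops.yaml; provisioned out of band, keep 0400 root` would make that contract visible to the next reader. sops-nix's default is to derive the identity from the host's SSH ed25519 key via `sops.age.sshKeyPaths`, which lives root-owned under `/etc/ssh` and does not depend on `/root` persisting across rebuilds, so the explicit path deserves a why-comment if it is deliberate. The dropped `group = …` lines on the gitlab entries appear to rely on sops-nix defaulting the group to the owner's primary group; worth confirming rather than assuming. The sops.secrets set closes inside this hunk, but the enclosing module continues past it.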
@@ -146,7 +166,7 @@
 services.caddy = {
 enable = true;
 configFile = ./Caddyfile;
- environmentFile = "/run/secrets/caddy";
+ environmentFile = config.sops.secrets."caddy/env".path;
 logFormat = lib.mkForce "level INFO";
 };
diff --git a/hosts/chunk/gitlab.nix b/hosts/chunk/gitlab.nix
index 7ce1425..9a4b7a6 100644
--- a/hosts/chunk/gitlab.nix
+++ b/hosts/chunk/gitlab.nix
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
 services.gitlab = {
 enable = true;
 https = true;
@@ -10,12 +10,12 @@
 sidekiq.concurrency = 10;
 databaseUsername = "git"; # needs to be same as user
 initialRootEmail = "hi@cything.io";
- initialRootPasswordFile = "/run/secrets/gitlab/root";
+ initialRootPasswordFile = config.sops.secrets."gitlab/root".path;
 secrets = {
- secretFile = "/run/secrets/gitlab/secret";
- otpFile = "/run/secrets/gitlab/otp";
- jwsFile = "/run/secrets/gitlab/jws";
- dbFile = "/run/secrets/gitlab/db";
+ secretFile = config.sops.secrets."gitlab/secret".path;
+ otpFile = config.sops.secrets."gitlab/otp".path;
+ jwsFile = config.sops.secrets."gitlab/jws".path;
+ dbFile = config.sops.secrets."gitlab/db".path;
 };
 };
 }
diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix
index 6aed82b..001bf37 100644
--- a/hosts/chunk/hedgedoc.nix
+++ b/hosts/chunk/hedgedoc.nix
@@ -1,7 +1,7 @@
-{...}: {
+{config, ...}: {
 services.hedgedoc = {
 enable = true;
- environmentFile = "/run/secrets/hedgedoc";
+ environmentFile = config.sops.secrets."hedgedoc/env".path;
 settings = {
 db = {
 username = "hedgedoc";
diff --git a/hosts/chunk/miniflux.nix b/hosts/chunk/miniflux.nix
index fff4967..b6f2d59 100644
--- a/hosts/chunk/miniflux.nix
+++ b/hosts/chunk/miniflux.nix
@@ -1,7 +1,7 @@
-{...}: {
+{config, ...}: {
 services.miniflux = {
 enable = true;
- adminCredentialsFile = "/run/secrets/miniflux";
+ adminCredentialsFile = config.sops.secrets."miniflux/env".path;
 config = {
 PORT = 8080;
 BASE_URL = "https://rss.cything.io";
diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix
index 0e4e84d..f70bc83 100644
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ config,
+ ...
+}: {
 systemd.services.immich-mount = {
 enable = true;
 description = "Mount the immich data remote";
@@ -10,7 +14,7 @@
 ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
 ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
 ExecStop = "/bin/fusermount -u /mnt/photos";
- EnvironmentFile = "/run/secrets/rclone";
+ EnvironmentFile = config.sops.secrets."rclone/env".path;
 };
 };
@@ -24,7 +28,7 @@
 Type = "notify";
 ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
 ExecStop = "/bin/fusermount -u /mnt/nextcloud";
- EnvironmentFile = "/run/secrets/rclone";
+ EnvironmentFile = config.sops.secrets."rclone/env".path;
 };
 };
 programs.fuse.userAllowOther = true;
diff --git a/hosts/chunk/vaultwarden.nix b/hosts/chunk/vaultwarden.nix
index 581ca88..af2acce 100644
--- a/hosts/chunk/vaultwarden.nix
+++ b/hosts/chunk/vaultwarden.nix
@@ -1,8 +1,8 @@
-{...}: {
+{config, ...}: {
 services.vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
- environmentFile = "/run/secrets/vaultwarden";
+ environmentFile = config.sops.secrets."vaultwarden/env".path;
 config = {
 ROCKET_ADDRESS = "127.0.0.1";
 ROCKET_PORT = "8081";
diff --git a/hosts/chunk/wireguard.nix b/hosts/chunk/wireguard.nix
index cfb8f7c..37a0b00 100644
--- a/hosts/chunk/wireguard.nix
+++ b/hosts/chunk/wireguard.nix
@@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ config,
+ ...
+}: {
 networking.nat = {
 enable = true;
 enableIPv6 = true;
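Review bot: Both mount units now take their environment from sops, but the `--config /home/yt/.config/rclone/rclone.conf` on each ExecStart still points a system service at a file in a user's home directory; whoever can write that file decides which remotes the service mounts and with which options, and any remote credentials the config carries (rclone configs commonly do, though its contents are not visible here) stay outside the sops handling this commit introduces. Declaring the config as a sops secret and passing its `.path` to `--config`, or setting `RCLONE_CONFIG` from the environment file, would give it the same root-owned 0400 treatment as `rclone/env`. Neither unit sets `User=` in the visible lines, so the mounts presumably run as root — worth confirming. Both service definitions begin before their hunks.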
@@ -9,7 +13,7 @@
 networking.wg-quick.interfaces.wg0 = {
 address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
 listenPort = 51820;
- privateKeyFile = "/run/secrets/wireguard/private";
+ privateKeyFile = config.sops.secrets."wireguard/private".path;
 postUp = ''
 ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
 ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
@@ -30,12 +34,12 @@
 {
 publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
 allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
- presharedKeyFile = "/run/secrets/wireguard/psk";
+ presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
 }
 {
 publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
 allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
- presharedKeyFile = "/run/secrets/wireguard/pskphone";
+ presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
 }
 ];
 };
diff --git a/secrets/rclone/chunk.yaml b/secrets/rclone/chunk.yaml
new file mode 100644
index 0000000..9149cb7
--- /dev/null
+++ b/secrets/rclone/chunk.yaml
@@ -0,0 +1,22 @@ +rclone: + env: ENC[AES256_GCM,data:e8O4cUbgFMseJTvzGyBhsD/beCkhuh/Sl4ZHqV/kQodcuKi3V9XHyeCAnBb/,iv:rOySfX7vQ1mduFEL4gSbM8rYk9Gp7aEcieV1CW+aGDk=,tag:aWmdde3Xv9IqLRigPZBH1w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUnBqMU56ZS9QZnpETmZ6 + a2tVRURyTU1LakR3bi90QXNpR21JcEI0ZFZzCm9jTDlCNk1xSTgwcmRqc3ZNbkJG + RzloNTZHQUJXU2J4UUttcjdIdFl6dWMKLS0tIDNaTUpZQ3lwYk1lNTlZMjF5d2VR + U09rb0kvcU1FdVBsanQyM3grTWdKRkEKAxZyWISPu4XUBevUhdOwd6ZJHfbvpAch + +jGrLXGBYlvp2oKdWHBXjv3HZ3N0IyEj07LyYsPBLchmUxhOCn4Piw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-17T03:32:29Z" + mac: ENC[AES256_GCM,data:TTaw6wv7cidgcB7c2igUPo6urQ87d0btr5puTr9yA8ppJ0iTKdLQT2nIZI0OHnP/cFE/at0YrhDNNk5AL1y9fuATRWveu1Y2KmjlYNXLlZS4PdAr3rsUs3FqSECdTqXR8ZYGodA5mOSjzWu1eYuoubVk2wtXV0alMUY7bwrnr6E=,iv:1zslrT0FX6SIEIRHPloLa2Fy8pVJVqMDIghR46l5+xg=,tag:qpw9iQAetUIoqvDQzufh8w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/secrets/services/vaultwarden.yaml b/secrets/services/vaultwarden.yaml new file mode 100644 index 0000000..62ed08d --- /dev/null +++ b/secrets/services/vaultwarden.yaml 
@@ -0,0 +1,22 @@ +vaultwarden: + env: ENC[AES256_GCM,data:VBYfmsrB5LLcEyFqKGvMz9U7LRix8Yo5IBoyIelwKY0g/TfaaFO8QTo84CQrkgB1faFex2xX/nbnsaUslSgxYu36f4XmaMUzMJ6FneDUnbAU2wp09bxek7iEqfRSrennfwAa3cTpOr3RkWG8AfW9xDMFhduqSSr3emqrXSGSnPSI5BuDjru5NbVmcPSdw9U396rkGZd5znxnIa+2f63+ox45tHxsOsC9iVlnnX4KMfJl+8QufX19atxGZwH2OVWn7ehesOd+DuvRMWkProoUERbGz51EvBQm3Ixm4WSQ3M9vFSIuup3ppNBYKHG6a9XAGiEyFDZEEiYhVQ==,iv:tCE83OE3c9bUXb8Z4sPJc/YwjOCftj4dmW0M//3ncQU=,tag:TyLR+5hNcQnXLZUxZiIKmg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGcFBzNi9lcFNyYVM0VzF2 + UGtralRTNi9qVG9waElST05BZTU2U1Y1endvCjFRT2FtbEFKZUt5Wm1WQ2lITzlL + TXNjZlMrNnB4K0NsSVd4TnFKa0thSTQKLS0tIElkR28wMUNKd090Z1M5eG9nVzFO + L0I2TWZackFkbDMzRnN6NXV2eXNjOGMK3jJFBU/aMtH11l9V2FgHgAJdGRJvYfIQ + DAwMwUM+pz7/uJJ/PmDx1aF8SRGPbG+CjcNz2SSo/u99GX5q08jVkg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-17T03:33:07Z" + mac: ENC[AES256_GCM,data:Voh0c1sqoT3CBGyjDXkFAjuHRlQG8JwNLwWF0TMBaQ/Ihz1zplEeHfsM23IceEhBggbEHqhcRipqTkSH24tkXD9wqvg0GsZZLiQ52o+JYPmPCaXZFqfLqjNKFS1y6+rokQaFy4rphWSBv0uS52MaOx8WIZr7m7s3/NNnaEy059E=,iv:Q8EswVeJdsQUDxnj4fTJESCYYHXn648sKVghLtRtBpU=,tag:cveD+MXcTn+xfU8fBkRZYQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2