From 0dee8b4fa73eec3b0b9986b265a9a17408de6f62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Fri, 6 May 2022 03:16:17 +0200
Subject: [PATCH] fix(secrets): fix permissions

Also moves key references into respective configs where they are used.
---
flake.nix | 44 ++++------------------
rpi4.nix | 7 +++++
services/etebase.nix | 6 ++++
services/mail.nix | 2 ++
services/miniflux.nix | 2 ++
services/mosquitto.nix | 15 ++++++++++
services/nextcloud.nix | 6 ++++
services/owntracks.nix | 2 ++
services/paperless.nix | 8 +++++-
services/restic/common.nix | 57 +++---------------------------------
services/restic/home-pc.nix | 6 ++--
services/restic/lib.nix | 55 +++++++++++++++++++++++++++++++++++
services/restic/rpi4.nix | 8 ++++--
services/samba/home-pc.nix | 2 ++
services/samba/rpi4.nix | 1 +
15 files changed, 125 insertions(+), 96 deletions(-)
create mode 100644 services/restic/lib.nix

diff --git a/flake.nix b/flake.nix
index 4bcf537..240008a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -88,6 +88,9 @@ _module.args = { inherit self inputs; }; } ];
+
+ environment.systemPackages = with pkgs;
+ [ agenix.defaultPackage.x86_64-linux ];
}); createUser' = import ./lib/createUser.nix; createUser = name: args:
@@ -111,17 +114,9 @@ modules = [ homeManagerModules.git ]; config = ./home/felschr.nix; })
- ({ config, pkgs, ... }: {
- age.secrets = {
- restic-b2.file = ./secrets/restic/b2.age;
- restic-password.file = ./secrets/restic/password.age;
- samba.file = ./secrets/samba.age;
- smtp.file = ./secrets/smtp.age;
- };
- environment.systemPackages = with pkgs; [
- agenix.defaultPackage.x86_64-linux
- deploy-rs.defaultPackage.x86_64-linux
- ];
+ ({ pkgs, ... }: {
+ environment.systemPackages = with pkgs;
+ [ deploy-rs.defaultPackage.x86_64-linux ];
}) ]; };
@@ -161,33 +156,6 @@ modules = [ homeManagerModules.git ]; config = ./home/felschr-rpi4.nix; })
- ({ config, pkgs, ... }: {
- age.secrets = {
- hostKey.file = ./secrets/home-server/hostKey.age;
- cfdyndns.file = ./secrets/cfdyndns.age;
- restic-b2.file = ./secrets/restic/b2.age;
- restic-password.file = ./secrets/restic/password.age;
- # samba.file = ./secrets/samba.age;
- smtp.file = ./secrets/smtp.age;
- mqtt-felix.file = ./secrets/mqtt/felix.age;
- mqtt-birgit.file = ./secrets/mqtt/birgit.age;
- mqtt-hass.file = ./secrets/mqtt/hass.age;
- mqtt-tasmota.file = ./secrets/mqtt/tasmota.age;
- mqtt-owntracks.file = ./secrets/mqtt/owntracks.age;
- mqtt-owntracks-plain.file = ./secrets/mqtt/owntracks-plain.age;
- owntracks-htpasswd.file = ./secrets/owntracks/htpasswd.age;
- etebase-server.file = ./secrets/etebase-server.age;
- miniflux.file = ./secrets/miniflux.age;
- paperless.file = ./secrets/paperless.age;
- nextcloud-admin = {
- file = ./secrets/nextcloud/admin.age;
- owner = "nextcloud";
- group = "nextcloud";
- };
- };
- environment.systemPackages = with pkgs;
- [ agenix.defaultPackage.x86_64-linux ];
- })
]; };
diff --git a/rpi4.nix b/rpi4.nix
index 2aafc77..34b19ee 100644
--- a/rpi4.nix
+++ b/rpi4.nix
@@ -32,6 +32,13 @@ in with builtins; { ./services/nextcloud.nix ];
+ age.secrets.cfdyndns = {
+ file = ./secrets/cfdyndns.age;
+ owner = "cfdyndns";
+ group = "cfdyndns";
+ };
+ age.secrets.hostKey.file = ./secrets/home-server/hostKey.age;
+
nixpkgs.config.allowUnfree = true; # rpi4 base config
diff --git a/services/etebase.nix b/services/etebase.nix
index 1468ac0..67fde22 100644
--- a/services/etebase.nix
+++ b/services/etebase.nix
@@ -2,6 +2,12 @@ let etebaseHost = "etebase.felschr.com"; in {
+ age.secrets.etebase-server = {
+ file = ../secrets/etebase-server.age;
+ owner = config.services.etebase-server.user;
+ group = config.services.etebase-server.user;
+ };
+
services.etebase-server.enable = true; services.etebase-server.openFirewall = true; services.etebase-server.settings = {
diff --git a/services/mail.nix b/services/mail.nix
index 835f0ef..df7cc5e 100644
--- a/services/mail.nix
+++ b/services/mail.nix
@@ -1,6 +1,8 @@ { config, pkgs, ... }: {
+ age.secrets.smtp.file = ../secrets/smtp.age;
+
programs.msmtp = { enable = true; defaults = {
diff --git a/services/miniflux.nix b/services/miniflux.nix
index a01e44b..f278712 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@@ -2,6 +2,8 @@ let port = 8002; in {
+ age.secrets.miniflux.file = ../secrets/miniflux.age;
+
services.miniflux = { enable = true; adminCredentialsFile = config.age.secrets.miniflux.path;
diff --git a/services/mosquitto.nix b/services/mosquitto.nix
index b106cc9..4014ef4 100644
--- a/services/mosquitto.nix
+++ b/services/mosquitto.nix
@@ -5,7 +5,22 @@ with pkgs; let port = 1883; wsPort = 9001;
+
+ mkSecret = file: {
+ inherit file;
+ owner = "mosquitto";
+ group = "mosquitto";
+ };
in {
+ age.secrets = {
+ mqtt-felix = mkSecret ../secrets/mqtt/felix.age;
+ mqtt-birgit = mkSecret ../secrets/mqtt/birgit.age;
+ mqtt-hass = mkSecret ../secrets/mqtt/hass.age;
+ mqtt-tasmota = mkSecret ../secrets/mqtt/tasmota.age;
+ mqtt-owntracks = mkSecret ../secrets/mqtt/owntracks.age;
+ mqtt-owntracks-plain = mkSecret ../secrets/mqtt/owntracks-plain.age;
+ };
+
services.nginx = { virtualHosts."mqtt.felschr.com" = { enableACME = true;
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 69f2efd..e1dc27e 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -2,6 +2,12 @@ let host = "cloud.felschr.com"; in {
+ age.secrets.nextcloud-admin = {
+ file = ../secrets/nextcloud/admin.age;
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
services.nextcloud = { enable = true; package = pkgs.nextcloud23;
diff --git a/services/owntracks.nix b/services/owntracks.nix
index 8ad80ed..1589d54 100644
--- a/services/owntracks.nix
+++ b/services/owntracks.nix
@@ -6,6 +6,8 @@ let window.owntracks.config = {}; ''; in {
+ age.secrets.owntracks-htpasswd.file = ../secrets/owntracks/htpasswd.age;
+
virtualisation.oci-containers.containers = { owntracks-recorder = { # official image does not support aarch64
diff --git a/services/paperless.nix b/services/paperless.nix
index 6f949ca..1204b25 100644
--- a/services/paperless.nix
+++ b/services/paperless.nix
@@ -2,7 +2,13 @@ let port = 28981; in {
- /* services.paperless-ng = {
+ age.secrets.paperless = {
+ file = ../secrets/paperless.age;
+ owner = config.services.paperless.user;
+ group = config.services.paperless.user;
+ };
+
+ /* services.paperless = {
enable = true; inherit port; passwordFile = config.age.secrets.paperless.path;
diff --git a/services/restic/common.nix b/services/restic/common.nix
index c6766e3..04fa699 100644
--- a/services/restic/common.nix
+++ b/services/restic/common.nix
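Review bot: The new `age.secrets.paperless` sets owner and group to `config.services.paperless.user` while the `services.paperless` block right below it is still commented out, so on a host where the service is disabled that user is presumably never created and agenix's chown of the decrypted file would fail at activation (the option default still evaluates, which is why evaluation itself passes). Gating the declaration on the service, e.g. `age.secrets.paperless = lib.mkIf config.services.paperless.enable { … };`, keeps the secret and the user in step; the module's argument set is outside the hunk, so `lib` may need adding there. Setting `group` to the user name also only holds if the service user's primary group shares its name, which is worth confirming against the paperless module.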
@@ -1,55 +1,6 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-# using the restic cli:
-# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
-# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
-
-with lib;
-with builtins;
-let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
-in {
- resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
- , extraPruneOpts ? [ ], ... }:
- assert !hasAnyAttr [
- "initialize"
- "repository"
- "s3CredentialsFile"
- "passwordFile"
- "pruneOpts"
- ] args;
- assert (args ? paths);
- assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
- {
- initialize = true;
- repository = "b2:felschr-backups:/${name}";
- environmentFile = config.age.secrets.restic-b2.path;
- passwordFile = config.age.secrets.restic-password.path;
- timerConfig.OnCalendar = "daily";
- paths = if ripgrep then null else paths;
- dynamicFilesFrom = if ripgrep then
- let
- files = foldl (a: b: "${a} ${b}") "" paths;
- ignoreFile = builtins.toFile "ignore"
- (foldl (a: b: a + "\n" + b) "" ignorePatterns);
- in ''
- ${pkgs.ripgrep}/bin/rg \
- --files ${files} \
- --ignore-file ${ignoreFile} \
- | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
- ''
- else
- null;
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 4"
- "--keep-monthly 3"
- "--keep-yearly 1"
- ] ++ extraPruneOpts;
- } // (removeAttrs args [
- "name"
- "ripgrep"
- "paths"
- "ignorePatterns"
- "extraPruneOpts"
- ]);
+{
+ age.secrets.restic-b2.file = ../../secrets/restic/b2.age;
+ age.secrets.restic-password.file = ../../secrets/restic/password.age;
}
diff --git a/services/restic/home-pc.nix b/services/restic/home-pc.nix
index cfe4a6f..585cedf 100644
--- a/services/restic/home-pc.nix
+++ b/services/restic/home-pc.nix
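Review bot: common.nix is now a plain module that only declares two secrets, yet it keeps a full argument set `{ config, pkgs, lib, ... }:` of which the body uses none; `{ ... }:` would make clear the module has no inputs and avoids the argument reordering noise against the old header. A one-line header comment such as `# secrets consumed by resticConfig in ./lib.nix; hosts must import this module alongside it` would also help, since after this change the two files are coupled only through `config.age.secrets.restic-b2` and `restic-password`, which lib.nix reads but no longer declares.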
@@ -6,11 +6,13 @@ with lib; with builtins;
-let common = import ./common.nix { inherit config lib pkgs; };
+let resticLib = import ./lib.nix { inherit config lib pkgs; };
in {
+ imports = [ ./common.nix ];
+
environment.systemPackages = with pkgs; [ restic ];
- services.restic.backups.full = common.resticConfig {
+ services.restic.backups.full = resticLib.resticConfig {
name = "home-pc"; ripgrep = true; paths = [ "/etc/nixos" "/var/lib" "/home" ];
diff --git a/services/restic/lib.nix b/services/restic/lib.nix
new file mode 100644
index 0000000..c6766e3
--- /dev/null
+++ b/services/restic/lib.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+# using the restic cli:
+# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
+# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
+
+with lib;
+with builtins;
+let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
+in {
+ resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
+ , extraPruneOpts ? [ ], ... }:
+ assert !hasAnyAttr [
+ "initialize"
+ "repository"
+ "s3CredentialsFile"
+ "passwordFile"
+ "pruneOpts"
+ ] args;
+ assert (args ? paths);
+ assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
+ {
+ initialize = true;
+ repository = "b2:felschr-backups:/${name}";
+ environmentFile = config.age.secrets.restic-b2.path;
+ passwordFile = config.age.secrets.restic-password.path;
+ timerConfig.OnCalendar = "daily";
+ paths = if ripgrep then null else paths;
+ dynamicFilesFrom = if ripgrep then
+ let
+ files = foldl (a: b: "${a} ${b}") "" paths;
+ ignoreFile = builtins.toFile "ignore"
+ (foldl (a: b: a + "\n" + b) "" ignorePatterns);
+ in ''
+ ${pkgs.ripgrep}/bin/rg \
+ --files ${files} \
+ --ignore-file ${ignoreFile} \
+ | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
+ ''
+ else
+ null;
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ "--keep-yearly 1"
+ ] ++ extraPruneOpts;
+ } // (removeAttrs args [
+ "name"
+ "ripgrep"
+ "paths"
+ "ignorePatterns"
+ "extraPruneOpts"
+ ]);
+}
diff --git a/services/restic/rpi4.nix b/services/restic/rpi4.nix
index f72a94e..da5800d 100644
--- a/services/restic/rpi4.nix
+++ b/services/restic/rpi4.nix
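Review bot: The bracket-escaping pipeline in `dynamicFilesFrom`, `| sed "s/\[/\\\[/" | sed "s/\]/\\\]/"`, has no `g` flag, so only the first `[` and the first `]` of each path are escaped and a path with two brackets would still reach restic's files-from list partly unescaped; `| sed 's/\[/\\[/g; s/\]/\\]/g'` handles every occurrence in one invocation. Separately, `rg --files` is invoked without `--hidden`, and nothing visible overrides ripgrep's defaults, so dotfiles and anything matched by a `.gitignore` inside the listed trees (`/home` and `/var/lib` on both hosts) are presumably left out of the backup — worth confirming that is intended. The file also reads `config.age.secrets.restic-b2.path` and `restic-password.path`, which after this commit are declared only in ./common.nix, so a host that imports lib.nix without common.nix fails evaluation on the missing attribute; a header comment such as `# requires ./common.nix to be imported by the host (declares restic-b2 / restic-password)` would make that dependency explicit.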
@@ -6,12 +6,16 @@ with lib; with builtins;
-let common = import ./common.nix { inherit config lib pkgs; };
+let resticLib = import ./lib.nix { inherit config lib pkgs; };
in {
+ imports = [ ./common.nix ];
+
environment.systemPackages = with pkgs; [ restic ];
- services.restic.backups.full = common.resticConfig {
+ services.restic.backups.full = resticLib.resticConfig {
name = "rpi4";
+ # TODO migrate old repository
+ # repository = "b2:felschr-rpi4-backup:/full";
ripgrep = true; paths = [ "/etc/nixos" "/var/lib" "/home" ]; ignorePatterns = [
diff --git a/services/samba/home-pc.nix b/services/samba/home-pc.nix
index 68a3fb5..e9faac4 100644
--- a/services/samba/home-pc.nix
+++ b/services/samba/home-pc.nix
@@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: {
+ age.secrets.samba.file = ../../secrets/samba.age;
+
fileSystems."/home/felschr/media" = { device = "//192.168.1.234/media"; fsType = "cifs";
diff --git a/services/samba/rpi4.nix b/services/samba/rpi4.nix
index 7d017e7..f3f986d 100644
--- a/services/samba/rpi4.nix
+++ b/services/samba/rpi4.nix
@@ -2,6 +2,7 @@ { # Use `smbpasswd -a ` to set passwords
+ # age.secrets.samba.file = ../../secrets/samba.age;
services.samba = { enable = true;
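Review bot: The `# TODO migrate old repository` note suggests re-enabling `repository = "b2:felschr-rpi4-backup:/full";` in this attribute set, but `resticLib.resticConfig` asserts `!hasAnyAttr [ … "repository" … ] args`, so uncommenting that line as written would trip the assertion rather than switch repositories. Until the migration happens, `name = "rpi4"` points this host at `b2:felschr-backups:/rpi4` with `initialize = true`, so the timer will presumably start a fresh repository while the old one keeps its snapshots and is no longer pruned. Making the TODO say so, e.g. `# TODO migrate old repository b2:felschr-rpi4-backup:/full into b2:felschr-backups:/rpi4 (resticConfig rejects a repository override)`, would save the next reader a failed rebuild.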