fix(secrets): fix permissions

Also moves key references into respective configs where they are used.
2022-05-06 03:16:17 +02:00 · 2022-05-06 03:16:17 +02:00 · 0dee8b4fa7
parent 7f3a5317bd
commit 0dee8b4fa7
15 changed files with 125 additions and 96 deletions
--- a/flake.nix
+++ b/flake.nix
@ -88,6 +88,9 @@
                _module.args = { inherit self inputs; };
              }
            ];
+
+            environment.systemPackages = with pkgs;
+              [ agenix.defaultPackage.x86_64-linux ];
          });
        createUser' = import ./lib/createUser.nix;
        createUser = name: args:
@ -111,17 +114,9 @@
            modules = [ homeManagerModules.git ];
            config = ./home/felschr.nix;
          })
-          ({ config, pkgs, ... }: {
-            age.secrets = {
-              restic-b2.file = ./secrets/restic/b2.age;
-              restic-password.file = ./secrets/restic/password.age;
-              samba.file = ./secrets/samba.age;
-              smtp.file = ./secrets/smtp.age;
-            };
-            environment.systemPackages = with pkgs; [
-              agenix.defaultPackage.x86_64-linux
-              deploy-rs.defaultPackage.x86_64-linux
-            ];
+          ({ pkgs, ... }: {
+            environment.systemPackages = with pkgs;
+              [ deploy-rs.defaultPackage.x86_64-linux ];
          })
        ];
      };
@ -161,33 +156,6 @@
            modules = [ homeManagerModules.git ];
            config = ./home/felschr-rpi4.nix;
          })
-          ({ config, pkgs, ... }: {
-            age.secrets = {
-              hostKey.file = ./secrets/home-server/hostKey.age;
-              cfdyndns.file = ./secrets/cfdyndns.age;
-              restic-b2.file = ./secrets/restic/b2.age;
-              restic-password.file = ./secrets/restic/password.age;
-              # samba.file = ./secrets/samba.age;
-              smtp.file = ./secrets/smtp.age;
-              mqtt-felix.file = ./secrets/mqtt/felix.age;
-              mqtt-birgit.file = ./secrets/mqtt/birgit.age;
-              mqtt-hass.file = ./secrets/mqtt/hass.age;
-              mqtt-tasmota.file = ./secrets/mqtt/tasmota.age;
-              mqtt-owntracks.file = ./secrets/mqtt/owntracks.age;
-              mqtt-owntracks-plain.file = ./secrets/mqtt/owntracks-plain.age;
-              owntracks-htpasswd.file = ./secrets/owntracks/htpasswd.age;
-              etebase-server.file = ./secrets/etebase-server.age;
-              miniflux.file = ./secrets/miniflux.age;
-              paperless.file = ./secrets/paperless.age;
-              nextcloud-admin = {
-                file = ./secrets/nextcloud/admin.age;
-                owner = "nextcloud";
-                group = "nextcloud";
-              };
-            };
-            environment.systemPackages = with pkgs;
-              [ agenix.defaultPackage.x86_64-linux ];
-          })
        ];
      };

--- a/rpi4.nix
+++ b/rpi4.nix
@ -32,6 +32,13 @@ in with builtins; {
    ./services/nextcloud.nix
  ];

+  age.secrets.cfdyndns = {
+    file = ./secrets/cfdyndns.age;
+    owner = "cfdyndns";
+    group = "cfdyndns";
+  };
+  age.secrets.hostKey.file = ./secrets/home-server/hostKey.age;
+
  nixpkgs.config.allowUnfree = true;

  # rpi4 base config
--- a/services/etebase.nix
+++ b/services/etebase.nix
@ -2,6 +2,12 @@

 let etebaseHost = "etebase.felschr.com";
 in {
+  age.secrets.etebase-server = {
+    file = ../secrets/etebase-server.age;
+    owner = config.services.etebase-server.user;
+    group = config.services.etebase-server.user;
+  };
+
  services.etebase-server.enable = true;
  services.etebase-server.openFirewall = true;
  services.etebase-server.settings = {
--- a/services/mail.nix
+++ b/services/mail.nix
@ -1,6 +1,8 @@
 { config, pkgs, ... }:

 {
+  age.secrets.smtp.file = ../secrets/smtp.age;
+
  programs.msmtp = {
    enable = true;
    defaults = {
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@ -2,6 +2,8 @@

 let port = 8002;
 in {
+  age.secrets.miniflux.file = ../secrets/miniflux.age;
+
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.age.secrets.miniflux.path;
--- a/services/mosquitto.nix
+++ b/services/mosquitto.nix
@ -5,7 +5,22 @@ with pkgs;
 let
  port = 1883;
  wsPort = 9001;
+
+  mkSecret = file: {
+    inherit file;
+    owner = "mosquitto";
+    group = "mosquitto";
+  };
 in {
+  age.secrets = {
+    mqtt-felix = mkSecret ../secrets/mqtt/felix.age;
+    mqtt-birgit = mkSecret ../secrets/mqtt/birgit.age;
+    mqtt-hass = mkSecret ../secrets/mqtt/hass.age;
+    mqtt-tasmota = mkSecret ../secrets/mqtt/tasmota.age;
+    mqtt-owntracks = mkSecret ../secrets/mqtt/owntracks.age;
+    mqtt-owntracks-plain = mkSecret ../secrets/mqtt/owntracks-plain.age;
+  };
+
  services.nginx = {
    virtualHosts."mqtt.felschr.com" = {
      enableACME = true;
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -2,6 +2,12 @@

 let host = "cloud.felschr.com";
 in {
+  age.secrets.nextcloud-admin = {
+    file = ../secrets/nextcloud/admin.age;
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud23;
--- a/services/owntracks.nix
+++ b/services/owntracks.nix
@ -6,6 +6,8 @@ let
    window.owntracks.config = {};
  '';
 in {
+  age.secrets.owntracks-htpasswd.file = ../secrets/owntracks/htpasswd.age;
+
  virtualisation.oci-containers.containers = {
    owntracks-recorder = {
      # official image does not support aarch64
--- a/services/paperless.nix
+++ b/services/paperless.nix
@ -2,7 +2,13 @@

 let port = 28981;
 in {
-  /* services.paperless-ng = {
+  age.secrets.paperless = {
+    file = ../secrets/paperless.age;
+    owner = config.services.paperless.user;
+    group = config.services.paperless.user;
+  };
+
+  /* services.paperless = {
     enable = true;
     inherit port;
     passwordFile = config.age.secrets.paperless.path;
--- a/services/restic/common.nix
+++ b/services/restic/common.nix
@ -1,55 +1,6 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, lib, ... }:

-# using the restic cli:
-# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
-# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
-
-with lib;
-with builtins;
-let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
-in {
-  resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
-    , extraPruneOpts ? [ ], ... }:
-    assert !hasAnyAttr [
-      "initialize"
-      "repository"
-      "s3CredentialsFile"
-      "passwordFile"
-      "pruneOpts"
-    ] args;
-    assert (args ? paths);
-    assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
-    {
-      initialize = true;
-      repository = "b2:felschr-backups:/${name}";
-      environmentFile = config.age.secrets.restic-b2.path;
-      passwordFile = config.age.secrets.restic-password.path;
-      timerConfig.OnCalendar = "daily";
-      paths = if ripgrep then null else paths;
-      dynamicFilesFrom = if ripgrep then
-        let
-          files = foldl (a: b: "${a} ${b}") "" paths;
-          ignoreFile = builtins.toFile "ignore"
-            (foldl (a: b: a + "\n" + b) "" ignorePatterns);
-        in ''
-          ${pkgs.ripgrep}/bin/rg \
-            --files ${files} \
-            --ignore-file ${ignoreFile} \
-            | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
-        ''
-      else
-        null;
-      pruneOpts = [
-        "--keep-daily 7"
-        "--keep-weekly 4"
-        "--keep-monthly 3"
-        "--keep-yearly 1"
-      ] ++ extraPruneOpts;
-    } // (removeAttrs args [
-      "name"
-      "ripgrep"
-      "paths"
-      "ignorePatterns"
-      "extraPruneOpts"
-    ]);
+{
+  age.secrets.restic-b2.file = ../../secrets/restic/b2.age;
+  age.secrets.restic-password.file = ../../secrets/restic/password.age;
 }
--- a/services/restic/home-pc.nix
+++ b/services/restic/home-pc.nix
@ -6,11 +6,13 @@

 with lib;
 with builtins;
-let common = import ./common.nix { inherit config lib pkgs; };
+let resticLib = import ./lib.nix { inherit config lib pkgs; };
 in {
+  imports = [ ./common.nix ];
+
  environment.systemPackages = with pkgs; [ restic ];

-  services.restic.backups.full = common.resticConfig {
+  services.restic.backups.full = resticLib.resticConfig {
    name = "home-pc";
    ripgrep = true;
    paths = [ "/etc/nixos" "/var/lib" "/home" ];
--- a/services/restic/lib.nix
+++ b/services/restic/lib.nix
@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+# using the restic cli:
+# load credentials into shell via: export $(cat /path/to/credentials/file | xargs)
+# useful commands for analysing restic stats [snapshot-id], restic diff [s1] [s2],
+
+with lib;
+with builtins;
+let hasAnyAttr = flip (attrset: any (flip hasAttr attrset));
+in {
+  resticConfig = args@{ name, ripgrep ? false, paths ? [ ], ignorePatterns ? [ ]
+    , extraPruneOpts ? [ ], ... }:
+    assert !hasAnyAttr [
+      "initialize"
+      "repository"
+      "s3CredentialsFile"
+      "passwordFile"
+      "pruneOpts"
+    ] args;
+    assert (args ? paths);
+    assert (ripgrep || (!ripgrep && !(args ? ignorePatterns)));
+    {
+      initialize = true;
+      repository = "b2:felschr-backups:/${name}";
+      environmentFile = config.age.secrets.restic-b2.path;
+      passwordFile = config.age.secrets.restic-password.path;
+      timerConfig.OnCalendar = "daily";
+      paths = if ripgrep then null else paths;
+      dynamicFilesFrom = if ripgrep then
+        let
+          files = foldl (a: b: "${a} ${b}") "" paths;
+          ignoreFile = builtins.toFile "ignore"
+            (foldl (a: b: a + "\n" + b) "" ignorePatterns);
+        in ''
+          ${pkgs.ripgrep}/bin/rg \
+            --files ${files} \
+            --ignore-file ${ignoreFile} \
+            | sed "s/\[/\\\[/" | sed "s/\]/\\\]/"
+        ''
+      else
+        null;
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+        "--keep-yearly 1"
+      ] ++ extraPruneOpts;
+    } // (removeAttrs args [
+      "name"
+      "ripgrep"
+      "paths"
+      "ignorePatterns"
+      "extraPruneOpts"
+    ]);
+}
--- a/services/restic/rpi4.nix
+++ b/services/restic/rpi4.nix
@ -6,12 +6,16 @@

 with lib;
 with builtins;
-let common = import ./common.nix { inherit config lib pkgs; };
+let resticLib = import ./lib.nix { inherit config lib pkgs; };
 in {
+  imports = [ ./common.nix ];
+
  environment.systemPackages = with pkgs; [ restic ];

-  services.restic.backups.full = common.resticConfig {
+  services.restic.backups.full = resticLib.resticConfig {
    name = "rpi4";
+    # TODO migrate old repository
+    # repository = "b2:felschr-rpi4-backup:/full";
    ripgrep = true;
    paths = [ "/etc/nixos" "/var/lib" "/home" ];
    ignorePatterns = [
--- a/services/samba/home-pc.nix
+++ b/services/samba/home-pc.nix
@ -1,6 +1,8 @@
 { config, lib, pkgs, ... }:

 {
+  age.secrets.samba.file = ../../secrets/samba.age;
+
  fileSystems."/home/felschr/media" = {
    device = "//192.168.1.234/media";
    fsType = "cifs";
--- a/services/samba/rpi4.nix
+++ b/services/samba/rpi4.nix
@ -2,6 +2,7 @@

 {
  # Use `smbpasswd -a <user>` to set passwords
+  # age.secrets.samba.file = ../../secrets/samba.age;

  services.samba = {
    enable = true;