feat: use agenix to manage secrets

2024-08-20 17:06:36 +02:00 · 2024-08-20 17:06:36 +02:00 · 48d6b6a5b9
commit 48d6b6a5b9
parent 3630cc995e
10 changed files with 184 additions and 22 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,48 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1723293904,
        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1700795494,
        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@ -42,7 +85,7 @@
    },
    "flake-utils": {
      "inputs": {
-        "systems": "systems"
+        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1710146030,
@ -59,6 +102,27 @@
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1703113217,
        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -95,6 +159,22 @@
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1703013332,
        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1723175592,
        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
@ -110,7 +190,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_2": {
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1718428119,
        "narHash": "sha256-WdWDpNaq6u1IPtxtYHHWpl5BmabtpmLnMAx0RdJ/vo8=",
@ -150,17 +230,18 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "disko": "disko",
        "flake-parts": "flake-parts",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "rofi-obsidian": "rofi-obsidian"
      }
    },
    "rust-overlay": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
        "lastModified": 1720318855,
@ -190,6 +271,21 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -3,7 +3,9 @@
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
@ -19,6 +21,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix.url = "github:ryantm/agenix";
    rofi-obsidian = {
      url = "github:nydragon/rofi-obsidian";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -23,7 +23,10 @@ in
    raptus = lib.my.mkSystem {
      hostname = "raptus";
      system = "x86_64-linux";
-      extraModules = [ inputs.disko.nixosModules.disko ];
+      extraModules = [
        inputs.disko.nixosModules.disko
        inputs.agenix.nixosModules.default
      ];
    };
  };
 }
--- a/hosts/raptus/configuration.nix
+++ b/hosts/raptus/configuration.nix
@ -13,6 +13,8 @@
    ../../modules/nix
  ];
  age.secrets.couchdb.file = ../../secrets/couchdb.age;
  device.type = {
    vm.enable = true;
    server.enable = true;
@ -25,7 +27,11 @@
  networking.firewall = lib.mkForce {
    enable = true;
-    allowedTCPPorts = [ 80 ];
+    allowedTCPPorts = [
      80
      22
      5984 # couchdb
    ];
  };
  services.nginx = {
@ -33,12 +39,10 @@
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."rusty.ccnlc.eu" = {
-      #enableACME = true;
+      # TODO: Enable https
      #forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8000";
        proxyWebsockets = true; # needed if you need to use WebSocket
        extraConfig = ''
          proxy_ssl_server_name on;
          proxy_pass_header Authorization;'';
--- a/hosts/raptus/disk-config.nix
+++ b/hosts/raptus/disk-config.nix
@ -32,7 +32,6 @@
              mountOptions = [ "defaults" ];
            };
          };
        };
      };
    };
--- a/hosts/raptus/docker-compose.nix
+++ b/hosts/raptus/docker-compose.nix
@ -1,5 +1,10 @@
 # Auto-generated using compose2nix v0.2.2-pre.
-{ pkgs, lib, ... }:
+{
  pkgs,
  lib,
  config,
  ...
 }:
 {
  # Runtime
@ -17,12 +22,9 @@
  # Containers
  virtualisation.oci-containers.containers."obsidian-livesync" = {
    image = "couchdb";
-    environment = {
+    environmentFiles = [ config.age.secrets.couchdb.path ];
      "COUCHDB_PASSWORD" = "";
      "COUCHDB_USER" = "";
    };
    volumes = [
-      "${./local.ini}:/opt/couchdb/etc/local.ini:ro"
+      "${./local.ini}:/opt/couchdb/etc/local.ini:rw"
      "test_dbdata:/opt/couchdb/data:rw"
    ];
    ports = [ "5984:5984/tcp" ];
--- a/hosts/raptus/docker-compose.yml
+++ b/hosts/raptus/docker-compose.yml
@ -0,0 +1,28 @@
 services:
  couchserver:
    image: couchdb
    container_name: obsidian-livesync
    restart: always
    ports:
      - 5984:5984
    environment:
      - COUCHDB_USER=USERNAME
      - COUCHDB_PASSWORD=PASSWORD
    volumes:
      - dbdata:/opt/couchdb/data
      - ./local.ini:/opt/couchdb/etc/local.ini
  rustypaste:
    image: orhunp/rustypaste:${IMAGE_TAG:-latest}
    build: .
    container_name: rustypaste
    restart: always
    environment:
      - RUST_LOG=debug
    ports:
      - "8000:8000"
    volumes:
      - rustypaste-data:/app/upload
      - ./rusty.toml:/app/config.toml
 volumes:
  dbdata:
  rustypaste-data:
--- a/hosts/raptus/rusty.toml
+++ b/hosts/raptus/rusty.toml
@ -3,9 +3,9 @@ refresh_rate = "1s"
 [server]
 address = "127.0.0.1:8000"
-url = "https://vps.ccnlc.eu"
+url = "http://rusty.ccnlc.eu"
-#workers=4
+workers = 4
-max_content_length = "10MB"
+max_content_length = "50MB"
 upload_path = "./upload"
 timeout = "30s"
 expose_version = false
@ -65,6 +65,6 @@ mime_blacklist = [
  "application/java-archive",
  "application/java-vm",
 ]
-duplicate_files = true
+duplicate_files = false
-# default_expiry = "1h"
+default_expiry = "1h"
 delete_expired_files = { enabled = true, interval = "1h" }
--- a/secrets/couchdb.age
+++ b/secrets/couchdb.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 JjL30A 1/KAH0fjeZMgw4Dk/bC+CEf2NDQKdtfjSWxictQp5HI
 6JHuy5vMZ6+v8G3PWfIEb3swCR59Tk0bDKKWya61LmM
 -> ssh-ed25519 nueAfA MnaKgyOTgK1mPfjeZ4eb4MFj1zuOPDJhgzmCn5GaG3Y
 Qh/hMUMNiCsgSiG7yisCnGixuWEvcK9X0OKhuzonIj8
 -> ssh-ed25519 WcjW5A J4391GLRJBvK2j6K7uuFOlQSAvohDSGJCKff3yTwkGY
 spDoDXT5elna781WJK+fynbSHaXsQacX+ED5Q1KDrfA
 --- ZM3EXe2MWKhl9NfO0r8vKaC0dfCE75GB03+s9RkQye4
 f4Ø,EWYYòG£ÜUÛ³«Í˜¨úÌ1Gnó³háQÉ^v TïDŒÉò†²Ÿ^X¹šc+Úÿ
 QdÒ†	EÚ»n«ýèªN”\ÒÎ‘iôÀFÓGþ]çrÞE*éš¡‡—qølç¾ËMÿgÉü’£•:¿«ŒŠ¥È¯ÏpÛìà|ƒ6D=Ÿ<ñ5,rÐr½×ö:wÞG–µÀ
KÈpY]mhå?ŽD ˜sTÞ2
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,16 @@
 let
  userBrontes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw";
  userMarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO";
  users = [
    userMarr
    userBrontes
  ];
  raptus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErbhkpCL0DuJQTxeTqxtrGvELCQFkyZmhTZ8fagszOU";
  systems = [ raptus ];
 in
 {
  "couchdb.age".publicKeys = [ raptus ] ++ users;
 }