From 8647af22d7e0855a3a8110267da085aa2356b4d2 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 9 Apr 2022 21:51:24 +0100
Subject: [PATCH] ops/nixos: put more things in Vault
---
 ops/nixos/bvm-matrix/default.nix | 34 +++++++++++++++++--------
 ops/nixos/bvm-prosody/default.nix | 31 +++++++++++++++++-----
 ops/nixos/bvm-twitterchiver/default.nix | 22 +++++++++++-----
 ops/nixos/clouvider-fra01/default.nix | 3 ---
 ops/nixos/clouvider-lon01/default.nix | 9 +++----
 ops/nixos/etheroute-lon01/default.nix | 3 ---
 ops/nixos/frantech-nyc01/default.nix | 5 +---
 ops/nixos/lib/deluge.nix | 4 +--
 ops/nixos/lib/quotes.bfob.gg.nix | 12 ++++++++-
 ops/vault/cfg/config.nix | 11 +++++++-
 10 files changed, 91 insertions(+), 43 deletions(-)
diff --git a/ops/nixos/bvm-matrix/default.nix b/ops/nixos/bvm-matrix/default.nix
index d604ae1856..b0c27b8ca0 100644
--- a/ops/nixos/bvm-matrix/default.nix
+++ b/ops/nixos/bvm-matrix/default.nix
@@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 { config, depot, pkgs, lib, ... }:
-let
- inherit (depot.ops) secrets;
- machineSecrets = secrets.machineSpecific.bvm-matrix;
-in {
+{
 imports = [
 ../lib/bvm.nix
 ];
@@ -57,10 +54,19 @@ in {
 enable = true;
 use-auth-secret = true;
 realm = "matrix.zxcvbnm.ninja";
- static-auth-secret = machineSecrets.turnSecret;
+ static-auth-secret-file = config.my.vault.secrets.turn.path;
 cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem";
 pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem";
 };
+ my.vault.secrets.turn = {
+ restartUnits = ["coturn.service"];
+ group = "turnserver";
+ template = ''
+ {{- with secret "kv/apps/turn" -}}
+ {{ .Data.data.secret }}
+ {{- end -}}
+ '';
+ };
 services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
@@ -119,6 +125,7 @@ in {
 };
 services.matrix-synapse = {
 enable = true;
+ extraConfigFiles = [ config.my.vault.secrets.matrix-synapse.path ];
 settings = {
 server_name = "zxcvbnm.ninja";
 url_preview_enabled = true;
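Review bot: `my.vault.secrets.turn` in the `@@ -57,10 +54,19 @@` hunk renders `kv/apps/turn` for the coturn on bvm-matrix, and the bvm-prosody hunk `@@ -35,10 +32,28 @@` renders the very same entry for the coturn on turn.lukegb.com, so one static-auth-secret is shared by two TURN servers in different realms and is also consumed by the synapse template. If the two servers do not need to honour each other's credentials, a per-host KV entry (e.g. `kv/apps/turn-matrix` — placeholder name) would keep a compromise of one VM from yielding usable TURN credentials for the other. If the sharing is deliberate, a one-line comment beside the secret, such as `# Shared with bvm-prosody on purpose: both TURN servers accept the same credentials.`, would stop a later reader from splitting it by accident. The `{{- ... -}}` trimming is doing real work here (the file must hold only the secret, no trailing newline) and deserves a comment too.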
@@ -152,13 +159,20 @@ in {
 ];
 experimental_features.spaces_enabled = true;
 public_baseurl = "https://matrix.zxcvbnm.ninja/";
-
- macaroon_secret_key = machineSecrets.matrix.macaroonSecretKey;
- registration_shared_secret = machineSecrets.matrix.registrationSecret;
- turn_shared_secret = machineSecrets.turnSecret;
- form_secret = machineSecrets.matrix.formSecret;
 };
 };
+ my.vault.secrets.matrix-synapse = {
+ restartUnits = ["matrix-synapse.service"];
+ group = "matrix-synapse";
+ template = ''
+ {{ with secret "kv/apps/matrix-synapse" }}
+ {{ .Data.data.config }}
+ {{ end }}
+ {{ with secret "kv/apps/turn" }}
+ turn_shared_secret: "{{ .Data.data.secret }}"
+ {{ end }}
+ '';
+ };
 # Users allowed to use SSL certificate for matrix.zxcvbnm.ninja.
 users.groups.matrixcert = {
diff --git a/ops/nixos/bvm-prosody/default.nix b/ops/nixos/bvm-prosody/default.nix
index 6aa6de10a1..d85e64e0e4 100644
--- a/ops/nixos/bvm-prosody/default.nix
+++ b/ops/nixos/bvm-prosody/default.nix
@@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 { config, depot, pkgs, ... }:
-let
- inherit (depot.ops) secrets;
- machineSecrets = secrets.machineSpecific.bvm-prosody;
-in {
+{
 imports = [
 ../lib/bvm.nix
 ];
@@ -35,10 +32,28 @@ in {
 enable = true;
 use-auth-secret = true;
 realm = "turn.lukegb.com";
- static-auth-secret = machineSecrets.turnSecret;
+ static-auth-secret-file = config.my.vault.secrets.turn.path;
 cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
 pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
 };
+ my.vault.secrets.turn = {
+ restartUnits = ["coturn.service"];
+ group = "turnserver";
+ template = ''
+ {{- with secret "kv/apps/turn" -}}
+ {{ .Data.data.secret }}
+ {{- end -}}
+ '';
+ };
+ my.vault.secrets.turn-prosody = {
+ restartUnits = ["prosody.service"];
+ group = "prosody";
+ template = ''
+ {{- with secret "kv/apps/turn" -}}
+ {{ .Data.data.secret }}
+ {{- end -}}
+ '';
+ };
 services.prosody = {
 enable = true;
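Review bot: `turn_shared_secret: "{{ .Data.data.secret }}"` in the matrix-synapse template drops the Vault value into YAML inside double quotes with no escaping, so a secret containing `"` or `\` would yield an invalid config or a silently different value — and since coturn receives the same value raw, the two sides would then disagree. Emitting it as a JSON scalar, `turn_shared_secret: {{ .Data.data.secret | toJSON }}`, closes that gap if the agent's template functions include `toJSON` (consul-template's do; worth confirming for this agent), and failing that the stored value should be documented as restricted to characters safe inside a YAML double-quoted string. `{{ .Data.data.config }}` likewise assumes the stored blob is a complete top-level YAML document; a comment listing the keys it is expected to carry (the `macaroon_secret_key`, `registration_shared_secret` and `form_secret` entries removed just above) would help whoever next populates `kv/apps/matrix-synapse`. The enclosing attribute set begins before this hunk.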
@@ -73,6 +88,10 @@ in {
 legacy_ssl_ports = { 5223 }
+ local turn_secret_file = io.open("${config.my.vault.secrets.turn-prosody.path}", "r")
+ local turn_secret = turn_secret_file:read()
+ turn_secret_file:close()
+
 external_services = {
 {
 type = "stun",
@@ -84,7 +103,7 @@ in {
 transport = "udp",
 host = "turn.lukegb.com",
 port = 3478,
- secret = "${machineSecrets.turnSecret}",
+ secret = turn_secret,
 }
 }
 '';
diff --git a/ops/nixos/bvm-twitterchiver/default.nix b/ops/nixos/bvm-twitterchiver/default.nix
index 87cedb0cba..1f172b56ef 100644
--- a/ops/nixos/bvm-twitterchiver/default.nix
+++ b/ops/nixos/bvm-twitterchiver/default.nix
@@ -2,10 +2,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ depot, pkgs, ... }:
-let
- inherit (depot.ops) secrets;
-in {
+{ depot, pkgs, config, ... }:
+{
 imports = [
 ../lib/bvm.nix
 ];
@@ -48,7 +46,7 @@ in {
 wantedBy = ["multi-user.target"];
 serviceConfig = {
 ExecStart = "${depot.go.twitterchiver.viewer}/bin/viewer --user_to_twitter=lukegb@lukegb.com:lukegb,bgekul";
- EnvironmentFile = secrets.twitterchiver.environment;
+ EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
 WorkingDirectory = "${depot.go.twitterchiver.viewer}/share";
 User = "twitterchiver";
 Restart = "always";
@@ -60,7 +58,7 @@ in {
 wantedBy = ["multi-user.target"];
 serviceConfig = {
 ExecStart = "${depot.go.twitterchiver.relatedfetcher}/bin/relatedfetcher --media_work_at_once 100 --media_tick_interval 10s";
- EnvironmentFile = secrets.twitterchiver.environment;
+ EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
 User = "twitterchiver";
 Restart = "always";
 };
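Review bot: `io.open(...)` returns `nil, err` when the secret file is missing or not readable by the prosody user, and the following `turn_secret_file:read()` then fails with an unrelated "attempt to index a nil value" while the config loads; wrapping the call, `local turn_secret_file = assert(io.open("${config.my.vault.secrets.turn-prosody.path}", "r"))`, surfaces the real cause. `turn_secret_file:read()` with no format reads a single line, which only works because the `turn-prosody` template trims its output; that coupling is worth a comment such as `-- single line, no trailing newline: the Vault template trims whitespace`. The value is consumed as `secret = turn_secret,` in the `@@ -84,7 +103,7 @@` hunk, and the surrounding Lua config string begins before this hunk.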
@@ -71,11 +69,21 @@ in {
 wantedBy = ["multi-user.target"];
 serviceConfig = {
 ExecStart = "${depot.go.twitterchiver.archiver}/bin/archiver";
- EnvironmentFile = secrets.twitterchiver.environment;
+ EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
 User = "twitterchiver";
 Restart = "always";
 };
 };
+ my.vault.secrets.twitterchiver-environment = {
+ restartUnits = ["twitterchiver-viewer.service" "twitterchiver-relatedfetcher.service" "twitterchiver-archiver.service"];
+ group = "root";
+ template = ''
+ {{ with secret "kv/apps/twitterchiver" }}
+ {{ .Data.data.environment }}
+ {{ end }}
+ '';
+ };
+
 system.stateVersion = "21.05";
 }
diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix
index c4f56513c8..e1d2100257 100644
--- a/ops/nixos/clouvider-fra01/default.nix
+++ b/ops/nixos/clouvider-fra01/default.nix
@@ -4,9 +4,6 @@
 { depot, lib, pkgs, config, ... }:
 let
- inherit (depot.ops) secrets;
- machineSecrets = secrets.machineSpecific.clouvider-fra01;
-
 vhostsConfig = {
 int = rec {
 proxy = _apply (value: { locations."/".proxyPass = value; }) {
diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 1e07c03098..d2d64197c5 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 { depot, lib, pkgs, config, ... }:
-let
- inherit (depot.ops) secrets;
- machineSecrets = secrets.machineSpecific.clouvider-lon01;
-in {
+{
 imports = [
 ../lib/zfs.nix
 ../lib/bgp.nix
@@ -270,7 +267,7 @@ in {
 nix.gc.automatic = false;
 services.factorio = {
- inherit (secrets.factorio) username token;
+ inherit (depot.ops.secrets.factorio) username token;
 enable = true;
 package = pkgs.factorio-headless-experimental;
 saveName = "lukegb20220131-ws";
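Review bot: `group = "root"` on `twitterchiver-environment` differs from every other secret in this commit, which grant the consuming service's group, and nothing says why the `twitterchiver` account needs no read access. The reason — as far as I know systemd reads `EnvironmentFile=` before `User=` takes effect, so only root needs the file — belongs in a comment, e.g. `# Read by systemd before it drops to User=, so the service account needs no access.`; the same applies to the `quotesdb-environment` secret in `ops/nixos/lib/quotes.bfob.gg.nix`. Using `restartUnits` for all three services is the right call, since an environment file is only read at service start, and is worth stating in that comment as well.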
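Review bot: `inherit (depot.ops.secrets.factorio) username token;` keeps the Factorio credentials as Nix-evaluated values, and so does `game_password = depot.ops.secrets.factorioServerPassword;` in the following `@@ -279,7 +276,7 @@` hunk, so unlike the other services in this commit they presumably still land in the generated server settings in the world-readable Nix store. If that is a deliberate carve-out, a short comment saying so (`# TODO: still in depot secrets, not Vault`) would make the exception visible; otherwise a `my.vault.secrets` entry rendering these values, as done for the twitterchiver environment, would be the consistent treatment. The `services.factorio` attribute set continues past the end of this hunk.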
@@ -279,7 +276,7 @@ in {
 admins = ["lukegb"];
 auto_pause = true;
 only_admins_can_pause_the_game = false;
- game_password = secrets.factorioServerPassword;
+ game_password = depot.ops.secrets.factorioServerPassword;
 non_blocking_saving = true;
 autosave_only_on_server = true;
 autosave_interval = 5;
diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix
index d959908a44..546053992b 100644
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@@ -4,9 +4,6 @@
 { depot, lib, pkgs, config, ... }:
 let
- inherit (depot.ops) secrets;
- machineSecrets = secrets.machineSpecific.etheroute-lon01;
-
 makeIPIPInterface = {
 name,
 underlayDevice,
diff --git a/ops/nixos/frantech-nyc01/default.nix b/ops/nixos/frantech-nyc01/default.nix
index 6febeaa5a6..ffc4464a3b 100644
--- a/ops/nixos/frantech-nyc01/default.nix
+++ b/ops/nixos/frantech-nyc01/default.nix
@@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 { depot, lib, pkgs, config, ... }:
-let
- inherit (depot.ops) secrets;
- machineSecrets = secrets.machineSpecific.frantech-nyc01;
-in {
+{
 imports = [
 ../lib/frantech.nix
 ];
diff --git a/ops/nixos/lib/deluge.nix b/ops/nixos/lib/deluge.nix
index 93fb90370f..2acd878e28 100644
--- a/ops/nixos/lib/deluge.nix
+++ b/ops/nixos/lib/deluge.nix
@@ -34,10 +34,10 @@ in {
 };
 my.vault.secrets.deluge-auth-file = {
- reloadOrRestartUnits = ["deluge.service"];
+ reloadOrRestartUnits = ["deluged.service"];
 group = "deluge";
 template = ''
- {{ with secret "kv/apps/pomerium" }}
+ {{ with secret "kv/apps/deluge" }}
 {{ .Data.data.authfile }}
 {{ end }}
 '';
diff --git a/ops/nixos/lib/quotes.bfob.gg.nix b/ops/nixos/lib/quotes.bfob.gg.nix
index 8df0990e72..130033281e 100644
--- a/ops/nixos/lib/quotes.bfob.gg.nix
+++ b/ops/nixos/lib/quotes.bfob.gg.nix
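Review bot: The two corrections in the deluge hunk — `deluge.service` → `deluged.service` and `kv/apps/pomerium` → `kv/apps/deluge` — fix a restart target that pointed at the wrong unit and a template that resolved another app's KV path, yet neither appears in the commit message, which only describes moving secrets into Vault. They deserve a line there, and it is worth confirming that `kv/apps/deluge` already carries an `authfile` key before this rolls out, since the template previously resolved against a different path. The `deluge-auth-file` attribute set closes after the end of the hunk.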
@@ -80,7 +80,7 @@ in
 ${pkg}/bin/quotes-manage migrate --no-input
 '';
 serviceConfig = {
- EnvironmentFile = secrets.quotesdb.environment;
+ EnvironmentFile = config.my.vault.secrets.quotesdb-environment.path;
 RuntimeDirectory = "quotesdb";
 ExecStart = "${pkg}/bin/quotes --workers 3 --bind unix:${sock}";
 User = "quotesdb";
@@ -88,5 +88,15 @@ in
 UMask = "0007";
 };
 };
+
+ my.vault.secrets.quotesdb-environment = {
+ reloadOrRestartUnits = ["quotesdb.service"];
+ group = "root";
+ template = ''
+ {{ with secret "kv/apps/quotesdb" }}
+ {{ .Data.data.environment }}
+ {{ end }}
+ '';
+ };
 };
 }
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index 9d83202d21..592cfec952 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -42,7 +42,11 @@
 };
 my.apps.deluge = {};
+ my.apps.matrix-synapse = {};
 my.apps.pomerium = {};
+ my.apps.quotesdb = {};
+ my.apps.turn = {};
+ my.apps.twitterchiver = {};
 my.apps.sslrenew-raritan.policy = ''
 # sslrenew-raritan is permitted to issue certificates.
 path "acme/certs/*" {
@@ -60,6 +64,11 @@
 '';
 my.servers.etheroute-lon01.apps = [ "pomerium" ];
- my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" ];
+ my.servers.porcorosso.apps = [ "quotesdb" ];
+ my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" ];
 my.servers.clouvider-fra01.apps = [ "deluge" ];
+ my.servers.clouvider-lon01.apps = [ "quotesdb" ];
+ my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
+ my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
+ my.servers.bvm-prosody.apps = [ "turn" ];
 }
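Review bot: `reloadOrRestartUnits = ["quotesdb.service"]` in the `@@ -88,5 +88,15 @@` hunk pairs a reload with a secret that is consumed as an `EnvironmentFile`, but systemd only reads `EnvironmentFile=` when a service starts, so if `quotesdb.service` defines `ExecReload` (not visible here) a rotated secret would trigger a reload of a process that never sees the new values. `restartUnits = ["quotesdb.service"];`, matching the twitterchiver secret in this same commit, avoids that; if the unit has no `ExecReload` the two are equivalent today, but the intent should still be spelled out. `group = "root"` also wants the same one-line justification as the twitterchiver secret, since every other secret here uses the service's group. The module's enclosing attribute set and its argument list (which must already include `config`) lie outside this hunk.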