ops/nixos: put more things in Vault

Luke Granger-Brown 2022-04-09 21:51:24 +01:00
parent 2536214734
commit 8647af22d7
10 changed files with 91 additions and 43 deletions


@ -3,10 +3,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ config, depot, pkgs, lib, ... }: { config, depot, pkgs, lib, ... }:
let {
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.bvm-matrix;
in {
imports = [ imports = [
../lib/bvm.nix ../lib/bvm.nix
]; ];
@ -57,10 +54,19 @@ in {
enable = true; enable = true;
use-auth-secret = true; use-auth-secret = true;
realm = "matrix.zxcvbnm.ninja"; realm = "matrix.zxcvbnm.ninja";
static-auth-secret = machineSecrets.turnSecret; static-auth-secret-file = config.my.vault.secrets.turn.path;
cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem"; cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem";
pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem"; pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem";
}; };
my.vault.secrets.turn = {
restartUnits = ["coturn.service"];
group = "turnserver";
template = ''
{{- with secret "kv/apps/turn" -}}
{{ .Data.data.secret }}
{{- end -}}
'';
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
@ -119,6 +125,7 @@ in {
}; };
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
extraConfigFiles = [ config.my.vault.secrets.matrix-synapse.path ];
settings = { settings = {
server_name = "zxcvbnm.ninja"; server_name = "zxcvbnm.ninja";
url_preview_enabled = true; url_preview_enabled = true;
@ -152,13 +159,20 @@ in {
]; ];
experimental_features.spaces_enabled = true; experimental_features.spaces_enabled = true;
public_baseurl = "https://matrix.zxcvbnm.ninja/"; public_baseurl = "https://matrix.zxcvbnm.ninja/";
macaroon_secret_key = machineSecrets.matrix.macaroonSecretKey;
registration_shared_secret = machineSecrets.matrix.registrationSecret;
turn_shared_secret = machineSecrets.turnSecret;
form_secret = machineSecrets.matrix.formSecret;
}; };
}; };
my.vault.secrets.matrix-synapse = {
restartUnits = ["matrix-synapse.service"];
group = "matrix-synapse";
template = ''
{{ with secret "kv/apps/matrix-synapse" }}
{{ .Data.data.config }}
{{ end }}
{{ with secret "kv/apps/turn" }}
turn_shared_secret: "{{ .Data.data.secret }}"
{{ end }}
'';
};
# Users allowed to use SSL certificate for matrix.zxcvbnm.ninja. # Users allowed to use SSL certificate for matrix.zxcvbnm.ninja.
users.groups.matrixcert = { users.groups.matrixcert = {
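Review bot: In the last hunk the synapse template line `turn_shared_secret: "{{ .Data.data.secret }}"` splices the raw Vault value into a YAML double-quoted scalar with no escaping, so a secret containing `"` or `\` renders an unparsable synapse config while coturn, which reads the same value verbatim through the whitespace-trimmed `turn` template, still starts — a silent mismatch between the two sides of the shared secret. consul-template's `toJSON` emits a quoted, escaped string that YAML accepts as-is: `turn_shared_secret: {{ .Data.data.secret | toJSON }}`. The removed `macaroon_secret_key`, `registration_shared_secret` and `form_secret` are presumably now carried inside the `config` key of `kv/apps/matrix-synapse`, but nothing in this file says so; a one-line comment above the `matrix-synapse` template naming the keys that `.Data.data.config` is expected to supply would make that dependency visible to the next reader.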


@ -3,10 +3,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ config, depot, pkgs, ... }: { config, depot, pkgs, ... }:
let {
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.bvm-prosody;
in {
imports = [ imports = [
../lib/bvm.nix ../lib/bvm.nix
]; ];
@ -35,10 +32,28 @@ in {
enable = true; enable = true;
use-auth-secret = true; use-auth-secret = true;
realm = "turn.lukegb.com"; realm = "turn.lukegb.com";
static-auth-secret = machineSecrets.turnSecret; static-auth-secret-file = config.my.vault.secrets.turn.path;
cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem"; cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem"; pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
}; };
my.vault.secrets.turn = {
restartUnits = ["coturn.service"];
group = "turnserver";
template = ''
{{- with secret "kv/apps/turn" -}}
{{ .Data.data.secret }}
{{- end -}}
'';
};
my.vault.secrets.turn-prosody = {
restartUnits = ["prosody.service"];
group = "prosody";
template = ''
{{- with secret "kv/apps/turn" -}}
{{ .Data.data.secret }}
{{- end -}}
'';
};
services.prosody = { services.prosody = {
enable = true; enable = true;
@ -73,6 +88,10 @@ in {
legacy_ssl_ports = { 5223 } legacy_ssl_ports = { 5223 }
local turn_secret_file = io.open("${config.my.vault.secrets.turn-prosody.path}", "r")
local turn_secret = turn_secret_file:read()
turn_secret_file:close()
external_services = { external_services = {
{ {
type = "stun", type = "stun",
@ -84,7 +103,7 @@ in {
transport = "udp", transport = "udp",
host = "turn.lukegb.com", host = "turn.lukegb.com",
port = 3478, port = 3478,
secret = "${machineSecrets.turnSecret}", secret = turn_secret,
} }
} }
''; '';
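Review bot: The Lua added to prosody's `extraConfig` does not nil-check `io.open(...)`: if the Vault-rendered file is missing or unreadable when prosody starts, the following `turn_secret_file:read()` fails with an "attempt to index a nil value" error instead of a message naming the file. Wrapping the call, `local turn_secret_file = assert(io.open("${config.my.vault.secrets.turn-prosody.path}", "r"))`, fails fast with the path and the OS reason. `read()` with no format returns only the first line, which is correct here only because the `turn-prosody` template trims surrounding whitespace with `{{- ... -}}`; a short comment beside that template, `# Trimmed on purpose: prosody reads a single line from this file.`, keeps the two in step if someone later reformats the template. The enclosing `extraConfig` string opens before this hunk and is closed by the `'';` at its end.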


@ -2,10 +2,8 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ depot, pkgs, ... }: { depot, pkgs, config, ... }:
let {
inherit (depot.ops) secrets;
in {
imports = [ imports = [
../lib/bvm.nix ../lib/bvm.nix
]; ];
@ -48,7 +46,7 @@ in {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = { serviceConfig = {
ExecStart = "${depot.go.twitterchiver.viewer}/bin/viewer --user_to_twitter=lukegb@lukegb.com:lukegb,bgekul"; ExecStart = "${depot.go.twitterchiver.viewer}/bin/viewer --user_to_twitter=lukegb@lukegb.com:lukegb,bgekul";
EnvironmentFile = secrets.twitterchiver.environment; EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
WorkingDirectory = "${depot.go.twitterchiver.viewer}/share"; WorkingDirectory = "${depot.go.twitterchiver.viewer}/share";
User = "twitterchiver"; User = "twitterchiver";
Restart = "always"; Restart = "always";
@ -60,7 +58,7 @@ in {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = { serviceConfig = {
ExecStart = "${depot.go.twitterchiver.relatedfetcher}/bin/relatedfetcher --media_work_at_once 100 --media_tick_interval 10s"; ExecStart = "${depot.go.twitterchiver.relatedfetcher}/bin/relatedfetcher --media_work_at_once 100 --media_tick_interval 10s";
EnvironmentFile = secrets.twitterchiver.environment; EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
User = "twitterchiver"; User = "twitterchiver";
Restart = "always"; Restart = "always";
}; };
@ -71,11 +69,21 @@ in {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
serviceConfig = { serviceConfig = {
ExecStart = "${depot.go.twitterchiver.archiver}/bin/archiver"; ExecStart = "${depot.go.twitterchiver.archiver}/bin/archiver";
EnvironmentFile = secrets.twitterchiver.environment; EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
User = "twitterchiver"; User = "twitterchiver";
Restart = "always"; Restart = "always";
}; };
}; };
my.vault.secrets.twitterchiver-environment = {
restartUnits = ["twitterchiver-viewer.service" "twitterchiver-relatedfetcher.service" "twitterchiver-archiver.service"];
group = "root";
template = ''
{{ with secret "kv/apps/twitterchiver" }}
{{ .Data.data.environment }}
{{ end }}
'';
};
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }


@ -4,9 +4,6 @@
{ depot, lib, pkgs, config, ... }: { depot, lib, pkgs, config, ... }:
let let
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.clouvider-fra01;
vhostsConfig = { vhostsConfig = {
int = rec { int = rec {
proxy = _apply (value: { locations."/".proxyPass = value; }) { proxy = _apply (value: { locations."/".proxyPass = value; }) {


@ -3,10 +3,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, config, ... }: { depot, lib, pkgs, config, ... }:
let {
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.clouvider-lon01;
in {
imports = [ imports = [
../lib/zfs.nix ../lib/zfs.nix
../lib/bgp.nix ../lib/bgp.nix
@ -270,7 +267,7 @@ in {
nix.gc.automatic = false; nix.gc.automatic = false;
services.factorio = { services.factorio = {
inherit (secrets.factorio) username token; inherit (depot.ops.secrets.factorio) username token;
enable = true; enable = true;
package = pkgs.factorio-headless-experimental; package = pkgs.factorio-headless-experimental;
saveName = "lukegb20220131-ws"; saveName = "lukegb20220131-ws";
@ -279,7 +276,7 @@ in {
admins = ["lukegb"]; admins = ["lukegb"];
auto_pause = true; auto_pause = true;
only_admins_can_pause_the_game = false; only_admins_can_pause_the_game = false;
game_password = secrets.factorioServerPassword; game_password = depot.ops.secrets.factorioServerPassword;
non_blocking_saving = true; non_blocking_saving = true;
autosave_only_on_server = true; autosave_only_on_server = true;
autosave_interval = 5; autosave_interval = 5;
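Review bot: The factorio credentials in both hunks are only re-spelled, from `secrets.factorio` to `depot.ops.secrets.factorio` and from `secrets.factorioServerPassword` to `depot.ops.secrets.factorioServerPassword`; they remain Nix-evaluated strings, so unlike the coturn and synapse changes in this commit they presumably still end up in a store-resident settings file rather than a Vault-rendered one. If that is deliberate — the module taking them as plain strings, say — a comment at the `services.factorio` block such as `# Still Nix-evaluated: these credentials end up in the store, not in Vault.` would stop the next reader from re-deriving why this host was left out of the migration. Whether the factorio module offers a file-based alternative is not visible from this page.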


@ -4,9 +4,6 @@
{ depot, lib, pkgs, config, ... }: { depot, lib, pkgs, config, ... }:
let let
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.etheroute-lon01;
makeIPIPInterface = { makeIPIPInterface = {
name, name,
underlayDevice, underlayDevice,


@ -3,10 +3,7 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ depot, lib, pkgs, config, ... }: { depot, lib, pkgs, config, ... }:
let {
inherit (depot.ops) secrets;
machineSecrets = secrets.machineSpecific.frantech-nyc01;
in {
imports = [ imports = [
../lib/frantech.nix ../lib/frantech.nix
]; ];


@ -34,10 +34,10 @@ in {
}; };
my.vault.secrets.deluge-auth-file = { my.vault.secrets.deluge-auth-file = {
reloadOrRestartUnits = ["deluge.service"]; reloadOrRestartUnits = ["deluged.service"];
group = "deluge"; group = "deluge";
template = '' template = ''
{{ with secret "kv/apps/pomerium" }} {{ with secret "kv/apps/deluge" }}
{{ .Data.data.authfile }} {{ .Data.data.authfile }}
{{ end }} {{ end }}
''; '';


@ -80,7 +80,7 @@ in
${pkg}/bin/quotes-manage migrate --no-input ${pkg}/bin/quotes-manage migrate --no-input
''; '';
serviceConfig = { serviceConfig = {
EnvironmentFile = secrets.quotesdb.environment; EnvironmentFile = config.my.vault.secrets.quotesdb-environment.path;
RuntimeDirectory = "quotesdb"; RuntimeDirectory = "quotesdb";
ExecStart = "${pkg}/bin/quotes --workers 3 --bind unix:${sock}"; ExecStart = "${pkg}/bin/quotes --workers 3 --bind unix:${sock}";
User = "quotesdb"; User = "quotesdb";
@ -88,5 +88,15 @@ in
UMask = "0007"; UMask = "0007";
}; };
}; };
my.vault.secrets.quotesdb-environment = {
reloadOrRestartUnits = ["quotesdb.service"];
group = "root";
template = ''
{{ with secret "kv/apps/quotesdb" }}
{{ .Data.data.environment }}
{{ end }}
'';
};
}; };
} }
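Review bot: `reloadOrRestartUnits = ["quotesdb.service"]` pairs a reload with an `EnvironmentFile`, but systemd only reads `EnvironmentFile=` when a unit (re)starts, so if `quotesdb.service` defines `ExecReload=` a rotated environment file is not picked up until the next restart and the service keeps running on the old credentials. The twitterchiver secret in this same commit uses `restartUnits`, which is the safe choice here as well: `restartUnits = ["quotesdb.service"];`. Whether the unit actually has an `ExecReload=` is not visible in this section. The first hunk also reads `config.my.vault.secrets.quotesdb-environment.path`; the module's argument list is outside this section, so `config` needs to be among its parameters for this to evaluate.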


@ -42,7 +42,11 @@
}; };
my.apps.deluge = {}; my.apps.deluge = {};
my.apps.matrix-synapse = {};
my.apps.pomerium = {}; my.apps.pomerium = {};
my.apps.quotesdb = {};
my.apps.turn = {};
my.apps.twitterchiver = {};
my.apps.sslrenew-raritan.policy = '' my.apps.sslrenew-raritan.policy = ''
# sslrenew-raritan is permitted to issue certificates. # sslrenew-raritan is permitted to issue certificates.
path "acme/certs/*" { path "acme/certs/*" {
@ -60,6 +64,11 @@
''; '';
my.servers.etheroute-lon01.apps = [ "pomerium" ]; my.servers.etheroute-lon01.apps = [ "pomerium" ];
my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" ]; my.servers.porcorosso.apps = [ "quotesdb" ];
my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" ];
my.servers.clouvider-fra01.apps = [ "deluge" ]; my.servers.clouvider-fra01.apps = [ "deluge" ];
my.servers.clouvider-lon01.apps = [ "quotesdb" ];
my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
my.servers.bvm-prosody.apps = [ "turn" ];
} }
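Review bot: `my.apps.turn` is granted to both `bvm-matrix` and `bvm-prosody`, and from the earlier sections each host runs its own coturn (realms `matrix.zxcvbnm.ninja` and `turn.lukegb.com`, each with its own cert) reading the same `kv/apps/turn` secret, so one static-auth-secret now serves two independent TURN servers and a compromise of either host exposes the other's credential. Unless sharing is intended, splitting into per-host apps — say `my.apps.turn-matrix = {};` and `my.apps.turn-prosody = {};` with matching kv paths and templates — keeps the blast radius to a single host at no operational cost. `quotesdb` is likewise granted to three servers (`porcorosso`, `totoro`, `clouvider-lon01`); that is fine if all three import the shared quotesdb module, but it is worth confirming each one actually does rather than carrying an unused read grant.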