ops/nixos: put more things in Vault

2022-04-09 21:51:24 +01:00 · 2022-04-09 21:51:24 +01:00 · 8647af22d7
commit 8647af22d7
parent 2536214734
10 changed files with 91 additions and 43 deletions
--- a/ops/nixos/bvm-matrix/default.nix
+++ b/ops/nixos/bvm-matrix/default.nix
@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0

 { config, depot, pkgs, lib, ... }:
-let
-  inherit (depot.ops) secrets;
-  machineSecrets = secrets.machineSpecific.bvm-matrix;
-in {
+{
  imports = [
    ../lib/bvm.nix
  ];
@ -57,10 +54,19 @@ in {
    enable = true;
    use-auth-secret = true;
    realm = "matrix.zxcvbnm.ninja";
-    static-auth-secret = machineSecrets.turnSecret;
+    static-auth-secret-file = config.my.vault.secrets.turn.path;
    cert = "/var/lib/acme/matrix.zxcvbnm.ninja/fullchain.pem";
    pkey = "/var/lib/acme/matrix.zxcvbnm.ninja/privkey.pem";
  };
+  my.vault.secrets.turn = {
+    restartUnits = ["coturn.service"];
+    group = "turnserver";
+    template = ''
+      {{- with secret "kv/apps/turn" -}}
+      {{ .Data.data.secret }}
+      {{- end -}}
+    '';
+  };
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
@ -119,6 +125,7 @@ in {
  };
  services.matrix-synapse = {
    enable = true;
+    extraConfigFiles = [ config.my.vault.secrets.matrix-synapse.path ];
    settings = {
      server_name = "zxcvbnm.ninja";
      url_preview_enabled = true;
@ -152,13 +159,20 @@ in {
      ];
      experimental_features.spaces_enabled = true;
      public_baseurl = "https://matrix.zxcvbnm.ninja/";
-
-      macaroon_secret_key = machineSecrets.matrix.macaroonSecretKey;
-      registration_shared_secret = machineSecrets.matrix.registrationSecret;
-      turn_shared_secret = machineSecrets.turnSecret;
-      form_secret = machineSecrets.matrix.formSecret;
    };
  };
+  my.vault.secrets.matrix-synapse = {
+    restartUnits = ["matrix-synapse.service"];
+    group = "matrix-synapse";
+    template = ''
+      {{ with secret "kv/apps/matrix-synapse" }}
+      {{ .Data.data.config }}
+      {{ end }}
+      {{ with secret "kv/apps/turn" }}
+      turn_shared_secret: "{{ .Data.data.secret }}"
+      {{ end }}
+    '';
+  };

  # Users allowed to use SSL certificate for matrix.zxcvbnm.ninja.
  users.groups.matrixcert = {
--- a/ops/nixos/bvm-prosody/default.nix
+++ b/ops/nixos/bvm-prosody/default.nix
@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0

 { config, depot, pkgs, ... }:
-let
-  inherit (depot.ops) secrets;
-  machineSecrets = secrets.machineSpecific.bvm-prosody;
-in {
+{
  imports = [
    ../lib/bvm.nix
  ];
@ -35,10 +32,28 @@ in {
    enable = true;
    use-auth-secret = true;
    realm = "turn.lukegb.com";
-    static-auth-secret = machineSecrets.turnSecret;
+    static-auth-secret-file = config.my.vault.secrets.turn.path;
    cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
    pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
  };
+  my.vault.secrets.turn = {
+    restartUnits = ["coturn.service"];
+    group = "turnserver";
+    template = ''
+      {{- with secret "kv/apps/turn" -}}
+      {{ .Data.data.secret }}
+      {{- end -}}
+    '';
+  };
+  my.vault.secrets.turn-prosody = {
+    restartUnits = ["prosody.service"];
+    group = "prosody";
+    template = ''
+      {{- with secret "kv/apps/turn" -}}
+      {{ .Data.data.secret }}
+      {{- end -}}
+    '';
+  };

  services.prosody = {
    enable = true;
@ -73,6 +88,10 @@ in {

      legacy_ssl_ports = { 5223 }

+      local turn_secret_file = io.open("${config.my.vault.secrets.turn-prosody.path}", "r")
+      local turn_secret = turn_secret_file:read()
+      turn_secret_file:close()
+
      external_services = {
              {
                      type = "stun",
@ -84,7 +103,7 @@ in {
                      transport = "udp",
                      host = "turn.lukegb.com",
                      port = 3478,
-                      secret = "${machineSecrets.turnSecret}",
+                      secret = turn_secret,
              }
      }
    '';
--- a/ops/nixos/bvm-twitterchiver/default.nix
+++ b/ops/nixos/bvm-twitterchiver/default.nix
@ -2,10 +2,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0

-{ depot, pkgs, ... }:
-let
-  inherit (depot.ops) secrets;
-in {
+{ depot, pkgs, config, ... }:
+{
  imports = [
    ../lib/bvm.nix
  ];
@ -48,7 +46,7 @@ in {
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      ExecStart = "${depot.go.twitterchiver.viewer}/bin/viewer --user_to_twitter=lukegb@lukegb.com:lukegb,bgekul";
-      EnvironmentFile = secrets.twitterchiver.environment;
+      EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
      WorkingDirectory = "${depot.go.twitterchiver.viewer}/share";
      User = "twitterchiver";
      Restart = "always";
@ -60,7 +58,7 @@ in {
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      ExecStart = "${depot.go.twitterchiver.relatedfetcher}/bin/relatedfetcher --media_work_at_once 100 --media_tick_interval 10s";
-      EnvironmentFile = secrets.twitterchiver.environment;
+      EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
      User = "twitterchiver";
      Restart = "always";
    };
@ -71,11 +69,21 @@ in {
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      ExecStart = "${depot.go.twitterchiver.archiver}/bin/archiver";
-      EnvironmentFile = secrets.twitterchiver.environment;
+      EnvironmentFile = config.my.vault.secrets.twitterchiver-environment.path;
      User = "twitterchiver";
      Restart = "always";
    };
  };

+  my.vault.secrets.twitterchiver-environment = {
+    restartUnits = ["twitterchiver-viewer.service" "twitterchiver-relatedfetcher.service" "twitterchiver-archiver.service"];
+    group = "root";
+    template = ''
+      {{ with secret "kv/apps/twitterchiver" }}
+      {{ .Data.data.environment }}
+      {{ end }}
+    '';
+  };
+
  system.stateVersion = "21.05";
 }
--- a/ops/nixos/clouvider-fra01/default.nix
+++ b/ops/nixos/clouvider-fra01/default.nix
@ -4,9 +4,6 @@

 { depot, lib, pkgs, config, ... }:
 let
-  inherit (depot.ops) secrets;
-  machineSecrets = secrets.machineSpecific.clouvider-fra01;
-
  vhostsConfig = {
    int = rec {
      proxy = _apply (value: { locations."/".proxyPass = value; }) {
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0

 { depot, lib, pkgs, config, ... }:
-let
-  inherit (depot.ops) secrets;
-  machineSecrets = secrets.machineSpecific.clouvider-lon01;
-in {
+{
  imports = [
    ../lib/zfs.nix
    ../lib/bgp.nix
@ -270,7 +267,7 @@ in {
  nix.gc.automatic = false;

  services.factorio = {
-    inherit (secrets.factorio) username token;
+    inherit (depot.ops.secrets.factorio) username token;
    enable = true;
    package = pkgs.factorio-headless-experimental;
    saveName = "lukegb20220131-ws";
@ -279,7 +276,7 @@ in {
      admins = ["lukegb"];
      auto_pause = true;
      only_admins_can_pause_the_game = false;
-      game_password = secrets.factorioServerPassword;
+      game_password = depot.ops.secrets.factorioServerPassword;
      non_blocking_saving = true;
      autosave_only_on_server = true;
      autosave_interval = 5;
--- a/ops/nixos/etheroute-lon01/default.nix
+++ b/ops/nixos/etheroute-lon01/default.nix
@ -4,9 +4,6 @@

 { depot, lib, pkgs, config, ... }:
 let
-  inherit (depot.ops) secrets;
-  machineSecrets = secrets.machineSpecific.etheroute-lon01;
-
  makeIPIPInterface = {
    name,
    underlayDevice,
--- a/ops/nixos/frantech-nyc01/default.nix
+++ b/ops/nixos/frantech-nyc01/default.nix
@ -3,10 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0

 { depot, lib, pkgs, config, ... }:
-let
-  inherit (depot.ops) secrets;
-  machineSecrets = secrets.machineSpecific.frantech-nyc01;
-in {
+{
  imports = [
    ../lib/frantech.nix
  ];
--- a/ops/nixos/lib/deluge.nix
+++ b/ops/nixos/lib/deluge.nix
@ -34,10 +34,10 @@ in {
  };

  my.vault.secrets.deluge-auth-file = {
-    reloadOrRestartUnits = ["deluge.service"];
+    reloadOrRestartUnits = ["deluged.service"];
    group = "deluge";
    template = ''
-      {{ with secret "kv/apps/pomerium" }}
+      {{ with secret "kv/apps/deluge" }}
      {{ .Data.data.authfile }}
      {{ end }}
    '';
--- a/ops/nixos/lib/quotes.bfob.gg.nix
+++ b/ops/nixos/lib/quotes.bfob.gg.nix
@ -80,7 +80,7 @@ in
        ${pkg}/bin/quotes-manage migrate --no-input
      '';
      serviceConfig = {
-        EnvironmentFile = secrets.quotesdb.environment;
+        EnvironmentFile = config.my.vault.secrets.quotesdb-environment.path;
        RuntimeDirectory = "quotesdb";
        ExecStart = "${pkg}/bin/quotes --workers 3 --bind unix:${sock}";
        User = "quotesdb";
@ -88,5 +88,15 @@ in
        UMask = "0007";
      };
    };
+
+    my.vault.secrets.quotesdb-environment = {
+      reloadOrRestartUnits = ["quotesdb.service"];
+      group = "root";
+      template = ''
+        {{ with secret "kv/apps/quotesdb" }}
+        {{ .Data.data.environment }}
+        {{ end }}
+      '';
+    };
  };
 }
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -42,7 +42,11 @@
  };

  my.apps.deluge = {};
+  my.apps.matrix-synapse = {};
  my.apps.pomerium = {};
+  my.apps.quotesdb = {};
+  my.apps.turn = {};
+  my.apps.twitterchiver = {};
  my.apps.sslrenew-raritan.policy = ''
    # sslrenew-raritan is permitted to issue certificates.
    path "acme/certs/*" {
@ -60,6 +64,11 @@
  '';

  my.servers.etheroute-lon01.apps = [ "pomerium" ];
-  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" ];
+  my.servers.porcorosso.apps = [ "quotesdb" ];
+  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" ];
  my.servers.clouvider-fra01.apps = [ "deluge" ];
+  my.servers.clouvider-lon01.apps = [ "quotesdb" ];
+  my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
+  my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
+  my.servers.bvm-prosody.apps = [ "turn" ];
 }