Remove all secrets from nix store

2024-11-25 20:41:27 +00:00 · 2022-07-14 20:42:42 +03:00 · 2022-07-14 20:42:42 +03:00 · ea383780b6
parent 17b927f700
commit ea383780b6
8 changed files with 141 additions and 109 deletions
--- a/api/api-module.nix
+++ b/api/api-module.nix
@ -12,18 +12,12 @@ in
 {
  options.services.selfprivacy-api = {
    enable = mkOption {
-      default = false;
+      default = true;
      type = types.bool;
      description = ''
        Enable SelfPrivacy API service
      '';
    };
-    token = mkOption {
-      type = types.str;
-      description = ''
-        SelfPrivacy API token
-      '';
-    };
    enableSwagger = mkOption {
      default = false;
      type = types.bool;
@ -37,12 +31,6 @@ in
        B2 bucket
      '';
    };
-    resticPassword = mkOption {
-      type = types.str;
-      description = ''
-        Restic password
-      '';
-    };
  };
  config = lib.mkIf cfg.enable {

@ -52,10 +40,8 @@ in
        inherit (config.environment.sessionVariables) NIX_PATH;
        HOME = "/root";
        PYTHONUNBUFFERED = "1";
-        AUTH_TOKEN = cfg.token;
        ENABLE_SWAGGER = (if cfg.enableSwagger then "1" else "0");
        B2_BUCKET = cfg.b2Bucket;
-        RESTIC_PASSWORD = cfg.resticPassword;
      } // config.networking.proxy.envVars;
      path = [ "/var/" "/var/dkim/" pkgs.coreutils pkgs.gnutar pkgs.xz.bin pkgs.gzip pkgs.gitMinimal config.nix.package.out pkgs.nixos-rebuild pkgs.restic pkgs.mkpasswd ];
      after = [ "network-online.target" ];
--- a/api/api.nix
+++ b/api/api.nix
@ -2,10 +2,8 @@
 {
  services.selfprivacy-api = {
    enable = true;
-    token = config.services.userdata.api.token;
    enableSwagger = config.services.userdata.api.enableSwagger;
    b2Bucket = config.services.userdata.backblaze.bucket;
-    resticPassword = config.services.userdata.resticPassword;
  };

  users.users."selfprivacy-api" = {
--- a/files.nix
+++ b/files.nix
@ -15,48 +15,62 @@ in
      (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
      "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
    ];
-  system.activationScripts = let
-    jq = "${pkgs.jq}/bin/jq";
-    sed = "${pkgs.gnused}/bin/sed";
-  in
-  {
-    nextcloudSecrets =
-      if cfg.nextcloud.enable then ''
-        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
-        chmod 0440 /var/lib/nextcloud/db-pass
-        chown nextcloud:nextcloud /var/lib/nextcloud/db-pass
+  system.activationScripts =
+    let
+      jq = "${pkgs.jq}/bin/jq";
+      sed = "${pkgs.gnused}/bin/sed";
+    in
+    {
+      nextcloudSecrets =
+        if cfg.nextcloud.enable then ''
+          cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.databasePassword' > /var/lib/nextcloud/db-pass
+          chmod 0440 /var/lib/nextcloud/db-pass
+          chown nextcloud:nextcloud /var/lib/nextcloud/db-pass

-        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
-        chmod 0440 /var/lib/nextcloud/admin-pass
-        chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
-      ''
-      else ''
-        rm -f /var/lib/nextcloud/db-pass
-        rm -f /var/lib/nextcloud/admin-pass
+          cat /etc/nixos/userdata/userdata.json | ${jq} -r '.nextcloud.adminPassword' > /var/lib/nextcloud/admin-pass
+          chmod 0440 /var/lib/nextcloud/admin-pass
+          chown nextcloud:nextcloud /var/lib/nextcloud/admin-pass
+        ''
+        else ''
+          rm -f /var/lib/nextcloud/db-pass
+          rm -f /var/lib/nextcloud/admin-pass
+        '';
+      cloudflareCredentials = ''
+        echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
+        echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
+        echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
+        ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
+        chmod 0440 /var/lib/cloudflare/Credentials.ini
+        chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
      '';
-    cloudflareCredentials = ''
-      echo 'CF_API_KEY=REPLACEME' > /var/lib/cloudflare/Credentials.ini
-      echo 'CLOUDFLARE_DNS_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-      echo 'CLOUDFLARE_ZONE_API_TOKEN=REPLACEME' >> /var/lib/cloudflare/Credentials.ini
-      ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.cloudflare.apiKey')/g" /var/lib/cloudflare/Credentials.ini
-      chmod 0440 /var/lib/cloudflare/Credentials.ini
-      chown nginx:acmerecievers /var/lib/cloudflare/Credentials.ini
-    '';
-    resticCredentials = ''
-      echo '[backblaze]' > /root/.config/rclone/rclone.conf
-      echo 'type = b2' >> /root/.config/rclone/rclone.conf
-      echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
-      echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
+      resticCredentials = ''
+        echo '[backblaze]' > /root/.config/rclone/rclone.conf
+        echo 'type = b2' >> /root/.config/rclone/rclone.conf
+        echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
+        echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf

-      ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
-      ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf
+        ${sed} -i "s/REPLACEME1/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountId')/g" /root/.config/rclone/rclone.conf
+        ${sed} -i "s/REPLACEME2/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.backblaze.accountKey')/g" /root/.config/rclone/rclone.conf

-      chmod 0400 /root/.config/rclone/rclone.conf
-      chown root:root /root/.config/rclone/rclone.conf
+        chmod 0400 /root/.config/rclone/rclone.conf
+        chown root:root /root/.config/rclone/rclone.conf

-      cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
-      chmod 0400 /var/lib/restic/pass
-      chown restic /var/lib/restic/pass
-    '';
-  };
+        cat /etc/nixos/userdata/userdata.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
+        chmod 0400 /var/lib/restic/pass
+        chown restic /var/lib/restic/pass
+      '';
+      pleromaCredentials =
+        if cfg.pleroma.enable then ''
+          echo 'import Config' > /var/lib/pleroma/secrets.exs
+          echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs
+          echo '  password: "REPLACEME",' >> /var/lib/pleroma/secrets.exs
+
+          ${sed} -i "s/REPLACEME/$(cat /etc/nixos/userdata/userdata.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs
+
+          chmod 0750 /var/lib/pleroma/secrets.exs
+          chown pleroma:pleroma /var/lib/pleroma/secrets.exs
+        '' else ''
+          rm -f /var/lib/pleroma/secrets.exs
+        '';
+    };
 }
--- a/social/config.exs
+++ b/social/config.exs
@ -22,9 +22,8 @@ config :pleroma, :media_proxy,
 config :pleroma, Pleroma.Repo,
  adapter: Ecto.Adapters.Postgres,
  username: "pleroma",
-  password: "$DB_PASSWORD",
  database: "pleroma",
-  hostname: "localhost",
+  socket_dir: "/run/postgresql",
  pool_size: 10

 #config :web_push_encryption, :vapid_details,
@ -41,4 +40,4 @@ config :pleroma, :http_security,

 #config :joken, default_signer: ""

-config :pleroma, configurable_from_database: false
+config :pleroma, configurable_from_database: true
--- a/social/pleroma.nix
+++ b/social/pleroma.nix
@ -10,8 +10,8 @@ in
      group = "pleroma";
      configs = [
        (builtins.replaceStrings
-          [ "$DOMAIN" "$LUSER" "$DB_PASSWORD" ]
-          [ cfg.domain cfg.username cfg.databasePassword ]
+          [ "$DOMAIN" "$LUSER" ]
+          [ cfg.domain cfg.username ]
          (builtins.readFile ./config.exs))
      ];
    };
@ -19,11 +19,20 @@ in
      enable = true;
      package = pkgs.postgresql_12;
      initialScript = "/etc/setup.psql";
+      ensureDatabases = [
+        "pleroma"
+      ];
+      ensureUsers = [
+        {
+          name = "pleroma";
+          ensurePermissions = {
+            "DATABASE pleroma" = "ALL PRIVILEGES";
+          };
+        };
+      ];
    };
  };
  environment.etc."setup.psql".text = ''
-    CREATE USER pleroma WITH ENCRYPTED PASSWORD '${cfg.databasePassword}';
-    CREATE DATABASE pleroma OWNER pleroma;
    \c pleroma;
    --Extensions made by ecto.migrate that need superuser access
    CREATE EXTENSION IF NOT EXISTS citext;
--- a/userdata/tokens_schema.json
+++ b/userdata/tokens_schema.json
@ -0,0 +1,72 @@
+{
+    "$schema": "http://json-schema.org/schema#",
+    "$id": "https://git.selfprivacy.org/inex/selfprivacy-nixos-config/raw/branch/master/userdata/tokens_schema.json",
+    "type": "object",
+    "properties": {
+        "tokens": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "properties": {
+                    "token": {
+                        "type": "string"
+                    },
+                    "name": {
+                        "type": "string"
+                    },
+                    "date": {
+                        "type": "string"
+                    }
+                },
+                "required": [
+                    "token",
+                    "name",
+                    "date"
+                ]
+            }
+        },
+        "recovery_token": {
+            "type": "object",
+            "properties": {
+                "token": {
+                    "type": "string"
+                },
+                "date": {
+                    "type": "string"
+                },
+                "expiration": {
+                    "type": "string"
+                },
+                "uses_left": {
+                    "type": "integer"
+                }
+            },
+            "required": [
+                "token",
+                "date"
+            ]
+        },
+        "new_device": {
+            "type": "object",
+            "properties": {
+                "token": {
+                    "type": "string"
+                },
+                "date": {
+                    "type": "string"
+                },
+                "expiration": {
+                    "type": "string"
+                }
+            },
+            "required": [
+                "token",
+                "date",
+                "expiration"
+            ]
+        }
+    },
+    "required": [
+        "tokens"
+    ]
+}
--- a/variables-module.nix
+++ b/variables-module.nix
@ -67,12 +67,6 @@ in
    # API options #
    ###############
    api = {
-      token = mkOption {
-        description = ''
-          API token used to authenticate with the server
-        '';
-        type = types.nullOr types.str;
-      };
      enableSwagger = mkOption {
        default = true;
        description = ''
@ -97,21 +91,9 @@ in
        type = types.nullOr types.str;
      };
    };
-    cloudflare = {
-      apiKey = mkOption {
-        description = "Cloudflare API Key.";
-        type = types.nullOr types.str;
-      };
-    };
    ##############
    #  Services  #
    ##############
-    databasePassword = mkOption {
-      description = ''
-        Password for the database
-      '';
-      type = types.nullOr types.str;
-    };
    bitwarden = {
      enable = mkOption {
        default = false;
@ -129,18 +111,6 @@ in
        default = true;
        type = types.nullOr types.bool;
      };
-      # databasePassword = mkOption {
-      #   description = ''
-      #     Password for the nextcloud database
-      #   '';
-      #   type = types.nullOr types.str;
-      # };
-      adminPassword = mkOption {
-        description = ''
-          Password for the nextcloud admin user
-        '';
-        type = types.nullOr types.str;
-      };
    };
    pleroma = {
      enable = mkOption {
@ -160,15 +130,6 @@ in
        type = types.nullOr types.bool;
      };
    };
-    #############
-    #  Backups  #
-    #############
-    resticPassword = mkOption {
-      description = ''
-        Password for the restic
-      '';
-      type = types.nullOr types.str;
-    };
    #########
    #  SSH  #
    #########
--- a/variables.nix
+++ b/variables.nix
@ -15,17 +15,12 @@ in
    hashedMasterPassword = lib.attrsets.attrByPath [ "hashedMasterPassword" ] null jsonData;
    sshKeys = lib.attrsets.attrByPath [ "sshKeys" ] [] jsonData;
    api = {
-      token = jsonData.api.token;
      enableSwagger = lib.attrsets.attrByPath [ "api" "enableSwagger" ] false jsonData;
      skippedMigrations = lib.attrsets.attrByPath [ "api" "skippedMigrations" ] [] jsonData;
    };
    backblaze = {
      bucket = lib.attrsets.attrByPath [ "backblaze" "bucket" ] "" jsonData;
    };
-    cloudflare = {
-      apiKey = lib.attrsets.attrByPath [ "cloudflare" "apiKey" ] "" jsonData;
-    };
-    databasePassword = lib.attrsets.attrByPath [ "databasePassword" ] null jsonData;
    bitwarden = {
      enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
    };
@ -34,7 +29,6 @@ in
    };
    nextcloud = {
      enable = lib.attrsets.attrByPath [ "nextcloud" "enable" ] false jsonData;
-      adminPassword = lib.attrsets.attrByPath [ "nextcloud" "adminPassword" ] "" jsonData;
    };
    pleroma = {
      enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
@ -45,7 +39,6 @@ in
    ocserv = {
      enable = lib.attrsets.attrByPath [ "ocserv" "enable" ] false jsonData;
    };
-    resticPassword = lib.attrsets.attrByPath [ "resticPassword" ] null jsonData;
    ssh = {
      enable = lib.attrsets.attrByPath [ "ssh" "enable" ] true jsonData;
      rootKeys = lib.attrsets.attrByPath [ "ssh" "rootKeys" ] [ "" ] jsonData;