From a41e86290ff75a8c621a9b3dd05f6fc119c0b2ef Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2023 17:09:35 +0200 Subject: treewide: replace with sops.secrets --- 2configs/bgt/download.binaergewitter.de.nix | 3 ++- 2configs/bgt/hidden_service.nix | 4 ++-- 2configs/binary-cache/server.nix | 3 ++- 2configs/nginx/dl.euer.krebsco.de.nix | 6 ++++-- 2configs/nginx/euer.wiki.nix | 4 ++-- 2configs/nix-community/mediawiki-matrix-bot.nix | 22 ++++++++++++---------- 2configs/torrent/rtorrent.nix | 10 ++++------ 2configs/wireguard/server.nix | 5 ++++- 8 files changed, 32 insertions(+), 25 deletions(-) diff --git a/2configs/bgt/download.binaergewitter.de.nix b/2configs/bgt/download.binaergewitter.de.nix index 7664dacaa..ae8ae627a 100644 --- a/2configs/bgt/download.binaergewitter.de.nix +++ b/2configs/bgt/download.binaergewitter.de.nix @@ -56,9 +56,10 @@ in { systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/spool/nginx/logs/" ]; + sops.secrets."lego-binaergewitter" = {}; security.acme.certs."download.binaergewitter.de" = { dnsProvider = "cloudflare"; - credentialsFile = toString ; + credentialsFile = config.sops.secrets."lego-binaergewitter".path; webroot = lib.mkForce null; }; diff --git a/2configs/bgt/hidden_service.nix b/2configs/bgt/hidden_service.nix index 5c997336d..35ae99265 100644 --- a/2configs/bgt/hidden_service.nix +++ b/2configs/bgt/hidden_service.nix @@ -6,12 +6,12 @@ let srvdir = "/var/lib/tor/onion/"; in { - sops.secrets."bgt_cyberwar_hidden_service/private_key" = { + sops.secrets."${name}/private_key" = { path = "${srvdir}/${name}/private_key"; owner = "tor"; restartUnits = [ "tor.service" ]; }; - sops.secrets."bgt_cyberwar_hidden_service/hostname" = { + sops.secrets."${name}/hostname" = { path = "${srvdir}/${name}/hostname"; owner = "tor"; restartUnits = [ "tor.service" ]; diff --git a/2configs/binary-cache/server.nix b/2configs/binary-cache/server.nix index c1ae16e29..f8355bb95 100644 --- a/2configs/binary-cache/server.nix 
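Review bot: The new `sops.secrets."lego-binaergewitter" = {};` in download.binaergewitter.de.nix says nothing about what the entry must contain, and the name does not make it derivable; whoever migrates the old file into the sops store needs the format. Suggest a comment above the declaration: `# env-file for lego's cloudflare provider (e.g. CLOUDFLARE_DNS_API_TOKEN=...); handed to the acme unit by systemd, so the sops default root:0400 is enough`. The "read by systemd before dropping to the acme user" part is how the acme module's `credentialsFile` (an EnvironmentFile) is documented, but it is not visible here and should be checked against the pinned nixpkgs. The enclosing `in { ... }` attrset starts above this hunk.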
+++ b/2configs/binary-cache/server.nix @@ -1,12 +1,13 @@ { config, lib, pkgs, ...}: { + sops.secrets."nix-serve.key" = {}; # generate private key with: # nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub services.nix-serve = { enable = true; port = 5001; - secretKeyFile = toString + "/nix-serve.key"; + secretKeyFile = config.sops.secrets."nix-serve.key".path; }; services.nginx = { diff --git a/2configs/nginx/dl.euer.krebsco.de.nix b/2configs/nginx/dl.euer.krebsco.de.nix index e31d355a7..fd2515ccc 100644 --- a/2configs/nginx/dl.euer.krebsco.de.nix +++ b/2configs/nginx/dl.euer.krebsco.de.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: { + sops.secrets."dl.euer.krebsco.de-auth" = {}; + sops.secrets."dl.gum-auth" = {}; users.groups.download.members = [ "nginx" ]; services.nginx = { enable = lib.mkDefault true; @@ -11,13 +13,13 @@ extraConfig = "autoindex on;"; forceSSL = true; enableACME = true; - basicAuth = import ; + basicAuthFile = config.sops.secrets."dl.euer.krebsco.de-auth".path; }; virtualHosts."dl.gum.r" = { serverAliases = [ "dl.gum" "dl.makefu.r" "dl.makefu" ]; root = config.makefu.dl-dir; extraConfig = "autoindex on;"; - basicAuth = import ; + basicAuthFile = config.sops.secrets."dl.gum-auth".path; }; }; } diff --git a/2configs/nginx/euer.wiki.nix b/2configs/nginx/euer.wiki.nix index bd1744325..ccf3e8844 100644 --- a/2configs/nginx/euer.wiki.nix +++ b/2configs/nginx/euer.wiki.nix @@ -2,7 +2,6 @@ with pkgs.stockholm.lib; let - sec = toString ; ext-dom = "wiki.euer.krebsco.de"; user = config.services.nginx.user; @@ -18,9 +17,10 @@ let # user1 = pass1 # userN = passN # afterwards put /var/www//user1.html as tiddlywiki - tw-pass-file = "${sec}/tw-pass.ini"; + tw-pass-file = config.sops.secrets."tw-pass.ini".path; in { + sops.secrets."tw-pass.ini" = {}; state = [ base-dir ]; # hotfix for broken wiki after reboot systemd.services."phpfpm-euer-wiki".serviceConfig.RequiresMountFor = [ "/media/cloud" ]; 
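Review bot: `sops.secrets."nix-serve.key" = {};` keeps the sops-nix defaults (owner root, mode 0400), yet services.nix-serve runs as its own unprivileged user, so the key is only readable if the NixOS module passes it through systemd (LoadCredential) rather than opening `secretKeyFile` itself; older nix-serve modules do the latter and would fail with EACCES at start. The mediawiki-matrix-bot hunk in this same commit handles the dynamic-user case explicitly with a group plus `SupplementaryGroups`, so this declaration should either state that it relies on the credential hand-off or use the same group pattern (an `owner` cannot be set for a DynamicUser, since the account does not exist at activation). The "generate private key with" comment above now points at a file that has to be pasted into the sops store rather than the old `<secrets>` directory; amend it to `# ... then put the content of nix-serve.key into the sops file under key "nix-serve.key"`.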
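Review bot: In dl.euer.krebsco.de.nix both htpasswd secrets are declared with sops-nix defaults (root, 0400), but nginx opens `auth_basic_user_file` from its worker processes running as the nginx user (the NixOS unit drops root entirely), so requests to these two vhosts will answer 500 with "open() failed (13: Permission denied)" in the error log instead of prompting for credentials. The rtorrent hunk in this same commit gets it right with `owner = "nginx"`; declare `sops.secrets."dl.euer.krebsco.de-auth" = { owner = config.services.nginx.user; };` and the same for `dl.gum-auth`. Note also that `basicAuthFile` takes htpasswd lines (`user:{PLAIN}pass` or `user:$apr1$...`), not the `{ user = "pass"; }` attrset the old `basicAuth` import held, so the sops entries need that format; a one-line comment saying so next to the declarations would spare the next migration.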
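Review bot: In euer.wiki.nix `sops.secrets."tw-pass.ini" = {};` leaves the file root-owned 0400, while the consumer of `tw-pass-file` is presumably the `phpfpm-euer-wiki` pool running as `user = config.services.nginx.user` (visible in the let above the hunk), which cannot open such a file; the wiki's password check would then fail once the old `<secrets>` copy is gone. Give the secret an owner matching the reader: `sops.secrets."tw-pass.ini" = { owner = config.services.nginx.user; };`, or the group/`SupplementaryGroups` pattern the mediawiki-matrix-bot hunk uses if the pool user should not own it. The `user1 = pass1` format comment above is still accurate; a note like `# sops key tw-pass.ini: plain ini, one "user = password" line per account` at the declaration would tie the two together. The enclosing `let ... in {` block starts above this hunk.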
diff --git a/2configs/nix-community/mediawiki-matrix-bot.nix b/2configs/nix-community/mediawiki-matrix-bot.nix index 6dff64121..919bfcea7 100644 --- a/2configs/nix-community/mediawiki-matrix-bot.nix +++ b/2configs/nix-community/mediawiki-matrix-bot.nix @@ -1,8 +1,12 @@ -{ pkgs, ... }: -let - seccfg = toString ; - statecfg = "/var/lib/mediawiki-matrix-bot/config.json"; -in { +{ pkgs, config, ... }: + +{ + sops.secrets."mediawikibot-config.json" = { + mode = "0440"; + group = config.users.groups.mediawiki.name; + }; + users.groups.mediawiki = {}; + systemd.services.mediawiki-matrix-bot = { description = "Mediawiki Matrix Bot"; after = [ "network-online.target" ]; @@ -12,11 +16,9 @@ in { RestartSec = "60s"; DynamicUser = true; StateDirectory = "mediawiki-matrix-bot"; - PermissionsStartOnly = true; - ExecStartPre = pkgs.writeDash "mediawikibot-copy-config" '' - install -D -m644 ${seccfg} ${statecfg} - ''; - ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${statecfg}"; + SupplementaryGroups = [ config.users.groups.mediawiki.name ]; + + ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${config.sops.secrets."mediawikibot-config.json".path}"; PrivateTmp = true; }; }; diff --git a/2configs/torrent/rtorrent.nix b/2configs/torrent/rtorrent.nix index 87ecc1e19..1c6742eb5 100644 --- a/2configs/torrent/rtorrent.nix +++ b/2configs/torrent/rtorrent.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: let - basicAuth = import ; peer-port = 51412; web-port = 8112; daemon-port = 58846; 
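Review bot: The new `sops.secrets."mediawikibot-config.json"` declaration has no `restartUnits`, so a changed token or homeserver password is decrypted on activation but `mediawiki-matrix-bot.service`, which presumably parses its config once at start, keeps running with the old values; the tor secrets in this same commit declare `restartUnits`, and this one should too: `restartUnits = [ "mediawiki-matrix-bot.service" ];`. The group name `mediawiki` is also broader than what it guards; if the host ever enables `services.mediawiki` the same-named group would blur who is meant to read this file, so `users.groups.mediawiki-matrix-bot = {};` (and the matching references) would be unambiguous. The mode 0440 plus `SupplementaryGroups` in the next hunk is the right way to reach a DynamicUser and is an improvement over the previous root-owned 0644 copy in the state directory. The systemd unit definition continues into the next hunk.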
@@ -30,14 +29,13 @@ in { }; #security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL; - + sops.secrets."torrent-auth" = { + owner = "nginx"; + }; services.nginx = { enable = true; virtualHosts."torrent.${config.krebs.build.host.name}.r" = { - # TODO - inherit basicAuth; - #enableACME = true; - #addSSL = true; + basicAuthFile = config.sops.secrets."torrent-auth".path; root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets"; locations."/api".extraConfig = '' proxy_pass http://localhost:${toString web-port}; diff --git a/2configs/wireguard/server.nix b/2configs/wireguard/server.nix index bb3198178..426403df2 100644 --- a/2configs/wireguard/server.nix +++ b/2configs/wireguard/server.nix @@ -7,6 +7,9 @@ in { # wireguard server # boot.kernel.sysctl."net.ipv4.ip_forward" = 1; # conf.all.proxy_arp =1 + + sops.secrets."wireguard.key" = {}; + networking.firewall = { allowedUDPPorts = [ 51820 ]; }; @@ -20,7 +23,7 @@ in { # wireguard server networking.wireguard.interfaces.wg0 = { ips = [ "10.244.0.1/24" ]; listenPort = 51820; - privateKeyFile = (toString ) + "/wireguard.key"; + privateKeyFile = config.sops.secrets."wireguard.key".path; # allowedIPsAsRoutes = true; postSetup = '' ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE -- cgit v1.2.3
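Review bot: `owner = "nginx"` hard-codes the reader while euer.wiki.nix in this same commit derives it from `config.services.nginx.user`; `owner = config.services.nginx.user;` keeps the secret aligned with the module if the user is ever changed. Separately, dropping the `# TODO`, `#enableACME` and `#addSSL` lines removes the only reminder that this vhost serves HTTP basic auth over plain HTTP, so the credentials in `torrent-auth` cross the wire in cleartext; that is acceptable only if `torrent.<host>.r` is reachable solely over the encrypted overlay (plausible given the `.r` zone, but not visible here), otherwise add `forceSSL = true;` with a cert, or at least keep a comment stating why TLS is omitted. The `virtualHosts` block continues past the end of this hunk.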
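Review bot: `sops.secrets."wireguard.key" = {};` in wireguard/server.nix has no `restartUnits`, so a rotated key is decrypted on activation while the `wireguard-wg0` unit, which presumably reads `privateKeyFile` only when it brings the interface up, keeps the old key in the kernel; the hidden_service hunk in this commit uses `restartUnits` for exactly this case, so add `restartUnits = [ "wireguard-wg0.service" ];`. The root:0400 default is correct here, since the interface is configured by root. A short `# wg0 private key, generated with wg genkey; peers' public keys stay in this file` above the declaration would also help, as the secret name alone does not say which interface it belongs to. The enclosing `in { ... }` attrset starts above this hunk.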