		
	Put the S3 secrets into files
...but not everywhere: some FIXMEs remain at the places where the secrets ultimately still end up in the Nix store.
							parent
							
								
									8c5bf79ba2
								
							
						
					
					
						commit
						78a85b27ff
					
				
					 7 changed files with 96 additions and 62 deletions
				
			
		|  | @ -76,7 +76,9 @@ in | ||||||
|       providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; |       providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; | ||||||
| 
 | 
 | ||||||
|       resources = { |       resources = { | ||||||
|         fedi101 = makeProcolixVmResource 101 { |         fedi101 = makeProcolixVmResource 101 ( | ||||||
|  |           { pkgs, ... }: | ||||||
|  |           { | ||||||
|             fediversity = { |             fediversity = { | ||||||
|               enable = true; |               enable = true; | ||||||
|               domain = "fedi101.abundos.eu"; |               domain = "fedi101.abundos.eu"; | ||||||
|  | @ -84,13 +86,16 @@ in | ||||||
|                 enable = true; |                 enable = true; | ||||||
| 
 | 
 | ||||||
|                 ## NOTE: Only ever used for testing anyway. |                 ## NOTE: Only ever used for testing anyway. | ||||||
|               s3AccessKey = "GKb5615457d44214411e673b7b"; |                 s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; | ||||||
|               s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; |                 s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; | ||||||
|             }; |  | ||||||
|               }; |               }; | ||||||
|             }; |             }; | ||||||
|  |           } | ||||||
|  |         ); | ||||||
| 
 | 
 | ||||||
|         fedi102 = makeProcolixVmResource 102 { |         fedi102 = makeProcolixVmResource 102 ( | ||||||
|  |           { pkgs, ... }: | ||||||
|  |           { | ||||||
|             fediversity = { |             fediversity = { | ||||||
|               enable = true; |               enable = true; | ||||||
|               domain = "fedi102.abundos.eu"; |               domain = "fedi102.abundos.eu"; | ||||||
|  | @ -98,13 +103,14 @@ in | ||||||
|                 enable = true; |                 enable = true; | ||||||
| 
 | 
 | ||||||
|                 ## NOTE: Only ever used for testing anyway. |                 ## NOTE: Only ever used for testing anyway. | ||||||
|               s3AccessKey = "GK3515373e4c851ebaad366558"; |                 s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558"; | ||||||
|               s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; |                 s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; | ||||||
|               }; |               }; | ||||||
| 
 | 
 | ||||||
|               temp.cores = 1; # FIXME: should come from NixOps4 eventually |               temp.cores = 1; # FIXME: should come from NixOps4 eventually | ||||||
|             }; |             }; | ||||||
|         }; |           } | ||||||
|  |         ); | ||||||
| 
 | 
 | ||||||
|         fedi103 = makeProcolixVmResource 103 ( |         fedi103 = makeProcolixVmResource 103 ( | ||||||
|           { pkgs, ... }: |           { pkgs, ... }: | ||||||
|  | @ -117,8 +123,8 @@ in | ||||||
| 
 | 
 | ||||||
|                 ## NOTE: Only ever used for testing anyway. |                 ## NOTE: Only ever used for testing anyway. | ||||||
|                 secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; |                 secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; | ||||||
|                 s3AccessKey = "GK1f9feea9960f6f95ff404c9b"; |                 s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b"; | ||||||
|                 s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; |                 s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; | ||||||
|               }; |               }; | ||||||
|             }; |             }; | ||||||
|           } |           } | ||||||
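Review bot: `pkgs.writeText "s3SecretKey" "..."` on the new side of fedi101, fedi102 and fedi103 still places each secret key in the world-readable `/nix/store` (and in any binary cache the closure is pushed to), so moving the literal into a store-backed file does not change who can read it. Since the option now takes `types.path`, a deployment could instead point at a file provisioned outside the store, e.g. `s3SecretKeyFile = "/run/secrets/fedi101-s3-secret";`, but only once the consuming modules read that file at runtime rather than at evaluation time. The `## NOTE: Only ever used for testing anyway.` comment should also state the consequence of these keys being committed: `## NOTE: Only ever used for testing; these keys are public in the repository history and must never be imported into a non-test Garage.`. The enclosing `resources` attribute set and `makeProcolixVmResource` start outside the hunk.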
|  |  | ||||||
|  | @ -83,13 +83,13 @@ let | ||||||
|   ensureKeyScriptFn = |   ensureKeyScriptFn = | ||||||
|     key: |     key: | ||||||
|     { |     { | ||||||
|       s3AccessKey, |       s3AccessKeyFile, | ||||||
|       s3SecretKey, |       s3SecretKeyFile, | ||||||
|       ensureAccess, |       ensureAccess, | ||||||
|     }: |     }: | ||||||
|     '' |     '' | ||||||
|       ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` |       ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` | ||||||
|       garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || : |       garage key import --yes -n ${escapeShellArg key} $(cat ${escapeShellArg s3AccessKeyFile}) $(cat ${escapeShellArg s3SecretKeyFile}) || : | ||||||
|       ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} |       ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} | ||||||
|     ''; |     ''; | ||||||
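Review bot: The unquoted `$(cat ${escapeShellArg s3AccessKeyFile})` and `$(cat ${escapeShellArg s3SecretKeyFile})` substitutions on the `garage key import` line are subject to word splitting and globbing, so a key file containing whitespace or glob characters would be expanded into several arguments; quote them as `"$(cat ${escapeShellArg s3AccessKeyFile})"` and `"$(cat ${escapeShellArg s3SecretKeyFile})"`. Independently, the secret key is still passed as a command-line argument, which exposes it to every local user through `/proc/<pid>/cmdline` and `ps` for the duration of the import; if `garage key import` can take the secret from a file or stdin, that form should be preferred — I cannot confirm from here whether the Garage CLI offers such an option. This argv exposure predates the commit (the literal was passed the same way), so it is reasonable to fold it into the existing `## FIXME` rather than block on it.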
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -43,10 +43,11 @@ in | ||||||
|     ensureKeys = mkOption { |     ensureKeys = mkOption { | ||||||
|       type = types.attrsOf ( |       type = types.attrsOf ( | ||||||
|         types.submodule { |         types.submodule { | ||||||
|           # TODO: these should be managed as secrets, not in the nix store |  | ||||||
|           options = { |           options = { | ||||||
|             s3AccessKey = mkOption { type = types.str; }; |             s3AccessKeyFile = mkOption { type = types.path; }; | ||||||
|             s3SecretKey = mkOption { type = types.str; }; | 
 | ||||||
|  |             s3SecretKeyFile = mkOption { type = types.path; }; | ||||||
|  | 
 | ||||||
|             # TODO: assert at least one of these is true |             # TODO: assert at least one of these is true | ||||||
|             # NOTE: this currently needs to be done at the top level module |             # NOTE: this currently needs to be done at the top level module | ||||||
|             ensureAccess = mkOption { |             ensureAccess = mkOption { | ||||||
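Review bot: `s3AccessKeyFile` and `s3SecretKeyFile` in the `ensureKeys` submodule carry no `description`, and with the old `# TODO: these should be managed as secrets, not in the nix store` removed nothing warns a user that a store path here (such as one produced by `pkgs.writeText`) makes the key world-readable. Add a description to each, e.g. `description = "Path to a file containing the S3 access key. It is read at runtime by the key-ensure script, so it should be a runtime secret path rather than a Nix store path.";` and the equivalent for the secret key. The `ensureKeys` option's enclosing `options` attribute set continues outside the hunk.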
|  |  | ||||||
|  | @ -1,5 +1,15 @@ | ||||||
| { config, lib, ... }: | { | ||||||
|  |   config, | ||||||
|  |   lib, | ||||||
|  |   pkgs, | ||||||
|  |   ... | ||||||
|  | }: | ||||||
| 
 | 
 | ||||||
|  | let | ||||||
|  |   inherit (lib) readFile; | ||||||
|  |   inherit (pkgs) writeText; | ||||||
|  | 
 | ||||||
|  | in | ||||||
| { | { | ||||||
|   imports = [ ./options.nix ]; |   imports = [ ./options.nix ]; | ||||||
| 
 | 
 | ||||||
|  | @ -20,7 +30,7 @@ | ||||||
| 
 | 
 | ||||||
|       ensureKeys = { |       ensureKeys = { | ||||||
|         mastodon = { |         mastodon = { | ||||||
|           inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey; |           inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile; | ||||||
|           ensureAccess = { |           ensureAccess = { | ||||||
|             mastodon = { |             mastodon = { | ||||||
|               read = true; |               read = true; | ||||||
|  | @ -32,8 +42,7 @@ | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
| 
 | 
 | ||||||
|     services.mastodon = { |     services.mastodon.extraConfig = rec { | ||||||
|       extraConfig = rec { |  | ||||||
|       S3_ENABLED = "true"; |       S3_ENABLED = "true"; | ||||||
|       # TODO: this shouldn't be hard-coded, it should come from the garage configuration |       # TODO: this shouldn't be hard-coded, it should come from the garage configuration | ||||||
|       S3_ENDPOINT = config.fediversity.garage.api.url; |       S3_ENDPOINT = config.fediversity.garage.api.url; | ||||||
|  | @ -41,17 +50,23 @@ | ||||||
|       S3_BUCKET = "mastodon"; |       S3_BUCKET = "mastodon"; | ||||||
|       # use <S3_BUCKET>.<S3_ENDPOINT> |       # use <S3_BUCKET>.<S3_ENDPOINT> | ||||||
|       S3_OVERRIDE_PATH_STLE = "true"; |       S3_OVERRIDE_PATH_STLE = "true"; | ||||||
|         AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey; |  | ||||||
|         AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey; |  | ||||||
|       S3_PROTOCOL = "http"; |       S3_PROTOCOL = "http"; | ||||||
|         S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}"; |       S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET; | ||||||
|       # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ |       # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ | ||||||
|       # TODO: can we set up ACLs with garage? |       # TODO: can we set up ACLs with garage? | ||||||
|       S3_PERMISSION = ""; |       S3_PERMISSION = ""; | ||||||
|     }; |     }; | ||||||
|     }; |  | ||||||
| 
 | 
 | ||||||
|     #### mastodon setup |     ## FIXME: secrets management; we should have a service that writes the | ||||||
|  |     ## `.env` files based on all the secrets that we need to put there. | ||||||
|  |     services.mastodon.extraEnvFiles = [ | ||||||
|  |       (writeText "s3AccessKey" '' | ||||||
|  |         AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile} | ||||||
|  |       '') | ||||||
|  |       (writeText "s3SecretKey" '' | ||||||
|  |         AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile} | ||||||
|  |       '') | ||||||
|  |     ]; | ||||||
| 
 | 
 | ||||||
|     # open up access to the mastodon web interface. 80 is necessary if only for ACME |     # open up access to the mastodon web interface. 80 is necessary if only for ACME | ||||||
|     networking.firewall.allowedTCPPorts = [ |     networking.firewall.allowedTCPPorts = [ | ||||||
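Review bot: `readFile config.fediversity.mastodon.s3AccessKeyFile` in the new `services.mastodon.extraEnvFiles` entries reads the secret during Nix evaluation and embeds it in a `writeText` derivation, so the value lands in the world-readable `/nix/store` regardless of where `s3AccessKeyFile` points — and a non-store path such as `/run/secrets/...` would be read on the evaluating host or fail under pure evaluation, which undercuts the `types.path` option the commit introduces. The `## FIXME: secrets management` comment covers the store problem; it should also record this constraint, e.g. `## FIXME: readFile runs at eval time, so only store-path (test) values work until the env file is generated by a runtime service.`. If `extraEnvFiles` are loaded as systemd `EnvironmentFile=` entries, as the name suggests, the eval-time `readFile` becomes unnecessary once a runtime step writes the file in `KEY=value` form. Unrelated to this commit but in the same block, `S3_OVERRIDE_PATH_STLE` looks like a typo for `S3_OVERRIDE_PATH_STYLE`, which would leave path-style addressing unset; the enclosing `config = mkIf ...` block continues outside the hunk.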
|  |  | ||||||
|  | @ -1,9 +1,13 @@ | ||||||
| { config, lib, ... }: | { config, lib, ... }: | ||||||
| 
 | 
 | ||||||
|  | let | ||||||
|  |   inherit (lib) mkIf readFile; | ||||||
|  | 
 | ||||||
|  | in | ||||||
| { | { | ||||||
|   imports = [ ./options.nix ]; |   imports = [ ./options.nix ]; | ||||||
| 
 | 
 | ||||||
|   config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { |   config = mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { | ||||||
|     networking.firewall.allowedTCPPorts = [ |     networking.firewall.allowedTCPPorts = [ | ||||||
|       80 |       80 | ||||||
|       443 |       443 | ||||||
|  | @ -39,7 +43,7 @@ | ||||||
| 
 | 
 | ||||||
|       ensureKeys = { |       ensureKeys = { | ||||||
|         peertube = { |         peertube = { | ||||||
|           inherit (config.fediversity.peertube) s3AccessKey s3SecretKey; |           inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile; | ||||||
|           ensureAccess = { |           ensureAccess = { | ||||||
|             peertube-videos = { |             peertube-videos = { | ||||||
|               read = true; |               read = true; | ||||||
|  | @ -97,9 +101,12 @@ | ||||||
|       }; |       }; | ||||||
|       serviceEnvironmentFile = "/etc/peertube-env"; |       serviceEnvironmentFile = "/etc/peertube-env"; | ||||||
|     }; |     }; | ||||||
|  | 
 | ||||||
|  |     ## FIXME: secrets management; we should have a service that writes the | ||||||
|  |     ## `.env` files based on all the secrets that we need to put there. | ||||||
|     environment.etc.peertube-env.text = '' |     environment.etc.peertube-env.text = '' | ||||||
|       AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey} |       AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile} | ||||||
|       AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey} |       AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile} | ||||||
|     ''; |     ''; | ||||||
| 
 | 
 | ||||||
|     ## Proxying through Nginx |     ## Proxying through Nginx | ||||||
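Review bot: `environment.etc.peertube-env.text` with `readFile ...s3SecretKeyFile` makes the PeerTube S3 credentials a store-backed `/etc/peertube-env`: `environment.etc` defaults to a symlink into `/nix/store` and no `mode` or `user` is set, so every local user can read the secret, on top of the eval-time `readFile` routing it through the evaluator. As an interim measure until the runtime service the FIXME describes exists, setting `mode = "0400";` and `user = config.services.peertube.user;` on `environment.etc.peertube-env` (assuming that option exists in the PeerTube module in use — please verify) restricts the `/etc` copy, though the store copy remains readable. The same caveat as for Mastodon applies: a non-store path in `s3SecretKeyFile` will not work with eval-time `readFile`, which the `## FIXME` should spell out. The enclosing `config = mkIf ...` block continues outside the hunk.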
|  |  | ||||||
|  | @ -6,7 +6,7 @@ | ||||||
| }: | }: | ||||||
| 
 | 
 | ||||||
| let | let | ||||||
|   inherit (lib) mkIf; |   inherit (lib) mkIf readFile; | ||||||
| 
 | 
 | ||||||
| in | in | ||||||
| { | { | ||||||
|  | @ -29,7 +29,7 @@ in | ||||||
| 
 | 
 | ||||||
|       ensureKeys = { |       ensureKeys = { | ||||||
|         pixelfed = { |         pixelfed = { | ||||||
|           inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey; |           inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile; | ||||||
|           ensureAccess = { |           ensureAccess = { | ||||||
|             pixelfed = { |             pixelfed = { | ||||||
|               read = true; |               read = true; | ||||||
|  | @ -45,9 +45,12 @@ in | ||||||
|       enable = true; |       enable = true; | ||||||
|       domain = config.fediversity.pixelfed.domain; |       domain = config.fediversity.pixelfed.domain; | ||||||
| 
 | 
 | ||||||
|       # TODO: secrets management!!! |       ## FIXME: secrets management; we should have a service that writes the | ||||||
|  |       ## `.env` file based on all the secrets that we need to put there. | ||||||
|       secretFile = pkgs.writeText "secrets.env" '' |       secretFile = pkgs.writeText "secrets.env" '' | ||||||
|         APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA |         APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA | ||||||
|  |         AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile} | ||||||
|  |         AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile} | ||||||
|       ''; |       ''; | ||||||
| 
 | 
 | ||||||
|       ## Taeer feels like this way of configuring Nginx is odd; there should |       ## Taeer feels like this way of configuring Nginx is odd; there should | ||||||
|  | @ -70,8 +73,6 @@ in | ||||||
| 
 | 
 | ||||||
|       FILESYSTEM_CLOUD = "s3"; |       FILESYSTEM_CLOUD = "s3"; | ||||||
|       PF_ENABLE_CLOUD = true; |       PF_ENABLE_CLOUD = true; | ||||||
|       AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey; |  | ||||||
|       AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey; |  | ||||||
|       AWS_DEFAULT_REGION = "garage"; |       AWS_DEFAULT_REGION = "garage"; | ||||||
|       AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; |       AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; | ||||||
|       AWS_BUCKET = "pixelfed"; |       AWS_BUCKET = "pixelfed"; | ||||||
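Review bot: The `APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA` line in `secretFile` is a fixed literal in the module itself rather than a per-deployment value like the S3 keys, so every Pixelfed instance built from this module shares the same application key (which Laravel-based apps use for encryption and session signing) and it is public in the repository. Unlike the S3 test keys it carries no `## NOTE: Only ever used for testing` marker, so the new `## FIXME` above `secretFile` should call it out explicitly, e.g. `## FIXME: APP_KEY is a shared, committed constant; it must be generated per instance.`, or better, it should move behind a file option like `s3SecretKeyFile`. The newly added `AWS_*` lines inherit the same `pkgs.writeText` store exposure and eval-time `readFile` constraint the FIXME already describes. The enclosing `services.pixelfed` block continues outside the hunk.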
|  |  | ||||||
|  | @ -1,3 +1,6 @@ | ||||||
|  | ## NOTE: Not a module, but a helper function to create options for Fediversity | ||||||
|  | ## services, as they tend to require the same ones. | ||||||
|  | 
 | ||||||
| { | { | ||||||
|   config, |   config, | ||||||
|   lib, |   lib, | ||||||
|  | @ -13,8 +16,8 @@ in | ||||||
| { | { | ||||||
|   enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; |   enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; | ||||||
| 
 | 
 | ||||||
|   s3AccessKey = mkOption { |   s3AccessKeyFile = mkOption { | ||||||
|     type = types.str; |     type = types.path; | ||||||
|     description = '' |     description = '' | ||||||
|       S3 access key for ${serviceDocName}'s bucket/s |       S3 access key for ${serviceDocName}'s bucket/s | ||||||
| 
 | 
 | ||||||
|  | @ -22,7 +25,8 @@ in | ||||||
|     ''; |     ''; | ||||||
|   }; |   }; | ||||||
| 
 | 
 | ||||||
|   s3SecretKey = mkOption { |   s3SecretKeyFile = mkOption { | ||||||
|  |     type = types.path; | ||||||
|     description = '' |     description = '' | ||||||
|       S3 secret key for ${serviceDocName}'s bucket/s |       S3 secret key for ${serviceDocName}'s bucket/s | ||||||
| 
 | 
 | ||||||
|  |  | ||||||