From ed26839078229ff4bb1e3d7ef5826fdb3c87fdab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 11 Dec 2024 13:25:31 +0100 Subject: [PATCH 01/14] Add Agenix to the environment --- flake.lock | 118 ++++++++++++++++++++++++++++++++++++++++++++++++----- flake.nix | 2 + 2 files changed, 109 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index c8e7fa7..0bbdc67 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "crane": { "flake": false, "locked": { @@ -34,9 +55,31 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1731274291, @@ -266,7 +309,7 @@ "inputs": { "flake-compat": "flake-compat", "gitignore": "gitignore", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { 
@@ -339,6 +382,27 @@ "type": "github" } }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { @@ -519,7 +583,7 @@ "flake-parts": "flake-parts_2", "nix": "nix", "nix-cargo-integration": "nix-cargo-integration", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixpkgs-old": "nixpkgs-old" }, "locked": { @@ -541,7 +605,7 @@ "flake-parts": "flake-parts_4", "nix": "nix_2", "nix-cargo-integration": "nix-cargo-integration_2", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1727424043, @@ -560,16 +624,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730958623, - "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -723,6 +787,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1730958623, + "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85f7e662eda4fa3a995556527c87b2524b691933", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1732837521, "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=", 
@@ -738,7 +818,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_5": { "locked": { "lastModified": 1724819573, "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=", @@ -754,7 +834,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1732350895, "narHash": "sha256-GcOQbOgmwlsRhpLGSwZJwLbo3pu9ochMETuRSS1xpz4=", @@ -934,12 +1014,13 @@ }, "root": { "inputs": { + "agenix": "agenix", "disko": "disko", "flake-parts": "flake-parts", "git-hooks": "git-hooks", "nixops4": "nixops4", "nixops4-nixos": "nixops4-nixos", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" } }, "rust-overlay": { @@ -1028,6 +1109,21 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 4187e6e..ca28251 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; flake-parts.url = "github:hercules-ci/flake-parts"; git-hooks.url = "github:cachix/git-hooks.nix"; + agenix.url = "github:ryantm/agenix"; disko.url = "github:nix-community/disko"; @@ -69,6 +70,7 @@ devShells.default = pkgs.mkShell { packages = [ pkgs.nil + inputs'.agenix.packages.default inputs'.nixops4.packages.default ]; shellHook = config.pre-commit.installationScript; From 5771c14249eb22092cde15388605b958d71b1ebe Mon Sep 17 00:00:00 2001 
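Review bot: The new `agenix.url = "github:ryantm/agenix";` line in the `@@ -3,6 +3,7 @@` hunk of flake.nix declares no `follows`, which is why the flake.lock hunks grow a second `nixpkgs` node (lastModified 1703013332, about a year older than the root's `nixpkgs_6` at 1732350895) plus agenix's own `darwin`, `home-manager` and `systems` inputs. For a tool that is only used in the dev shell this pins a stale package set that will not be updated with the rest and adds extra upstreams to audit. Consider adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` next to the url, and, if they are unused here, `agenix.inputs.darwin.follows = "";` and `agenix.inputs.home-manager.follows = "";`, then re-locking. The `inputs` attribute set this line sits in starts and ends outside the hunk.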
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 11 Dec 2024 13:26:38 +0100 Subject: [PATCH 02/14] Set up a first secret --- README.md | 3 ++ flake.nix | 1 + secrets/README.md | 49 ++++++++++++++++++++++++++++++++ secrets/forgejo-runner-token.age | 11 +++++++ secrets/secrets.nix | 43 ++++++++++++++++++++++++++++ 5 files changed, 107 insertions(+) create mode 100644 secrets/README.md create mode 100644 secrets/forgejo-runner-token.age create mode 100644 secrets/secrets.nix diff --git a/README.md b/README.md index c87beb5..77e15fe 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,9 @@ details as to what they are for. As an overview: - [`matrix/`](./matrix) contains everything having to do with setting up a fully-featured Matrix server. +- [`secrets/`](./secrets) contains the secrets that need to get injected into + machine configurations. + - [`server/`](./server) contains the configuration of the VM hosting the website. This should be integrated into `infra/` shortly in the future, as tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31. diff --git a/flake.nix b/flake.nix index ca28251..4cdf14e 100644 --- a/flake.nix +++ b/flake.nix @@ -48,6 +48,7 @@ optin = [ "deployment" "infra" + "secrets" "services" ]; files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$"; diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 0000000..8c3a4c1 --- /dev/null +++ b/secrets/README.md 
@@ -0,0 +1,49 @@ +# Secrets + +Secrets are handled using [Agenix](https://github.com/ryantm/agenix). + +## Cheat sheet + +### Adding a secret + +As an example, let us add a secret in a file “cheeses” whose content should be +“best ones come unpasteurised”. + +1. Edit [`secrets.nix`](./secrets.nix), adding a field to the final record with + the file name mapped to the systems that should be able to decrypt the + secret, for instance: + ```nix + cheeses = [ vm02116 forgejo-ci ]; + ``` + +2. Run Agenix to add the content of the file. Agenix is provided by the + development Shell but can also be run directly with `nix run + github:ryantm/agenix --`. Run `agenix -e cheeses.age` (with the `.age` + extension); this will open your `$EDITOR` ; enter “best ones come + unpasteurised”, save and close. + +3. If you are doing something flake-related such as NixOps4, do not forget to + commit or at least stage the secret. + +4. In the machine's configuration, load the Agenix NixOS module, declare your + secret, possibly with owner/group, and use it where necessary, eg.: + ```nix + { config, ... }: + { + imports = [ inputs.agenix.x86_64-linux.nixosModules.default ]; + age.secrets.cheeses.file = ../secrets/cheeses.age; + # age.secrets.cheeses.owner = "jeanpierre"; + # age.secrets.cheeses.group = "france"; + # age.secrets.cheeses.mode = "440"; + services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path; + } + ``` + +5. Never read the content of the file in Nix, that is never do anything like: + ```nix + services.imaginaryCheeseFactory.frenchSecret = readFile config.age.secrets.cheeses.path; + ``` + This will put the secret as a world-readable file in the Nix store. The + service that you are using must be able to read from a file at runtime, and + if the NixOS default module options do not provide that, you must find a way + around it. diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age new file mode 100644 index 0000000..a0e126a 
--- /dev/null +++ b/secrets/forgejo-runner-token.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o +TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0 +-> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q +e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU +-> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI +8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA +--- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY +DN+VU8ؼQvҐA~+āLw`EXfV0@qHj +RGOY +.?D9O[%\ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..3ef18c8 --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,43 @@ +let + pkgs = import { system = builtins.currentSystem; }; + inherit (pkgs.lib.attrsets) concatMapAttrs; + + ############################################################################## + ## Contributor personal keys + ## + ## All the contributors in this list WILL be able to decrypt ALL the encrypted + ## `.age` files. + + contributors = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace" + ]; + + ############################################################################## + ## System host keys + ## + ## Machines in this list MAY be mentioned later on as able to decrypt some of + ## the encrypted `.age` files. + + vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; + vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; + + ############################################################################## + +in +concatMapAttrs + (name: keys: { + "${name}.age".publicKeys = contributors ++ keys; + }) + + ############################################################################## + ## File name <-> system host keys mapping + ## + ## This attribute set defines precisely which secrets exist and which systems + ## are able to decrypt them. + + { + forgejo-runner-token = [ + vm02179 + vm02186 + ]; + } From 32378d917d83f928bc2fe7ccde9c5b96236d3146 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 11 Dec 2024 13:32:41 +0100 Subject: [PATCH 03/14] Make token secret for actions runners --- infra/flake-part.nix | 10 ++++++++-- infra/vm02179/gitea-runner.nix | 9 +++++---- infra/vm02179/token.txt | 1 - infra/vm02186/gitea-runner.nix | 4 +++- 4 files changed, 16 insertions(+), 8 deletions(-) delete mode 100644 infra/vm02179/token.txt diff --git a/infra/flake-part.nix b/infra/flake-part.nix index f98b35c..76329a6 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix 
@@ -31,7 +31,10 @@ }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02179 ]; + imports = [ + ./vm02179 + inputs.agenix.nixosModules.default + ]; }; }; @@ -45,7 +48,10 @@ }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02186 ]; + imports = [ + ./vm02186 + inputs.agenix.nixosModules.default + ]; }; }; }; diff --git a/infra/vm02179/gitea-runner.nix b/infra/vm02179/gitea-runner.nix index b471bd4..dd3565c 100644 --- a/infra/vm02179/gitea-runner.nix +++ b/infra/vm02179/gitea-runner.nix @@ -1,6 +1,6 @@ -{ pkgs, ... }: -{ +{ config, pkgs, ... }: +{ virtualisation.docker.enable = true; services.gitea-actions-runner = { @@ -9,8 +9,7 @@ enable = true; name = "vm02179.procolix.com"; url = "https://git.fediversity.eu"; - # Obtaining the path to the runner token file may differ - token = "MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk"; + tokenFile = config.age.secrets.forgejo-runner-token.path; labels = [ "docker:docker://node:16-bullseye" "native:host" @@ -35,6 +34,8 @@ }; }; + age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age; + ## The Nix configuration of the system influences the Nix configuration ## in the workflow, and our workflows are often flake-based. nix.extraOptions = '' diff --git a/infra/vm02179/token.txt b/infra/vm02179/token.txt deleted file mode 100644 index 680567c..0000000 --- a/infra/vm02179/token.txt +++ /dev/null @@ -1 +0,0 @@ -MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk diff --git a/infra/vm02186/gitea-runner.nix b/infra/vm02186/gitea-runner.nix index 58434b7..2d2a7b1 100644 --- a/infra/vm02186/gitea-runner.nix +++ b/infra/vm02186/gitea-runner.nix @@ -9,7 +9,7 @@ name = config.networking.fqdn; url = "https://git.fediversity.eu"; - token = "MKmFPY4nxfR4zPYHIRLoiJdrrfkGmcRymj0GWOAk"; + tokenFile = config.age.secrets.forgejo-runner-token.path; settings = { log.level = "info"; 
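Review bot: Replacing `token = "…"` with `tokenFile = config.age.secrets.forgejo-runner-token.path;` in both gitea-runner.nix hunks and deleting `infra/vm02179/token.txt` removes the runner registration token from the working tree but not from git history, where the literal stays recoverable from every clone. The value encrypted into `secrets/forgejo-runner-token.age` should therefore be a freshly issued token, with the old one regenerated or invalidated on the Forgejo side if the instance allows it; otherwise the new secret protects a value that is already public. It would help to state this rotation in the commit message, or as a remark in `secrets/README.md`, so it is not skipped. The `services.gitea-actions-runner` blocks these lines belong to start and end outside the hunks.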
@@ -38,6 +38,8 @@ }; }; + age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age; + ## For the Docker mode of the runner. virtualisation.docker.enable = true; From 36b5351f0ac217d6c4209accee677df4c59a2e23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 11 Dec 2024 13:27:37 +0100 Subject: [PATCH 04/14] Handle Forgejo's secrets cleanly --- infra/flake-part.nix | 5 ++++- infra/vm02116/forgejo.nix | 14 +++++++++++--- secrets/forgejo-database-password.age | Bin 0 -> 337 bytes secrets/forgejo-email-password.age | 8 ++++++++ secrets/secrets.nix | 3 +++ 5 files changed, 26 insertions(+), 4 deletions(-) create mode 100644 secrets/forgejo-database-password.age create mode 100644 secrets/forgejo-email-password.age diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 76329a6..9926af6 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -17,7 +17,10 @@ }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02116 ]; + imports = [ + ./vm02116 + inputs.agenix.nixosModules.default + ]; }; }; diff --git a/infra/vm02116/forgejo.nix b/infra/vm02116/forgejo.nix index 157e8d6..b72466b 100644 --- a/infra/vm02116/forgejo.nix +++ b/infra/vm02116/forgejo.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: let domain = "git.fediversity.eu"; in 
@@ -27,15 +27,23 @@ in FROM = "git@fediversity.eu"; USER = "git@fediversity.eu"; }; - secrets.mailer.PASSWD = "/var/lib/forgejo/data/keys/forgejo-mailpw"; + secrets.mailer.PASSWD = config.age.secrets.forgejo-email-password.path; database = { type = "mysql"; socket = "/run/mysqld/mysqld.sock"; - passwordFile = "/var/lib/forgejo/data/keys/forgejo-dbpassword"; + passwordFile = config.age.secrets.forgejo-database-password.path; }; }; + age.secrets.forgejo-database-password = { + file = ../../secrets/forgejo-database-password.age; + owner = "forgejo"; + group = "forgejo"; + mode = "440"; + }; + age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age; + users.groups.keys.members = [ "forgejo" ]; services.mysql = { diff --git a/secrets/forgejo-database-password.age b/secrets/forgejo-database-password.age new file mode 100644 index 0000000000000000000000000000000000000000..435d5a0de67d5e1b16912d305f31fdaefbc74f84 GIT binary patch literal 337 zcmZ9_Jx+sA007`_CQK&AI5sM_Rj?w$Mu8SueDnc*K>b-9dH~}M zJcPTq&{-2t;HtA1_&#?QFah$?YMDm~I!e-6lK_f2rL!z#0-qHGAkhGtJ#5e|l)6Pu zI>r^WAhE{E2+m4n3I+vO6tW)Wwh*gYNqE+zxRz;WimJGNA(L42+ey&7T9s2g8CE8? zrL@rhplAZ)?EltxS)p6dX*=w&0;jk8ZqqU~NsiX?I^={omi!e#y~cE+mOKi>3!V~h z799^)3o&#C{P22eYh-22yIFYNg$?8@-pCvAGN{VXq!@;wO~)re<_;WBRLzEt^s%#a z9dKr3Vvge$4gi;EP9;ZbLgBr-3STzM>K5(ZJ?~J~cmM74^5^(tyM8FuHV?He2A;e= My;}#?{nz9EFXjDkxc~qF literal 0 HcmV?d00001 diff --git a/secrets/forgejo-email-password.age b/secrets/forgejo-email-password.age new file mode 100644 index 0000000..9de91e3 --- /dev/null +++ b/secrets/forgejo-email-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA +Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU +-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw +S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4 +--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0 +~Cs%}+ xΥNX^ +s$bbٝN \ No newline at end of file 
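Review bot: `age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age;` is declared without `owner`/`group`/`mode`, unlike the database password block just above it, so the decrypted file presumably keeps agenix's defaults (root-owned, not group-readable); since its path is handed to `secrets.mailer.PASSWD`, which I would expect the forgejo module to read as the `forgejo` user, the mailer password is likely unreadable at runtime — confirm against how the module consumes `secrets.*`. If it is read as the service user, mirror the database block: `age.secrets.forgejo-email-password = { file = ../../secrets/forgejo-email-password.age; owner = "forgejo"; group = "forgejo"; mode = "440"; };`. The `users.groups.keys.members = [ "forgejo" ]` line below looks like a leftover of the previous `/var/lib/forgejo/data/keys/` arrangement and may no longer be needed once both secrets come from agenix. The `services.forgejo` block starts outside the hunk.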
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3ef18c8..54a86bc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -18,6 +18,7 @@ let ## Machines in this list MAY be mentioned later on as able to decrypt some of ## the encrypted `.age` files. + vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr"; vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; @@ -36,6 +37,8 @@ concatMapAttrs ## are able to decrypt them. { + forgejo-database-password = [ vm02116 ]; + forgejo-email-password = [ vm02116 ]; forgejo-runner-token = [ vm02179 vm02186 From 7908affaab80fd09da408582b400fc52fa685dbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Thu, 12 Dec 2024 10:39:49 +0100 Subject: [PATCH 05/14] Keys in separate files in own directory --- README.md | 3 +++ flake.nix | 1 + keys/contributors/niols | 1 + keys/default.nix | 16 +++++++++++ keys/systems/vm02116 | 1 + keys/systems/vm02179 | 1 + keys/systems/vm02186 | 1 + secrets/secrets.nix | 60 ++++++++++++++++------------------------- 8 files changed, 47 insertions(+), 37 deletions(-) create mode 100644 keys/contributors/niols create mode 100644 keys/default.nix create mode 100644 keys/systems/vm02116 create mode 100644 keys/systems/vm02179 create mode 100644 keys/systems/vm02186 diff --git a/README.md b/README.md index 77e15fe..71ce749 100644 --- a/README.md +++ b/README.md 
@@ -15,6 +15,9 @@ details as to what they are for. As an overview: - [`infra/`](./infra) contains the configurations for the various VMs that are in production for the project, for instance the Git instances or the Wiki. +- [`keys/`](./keys) contains the public keys of the contributors to this project + as well as the systems that we administrate. + - [`matrix/`](./matrix) contains everything having to do with setting up a fully-featured Matrix server. diff --git a/flake.nix b/flake.nix index 4cdf14e..6c4f9c2 100644 --- a/flake.nix +++ b/flake.nix @@ -48,6 +48,7 @@ optin = [ "deployment" "infra" + "keys" "secrets" "services" ]; diff --git a/keys/contributors/niols b/keys/contributors/niols new file mode 100644 index 0000000..d8d9475 --- /dev/null +++ b/keys/contributors/niols @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace diff --git a/keys/default.nix b/keys/default.nix new file mode 100644 index 0000000..3bc08d1 --- /dev/null +++ b/keys/default.nix @@ -0,0 +1,16 @@ +let + inherit (builtins) + elemAt + mapAttrs + match + readDir + readFile + ; + removeTrailingWhitespace = s: elemAt (match "(.*[^[:space:]])[[:space:]]*" s) 0; + collectKeys = + dir: mapAttrs (name: _: removeTrailingWhitespace (readFile (dir + "/${name}"))) (readDir dir); +in +{ + contributors = collectKeys ./contributors; + systems = collectKeys ./systems; +} diff --git a/keys/systems/vm02116 b/keys/systems/vm02116 new file mode 100644 index 0000000..95d0e9d --- /dev/null +++ b/keys/systems/vm02116 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr diff --git a/keys/systems/vm02179 b/keys/systems/vm02179 new file mode 100644 index 0000000..d3e0494 --- /dev/null +++ b/keys/systems/vm02179 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM diff --git a/keys/systems/vm02186 b/keys/systems/vm02186 new file mode 100644 index 0000000..a3a78b6 --- /dev/null 
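Review bot: `removeTrailingWhitespace = s: elemAt (match "(.*[^[:space:]])[[:space:]]*" s) 0;` in keys/default.nix indexes the result of `match` without a null check, so an empty or whitespace-only key file (easy to produce when a new contributor file is `touch`ed) aborts evaluation of the whole `keys` set with an `elemAt` error that does not name the offending file. `readDir dir` also lists every entry, so a subdirectory or an editor backup such as `niols~` becomes a "key" and is fed to `readFile`. A guard along the lines of `let m = match "(.*[^[:space:]])[[:space:]]*" s; in if m == null then throw "keys: empty key file" else elemAt m 0`, plus restricting `collectKeys` to entries whose `readDir` type is `"regular"`, would make failures self-explaining.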
+++ b/keys/systems/vm02186 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 54a86bc..2190481 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,46 +1,32 @@ let pkgs = import { system = builtins.currentSystem; }; + inherit (builtins) attrValues; inherit (pkgs.lib.attrsets) concatMapAttrs; - ############################################################################## - ## Contributor personal keys - ## - ## All the contributors in this list WILL be able to decrypt ALL the encrypted - ## `.age` files. - - contributors = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace" - ]; - - ############################################################################## - ## System host keys - ## - ## Machines in this list MAY be mentioned later on as able to decrypt some of - ## the encrypted `.age` files. - - vm02116 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr"; - vm02179 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; - vm02186 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; - - ############################################################################## - + keys = import ../keys; + contributors = attrValues keys.contributors; in + concatMapAttrs - (name: keys: { - "${name}.age".publicKeys = contributors ++ keys; + (name: systems: { + "${name}.age".publicKeys = contributors ++ systems; }) - ############################################################################## - ## File name <-> system host keys mapping - ## - ## This attribute set defines precisely which secrets exist and which systems - ## are able to decrypt them. + ( + with keys.systems; - { - forgejo-database-password = [ vm02116 ]; - forgejo-email-password = [ vm02116 ]; - forgejo-runner-token = [ - vm02179 - vm02186 - ]; - } + ############################################################################## + ## File name <-> system host keys mapping + ## + ## This attribute set defines precisely which secrets exist and which systems + ## are able to decrypt them. 
+ + { + forgejo-database-password = [ vm02116 ]; + forgejo-email-password = [ vm02116 ]; + forgejo-runner-token = [ + vm02179 + vm02186 + ]; + } + ) From 109284b98b35eb4cb86b401c501dfe37249c8b08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Thu, 12 Dec 2024 11:05:11 +0100 Subject: [PATCH 06/14] Expose keys and secrets in the global flake --- flake.nix | 2 ++ keys/flake-part.nix | 3 +++ secrets/flake-part.nix | 36 ++++++++++++++++++++++++++++++++++++ secrets/secrets.nix | 8 +++++--- 4 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 keys/flake-part.nix create mode 100644 secrets/flake-part.nix diff --git a/flake.nix b/flake.nix index 6c4f9c2..f7251cc 100644 --- a/flake.nix +++ b/flake.nix @@ -27,7 +27,9 @@ ./deployment/flake-part.nix ./infra/flake-part.nix + ./keys/flake-part.nix ./services/flake-part.nix + ./secrets/flake-part.nix ]; perSystem = diff --git a/keys/flake-part.nix b/keys/flake-part.nix new file mode 100644 index 0000000..7e01c8f --- /dev/null +++ b/keys/flake-part.nix @@ -0,0 +1,3 @@ +{ + flake.keys = import ./.; +} diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix new file mode 100644 index 0000000..9f9b7f4 --- /dev/null +++ b/secrets/flake-part.nix 
@@ -0,0 +1,36 @@ +{ + inputs, + lib, + ... +}: + +let + inherit (builtins) elem; + inherit (lib.attrsets) concatMapAttrs filterAttrs; + inherit (lib.strings) removeSuffix; + + secrets = import ./secrets.nix; +in +{ + flake = { + inherit secrets; + + nixosModules.ageSecrets = ( + { config, ... }: + { + imports = [ inputs.agenix.nixosModules.default ]; + + options.x_fediversity.hostPublicKey = lib.mkOption { + description = '' + The host public key of the machine. It is used in particular + to filter Age secrets and only keep the relevant ones. + ''; + }; + + config.age.secrets = concatMapAttrs (name: _: { + ${removeSuffix ".age" name}.file = ./. + "/${name}"; + }) (filterAttrs (_: secret: elem config.x_fediversity.hostPublicKey secret.publicKeys) secrets); + } + ); + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2190481..5a2bde8 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,7 +1,9 @@ let - pkgs = import { system = builtins.currentSystem; }; - inherit (builtins) attrValues; - inherit (pkgs.lib.attrsets) concatMapAttrs; + inherit (builtins) attrValues foldl' mapAttrs; + ## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`, + ## but we would rather avoid a dependency in nixpkgs for this file. + mergeAttrs = x: y: x // y; + concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v)); keys = import ../keys; contributors = attrValues keys.contributors; From f75342229561a148f7343e730bc42656f78fc53a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Thu, 12 Dec 2024 11:14:03 +0100 Subject: [PATCH 07/14] Use shared keys attrset in `infra/` --- infra/flake-part.nix | 10 +++++----- keys/systems/vm02187 | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) create mode 100644 keys/systems/vm02187 diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 9926af6..de0dc33 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix 
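Review bot: `options.x_fediversity.hostPublicKey = lib.mkOption { description = … }` in secrets/flake-part.nix declares no `type` and no `default`, so any value is accepted and a mistyped or stale key only shows up when `elem config.x_fediversity.hostPublicKey secret.publicKeys` matches nothing, leaving `age.secrets` empty and surfacing later as a missing `config.age.secrets.<name>.path` at the consumer. Add `type = lib.types.str;` so that a non-string definition, or two modules setting different keys for one host, fails at evaluation with a clear message. The description should also say that the value must be the exact recipient string used in `secrets/secrets.nix`, since that equality is what selects which secrets get declared for the host.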
@@ -1,4 +1,4 @@ -{ inputs, ... }: +{ self, inputs, ... }: { nixops4Deployments.git = @@ -13,7 +13,7 @@ ssh = { host = "185.206.232.34"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr"; + hostPublicKey = self.keys.systems.vm02116; }; nixpkgs = inputs.nixpkgs; nixos.module = { @@ -30,7 +30,7 @@ ssh = { host = "185.206.232.179"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAsOCOsJ0vNL9fGj0XC25ir8B+k2NlVJzsiVUx+0eWM"; + hostPublicKey = self.keys.systems.vm02179; }; nixpkgs = inputs.nixpkgs; nixos.module = { @@ -47,7 +47,7 @@ ssh = { host = "185.206.232.186"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6mnBgEeyYE4tzHeFNHVNBV6KR+hAqh3PYSqlh0QViW"; + hostPublicKey = self.keys.systems.vm02186; }; nixpkgs = inputs.nixpkgs; nixos.module = { @@ -72,7 +72,7 @@ ssh = { host = "185.206.232.187"; opts = ""; - hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN24ZfdQNklKkIqfMg/+0vqENuDcy6fhT6SfAq01ae83"; + hostPublicKey = self.keys.systems.vm02187; }; nixpkgs = inputs.nixpkgs; nixos.module = { diff --git a/keys/systems/vm02187 b/keys/systems/vm02187 new file mode 100644 index 0000000..b79a78f --- /dev/null +++ b/keys/systems/vm02187 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN24ZfdQNklKkIqfMg/+0vqENuDcy6fhT6SfAq01ae83 From 9407af8ac8be7bdcb8d8a56c0a70bafcd0017c7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Thu, 12 Dec 2024 18:16:57 +0100 Subject: [PATCH 08/14] Use secrets module to clean up configurations --- infra/flake-part.nix | 15 +++++++++++---- infra/vm02116/forgejo.nix | 2 -- infra/vm02179/gitea-runner.nix | 2 -- infra/vm02186/gitea-runner.nix | 2 -- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/infra/flake-part.nix b/infra/flake-part.nix index de0dc33..4f06895 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix 
@@ -19,7 +19,8 @@ nixos.module = { imports = [ ./vm02116 - inputs.agenix.nixosModules.default + self.nixosModules.ageSecrets + { x_fediversity.hostPublicKey = self.keys.systems.vm02116; } ]; }; }; @@ -36,7 +37,8 @@ nixos.module = { imports = [ ./vm02179 - inputs.agenix.nixosModules.default + self.nixosModules.ageSecrets + { x_fediversity.hostPublicKey = self.keys.systems.vm02179; } ]; }; }; @@ -53,7 +55,8 @@ nixos.module = { imports = [ ./vm02186 - inputs.agenix.nixosModules.default + self.nixosModules.ageSecrets + { x_fediversity.hostPublicKey = self.keys.systems.vm02186; } ]; }; }; @@ -76,7 +79,11 @@ }; nixpkgs = inputs.nixpkgs; nixos.module = { - imports = [ ./vm02187 ]; + imports = [ + ./vm02187 + self.nixosModules.ageSecrets + { x_fediversity.hostPublicKey = self.keys.systems.vm02187; } + ]; }; }; }; diff --git a/infra/vm02116/forgejo.nix b/infra/vm02116/forgejo.nix index b72466b..78357eb 100644 --- a/infra/vm02116/forgejo.nix +++ b/infra/vm02116/forgejo.nix @@ -37,12 +37,10 @@ in }; age.secrets.forgejo-database-password = { - file = ../../secrets/forgejo-database-password.age; owner = "forgejo"; group = "forgejo"; mode = "440"; }; - age.secrets.forgejo-email-password.file = ../../secrets/forgejo-email-password.age; users.groups.keys.members = [ "forgejo" ]; diff --git a/infra/vm02179/gitea-runner.nix b/infra/vm02179/gitea-runner.nix index dd3565c..2b1a0d9 100644 --- a/infra/vm02179/gitea-runner.nix +++ b/infra/vm02179/gitea-runner.nix @@ -34,8 +34,6 @@ }; }; - age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age; - ## The Nix configuration of the system influences the Nix configuration ## in the workflow, and our workflows are often flake-based. nix.extraOptions = '' diff --git a/infra/vm02186/gitea-runner.nix b/infra/vm02186/gitea-runner.nix index 2d2a7b1..598a2a5 100644 --- a/infra/vm02186/gitea-runner.nix +++ b/infra/vm02186/gitea-runner.nix 
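Review bot: Each resource now names its host key twice, once as `ssh.hostPublicKey = self.keys.systems.vm02116;` outside this hunk and again as `{ x_fediversity.hostPublicKey = self.keys.systems.vm02116; }` inside it, in all four infra/flake-part.nix hunks. A copy-paste slip between the two would verify SSH against one machine while declaring the secrets of another, and nothing in the evaluation would catch it before activation. Binding the key once per resource in a `let` and using that binding for both `ssh.hostPublicKey` and `x_fediversity.hostPublicKey` keeps them in lockstep. The enclosing resource definitions start and end outside the hunks.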
@@ -38,8 +38,6 @@ }; }; - age.secrets.forgejo-runner-token.file = ../../secrets/forgejo-runner-token.age; - ## For the Docker mode of the runner. virtualisation.docker.enable = true; From 377ad0ea6efe164bf586836768e97035fc820d48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 13 Dec 2024 12:19:26 +0100 Subject: [PATCH 09/14] Optionally remove `.pub` suffix from file names --- keys/default.nix | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/keys/default.nix b/keys/default.nix index 3bc08d1..9c1a2bd 100644 --- a/keys/default.nix +++ b/keys/default.nix @@ -1,14 +1,30 @@ let inherit (builtins) + attrValues elemAt + foldl' mapAttrs match readDir readFile ; + ## `mergeAttrs` and `concatMapAttrs` are in `lib.trivial` and `lib.attrsets`, + ## but we would rather avoid a dependency in nixpkgs for this file. + mergeAttrs = x: y: x // y; + concatMapAttrs = f: v: foldl' mergeAttrs { } (attrValues (mapAttrs f v)); + removePubSuffix = + s: + let + maybeMatch = match "(.*)\.pub" s; + in + if maybeMatch == null then s else elemAt maybeMatch 0; removeTrailingWhitespace = s: elemAt (match "(.*[^[:space:]])[[:space:]]*" s) 0; + collectKeys = - dir: mapAttrs (name: _: removeTrailingWhitespace (readFile (dir + "/${name}"))) (readDir dir); + dir: + concatMapAttrs (name: _: { + "${removePubSuffix name}" = removeTrailingWhitespace (readFile (dir + "/${name}")); + }) (readDir dir); in { contributors = collectKeys ./contributors; From 3f0cdaf0aab074e9c3622edb27fdcf19c2975702 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 13 Dec 2024 12:34:58 +0100 Subject: [PATCH 10/14] Replace `concatMapAttrs` + `filterAttrs` by `concatMapAttrs` + `optionalAttrs` --- secrets/flake-part.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix index 9f9b7f4..aa7a2eb 100644 
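Review bot: In `removePubSuffix` the pattern `"(.*)\.pub"` does not escape the dot: Nix's string lexer turns `\.` into a plain `.`, so the regex `match` receives is `(.*).pub`, which strips any single character followed by `pub` (a file named `host-pub` would become `host-`). Write `maybeMatch = match "(.*)\\.pub" s;` to match a literal `.pub`. Separately, `concatMapAttrs` merges with `//`, so a directory holding both `foo` and `foo.pub` keeps whichever `attrValues` yields last with no error; a comment stating that names must be unique after stripping, or an assertion on the merged set, would make that explicit.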
--- a/secrets/flake-part.nix +++ b/secrets/flake-part.nix @@ -6,7 +6,7 @@ let inherit (builtins) elem; - inherit (lib.attrsets) concatMapAttrs filterAttrs; + inherit (lib.attrsets) concatMapAttrs optionalAttrs; inherit (lib.strings) removeSuffix; secrets = import ./secrets.nix; @@ -27,9 +27,12 @@ in ''; }; - config.age.secrets = concatMapAttrs (name: _: { - ${removeSuffix ".age" name}.file = ./. + "/${name}"; - }) (filterAttrs (_: secret: elem config.x_fediversity.hostPublicKey secret.publicKeys) secrets); + config.age.secrets = concatMapAttrs ( + name: secret: + optionalAttrs (elem config.x_fediversity.hostPublicKey secret.publicKeys) ({ + ${removeSuffix ".age" name}.file = ./. + "/${name}"; + }) + ) secrets; } ); }; From ccee13c58156d26eee7e3bf3f55f731618abc0d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 13 Dec 2024 12:35:48 +0100 Subject: [PATCH 11/14] s/do not forget/remember/ --- secrets/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secrets/README.md b/secrets/README.md index 8c3a4c1..c0fcc17 100644 --- a/secrets/README.md +++ b/secrets/README.md @@ -22,8 +22,8 @@ As an example, let us add a secret in a file “cheeses” whose content should extension); this will open your `$EDITOR` ; enter “best ones come unpasteurised”, save and close. -3. If you are doing something flake-related such as NixOps4, do not forget to - commit or at least stage the secret. +3. If you are doing something flake-related such as NixOps4, remember to commit + or at least stage the secret. 4. In the machine's configuration, load the Agenix NixOS module, declare your secret, possibly with owner/group, and use it where necessary, eg.: From 21e8c962bf4c5361cff474d6bca46aa58f6891c9 Mon Sep 17 00:00:00 2001 
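Review bot: With the `optionalAttrs` filter, the `publicKeys` list of each entry in `secrets.nix` doubles as the list of hosts that receive the secret, so adding a host key there both re-encrypts and deploys; nothing in this hunk records that side effect. A comment above `config.age.secrets` would help the next person editing `secrets.nix`: `# A secret is declared on this host iff the host key is among its recipients, so listing a host in secrets.nix also deploys the secret there.` The `removeSuffix ".age" name` / `./. + "/${name}"` pairing presumably relies on `secrets.nix` keying entries by their `.age` file name; if that wrapper ever changes, the path built here silently points at a missing file, which is worth a second comment.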
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 13 Dec 2024 12:37:25 +0100 Subject: [PATCH 12/14] s/x_fediversity/fediversity/ --- infra/flake-part.nix | 8 ++++---- secrets/flake-part.nix | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 4f06895..bed71fc 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -20,7 +20,7 @@ imports = [ ./vm02116 self.nixosModules.ageSecrets - { x_fediversity.hostPublicKey = self.keys.systems.vm02116; } + { fediversity.hostPublicKey = self.keys.systems.vm02116; } ]; }; }; @@ -38,7 +38,7 @@ imports = [ ./vm02179 self.nixosModules.ageSecrets - { x_fediversity.hostPublicKey = self.keys.systems.vm02179; } + { fediversity.hostPublicKey = self.keys.systems.vm02179; } ]; }; }; @@ -56,7 +56,7 @@ imports = [ ./vm02186 self.nixosModules.ageSecrets - { x_fediversity.hostPublicKey = self.keys.systems.vm02186; } + { fediversity.hostPublicKey = self.keys.systems.vm02186; } ]; }; }; @@ -82,7 +82,7 @@ imports = [ ./vm02187 self.nixosModules.ageSecrets - { x_fediversity.hostPublicKey = self.keys.systems.vm02187; } + { fediversity.hostPublicKey = self.keys.systems.vm02187; } ]; }; }; diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix index aa7a2eb..b2e1874 100644 --- a/secrets/flake-part.nix +++ b/secrets/flake-part.nix @@ -20,7 +20,7 @@ in { imports = [ inputs.agenix.nixosModules.default ]; - options.x_fediversity.hostPublicKey = lib.mkOption { + options.fediversity.hostPublicKey = lib.mkOption { description = '' The host public key of the machine. It is used in particular to filter Age secrets and only keep the relevant ones. @@ -29,7 +29,7 @@ in config.age.secrets = concatMapAttrs ( name: secret: - optionalAttrs (elem config.x_fediversity.hostPublicKey secret.publicKeys) ({ + optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({ ${removeSuffix ".age" name}.file = ./. + "/${name}"; }) ) secrets; 
From d9c5da6f8bcfb2424ccc802f25fb524c6fd87683 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 13 Dec 2024 13:03:07 +0100 Subject: [PATCH 13/14] Update secrets' README --- secrets/README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/secrets/README.md b/secrets/README.md index c0fcc17..08b135e 100644 --- a/secrets/README.md +++ b/secrets/README.md @@ -25,19 +25,21 @@ As an example, let us add a secret in a file “cheeses” whose content should 3. If you are doing something flake-related such as NixOps4, remember to commit or at least stage the secret. -4. In the machine's configuration, load the Agenix NixOS module, declare your - secret, possibly with owner/group, and use it where necessary, eg.: +4. In the machine's configuration, load our `ageSecrets` NixOS module, declare the machine's host key and start using your secrets, eg.: ```nix - { config, ... }: + { self, config, ... }: { - imports = [ inputs.agenix.x86_64-linux.nixosModules.default ]; - age.secrets.cheeses.file = ../secrets/cheeses.age; - # age.secrets.cheeses.owner = "jeanpierre"; - # age.secrets.cheeses.group = "france"; - # age.secrets.cheeses.mode = "440"; + imports = [ self.nixosModules.ageSecrets ]; + fediversity.hostPublicKey = self.keys.systems.vmFromage; services.imaginaryCheeseFactory.frenchSecretFile = config.age.secrets.cheeses.path; } ``` + If the secrets requires specific owner/group/mode, those can be set with: + ```nix + age.secrets.cheeses.owner = "jeanpierre"; + age.secrets.cheeses.group = "france"; + age.secrets.cheeses.mode = "440"; + ``` 5. Never read the content of the file in Nix, that is never do anything like: ```nix From a9f9d4f1a017d30344cd64ba12afe5cb336e85c0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 22 Nov 2024 17:40:26 +0100 Subject: [PATCH 14/14] Enable mailing for Mediawiki --- infra/vm02187/wiki.nix | 27 +++++++++++++++++++++------ secrets/secrets.nix | 3 +++ secrets/wiki-basicauth-htpasswd.age | Bin 0 -> 389 bytes secrets/wiki-password.age | 7 +++++++ secrets/wiki-smtp-password.age | 7 +++++++ 5 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 secrets/wiki-basicauth-htpasswd.age create mode 100644 secrets/wiki-password.age create mode 100644 secrets/wiki-smtp-password.age diff --git a/infra/vm02187/wiki.nix b/infra/vm02187/wiki.nix index 858790d..afb4464 100644 --- a/infra/vm02187/wiki.nix +++ b/infra/vm02187/wiki.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, ... }: { services.phpfpm.pools.mediawiki.phpOptions = '' @@ -11,7 +11,7 @@ name = "Fediversity Wiki"; webserver = "nginx"; nginx.hostName = "wiki.fediversity.eu"; - passwordFile = pkgs.writeText "password" "eiM9etha8ohmo9Ohphahpesiux0ahda6"; + passwordFile = config.age.secrets.wiki-password.path; extraConfig = '' # Disable anonymous editing $wgGroupPermissions['*']['edit'] = false; @@ -24,7 +24,7 @@ ## Permissions $wgGroupPermissions['*']['edit'] = false; - $wgGroupPermissions['*']['createaccount'] = false; + $wgGroupPermissions['*']['createaccount'] = true; $wgGroupPermissions['*']['autocreateaccount'] = true; $wgGroupPermissions['user']['edit'] = true; $wgGroupPermissions['user']['createaccount'] = true; @@ -35,6 +35,19 @@ $wgUploadSizeWarning = 1024*1024*512; $wgMaxUploadSize = 1024*1024*1024; + $wgEnableEmail = true; + $wgPasswordSender = "wiki@fediversity.eu"; + $wgEmergencyContact = "wiki@fediversity.eu"; + $wgSMTP = [ + 'host' => 'mail.protagio.nl', + 'IDHost' => 'fediversity.eu', + 'localhost' => 'fediversity.eu', + 'port' => 587, + 'auth' => true, + 'username' => 'wiki@fediversity.eu', + ]; + require_once("${config.age.secrets.wiki-smtp-password.path}"); + $wgHeadScriptCode = <<<'END' END; 
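Review bot: `wiki-password` is the only one of the three new secrets that receives no `owner`; if `services.mediawiki.passwordFile` is read by the `mediawiki-init` service as the `mediawiki` user (which is how I read the NixOS module), a root-owned, owner-only-readable agenix file cannot be opened there, so `age.secrets.wiki-password.owner = "mediawiki";` belongs next to the two owner lines in the `@@ -45,17` hunk. The literal values removed here and in that hunk's `basicAuth` block were both committed to git history and, via `pkgs.writeText` and the nginx module's generated htpasswd, written to the world-readable Nix store, so they should be treated as disclosed; the commit does not say whether the new `.age` files hold fresh values.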
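Review bot: `$wgGroupPermissions['*']['createaccount']` flips from `false` to `true`, opening self-registration to anonymous visitors, and neither the hunk nor the commit subject ("Enable mailing for Mediawiki") records why. If the intent is that registration is acceptable now that confirmation mail can be sent, say so on the line: `# Self-registration is open now that outgoing mail works (see $wgEnableEmail below)`; without it the change reads like an accidental flip unrelated to mailing. The `extraConfig` string starts outside the hunk.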
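Review bot: `require_once("${config.age.secrets.wiki-smtp-password.path}");` executes the decrypted secret as PHP inside LocalSettings, so the `.age` file must contain code (presumably `$wgSMTP['password'] = '…';`) and the file's integrity now matters as much as its confidentiality. Reading it as data keeps the secret a plain string and removes that coupling: `$wgSMTP['password'] = trim(file_get_contents("${config.age.secrets.wiki-smtp-password.path}"));`. Whichever form is kept, a comment above `$wgSMTP` should state the expected content of the secret file, and since the block sets `'port' => 587` and `'auth' => true` with no explicit TLS key, it is worth confirming that the transport to the configured SMTP host actually negotiates STARTTLS before the credentials are sent.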
@@ -45,17 +58,19 @@ }; }; + age.secrets.wiki-smtp-password.owner = "mediawiki"; + services.nginx = { enable = true; virtualHosts."wiki.fediversity.eu" = { - basicAuth = { - fediv = "SecretSauce123!"; - }; + basicAuthFile = config.age.secrets.wiki-basicauth-htpasswd.path; forceSSL = true; enableACME = true; }; }; + age.secrets.wiki-basicauth-htpasswd.owner = "nginx"; + security.acme = { acceptTerms = true; defaults.email = "systeemmail@procolix.com"; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5a2bde8..3bc5281 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -30,5 +30,8 @@ concatMapAttrs vm02179 vm02186 ]; + wiki-basicauth-htpasswd = [ vm02187 ]; + wiki-password = [ vm02187 ]; + wiki-smtp-password = [ vm02187 ]; } ) diff --git a/secrets/wiki-basicauth-htpasswd.age b/secrets/wiki-basicauth-htpasswd.age new file mode 100644 index 0000000000000000000000000000000000000000..274899618f364d36b5be6de9cbc0d2f5e7013a47 GIT binary patch literal 389 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP^bK__3{-IRbTc%` zvj{7%N-_!0@(l`eDk-ltaSb%haC1xda?P$V@=MQfanDbRh~zR3iF7G6%`Eit_BC>J zv^1#<%FWJBP0Mxn4R^IDc6M~hFLBBU@l3Lea7DK*CEckwt6U+{(4*KX$0yR#qaw)D zI61r0H{0DjBP%=D!q_y>EU+rVEI1%7B{?~;DxE7UH7dk4Juxjj)UP5aG0@z|DJmz( z&o|1@z*XPG**U$~Jh9T;#XZZ|+=NS4S64whG&!=!(bPQ0y`Ur@LOUoixV*wFtum>y zBEToeCBV?!J2|;L(lX1~$%0Fy@YIVRjl4HsR{#7dTYl%{%-ye)I&HWaNXi< z1{FC%HOD;-DuPz7+U%loyMMjzS+57O?d@a&M=DRY5s#q@*PcQQ`~aF}bxZxu2& Ydv5!S#gBpeTy3<$w%vPpj>ZWB01%;z_W%F@ literal 0 HcmV?d00001 diff --git a/secrets/wiki-password.age b/secrets/wiki-password.age new file mode 100644 index 0000000..d180694 --- /dev/null +++ b/secrets/wiki-password.age 
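Review bot: `secrets.nix` lists only `vm02187` for `wiki-basicauth-htpasswd`, `wiki-password` and `wiki-smtp-password`, yet the two readable `.age` headers in this patch each show two `ssh-ed25519` recipients. If the enclosing `concatMapAttrs` (outside the hunk) appends contributor keys to every entry that explains the second recipient, and a short comment at the top of this list saying so would save the next reviewer the same check; otherwise the files were encrypted to a key the repository does not record, which should be fixed by re-keying.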
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ yJ53uyB0OqgbyZS+0Qu/glWZGqx8ALEr2Z0hKUrQgUg +Ewvye5oREhNCASqyql56m2mNbAGnK69fVkjZ0N2ILMk +-> ssh-ed25519 dgBsjw glI8t7C/N4BqpnuZlCnv6TFb+YUQn+0oAjbJI7GrzWw +qFxxFVt2R6FkupbP7qErZ+VFHYwEHVmY4iC6hyEf+Vg +--- fQbt68Fdj7wk8mWFx0W0Z1iRbkWxxK7+zIKw/v+BCE0 +O+Q׋F^0縿9?\Te˖B(gs'7(O=><)h`q&^ \ No newline at end of file diff --git a/secrets/wiki-smtp-password.age b/secrets/wiki-smtp-password.age new file mode 100644 index 0000000..997a6e6 --- /dev/null +++ b/secrets/wiki-smtp-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 1MUEqQ 4BpvvqFr+tmHeapy7bk3uS6fCS/CbeYkAJuxb5r1g00 +YVGpim5rYSzHMTA85lcTy22Fr5464Axdy/nKR3/z8RA +-> ssh-ed25519 dgBsjw mF++5ewvC+oordjFMR82SvGukQTYhqnH80nIgzUkunA +siCm1cQfuzs0I1xl1ACv6gomHmfONqGcxmj2fa4oABY +--- 2dszG1nnnEflzPy+dRj/0CW39mq49QPdgw+to8T1fRg +&;D÷3s[-0=xy#+&MD ie/|q3r|iI~ĢRfC`J \ No newline at end of file