From 78a85b27ffe8c4765002ed107b30514eb169a782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Fri, 14 Feb 2025 19:46:12 +0100
Subject: [PATCH] Put the S3 secrets into files

...but not everywhere, there remains some FIXMEs where ultimately the secrets do get into the store.
---
deployment/flake-part.nix | 54 ++++++++++++----------
services/fediversity/garage/default.nix | 6 +--
services/fediversity/garage/options.nix | 7 +--
services/fediversity/mastodon/default.nix | 55 ++++++++++++++---------
services/fediversity/peertube/default.nix | 15 +++++--
services/fediversity/pixelfed/default.nix | 11 ++---
services/fediversity/sharedOptions.nix | 10 +++--
7 files changed, 96 insertions(+), 62 deletions(-)

diff --git a/deployment/flake-part.nix b/deployment/flake-part.nix
index d215a22b..c903f8a1 100644
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@@ -76,35 +76,41 @@ in providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; resources = { - fedi101 = makeProcolixVmResource 101 { - fediversity = { - enable = true; - domain = "fedi101.abundos.eu"; - pixelfed = { + fedi101 = makeProcolixVmResource 101 ( + { pkgs, ... }: + { + fediversity = { enable = true; + domain = "fedi101.abundos.eu"; + pixelfed = { + enable = true; - ## NOTE: Only ever used for testing anyway. - s3AccessKey = "GKb5615457d44214411e673b7b"; - s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; + ## NOTE: Only ever used for testing anyway. + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; + }; }; - }; - }; + } + ); - fedi102 = makeProcolixVmResource 102 { - fediversity = { - enable = true; - domain = "fedi102.abundos.eu"; - mastodon = { + fedi102 = makeProcolixVmResource 102 ( + { pkgs, ... }: + { + fediversity = { enable = true; + domain = "fedi102.abundos.eu"; + mastodon = { + enable = true; - ## NOTE: Only ever used for testing anyway. - s3AccessKey = "GK3515373e4c851ebaad366558"; - s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; + ## NOTE: Only ever used for testing anyway. + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; + }; + + temp.cores = 1; # FIXME: should come from NixOps4 eventually }; - - temp.cores = 1; # FIXME: should come from NixOps4 eventually - }; - }; + } + ); fedi103 = makeProcolixVmResource 103 ( { pkgs, ... }: 
@@ -117,8 +123,8 @@ in ## NOTE: Only ever used for testing anyway. secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; - s3AccessKey = "GK1f9feea9960f6f95ff404c9b"; - s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; + s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b"; + s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; }; }; } diff --git a/services/fediversity/garage/default.nix b/services/fediversity/garage/default.nix index da0a7e46..6915cb50 100644 --- a/services/fediversity/garage/default.nix +++ b/services/fediversity/garage/default.nix @@ -83,13 +83,13 @@ let ensureKeyScriptFn = key: { - s3AccessKey, - s3SecretKey, + s3AccessKeyFile, + s3SecretKeyFile, ensureAccess, }: '' ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` - garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || : + garage key import --yes -n ${escapeShellArg key} $(cat ${escapeShellArg s3AccessKeyFile}) $(cat ${escapeShellArg s3SecretKeyFile}) || : ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} ''; diff --git a/services/fediversity/garage/options.nix b/services/fediversity/garage/options.nix index c93534e5..baeda2c9 100644 --- a/services/fediversity/garage/options.nix +++ b/services/fediversity/garage/options.nix 
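Review bot: The two `$(cat …)` substitutions on the new `garage key import` line are unquoted, so the key material goes through word splitting and glob expansion before it reaches the command; quote them, `garage key import --yes -n ${escapeShellArg key} "$(cat ${escapeShellArg s3AccessKeyFile})" "$(cat ${escapeShellArg s3SecretKeyFile})" || :`. The secret is also still handed over as a command-line argument, which is visible in the process list for the duration of the call; unless `garage key import` can take it from stdin or a file (not verifiable from here), that exposure should at least be recorded in the FIXME above the line. Note too that `cat` of a missing or unreadable file yields an empty argument and the trailing `|| :` then hides the resulting import failure, so a `test -r` on both files before the import would make such a misconfiguration visible instead of silently producing a key with no secret.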
@@ -43,10 +43,11 @@ in ensureKeys = mkOption { type = types.attrsOf ( types.submodule { - # TODO: these should be managed as secrets, not in the nix store options = { - s3AccessKey = mkOption { type = types.str; }; - s3SecretKey = mkOption { type = types.str; }; + s3AccessKeyFile = mkOption { type = types.path; }; + + s3SecretKeyFile = mkOption { type = types.path; }; + # TODO: assert at least one of these is true # NOTE: this currently needs to be done at the top level module ensureAccess = mkOption { diff --git a/services/fediversity/mastodon/default.nix b/services/fediversity/mastodon/default.nix index cd1846a0..63e536d9 100644 --- a/services/fediversity/mastodon/default.nix +++ b/services/fediversity/mastodon/default.nix @@ -1,5 +1,15 @@ -{ config, lib, ... }: +{ + config, + lib, + pkgs, + ... +}: +let + inherit (lib) readFile; + inherit (pkgs) writeText; + +in { imports = [ ./options.nix ]; @@ -20,7 +30,7 @@ ensureKeys = { mastodon = { - inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey; + inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile; ensureAccess = { mastodon = { read = true; 
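Review bot: The new `s3AccessKeyFile` and `s3SecretKeyFile` options carry no `description`, and the TODO removed just above them ("these should be managed as secrets, not in the nix store") still applies: `types.path` does not stop a caller from passing a `pkgs.writeText` result (as the flake-part resources in this patch do) or a path literal, both of which end up in the world-readable Nix store. Document the intended contract on both options, e.g. `description = "Absolute path to a file containing the S3 access key; read by the key-import script on the Garage host. Must not be a Nix store path outside of test deployments.";`, or keep the TODO until the callers stop using `writeText`. Since `ensureKeyScriptFn` in `garage/default.nix` consumes the file with `cat` inside a shell script, a string path to a file provisioned on the host is the shape that actually keeps the secret out of the store here.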
@@ -32,26 +42,31 @@ }; }; - services.mastodon = { - extraConfig = rec { - S3_ENABLED = "true"; - # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = config.fediversity.garage.api.url; - S3_REGION = "garage"; - S3_BUCKET = "mastodon"; - # use . - S3_OVERRIDE_PATH_STLE = "true"; - AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey; - AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey; - S3_PROTOCOL = "http"; - S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}"; - # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ - # TODO: can we set up ACLs with garage? - S3_PERMISSION = ""; - }; + services.mastodon.extraConfig = rec { + S3_ENABLED = "true"; + # TODO: this shouldn't be hard-coded, it should come from the garage configuration + S3_ENDPOINT = config.fediversity.garage.api.url; + S3_REGION = "garage"; + S3_BUCKET = "mastodon"; + # use . + S3_OVERRIDE_PATH_STLE = "true"; + S3_PROTOCOL = "http"; + S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET; + # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ + # TODO: can we set up ACLs with garage? + S3_PERMISSION = ""; }; - #### mastodon setup + ## FIXME: secrets management; we should have a service that writes the + ## `.env` files based on all the secrets that we need to put there. + services.mastodon.extraEnvFiles = [ + (writeText "s3AccessKey" '' + AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile} + '') + (writeText "s3SecretKey" '' + AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile} + '') + ]; # open up access to the mastodon web interface. 80 is necessary if only for ACME networking.firewall.allowedTCPPorts = [ diff --git a/services/fediversity/peertube/default.nix b/services/fediversity/peertube/default.nix index cf7c6205..3c18486e 100644 
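Review bot: `readFile config.fediversity.mastodon.s3AccessKeyFile` in the new `extraEnvFiles` entries reads the key on the evaluating machine and `writeText` then places it in a world-readable Nix store path, so the `*File` indirection does not keep the secret out of the store here, and a file that only exists on the target host (as a secrets tool would provision) cannot be referenced at all — in pure flake evaluation `readFile` on an absolute path outside the flake is rejected outright. The FIXME acknowledges the gap; the smaller immediate fix is to point `extraEnvFiles` at a runtime path, e.g. a file under `/run` assembled on the host from the two key files by a oneshot unit running with `umask 077` before the Mastodon services, which also makes the `readFile`/`writeText` pair unnecessary. The same evaluation-time `readFile` pattern is introduced in peertube's `environment.etc.peertube-env.text` and pixelfed's `secretFile` in the later hunks. Separately, the re-added `S3_OVERRIDE_PATH_STLE = "true";` is misspelt — Mastodon reads `S3_OVERRIDE_PATH_STYLE` — so that setting is currently ignored; the line predates this patch but is on its new side.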
--- a/services/fediversity/peertube/default.nix +++ b/services/fediversity/peertube/default.nix @@ -1,9 +1,13 @@ { config, lib, ... }: +let + inherit (lib) mkIf readFile; + +in { imports = [ ./options.nix ]; - config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { + config = mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { networking.firewall.allowedTCPPorts = [ 80 443 @@ -39,7 +43,7 @@ ensureKeys = { peertube = { - inherit (config.fediversity.peertube) s3AccessKey s3SecretKey; + inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile; ensureAccess = { peertube-videos = { read = true; @@ -97,9 +101,12 @@ }; serviceEnvironmentFile = "/etc/peertube-env"; }; + + ## FIXME: secrets management; we should have a service that writes the + ## `.env` files based on all the secrets that we need to put there. environment.etc.peertube-env.text = '' - AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey} - AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey} + AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile} + AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile} ''; ## Proxying through Nginx diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix index e12a5e1c..b845d92a 100644 --- a/services/fediversity/pixelfed/default.nix +++ b/services/fediversity/pixelfed/default.nix @@ -6,7 +6,7 @@ }: let - inherit (lib) mkIf; + inherit (lib) mkIf readFile; in { @@ -29,7 +29,7 @@ in ensureKeys = { pixelfed = { - inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey; + inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile; ensureAccess = { pixelfed = { read = true; 
@@ -45,9 +45,12 @@ in enable = true; domain = config.fediversity.pixelfed.domain; - # TODO: secrets management!!! + ## FIXME: secrets management; we should have a service that writes the + ## `.env` file based on all the secrets that we need to put there. secretFile = pkgs.writeText "secrets.env" '' APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA + AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile} + AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile} ''; ## Taeer feels like this way of configuring Nginx is odd; there should @@ -70,8 +73,6 @@ in FILESYSTEM_CLOUD = "s3"; PF_ENABLE_CLOUD = true; - AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey; - AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey; AWS_DEFAULT_REGION = "garage"; AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; AWS_BUCKET = "pixelfed"; diff --git a/services/fediversity/sharedOptions.nix b/services/fediversity/sharedOptions.nix index 0d6317e9..10ddd5cc 100644 --- a/services/fediversity/sharedOptions.nix +++ b/services/fediversity/sharedOptions.nix @@ -1,3 +1,6 @@ +## NOTE: Not a module, but a helper function to create options for Fediversity +## services, as they tend to require the same ones. + { config, lib, @@ -13,8 +16,8 @@ in { enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; - s3AccessKey = mkOption { - type = types.str; + s3AccessKeyFile = mkOption { + type = types.path; description = '' S3 access key for ${serviceDocName}'s bucket/s @@ -22,7 +25,8 @@ in ''; }; - s3SecretKey = mkOption { + s3SecretKeyFile = mkOption { + type = types.path; description = '' S3 secret key for ${serviceDocName}'s bucket/s
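Review bot: The description of the renamed `s3AccessKeyFile` option in `sharedOptions.nix` still reads `S3 access key for ${serviceDocName}'s bucket/s`, which describes the old string-valued option; with `type = types.path` it should state what the path must point to, e.g. `Path to a file containing the S3 access key for ${serviceDocName}'s bucket/s.`, and the same applies to `s3SecretKeyFile` in the following hunk, which is cut off at the end of this page. Both descriptions should also say how the file is consumed, because the service modules in this patch read it with `lib.readFile` at evaluation time (so its contents end up in the Nix store), which is a different contract from a path that is read on the target host, and callers cannot tell which one they are getting from the option alone.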