kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Put the S3 secrets into files

Browse source 
...but not everywhere, there remains some FIXMEs where ultimately the
secrets do get into the store.
This commit is contained in:
Nicolas Jeannerod 2025-02-14 19:46:12 +01:00
parent 8c5bf79ba2
commit 78a85b27ff
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
7 changed files with 96 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

54
deployment/flake-part.nix
View file

@ -76,35 +76,41 @@ in
providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; }; providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };
resources = { resources = {
fedi101 = makeProcolixVmResource 101 { fedi101 = makeProcolixVmResource 101 (
fediversity = { { pkgs, ... }:
enable = true; {
domain = "fedi101.abundos.eu"; fediversity = {
pixelfed = {
enable = true; enable = true;
domain = "fedi101.abundos.eu";
pixelfed = {
enable = true;
## NOTE: Only ever used for testing anyway. ## NOTE: Only ever used for testing anyway.
s3AccessKey = "GKb5615457d44214411e673b7b"; s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
}; };
}; }
}; );
fedi102 = makeProcolixVmResource 102 { fedi102 = makeProcolixVmResource 102 (
fediversity = { { pkgs, ... }:
enable = true; {
domain = "fedi102.abundos.eu"; fediversity = {
mastodon = {
enable = true; enable = true;
domain = "fedi102.abundos.eu";
mastodon = {
enable = true;
## NOTE: Only ever used for testing anyway. ## NOTE: Only ever used for testing anyway.
s3AccessKey = "GK3515373e4c851ebaad366558"; s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
temp.cores = 1; # FIXME: should come from NixOps4 eventually
}; };
}
temp.cores = 1; # FIXME: should come from NixOps4 eventually );
};
};
fedi103 = makeProcolixVmResource 103 ( fedi103 = makeProcolixVmResource 103 (
{ pkgs, ... }: { pkgs, ... }:
@ -117,8 +123,8 @@ in
## NOTE: Only ever used for testing anyway. ## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24"; secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKey = "GK1f9feea9960f6f95ff404c9b"; s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
}; };
}; };
} }

6
services/fediversity/garage/default.nix
View file

@ -83,13 +83,13 @@ let
ensureKeyScriptFn = ensureKeyScriptFn =
key: key:
{ {
s3AccessKey, s3AccessKeyFile,
s3SecretKey, s3SecretKeyFile,
ensureAccess, ensureAccess,
}: }:
'' ''
## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || : garage key import --yes -n ${escapeShellArg key} $(cat ${escapeShellArg s3AccessKeyFile}) $(cat ${escapeShellArg s3SecretKeyFile}) || :
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
''; '';

7
services/fediversity/garage/options.nix
View file

@ -43,10 +43,11 @@ in
ensureKeys = mkOption { ensureKeys = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule { types.submodule {
# TODO: these should be managed as secrets, not in the nix store
options = { options = {
s3AccessKey = mkOption { type = types.str; }; s3AccessKeyFile = mkOption { type = types.path; };
s3SecretKey = mkOption { type = types.str; };
s3SecretKeyFile = mkOption { type = types.path; };
# TODO: assert at least one of these is true # TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module # NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption { ensureAccess = mkOption {

55
services/fediversity/mastodon/default.nix
View file

@ -1,5 +1,15 @@
{ config, lib, ... }: {
config,
lib,
pkgs,
...
}:
let
inherit (lib) readFile;
inherit (pkgs) writeText;
in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
@ -20,7 +30,7 @@
ensureKeys = { ensureKeys = {
mastodon = { mastodon = {
inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey; inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = { ensureAccess = {
mastodon = { mastodon = {
read = true; read = true;
@ -32,26 +42,31 @@
}; };
}; };
services.mastodon = { services.mastodon.extraConfig = rec {
extraConfig = rec { S3_ENABLED = "true";
S3_ENABLED = "true"; # TODO: this shouldn't be hard-coded, it should come from the garage configuration
# TODO: this shouldn't be hard-coded, it should come from the garage configuration S3_ENDPOINT = config.fediversity.garage.api.url;
S3_ENDPOINT = config.fediversity.garage.api.url; S3_REGION = "garage";
S3_REGION = "garage"; S3_BUCKET = "mastodon";
S3_BUCKET = "mastodon"; # use <S3_BUCKET>.<S3_ENDPOINT>
# use <S3_BUCKET>.<S3_ENDPOINT> S3_OVERRIDE_PATH_STLE = "true";
S3_OVERRIDE_PATH_STLE = "true"; S3_PROTOCOL = "http";
AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey; S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
S3_PROTOCOL = "http"; # TODO: can we set up ACLs with garage?
S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}"; S3_PERMISSION = "";
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
}; };
#### mastodon setup ## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
services.mastodon.extraEnvFiles = [
(writeText "s3AccessKey" ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
'')
(writeText "s3SecretKey" ''
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
'')
];
# open up access to the mastodon web interface. 80 is necessary if only for ACME # open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [

15
services/fediversity/peertube/default.nix
View file

@ -1,9 +1,13 @@
{ config, lib, ... }: { config, lib, ... }:
let
inherit (lib) mkIf readFile;
in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { config = mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443
@ -39,7 +43,7 @@
ensureKeys = { ensureKeys = {
peertube = { peertube = {
inherit (config.fediversity.peertube) s3AccessKey s3SecretKey; inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = { ensureAccess = {
peertube-videos = { peertube-videos = {
read = true; read = true;
@ -97,9 +101,12 @@
}; };
serviceEnvironmentFile = "/etc/peertube-env"; serviceEnvironmentFile = "/etc/peertube-env";
}; };
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = '' environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey} AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey} AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
''; '';
## Proxying through Nginx ## Proxying through Nginx

11
services/fediversity/pixelfed/default.nix
View file

@ -6,7 +6,7 @@
}: }:
let let
inherit (lib) mkIf; inherit (lib) mkIf readFile;
in in
{ {
@ -29,7 +29,7 @@ in
ensureKeys = { ensureKeys = {
pixelfed = { pixelfed = {
inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey; inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = { ensureAccess = {
pixelfed = { pixelfed = {
read = true; read = true;
@ -45,9 +45,12 @@ in
enable = true; enable = true;
domain = config.fediversity.pixelfed.domain; domain = config.fediversity.pixelfed.domain;
# TODO: secrets management!!! ## FIXME: secrets management; we should have a service that writes the
## `.env` file based on all the secrets that we need to put there.
secretFile = pkgs.writeText "secrets.env" '' secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
''; '';
## Taeer feels like this way of configuring Nginx is odd; there should ## Taeer feels like this way of configuring Nginx is odd; there should
@ -70,8 +73,6 @@ in
FILESYSTEM_CLOUD = "s3"; FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true; PF_ENABLE_CLOUD = true;
AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey;
AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey;
AWS_DEFAULT_REGION = "garage"; AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed"; AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed"; AWS_BUCKET = "pixelfed";

10
services/fediversity/sharedOptions.nix
View file

@ -1,3 +1,6 @@
## NOTE: Not a module, but a helper function to create options for Fediversity
## services, as they tend to require the same ones.
{ {
config, config,
lib, lib,
@ -13,8 +16,8 @@ in
{ {
enable = mkEnableOption "Enable a ${serviceDocName} server on the machine"; enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";
s3AccessKey = mkOption { s3AccessKeyFile = mkOption {
type = types.str; type = types.path;
description = '' description = ''
S3 access key for ${serviceDocName}'s bucket/s S3 access key for ${serviceDocName}'s bucket/s
@ -22,7 +25,8 @@ in
''; '';
}; };
s3SecretKey = mkOption { s3SecretKeyFile = mkOption {
type = types.path;
description = '' description = ''
S3 secret key for ${serviceDocName}'s bucket/s S3 secret key for ${serviceDocName}'s bucket/s