Put the S3 secrets into files

...but not everywhere, there remains some FIXMEs where ultimately the secrets do get into the store.
2025-02-14 19:46:12 +01:00 · 2025-02-14 19:46:12 +01:00 · 78a85b27ff
commit 78a85b27ff
parent 8c5bf79ba2
7 changed files with 96 additions and 62 deletions
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@ -76,35 +76,41 @@ in
      providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };

      resources = {
-        fedi101 = makeProcolixVmResource 101 {
-          fediversity = {
-            enable = true;
-            domain = "fedi101.abundos.eu";
-            pixelfed = {
+        fedi101 = makeProcolixVmResource 101 (
+          { pkgs, ... }:
+          {
+            fediversity = {
              enable = true;
+              domain = "fedi101.abundos.eu";
+              pixelfed = {
+                enable = true;

-              ## NOTE: Only ever used for testing anyway.
-              s3AccessKey = "GKb5615457d44214411e673b7b";
-              s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+                ## NOTE: Only ever used for testing anyway.
+                s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
+                s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+              };
            };
-          };
-        };
+          }
+        );

-        fedi102 = makeProcolixVmResource 102 {
-          fediversity = {
-            enable = true;
-            domain = "fedi102.abundos.eu";
-            mastodon = {
+        fedi102 = makeProcolixVmResource 102 (
+          { pkgs, ... }:
+          {
+            fediversity = {
              enable = true;
+              domain = "fedi102.abundos.eu";
+              mastodon = {
+                enable = true;

-              ## NOTE: Only ever used for testing anyway.
-              s3AccessKey = "GK3515373e4c851ebaad366558";
-              s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+                ## NOTE: Only ever used for testing anyway.
+                s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
+                s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+              };
+
+              temp.cores = 1; # FIXME: should come from NixOps4 eventually
            };
-
-            temp.cores = 1; # FIXME: should come from NixOps4 eventually
-          };
-        };
+          }
+        );

        fedi103 = makeProcolixVmResource 103 (
          { pkgs, ... }:
@ -117,8 +123,8 @@ in

                ## NOTE: Only ever used for testing anyway.
                secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
-                s3AccessKey = "GK1f9feea9960f6f95ff404c9b";
-                s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+                s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
+                s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
              };
            };
          }
--- a/services/fediversity/garage/default.nix
+++ b/services/fediversity/garage/default.nix
@ -83,13 +83,13 @@ let
  ensureKeyScriptFn =
    key:
    {
-      s3AccessKey,
-      s3SecretKey,
+      s3AccessKeyFile,
+      s3SecretKeyFile,
      ensureAccess,
    }:
    ''
      ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
-      garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || :
+      garage key import --yes -n ${escapeShellArg key} $(cat ${escapeShellArg s3AccessKeyFile}) $(cat ${escapeShellArg s3SecretKeyFile}) || :
      ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
    '';

--- a/services/fediversity/garage/options.nix
+++ b/services/fediversity/garage/options.nix
@ -43,10 +43,11 @@ in
    ensureKeys = mkOption {
      type = types.attrsOf (
        types.submodule {
-          # TODO: these should be managed as secrets, not in the nix store
          options = {
-            s3AccessKey = mkOption { type = types.str; };
-            s3SecretKey = mkOption { type = types.str; };
+            s3AccessKeyFile = mkOption { type = types.path; };
+
+            s3SecretKeyFile = mkOption { type = types.path; };
+
            # TODO: assert at least one of these is true
            # NOTE: this currently needs to be done at the top level module
            ensureAccess = mkOption {
--- a/services/fediversity/mastodon/default.nix
+++ b/services/fediversity/mastodon/default.nix
@ -1,5 +1,15 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

+let
+  inherit (lib) readFile;
+  inherit (pkgs) writeText;
+
+in
 {
  imports = [ ./options.nix ];

@ -20,7 +30,7 @@

      ensureKeys = {
        mastodon = {
-          inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey;
+          inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
          ensureAccess = {
            mastodon = {
              read = true;
@ -32,26 +42,31 @@
      };
    };

-    services.mastodon = {
-      extraConfig = rec {
-        S3_ENABLED = "true";
-        # TODO: this shouldn't be hard-coded, it should come from the garage configuration
-        S3_ENDPOINT = config.fediversity.garage.api.url;
-        S3_REGION = "garage";
-        S3_BUCKET = "mastodon";
-        # use <S3_BUCKET>.<S3_ENDPOINT>
-        S3_OVERRIDE_PATH_STLE = "true";
-        AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey;
-        AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey;
-        S3_PROTOCOL = "http";
-        S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}";
-        # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
-        # TODO: can we set up ACLs with garage?
-        S3_PERMISSION = "";
-      };
+    services.mastodon.extraConfig = rec {
+      S3_ENABLED = "true";
+      # TODO: this shouldn't be hard-coded, it should come from the garage configuration
+      S3_ENDPOINT = config.fediversity.garage.api.url;
+      S3_REGION = "garage";
+      S3_BUCKET = "mastodon";
+      # use <S3_BUCKET>.<S3_ENDPOINT>
+      S3_OVERRIDE_PATH_STLE = "true";
+      S3_PROTOCOL = "http";
+      S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
+      # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
+      # TODO: can we set up ACLs with garage?
+      S3_PERMISSION = "";
    };

-    #### mastodon setup
+    ## FIXME: secrets management; we should have a service that writes the
+    ## `.env` files based on all the secrets that we need to put there.
+    services.mastodon.extraEnvFiles = [
+      (writeText "s3AccessKey" ''
+        AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
+      '')
+      (writeText "s3SecretKey" ''
+        AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
+      '')
+    ];

    # open up access to the mastodon web interface. 80 is necessary if only for ACME
    networking.firewall.allowedTCPPorts = [
--- a/services/fediversity/peertube/default.nix
+++ b/services/fediversity/peertube/default.nix
@ -1,9 +1,13 @@
 { config, lib, ... }:

+let
+  inherit (lib) mkIf readFile;
+
+in
 {
  imports = [ ./options.nix ];

-  config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
+  config = mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
    networking.firewall.allowedTCPPorts = [
      80
      443
@ -39,7 +43,7 @@

      ensureKeys = {
        peertube = {
-          inherit (config.fediversity.peertube) s3AccessKey s3SecretKey;
+          inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
          ensureAccess = {
            peertube-videos = {
              read = true;
@ -97,9 +101,12 @@
      };
      serviceEnvironmentFile = "/etc/peertube-env";
    };
+
+    ## FIXME: secrets management; we should have a service that writes the
+    ## `.env` files based on all the secrets that we need to put there.
    environment.etc.peertube-env.text = ''
-      AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey}
-      AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey}
+      AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
+      AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
    '';

    ## Proxying through Nginx
--- a/services/fediversity/pixelfed/default.nix
+++ b/services/fediversity/pixelfed/default.nix
@ -6,7 +6,7 @@
 }:

 let
-  inherit (lib) mkIf;
+  inherit (lib) mkIf readFile;

 in
 {
@ -29,7 +29,7 @@ in

      ensureKeys = {
        pixelfed = {
-          inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey;
+          inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
          ensureAccess = {
            pixelfed = {
              read = true;
@ -45,9 +45,12 @@ in
      enable = true;
      domain = config.fediversity.pixelfed.domain;

-      # TODO: secrets management!!!
+      ## FIXME: secrets management; we should have a service that writes the
+      ## `.env` file based on all the secrets that we need to put there.
      secretFile = pkgs.writeText "secrets.env" ''
        APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+        AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
+        AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
      '';

      ## Taeer feels like this way of configuring Nginx is odd; there should
@ -70,8 +73,6 @@ in

      FILESYSTEM_CLOUD = "s3";
      PF_ENABLE_CLOUD = true;
-      AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey;
-      AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey;
      AWS_DEFAULT_REGION = "garage";
      AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
      AWS_BUCKET = "pixelfed";
--- a/services/fediversity/sharedOptions.nix
+++ b/services/fediversity/sharedOptions.nix
@ -1,3 +1,6 @@
+## NOTE: Not a module, but a helper function to create options for Fediversity
+## services, as they tend to require the same ones.
+
 {
  config,
  lib,
@ -13,8 +16,8 @@ in
 {
  enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";

-  s3AccessKey = mkOption {
-    type = types.str;
+  s3AccessKeyFile = mkOption {
+    type = types.path;
    description = ''
      S3 access key for ${serviceDocName}'s bucket/s

@ -22,7 +25,8 @@ in
    '';
  };

-  s3SecretKey = mkOption {
+  s3SecretKeyFile = mkOption {
+    type = types.path;
    description = ''
      S3 secret key for ${serviceDocName}'s bucket/s