From 78a85b27ffe8c4765002ed107b30514eb169a782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
<nicolas.jeannerod@moduscreate.com>
Date: Fri, 14 Feb 2025 19:46:12 +0100
Subject: [PATCH] Put the S3 secrets into files
...but not everywhere, there remains some FIXMEs where ultimately the
secrets do get into the store.
---
deployment/flake-part.nix | 54 ++++++++++++----------
services/fediversity/garage/default.nix | 6 +--
services/fediversity/garage/options.nix | 7 +--
services/fediversity/mastodon/default.nix | 55 ++++++++++++++---------
services/fediversity/peertube/default.nix | 15 +++++--
services/fediversity/pixelfed/default.nix | 11 ++---
services/fediversity/sharedOptions.nix | 10 +++--
7 files changed, 96 insertions(+), 62 deletions(-)
diff --git a/deployment/flake-part.nix b/deployment/flake-part.nix
index d215a22b..c903f8a1 100644
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@@ -76,35 +76,41 @@ in
providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };
resources = {
- fedi101 = makeProcolixVmResource 101 {
- fediversity = {
- enable = true;
- domain = "fedi101.abundos.eu";
- pixelfed = {
+ fedi101 = makeProcolixVmResource 101 (
+ { pkgs, ... }:
+ {
+ fediversity = {
enable = true;
+ domain = "fedi101.abundos.eu";
+ pixelfed = {
+ enable = true;
- ## NOTE: Only ever used for testing anyway.
- s3AccessKey = "GKb5615457d44214411e673b7b";
- s3SecretKey = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+ ## NOTE: Only ever used for testing anyway.
+ s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
+ s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+ };
};
- };
- };
+ }
+ );
- fedi102 = makeProcolixVmResource 102 {
- fediversity = {
- enable = true;
- domain = "fedi102.abundos.eu";
- mastodon = {
+ fedi102 = makeProcolixVmResource 102 (
+ { pkgs, ... }:
+ {
+ fediversity = {
enable = true;
+ domain = "fedi102.abundos.eu";
+ mastodon = {
+ enable = true;
- ## NOTE: Only ever used for testing anyway.
- s3AccessKey = "GK3515373e4c851ebaad366558";
- s3SecretKey = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+ ## NOTE: Only ever used for testing anyway.
+ s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
+ s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+ };
+
+ temp.cores = 1; # FIXME: should come from NixOps4 eventually
};
-
- temp.cores = 1; # FIXME: should come from NixOps4 eventually
- };
- };
+ }
+ );
fedi103 = makeProcolixVmResource 103 (
{ pkgs, ... }:
@@ -117,8 +123,8 @@ in
## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
- s3AccessKey = "GK1f9feea9960f6f95ff404c9b";
- s3SecretKey = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+ s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
+ s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
};
}
diff --git a/services/fediversity/garage/default.nix b/services/fediversity/garage/default.nix
index da0a7e46..6915cb50 100644
--- a/services/fediversity/garage/default.nix
+++ b/services/fediversity/garage/default.nix
@@ -83,13 +83,13 @@ let
ensureKeyScriptFn =
key:
{
- s3AccessKey,
- s3SecretKey,
+ s3AccessKeyFile,
+ s3SecretKeyFile,
ensureAccess,
}:
''
## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
- garage key import --yes -n ${escapeShellArg key} ${escapeShellArg s3AccessKey} ${escapeShellArg s3SecretKey} || :
+ garage key import --yes -n ${escapeShellArg key} $(cat ${escapeShellArg s3AccessKeyFile}) $(cat ${escapeShellArg s3SecretKeyFile}) || :
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
'';
diff --git a/services/fediversity/garage/options.nix b/services/fediversity/garage/options.nix
index c93534e5..baeda2c9 100644
--- a/services/fediversity/garage/options.nix
+++ b/services/fediversity/garage/options.nix
@@ -43,10 +43,11 @@ in
ensureKeys = mkOption {
type = types.attrsOf (
types.submodule {
- # TODO: these should be managed as secrets, not in the nix store
options = {
- s3AccessKey = mkOption { type = types.str; };
- s3SecretKey = mkOption { type = types.str; };
+ s3AccessKeyFile = mkOption { type = types.path; };
+
+ s3SecretKeyFile = mkOption { type = types.path; };
+
# TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption {
diff --git a/services/fediversity/mastodon/default.nix b/services/fediversity/mastodon/default.nix
index cd1846a0..63e536d9 100644
--- a/services/fediversity/mastodon/default.nix
+++ b/services/fediversity/mastodon/default.nix
@@ -1,5 +1,15 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib) readFile;
+ inherit (pkgs) writeText;
+
+in
{
imports = [ ./options.nix ];
@@ -20,7 +30,7 @@
ensureKeys = {
mastodon = {
- inherit (config.fediversity.mastodon) s3AccessKey s3SecretKey;
+ inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
mastodon = {
read = true;
@@ -32,26 +42,31 @@
};
};
- services.mastodon = {
- extraConfig = rec {
- S3_ENABLED = "true";
- # TODO: this shouldn't be hard-coded, it should come from the garage configuration
- S3_ENDPOINT = config.fediversity.garage.api.url;
- S3_REGION = "garage";
- S3_BUCKET = "mastodon";
- # use <S3_BUCKET>.<S3_ENDPOINT>
- S3_OVERRIDE_PATH_STLE = "true";
- AWS_ACCESS_KEY_ID = config.fediversity.mastodon.s3AccessKey;
- AWS_SECRET_ACCESS_KEY = config.fediversity.mastodon.s3SecretKey;
- S3_PROTOCOL = "http";
- S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.garage.web.rootDomain}";
- # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
- # TODO: can we set up ACLs with garage?
- S3_PERMISSION = "";
- };
+ services.mastodon.extraConfig = rec {
+ S3_ENABLED = "true";
+ # TODO: this shouldn't be hard-coded, it should come from the garage configuration
+ S3_ENDPOINT = config.fediversity.garage.api.url;
+ S3_REGION = "garage";
+ S3_BUCKET = "mastodon";
+ # use <S3_BUCKET>.<S3_ENDPOINT>
+ S3_OVERRIDE_PATH_STLE = "true";
+ S3_PROTOCOL = "http";
+ S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
+ # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
+ # TODO: can we set up ACLs with garage?
+ S3_PERMISSION = "";
};
- #### mastodon setup
+ ## FIXME: secrets management; we should have a service that writes the
+ ## `.env` files based on all the secrets that we need to put there.
+ services.mastodon.extraEnvFiles = [
+ (writeText "s3AccessKey" ''
+ AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
+ '')
+ (writeText "s3SecretKey" ''
+ AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
+ '')
+ ];
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
diff --git a/services/fediversity/peertube/default.nix b/services/fediversity/peertube/default.nix
index cf7c6205..3c18486e 100644
--- a/services/fediversity/peertube/default.nix
+++ b/services/fediversity/peertube/default.nix
@@ -1,9 +1,13 @@
{ config, lib, ... }:
+let
+ inherit (lib) mkIf readFile;
+
+in
{
imports = [ ./options.nix ];
- config = lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
+ config = mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
networking.firewall.allowedTCPPorts = [
80
443
@@ -39,7 +43,7 @@
ensureKeys = {
peertube = {
- inherit (config.fediversity.peertube) s3AccessKey s3SecretKey;
+ inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = {
read = true;
@@ -97,9 +101,12 @@
};
serviceEnvironmentFile = "/etc/peertube-env";
};
+
+ ## FIXME: secrets management; we should have a service that writes the
+ ## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = ''
- AWS_ACCESS_KEY_ID=${config.fediversity.peertube.s3AccessKey}
- AWS_SECRET_ACCESS_KEY=${config.fediversity.peertube.s3SecretKey}
+ AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
+ AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
'';
## Proxying through Nginx
diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix
index e12a5e1c..b845d92a 100644
--- a/services/fediversity/pixelfed/default.nix
+++ b/services/fediversity/pixelfed/default.nix
@@ -6,7 +6,7 @@
}:
let
- inherit (lib) mkIf;
+ inherit (lib) mkIf readFile;
in
{
@@ -29,7 +29,7 @@ in
ensureKeys = {
pixelfed = {
- inherit (config.fediversity.pixelfed) s3AccessKey s3SecretKey;
+ inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
pixelfed = {
read = true;
@@ -45,9 +45,12 @@ in
enable = true;
domain = config.fediversity.pixelfed.domain;
- # TODO: secrets management!!!
+ ## FIXME: secrets management; we should have a service that writes the
+ ## `.env` file based on all the secrets that we need to put there.
secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+ AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
+ AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
'';
## Taeer feels like this way of configuring Nginx is odd; there should
@@ -70,8 +73,6 @@ in
FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true;
- AWS_ACCESS_KEY_ID = config.fediversity.pixelfed.s3AccessKey;
- AWS_SECRET_ACCESS_KEY = config.fediversity.pixelfed.s3SecretKey;
AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed";
diff --git a/services/fediversity/sharedOptions.nix b/services/fediversity/sharedOptions.nix
index 0d6317e9..10ddd5cc 100644
--- a/services/fediversity/sharedOptions.nix
+++ b/services/fediversity/sharedOptions.nix
@@ -1,3 +1,6 @@
+## NOTE: Not a module, but a helper function to create options for Fediversity
+## services, as they tend to require the same ones.
+
{
config,
lib,
@@ -13,8 +16,8 @@ in
{
enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";
- s3AccessKey = mkOption {
- type = types.str;
+ s3AccessKeyFile = mkOption {
+ type = types.path;
description = ''
S3 access key for ${serviceDocName}'s bucket/s
@@ -22,7 +25,8 @@ in
'';
};
- s3SecretKey = mkOption {
+ s3SecretKeyFile = mkOption {
+ type = types.path;
description = ''
S3 secret key for ${serviceDocName}'s bucket/s