mirror of
https://github.com/nmasur/dotfiles
synced 2024-12-24 02:34:52 +00:00
reencrypt secrets and fix nextcloud backups
This commit is contained in:
parent
69a54b99c8
commit
0f112ea16b
46
modules/services/backups.nix
Normal file
46
modules/services/backups.nix
Normal file
@ -0,0 +1,46 @@
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options = {
|
||||
|
||||
backupS3 = {
|
||||
endpoint = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "S3 endpoint for backups";
|
||||
};
|
||||
bucket = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "S3 bucket for backups";
|
||||
};
|
||||
accessKeyId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "S3 access key ID for backups";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = {
|
||||
|
||||
secrets.backup = {
|
||||
source = ../../private/backup.age;
|
||||
dest = "${config.secretsDirectory}/backup";
|
||||
};
|
||||
|
||||
# # Backup library to object storage
|
||||
# services.restic.backups.calibre = {
|
||||
# user = "calibre-web";
|
||||
# repository =
|
||||
# "s3://${config.backupS3.endpoint}/${config.backupS3.bucket}/calibre";
|
||||
# paths = [
|
||||
# "/var/books"
|
||||
# "/var/lib/calibre-web/app.db"
|
||||
# "/var/lib/calibre-web/gdrive.db"
|
||||
# ];
|
||||
# initialize = true;
|
||||
# timerConfig = { OnCalendar = "00:05:00"; };
|
||||
# environmentFile = backupS3File;
|
||||
# };
|
||||
|
||||
};
|
||||
|
||||
}
|
@ -1,13 +1,6 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
let
|
||||
|
||||
adminpassFile = "${config.services.nextcloud.datadir}/creds";
|
||||
backupS3File = "${config.services.nextcloud.datadir}/backup-creds";
|
||||
|
||||
in {
|
||||
|
||||
imports = [ ./caddy.nix ../shell/age.nix ];
|
||||
imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
|
||||
|
||||
options = {
|
||||
|
||||
@ -16,22 +9,6 @@ in {
|
||||
description = "Hostname for Nextcloud";
|
||||
};
|
||||
|
||||
# Options for backup
|
||||
backupS3 = {
|
||||
endpoint = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "S3 endpoint for backups";
|
||||
};
|
||||
bucket = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "S3 bucket for backups";
|
||||
};
|
||||
accessKeyId = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "S3 access key ID for backups";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = {
|
||||
@ -43,7 +20,7 @@ in {
|
||||
hostName = "localhost";
|
||||
maxUploadSize = "50G";
|
||||
config = {
|
||||
adminpassFile = adminpassFile;
|
||||
adminpassFile = config.secrets.nextcloud.dest;
|
||||
extraTrustedDomains = [ config.nextcloudServer ];
|
||||
};
|
||||
};
|
||||
@ -54,6 +31,7 @@ in {
|
||||
port = 8080;
|
||||
}];
|
||||
|
||||
# Point Caddy to Nginx
|
||||
caddyRoutes = [{
|
||||
match = [{ host = [ config.nextcloudServer ]; }];
|
||||
handle = [{
|
||||
@ -63,22 +41,16 @@ in {
|
||||
}];
|
||||
|
||||
# Create credentials file for nextcloud
|
||||
systemd.services.nextcloud-creds = {
|
||||
secrets.nextcloud = {
|
||||
source = ../../private/nextcloud.age;
|
||||
dest = "${config.secretsDirectory}/nextcloud";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
permissions = "0440";
|
||||
};
|
||||
systemd.services.nextcloud-secret = {
|
||||
requiredBy = [ "nextcloud-setup.service" ];
|
||||
before = [ "nextcloud-setup.service" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
script = ''
|
||||
mkdir --parents $(dirname ${adminpassFile})
|
||||
${pkgs.age}/bin/age --decrypt \
|
||||
--identity ${config.identityFile} \
|
||||
--output ${adminpassFile} \
|
||||
${builtins.toString ../../private/nextcloud.age}
|
||||
chown nextcloud:nextcloud ${adminpassFile}
|
||||
chmod 0700 ${adminpassFile}
|
||||
'';
|
||||
};
|
||||
|
||||
## Backup config
|
||||
@ -103,30 +75,14 @@ in {
|
||||
}];
|
||||
}];
|
||||
};
|
||||
environmentFile = backupS3File;
|
||||
environmentFile = config.secrets.backup.dest;
|
||||
};
|
||||
|
||||
# Don't start litestream unless nextcloud is up
|
||||
systemd.services.litestream = {
|
||||
after = [ "phpfpm-nextcloud.service" ];
|
||||
requires = [ "phpfpm-nextcloud.service" ];
|
||||
environment.LITESTREAM_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||
};
|
||||
|
||||
# Create credentials file for litestream
|
||||
systemd.services.litestream-s3 = {
|
||||
requiredBy = [ "litestream.service" ];
|
||||
before = [ "litestream.service" ];
|
||||
serviceConfig = { Type = "oneshot"; };
|
||||
script = ''
|
||||
echo \
|
||||
LITESTREAM_SECRET_ACCESS_KEY=$(${pkgs.age}/bin/age --decrypt \
|
||||
--identity ${config.identityFile} \
|
||||
${builtins.toString ../../private/backup.age} \
|
||||
) > ${backupS3File}
|
||||
chown litestream:litestream ${backupS3File}
|
||||
chmod 0700 ${backupS3File}
|
||||
'';
|
||||
after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
|
||||
requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
|
||||
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -13,11 +13,11 @@
|
||||
default = "/etc/ssh/ssh_host_ed25519_key";
|
||||
};
|
||||
|
||||
# secretsDirectory = lib.mkOption {
|
||||
# type = lib.types.str;
|
||||
# description = "Default path to place secrets.";
|
||||
# default = "/var/lib/private";
|
||||
# };
|
||||
secretsDirectory = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Default path to place secrets.";
|
||||
default = "/var/private";
|
||||
};
|
||||
|
||||
secrets = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule {
|
||||
@ -57,7 +57,7 @@
|
||||
|
||||
# Create a default directory to place secrets
|
||||
|
||||
# systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0750 root wheel" ];
|
||||
systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];
|
||||
|
||||
# Declare oneshot service to decrypt secret using SSH host key
|
||||
# - Requires that the secret is already encrypted for the host
|
||||
|
@ -69,7 +69,7 @@
|
||||
# Create credentials file for transmission
|
||||
secrets.transmission = {
|
||||
source = ../../private/transmission.json.age;
|
||||
dest = "/var/lib/private/transmission.json";
|
||||
dest = "${config.secretsDirectory}/transmission.json";
|
||||
owner = "transmission";
|
||||
group = "transmission";
|
||||
};
|
||||
|
@ -1,14 +1,6 @@
|
||||
{ config, pkgs, lib, ... }: {
|
||||
|
||||
options.networking.wireguard = {
|
||||
|
||||
encryptedPrivateKey = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "Nix path to age-encrypted client private key";
|
||||
default = ../../private/wireguard.age;
|
||||
};
|
||||
|
||||
};
|
||||
imports = [ ./secrets.nix ];
|
||||
|
||||
config = {
|
||||
|
||||
@ -19,7 +11,7 @@
|
||||
|
||||
# Establishes identity of this machine
|
||||
generatePrivateKeyFile = false;
|
||||
privateKeyFile = "/private/wireguard/wg0";
|
||||
privateKeyFile = config.secrets.wireguard.dest;
|
||||
|
||||
# Move to network namespace for isolating programs
|
||||
interfaceNamespace = "wg";
|
||||
@ -42,25 +34,9 @@
|
||||
};
|
||||
|
||||
# Create private key file for wireguard
|
||||
systemd.services.wireguard-private-key = {
|
||||
wantedBy = [ "wireguard-wg0.service" ];
|
||||
requiredBy = [ "wireguard-wg0.service" ];
|
||||
before = [ "wireguard-wg0.service" ];
|
||||
serviceConfig = { Type = "oneshot"; };
|
||||
script = let
|
||||
encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
|
||||
privateKeyFile =
|
||||
config.networking.wireguard.interfaces.wg0.privateKeyFile;
|
||||
in ''
|
||||
mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
|
||||
if [ ! -f "${privateKeyFile}" ]; then
|
||||
${pkgs.age}/bin/age --decrypt \
|
||||
--identity ${config.identityFile} \
|
||||
--output ${privateKeyFile} \
|
||||
${builtins.toString encryptedPrivateKey}
|
||||
chmod 0700 ${privateKeyFile}
|
||||
fi
|
||||
'';
|
||||
secrets.wireguard = {
|
||||
source = ../../private/wireguard.age;
|
||||
dest = "${config.secretsDirectory}/wireguard";
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -1,6 +1,10 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 MgHaOw 2y5C1sRq3NZqmfGBiPgMS7qcU5v+70wri5xkXbceaHM
|
||||
zyd7b+OuVi3rxxUEm+QW/80M80SSKaebOwOioRjnYak
|
||||
--- yZQxxjYYNouD5wnEj+qNjUSrRU01hXvWUuax4C252i8
|
||||
¤à/<2F>2*®ŒM•ûD©ø^ÓœOßÆQ
|
||||
5–<¤áÝM1›8o»‘3´LÓœZiïùºò¹Ö7ð±9ÆTL<54>ø
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBuMUg4
|
||||
TG5Oa1U5WERGOWJibkRZRVJwZGdEZmRsSVBraHdVYTJwbGpNL1VnCjRYaW1nTUR0
|
||||
cjR2NHJ1V1lhRHp4a2VOekVTZVl5Rk5CcG1heHhsR2M5SHMKLT4gc3NoLWVkMjU1
|
||||
MTkgWXlTVU1RIHhEN3o1NzNTTVIvZG1VcERJQitkRk4vTmtFQk9SVUVJQUVOdVY2
|
||||
YWoxM1UKVVVMWTYzKzE4ZjVDWitGNkUvR2U1Z1VJdVdqOWhWZVAxNWFOaFZvZGpS
|
||||
OAotLS0gWlU2TEY0TFZiM3VCM0hWcDAvQlQzTjE3MkZSOGNXaUhDdVQzL2pVRzlT
|
||||
VQoP0xMzUx0ozRvXFrNfFNyqwzUoHl7GM1P6VFjjDjuMkuWtQ/+V6DV/rGlXDKJ9
|
||||
jidhm8Y0hbjL6cbQrolUSgHSzG5CPD/4pb3zmxTZ9ol7cQuR4PbnPQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
|
@ -1,5 +1,10 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 MgHaOw 8h/ESNjn0gknNXoHM34UobHzPgmRunoP97H+KHOuGQM
|
||||
qowH+6TlCRECGCscRgKx6kswY+PZezYUD6E+x9e+5pM
|
||||
--- kFj1JzRdh/D13Uq9aNTzMJIFysEE+kzzthjewOIR2+o
|
||||
Ȳ²¸6<EFBFBD>Àï}rCìzó™ð øà
ï>&Ä=j‚W^W‰‘l! "}M–SÍå8=‰x’ƒ²÷m =ЇøL
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBIRnEy
|
||||
am1HTXptMmpSTjZQa2hQSUxNUU1rdXlod3U3bVZ0VGxQVlE2WldBClg0K3k5MDZH
|
||||
NFlPdHI0VnZSZE9DTTNMeDdldUpFQ3V0V0k0RnRIZHFhdzAKLT4gc3NoLWVkMjU1
|
||||
MTkgWXlTVU1RIFlxZFpqNU5kNVY2VUk0Um0zZ1d1M2FlRkYvV1BoTEFSNjZ2Vk9I
|
||||
QTVHM0UKY2gvVU9wckVUNEFwdUwyVFJZUGwxOFFKYm12cUlFTEVrb3IvcXI3TnND
|
||||
UQotLS0gMHdaajFjV2ozd0g5dWN5YkhiU2NBVWZVSU00aVIzY0VKYjJleVlQTUdX
|
||||
QQo7rH6kOTRFP43U/qiBOCHx+hBGlaODFRS1CgzkuqfMOq8PM28RsIN+l3sbwjxE
|
||||
W8chE/A0EChjIDtfYTMgsN3cYg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
|
Binary file not shown.
@ -1,5 +1,10 @@
|
||||
age-encryption.org/v1
|
||||
-> ssh-ed25519 MgHaOw lG6VtLpEU/33egpB9WqJiulVdL3K5a2IGjekIu6HtSI
|
||||
VsAfCbtQuHU9tptKQR4buD3ydwb89aSbUVdEoetU1gc
|
||||
--- kts74pY8NdQh4pTlMT3NTHxU0qnA0txwQKH5FkQCdXA
|
||||
ø¿SŸÐ8˜A0<>`0åªýÕ$,1*/H¼íÞå³ÏV½þñZtWˆ¬<CB86>ÔBC¯[<¬N@’cûá™h_QtÀÀ(ÞÈ Â£fz
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBOOXNm
|
||||
VG5EMHhEU2JLbkYyY1VXdXZJd2VxSEVXUjZaaURnU254QUVzUENzCnhnV21oRFNY
|
||||
NGpMeXlqdDlYRmltN1cxTlJ3eWFTVElpK0ZBalA3QVFoL2MKLT4gc3NoLWVkMjU1
|
||||
MTkgWXlTVU1RIDk3TVhDVVBjQU5XNjVTbkxKdUNEU25uZXREeEpHcTF4STg4VXR1
|
||||
V2xzRTQKZTBXZUQrbjIwTDEwOEc3MktpQzBjTzhjS3lTNTJ0TEMyMVBOODQ0N0lt
|
||||
OAotLS0gODA2L2FpSmxiWDAyM1IvM2Q4U2QrNmRkVjl1bFhURW5sNCtWZ2tiMnZU
|
||||
YwoC0chavNt+a/AImm/7bNheZIPghrobp9g+ga+UpRWBtM2snpkyFZrBR0qAkw/f
|
||||
3krp5Rrco7IOlEwWx96UzvAUpKlC7CdVI1MFa76ZUg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
|
Loading…
Reference in New Issue
Block a user