From 0f112ea16b4f4a3afe3a9fe7f4919995785dbe63 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Sun, 16 Oct 2022 03:18:58 +0000
Subject: [PATCH] reencrypt secrets and fix nextcloud backups

---
 modules/services/backups.nix | 46 ++++++++++++++++++
 modules/services/nextcloud.nix | 76 +++++++-----------------------
 modules/services/secrets.nix | 12 ++---
 modules/services/transmission.nix | 2 +-
 modules/services/wireguard.nix | 34 ++-----------
 private/backup.age | 16 ++++---
 private/mailpass.age | 15 ++++--
 private/nextcloud.age | Bin 246 -> 552 bytes
 private/wireguard.age | 15 ++++--
 9 files changed, 104 insertions(+), 112 deletions(-)
 create mode 100644 modules/services/backups.nix

diff --git a/modules/services/backups.nix b/modules/services/backups.nix
new file mode 100644
index 0000000..373387c
--- /dev/null
+++ b/modules/services/backups.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, lib, ... }: {
+
+ options = {
+
+ backupS3 = {
+ endpoint = lib.mkOption {
+ type = lib.types.str;
+ description = "S3 endpoint for backups";
+ };
+ bucket = lib.mkOption {
+ type = lib.types.str;
+ description = "S3 bucket for backups";
+ };
+ accessKeyId = lib.mkOption {
+ type = lib.types.str;
+ description = "S3 access key ID for backups";
+ };
+ };
+
+ };
+
+ config = {
+
+ secrets.backup = {
+ source = ../../private/backup.age;
+ dest = "${config.secretsDirectory}/backup";
+ };
+
+ # # Backup library to object storage
+ # services.restic.backups.calibre = {
+ # user = "calibre-web";
+ # repository =
+ # "s3://${config.backupS3.endpoint}/${config.backupS3.bucket}/calibre";
+ # paths = [
+ # "/var/books"
+ # "/var/lib/calibre-web/app.db"
+ # "/var/lib/calibre-web/gdrive.db"
+ # ];
+ # initialize = true;
+ # timerConfig = { OnCalendar = "00:05:00"; };
+ # environmentFile = backupS3File;
+ # };
+
+ };
+
+}
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index 9288d24..60bcbdd 100644
--- a/modules/services/nextcloud.nix
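Review bot: The new backups.nix reads `config.secretsDirectory` and sets `secrets.backup`, both options that secrets.nix declares, yet it has no `imports = [ ./secrets.nix ];` — wireguard.nix in this same commit adds exactly that line, and backups.nix only evaluates today because nextcloud.nix happens to import both modules. Adding `imports = [ ./secrets.nix ];` beside `options` makes the module self-contained. The commented-out restic block still references `backupS3File`, the let-binding this commit deletes from nextcloud.nix; if it is kept as a template it should read `# environmentFile = config.secrets.backup.dest;`, otherwise it is dead code and should go. `secrets.backup` sets no `owner`, `group` or `permissions`, so the decrypted file — which the removed nextcloud.nix script used as the S3 secret access key — takes whatever defaults secrets.nix applies outside this patch; a one-line comment stating that intent would help the next reader.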
+++ b/modules/services/nextcloud.nix
@@ -1,13 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, ... }: {
-let
-
- adminpassFile = "${config.services.nextcloud.datadir}/creds";
- backupS3File = "${config.services.nextcloud.datadir}/backup-creds";
-
-in {
-
- imports = [ ./caddy.nix ../shell/age.nix ];
+ imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
 options = {
@@ -16,22 +9,6 @@ in {
 description = "Hostname for Nextcloud";
 };
- # Options for backup
- backupS3 = {
- endpoint = lib.mkOption {
- type = lib.types.str;
- description = "S3 endpoint for backups";
- };
- bucket = lib.mkOption {
- type = lib.types.str;
- description = "S3 bucket for backups";
- };
- accessKeyId = lib.mkOption {
- type = lib.types.str;
- description = "S3 access key ID for backups";
- };
- };
-
 };
 config = {
@@ -43,7 +20,7 @@ in {
 hostName = "localhost";
 maxUploadSize = "50G";
 config = {
- adminpassFile = adminpassFile;
+ adminpassFile = config.secrets.nextcloud.dest;
 extraTrustedDomains = [ config.nextcloudServer ];
 };
 };
@@ -54,6 +31,7 @@ in {
 port = 8080;
 }];
+ # Point Caddy to Nginx
 caddyRoutes = [{
 match = [{ host = [ config.nextcloudServer ]; }];
 handle = [{
@@ -63,22 +41,16 @@ in {
 }];
 # Create credentials file for nextcloud
- systemd.services.nextcloud-creds = {
+ secrets.nextcloud = {
+ source = ../../private/nextcloud.age;
+ dest = "${config.secretsDirectory}/nextcloud";
+ owner = "nextcloud";
+ group = "nextcloud";
+ permissions = "0440";
+ };
+ systemd.services.nextcloud-secret = {
 requiredBy = [ "nextcloud-setup.service" ];
 before = [ "nextcloud-setup.service" ];
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- script = ''
- mkdir --parents $(dirname ${adminpassFile})
- ${pkgs.age}/bin/age --decrypt \
- --identity ${config.identityFile} \
- --output ${adminpassFile} \
- ${builtins.toString ../../private/nextcloud.age}
- chown nextcloud:nextcloud ${adminpassFile}
- chmod 0700 ${adminpassFile}
- '';
 };
 ## Backup config
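Review bot: In the `@@ -63,22 +41,16 @@` hunk, `systemd.services.nextcloud-secret` now carries only `requiredBy`/`before` with no `serviceConfig` or `script`, and nothing in this file tells a reader that it merges ordering into a unit generated elsewhere (presumably by secrets.nix for `secrets.nextcloud`). A comment above it such as `# Ordering only: the decrypt unit itself is generated by secrets.nix for secrets.nextcloud` would make that explicit, and the surviving `# Create credentials file for nextcloud` comment should be reworded since the declaration below it no longer creates anything itself. `permissions = "0440"` relaxes the old `chmod 0700` to group-readable; with `group = "nextcloud"` that is still confined to the service account, but a short why-comment on the mode would save the next reviewer the same check.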
@@ -103,30 +75,14 @@ in {
 }];
 }];
 };
- environmentFile = backupS3File;
+ environmentFile = config.secrets.backup.dest;
 };
 # Don't start litestream unless nextcloud is up
 systemd.services.litestream = {
- after = [ "phpfpm-nextcloud.service" ];
- requires = [ "phpfpm-nextcloud.service" ];
- environment.LITESTREAM_ACCESS_KEY_ID = config.backupS3.accessKeyId;
- };
-
- # Create credentials file for litestream
- systemd.services.litestream-s3 = {
- requiredBy = [ "litestream.service" ];
- before = [ "litestream.service" ];
- serviceConfig = { Type = "oneshot"; };
- script = ''
- echo \
- LITESTREAM_SECRET_ACCESS_KEY=$(${pkgs.age}/bin/age --decrypt \
- --identity ${config.identityFile} \
- ${builtins.toString ../../private/backup.age} \
- ) > ${backupS3File}
- chown litestream:litestream ${backupS3File}
- chmod 0700 ${backupS3File}
- '';
+ after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
+ requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
+ environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
 };
 };
diff --git a/modules/services/secrets.nix b/modules/services/secrets.nix
index 79187b6..2583c65 100644
--- a/modules/services/secrets.nix
+++ b/modules/services/secrets.nix
@@ -13,11 +13,11 @@
 default = "/etc/ssh/ssh_host_ed25519_key";
 };
- # secretsDirectory = lib.mkOption {
- # type = lib.types.str;
- # description = "Default path to place secrets.";
- # default = "/var/lib/private";
- # };
+ secretsDirectory = lib.mkOption {
+ type = lib.types.str;
+ description = "Default path to place secrets.";
+ default = "/var/private";
+ };
 secrets = lib.mkOption {
 type = lib.types.attrsOf (lib.types.submodule {
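Review bot: `environmentFile = config.secrets.backup.dest;` in the `@@ -103,30 +75,14 @@` hunk hands systemd the decrypted `backup.age` as-is, whereas the removed `litestream-s3` script wrapped the decrypted value as `LITESTREAM_SECRET_ACCESS_KEY=...`; the re-encrypted secret must therefore itself be in `KEY=value` EnvironmentFile form, and nothing in the module states or checks that. The companion variable also changes from `LITESTREAM_ACCESS_KEY_ID` to `AWS_ACCESS_KEY_ID`, so if the new ciphertext still defines the secret half under the `LITESTREAM_` prefix the two halves of the credential would be supplied under different naming conventions — something that cannot be verified from the ciphertext in this patch. A comment on the `environmentFile` line naming the variable the decrypted file is expected to define (e.g. `AWS_SECRET_ACCESS_KEY`, to pair with `AWS_ACCESS_KEY_ID`) would pin that contract for whoever next re-encrypts the file.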
@@ -57,7 +57,7 @@
 # Create a default directory to place secrets
- # systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0750 root wheel" ];
+ systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];
 # Declare oneshot service to decrypt secret using SSH host key
 # - Requires that the secret is already encrypted for the host
diff --git a/modules/services/transmission.nix b/modules/services/transmission.nix
index f35088d..7fd56ad 100644
--- a/modules/services/transmission.nix
+++ b/modules/services/transmission.nix
@@ -69,7 +69,7 @@
 # Create credentials file for transmission
 secrets.transmission = {
 source = ../../private/transmission.json.age;
- dest = "/var/lib/private/transmission.json";
+ dest = "${config.secretsDirectory}/transmission.json";
 owner = "transmission";
 group = "transmission";
 };
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 4b437b9..9b1003d 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -1,14 +1,6 @@
 { config, pkgs, lib, ... }: {
- options.networking.wireguard = {
-
- encryptedPrivateKey = lib.mkOption {
- type = lib.types.path;
- description = "Nix path to age-encrypted client private key";
- default = ../../private/wireguard.age;
- };
-
- };
+ imports = [ ./secrets.nix ];
 config = {
@@ -19,7 +11,7 @@
 # Establishes identity of this machine
 generatePrivateKeyFile = false;
- privateKeyFile = "/private/wireguard/wg0";
+ privateKeyFile = config.secrets.wireguard.dest;
 # Move to network namespace for isolating programs
 interfaceNamespace = "wg";
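Review bot: `"d ${config.secretsDirectory} 0755 root wheel"` in the secrets.nix `@@ -57,7 +57,7 @@` hunk makes the secrets directory world-listable, so any local account can enumerate which secrets exist on the host; the commented-out predecessor used 0750. If the mode was raised so that service accounts such as `nextcloud` can reach their own files, `0711` (traverse without listing) grants that while keeping the directory contents private, e.g. `systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0711 root wheel" ];`. Either way the protection of the key material then rests on each secret's own file mode: nextcloud.nix sets `permissions = "0440"` explicitly, but `secrets.backup` and `secrets.wireguard` in this commit set none, so the default applied by secrets.nix (outside this patch) decides whether those files are readable through the 0755 directory.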
@@ -42,25 +34,9 @@
 };
 # Create private key file for wireguard
- systemd.services.wireguard-private-key = {
- wantedBy = [ "wireguard-wg0.service" ];
- requiredBy = [ "wireguard-wg0.service" ];
- before = [ "wireguard-wg0.service" ];
- serviceConfig = { Type = "oneshot"; };
- script = let
- encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
- privateKeyFile =
- config.networking.wireguard.interfaces.wg0.privateKeyFile;
- in ''
- mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
- if [ ! -f "${privateKeyFile}" ]; then
- ${pkgs.age}/bin/age --decrypt \
- --identity ${config.identityFile} \
- --output ${privateKeyFile} \
- ${builtins.toString encryptedPrivateKey}
- chmod 0700 ${privateKeyFile}
- fi
- '';
+ secrets.wireguard = {
+ source = ../../private/wireguard.age;
+ dest = "${config.secretsDirectory}/wireguard";
 };
 };
diff --git a/private/backup.age b/private/backup.age
index bc1483a..497ddf6 100644
--- a/private/backup.age
+++ b/private/backup.age
@@ -1,6 +1,10 @@
-age-encryption.org/v1 --> ssh-ed25519 MgHaOw 2y5C1sRq3NZqmfGBiPgMS7qcU5v+70wri5xkXbceaHM -zyd7b+OuVi3rxxUEm+QW/80M80SSKaebOwOioRjnYak ---- yZQxxjYYNouD5wnEj+qNjUSrRU01hXvWUuax4C252i8 -/2*MD^ӜOQ -5 ssh-ed25519 MgHaOw 8h/ESNjn0gknNXoHM34UobHzPgmRunoP97H+KHOuGQM -qowH+6TlCRECGCscRgKx6kswY+PZezYUD6E+x9e+5pM ---- kFj1JzRdh/D13Uq9aNTzMJIFysEE+kzzthjewOIR2+o -Ȳ6}rCz >&=jW ^Wl!"}MS8=xm =ЇL
\ No newline at end of file
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBIRnEy
+am1HTXptMmpSTjZQa2hQSUxNUU1rdXlod3U3bVZ0VGxQVlE2WldBClg0K3k5MDZH
+NFlPdHI0VnZSZE9DTTNMeDdldUpFQ3V0V0k0RnRIZHFhdzAKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIFlxZFpqNU5kNVY2VUk0Um0zZ1d1M2FlRkYvV1BoTEFSNjZ2Vk9I
+QTVHM0UKY2gvVU9wckVUNEFwdUwyVFJZUGwxOFFKYm12cUlFTEVrb3IvcXI3TnND
+UQotLS0gMHdaajFjV2ozd0g5dWN5YkhiU2NBVWZVSU00aVIzY0VKYjJleVlQTUdX
+QQo7rH6kOTRFP43U/qiBOCHx+hBGlaODFRS1CgzkuqfMOq8PM28RsIN+l3sbwjxE
+W8chE/A0EChjIDtfYTMgsN3cYg==
+-----END AGE ENCRYPTED FILE-----
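Review bot: The removed `wireguard-private-key` unit was `wantedBy`/`requiredBy`/`before` `wireguard-wg0.service`, but the replacement `secrets.wireguard` declaration in the `@@ -42,25 +34,9 @@` hunk carries no ordering at all — unlike nextcloud.nix in this same commit, which adds `systemd.services.nextcloud-secret = { requiredBy = [...]; before = [...]; }` for its secret. Without an equivalent, `wireguard-wg0.service` can start before `privateKeyFile` exists and fail on first boot; if secrets.nix names the generated unit `wireguard-secret`, as the `nextcloud-secret`/`backup-secret` references elsewhere in the patch suggest, the fix is `systemd.services.wireguard-secret = { requiredBy = [ "wireguard-wg0.service" ]; before = [ "wireguard-wg0.service" ]; };`. The old script also applied `chmod 0700` to the key and only decrypted when the file was absent; the new declaration sets no `permissions`, so the private key's mode now comes from the secrets.nix default outside this patch and deserves a comment or an explicit `permissions` value.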
diff --git a/private/nextcloud.age b/private/nextcloud.age index 77526b6596398552bc8d57e1c7b76f2b79683152..e0d8ca807bb1ab6e10f098168c52f6fed95dcc98 100644 GIT binary patch literal 552 zcmZ{iyLO{607QGf!hMdDVv7LcWl(~Ughhve#YVhhL%@7}yxZ@z)6CqN{r)Kv zxjx>#yJ&~7MZ_mX_RjG`^w--fA}!l6<+IQNqwvUhR`vO;1%0TA)w+Tg-@{vO!8Wsf zh$%9B1pCBwKFfzWmvZfuY-3PxeibY;Q_iXAU{ZPGcizWF1jNGKK^1M;VwEfcO!p!k zO{*zE)=goiP8X#_(Jhun%mLacAS0Kxadrn-cqPRf7hGl|-;kbr1ms(N45?lh8Xlgh zWz;aJL{!%4simAj;ydkEj(jy{xQ`kFDR2-z1%8Br^n*D8J7s#(2J4wQeJrPxrH4gf zPTMgik0B&Wo~{FSB0Z5~UZ&FnKUt(+**uHg;%)#XI|QsBLDXQQ>iL~@he64fVG0va zr>s;fN>uL3M@6$IP(0^-bW7Uo$h$(PF#8~A?O1=YlLiBf0*M>BDaCTT&JSVL-$C_C z$yMur1_K|*h1Ge}u^GjBOeN=i{SQ)XsoI8Rr4R99_LWqK=GFii?FMNczqOJ!kG zT2(nQc~fd)bY^KwD?v7QVNyXsPi#U?LQYv@No6x-MNJAVEiE8tN^fCrQaEsHPjyo< zVp>aVNJcU?S#f%1OKNmyK|ym~%Qc(&e#L$H*Wq|4w@}KwsI6eqsKL%(O w9)AbuS8smQol&)kjaymIZ%)-gKBGgdSdg$w#39g+>lk2Ly9xs!ow8X7n=av2v;Y7A diff --git a/private/wireguard.age b/private/wireguard.age index a055a02..17f8112 100644 --- a/private/wireguard.age +++ b/private/wireguard.age @@ -1,5 +1,10 @@ -age-encryption.org/v1 --> ssh-ed25519 MgHaOw lG6VtLpEU/33egpB9WqJiulVdL3K5a2IGjekIu6HtSI -VsAfCbtQuHU9tptKQR4buD3ydwb89aSbUVdEoetU1gc ---- kts74pY8NdQh4pTlMT3NTHxU0qnA0txwQKH5FkQCdXA -S8A 0`0$,1*/HV ZtWBC[