reencrypt secrets and fix nextcloud backups

2024-11-09 23:22:57 +00:00 · 2022-10-16 03:18:58 +00:00 · 2022-10-16 03:18:58 +00:00 · 0f112ea16b
commit 0f112ea16b
parent 69a54b99c8
9 changed files with 104 additions and 112 deletions
--- a/modules/services/backups.nix
+++ b/modules/services/backups.nix
@ -0,0 +1,46 @@
 { config, pkgs, lib, ... }: {
  options = {
    backupS3 = {
      endpoint = lib.mkOption {
        type = lib.types.str;
        description = "S3 endpoint for backups";
      };
      bucket = lib.mkOption {
        type = lib.types.str;
        description = "S3 bucket for backups";
      };
      accessKeyId = lib.mkOption {
        type = lib.types.str;
        description = "S3 access key ID for backups";
      };
    };
  };
  config = {
    secrets.backup = {
      source = ../../private/backup.age;
      dest = "${config.secretsDirectory}/backup";
    };
    # # Backup library to object storage
    # services.restic.backups.calibre = {
    #   user = "calibre-web";
    #   repository =
    #     "s3://${config.backupS3.endpoint}/${config.backupS3.bucket}/calibre";
    #   paths = [
    #     "/var/books"
    #     "/var/lib/calibre-web/app.db"
    #     "/var/lib/calibre-web/gdrive.db"
    #   ];
    #   initialize = true;
    #   timerConfig = { OnCalendar = "00:05:00"; };
    #   environmentFile = backupS3File;
    # };
  };
 }
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@ -1,13 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, ... }: {
-let
+  imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
  adminpassFile = "${config.services.nextcloud.datadir}/creds";
  backupS3File = "${config.services.nextcloud.datadir}/backup-creds";
 in {
  imports = [ ./caddy.nix ../shell/age.nix ];
  options = {
@ -16,22 +9,6 @@ in {
      description = "Hostname for Nextcloud";
    };
    # Options for backup
    backupS3 = {
      endpoint = lib.mkOption {
        type = lib.types.str;
        description = "S3 endpoint for backups";
      };
      bucket = lib.mkOption {
        type = lib.types.str;
        description = "S3 bucket for backups";
      };
      accessKeyId = lib.mkOption {
        type = lib.types.str;
        description = "S3 access key ID for backups";
      };
    };
  };
  config = {
@ -43,7 +20,7 @@ in {
      hostName = "localhost";
      maxUploadSize = "50G";
      config = {
-        adminpassFile = adminpassFile;
+        adminpassFile = config.secrets.nextcloud.dest;
        extraTrustedDomains = [ config.nextcloudServer ];
      };
    };
@ -54,6 +31,7 @@ in {
      port = 8080;
    }];
    # Point Caddy to Nginx
    caddyRoutes = [{
      match = [{ host = [ config.nextcloudServer ]; }];
      handle = [{
@ -63,22 +41,16 @@ in {
    }];
    # Create credentials file for nextcloud
-    systemd.services.nextcloud-creds = {
+    secrets.nextcloud = {
      source = ../../private/nextcloud.age;
      dest = "${config.secretsDirectory}/nextcloud";
      owner = "nextcloud";
      group = "nextcloud";
      permissions = "0440";
    };
    systemd.services.nextcloud-secret = {
      requiredBy = [ "nextcloud-setup.service" ];
      before = [ "nextcloud-setup.service" ];
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
      script = ''
        mkdir --parents $(dirname ${adminpassFile})
        ${pkgs.age}/bin/age --decrypt \
          --identity ${config.identityFile} \
          --output ${adminpassFile} \
          ${builtins.toString ../../private/nextcloud.age}
        chown nextcloud:nextcloud ${adminpassFile}
        chmod 0700 ${adminpassFile}
      '';
    };
    ## Backup config
@ -103,30 +75,14 @@ in {
          }];
        }];
      };
-      environmentFile = backupS3File;
+      environmentFile = config.secrets.backup.dest;
    };
    # Don't start litestream unless nextcloud is up
    systemd.services.litestream = {
-      after = [ "phpfpm-nextcloud.service" ];
+      after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
-      requires = [ "phpfpm-nextcloud.service" ];
+      requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
-      environment.LITESTREAM_ACCESS_KEY_ID = config.backupS3.accessKeyId;
+      environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
    };
    # Create credentials file for litestream
    systemd.services.litestream-s3 = {
      requiredBy = [ "litestream.service" ];
      before = [ "litestream.service" ];
      serviceConfig = { Type = "oneshot"; };
      script = ''
        echo \
          LITESTREAM_SECRET_ACCESS_KEY=$(${pkgs.age}/bin/age --decrypt \
            --identity ${config.identityFile} \
            ${builtins.toString ../../private/backup.age} \
          ) > ${backupS3File}
        chown litestream:litestream ${backupS3File}
        chmod 0700 ${backupS3File}
      '';
    };
  };
--- a/modules/services/secrets.nix
+++ b/modules/services/secrets.nix
@ -13,11 +13,11 @@
      default = "/etc/ssh/ssh_host_ed25519_key";
    };
-    # secretsDirectory = lib.mkOption {
+    secretsDirectory = lib.mkOption {
-    #   type = lib.types.str;
+      type = lib.types.str;
-    #   description = "Default path to place secrets.";
+      description = "Default path to place secrets.";
-    #   default = "/var/lib/private";
+      default = "/var/private";
-    # };
+    };
    secrets = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
@ -57,7 +57,7 @@
    # Create a default directory to place secrets
-    # systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0750 root wheel" ];
+    systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];
    # Declare oneshot service to decrypt secret using SSH host key
    # - Requires that the secret is already encrypted for the host
--- a/modules/services/transmission.nix
+++ b/modules/services/transmission.nix
@ -69,7 +69,7 @@
    # Create credentials file for transmission
    secrets.transmission = {
      source = ../../private/transmission.json.age;
-      dest = "/var/lib/private/transmission.json";
+      dest = "${config.secretsDirectory}/transmission.json";
      owner = "transmission";
      group = "transmission";
    };
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -1,14 +1,6 @@
 { config, pkgs, lib, ... }: {
-  options.networking.wireguard = {
+  imports = [ ./secrets.nix ];
    encryptedPrivateKey = lib.mkOption {
      type = lib.types.path;
      description = "Nix path to age-encrypted client private key";
      default = ../../private/wireguard.age;
    };
  };
  config = {
@ -19,7 +11,7 @@
          # Establishes identity of this machine
          generatePrivateKeyFile = false;
-          privateKeyFile = "/private/wireguard/wg0";
+          privateKeyFile = config.secrets.wireguard.dest;
          # Move to network namespace for isolating programs
          interfaceNamespace = "wg";
@ -42,25 +34,9 @@
    };
    # Create private key file for wireguard
-    systemd.services.wireguard-private-key = {
+    secrets.wireguard = {
-      wantedBy = [ "wireguard-wg0.service" ];
+      source = ../../private/wireguard.age;
-      requiredBy = [ "wireguard-wg0.service" ];
+      dest = "${config.secretsDirectory}/wireguard";
      before = [ "wireguard-wg0.service" ];
      serviceConfig = { Type = "oneshot"; };
      script = let
        encryptedPrivateKey = config.networking.wireguard.encryptedPrivateKey;
        privateKeyFile =
          config.networking.wireguard.interfaces.wg0.privateKeyFile;
      in ''
        mkdir --parents --mode 0755 ${builtins.dirOf privateKeyFile}
        if [ ! -f "${privateKeyFile}" ]; then
          ${pkgs.age}/bin/age --decrypt \
            --identity ${config.identityFile} \
            --output ${privateKeyFile} \
            ${builtins.toString encryptedPrivateKey}
          chmod 0700 ${privateKeyFile}
        fi
      '';
    };
  };
--- a/private/backup.age
+++ b/private/backup.age
@ -1,6 +1,10 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
-> ssh-ed25519 MgHaOw 2y5C1sRq3NZqmfGBiPgMS7qcU5v+70wri5xkXbceaHM
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBuMUg4
-zyd7b+OuVi3rxxUEm+QW/80M80SSKaebOwOioRjnYak
+TG5Oa1U5WERGOWJibkRZRVJwZGdEZmRsSVBraHdVYTJwbGpNL1VnCjRYaW1nTUR0
--- yZQxxjYYNouD5wnEj+qNjUSrRU01hXvWUuax4C252i8
+cjR2NHJ1V1lhRHp4a2VOekVTZVl5Rk5CcG1heHhsR2M5SHMKLT4gc3NoLWVkMjU1
-¤à/<2F>2*®ŒM•ûD©ø^ÓœOßÆQ
+MTkgWXlTVU1RIHhEN3o1NzNTTVIvZG1VcERJQitkRk4vTmtFQk9SVUVJQUVOdVY2
-5–<¤áÝM1›8o»‘3´LÓœZiïùºò¹Ö7ð±9ÆTL<54>ø
+YWoxM1UKVVVMWTYzKzE4ZjVDWitGNkUvR2U1Z1VJdVdqOWhWZVAxNWFOaFZvZGpS
 OAotLS0gWlU2TEY0TFZiM3VCM0hWcDAvQlQzTjE3MkZSOGNXaUhDdVQzL2pVRzlT
 VQoP0xMzUx0ozRvXFrNfFNyqwzUoHl7GM1P6VFjjDjuMkuWtQ/+V6DV/rGlXDKJ9
 jidhm8Y0hbjL6cbQrolUSgHSzG5CPD/4pb3zmxTZ9ol7cQuR4PbnPQ==
 -----END AGE ENCRYPTED FILE-----
--- a/private/mailpass.age
+++ b/private/mailpass.age
@ -1,5 +1,10 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
-> ssh-ed25519 MgHaOw 8h/ESNjn0gknNXoHM34UobHzPgmRunoP97H+KHOuGQM
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBIRnEy
-qowH+6TlCRECGCscRgKx6kswY+PZezYUD6E+x9e+5pM
+am1HTXptMmpSTjZQa2hQSUxNUU1rdXlod3U3bVZ0VGxQVlE2WldBClg0K3k5MDZH
--- kFj1JzRdh/D13Uq9aNTzMJIFysEE+kzzthjewOIR2+o
+NFlPdHI0VnZSZE9DTTNMeDdldUpFQ3V0V0k0RnRIZHFhdzAKLT4gc3NoLWVkMjU1
-È²²¸6<EFBFBD>Àï}rCìzó™ð øà
ï>&Ä=j‚W^W‰‘l! "}M–SÍå8=‰x’ƒ²÷m =Ð‡øL
+MTkgWXlTVU1RIFlxZFpqNU5kNVY2VUk0Um0zZ1d1M2FlRkYvV1BoTEFSNjZ2Vk9I
 QTVHM0UKY2gvVU9wckVUNEFwdUwyVFJZUGwxOFFKYm12cUlFTEVrb3IvcXI3TnND
 UQotLS0gMHdaajFjV2ozd0g5dWN5YkhiU2NBVWZVSU00aVIzY0VKYjJleVlQTUdX
 QQo7rH6kOTRFP43U/qiBOCHx+hBGlaODFRS1CgzkuqfMOq8PM28RsIN+l3sbwjxE
 W8chE/A0EChjIDtfYTMgsN3cYg==
 -----END AGE ENCRYPTED FILE-----
--- a/private/nextcloud.age
+++ b/private/nextcloud.age
--- a/private/wireguard.age
+++ b/private/wireguard.age
@ -1,5 +1,10 @@
-age-encryption.org/v1
+-----BEGIN AGE ENCRYPTED FILE-----
-> ssh-ed25519 MgHaOw lG6VtLpEU/33egpB9WqJiulVdL3K5a2IGjekIu6HtSI
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBOOXNm
-VsAfCbtQuHU9tptKQR4buD3ydwb89aSbUVdEoetU1gc
+VG5EMHhEU2JLbkYyY1VXdXZJd2VxSEVXUjZaaURnU254QUVzUENzCnhnV21oRFNY
--- kts74pY8NdQh4pTlMT3NTHxU0qnA0txwQKH5FkQCdXA
+NGpMeXlqdDlYRmltN1cxTlJ3eWFTVElpK0ZBalA3QVFoL2MKLT4gc3NoLWVkMjU1
-ø¿SŸÐ8˜A0<>`0åªýÕ$,1*/H¼íÞå³ÏV½þñZtWˆ¬<CB86>ÔBC¯[<¬N@’cûá™h_QtÀÀ(ÞÈ Â£fz
+MTkgWXlTVU1RIDk3TVhDVVBjQU5XNjVTbkxKdUNEU25uZXREeEpHcTF4STg4VXR1
 V2xzRTQKZTBXZUQrbjIwTDEwOEc3MktpQzBjTzhjS3lTNTJ0TEMyMVBOODQ0N0lt
 OAotLS0gODA2L2FpSmxiWDAyM1IvM2Q4U2QrNmRkVjl1bFhURW5sNCtWZ2tiMnZU
 YwoC0chavNt+a/AImm/7bNheZIPghrobp9g+ga+UpRWBtM2snpkyFZrBR0qAkw/f
 3krp5Rrco7IOlEwWx96UzvAUpKlC7CdVI1MFa76ZUg==
 -----END AGE ENCRYPTED FILE-----