From f5eafee41191a2c5042ff638a247553afd821b3f Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Mon, 15 Nov 2021 00:11:19 +0100
Subject: [PATCH] public-cof: secure nextcloud using agenix

---
 machines/public-cof/nextcloud.nix | 6 ++---
 machines/public-cof/secrets/default.nix | 5 ++++
 .../secrets/nextcloudAdminPasswordFile.age | 24 ++++++++++++++++++
 .../secrets/nextcloudDatabasePasswordFile.age | 25 +++++++++++++++++++
 machines/public-cof/secrets/secrets.nix | 13 ++++++++++
 5 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 machines/public-cof/secrets/default.nix
 create mode 100644 machines/public-cof/secrets/nextcloudAdminPasswordFile.age
 create mode 100644 machines/public-cof/secrets/nextcloudDatabasePasswordFile.age
 create mode 100644 machines/public-cof/secrets/secrets.nix

diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index 31c15ec..eba376b 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
 services.nextcloud = {
 enable = true;
@@ -11,8 +11,8 @@
 dbtype = "pgsql";
 dbhost = "/run/postgresql";
- dbpass = "TODO";
- adminpass = "TODO";
+ dbpassFile = config.age.secrets.nextcloudDatabasePassword.path;
+ adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
 defaultPhoneRegion = "FR";
 };
diff --git a/machines/public-cof/secrets/default.nix b/machines/public-cof/secrets/default.nix
new file mode 100644
index 0000000..4c4e087
--- /dev/null
+++ b/machines/public-cof/secrets/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+ age.secrets.nextcloudAdminPassword.file = ./nextcloudAdminPasswordFile.age;
+ age.secrets.nextcloudDatabasePassword.file = ./nextcloudDatabasePasswordFile.age;
+}
diff --git a/machines/public-cof/secrets/nextcloudAdminPasswordFile.age b/machines/public-cof/secrets/nextcloudAdminPasswordFile.age
new file mode 100644
index 0000000..b09f532
--- /dev/null
+++ b/machines/public-cof/secrets/nextcloudAdminPasswordFile.age
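Review bot: The two `age.secrets.*.file` entries in the secrets/default.nix hunk set no `owner`/`mode`, so with agenix's defaults the decrypted files are root-owned and 0400, while the `dbpassFile`/`adminpassFile` lines in the nextcloud.nix hunk are consumed by the Nextcloud setup service, which as far as I recall the NixOS module runs as the `nextcloud` user; add `age.secrets.nextcloudAdminPassword.owner = "nextcloud";` and the same for `nextcloudDatabasePassword` (or `mode = "0440"` with `group = "nextcloud"`) so the files are actually readable. Nothing in this commit imports `secrets/default.nix` into the machine configuration, so unless that happens elsewhere `config.age.secrets.nextcloudDatabasePassword` is undefined at evaluation time; that is outside the diff, please confirm. Since `dbhost = "/run/postgresql"` is a local socket where peer authentication is the usual setup, a short comment on the `dbpassFile` line stating whether the password is really used would save the next reader a lookup.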
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 xbfJnw jGSrM/Yx0LnVlmBml7/7LwZeSL68CPiF7/97OyYnJj0 +66yS5TDLDpMXz6ggOeMyOhSDU2jSKDVoW5zvBvdN83I +-> ssh-ed25519 Wu8JLQ BH68DcAZ/Ruudd2QgREQ1I9YhC/JWOnn7dOkgoVdAgE +cJq/valbiW3xYyXxgmTMos9XQm/+SDIhd3cn32vcgxs +-> ssh-ed25519 cvTB5g qXCbgWmzetHsJTo/nnN9M/dRmYLW7HIHuaphMHXFB00 +WLVPkAJk2D4dca2+QlGFtCArLFjixypXV/P7VmJuK6g +-> ssh-ed25519 /vwQcQ 0aUZckwIHbXv/Uo3gyeAHGwEIzMQyPSh2Ks+s3QBPU8 +zt978+4EwedA6UTLurnjisjbrR/qFZf80IPcAxd3Qxw +-> ssh-ed25519 reTIKw jFGzhLb0YM5dJslCmp7bjRt5JYufGRAJzVmdjMKgdQw +Y9KIYgX2PHCU0/8h4Pn6YLqaZYzvrPUy1pmaLGzY8C4 +-> ssh-ed25519 85WiGg aZRVNM5iSL+BpZfundDVSpPs0mhFxssUA/t5POsi1AU +haYzRumOlDno9UdlcCr/GUoAOEqNrf+iPv9SpP76EYM +-> ssh-rsa krWCLQ +pbjqzOfXUuWlunTcCiwjKAqe5ZZdW+6jE86D3yuPz4PheDEFi6oYAnc0pIPoZOnh +9OkTTB6o9wPhoA5O+SOszvCFVOlS33EHwCFKFwy/lg3LwgsU6qon6YQAQfjOMf57 +yGlFDJhGfKfzoXzAlWIxpY6KQE15pkI2OAv9/1UWmFmGpw1vWOgcyJn0rbHK9Wtk +uGWOPCAsx7n/K4YukvVdB1pHtNlXyj6odMwRch3MmpKl4UlBMtB10NI2fMpqcWp1 +vgCcjsP2JX6zlTTQvu1afV2QMk2R9zfm4iZtk6lqhkFO9hGx12/1WfxFlww6YDyB +HDLu5vZddUtV7Wwm9Wa6Cw +-> H0-z{"-grease bic 5)(&;3`E _&UZCo7 hJ_x +5r9qRqyXOdPxqPPV8uCjaiJveaq0TLioCRMohcBamFx80I2EN/XDkPzeUNSkYyQ/ +--- gQnYjgiBjl7W2nLAvdfGcX8UVMr5RCFSysgp7iGWZlc +(}$11E-(S rlGb3`>K6Be邔 jɓo"{GG=F7 \ No newline at end of file diff --git a/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age b/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age new file mode 100644 index 0000000..1f89548 --- /dev/null +++ b/machines/public-cof/secrets/nextcloudDatabasePasswordFile.age 
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-ed25519 xbfJnw qeyTMwQ+l90wwNiGxLCvKZ+yIzEjehcr8SIlHrHTERQ +3XTb7giFfF9l/+hDq/TlWKt/Gr1qlMxB2agi1Mzn4Bs +-> ssh-ed25519 Wu8JLQ vrqgvKp+dB2TnZrRriOvvJfqxh7vbSpTL2P+u8zORC4 +7qTNpJw8j4HpjehzoZeMUqCPDBFZRhu3bhdCVbRAUrU +-> ssh-ed25519 cvTB5g 2R6aXhN56nYrEObDuDJdhmH1kMduXUzoEg22C4QjHRA +sIRV6aTkefsy4wdJ1Ay+O/q0Y0MdTPRFKTjWGHlz5xg +-> ssh-ed25519 /vwQcQ xcSn2vFYBkYESWRZqmeWNiP0EV1zWH3SaiYG+6V8xGY +zv2yiZrBlsskeLrvco5w+QPTDRyRGQ3mjGuHFjWcfGI +-> ssh-ed25519 reTIKw Bdc7/F+nWuCQ5aqiuUPqb6mHlQCMafINyWaqVDQG5y0 +Myj64k+s/KIVOfGje3reKeRHrjGL6cE+9knBCsS+rX0 +-> ssh-ed25519 85WiGg PKpNCdpcl+aSuTx13I/Hq9annJ5FRXiONQ/4iqwyZUc +CHUHvPtA5ydOkpHfgOXtvuYMOAhM53YfXbexhW7fbJY +-> ssh-rsa krWCLQ +IhI9bg+jq5y32OaYdes7y1iBUkOAkc2dXdFP2FI0/CAthBBOGs9qyCuf39S8i4YT +pHPRniwOYUUuCjThU1zUA6cboBh13Y381mioqTF656/w8tn2ZGFRnOcOwqp9d0v4 +vPHgdyZFpmD0MUmFlw1YfTWWWMbFyhDPY6C3r4L3dftGuineY3A/+zC+Y1RuCYBw ++Kl/tbIGUBckX+Cqdt8KokPpGw3ZxkHXWx3lMlNembrPpsM44Mbz88mBiHn77Ys3 +auHE7Ff04txLiG9fGo9p3GX6nk2aCz1vT+YJB1cWZErsNSWTSRLILGLHvR37KMMv +daiVtfDwNwoGbEmpw0iVCA +-> ;LK-grease H638S/n +76dNkVvkNr1Y+O2AwEjYyUbmCog7ChnU3U54t/ZyPCAd2Q5vuGSQHe+RxtIh8fux +RvrDH2Qa7jGT0F86FTwrWK7fKQkT +--- r4tKKSFy30F9y4jQzdBB0RjCFJQmy2lFhZDr3enZjeQ +-zyl , j>8ЀԒ%>Mqo)Di0 YL̩ \ No newline at end of file diff --git a/machines/public-cof/secrets/secrets.nix b/machines/public-cof/secrets/secrets.nix new file mode 100644 index 0000000..4fe0e66 --- /dev/null +++ b/machines/public-cof/secrets/secrets.nix 
@@ -0,0 +1,13 @@
+let
+ pkgs = import {};
+ lib = pkgs.lib;
+ readPubkeys = user: builtins.filter (k: k != "") (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+ superadmins = (readPubkeys "raito") ++ (readPubkeys "gdd");
+ public-cof = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUe/w7e3+KIa1YPFH9FGapDWM/sWOvOCcYXNlnIWypg";
+ systems = [ public-cof ];
+in
+ {
+ "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
+ "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
+ }
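Review bot: `readPubkeys` drops only exactly-empty lines from `../pubkeys/<user>.keys`, so a comment line or a line with trailing whitespace in one of those files ends up in `publicKeys` and is handed to age as a recipient; filtering with `builtins.filter (lib.hasPrefix "ssh-")` instead of `k != ""` would make the recipient set robust to how the key files are edited. The `public-cof = "ssh-ed25519 …"` host key has no provenance comment; I would add `# host key of public-cof (its ssh_host_ed25519_key.pub); rekey these secrets whenever the host is reinstalled` so whoever rotates the host key knows the secrets must be re-encrypted. The `pkgs = import {};` line looks like `import <nixpkgs> {}` with the bracketed path lost in rendering; if so, the evaluation depends on the caller's NIX_PATH, which is harmless for `lib.splitString` but worth a one-line comment since this file is evaluated by the agenix CLI rather than the system build.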