nixfiles/hosts/hetzner-arm/secrets.nix

{pkgs, ...}: {
  services.secrets = {
    enable = true;

    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm";
    };

    packages = with pkgs; [
      apacheHttpd
      rclone
    ];

    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@hetzner-arm"
      "private-public-keys/data/ssh/root@hetzner-arm-decrypt"

      "api-keys/data/backblaze/Backblaze"

      "private-public-keys/data/restic/Social-02"
      "api-keys/data/chaos_mail/gotosocial"

      "private-public-keys/data/restic/Forgejo"

      "private-public-keys/data/rclone/Chaos-Photos-Crypt"

      "api-keys/data/mpd"
      "api-keys/data/music-stream"

      "api-keys/data/radicale"
      "private-public-keys/data/restic/Radicale"

      "private-public-keys/data/restic/Vault"
    ];

    extraFunctions = ''
      replace_slash_for_sed() {
        sed "s#/#\\\/#"
      }

      simple_get_obscure() {
        rclone obscure "$(simple_get "$@")"
      }

      simple_get_replace_b2() {
        api_account=$(simple_get "$1" .keyID | replace_slash_for_sed)
        api_key=$(simple_get "$1" .applicationKey | replace_slash_for_sed)

        replace_account=''${2}_ACCOUNT
        replace_key=''${2}_KEY

        sed -i "s/$replace_account/$api_account/" "$3"
        sed -i "s/$replace_key/$api_key/" "$3"
      }

      simple_get_replace_crypt() {
        password=$(simple_get_obscure "$1" .password)
        salt=$(simple_get_obscure "$1" .salt)

        replace_password=''${2}_PASSWORD
        replace_salt=''${2}_SALT

        sed -i "s/$replace_password/$password/" "$3"
        sed -i "s/$replace_salt/$salt/" "$3"
      }
    '';

    secrets = {
      vault_password = {
        manual = true;
      };

      ssh_host_ed25519_key = {
        path = "/etc/ssh/ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
          simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile"
        '';
      };
      ssh_host_ed25519_key_pub = {
        path = "/etc/ssh/ssh_host_ed25519_key.pub";
        permissions = "600";
        fetchScript = ''
          [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
          simple_get "/private-public-keys/ssh/root@hetzner-arm" .private | base64 -d > "$secretFile"
        '';
      };

      # this doesn't need to be a secret and can be generated at install time
      # but it makes it easier to install.
      # it's stored in /nix store anyway
      initrd_ssh_host_ed25519_key = {
        path = "/initrd_ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private | base64 -d > "$secretFile"
        '';
      };

      # B2 Keys for all backups
      restic_backups_env = {
        fetchScript = ''
          cat << EOF > "$secretFile"
          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Backblaze" .keyID)
          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Backblaze" .applicationKey)
          EOF
        '';
      };

      restic_password_social = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Social-02" .password > "$secretFile"
        '';
      };

      gotosocial_env = {
        fetchScript = ''
          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
        '';
      };

      restic_password_forgejo = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
        '';
      };

      mpd_control_password = {
        user = "mpd";
        group = "mpd";
        fetchScript = ''
          simple_get "/api-keys/mpd" .password > "$secretFile"
        '';
      };

      music_stream_passwd = {
        user = "nginx";
        group = "nginx";
        fetchScript = ''
          username=$(simple_get "/api-keys/music-stream" .username)
          password=$(simple_get "/api-keys/music-stream" .password)
          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
        '';
      };

      radicale_htpasswd = {
        user = "radicale";
        group = "radicale";
        fetchScript = ''
          if [ -f "$secretFile" ]; then
            rm "$secretFile"
          fi

          touch "$secretFile"

          data=$(kv_get "/api-keys/radicale" | base64)
          for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
            password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
            htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
          done
        '';
      };

      restic_password_radicale = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
        '';
      };

      restic_password_vault = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
        '';
      };

      photos_rclone_config = {
        user = "photoprism";
        group = "photoprism";
        fetchScript = let
          template = builtins.toFile "template.conf" ''
            [B2]
            type = b2
            account = B2_ACCOUNT
            key = B2_KEY
            hard_delete = true

            [Photos-Crypt]
            type = crypt
            remote = B2:Chaos-Photos
            password = PHOTOS_CRYPT_PASSWORD
            password2 = PHOTOS_CRYPT_SALT

            [Photos]
            type = chunker
            remote = Photos-Crypt:
            chunk_size = 128Mi
          '';
        in ''
          cat ${template} > "$secretFile"
          simple_get_replace_b2 "/api-keys/backblaze/Backblaze" "B2" "$secretFile"
          simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Photos-Crypt" "PHOTOS_CRYPT" "$secretFile"
        '';
      };
    };
  };
}
move mpd to host 2024-07-20 13:11:15 +01:00			`{pkgs, ...}: {`
start work on hetzner-arm for real now 2023-09-20 18:44:24 +01:00			`services.secrets = {`
			`enable = true;`

			`vaultLogin = {`
			`enable = true;`
			`loginUsername = "hetzner-arm";`
			`};`

move mpd to host 2024-07-20 13:11:15 +01:00			`packages = with pkgs; [`
			`apacheHttpd`
start work on photoprism 2024-12-16 14:21:37 +00:00			`rclone`
move mpd to host 2024-07-20 13:11:15 +01:00			`];`

start work on hetzner-arm for real now 2023-09-20 18:44:24 +01:00			`requiredVaultPaths = [`
migrate hetzner-vm to hetzner-arm; piped currently dead 2023-09-21 05:06:27 +01:00			`"private-public-keys/data/ssh/root@hetzner-arm"`
add the ssh host key 2023-09-20 19:02:27 +01:00			`"private-public-keys/data/ssh/root@hetzner-arm-decrypt"`
move gotosocial to host 2024-07-20 12:24:27 +01:00
update 2024-11-08 20:50:43 +00:00			`"api-keys/data/backblaze/Backblaze"`
move gotosocial to host 2024-07-20 12:24:27 +01:00
update 2024-11-20 22:42:06 +00:00			`"private-public-keys/data/restic/Social-02"`
update requiredVaultPaths 2024-07-20 12:33:03 +01:00			`"api-keys/data/chaos_mail/gotosocial"`
move forgejo to host 2024-07-20 12:58:45 +01:00
			`"private-public-keys/data/restic/Forgejo"`
move mpd to host 2024-07-20 13:11:15 +01:00
start work on photoprism 2024-12-16 14:21:37 +00:00			`"private-public-keys/data/rclone/Chaos-Photos-Crypt"`

move mpd to host 2024-07-20 13:11:15 +01:00			`"api-keys/data/mpd"`
			`"api-keys/data/music-stream"`
move radicale to host 2024-07-20 13:23:50 +01:00
			`"api-keys/data/radicale"`
			`"private-public-keys/data/restic/Radicale"`
move vault to host 2024-07-21 20:40:28 +01:00
			`"private-public-keys/data/restic/Vault"`
start work on hetzner-arm for real now 2023-09-20 18:44:24 +01:00			`];`

start work on photoprism 2024-12-16 14:21:37 +00:00			`extraFunctions = ''`
			`replace_slash_for_sed() {`
			`sed "s#/#\\\/#"`
			`}`

			`simple_get_obscure() {`
			`rclone obscure "$(simple_get "$@")"`
			`}`

			`simple_get_replace_b2() {`
			`api_account=$(simple_get "$1" .keyID \| replace_slash_for_sed)`
			`api_key=$(simple_get "$1" .applicationKey \| replace_slash_for_sed)`

			`replace_account=''${2}_ACCOUNT`
			`replace_key=''${2}_KEY`

			`sed -i "s/$replace_account/$api_account/" "$3"`
			`sed -i "s/$replace_key/$api_key/" "$3"`
			`}`

			`simple_get_replace_crypt() {`
			`password=$(simple_get_obscure "$1" .password)`
			`salt=$(simple_get_obscure "$1" .salt)`

			`replace_password=''${2}_PASSWORD`
			`replace_salt=''${2}_SALT`

			`sed -i "s/$replace_password/$password/" "$3"`
			`sed -i "s/$replace_salt/$salt/" "$3"`
			`}`
			`'';`

start work on hetzner-arm for real now 2023-09-20 18:44:24 +01:00			`secrets = {`
			`vault_password = {`
			`manual = true;`
			`};`

migrate hetzner-vm to hetzner-arm; piped currently dead 2023-09-21 05:06:27 +01:00			`ssh_host_ed25519_key = {`
			`path = "/etc/ssh/ssh_host_ed25519_key";`
			`permissions = "600";`
			`fetchScript = ''`
			`[ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"`
			`simple_get "/private-public-keys/ssh/root@hetzner-arm" .private \| base64 -d > "$secretFile"`
			`'';`
			`};`
			`ssh_host_ed25519_key_pub = {`
			`path = "/etc/ssh/ssh_host_ed25519_key.pub";`
			`permissions = "600";`
			`fetchScript = ''`
			`[ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"`
			`simple_get "/private-public-keys/ssh/root@hetzner-arm" .private \| base64 -d > "$secretFile"`
			`'';`
			`};`

add the ssh host key 2023-09-20 19:02:27 +01:00			`# this doesn't need to be a secret and can be generated at install time`
			`# but it makes it easier to install.`
			`# it's stored in /nix store anyway`
migrate hetzner-vm to hetzner-arm; piped currently dead 2023-09-21 05:06:27 +01:00			`initrd_ssh_host_ed25519_key = {`
			`path = "/initrd_ssh_host_ed25519_key";`
add the ssh host key 2023-09-20 19:02:27 +01:00			`permissions = "600";`
			`fetchScript = ''`
			`simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private \| base64 -d > "$secretFile"`
			`'';`
			`};`
move gotosocial to host 2024-07-20 12:24:27 +01:00
			`# B2 Keys for all backups`
			`restic_backups_env = {`
			`fetchScript = ''`
			`cat << EOF > "$secretFile"`
update 2024-11-08 20:50:43 +00:00			`AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Backblaze" .keyID)`
			`AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Backblaze" .applicationKey)`
move gotosocial to host 2024-07-20 12:24:27 +01:00			`EOF`
			`'';`
			`};`

			`restic_password_social = {`
			`fetchScript = ''`
update 2024-11-20 22:42:06 +00:00			`simple_get "/private-public-keys/restic/Social-02" .password > "$secretFile"`
move gotosocial to host 2024-07-20 12:24:27 +01:00			`'';`
			`};`

			`gotosocial_env = {`
			`fetchScript = ''`
			`smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)`
			`echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"`
			`'';`
			`};`
move forgejo to host 2024-07-20 12:58:45 +01:00
			`restic_password_forgejo = {`
			`fetchScript = ''`
			`simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"`
			`'';`
			`};`
move mpd to host 2024-07-20 13:11:15 +01:00
			`mpd_control_password = {`
			`user = "mpd";`
			`group = "mpd";`
			`fetchScript = ''`
			`simple_get "/api-keys/mpd" .password > "$secretFile"`
			`'';`
			`};`

			`music_stream_passwd = {`
			`user = "nginx";`
			`group = "nginx";`
			`fetchScript = ''`
			`username=$(simple_get "/api-keys/music-stream" .username)`
			`password=$(simple_get "/api-keys/music-stream" .password)`
			`htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null`
			`'';`
			`};`
move radicale to host 2024-07-20 13:23:50 +01:00
			`radicale_htpasswd = {`
			`user = "radicale";`
			`group = "radicale";`
			`fetchScript = ''`
			`if [ -f "$secretFile" ]; then`
			`rm "$secretFile"`
			`fi`

			`touch "$secretFile"`

			`data=$(kv_get "/api-keys/radicale" \| base64)`
			`for username in $(echo "$data" \| base64 -d \| jq -r ".data.data \| keys \| .[]"); do`
			`password=$(echo "$data" \| base64 -d \| jq -r ".data.data.\"$username\"")`
			`htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null`
			`done`
			`'';`
			`};`

			`restic_password_radicale = {`
			`fetchScript = ''`
			`simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"`
			`'';`
			`};`
move vault to host 2024-07-21 20:40:28 +01:00
			`restic_password_vault = {`
			`fetchScript = ''`
			`simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"`
			`'';`
			`};`
start work on photoprism 2024-12-16 14:21:37 +00:00
			`photos_rclone_config = {`
			`user = "photoprism";`
			`group = "photoprism";`
			`fetchScript = let`
			`template = builtins.toFile "template.conf" ''`
			`[B2]`
			`type = b2`
			`account = B2_ACCOUNT`
			`key = B2_KEY`
			`hard_delete = true`

			`[Photos-Crypt]`
			`type = crypt`
			`remote = B2:Chaos-Photos`
			`password = PHOTOS_CRYPT_PASSWORD`
			`password2 = PHOTOS_CRYPT_SALT`

			`[Photos]`
			`type = chunker`
			`remote = Photos-Crypt:`
			`chunk_size = 128Mi`
			`'';`
			`in ''`
			`cat ${template} > "$secretFile"`
			`simple_get_replace_b2 "/api-keys/backblaze/Backblaze" "B2" "$secretFile"`
			`simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Photos-Crypt" "PHOTOS_CRYPT" "$secretFile"`
			`'';`
			`};`
start work on hetzner-arm for real now 2023-09-20 18:44:24 +01:00			`};`
			`};`
			`}`