more secrets

hosts/hetzner-vm/hetzner-vm.nix

@@ -14,7 +14,6 @@
     hosts.hetzner-vm.services.invidious
     hosts.hetzner-vm.services.quassel
     hosts.hetzner-vm.services.mpd
-    hosts.hetzner-vm.services.storage-sftp
     hosts.hetzner-vm.services.mail
     hosts.hetzner-vm.services.gitlab-static-sites
     hosts.hetzner-vm.services.lappy-dev
@@ -22,6 +21,7 @@
 
     ./networking.nix
     ./hardware.nix
+    ./secrets.nix
   ];
 
   networking.firewall.allowedTCPPorts = [ 80 443 ];

hosts/hetzner-vm/ports.nix

@@ -0,0 +1,21 @@
+{ }: {
+  mpd = 6600; # default
+  mpd-opus = 8012;
+  mpd-flac = 8013;
+
+  quassel = 4242; # default
+
+  misskey = 3020;
+  misskey-redis = 3021;
+
+  invidious = 3000;
+
+  smtp = 25;
+  submission = 587;
+  submission_ssl = 465;
+  imap = 143;
+  imap_ssl = 993;
+  sieve = 4190;
+
+  rspamd-redis = 6380;
+}

hosts/hetzner-vm/secrets-db.nix

@@ -0,0 +1,38 @@
+{ }: {
+  mpd_control_password = {
+    user = "mpd";
+    group = "mpd";
+    permissions = "660";
+    path = "/secrets/mpd_control_password";
+  };
+  music_stream_passwd = {
+    user = "nginx";
+    group = "nginx";
+    permissions = "660";
+    path = "/secrets/music_stream_passwd";
+  };
+  chaos_mail_passwd = {
+    user = "dovecot2";
+    group = "dovecot2";
+    permissions = "660";
+    path = "/secrets/chaos_mail_passwd";
+  };
+  gitlab_env = {
+    user = "gitlab_artifacts_sync";
+    group = "gitlab_artifacts_sync";
+    permissions = "660";
+    path = "/secrets/gitlab_env";
+  };
+  restic_password = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/restic_password";
+  };
+  restic_env = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/restic_env";
+  };
+}

hosts/hetzner-vm/secrets.nix

@@ -0,0 +1,67 @@
+{ pkgs, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "init-secrets" ''
+      set -e -o pipefail
+
+      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
+      [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
+
+      export PATH=$PATH:${pkgs.vault}/bin
+      export PATH=$PATH:${pkgs.jq}/bin
+      export PATH=$PATH:${pkgs.apacheHttpd}/bin
+
+      kv_get() {
+        vault kv get -format json $1
+      }
+
+      simple_get() {
+        kv_get $1 | jq .data.data$2 -r
+      }
+
+      file=${secrets-db.mpd_control_password.path}
+      echo $file
+      simple_get "/api-keys/mpd" .password > $file 
+      chown ${secrets-db.mpd_control_password.user}:${secrets-db.mpd_control_password.group} $file
+      chmod ${secrets-db.mpd_control_password.permissions} $file
+
+      file=${secrets-db.music_stream_passwd.path}
+      echo $file
+      username=$(simple_get "/api-keys/music-stream" .username)
+      password=$(simple_get "/api-keys/music-stream" .password)
+      htpasswd -bc $file "$username" "$password"
+      chown ${secrets-db.music_stream_passwd.user}:${secrets-db.music_stream_passwd.group} $file
+      chmod ${secrets-db.music_stream_passwd.permissions} $file
+
+      file=${secrets-db.chaos_mail_passwd.path}
+      echo $file
+      password=$(simple_get "/passwords/mail" .password)
+      htpasswd -nbB "" "$password" | cut -d: -f2 > $file
+      chown ${secrets-db.chaos_mail_passwd.user}:${secrets-db.chaos_mail_passwd.group} $file
+      chmod ${secrets-db.chaos_mail_passwd.permissions} $file
+
+      file=${secrets-db.gitlab_env.path}
+      echo $file
+      token=$(simple_get "/api-keys/gitlab/gitlab_pages_serve" .token)
+      echo "GITLAB_TOKEN=$token" > $file
+      chown ${secrets-db.gitlab_env.user}:${secrets-db.gitlab_env.group} $file
+      chmod ${secrets-db.gitlab_env.permissions} $file
+
+      file=${secrets-db.restic_password.path}
+      echo $file
+      simple_get "/private-public-keys/restic/HetznerVM" .password > $file
+      chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} $file
+      chmod ${secrets-db.restic_password.permissions} $file
+
+      file=${secrets-db.restic_env.path}
+      echo $file
+      RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/HetznerVM" .username)
+      RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/HetznerVM" .password)
+      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/HetznerVM" > $file
+      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} $file
+      chmod ${secrets-db.restic_env.permissions} $file
+    '')
+  ];
+}

hosts/hetzner-vm/services/gitlab-static-sites.nix

@@ -1,7 +1,9 @@
-{ ... }: {
+{ ... }:
+let secrets-db = (import ../secrets-db.nix { });
+in {
   services.gitlab_artifacts_sync = {
     enable = true;
-    credentialsEnvironmentFile = "/secrets/gitlab-env";
+    credentialsEnvironmentFile = "${secrets-db.gitlab_env.path}";
     repos = [
       {
         repoName = "ChaotiCryptidz/VaultUI";

hosts/hetzner-vm/services/invidious.nix

@@ -1,9 +1,11 @@
-{ inputs, pkgs, ... }: {
+{ inputs, pkgs, ... }:
+let ports = (import ../ports.nix { });
+in {
   services.invidious = {
     enable = true;
     #package =
     #  inputs.nixpkgs-stable.outputs.legacyPackages.${pkgs.system}.invidious;
-    port = 3000;
+    port = ports.invidious;
     settings = {
       full_refresh = true;
       https_only = true;
@@ -42,17 +44,17 @@
   services.nginx.virtualHosts."invidious.owo.monster" = {
     forceSSL = true;
     enableACME = true;
-    locations = { "/".proxyPass = "http://127.0.0.1:3000"; };
+    locations = {
+      "/".proxyPass = "http://127.0.0.1:${toString ports.invidious}";
+    };
   };
 
   services.nginx.virtualHosts."invidious-nojs.owo.monster" = {
     forceSSL = true;
     enableACME = true;
     locations = {
-      "/".proxyPass = "http://127.0.0.1:3000";
+      "/".proxyPass = "http://127.0.0.1:${toString ports.invidious}";
       "/js/".extraConfig = "deny all;";
     };
   };
-
-  #networking.firewall.allowedTCPPorts = [ 3000 ];
 }

hosts/hetzner-vm/services/mailserver/config.nix

@@ -1,4 +1,6 @@
-{ }: rec {
+{ }: let 
+  secrets-db = (import ../../secrets-db.nix { });
+in rec {
   fqdn = "mail.owo.monster";
   domains = [
     "owo.monster"
@@ -19,18 +21,13 @@
   accounts = {
     "chaoticryptidz@owo.monster" = {
       name = "chaoticryptidz@owo.monster";
-      passwordFile = "/secrets/chaos-mail-password";
+      passwordFile = "${secrets-db.chaos_mail_passwd.path}";
       aliases = [
         "all@owo.monster"
         # for sending from
         "chaos@owo.monster"
 
-        # for websites not liking .monster
-        #"all@mailchaos.net"
-        #"chaoticryptidz@mailchaos.net"
-        #"chaos@mailchaos.net"
-
-        # legacy - to be deprecated by 2023-01-01 
+        # TODO: legacy - to be deprecated by 2023-01-01 
         "kitteh@owo.monster"
         "kitteh@kitteh.pw"
       ];

hosts/hetzner-vm/services/mailserver/rspamd.nix

@@ -3,6 +3,9 @@
 let
   mail_config = (import ./config.nix { });
 
+  ports = (import ../../ports.nix { });
+
+
   postfixCfg = config.services.postfix;
   rspamdCfg = config.services.rspamd;
   rspamdSocket = "rspamd.service";
@@ -19,7 +22,7 @@ in {
       };
       "redis.conf" = {
         text = ''
-          servers = "127.0.0.1:6380";
+          servers = "127.0.0.1:${toString ports.rspamd-redis}";
         '';
       };
       "classifier-bayes.conf" = {
@@ -77,7 +80,7 @@ in {
 
   services.redis.servers.rspamd = {
     enable = true;
-    port = 6380;
+    port = ports.rspamd-redis;
   };
 
   systemd.services.rspamd = {

hosts/hetzner-vm/services/misskey.nix

@@ -1,8 +1,10 @@
 { pkgs, tree, ... }:
 let
+  ports = (import ../ports.nix { });
+
   misskeyDomain = "social.owo.monster";
-  misskeyPort = 3020;
-  redisPort = 3019;
+  misskeyPort = ports.misskey;
+  redisPort = ports.misskey-redis;
 
   misskeyPackages = with pkgs; [
     nodejs

hosts/hetzner-vm/services/mpd.nix

@@ -1,16 +1,16 @@
-{ pkgs, lib, tree, ... }: {
-  #imports = [ ./mpd-broadcast/broadcast.nix ];
-
+{ pkgs, lib, tree, ... }:
+let
+  ports = (import ../ports.nix { });
+  secrets-db = (import ../secrets-db.nix { });
+in {
   environment.systemPackages = with pkgs; [ mpc_cli ];
 
   services.mpd = {
     enable = true;
     network.listenAddress = "0.0.0.0";
-    dataDir = "/mpd";
     musicDirectory = "/storage/music";
-    playlistDirectory = "/mpd/playlists";
     credentials = [{
-      passwordFile = "/secrets/mpd-password";
+      passwordFile = "${secrets-db.mpd_control_password.path}";
       permissions = [ "read" "add" "control" "admin" ];
     }];
     extraConfig = ''
@@ -25,7 +25,7 @@
         type		"httpd"
         name		"HTTP Opus"
         encoder		"opus"
-        port		"8012"
+        port		"${toString ports.mpd-opus}"
         bitrate		"96000"
         format		"44100:16:2"
         always_on       "yes"
@@ -37,7 +37,7 @@
         type		"httpd"
         name		"HTTP FLAC"
         encoder		"flac"
-        port		"8013"
+        port		"${toString ports.mpd-flac}"
         format		"44100:16:2"
         always_on       "yes"
         tags            "yes"
@@ -45,24 +45,22 @@
     '';
   };
 
-  systemd.services.mpd.serviceConfig.StateDirectory = [ "/mpd" ];
-
   services.nginx.virtualHosts."stream.owo.monster" = {
     forceSSL = true;
     enableACME = true;
     locations = {
       "/" = {
-        proxyPass = "http://127.0.0.1:8012";
+        proxyPass = "http://127.0.0.1:${toString ports.mpd-opus}";
         extraConfig = ''
           auth_basic "Music Password";
-          auth_basic_user_file /secrets/music-stream-passwd; 
+          auth_basic_user_file ${secrets-db.music_stream_passwd.path}; 
         '';
       };
       "/flac" = {
-        proxyPass = "http://127.0.0.1:8013";
+        proxyPass = "http://127.0.0.1:${toString ports.mpd-flac}";
         extraConfig = ''
           auth_basic "Music Password";
-          auth_basic_user_file /secrets/music-stream-passwd; 
+          auth_basic_user_file ${secrets-db.music_stream_passwd.path}; 
         '';
       };
     };

hosts/hetzner-vm/services/quassel.nix

@@ -4,16 +4,6 @@ _: {
     interfaces = [ "0.0.0.0" ];
   };
 
-  # needed so quassel can access SSL certs
-  # TODO: set up SSL
-  # users.groups.acme.members = [ "quassel" ];
-
-  # Not gonna serve anything there but shrug.
-  #services.nginx.virtualHosts."quassel.owo.monster" = {
-  #  forceSSL = true;
-  #  enableACME = true;
-  #};
-
   services.postgresql.ensureDatabases = [ "quassel" ];
   services.postgresql.ensureUsers = [{
     name = "quassel";

hosts/hetzner-vm/services/restic.nix

@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }:
 let
-
+  secrets-db = (import ../secrets-db.nix { });
   mail_config = (import ./mailserver/config.nix { });
 
   backupPrepareCommand = "${
@@ -27,10 +27,6 @@ in {
       # Quassel & Invidious
       "/var/backup/postgresql"
       "/home/quassel/.config/quassel-irc.org"
-      # MPD State
-      "/mpd"
-      # doesn't work for restoring might as well not backup
-      # "/var/lib/tailscale"
 
       # mail
       mail_config.vmail_config.directory
@@ -46,8 +42,8 @@ in {
     # repository is overrided in environmentFile to contain auth
     # make sure to keep up to date when changing repository
     repository = "rest:https://storage-restic.owo.monster/HetznerVM";
-    passwordFile = "/secrets/restic-Chaos-Backups-HetznerVM-password";
-    environmentFile = "/secrets/restic-Chaos-Backups-HetznerVM-env";
+    passwordFile = "${secrets-db.restic_password.path}";
+    environmentFile = "${secrets-db.restic_env.path}";
 
     timerConfig = {
       OnBootSec = "1m";

hosts/hetzner-vm/services/storage-sftp.nix

@@ -1,25 +0,0 @@
-_: {
-  services.vsftpd = {
-    enable = false;
-    extraConfig = ''
-      listen_port=4220
-      pasv_enable=Yes
-      pasv_min_port=51000
-      pasv_max_port=51999
-    '';
-    localUsers = true;
-    userlistEnable = true;
-    userlist = [ "ftp-user" ];
-    localRoot = "/storage";
-  };
-  users.users.ftp-user = {
-    isSystemUser = true;
-    group = "ftp-user";
-  };
-  users.groups.ftp-user = { };
-  networking.firewall.allowedTCPPortRanges = [{
-    from = 51000;
-    to = 51999;
-  }];
-  networking.firewall.allowedTCPPorts = [ 4220 ];
-}

hosts/lappy/profiles/mpd-music-sync.nix

@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-let passwordFile = "/secrets/mpd-music-sync-password";
-in {
-  systemd.tmpfiles.rules = [ "d /music 0755 mpd users -" ];
-  systemd.services.mpd-music-sync = {
-    startAt = "daily";
-    requires = [ "network.target" ];
-    after = [ "network.target" ];
-    path = [ pkgs.rclone ];
-    script = ''
-      export PASSWORD=$(cat ${passwordFile})
-      rclone sync :ftp:/storage/music /music \
-        --ftp-host=hetzner-vm.servers.owo.monster \
-        --ftp-port=4220 \
-        --ftp-user=ftp-user \
-        --ftp-pass=$(rclone obscure $PASSWORD)
-        chown mpd:users -R /music
-    '';
-  };
-}