From 117b69d39e161975a68db61526041d748dcf4c70 Mon Sep 17 00:00:00 2001 From: Colin Date: Wed, 8 Jun 2022 16:46:32 -0700 Subject: [PATCH] pleroma: port secrets to sops --- machines/uninsane/services/pleroma.nix | 26 +++++++++++++++----------- secrets/default.nix | 8 -------- secrets/uninsane.yaml | 5 +++-- 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/machines/uninsane/services/pleroma.nix b/machines/uninsane/services/pleroma.nix index ac7a5c4d..445afc28 100644 --- a/machines/uninsane/services/pleroma.nix +++ b/machines/uninsane/services/pleroma.nix @@ -1,21 +1,20 @@ # docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix # # to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix -{ pkgs, secrets, ... }: +{ config, pkgs, ... }: { services.pleroma.enable = true; - # TODO: we should write a config file somewhere outside the store... somehow. - services.pleroma.secretConfigFile = "/dev/null"; + services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path; services.pleroma.configs = [ '' import Config config :pleroma, Pleroma.Web.Endpoint, url: [host: "fed.uninsane.org", scheme: "https", port: 443], - http: [ip: {127, 0, 0, 1}, port: 4000], - secret_key_base: "${secrets.pleroma.secret_key_base}", - signing_salt: "${secrets.pleroma.signing_salt}" + http: [ip: {127, 0, 0, 1}, port: 4000] + # secret_key_base: "{secrets.pleroma.secret_key_base}", + # signing_salt: "{secrets.pleroma.signing_salt}" config :pleroma, :instance, name: "Perfectly Sane", @@ -46,7 +45,6 @@ config :pleroma, Pleroma.Repo, adapter: Ecto.Adapters.Postgres, username: "pleroma", - password: "${secrets.pleroma.db_password}", database: "pleroma", hostname: "localhost", pool_size: 10, 
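Review bot: The commented-out placeholders left behind in the Endpoint config (`# secret_key_base: "{secrets.pleroma.secret_key_base}"` and `# signing_salt: "{secrets.pleroma.signing_salt}"`) refer to a `secrets` attribute that is no longer a module argument after the signature change to `{ config, pkgs, ... }:`, so they are dead text that will presumably be baked into the store-side config the module builds from `services.pleroma.configs`. Since a world-readable store file is exactly why these values were moved out, replace the two dead lines with one comment that tells the next maintainer where they live and why they must not come back here: `# secret_key_base / signing_salt live in services.pleroma.secretConfigFile (sops secret "pleroma_secrets"); never inline them here, this string is written to the Nix store`. The same applies to the `# password:`, `# public_key:` / `# private_key:` and `# config :joken` placeholders later in the same string. The `configs` string this hunk edits continues past the end of the hunk.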
@@ -54,14 +52,15 @@ parameters: [ plan_cache_mode: "force_custom_plan" ] + # password: "{secrets.pleroma.db_password}", # Configure web push notifications config :web_push_encryption, :vapid_details, - subject: "mailto:notify.pleroma@uninsane.org", - public_key: "${secrets.pleroma.vapid_public_key}", - private_key: "${secrets.pleroma.vapid_private_key}" + subject: "mailto:notify.pleroma@uninsane.org" + # public_key: "{secrets.pleroma.vapid_public_key}", + # private_key: "{secrets.pleroma.vapid_private_key}" - config :joken, default_signer: "${secrets.pleroma.joken_default_signer}" + # config :joken, default_signer: "{secrets.pleroma.joken_default_signer}" config :pleroma, :database, rum_enabled: false config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static" @@ -124,4 +123,9 @@ # PrivateTmp = lib.mkForce false; # CapabilityBoundingSet = lib.mkForce "~"; # }; + + sops.secrets.pleroma_secrets = { + sopsFile = ../../../secrets/uninsane.yaml; + owner = config.users.users.pleroma.name; + }; } diff --git a/secrets/default.nix b/secrets/default.nix index 1e54fe37..fcf09788 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,12 +1,4 @@ { - # these would otherwise be found in 'pleroma.secret.exs' - pleroma.secret_key_base = ""; - pleroma.signing_salt = ""; - pleroma.db_password = ""; - pleroma.vapid_public_key = ""; - pleroma.vapid_private_key = ""; - pleroma.joken_default_signer = ""; - # keep this synchronized with the dovecot auth matrix-synapse.smtp_pass = ""; } // import ./local.nix diff --git a/secrets/uninsane.yaml b/secrets/uninsane.yaml index ca077ffc..0ad12f89 100644 --- a/secrets/uninsane.yaml +++ b/secrets/uninsane.yaml 
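Review bot: The new `sops.secrets.pleroma_secrets` declaration is consumed only at Pleroma startup through `services.pleroma.secretConfigFile`, but nothing ties the secret to `pleroma.service`, so re-encrypting the blob (for example to rotate the DB password or the VAPID private key it now carries) will change `/run/secrets/pleroma_secrets` on activation while the running instance keeps its old configuration. If the sops-nix version in use supports it, add `restartUnits = [ "pleroma.service" ];` next to `owner`. It is also worth documenting what this single opaque string must contain so the store-side `configs` and the encrypted file do not drift: a comment such as `# Elixir config fragment imported via services.pleroma.secretConfigFile: secret_key_base, signing_salt, Repo password, vapid keys, joken signer` above the declaration. The ownership is set to the pleroma user, which is what the module needs to read the file; the default sops-nix mode is presumably 0400, but stating `mode = "0400";` explicitly would make the intent visible. The enclosing attribute set starts outside this hunk.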
@@ -15,6 +15,7 @@ dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXI #ENC[AES256_GCM,data:1zQ8X9W4ZGquYEjEsN8YNLhwBt6kaRCKYMjM8GiZbKzsaqwt/cFk+4cC85+QKWF0FNlX38Uba7bI2FvC8fTIO8eoZ5VymJ9Du3NcExE1976FSIze44FhtkSKQkm/vQw5cb2sPNKBGFLSNV/IpdPu,iv:xwv2+Fns0k2STkS760v9p1XZ5s2HAz3wLb8xyIOGTGA=,tag:OGtHxQgyWxGKtg5I9nJAag==,type:comment] nix_serve_privkey: ENC[AES256_GCM,data:JlLuslwyjKARo3Mo36SeRz6ctVuV+jzDMXACekaGs/UjP+Jm8PoxZsWjMcN+qq0tJB9xGMfi7TKHDi+XnK2k60h+7+yDyeqJQfjID6axMYmgxYUivq4CugutFVB27FmDPljUs2M7CRqe1IHrdjc=,iv:1iQVr9rP80hHCRSVD95KW7bpOWj3oZReJAvqa9TllJ8=,tag:6DDGtHF4suOyy2kcnqSDsQ==,type:str] #ENC[AES256_GCM,data:cyptbs4VfXY4P4+W5e2LRZOHkpqvWzn2JEpV80w8cIaQ0lTZa/Hg7IwDNQcsYobmBFO2yLrKawHDKlDos2fMy0KgIhUrw4f8WksxdC06oMqS0mDtgA==,iv:StB34bvA8GWR+7nwOOpsiJ3yqGgeSg5frAgRMhff8nw=,tag:b1LYFzII2Ik1nmGXxgMZuw==,type:comment] +pleroma_secrets: ENC[AES256_GCM,data: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,iv:FmAx/D4u7XBysO53kbpl9ASnGwTD0w9wSi+9hqQOKl8=,tag:5pngKmp07l2KCjMXUgZqhw==,type:str] sops: kms: [] gcp_kms: [] @@ -48,8 +49,8 @@ sops: U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-06-08T23:22:55Z" - mac: ENC[AES256_GCM,data:jFaqskot1Zft5qKoJpaz/0sDSDldw7wIJi4DuUapgVLKKhTxb+gu8FM77bF8yxLqDdAWD2rOQFakFohPFeSLoKXRtVsJi5nrl8dPXdSmcbw7fvaFpeGVY3mX9EoSXyh7aS1lwllvpg0A4bXWaj6VfNbb3NIyXzuGpioVjY5PgXo=,iv:dmGSTtHeCyjQHkaM7oO9WhZSWwSXL2UD5HXm4PMMYsA=,tag:8qyb6RiYj77Hz614t/qGCg==,type:str] + lastmodified: "2022-06-08T23:43:45Z" + mac: ENC[AES256_GCM,data:COQ9icViCWzzIpOuY+4r/pWuVxOaplNf1OxxGdUG+MdFZix3JKOzKnAbiqTOAFY2PnbU2HAERTp9wtH1LN9LWdwNV/kU2q/SRls2xufvjmJ08tuqG1sjvKEk4BSXMXdEWCkZ3syS7DtluDwglg6SoGX+A33nntsP31EhnSn2V94=,iv:BkejtIVGm3S8+oKBetxf1gS9lUaVITIyd9DrlLdW2yA=,tag:EcSYhkx40l9787DTJoK3iQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3