feat: migrate all containers and hosts to sops

nix/os/devices/sj-vps-htz0: bump versions nix/os/devices/elias-e525: bump versions nix/os/devices/steveej-t14: bump versions nix/os/devices/justyna-p300: bump versions
2023-07-09 20:15:06 +02:00 · 2023-07-09 20:15:06 +02:00 · ea7caae226
commit ea7caae226
parent 4e0d0c3abd
25 changed files with 241 additions and 180 deletions
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -1,12 +1,11 @@
 {
+  repoFlake,
  hostAddress,
  localAddress,
  httpPort ? 80,
  httpsPort ? 443,
  autoStart ? false,
-}: let
-  passwords = import ../../variables/passwords.crypt.nix;
-in {
+}: {
  config = {
    config,
    pkgs,
@ -15,7 +14,11 @@ in {
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?

-    imports = [../profiles/containers/configuration.nix];
+    imports = [
+      ../profiles/containers/configuration.nix
+
+      repoFlake.inputs.sops-nix.nixosModules.sops
+    ];

    networking.firewall.enable = false;

@ -33,6 +36,12 @@ in {
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

+    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    sops.secrets.hedgedoc_environment_file = {
+      sopsFile = ./webserver_secrets.yaml;
+      owner = config.users.users.hedgedoc.name;
+    };
+
    services.nginx.enable = true;
    services.nginx.recommendedProxySettings = true;
    services.nginx.virtualHosts."www.stefanjunker.de" = {
@ -81,21 +90,26 @@ in {
        defaultPermission = "private";
        allowEmailRegister = false;

-        # oauth2 provider config
-        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
+        # these are set via the `environmentFile`
+        dropbox = {
+          appKey = "$DROPBOX_APPKEY";
+          clientID = "$DROPBOX_CLIENTID";
+          clientSecret = "$DROPBOX_CLIENTSECRET";
+        };

        uploadsPath = "/var/lib/hedgedoc/uploads";
      };
+
+      environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
    };
  };

  inherit autoStart;

  bindMounts = {
-    "/etc/secrets/" = {
-      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
-      isReadOnly = true;
-    };
+    # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
+    "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
+    "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;

    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";