marvin: Don't read auth tokens from plaintext
This commit is contained in:
parent
ad1236f9df
commit
0a06f9073c
6 changed files with 117 additions and 6 deletions
|
@ -111,6 +111,7 @@
|
|||
};
|
||||
in {
|
||||
packages.${system} = {
|
||||
"caddy" = pkgs.callPackage ./pkgs/caddy.nix {};
|
||||
"nerdfont-symbols" = pkgs.callPackage ./pkgs/nerdfont-symbols.nix {};
|
||||
"sway-launcher-desktop" = pkgs.callPackage ./pkgs/sway-launcher-desktop.nix {};
|
||||
"taskwarrior-tui" = pkgs.callPackage ./pkgs/taskwarrior-tui.nix {};
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
}: {
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
package = pkgs.callPackage ./custom-caddy.nix {
|
||||
plugins = ["github.com/caddy-dns/cloudflare"];
|
||||
package = pkgs.my-pkgs.caddy.overrideAttrs ( old:{
|
||||
plugins = ["github.com/caddy-dns/cloudflare" "github.com/greenpau/caddy-security"];
|
||||
vendorSha256 = "sha256-1SBOXv2RGLlTT/mguPjTASU5AeQNIVySgVMgvu5BH6w=";
|
||||
};
|
||||
});
|
||||
extraConfig = ''
|
||||
cache.mrhedgehog.xyz {
|
||||
tls {
|
||||
|
@ -29,5 +29,6 @@
|
|||
reverse_proxy http://localhost:4000
|
||||
}
|
||||
'';
|
||||
envFile = config.age.secrets.marvinCfToken.path;
|
||||
};
|
||||
}
|
||||
|
|
|
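Review bot: The `package = pkgs.my-pkgs.caddy.overrideAttrs ( old:{ plugins = [...]; vendorSha256 = ...; });` block in the first hunk of this file overrides attributes of the finished derivation, but in `pkgs/caddy.nix` both `plugins` and `vendorSha256` are function arguments — the `main` source with its blank plugin imports is built in the `let` binding before `buildGoModule` is called, and the go-modules fixed-output derivation takes `vendorSha256` at that same point — so, as far as I can tell, `overrideAttrs` changes neither and the resulting binary would lack `caddy-security`; use `package = pkgs.my-pkgs.caddy.override { plugins = [ "github.com/caddy-dns/cloudflare" "github.com/greenpau/caddy-security" ]; vendorSha256 = "<same hash as on the page>"; };` instead, assuming `pkgs.my-pkgs.caddy` is the `callPackage ./pkgs/caddy.nix {}` result added in the flake hunk. On the new `envFile = config.age.secrets.marvinCfToken.path;` line, agenix installs secrets owned by root with mode 0400 by default; since the service hunk sets `AmbientCapabilities = "CAP_NET_BIND_SERVICE"`, which suggests caddy runs as a non-root user, the secret presumably needs `age.secrets.marvinCfToken.owner` (or `group`/`mode`) set to that user, or the `--envfile` read fails at start. The `services.caddy` attribute set this hunk closes begins before the first hunk of the file.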
@ -85,7 +85,7 @@ in {
|
|||
};
|
||||
|
||||
package = mkOption {
|
||||
default = pkgs.caddy;
|
||||
default = pkgs.my-pkgs.caddy;
|
||||
defaultText = literalExpression "pkgs.caddy";
|
||||
type = types.package;
|
||||
description = ''
|
||||
|
@ -262,6 +262,22 @@ in {
|
|||
certificates.
|
||||
'';
|
||||
};
|
||||
|
||||
token = mkOption {
|
||||
default = "";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Cloudflare auth token. Suggested to not store this in plain text.
|
||||
'';
|
||||
|
||||
envFile = mkOption {
|
||||
default = /var/caddy/env;
|
||||
type = types.path;
|
||||
description = ''
|
||||
A file that caddy reads environment variables from.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# implementation
|
||||
|
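Review bot: Any value given to the new `token` option is interpolated into the unit file by the `Environment = "\"CF_API_TOKEN=${cfg.token}\"";` line in the later `serviceConfig` hunk, so it lands in the world-readable Nix store and the description's warning does not prevent that; with `envFile` now available the option is better removed, or at least emitted only when set, `Environment = mkIf (cfg.token != "") "\"CF_API_TOKEN=${cfg.token}\"";`. The `envFile` default is a path literal, `default = /var/caddy/env;`, and when a path value is interpolated into the `--envfile ${cfg.envFile}` argument Nix copies it into the store (or rejects the access under pure evaluation), so this wants a string default, `default = "/var/caddy/env";`. As rendered, no `};` closes `token = mkOption {` before `envFile = mkOption {` begins — the first `};` after the token description closes `envFile` — which would nest `envFile` inside the `token` option's attribute set instead of declaring `services.caddy.envFile`; worth checking against the file, as it may be a rendering artifact. The hard-coded value removed by the `Environment` hunk stays in git history and should be treated as exposed and rotated at Cloudflare. Separately, `defaultText = literalExpression "pkgs.caddy";` in the `package` hunk no longer matches the new default `pkgs.my-pkgs.caddy`.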
@ -303,7 +319,7 @@ in {
|
|||
serviceConfig = {
|
||||
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
|
||||
# If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
|
||||
ExecStart = ["" "${cfg.package}/bin/caddy run --config ${cfg.configFile} --adapter ${cfg.adapter} ${optionalString cfg.resume "--resume"}"];
|
||||
ExecStart = ["" "${cfg.package}/bin/caddy run --config ${cfg.configFile} --adapter ${cfg.adapter} ${optionalString cfg.resume "--resume"} --envfile ${cfg.envFile}"];
|
||||
ExecReload = ["" "${cfg.package}/bin/caddy reload --config ${cfg.configFile} --adapter ${cfg.adapter}"];
|
||||
|
||||
ExecStartPre = "${cfg.package}/bin/caddy validate --config ${cfg.configFile} --adapter ${cfg.adapter}";
|
||||
|
@ -320,7 +336,7 @@ in {
|
|||
PrivateDevices = true;
|
||||
ProtectHome = true;
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
Environment = "\"CF_API_TOKEN=2QOiKmpdSykKPJbCCdbnqR0hq4D9K_zzdiOeBM1P\"";
|
||||
Environment = "\"CF_API_TOKEN=${cfg.token}\"";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
59
pkgs/caddy.nix
Normal file
59
pkgs/caddy.nix
Normal file
|
@ -0,0 +1,59 @@
|
|||
{ lib, fetchFromGitHub, buildGoModule, plugins ? [], vendorSha256 ? "" }:
|
||||
|
||||
with lib;
|
||||
|
||||
let imports = flip concatMapStrings plugins (pkg: "\t\t\t_ \"${pkg}\"\n");
|
||||
|
||||
main = ''
|
||||
package main
|
||||
|
||||
import (
|
||||
caddycmd "github.com/caddyserver/caddy/v2/cmd"
|
||||
|
||||
_ "github.com/caddyserver/caddy/v2/modules/standard"
|
||||
${imports}
|
||||
)
|
||||
|
||||
func main() {
|
||||
caddycmd.Main()
|
||||
}
|
||||
'';
|
||||
|
||||
|
||||
in buildGoModule rec {
|
||||
pname = "caddy";
|
||||
version = "2.5.1";
|
||||
runVend = true;
|
||||
subPackages = [ "cmd/caddy" ];
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "caddyserver";
|
||||
repo = "caddy";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY=";
|
||||
};
|
||||
|
||||
inherit vendorSha256;
|
||||
|
||||
overrideModAttrs = (_: {
|
||||
preBuild = "echo '${main}' > cmd/caddy/main.go";
|
||||
postInstall = "cp go.sum go.mod $out/ && ls $out/";
|
||||
});
|
||||
|
||||
postPatch = ''
|
||||
echo '${main}' > cmd/caddy/main.go
|
||||
cat cmd/caddy/main.go
|
||||
'';
|
||||
|
||||
postConfigure = ''
|
||||
cp vendor/go.sum ./
|
||||
cp vendor/go.mod ./
|
||||
'';
|
||||
|
||||
meta = {
|
||||
homepage = https://caddyserver.com;
|
||||
description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
|
||||
license = licenses.asl20;
|
||||
maintainers = with maintainers; [ Br1ght0ne techknowlogick mrhedgehog ];
|
||||
};
|
||||
}
|
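Review bot: `homepage = https://caddyserver.com;` uses an unquoted URL literal, a deprecated Nix form that newer evaluators warn about; write `homepage = "https://caddyserver.com";`. The `ls $out/` in `postInstall = "cp go.sum go.mod $out/ && ls $out/";` and the `cat cmd/caddy/main.go` in `postPatch` read as debugging leftovers that only add build-log noise and can be dropped. A comment on the `plugins` argument stating that each entry is compiled in as a blank import written into `cmd/caddy/main.go`, and that `vendorSha256` must be recomputed whenever that list changes, would spare callers a failed fixed-output build.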
27
secrets/marvinCfToken.age
Normal file
27
secrets/marvinCfToken.age
Normal file
|
@ -0,0 +1,27 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa fFaiTA
|
||||
eO/2MjQ73Bk4nE1/Rm7FKY/4LJpxOMeXBhPD8qJLTNy0QJ8yP3ViAZ1sdrjiMDxM
|
||||
F6kaN7in+msSVMsLMnk5/4nvWDedJ7ZwP8xfqplK4h6B/wmdv31DTOvfDT7y/U0y
|
||||
KJD1hyVU7+2nELzeNJBfDpYewnbVuiQbOKsG2jQt80dqlu1TZ6TS6T8oyMiJMD4l
|
||||
B18QJKiiW8sqa1kzuJE9wFy+vWYej0EnuMrs14ZxZv/kvVx8UjGUbSuaVwwOr4/Z
|
||||
EhH0HS50WWV63BeekdBprL4Jcv7KzMw3Z89lh0o41tMgDiVodsbZqpfPd4d5pmI+
|
||||
1p9uv+IcKeJ4vq4N32x6G4MzuuK32QprvQbbI2vMIx/TAo/axJ1YRWlclMN4DGA2
|
||||
qqgJtwwwVa7uIZ+jyRofUNTpjk4ykJuEnWbsMEZYo/jzROpmq97Z9MNsdqF6onpz
|
||||
XglpOKUwyjYFwmJbBI6/aIOmb+1X4IRoLJdeu4YigKgNrPO2hoVlbsq/8BlCuxWK
|
||||
p2z390ku2av/pSbwigNfE05dpHN5DqKko7qQo/JlpV/nFs4WZvC4cPVNCseul3WS
|
||||
xQ1jewCNaNkedV+L40rLxaA3PQYb8cdfhqREduLFVjRRN/h3eaepdE3MblZpriGE
|
||||
7iaZxG4BXozWQSx4UzOJmxaN/ws3kHuO5hQ9/BNIWKY
|
||||
-> ssh-rsa mXlurQ
|
||||
WZHJgiKwuCaDpHCaxf2UEOdBKaLa6GFg48uqV0wDrsvY5uQ05lCYG5Fqf/WlJUMQ
|
||||
K+riYUGdVPObXkWDqjPP7OulBc5PlE/+u+pB7AssKfVqy0thZXSIyMixJ051DqhI
|
||||
tGEZbJ2z1CS7N7naM3uAvXODWMnd3s3gwyYAhz0a1WAjsizAtwsjBGPm/u1u7M2G
|
||||
/gJONIWLc6yN3d5jlFgCt1Yew0qD6QbGjA0LJYLN+1UCl/HXpYrbJKO1XtZBbAmA
|
||||
utw6XeMVP3OxEaF5iGadoomFzmg8Q7QzWIbr4ekR8YMPm0CYgQaP0A5TeNHu9puD
|
||||
IItF0O1C9Xk9xeiEcR9F74Er+ghFLZbVHtvuK2WB/KiEflVYIcXpFTLUO1biua+z
|
||||
1qE3WFi+qV6B8cETtsMKtQuA6aPIsR+E/D0xcp5vobhNqv8c7WWTexgCrS5OCxcz
|
||||
uFudS2sMefQtcGEk/M4F+NcqpbQNF5YhOZCL9BCMIh8ie9kAwbfRoC6uPoB9b49t
|
||||
|
||||
-> V-grease "=~];r
|
||||
QLouAtjBbzDfT9JDDCyGM4ACrlaTD9J/Kqkn
|
||||
--- lWq/maOlPCnPw2IjrT7rpEV+zBayGBrV4vBSpId8/K8
|
||||
¤8·E¾ãÜ«Ã(Y,’1“W÷%õw
QŒm&9]vî7ézV †³$õðAóêCD<43>Ô;8 ÁÇò0‡=p'¹<0B>.©ƒz£3ÈQmÍ™…ãÿY1ŸŸ|σ
|
7
secrets/secrets.nix
Normal file
7
secrets/secrets.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
let
|
||||
yubi = "ssh-rsa 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";
|
||||
backup = "ssh-rsa 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";
|
||||
me = [yubi backup];
|
||||
in {
|
||||
"marvinCfToken.age".publicKeys = me;
|
||||
}
|
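Review bot: Only the two admin keys `yubi` and `backup` are listed as `publicKeys` for `"marvinCfToken.age"`, and the encrypted file shows exactly two `ssh-rsa` recipient stanzas, so the host that consumes it through `config.age.secrets.marvinCfToken.path` presumably cannot decrypt it at activation — agenix decrypts with the host's identity, normally its SSH host key, unless `age.identityPaths` points at one of these keys. If the marvin host is meant to read it, add its host key as a recipient, e.g. `marvin = "ssh-ed25519 <marvin-host-key-placeholder>";` and `"marvinCfToken.age".publicKeys = me ++ [marvin];`, then re-key the file.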