marvin: Don't read auth tokens from plaintext

This commit is contained in:
Mr Hedgehog 2022-05-14 10:39:19 -04:00
parent ad1236f9df
commit 0a06f9073c
No known key found for this signature in database
GPG key ID: A5F69F6C161FDA7E
6 changed files with 117 additions and 6 deletions


@ -111,6 +111,7 @@
};
in {
packages.${system} = {
"caddy" = pkgs.callPackage ./pkgs/caddy.nix {};
"nerdfont-symbols" = pkgs.callPackage ./pkgs/nerdfont-symbols.nix {};
"sway-launcher-desktop" = pkgs.callPackage ./pkgs/sway-launcher-desktop.nix {};
"taskwarrior-tui" = pkgs.callPackage ./pkgs/taskwarrior-tui.nix {};


@ -5,10 +5,10 @@
}: {
services.caddy = {
enable = true;
package = pkgs.callPackage ./custom-caddy.nix {
plugins = ["github.com/caddy-dns/cloudflare"];
package = pkgs.my-pkgs.caddy.overrideAttrs ( old:{
plugins = ["github.com/caddy-dns/cloudflare" "github.com/greenpau/caddy-security"];
vendorSha256 = "sha256-1SBOXv2RGLlTT/mguPjTASU5AeQNIVySgVMgvu5BH6w=";
};
});
extraConfig = ''
cache.mrhedgehog.xyz {
tls {
@ -29,5 +29,6 @@
reverse_proxy http://localhost:4000
}
'';
envFile = config.age.secrets.marvinCfToken.path;
};
}
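Review bot: Reading L30–L34 as the new side, `overrideAttrs (old: { plugins = …; vendorSha256 = …; })` does not reach the values it is trying to change: in pkgs/caddy.nix (added in this commit) both `plugins` and `vendorSha256` are function arguments, `plugins` only feeds the `let imports = …` that generates main.go and `vendorSha256` is consumed by buildGoModule before overrideAttrs runs, so the resulting package most likely still lacks caddy-security and keeps the old vendor hash. The callPackage override is the one that works here: `package = pkgs.my-pkgs.caddy.override { plugins = [ "github.com/caddy-dns/cloudflare" "github.com/greenpau/caddy-security" ]; vendorSha256 = "sha256-1SBOXv2RGLlTT/mguPjTASU5AeQNIVySgVMgvu5BH6w="; };`. Separately, `envFile = config.age.secrets.marvinCfToken.path` hands the file to caddy's own `--envfile`, so the caddy service user has to be able to read it; agenix secrets default to root-owned mode 0400, so the `age.secrets.marvinCfToken` declaration (not in this diff) needs an `owner`/`mode` matching the service user, or the module should feed the file through systemd `EnvironmentFile=`, which is read before privileges are dropped.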


@ -85,7 +85,7 @@ in {
};
package = mkOption {
default = pkgs.caddy;
default = pkgs.my-pkgs.caddy;
defaultText = literalExpression "pkgs.caddy";
type = types.package;
description = ''
@ -262,6 +262,22 @@ in {
certificates.
'';
};
token = mkOption {
default = "";
type = types.str;
description = ''
Cloudflare auth token. Suggested to not store this in plain text.
'';
envFile = mkOption {
default = /var/caddy/env;
type = types.path;
description = ''
A file that caddy reads environment variables from.
'';
};
};
};
# implementation
@ -303,7 +319,7 @@ in {
serviceConfig = {
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
# If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
ExecStart = ["" "${cfg.package}/bin/caddy run --config ${cfg.configFile} --adapter ${cfg.adapter} ${optionalString cfg.resume "--resume"}"];
ExecStart = ["" "${cfg.package}/bin/caddy run --config ${cfg.configFile} --adapter ${cfg.adapter} ${optionalString cfg.resume "--resume"} --envfile ${cfg.envFile}"];
ExecReload = ["" "${cfg.package}/bin/caddy reload --config ${cfg.configFile} --adapter ${cfg.adapter}"];
ExecStartPre = "${cfg.package}/bin/caddy validate --config ${cfg.configFile} --adapter ${cfg.adapter}";
@ -320,7 +336,7 @@ in {
PrivateDevices = true;
ProtectHome = true;
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
Environment = "\"CF_API_TOKEN=2QOiKmpdSykKPJbCCdbnqR0hq4D9K_zzdiOeBM1P\"";
Environment = "\"CF_API_TOKEN=${cfg.token}\"";
};
};
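Review bot: The new `Environment = "\"CF_API_TOKEN=${cfg.token}\""` line still interpolates whatever `cfg.token` is set to into the systemd unit, which lands in the world-readable Nix store, so the `token` option cannot honour its own "not in plain text" description; and with the default `""` the unit exports an empty `CF_API_TOKEN` that may or may not be overridden by the value caddy loads from `--envfile`. The simpler and safer shape is to drop the `token` option and the `Environment` line, remove `--envfile ${cfg.envFile}` from `ExecStart`, and add `EnvironmentFile = cfg.envFile;` to `serviceConfig` so systemd reads the secret as root and the file can stay 0400 root-owned. The removed line in the last hunk contained what looks like a live Cloudflare API token; it remains in git history, so it should be revoked and reissued regardless of this change. In the first hunk `defaultText = literalExpression "pkgs.caddy"` no longer matches the new default `pkgs.my-pkgs.caddy`. The enclosing option and service definitions start and end outside these hunks.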

59
pkgs/caddy.nix Normal file

@ -0,0 +1,59 @@
{ lib, fetchFromGitHub, buildGoModule, plugins ? [], vendorSha256 ? "" }:
with lib;
let imports = flip concatMapStrings plugins (pkg: "\t\t\t_ \"${pkg}\"\n");
main = ''
package main
import (
caddycmd "github.com/caddyserver/caddy/v2/cmd"
_ "github.com/caddyserver/caddy/v2/modules/standard"
${imports}
)
func main() {
caddycmd.Main()
}
'';
in buildGoModule rec {
pname = "caddy";
version = "2.5.1";
runVend = true;
subPackages = [ "cmd/caddy" ];
src = fetchFromGitHub {
owner = "caddyserver";
repo = "caddy";
rev = "v${version}";
sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY=";
};
inherit vendorSha256;
overrideModAttrs = (_: {
preBuild = "echo '${main}' > cmd/caddy/main.go";
postInstall = "cp go.sum go.mod $out/ && ls $out/";
});
postPatch = ''
echo '${main}' > cmd/caddy/main.go
cat cmd/caddy/main.go
'';
postConfigure = ''
cp vendor/go.sum ./
cp vendor/go.mod ./
'';
meta = {
homepage = https://caddyserver.com;
description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
license = licenses.asl20;
maintainers = with maintainers; [ Br1ght0ne techknowlogick mrhedgehog ];
};
}
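Review bot: The plugin import paths written into main.go carry no version (`_ "${pkg}"` becomes e.g. `_ "github.com/greenpau/caddy-security"`), so which release of each plugin gets vendored is whatever the module phase resolves when `vendorSha256` is first computed; the hash pins the result, but nothing in the repository records the versions, which makes a later hash regeneration or an audit of what was built hard. Consider pinning in the modules phase, for example running `go get <plugin>@<version>` for each plugin in the `overrideModAttrs` `preBuild` before vendoring, or accepting `plugins` as attrsets with a `version` field. `homepage = https://caddyserver.com;` uses the deprecated unquoted URL literal and should be a quoted string. The `cat cmd/caddy/main.go` in `postPatch` and `ls $out/` in `postInstall` look like leftover debugging output.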

27
secrets/marvinCfToken.age Normal file

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-rsa fFaiTA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-> ssh-rsa mXlurQ
WZHJgiKwuCaDpHCaxf2UEOdBKaLa6GFg48uqV0wDrsvY5uQ05lCYG5Fqf/WlJUMQ
K+riYUGdVPObXkWDqjPP7OulBc5PlE/+u+pB7AssKfVqy0thZXSIyMixJ051DqhI
tGEZbJ2z1CS7N7naM3uAvXODWMnd3s3gwyYAhz0a1WAjsizAtwsjBGPm/u1u7M2G
/gJONIWLc6yN3d5jlFgCt1Yew0qD6QbGjA0LJYLN+1UCl/HXpYrbJKO1XtZBbAmA
utw6XeMVP3OxEaF5iGadoomFzmg8Q7QzWIbr4ekR8YMPm0CYgQaP0A5TeNHu9puD
IItF0O1C9Xk9xeiEcR9F74Er+ghFLZbVHtvuK2WB/KiEflVYIcXpFTLUO1biua+z
1qE3WFi+qV6B8cETtsMKtQuA6aPIsR+E/D0xcp5vobhNqv8c7WWTexgCrS5OCxcz
uFudS2sMefQtcGEk/M4F+NcqpbQNF5YhOZCL9BCMIh8ie9kAwbfRoC6uPoB9b49t
-> V-grease "=~];r
QLouAtjBbzDfT9JDDCyGM4ACrlaTD9J/Kqkn
--- lWq/maOlPCnPw2IjrT7rpEV+zBayGBrV4vBSpId8/K8
¤8·E¾ãÜ«Ã(Y,1“W÷%õw QŒm&9]vî7ézV †³$õðêCD<43>Ô;8 ÁÇò0‡=p'¹ <0B>.©ƒz£3ÈQmÍ™…ãÿY1ŸŸ|σ

7
secrets/secrets.nix Normal file

@ -0,0 +1,7 @@
let
yubi = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw==";
backup = "ssh-rsa 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";
me = [yubi backup];
in {
"marvinCfToken.age".publicKeys = me;
}
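Review bot: `"marvinCfToken.age".publicKeys = me;` lists only the two personal keys (`yubi`, `backup`) as recipients; agenix decrypts on the target host with that machine's SSH host keys, so unless one of these two is actually marvin's host key the secret cannot be decrypted at activation and the path the caddy config points at will be missing on the box. Add the host key as a recipient, e.g. `marvin = "ssh-ed25519 <marvin-host-public-key>";` and `"marvinCfToken.age".publicKeys = me ++ [ marvin ];` (placeholder key, to be filled from the host's /etc/ssh), and re-encrypt the .age file. The `age.secrets.marvinCfToken` declaration that sets `file`, `owner` and `mode` is not part of this diff; without an owner/mode matching the caddy service user the decrypted file stays root-only and unreadable by caddy's `--envfile`.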