From 0a06f9073c5acf64f51e0b86df55d84c714b366a Mon Sep 17 00:00:00 2001
From: Mr Hedgehog
Date: Sat, 14 May 2022 10:39:19 -0400
Subject: [PATCH] marvin: Don't read auth tokens from plaintext
---
 flake.nix | 1 +
 hosts/marvin/services/caddy.nix | 7 ++--
 modules/caddy.nix | 22 ++++++++++--
 pkgs/caddy.nix | 59 +++++++++++++++++++++++++++++++++
 secrets/marvinCfToken.age | 27 +++++++++++++++
 secrets/secrets.nix | 7 ++++
 6 files changed, 117 insertions(+), 6 deletions(-)
 create mode 100644 pkgs/caddy.nix
 create mode 100644 secrets/marvinCfToken.age
 create mode 100644 secrets/secrets.nix
diff --git a/flake.nix b/flake.nix
index 1af289f..2bf334f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -111,6 +111,7 @@
 };
 in {
 packages.${system} = {
+ "caddy" = pkgs.callPackage ./pkgs/caddy.nix {};
 "nerdfont-symbols" = pkgs.callPackage ./pkgs/nerdfont-symbols.nix {};
 "sway-launcher-desktop" = pkgs.callPackage ./pkgs/sway-launcher-desktop.nix {};
 "taskwarrior-tui" = pkgs.callPackage ./pkgs/taskwarrior-tui.nix {};
diff --git a/hosts/marvin/services/caddy.nix b/hosts/marvin/services/caddy.nix
index 67abd2c..5f2f60d 100644
--- a/hosts/marvin/services/caddy.nix
+++ b/hosts/marvin/services/caddy.nix
@@ -5,10 +5,10 @@
 }: {
 services.caddy = {
 enable = true;
- package = pkgs.callPackage ./custom-caddy.nix {
- plugins = ["github.com/caddy-dns/cloudflare"];
+ package = pkgs.my-pkgs.caddy.overrideAttrs ( old:{
+ plugins = ["github.com/caddy-dns/cloudflare" "github.com/greenpau/caddy-security"];
 vendorSha256 = "sha256-1SBOXv2RGLlTT/mguPjTASU5AeQNIVySgVMgvu5BH6w=";
- };
+ });
 extraConfig = ''
 cache.mrhedgehog.xyz {
 tls {
@@ -29,5 +29,6 @@
 reverse_proxy http://localhost:4000
 }
 '';
+ envFile = config.age.secrets.marvinCfToken.path;
 };
 }
diff --git a/modules/caddy.nix b/modules/caddy.nix
index 4fc8987..35ea56f 100644
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
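Review bot: In the first hosts/marvin/services/caddy.nix hunk, `overrideAttrs` cannot change `plugins` or `vendorSha256`, because both are arguments of pkgs/caddy.nix that are consumed while the derivation is being defined (`plugins` feeds the generated main.go, `vendorSha256` goes into buildGoModule's vendored-modules derivation), whereas `overrideAttrs` only rewrites the attribute set handed to the final mkDerivation; the binary is therefore built with the default empty plugin list, and a `tls` block that presumably relies on the cloudflare DNS module will fail at runtime. Since the package comes from `callPackage`, use its `.override` instead: `package = pkgs.my-pkgs.caddy.override {`, keep the two attributes, and close with `};`; the unused `old:` parameter disappears with it. In the second hunk, `envFile = config.age.secrets.marvinCfToken.path` needs `config` among the function's arguments, which sit above line 5 and outside the hunk, so confirm it is bound there.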
@@ -85,7 +85,7 @@ in {
 };
 package = mkOption {
- default = pkgs.caddy;
+ default = pkgs.my-pkgs.caddy;
 defaultText = literalExpression "pkgs.caddy";
 type = types.package;
 description = ''
@@ -262,6 +262,22 @@ in {
 certificates.
 '';
 };
+
+ token = mkOption {
+ default = "";
+ type = types.str;
+ description = ''
+ Cloudflare auth token. Suggested to not store this in plain text.
+ '';
+
+ envFile = mkOption {
+ default = /var/caddy/env;
+ type = types.path;
+ description = ''
+ A file that caddy reads environment variables from.
+ '';
+ };
+ };
 };
 # implementation
@@ -303,7 +319,7 @@ in {
 serviceConfig = {
 # https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
 # If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
- ExecStart = ["" "${cfg.package}/bin/caddy run --config ${cfg.configFile} --adapter ${cfg.adapter} ${optionalString cfg.resume "--resume"}"];
+ ExecStart = ["" "${cfg.package}/bin/caddy run --config ${cfg.configFile} --adapter ${cfg.adapter} ${optionalString cfg.resume "--resume"} --envfile ${cfg.envFile}"];
 ExecReload = ["" "${cfg.package}/bin/caddy reload --config ${cfg.configFile} --adapter ${cfg.adapter}"];
 ExecStartPre = "${cfg.package}/bin/caddy validate --config ${cfg.configFile} --adapter ${cfg.adapter}";
@@ -320,7 +336,7 @@ in {
 PrivateDevices = true;
 ProtectHome = true;
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
- Environment = "\"CF_API_TOKEN=2QOiKmpdSykKPJbCCdbnqR0hq4D9K_zzdiOeBM1P\"";
+ Environment = "\"CF_API_TOKEN=${cfg.token}\"";
 };
 };
diff --git a/pkgs/caddy.nix b/pkgs/caddy.nix
new file mode 100644
index 0000000..5768f64
--- /dev/null
+++ b/pkgs/caddy.nix
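Review bot: `defaultText = literalExpression "pkgs.caddy"` no longer matches the new default on the line above it, so the generated option docs will show the wrong expression; change it to `defaultText = literalExpression "pkgs.my-pkgs.caddy";`. The new default also makes the module depend on a `my-pkgs` attribute that no hunk in this patch defines, presumably an overlay elsewhere in the repo, so it is worth a comment on the option saying where that attribute comes from.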
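Review bot: In the `@@ -262,6 +262,22 @@` hunk the `token = mkOption {` attribute set is never closed before `envFile = mkOption {` begins, so `envFile` ends up as an argument of the `token` mkOption call; mkOption takes a fixed argument set and will reject the unexpected `envFile` argument, and `cfg.envFile`, which the `ExecStart` hunk relies on, is never declared at the top level. Add `+ };` after the `'';` that ends the token description and drop one of the two `};` lines at the end of the insertion. Separately, `default = /var/caddy/env;` is a Nix path literal: interpolating a path into a string, as `--envfile ${cfg.envFile}` does, copies the file into the world-readable Nix store at evaluation time (or fails when it does not exist), which would defeat the purpose of keeping the token out of plaintext; use the string `default = "/var/caddy/env";`, which `types.path` accepts.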
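Review bot: In the `@@ -303,7 +319,7 @@` hunk only `ExecStart` gains `--envfile`, while `ExecStartPre` still runs `caddy validate` without it, so a config that references the variable through an `{env.CF_API_TOKEN}` placeholder is validated with the variable unset; whether that is merely misleading or fails outright depends on the DNS module, but passing the same flag keeps validate and run consistent: `ExecStartPre = "${cfg.package}/bin/caddy validate --config ${cfg.configFile} --adapter ${cfg.adapter} --envfile ${cfg.envFile}";`. The flag is also passed unconditionally, so with the `/var/caddy/env` default the service presumably refuses to start on a host where that file is absent; either document that the file must exist or guard the flag on the option being set.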
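Review bot: In the `@@ -320,7 +336,7 @@` hunk `Environment = "\"CF_API_TOKEN=${cfg.token}\""` still interpolates the option value into the systemd unit, which lives in the world-readable Nix store, so anyone who sets `services.caddy.token` recreates exactly the plaintext exposure the commit title sets out to remove; with the default it instead sets an empty `CF_API_TOKEN` that the `--envfile` contents must then win over. Since the patch already provides `envFile`, drop the `Environment` line (and the `token` option in the earlier hunk) rather than keep two mechanisms that disagree. The removed line also leaves an API token in repository history; that value should be treated as compromised and rotated on the Cloudflare side regardless of this change.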
@@ -0,0 +1,59 @@
+{ lib, fetchFromGitHub, buildGoModule, plugins ? [], vendorSha256 ? "" }:
+
+with lib;
+
+let imports = flip concatMapStrings plugins (pkg: "\t\t\t_ \"${pkg}\"\n");
+
+ main = ''
+ package main
+
+ import (
+ caddycmd "github.com/caddyserver/caddy/v2/cmd"
+
+ _ "github.com/caddyserver/caddy/v2/modules/standard"
+${imports}
+ )
+
+ func main() {
+ caddycmd.Main()
+ }
+ '';
+
+
+in buildGoModule rec {
+ pname = "caddy";
+ version = "2.5.1";
+ runVend = true;
+ subPackages = [ "cmd/caddy" ];
+
+ src = fetchFromGitHub {
+ owner = "caddyserver";
+ repo = "caddy";
+ rev = "v${version}";
+ sha256 = "sha256-xNCxzoNpXkj8WF9+kYJfO18ux8/OhxygkGjA49+Q4vY=";
+ };
+
+ inherit vendorSha256;
+
+ overrideModAttrs = (_: {
+ preBuild = "echo '${main}' > cmd/caddy/main.go";
+ postInstall = "cp go.sum go.mod $out/ && ls $out/";
+ });
+
+ postPatch = ''
+ echo '${main}' > cmd/caddy/main.go
+ cat cmd/caddy/main.go
+ '';
+
+ postConfigure = ''
+ cp vendor/go.sum ./
+ cp vendor/go.mod ./
+ '';
+
+ meta = {
+ homepage = https://caddyserver.com;
+ description = "Fast, cross-platform HTTP/2 web server with automatic HTTPS";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ Br1ght0ne techknowlogick mrhedgehog ];
+ };
+}
diff --git a/secrets/marvinCfToken.age b/secrets/marvinCfToken.age
new file mode 100644
index 0000000..28a9b21
--- /dev/null
+++ b/secrets/marvinCfToken.age
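Review bot: `vendorSha256 ? ""` on the first line, combined with `inherit vendorSha256;`, means the plain `callPackage ./pkgs/caddy.nix {}` that flake.nix now exports produces a fixed-output modules derivation with an empty hash, which Nix rejects as soon as anyone builds `packages.<system>.caddy`; either make the argument required or add a header comment stating that callers must `.override` both `plugins` and `vendorSha256`, since the hash changes with the plugin list. `homepage = https://caddyserver.com;` is an unquoted URL literal, which newer Nix deprecates; write `homepage = "https://caddyserver.com";`. The `cat cmd/caddy/main.go` in `postPatch` and the `&& ls $out/` in `postInstall` look like leftover debug output. Each plugin name is spliced unescaped into Go source and into a single-quoted shell `echo`, so a plugin string containing a quote or newline would break the generated file; the list is maintainer-controlled, but writing `main` with `writeText` instead of `echo` would remove the shell layer entirely.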
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-rsa fFaiTA +eO/2MjQ73Bk4nE1/Rm7FKY/4LJpxOMeXBhPD8qJLTNy0QJ8yP3ViAZ1sdrjiMDxM +F6kaN7in+msSVMsLMnk5/4nvWDedJ7ZwP8xfqplK4h6B/wmdv31DTOvfDT7y/U0y +KJD1hyVU7+2nELzeNJBfDpYewnbVuiQbOKsG2jQt80dqlu1TZ6TS6T8oyMiJMD4l +B18QJKiiW8sqa1kzuJE9wFy+vWYej0EnuMrs14ZxZv/kvVx8UjGUbSuaVwwOr4/Z +EhH0HS50WWV63BeekdBprL4Jcv7KzMw3Z89lh0o41tMgDiVodsbZqpfPd4d5pmI+ +1p9uv+IcKeJ4vq4N32x6G4MzuuK32QprvQbbI2vMIx/TAo/axJ1YRWlclMN4DGA2 +qqgJtwwwVa7uIZ+jyRofUNTpjk4ykJuEnWbsMEZYo/jzROpmq97Z9MNsdqF6onpz +XglpOKUwyjYFwmJbBI6/aIOmb+1X4IRoLJdeu4YigKgNrPO2hoVlbsq/8BlCuxWK +p2z390ku2av/pSbwigNfE05dpHN5DqKko7qQo/JlpV/nFs4WZvC4cPVNCseul3WS +xQ1jewCNaNkedV+L40rLxaA3PQYb8cdfhqREduLFVjRRN/h3eaepdE3MblZpriGE +7iaZxG4BXozWQSx4UzOJmxaN/ws3kHuO5hQ9/BNIWKY +-> ssh-rsa mXlurQ +WZHJgiKwuCaDpHCaxf2UEOdBKaLa6GFg48uqV0wDrsvY5uQ05lCYG5Fqf/WlJUMQ +K+riYUGdVPObXkWDqjPP7OulBc5PlE/+u+pB7AssKfVqy0thZXSIyMixJ051DqhI +tGEZbJ2z1CS7N7naM3uAvXODWMnd3s3gwyYAhz0a1WAjsizAtwsjBGPm/u1u7M2G +/gJONIWLc6yN3d5jlFgCt1Yew0qD6QbGjA0LJYLN+1UCl/HXpYrbJKO1XtZBbAmA +utw6XeMVP3OxEaF5iGadoomFzmg8Q7QzWIbr4ekR8YMPm0CYgQaP0A5TeNHu9puD +IItF0O1C9Xk9xeiEcR9F74Er+ghFLZbVHtvuK2WB/KiEflVYIcXpFTLUO1biua+z +1qE3WFi+qV6B8cETtsMKtQuA6aPIsR+E/D0xcp5vobhNqv8c7WWTexgCrS5OCxcz +uFudS2sMefQtcGEk/M4F+NcqpbQNF5YhOZCL9BCMIh8ie9kAwbfRoC6uPoB9b49t + +-> V-grease "=~];r +QLouAtjBbzDfT9JDDCyGM4ACrlaTD9J/Kqkn +--- lWq/maOlPCnPw2IjrT7rpEV+zBayGBrV4vBSpId8/K8 +8Eܫ(Y,1W%w Qm&9]v7zV$ACD;80=p' .z3Qm͙Y1|σ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..ee42b04 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,7 @@ +let + yubi = "ssh-rsa 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"; + backup = "ssh-rsa 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"; + me = [yubi backup]; +in { + "marvinCfToken.age".publicKeys = me; +}
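Review bot: In secrets/secrets.nix `"marvinCfToken.age".publicKeys = me` lists only the two personal keys `yubi` and `backup`, and the encrypted file carries two `ssh-rsa` recipient stanzas to match; agenix decrypts secrets on the target host with that host's SSH host key, so unless one of those two keys is marvin's host key, the `config.age.secrets.marvinCfToken.path` that hosts/marvin/services/caddy.nix now references cannot be produced at activation. If that is the case, add the host key and include it in the recipient list, for example `marvin = "ssh-ed25519 <MARVIN_HOST_KEY_PLACEHOLDER>";` and `"marvinCfToken.age".publicKeys = me ++ [marvin];`, then re-encrypt the file. A short comment on `me` saying these are the operator's keys used for editing would also help the next reader.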