From 2df8c52bcb1943751f4701cefac48be9142a739c Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Sun, 15 Oct 2023 03:35:35 +0200
Subject: [PATCH] secrets in domeneshop-updater
---
 .sops.yaml | 37 ++++++++++------
 README.md | 2 +-
 profiles/domeneshop-dyndns/default.nix | 32 +++++++++----
 secrets/dns.yaml | 59 ++++++++++++++++++++++++++
 4 files changed, 107 insertions(+), 23 deletions(-)
 create mode 100644 secrets/dns.yaml
diff --git a/.sops.yaml b/.sops.yaml
index d6f1633..3ed09f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,25 +1,38 @@
-key:
+# sops updatekeys
+keys: # https://github.com/getsops/sops/pull/1123
+ user_pbsds: &user_pbsds
 # test -s ~/.config/sops/age/keys.txt || ( mkdir -p ~/.config/sops/age; age-keygen -o ~/.config/sops/age/keys.txt >/dev/null ); age-keygen -y ~/.config/sops/age/keys.txt
 - &user_pbsds_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
 - &user_pbsds_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+ hosts: &hosts
 # ssh host cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
 - &host_sopp age1zvqjaanff7x3f2a7853sd9ylna99khw4x6qfpf6am4yupsc44phsr2vfy3
 - &host_nox age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7
 - &host_bolle age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg
 - &host_garp age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf
 - &host_nord age19xrvt0gjl4fcfjyy62mrl9uuzrq9e0wgemtkykr07ewz7nqn9cwshngel5
+# https://github.com/getsops/sops#key-groups
 creation_rules:
-# # global
-# - path_regex: secrets/default.yaml$
-# key_groups:
-# - age:
-# - *user_pbsds_sopp
-# - *user_pbsds_nord
-# - *host_sopp
-# - *host_nox
-# - *host_bolle
-# - *host_garp
-# - *host_nord
+ # global
+ - path_regex: secrets/default.yaml$
+ key_groups:
+ - age:
+ - *user_pbsds_sopp
+ - *user_pbsds_nord
+ - *host_sopp
+ - *host_nox
+ - *host_bolle
+ - *host_garp
+ - *host_nord
+ # dns
+ - path_regex: secrets/dns.yaml$
+ key_groups:
+ - age:
+ - *user_pbsds_sopp
+ - *user_pbsds_nord
+ - *host_nox
+ - *host_bolle
+ - *host_garp
 # sopp only
 - path_regex: secrets/sopp(/[^/]+)?\.yaml$
 key_groups:
diff --git a/README.md b/README.md
index cb67a2d..13e3736 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,7 @@
 * [x] flexget
 * [ ] transmission
 * [ ] transmission remote gui
- * [ ] domeneshop
+ * [x] domeneshop
 * [ ] webdav
 * [ ] code-remote
 * [ ] add .netrc
diff --git a/profiles/domeneshop-dyndns/default.nix b/profiles/domeneshop-dyndns/default.nix
index e8d2618..7440f02 100644
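Review bot: The new `secrets/dns.yaml` rule encrypts the Domeneshop token and secret to three hosts (`host_nox`, `host_bolle`, `host_garp`) on top of both user keys, so a root compromise or a leaked `/etc/ssh/ssh_host_ed25519_key` on any one of them yields the credential; that pair is sent as HTTP basic auth by the updater and nothing in the diff scopes it per host, so it presumably unlocks whatever the account's API allows, not only that host's record. Keep the recipient list to the hosts that actually set `services.domeneshop-updater.targets` (whether all three do is outside this diff) and state the blast radius next to the rule, e.g. `# dns: one shared API credential; every listed host can use it for any record — rotate it at domene.shop if one of them is compromised`. Any later change to this recipient list also needs the `sops updatekeys secrets/dns.yaml` step the top comment hints at, otherwise the committed file's recipients silently drift from this rule.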
--- a/profiles/domeneshop-dyndns/default.nix
+++ b/profiles/domeneshop-dyndns/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, inputs, ... }:
 let
 cfg = config.services.domeneshop-updater;
 in
@@ -12,7 +12,18 @@ in
 };
 };
- config = {
+ config = lib.mkIf (cfg.targets != []) {
+
+ users.users.domeneshop.isSystemUser = true;
+ users.users.domeneshop.group = "domeneshop";
+ users.groups.domeneshop = {};
+
+ sops.secrets."domeneshop/token".sopsFile = "${inputs.self}/secrets/dns.yaml";
+ sops.secrets."domeneshop/token".owner = "domeneshop";
+ sops.secrets."domeneshop/token".group = "domeneshop";
+ sops.secrets."domeneshop/secret".sopsFile = "${inputs.self}/secrets/dns.yaml";
+ sops.secrets."domeneshop/secret".owner = "domeneshop";
+ sops.secrets."domeneshop/secret".group = "domeneshop";
 systemd.services.domeneshop-updater = {
 description = "domene.shop dyndns domain updater";
@@ -24,14 +35,18 @@ in
 name = "domeneshop-dyndns-updater.sh";
 runtimeInputs = with pkgs; [ curl yq ];
 text = ''
- test -s /var/lib/secrets/domeneshop.toml || {
- >&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!"
+ test -s /run/secrets/domeneshop/token || {
+ >&2 echo "ERROR: /run/secrets/domeneshop/token not found!"
 exit 1
 }
- DOMENESHOP_TOKEN="$( tomlq &2 echo "ERROR: /run/secrets/domeneshop/secret not found!"
+ exit 1
+ }
+ DOMENESHOP_TOKEN="$( cat /run/secrets/domeneshop/token)"
+ DOMENESHOP_SECRET="$(cat /run/secrets/domeneshop/secret)"
 ${lib.concatMapStringsSep "\n" (target: ''
- curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=${target}
+ curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname="${target}"
 '') cfg.targets}
 '';
 };
@@ -52,9 +67,6 @@ in
 Unit = "domeneshop-updater.service";
 };
 };
- users.users.domeneshop.isSystemUser = true;
- users.users.domeneshop.group = "domeneshop";
- users.groups.domeneshop = {};
 };
 }
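Review bot: `inputs` becomes a required argument of this module on the signature line, but nothing records that the flake has to inject it (typically via `specialArgs`), so evaluating the module anywhere that does not pass it now fails on the argument set rather than with a message about the missing secrets file. A one-line comment on the signature would save the next reader the hunt: `# 'inputs' (flake inputs, incl. self) must be supplied via specialArgs; used to locate secrets/dns.yaml`. The `let … in` opened in this hunk continues past it.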
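Review bot: The six `sops.secrets."domeneshop/…"` lines set owner and group but leave the file mode implicit, and nothing visible in this hunk ties the ownership to the unit that reads the files — the `serviceConfig.User` that makes `owner = "domeneshop"` meaningful lies between this hunk and the next, so I could not confirm the service actually runs as that user. Making the mode explicit (sops-nix's default is, as far as I recall, `0400`, so this only pins what is presumably already the case) and generating both entries from one attrset removes the duplication and the chance of the two secrets drifting apart. The `config = lib.mkIf …` attrset opened here closes outside the hunk.
```nix
  config = lib.mkIf (cfg.targets != []) {
    # … unchanged: service account users/groups …
    # Both halves of the Domeneshop credential come from the same sops file and
    # must be readable only by the service user (mode 0400, owner domeneshop).
    sops.secrets = lib.genAttrs [ "domeneshop/token" "domeneshop/secret" ] (_: {
      sopsFile = "${inputs.self}/secrets/dns.yaml";
      owner = "domeneshop";
      group = "domeneshop";
      mode = "0400";
    });
    # … unchanged: systemd.services.domeneshop-updater …
```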
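Review bot: The `curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/…` line puts both halves of the API credential into curl's argv, where any local user can read them via `/proc/<pid>/cmdline` (`ps`) for the duration of each request, once per target; the quoting added around `${target}` does not change that. Feeding the credential to curl as a config on stdin keeps it out of argv, and `--fail` makes an HTTP 401/403 (for instance after the token is rotated) fail the unit instead of exiting 0 — at present the only failure the script can report is a missing secret file. The config-file form assumes the token and secret contain no `"` or `\`; if they can, write a netrc into a private runtime directory instead. `yq` in `runtimeInputs` is now dead weight since the `tomlq` calls are gone. The `text = ''` string and what looks like the enclosing `writeShellApplication` attrset continue outside the hunk.
```nix
      DOMENESHOP_TOKEN="$(cat /run/secrets/domeneshop/token)"
      DOMENESHOP_SECRET="$(cat /run/secrets/domeneshop/secret)"
      ${lib.concatMapStringsSep "\n" (target: ''
        # credential reaches curl via a config on stdin, not argv (argv is world-readable in /proc)
        printf 'user = "%s:%s"\n' "$DOMENESHOP_TOKEN" "$DOMENESHOP_SECRET" \
          | curl --fail --silent --show-error --config - \
              "https://api.domeneshop.no/v0/dyndns/update?hostname=${target}"
      '') cfg.targets}
```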
diff --git a/secrets/dns.yaml b/secrets/dns.yaml
new file mode 100644
index 0000000..8ce5b6f
--- /dev/null
+++ b/secrets/dns.yaml
@@ -0,0 +1,59 @@ +domeneshop: + token: ENC[AES256_GCM,data:oBI/EV6++KALnb8PHSTaig==,iv:KIjkdB1YoI2TNHOcWCfAs0jUvUMFW6+on6RkQxciwo4=,tag:GvX0yD2iVqupcR3nFkhHyQ==,type:str] + secret: ENC[AES256_GCM,data:xjcSZ7Qjubos8GT6W9MRpsQ1+ZUcQt+pbhB233p7+0jGbNI17imbeX2seVneaQl1/BUgRtesotkxSYZZJdGhew==,iv:RUDjftpHo2nBHleCYgXATLoLFntFNjV4FssXviqZLzg=,tag:7qFoalSPO+A8Xhvc7GUgSQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNng3M1ZNY0I5V1ZGcm5U + b1RJck5LcCtLelZGUzIwbWFqcTlTQ2h3NXhNCkpaSE9CWTdsV3pHM0FNRFcwekth + dGFUaEVIdEFjaWQ1Q0dkdWd2ZHpDMWcKLS0tIFZ4VUd6enJwejc5OTBsbmIvWUFm + a2NNUHRnVFViV2JpTDZLMU0zaUxpQVkKxgz4avHqZjtsjm7igvwm51NGt1IzIQsL + 0IScUFg53W11BNwoTXDNWT7Kb3pk03QSMd57ldk3me2VJ4BNopen3w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJSnpwTlh4bjFLd29Sc2VM + T1dITlBRUnZuaE9yd2ZMaTlIeDNYZEZTeXgwClJvNGwxNmxxYmZPYlNjbzlIeS93 + Z0VpUXNXNXpocXl6a25pMklOR21QbG8KLS0tIHJOVUVHUGw5RE1XQ0tUSUhFVW5j + YjIrVVI1TnozZW5WU3dybjNmWTRya3MKon/o6kl/F7PpPn+fs1BeUs3mejM6EH5S + muw0/UWsb5a5q/7Gzp3340PKrXfNWvU4wveXpWN6aWfUOwRWY3c7Kg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zh3nmy2a7s2v7g9t7zg56p8sjqwmvqv5s7dn2v22x5nxyl5wfdcsaf5tw7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySDhuNWtYWHJhRlRaWWt5 + NUkzUGd4d0VmVW1BRzNKQmJTZVpQYmVqc1dnClg5N1lMRlM4alFad0NJVE9jZVo4 + VVBVRnRKM3hEZ0F5UXRvV094aEtaazAKLS0tIG5Uc2p2MUI5dFZsaXhtUzFUaGE1 + ZlpYcWE5MXlFMHlCaW5jdmt5NzRGUFUKocHdzkY8M/6h2EyM7bujwAHyMi/E41Cb + WkKCaAKkailS+GkM/TweI16OqT93jduFnl8uTPAvbPLHy0GyDVjNrA== + -----END AGE ENCRYPTED FILE----- + - recipient: age14d0ahjjk02jyc25hhx9ws333r0yk5e06yf4ys8xhz2um7jp6qqaqfcdksg + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTUE1RmlHQ0tucUQxREJk + Wkxtc21PS3R6bHoxL1JLcm15bXBvSXdHeXdBCkxGMFhzUlpJeEdYcVlRY3B2ckY1 + ODJIYWR1SjlOdTNxOGRDZTVHNnpZMjgKLS0tIDEvRVBld0Iyc1RlVWJvdy9USTBo + STVJTUgvRUFBWjc3SndYdXJsbmFLR2cK1OqMn3+n6gAza3zhQOqzo64eW5tdfLo0 + KKkujO4USdicxVgVlo6sxYiSqTUSxZPXyuu0NE5yx7tYbIWyAgjumg== + -----END AGE ENCRYPTED FILE----- + - recipient: age14qunhxz08gmw5r8ky0ez9rjf9dj3ue9hrzz580gwwj4cms46vd7ss4rutf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUQ0kyZWNucW5QQnB2dzNX + clJISStmUlNuMGc1N01hYytDU0FORStJZFE4CmlydE90d2I5eTVvdFpxYUFHSkxH + bU81SGxLYXA3Ukx3Mm5lV2RCajdOU2cKLS0tIGRHYzRFZEUxdTIxS2gzY1VEZ2Jv + c1BTeXpyRGZtQU1LUm1iMzErMDluSDQKBu9cm3fTH8gKi6kHUC/RIxMnSRyHYWRU + e5SXS9RtstQAPGcBt3677iZJrgAXJwB61OPUn8WIDpV6wckx32JLsg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-14T23:49:28Z" + mac: ENC[AES256_GCM,data:R8cw4lMSaI3Gjmii1rimQ0GEC3VK4eARjPpGehE/GoNMoFGMracnOwEToBAK9iQQwtHp3i48Bc0LoUt/xhG5ajbTUW7x/HzxnzFsRfrfTizfe4C7fc4B6gIp7Jhw3RVxOODVZHlbWcIJbQRJ4quS5vLnj8yGO29E+cDWrkqB3Gc=,iv:EkV1MXpJNdL2gY5s76QwvaFeb6jS7XDDhJ53RnRrofY=,tag:EH+1IuBztv7JUaNLwu7ZOQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3