From 498aa3b51ee48131f41ffaeb0cddbb7f4f286875 Mon Sep 17 00:00:00 2001 From: Joshua Potter Date: Fri, 8 Dec 2023 14:27:54 -0700 Subject: [PATCH] Add SECRET_KEY_BASE for phoenix project. --- .sops.yaml | 2 +- flake.lock | 8 ++++---- phobos/flake.lock | 6 +++--- phobos/flake.nix | 44 +++++++++++++++++++++++++++++++------------- phobos/secrets.yaml | 32 +++++++++++++------------------- 5 files changed, 52 insertions(+), 40 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 25be703..dbc635d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,7 +2,7 @@ keys: - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 - &server_phobos age1lmx6334s0y2ecfpve00vcjemyechycda2g8c5nnpzs5py2qay9pqx8m3vs creation_rules: - - path_regex: phobos/[^/]+\.(yaml|json|env|ini)$ + - path_regex: phobos/[^/]+\.(yaml|json|env|ini|enc)$ key_groups: - age: - *admin_jrpotter diff --git a/flake.lock b/flake.lock index 1fc6c28..ef0f052 100644 --- a/flake.lock +++ b/flake.lock @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1701615100, - "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=", + "lastModified": 1701805708, + "narHash": "sha256-hh0S14E816Img0tPaNQSEKFvSscSIrvu1ypubtfh6M4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19", + "rev": "0561103cedb11e7554cf34cea81e5f5d578a4753", "type": "github" }, "original": { @@ -208,7 +208,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-/ZJi6zwrTNAJihWJDtLqmvnJEoZFXI2BqVesNqLP1xM=", + "narHash": "sha256-Gze86YwZxMbiW01weBEoPXyNEdAuj+hBTtT/shr/wSo=", "path": "./phobos", "type": "path" }, diff --git a/phobos/flake.lock b/phobos/flake.lock index 4f49e5a..8a552d9 100644 --- a/phobos/flake.lock +++ b/phobos/flake.lock 
@@ -87,11 +87,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1701615100, - "narHash": "sha256-7VI84NGBvlCTduw2aHLVB62NvCiZUlALLqBe5v684Aw=", + "lastModified": 1701805708, + "narHash": "sha256-hh0S14E816Img0tPaNQSEKFvSscSIrvu1ypubtfh6M4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e9f06adb793d1cca5384907b3b8a4071d5d7cb19", + "rev": "0561103cedb11e7554cf34cea81e5f5d578a4753", "type": "github" }, "original": { diff --git a/phobos/flake.nix b/phobos/flake.nix index 52eb4be..41ce1b0 100644 --- a/phobos/flake.nix +++ b/phobos/flake.nix @@ -3,9 +3,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; - boardwise = { - url = "github:boardwise-gg/website/v0.1.0"; - }; + boardwise.url = "github:boardwise-gg/website/v0.1.0"; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -34,23 +32,43 @@ package = pkgs.postgresql_15; ensureDatabases = [ "boardwise" ]; authentication = lib.mkOverride 10 '' - # TYPE DATABASE USER ADDRESS METHOD - local all all trust + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust ''; }; - environment = { - systemPackages = [ - boardwise.packages.${system}.app - ]; - variables = { - DATABASE_URL="ecto://postgres:postgres@localhost/boardwise"; + systemd = { + services.boardwise = { + enable = true; + description = "BoardWise Server"; + after = [ "postgresql.service" ]; + requires = [ "postgresql.service" ]; + serviceConfig = { + Environment = [ + "PORT=80" + "DATABASE_URL=ecto://postgres:postgres@localhost/boardwise" + ]; + EnvironmentFile = "/run/secrets/SECRET_KEY_BASE"; + ExecStartPre = "${boardwise.packages.${system}.app}/bin/migrate"; + ExecStart = "${boardwise.packages.${system}.app}/bin/boardwise start"; + Restart = "on-failure"; + }; + unitConfig = { + ConditionPathExists = "/run/secrets/SECRET_KEY_BASE"; + }; + }; + paths.SECRET_KEY_BASE = { + enable = true; + pathConfig = { + PathExists = "/run/secrets/SECRET_KEY_BASE"; + Unit = "boardwise.service"; + }; }; }; sops.defaultSopsFile = ./secrets.yaml; - sops.secrets.example-key = {}; - sops.secrets."myservice/my_subdir/my_secret" = {}; + sops.secrets.SECRET_KEY_BASE = {}; system.stateVersion = "23.11"; }; diff --git a/phobos/secrets.yaml b/phobos/secrets.yaml index 2ade98a..82784cb 100644 --- a/phobos/secrets.yaml +++ b/phobos/secrets.yaml 
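Review bot: The added `host all all 127.0.0.1/32 trust` rule lets any local process open a TCP connection as the `postgres` superuser with no credential check, so the `postgres:postgres` password in `DATABASE_URL` is never verified and a compromise of any other process on the host is a full database compromise. The service also runs as root — `serviceConfig` sets no `User=`/`DynamicUser=`, which is presumably what lets it bind `PORT=80` and read `/run/secrets/SECRET_KEY_BASE` (root-owned, mode 0400 by sops-nix default as far as I recall). I would run the unit as a dedicated `boardwise` user that owns the secret, grant `CAP_NET_BIND_SERVICE` for port 80, and replace the loopback `trust` rule with either peer auth over the unix socket (`local boardwise boardwise peer`) or a real password kept in the sops file and checked with `scram-sha-256`. Two smaller things: `EnvironmentFile=` expects `KEY=value` lines, so this only works if the decrypted secret is stored as `SECRET_KEY_BASE=…` rather than the bare key — a comment on `sops.secrets.SECRET_KEY_BASE` saying so would save the next person a confused boot; and if `localhost` resolves to `::1` first, no pg_hba rule matches and the connection is rejected, so either add `::1/128` or use `127.0.0.1` in the URL. The enclosing NixOS module attribute set starts above this hunk.
```nix
      serviceConfig = {
        # … unchanged: Environment, EnvironmentFile, ExecStartPre, ExecStart, Restart …
        User = "boardwise";
        Group = "boardwise";
        # Bind port 80 without running the whole service as root.
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        NoNewPrivileges = true;
      };
    # … unchanged: unitConfig, paths.SECRET_KEY_BASE …
    users.users.boardwise = { isSystemUser = true; group = "boardwise"; };
    users.groups.boardwise = { };
    # The decrypted secret must be readable by the service user, not only root.
    sops.secrets.SECRET_KEY_BASE.owner = "boardwise";
```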
@@ -1,10 +1,4 @@ -#ENC[AES256_GCM,data:pkTmy1WX4sI6CHkuiMO/873FBuGKjtDyDuqGIY69b7LYXAyOeKU=,iv:CjqG2mlzIieeTJqrwAGklZQ1l7upH4dXTT0aoqKWQFY=,tag:25gMrm0gi21DhgnIdrki4A==,type:comment] -example-key: ENC[AES256_GCM,data:1ywkHMSLq1aAiZl9JA==,iv:1ip/LHeptLnpYq3O29xjNeDIUZr77xiAdGFmPPKIy3c=,tag:Q5BeX1XS6ySIqKcLv86yrg==,type:str] -#ENC[AES256_GCM,data:t4SrnsLqfNlxLqoEwuDtameoUYBZ4TpUDYQ2nQ133vEig6MuNgsKVQPs+3J3K3jXSqJHu8TvV9k=,iv:IDhuYa6LnPLREq3TFUBdkkdbFoxWxRuDw4rNYX+Q294=,tag:H+1n+P4NN4/4MHyXjDsOEg==,type:comment] -#ENC[AES256_GCM,data:DHudM+N5MDuM/tRKFcUNHn1pkSdSzJRgg4ROkAxOlWQy03x6up3MtTCbuZ1gW2aLAA8sHxB3ki1WOLQ6jeU67Hk6DMsP+sOS,iv:p9ry0MmeUXXdtmZYKlqs4dJ9uopHD4Z9YVf25PVKjIc=,tag:3WmKGQyrIpL2Aw+b2ANIxA==,type:comment] -myservice: - my_subdir: - my_secret: ENC[AES256_GCM,data:uZOzai2mhtkM,iv:Uo+RuNxwaaMPr56pcNfN7stZXterbvfbhbwr3gyH+PI=,tag:kzQav/0gDRELwdmOMJjn7g==,type:str] +SECRET_KEY_BASE: ENC[AES256_GCM,data:1p8IKwVEPRCtrhIitv3WztJmCo9LsbWgYuroQ2DzdHJWEtN1Ye/0sIhmrjEBugiRT5zVUEKip16VQRvq9i6DkVFi3cF2qlvslc1dycGtbtQ=,iv:Q2Tm87vSH8JLQbHcKU649X3KcLJtEOPcneHEYBjmSPY=,tag:RYOXrShhwBvdrguq/lbSKQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,23 +8,23 @@ sops: - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyN0d4VDcvZ085Sm9SL2ZE - MW5rUlpNQWdLV3UrVHlkMDFQazRuaGZLUlVVClo4a0ZreVU3MGV4MUovZXZVWm10 - dTZ3OEc4ZlJqQ21TYmJEc2FJNDAyazAKLS0tIEZxVzk4ZEo3MjFHMVZDV0JTWmRo - YzRDWjZ2ZFlQdEw5N2N5SG9oVDdPMFkKHPz6J4TL6lPSH1a806iVBrgJUnV297uh - 1sacjMW5ncEktozngq7gqQnrKEfapYqq3rAVpxGLY3C6mxwPDTgT5g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbXdCWVllY0xzaVJ4K3VL + anJsd0FFN1J1amlKTVpzaHE1dlVKL05ObDJBCnVKa1ZFZmNyTS9mRlJyM0NiaGFO + TDh2ak1wZmNqSXYwOEF4M1ZlY1BlcjAKLS0tIDZWbXVpSzkyS2lBK1hZVUI0Zklk + RDMveTJ0UkdmRE1HV3BaQlpvWTlXOUkKwrhRj5eqNafOUqYrwT20hMm+ocJxSv+X + eV4+7r6m4Y142XsQENvfk4ow0fLO8h1Fuvh09GHLoBAZGAfbNCop9Q== -----END AGE ENCRYPTED FILE----- - recipient: age1lmx6334s0y2ecfpve00vcjemyechycda2g8c5nnpzs5py2qay9pqx8m3vs enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYmtQcWF5Rm50MWxQYjRB - bHBYK25BMThvN3Ivd1JxSTJKOThxS0N6TEZFCnVvS2RKZEQ3WEpCN1V6ekd3Sjhv - N0UwbUJTck9PSXhDcGI3aDNUYmNPVVEKLS0tIDBuc2xmdEpYZVZpbGczQ2RlRS9U - YXV1UEl0Q3RTZSt0ak1sU3BkcFIwdWcKwfNMcaDdud0Ve+ibJq5bRc63hiDgaTp9 - 5GKaIaU4TOkB2K3/N8DIU3KW0scl+5foWTaQbrVSMy9x31H0jTdlgQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVb3oyOW9mUmp5YWg1Ulln + bXgxRlhxQi9lZGFhK3NpblRVS0lRTDNtK2pzCnVFdzBHSGUyNGlDV2VaLzhEeS8x + a0txMU0zNHMyRnlrTlMvT09vVG5GTWsKLS0tIGNyRWVsRTFOYkhxY0J2Qks4ZFYv + VmhpRjhXZEQ0WlZaOVhXZWx6SXpPczAKNJh8yms/llCJanKKcTBHmnUgUdwzRFfJ + /jB3RhjIAehrt3zFl7b6hW8sWJipjkhwXkl9KmXGkmgVvrEdfmM5kg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-08T18:51:48Z" - mac: ENC[AES256_GCM,data:/pnQDn4ADDkyYNRYAMzOnxc6HkyJ94izk8Em+v6oY3oKEw8m0I51ClS1glaXTL+FFocYnKAu/TuuX49QI8mnY3qhHrg1s2ruGtjRhDJGEvsCCgK6BcuclktTS7r046rRa7S0kahotI9C9ZHKilRoc5tTGNVKnGg+Xq+zG2ch6Cc=,iv:muBqr7RR0taT9VYwZoBMJn76kc5Zk0h6d8vcZJOxwT8=,tag:wF/6Q6fkDzyJ+XtEB9Vzog==,type:str] + lastmodified: "2023-12-09T00:29:20Z" 
+ mac: ENC[AES256_GCM,data:jVA9UKjBfLJzlOnU0Wvzq8MTsIXURpB3d5ER9OuFz9t/aBuMzPsFcOE5zzgYYisc1s4UnHowuGz72ZAAbIZTP6GaaJ2Mta3rbqUvJrYZMmD+1AujedGzKHbwD6Pc8V70v17PoMCiX3psJy8B+COksIX4nhJEnh4rpgv4HHRehGk=,iv:LA4Zgpbyd8AaKhsN7ei72sSWJr5Qpt8AbON7F99Qyv4=,tag:1DCjPbQldhGIwSGNpKvgNQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3