From 56690ad45f8762f5f0d6608da9981c04a6163441 Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Tue, 14 Jan 2025 14:56:41 +0100
Subject: [PATCH] set secret via systemd to avoid users entirely

---
 nixos/hosts/queen/secrets/sops.yaml | 6 +++---
 .../server/package-configs/mollysocket/default.nix | 14 ++------------
 2 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/nixos/hosts/queen/secrets/sops.yaml b/nixos/hosts/queen/secrets/sops.yaml
index 0acc33e..dcd0abb 100644
--- a/nixos/hosts/queen/secrets/sops.yaml
+++ b/nixos/hosts/queen/secrets/sops.yaml
@@ -14,7 +14,7 @@ sync-secrets: ENC[AES256_GCM,data:AwCgqfSXmYVGnCV5PJ5Ql44IiutTS76F1H7Ow7gB4mQQ8P
 writefreely: ENC[AES256_GCM,data:QOj5h/rHCxmgpPNhu3IS4eyruhQokHTJxW6yQM9YDgQ=,iv:qAd+/rAAanzL9FTIX22M+2kwI0WI2d3i86cJrn8MFBo=,tag:3zvpqnovDEoJdvK/qcFDuQ==,type:str]
 writefreelymysql: ENC[AES256_GCM,data:1JZwIX04O3DBAo7JvEkeNrFcSdcmk/u4WUf/kkbr2JA=,iv:8H8MR8w1iLfl2r62EbxPnLzs4qWFmwB5gNKEaly8q6c=,tag:K01oKMXkeMOFs3u7frMs0Q==,type:str]
 ssh-private-key: ENC[AES256_GCM,data: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,iv:pHT7DtX1ab7boPboXRaSg9w/4sMgNraEswtEf2tBPkw=,tag:Fbw2/Evf4ZsLFMBPflf9CA==,type:str]
-mollysocket-vapid-key: ENC[AES256_GCM,data:w0tcRqjXrhjem+4rfZuSSfeex+Fpi0du3EhUdPsBRCuO7L2OdVml1CU2QA==,iv:bGfYc1T+21/rcGdkHAFqteSffXPUhvoateSqbiSPb10=,tag:XqrU5f5f0sxHTkARFdNVeA==,type:str]
+mollysocket-vapid-key: ENC[AES256_GCM,data:8N2hxY6WN6mCcjMIFsw/Vt1RoGvUbYxkVPOOn4WRjXZtEEkkVCIaNevozF4xCnBUEWIukNg8lZk8ake/pHAq,iv:+NHm3hSotcRPRjrwEe9xKnEeYbnUZqJEB1sd5B+tWIE=,tag:Pd2pnJqj771XqdqBREGzJQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
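Review bot: The new `+mollysocket-vapid-key` ciphertext cannot be checked for format from this hunk, yet the same commit switches its consumer from `vapid_key_file` to `services.mollysocket.environmentFile`, which expects `VAR=value` lines rather than the bare key the previous file-based option accepted; please confirm the decrypted value now reads as a single `<VARIABLE>=<key>` line (placeholder, the variable name is not on the page). With the owner/group settings removed in default.nix the decrypted file stays root-owned at mode 0440, which works for an EnvironmentFile because systemd reads it before dropping privileges, but it would fail for anything that opens the file as the service user, so the old `mode` line should not be taken as sufficient if that path ever returns. A short comment next to the secret declaration in default.nix, e.g. `# plaintext is in EnvironmentFile syntax (VAR=value), consumed via services.mollysocket.environmentFile`, would make the format dependency visible at the next key rotation.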
@@ -30,8 +30,8 @@ sops:
 KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
 NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-01-14T12:47:32Z"
- mac: ENC[AES256_GCM,data:HxttRqB9RgMP9xkVTPXUE9MyGon3VJ7DW6gyNIII3svgcZItl39HIG3aYTsS3jAWShZQ/iSxERXbwusAb/wAC8VNXNI04BZGK9WbExSJKXzAzBLXI4ajUsJ27POf+4mi/8fwdSSRpmZdfYhbxuzBs8jI6/CJ40B9Dbp/DtndXTk=,iv:GPSoTNfsBEFNwCqAnOpylbl0LJckrR5lCznzzi/BAI8=,tag:kRwqzIh0TWz4MR66vKwgSA==,type:str]
+ lastmodified: "2025-01-14T13:43:37Z"
+ mac: ENC[AES256_GCM,data:GK+WcmMgDbZ5xeqMK06CuquR6/ptd2oXzVJ9V74+n6lBx4XsyPu17puKGKgsGsIHeRYdbwtQh8tm42/XJ0tK8qJz1yGvfQxPasd+ibRBHatWWHzQ/czR3NIRWYqGF9/mxi2uHrftaKtku1/huxjzjb69blopMzn2LEH0vCzXCkc=,iv:K6Fbhmz9FAzLd8KcjDSriVre8MhCYrGTVXh+u6oGLaQ=,tag:4Ylrs+Mm54vAKFQyyo8Njg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.2
diff --git a/nixos/server/package-configs/mollysocket/default.nix b/nixos/server/package-configs/mollysocket/default.nix
index 2a1bb35..6f2cbb6 100644
--- a/nixos/server/package-configs/mollysocket/default.nix
+++ b/nixos/server/package-configs/mollysocket/default.nix
@@ -1,26 +1,16 @@
-{config, ...}: let
- mollySocketUser = "mollysocket";
-in {
+{config, ...}: {
 sops.secrets."mollysocket-vapid-key".mode = "0440";
- sops.secrets."mollysocket-vapid-key" = {
- owner = mollySocketUser;
- group = mollySocketUser;
- };
 services.mollysocket = {
 enable = true;
+ environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
 settings = {
 port = 4381;
- vapid_key_file = config.sops.secrets."mollysocket-vapid-key".path;
 allowed_endpoints = ["molly.gladtherescake.eu" "nextcloud.gladtherescake.eu"];
 allowed_uuids = ["*"];
 webserver = true;
 };
 };
- systemd.services.mollysocket.serviceConfig = {
- User = mollySocketUser;
- Group = mollySocketUser;
- };
 services.nginx = {
 virtualHosts = {
 "molly.gladtherescake.eu" = {