From fe0c442a7c5cfa513e470cd9bf6e439a1a32a835 Mon Sep 17 00:00:00 2001
From: DavHau
Date: Tue, 18 Jul 2023 02:13:33 +0200
Subject: [PATCH 1/3] homepage: allow deployment via gitea actions runner

---
 flake.lock                             | 12 ++++++------
 flake.nix                              |  2 +-
 modules/web01/gitea/actions-runner.nix | 22 +++++++++++++++++++++-
 modules/web01/homepage.nix             | 16 +++++++++++++++-
 targets/web01/secrets.yaml             |  1 +
 5 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index 2da7a9e..06a5250 100644
--- a/flake.lock
+++ b/flake.lock
@@ -82,16 +82,16 @@
       },
       "nixpkgs": {
         "locked": {
-          "lastModified": 1689247091,
-          "narHash": "sha256-sg6yVZGU4yQ8vx/u/jeR7etUIQZhcc4Ss6PHNHAFZjU=",
-          "owner": "Mic92",
+          "lastModified": 1689638193,
+          "narHash": "sha256-7SCl/TEswRCtVSFD9p2SXKH4iWbXDmly2O1oYsxidDc=",
+          "owner": "DavHau",
           "repo": "nixpkgs",
-          "rev": "dc54601ce60a6e7b427d124550d43067ee605b53",
+          "rev": "2ab9f837047affd23ebf27b0175aff34d6b9e7e3",
           "type": "github"
         },
         "original": {
-          "owner": "Mic92",
-          "ref": "daemon",
+          "owner": "DavHau",
+          "ref": "gitea",
           "repo": "nixpkgs",
           "type": "github"
         }
diff --git a/flake.nix b/flake.nix
index e457ba1..a224d37 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@
   inputs = {
     # https://github.com/NixOS/nixpkgs/pull/243252
-    nixpkgs.url = "github:Mic92/nixpkgs/daemon";
+    nixpkgs.url = "github:DavHau/nixpkgs/gitea";
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     treefmt-nix.url = "github:numtide/treefmt-nix";
diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index a599b1b..52d6d2a 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@@ -1,6 +1,8 @@
 { config, self, pkgs, lib, ... }: {
 
+  sops.secrets.ssh-homepage-key.owner = config.users.users.gitea.name;
+
   systemd.services.gitea-runner-nix-token = {
     wantedBy = [ "multi-user.target" ];
     after = [ "gitea.service" ];
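Review bot: The `# https://github.com/NixOS/nixpkgs/pull/243252` comment above the changed `nixpkgs.url` line still names the PR that the old `Mic92/nixpkgs/daemon` branch carried, while the input now tracks `DavHau/nixpkgs/gitea`, so the comment no longer explains the pin. Say what that branch adds on top and when it can go away, e.g. `# DavHau/nixpkgs/gitea: gitea-actions-runner fixes on top of PR 243252 — drop once merged upstream` (adjust to what the branch actually contains; that is not visible here). The rev and narHash in flake.lock keep the build reproducible, but a branch on a personal fork is a mutable supply-chain input that only the fork owner controls, so pinning the intent in the comment (or tracking a tag/commit) matters more than usual.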
@@ -12,8 +14,14 @@
       set -euo pipefail
       token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
       echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
+      mkdir -p /var/lib/gitea-actions-runner/secrets
+      cp ${config.sops.secrets.ssh-homepage-key.path} /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
+      chmod 600 -R /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
     '';
-    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
+    unitConfig.ConditionPathExists = [
+      "|!/var/lib/gitea-actions-runner/token"
+      "|!/var/lib/gitea-actions-runner/secrets/ssh-homepage-key"
+    ];
     serviceConfig = {
       User = "gitea";
       Group = "gitea";
@@ -27,8 +35,15 @@
     after = [ "gitea-runner-nix-token.service" ];
     requires = [ "gitea-runner-nix-token.service" ];
 
+    # TODO: systemd confinment
     serviceConfig = {
+      # User is set to gitea-runner in upstream nixos module
+      # This user only gets created on service startup. We cannot chown the file
+      # any time earlier
+      ExecStartPre = [
+        "+${pkgs.coreutils}/bin/chown -R ${config.systemd.services.gitea-runner-nix.serviceConfig.User} /var/lib/gitea-actions-runner/secrets"
+      ];
       # Hardening (may overlap with DynamicUser=)
       # The following options are only for optimizing output of systemd-analyze
       AmbientCapabilities = "";
@@ -98,6 +113,9 @@
       # "/run/nscd/socket"
       # "/var/lib/drone"
       # ];
+      BindPaths = [
+        "/var/lib/gitea-actions-runner/secrets"
+      ];
     };
   };
@@ -133,6 +151,8 @@
       # unset the token so it doesn't leak into the runner
       TOKEN = "";
       PAGER = "cat";
+      SSH_HOMEPAGE_KEY =
+        "/var/lib/gitea-actions-runner/secrets/ssh-homepage-key";
     };
   };
 };
diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix
index 66c0a94..e2e9ec7 100644
--- a/modules/web01/homepage.nix
+++ b/modules/web01/homepage.nix
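Review bot: The new `cp ${config.sops.secrets.ssh-homepage-key.path} …` line turns a sops-managed secret into a one-shot plaintext copy under /var/lib: once that file exists the `|!` conditions stop this unit from ever running again, so a rotated `ssh-homepage-key` in secrets.yaml never reaches the runner, and deleting the sops entry later leaves the copy behind. The `|` also means that a missing key file alone re-runs the whole script, which regenerates the runner registration token through `echo "TOKEN=$token" > …` even though the existing token is still valid. Giving the `gitea` server account ownership of the secret (the `owner = config.users.users.gitea.name` line earlier in this file) purely so this script can read it also hands the Gitea web process read access to a deploy key it has no use for. Prefer exposing the sops path into the runner read-only instead of copying and keep the token condition as it was; if the copy must stay, put `# one-shot copy: delete this file to pick up a rotated key` above the `cp`. The `script` and the enclosing `gitea-runner-nix-token` unit start outside the hunk.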
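Review bot: The added `ExecStartPre` runs `chown -R` as root (the `+` prefix) on `/var/lib/gitea-actions-runner/secrets`, a path that the token unit creates with `mkdir -p` while running as the unprivileged `gitea` user, so that account decides what sits at the path root chowns. coreutils chown follows a symlink given on the command line unless `-h`/`-P` is passed, so if `secrets` is swapped for a symlink the runner user ends up owning whatever tree it points at — a privilege escalation from the gitea account. At minimum use `chown -hR --no-dereference …`, and better drop the root-side fix-up entirely: the comment notes the runner user only exists at service start (so `owner` cannot be used), but a static group can — give the sops secret `group`/`mode = "0440"`, add that group to the runner via `SupplementaryGroups`, and bind-mount the sops path read-only. The `serviceConfig` this sits in continues outside the hunk.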
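Review bot: `BindPaths` mounts the secrets directory read-write into the runner's namespace although no runner code needs to write there; `BindReadOnlyPaths = [ "/var/lib/gitea-actions-runner/secrets" ];` gives jobs the same read access without letting a job overwrite, truncate or delete the key, and the `+`-prefixed `ExecStartPre` in this unit is exempt from namespacing so its chown still sees the writable host path. Every workflow this runner executes, not only the homepage job, can read the key at that path, which is worth stating next to the binding: `# readable by every job on this runner — keep the key's authorized_keys entry restricted`. The surrounding `serviceConfig` starts and ends outside this hunk.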
@@ -1,7 +1,21 @@
-{ pkgs, self, ... }: {
+{ config, pkgs, self, ... }: {
   security.acme.defaults.email = "admins@clan.lol";
   security.acme.acceptTerms = true;
 
+  # www user to push website artifacts via ssh
+  users.users.www = {
+    openssh.authorizedKeys.keys = [
+      # ssh-homepage-key
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcQi7FThpE2dFcb08d7DSQzhit8e/0W9OUZXasH0JJA ssh-homepage-key"
+    ];
+    isNormalUser = true;
+  };
+
+  # ensure /var/www can be accessed by nginx and www user
+  systemd.tmpfiles.rules = [
+    "d /var/www 0755 www nginx"
+  ];
+
   services.nginx = {
     virtualHosts."clan.lol" = {
       forceSSL = true;
diff --git a/targets/web01/secrets.yaml b/targets/web01/secrets.yaml
index 77b86a0..ab6cabb 100644
--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
@@ -10,6 +10,7 @@ harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKS
 matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
 registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
 gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
+ssh-homepage-key: ENC[AES256_GCM,data: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,iv:oHTmugUvMYLirTfNfAHz854feTIpkLUKC3OvE6CWhOY=,tag:94NSVbi0L19KMI+2l4QnIA==,type:str]
 sops:
     kms: []
     gcp_kms: []
-- 
2.45.1

From ae28874208b34fed573c5f651f92b3a22e420393 Mon Sep 17 00:00:00 2001
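Review bot: The `"ssh-ed25519 …JJA ssh-homepage-key"` entry authorizes an unrestricted login as `www`, while this same patch places the private half on the CI runner where every job can read it, so a compromised or malicious workflow gets a shell on web01 as the owner of /var/www. Pin the key to the one operation the deployment needs, e.g. `"restrict,command=\"rrsync -wo /var/www\" ssh-ed25519 AAAAC3…JJA ssh-homepage-key"` (rrsync ships with rsync ≥ 3.2.4; adjust the forced command to whatever the workflow actually runs, which is not visible here), and add `from=` if the runner always connects from a known address. `isNormalUser = true` provisions a home directory and an interactive shell for what is a machine account; sshd needs a valid shell to run a forced command, so keep it but say so: `# normal user (not system user): sshd needs a login shell to run the forced command`. The `d /var/www 0755 www nginx` tmpfiles rule is fine for a read-only web root.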
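Review bot: The new `ssh-homepage-key` entry lands without the `lastmodified` and `mac` fields under `sops:` changing — this file's diffstat is a single insertion — whereas the later edit of the same file in PATCH 2/3 updates both. sops verifies the MAC over every value at decryption time, so if this line was added by hand rather than through `sops targets/web01/secrets.yaml`, sops-nix will reject the file at activation with a MAC mismatch before the key is ever installed. If the file was in fact saved through sops, the regenerated `lastmodified`/`mac` lines appear to be missing from this patch; either way it is worth confirming the committed file decrypts on web01.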
From: DavHau
Date: Wed, 19 Jul 2023 19:48:40 +0200
Subject: [PATCH 2/3] homepage: remove ssh-homepage-key

---
 modules/web01/gitea/actions-runner.nix | 19 +------------------
 modules/web01/homepage.nix             |  2 +-
 targets/web01/secrets.yaml             |  5 ++---
 3 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index 52d6d2a..550be49 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@@ -1,8 +1,6 @@
 { config, self, pkgs, lib, ... }: {
 
-  sops.secrets.ssh-homepage-key.owner = config.users.users.gitea.name;
-
   systemd.services.gitea-runner-nix-token = {
     wantedBy = [ "multi-user.target" ];
     after = [ "gitea.service" ];
@@ -14,13 +12,9 @@
       set -euo pipefail
       token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
       echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
-      mkdir -p /var/lib/gitea-actions-runner/secrets
-      cp ${config.sops.secrets.ssh-homepage-key.path} /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
-      chmod 600 -R /var/lib/gitea-actions-runner/secrets/ssh-homepage-key
     '';
     unitConfig.ConditionPathExists = [
-      "|!/var/lib/gitea-actions-runner/token"
-      "|!/var/lib/gitea-actions-runner/secrets/ssh-homepage-key"
+      "!/var/lib/gitea-actions-runner/token"
     ];
     serviceConfig = {
       User = "gitea";
@@ -38,12 +32,6 @@
     # TODO: systemd confinment
     serviceConfig = {
-      # User is set to gitea-runner in upstream nixos module
-      # This user only gets created on service startup. We cannot chown the file
-      # any time earlier
-      ExecStartPre = [
-        "+${pkgs.coreutils}/bin/chown -R ${config.systemd.services.gitea-runner-nix.serviceConfig.User} /var/lib/gitea-actions-runner/secrets"
-      ];
       # Hardening (may overlap with DynamicUser=)
       # The following options are only for optimizing output of systemd-analyze
       AmbientCapabilities = "";
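Review bot: Dropping the `cp`/`chmod` lines stops new copies being made, but on a host that already ran this unit the plaintext key at `/var/lib/gitea-actions-runner/secrets/ssh-homepage-key` (created by the removed lines and re-owned by the runner user through the removed `ExecStartPre`) stays on disk; nothing in this commit deletes it, and the restored `!/var/lib/gitea-actions-runner/token` condition means this script will not run again to clean up. The matching public key is replaced in homepage.nix in this same commit, so the leftover can no longer log in, but a stale private key lying in a state directory is still worth removing. Add a one-time cleanup such as `systemd.tmpfiles.rules = [ "R /var/lib/gitea-actions-runner/secrets" ];` or note in the commit message that it was removed by hand on web01. The `script` and the unit it belongs to start outside the hunk.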
@@ -113,9 +101,6 @@
       # "/run/nscd/socket"
       # "/var/lib/drone"
       # ];
-      BindPaths = [
-        "/var/lib/gitea-actions-runner/secrets"
-      ];
     };
   };
@@ -151,8 +136,6 @@
       # unset the token so it doesn't leak into the runner
       TOKEN = "";
       PAGER = "cat";
-      SSH_HOMEPAGE_KEY =
-        "/var/lib/gitea-actions-runner/secrets/ssh-homepage-key";
     };
   };
 };
diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix
index e2e9ec7..2f39389 100644
--- a/modules/web01/homepage.nix
+++ b/modules/web01/homepage.nix
@@ -6,7 +6,7 @@
   users.users.www = {
     openssh.authorizedKeys.keys = [
       # ssh-homepage-key
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcQi7FThpE2dFcb08d7DSQzhit8e/0W9OUZXasH0JJA ssh-homepage-key"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
     ];
     isNormalUser = true;
   };
diff --git a/targets/web01/secrets.yaml b/targets/web01/secrets.yaml
index ab6cabb..dfc5011 100644
--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
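Review bot: The key is rotated here rather than removed, and because the sops entry that provisioned its private half is deleted in this same commit, nothing in the tree now says where the private half of `…AU1C ssh-homepage-key` lives (presumably a Gitea Actions secret of the homepage repository) or who can read it. Record that in the comment above the entry, e.g. `# ssh-homepage-key: private half is a Gitea Actions secret of the homepage repo; not stored on this host`, and since this remains an unrestricted login as `www`, use the rotation as the moment to add `restrict,command="…"` to the entry. The commit title says "remove ssh-homepage-key"; a sentence about the rotation would help the next reader of `git log`. The enclosing `users.users.www` block begins at the first line of the hunk and its file continues outside it.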
@@ -10,7 +10,6 @@ harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKS
 matrix-server-key: ENC[AES256_GCM,data:0148ezOFk8jX5KPQPCG0jQK9ajSfe/iOdUqlvys5/M8DrIwPXH9GzrkknwH+l8kF9ViTRDC/q5md8J2bj3/FBR/RW4rwjDrYx9cBEFm8wjHrywUlwON8kNKtj9ycJmXgtRyCrVGv7sBmODy0ZC5ZfWbhIQh6xWBkX2/rsSh4zwi/1PoHLpOO3u4=,iv:IwHPDi1E3R9LAY/seGpvx1U+N8mB9NMrUjLg4KMA1UA=,tag:pwRJ/CqkFN2eedrnMAaj2w==,type:str]
 registration-secret: ENC[AES256_GCM,data:EvPearZAxxb2irZFYgvy/tFA72h+IABuzwCbvy94IYR0eoHjuYw6GBde8CNUWG4SUiwyXJr4v438o/YThDhehsZ/cZFjg2o=,iv:ogN4/Iia5Zl95a3HP1KZoy86K8LyBFYw50cZUpkDNQo=,tag:5wU2OrNi7b5gWPfFZcGLjg==,type:str]
 gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
-ssh-homepage-key: ENC[AES256_GCM,data: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,iv:oHTmugUvMYLirTfNfAHz854feTIpkLUKC3OvE6CWhOY=,tag:94NSVbi0L19KMI+2l4QnIA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -53,8 +52,8 @@ sops:
             TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo
             Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-19T12:39:56Z"
-    mac: ENC[AES256_GCM,data:baVe7FXbyJ7qAiTFtSB6YO/cNZTaHskRiut7XjmvqIltLGvMAkmOKYYzjPgSZ+RHz2az/MAF+05npP0Poy/jgR3qQ8s+Z3ml6u+Ze53bZFBofnNf8oxKp5uZ7RjDnPKwh3Uz3x4hTW2QbC2s1ik+LdxMpwuU641y0N32UkODU44=,iv:oYtjQUjL7pkxE7gpdDv9SGpJAl1UellVXztvKG5mH+U=,tag:U7bL1zr2y74LSDXQzmqRtw==,type:str]
+    lastmodified: "2023-07-19T17:46:20Z"
+    mac: ENC[AES256_GCM,data:TP13I8Ssg+OwgMrRb1SKzxD6RJRipr/rkZwjY3TMVmJDp0GDipXzWFXZmiIpe2t76BxeRLTfgc9fmEflxhlcV+SVxLYZzXax6OT6rniDkAshlIdYR0H0LsgE9gfAYHGnvQW6dM1S8z+NFifvBeJM76FugM9IXjcVSYq7iaDY5fU=,iv:CktTCdtfpOfprMuOVfmfCO/2MAlV46DHEHSM8C0gfpA=,tag:V2EjkVXoRgtX81KbLXZCcA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3
-- 
2.45.1
From 4d6a5469c8763c487756266bd7bc744e1d06cccc Mon Sep 17 00:00:00 2001
From: DavHau
Date: Wed, 19 Jul 2023 20:26:42 +0200
Subject: [PATCH 3/3] cleanup

---
 modules/web01/gitea/actions-runner.nix | 5 +----
 modules/web01/homepage.nix             | 2 +-
 targets/web01/secrets.yaml             | 4 ++--
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index 550be49..a599b1b 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@@ -13,9 +13,7 @@
       token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
       echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
     '';
-    unitConfig.ConditionPathExists = [
-      "!/var/lib/gitea-actions-runner/token"
-    ];
+    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
     serviceConfig = {
       User = "gitea";
       Group = "gitea";
@@ -29,7 +27,6 @@
     after = [ "gitea-runner-nix-token.service" ];
     requires = [ "gitea-runner-nix-token.service" ];
 
-    # TODO: systemd confinment
     serviceConfig = {
       # Hardening (may overlap with DynamicUser=)
diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix
index 2f39389..6ede065 100644
--- a/modules/web01/homepage.nix
+++ b/modules/web01/homepage.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, self, ... }: {
+{ pkgs, self, ... }: {
   security.acme.defaults.email = "admins@clan.lol";
   security.acme.acceptTerms = true;
 
diff --git a/targets/web01/secrets.yaml b/targets/web01/secrets.yaml
index dfc5011..77b86a0 100644
--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
@@ -52,8 +52,8 @@ sops:
             TGk4dUlwcE9XWWIzZE1nQXdXcWY0V0kKJi5yXdrsEOP4Z8K6k/sPA7yadNPKQtzo
             Iyt//Y+Y7n55KwuO8Doogu42SiVTUhHDICM9lezQmcugFqCoh3Lk4A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-19T17:46:20Z"
-    mac: ENC[AES256_GCM,data:TP13I8Ssg+OwgMrRb1SKzxD6RJRipr/rkZwjY3TMVmJDp0GDipXzWFXZmiIpe2t76BxeRLTfgc9fmEflxhlcV+SVxLYZzXax6OT6rniDkAshlIdYR0H0LsgE9gfAYHGnvQW6dM1S8z+NFifvBeJM76FugM9IXjcVSYq7iaDY5fU=,iv:CktTCdtfpOfprMuOVfmfCO/2MAlV46DHEHSM8C0gfpA=,tag:V2EjkVXoRgtX81KbLXZCcA==,type:str]
+    lastmodified: "2023-07-19T12:39:56Z"
+    mac: ENC[AES256_GCM,data:baVe7FXbyJ7qAiTFtSB6YO/cNZTaHskRiut7XjmvqIltLGvMAkmOKYYzjPgSZ+RHz2az/MAF+05npP0Poy/jgR3qQ8s+Z3ml6u+Ze53bZFBofnNf8oxKp5uZ7RjDnPKwh3Uz3x4hTW2QbC2s1ik+LdxMpwuU641y0N32UkODU44=,iv:oYtjQUjL7pkxE7gpdDv9SGpJAl1UellVXztvKG5mH+U=,tag:U7bL1zr2y74LSDXQzmqRtw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3
-- 
2.45.1