From f328cf8929244a0bb30de21af7a9b51ba0936f84 Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Thu, 20 Jun 2024 16:35:49 +0800 Subject: [PATCH] nixos/frp: don't expose secrets --- hosts/blacksteel/default.nix | 10 ++++++++-- hosts/blacksteel/secrets.yaml | 6 ++++-- hosts/lightsail-tokyo/default.nix | 9 ++++++++- hosts/lightsail-tokyo/secrets.yaml | 6 ++++-- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix index a8591d1..cc8102b 100644 --- a/hosts/blacksteel/default.nix +++ b/hosts/blacksteel/default.nix @@ -43,6 +43,9 @@ "mastodon/environment" = { restartUnits = ["mastodon-web.service"]; }; + "frp/environment" = { + restartUnits = ["frp.service"]; + }; }; }; @@ -61,7 +64,7 @@ serverAddr = "18.177.132.61"; # TODO: can I use a domain name? serverPort = 7000; auth.method = "token"; - auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret! + auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}"; proxies = [ { name = "synapse"; @@ -113,7 +116,10 @@ }; }; - systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon" "matrix-synapse"]; + systemd.services.frp.serviceConfig = { + EnvironmentFile = [config.sops.secrets."frp/environment".path]; + SupplementaryGroups = ["mastodon" "matrix-synapse"]; + }; services.postgresql = { enable = true; diff --git a/hosts/blacksteel/secrets.yaml b/hosts/blacksteel/secrets.yaml index da7a6c3..d35e69c 100644 --- a/hosts/blacksteel/secrets.yaml +++ b/hosts/blacksteel/secrets.yaml 
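Review bot: Replacing the literal token with `{{ .Envs.FRP_AUTH_TOKEN }}` takes it out of the Nix store and the working tree, but the value removed here (`p4$m93060...F7rAycE`) remains in git history and on every machine that fetched it, so the change is only complete if the token inside the new encrypted `frp/environment` file is a freshly generated one and the old value is no longer accepted by the server; the ciphertext does not show whether that happened, so confirm it (and consider `git filter-repo` if the repository is public). The new env file is parsed by systemd, so quote the value (`FRP_AUTH_TOKEN="..."`) if it contains spaces, `#` or quotes, and avoid `"` and `\` in the token itself since frp substitutes it verbatim into the TOML config before parsing. `EnvironmentFile` is read before the unit drops privileges, which is why the default root-owned 0400 sops file works here without an `owner`; a short comment such as `# token is injected via EnvironmentFile; keep it out of settings (world-readable nix store)` next to `auth.token` would tell the next editor why the placeholder is there.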
@@ -5,6 +5,8 @@ syncv3: environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str] mastodon: environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str] +frp: + environment: ENC[AES256_GCM,data:TLVqVpVMTFzvs8JS31cPhhqeLRGcUOQBeGENvBd8e1RRt2mQY5VTP8lQYrgtXMRGMHLu0ByPjmL8aFZRlukBc77wAIhtETo238Hn62vJz3I=,iv:kMRF5BAzvhKWtKQyPSIWGeSjgmcEfvcbCJa9wQxSjjU=,tag:DViCejZvRo4cqJosE28lsA==,type:str] sops: kms: [] gcp_kms: [] @@ -29,8 +31,8 @@ sops: bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-21T10:09:01Z" - mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str] + lastmodified: "2024-06-20T08:12:17Z" + mac: ENC[AES256_GCM,data:kkQnNrldWFWCORK4eeVDg4fUQ/FNUPjxHpZb9i+okxlTHpYOPLHf1oDWpOTvUyIE7gHPkU0Knb7bD5OL3g/40O2/MjXzNTNWBws94NNRrY2Z6V6ixSI58tNT2NRSFqQFcDHx8Cvte+7rJoElN15Ejh3a4Pmm+ID70iSQu7mdFAI=,iv:jCTsHhY2HQjE3GvG0S/twSojuyX9e4LfhHTxRY3k8Tg=,tag:x2PkHgYi0XheTqC95BTGHA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix index adb62f5..13f077d 100644 --- a/hosts/lightsail-tokyo/default.nix +++ b/hosts/lightsail-tokyo/default.nix @@ -39,6 +39,9 @@ "searx/environment" = { restartUnits = ["searx.service"]; }; + "frp/environment" = { + restartUnits = ["frp.service"]; + }; }; templates = { 
@@ -121,10 +124,14 @@ settings = { bindPort = 7000; auth.method = "token"; - auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; + auth.token = "{{ .Envs.FRP_AUTH_TOKEN }}"; }; }; + systemd.services.frp.serviceConfig = { + EnvironmentFile = [config.sops.secrets."frp/environment".path]; + }; + # `journalctl -u murmur.service | grep Password` services.murmur = { enable = true; diff --git a/hosts/lightsail-tokyo/secrets.yaml b/hosts/lightsail-tokyo/secrets.yaml index d7a07f5..700d288 100644 --- a/hosts/lightsail-tokyo/secrets.yaml +++ b/hosts/lightsail-tokyo/secrets.yaml @@ -4,6 +4,8 @@ searx: environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str] pixivfe: environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str] +frp: + environment: ENC[AES256_GCM,data:6XWjUPuJt6fPiIO7mrMjIoR0VHsiy77GqJu/CXVqMEi+EEmXgUN2l6m5vTkttmZICXb5M9ANpdTYOB3nEwCYBJvmFe8kFIZ77rYRVt3C4l0=,iv:5UHJQTanNvk5BsZzH0JeGKP8sDFjTIuc7sGRcReF1+4=,tag:sBYa9RFaMGrh6HZudqZVVA==,type:str] sops: kms: [] gcp_kms: [] 
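Review bot: The server side now authenticates only the initial login with the token, which is the frp default; if the frps/frpc version deployed supports it, adding `auth.additionalScopes = ["HeartBeats" "NewWorkConns"];` in `settings` (and the same on the blacksteel client) also binds heartbeats and new work connections to the token, which is the usual hardening when frps is reachable on the public `bindPort = 7000`. The same rotation caveat applies here: the ciphertext in `frp/environment` does not show whether the token it holds differs from the one removed from this file, so verify that it is a new value. `systemd.services.frp` and its `settings` attribute continue outside the hunk.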
@@ -28,8 +30,8 @@ sops: R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-15T07:19:59Z" - mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str] + lastmodified: "2024-06-20T08:14:22Z" + mac: ENC[AES256_GCM,data:hqCsHztVoTvRoJ+HyODPrYJKwCWusLzap0tVRxnQlAaqIp1ln9AyxLRuQetDkF5nN97S0BW1z1Uf910wlAe5VxsENrIDMYeUq1PnbQ2ijLttGOnLJVS0aJgcFqNOir2tbflH3fbzDCiSmrT+xQ8ytgX+MEtXpxH7OlVFohjXBCo=,iv:ztALlEtd9cGBY0Sx9yzSngNMaHX3kgkRMTruXDXXVHQ=,tag:hztHafyj4nu3npWyBPhxGw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1