From a8a2393357f896285ee8061311c4270b8cd2e458 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sun, 3 Nov 2024 14:57:33 +0000
Subject: [PATCH] upgrade mastodon, enable db encryption

---
 .../cupsnet/mastodon.encryption.env.sops | 56 +++++++++++++++++++
 nixos/boxes/cupsnet/mastodon.nix | 13 +++++
 2 files changed, 69 insertions(+)
 create mode 100644 nixos/boxes/cupsnet/mastodon.encryption.env.sops

diff --git a/nixos/boxes/cupsnet/mastodon.encryption.env.sops b/nixos/boxes/cupsnet/mastodon.encryption.env.sops
new file mode 100644
index 00000000..a07ff4b1
--- /dev/null
+++ b/nixos/boxes/cupsnet/mastodon.encryption.env.sops
@@ -0,0 +1,56 @@ +{ + "data": "ENC[AES256_GCM,data:CJuq9LW/PF/mUFJ5zB8Gs2rIre3gV++EmEd2GpSXEQ0Rt5UJckkQE2+yMunJqzS9c9s67Iu9R5i1o5nMd5Pze6I0nYmgVhi4aHOqpbdZLn+HuPmmSce+y/w4pEiAGyi8WlWpBTGIgBS5oNDZA0QYoC6rBw6COw4FKsDqj76MYDpT7IxN+PSn7Qs4yctfADQvyMoGw2E3YQKEoU1sGu/TvjRcze50sUNGIEAIiZMtPwAPUwPJ+QBc7LFudBTSc42nIVcsNMneRwx7OEl1zC0gOgzFLTPXP4RmrjYsnaAYY9I=,iv:kwpHJnM9gjFZbU3i4TsPZs0LV+1Sc/UWbpuv5ZKAhao=,tag:I3UNHBCt0nNsi0kDFsQO1w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2OXREa2hMR1k2aU9SYU1j\nbW9BcVgrZHFObUREU2VPWHVFcE5JbEcxRUdVCkFJRlN0VDVuOTBSbjNqa2oxNGRn\nb3pQaXcrbWhvc2NDRFRQL0JuZi9mOEkKLS0tIGhiNDdEYkJhY1hsc1JMa2RSUU54\nVDlaMndvZktzMjZiNUJ1MXdmNzRjNlkKjpGT5a9GtrPMorOpyIDaXC9ZVbIiB4Er\ncWVdG9Gyaq2SXDs0PXVlHETXqgDwCq1+NAm2L5Nr6y09PxHpr8HcHQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdTJocllDTDUrUWJWTllB\nUmQ2MUI4YlJWcVR4eTVmS205bHZnOENVTlJjCnoxaEd1c0dkQlM3dG12N2VIb1RL\nYnhhYXl6Z1cwaHlqUXhaRlluZVp2V1EKLS0tIDhSWU9XWGJqZGFiZUpGRGx5bU1p\nRDVMeGFiZ1B4czdQVVMxZ1RkMVh3WlUKrnh4gc++tmHf9jSAbNMoeKF8r14Qr55f\ndqTEAfZXA5LwL322e4Dk9O7Ul9dYB3qqel71a/xpY/pop9wexArtlg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidEJ3ZXpreTNjRXVxSkQv\nbENpblBDREY1RVhJY29aWWlvYjkvOW9qVlZBCm1uUmJhWk5tMFlJdXZWalZ4Zmdk\nWmMxdHJUZmJnVnZCeTZGTlZMcG9PQ00KLS0tIHN4OFcxdW1HMEx0NmVsSERIWXJU\nU3dMbEZlTmtTYjFSRGN5Vi9FaWFUdkkKmzAqONXmgsLJWzNRu87NzV4n9i7EfZ5M\nKGtlJcJ950ZepLTcjbjEedWdrtW5OaHxtfqfoBfzuaUKad0wqNyp0w==\n-----END AGE 
ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVmJHMmxBc1BhQ0ZGVjkw\nbWlQT2JhUzJyZzhjeDFkRnpCUTdSL0xWZEN3Ckx4SUs1VmdnSEdxdnA0ZCtINERt\nY1gvWTNSMmtHVWoyN2VKa2d0Qm52SU0KLS0tIG0zZ1RUaE9rMWY2MSs4RFFvUnZC\nenpJQWVwT2hBV2RVbHdPdDBiTWdVVDgK/8i1xDSpyoTDxEjzDFfhXf07guG8qKBU\n+htXOmuqMayYaRYyXUnY64swMg3BFVBCngxVstnB0rvgFis8mk5Zqg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNG9SeE9GUVh0WCs1UFpL\nOEFFUzBiUXFyTy9CeWNCKzZSTmFVb0lxQVg0CkM4QW5vM0N3WStBZEVvTGhRSnR4\nTkVyQm9zOFZrVmJiYzFHR0RyZGt4dE0KLS0tIGV1NFQ3YTdjeEtQeG5lL0txR1Nk\nYUhTQzBWQnE3YUFzZy9OSWFoKzZXVVUKSUzhS+/BDiyqV6BOai9mzTpAkL0rEX4f\nx+NL/7IlHjcT5eABG9RyY1BZV2qi30M3B3Y8IVsoHeTxgYNCaqsCtA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmeXlaMmUyMHE4UUFCRlVY\nMWFRUGhLcUFGVC9icTcrdjNIaGNmaDBqUFFBCjFvMElxRjNYRzE5ckZHa3hYV1hY\ndFo2WnZZWFdSaUtxZ1N4SDZSNHpDbjAKLS0tIEdrN1pUcTg1TlM0dHhQU0VLRFNo\nMkJmTWtUTmhiZHpyTTYxUXJ3M2ZSRWcKZI1hR4vVUlj/zPSbQYOszl8d4nLMakmd\nTys856uXePkcdIpO1/zzDnnY8yi2etZ+Lnih8qwtesGw56/qiozLYg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWemd2QlhtdVNhVlkxK29E\nS3ptcXBuSnIyb2FPMXUwdzlrckNPRXcxbkZRCnhSTE0wNDNJR3Vsc2RURVVVYWo0\nY0NwRzlNa2lNT3J4QWJObUJJVUgvRGMKLS0tIDFJNVg1Ti9ubVpmR0MxQUVodlpm\nYVI3ZEdlcmxsR2c2c2Nya0FkOW8rUnMK5l9AMoFrR6p7jLzZR9utBScCO7/bVBow\n7KuuqzP4AsTAVPrl4MX5cFW05xDQeXW0yTxx72jF0aEPRmFT4+f5VQ==\n-----END AGE ENCRYPTED FILE-----\n" 
+ }, + { + "recipient": "age108m6yx77k7aqcyesy4zmkulryzvyep6m92pflmldcnv3w5a0k9xqn5h7cx", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SWFUV1dIYU5WNUYxZHNK\nZ3B2ZVBrM3hqaXNCT1l3MUdqNUVPKzNTVmswCmNneW5tN3o0VmViejVTL3g0NVFt\nOEQ3VWMraWcxT250Vmc5ZlVQY0JQOGMKLS0tIEJtU3o3UXVQTlc0T1BXaTFuTFVY\na2hOTkdEWml4WE5xOEFVSnc0VHNhczgK3fKsIrr4/YESkOrSUC8XRnjMmlzbe95X\nBaguzZCEv6gOK16BMNFSZmPiW8dmDFQf12YAuFsYkJu6kA5p2N5cNg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbFNEZmJxVUR5UzNMUjN4\naHYyKzZrNG8xazVZeFlEcjE3RFJZd2tXNFVnCktidThVQzZHaUdZRjBRcHVHRXp6\nNHdHNDBQU05iTEs0cEdNWFdJTmpQYkkKLS0tIFlFNXYrYlhXbXk1eGxwMmxaaDdr\nUlNmbE1MUGsyTUVpVm91a1lNY1JoNVEKfAywYmQyNMxnJ62X9qS5TaepRHNJ88Ew\ntTTFkevwgsVkKN094zV/dIguA/q36D0Mf5GzujoOMgC2L8GmAPUJuw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqTW12M1NSQ0RtSnRBaXpn\nT2tQWlBpT0dXVXVNQVZleDI1M3RXZmhWa0VzCjB2Qk1OZHBaajhYU3pqRy9jQ2Y3\nayt3cksvZml4WjFacUw0MnRudGZtNkUKLS0tIFhtYXdLQUdIV0hsVVp1RU5sTENs\nbmpVYXJFalZPYXN5M1lkek5JbVNQRE0KXJwFOAJ8yH6eKbDimB0wDhp6urSDM+Kc\nj+7yMIvgVdJTvxBgDH4sWr8snJWpjIYuNZLcCquzr7V/IUfTumPghQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-03T14:54:01Z", + "mac": "ENC[AES256_GCM,data:usxqirIUsVZVeTtITVyyXgqf+Exm0rA4x+iwY5en+yMHxkEoFeMCuQ7FZTwSAq6AiMORgdyKNVzl+slPEnRC8Le2tYcWI7mtzWgZv36Ou3p9V035bI9Ev2XPDeKHr2u++sabv6ZS6FT7gfZROHwWNnmpZ7F1YVSjN4K8RcZpsTg=,iv:H29Hhc9/w8q/MeCupamKahAXMGvrvdhfUsgkwNmEJ5w=,tag:t/YSG6xrYDiLyVaDZHVHaA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.1" + } +} \ No newline at end of file 
diff --git a/nixos/boxes/cupsnet/mastodon.nix b/nixos/boxes/cupsnet/mastodon.nix
index 5ade9ec1..1d634f53 100644
--- a/nixos/boxes/cupsnet/mastodon.nix
+++ b/nixos/boxes/cupsnet/mastodon.nix
@@ -13,6 +13,8 @@
 mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
 mastodonDbSecretName = "mastodon-db";
 mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
+ mastodonEncryptionSecretName = "mastodon-encryption";
+ mastodonEncryptionSecretPath = "/run/secrets/${mastodonEncryptionSecretName}";
 uid = 2049;
 gid = 3049;
 systemUserName = "mastodon";
@@ -51,6 +53,14 @@ in {
 }
 // secretSettings;
 
+ sops.secrets."${mastodonEncryptionSecretName}" =
+ {
+ sopsFile = ./mastodon.encryption.env.sops;
+ format = "binary";
+ path = "${mastodonEncryptionSecretPath}";
+ }
+ // secretSettings;
+
 inherit users;
 
 systemd.services.mastodon-make-path = {
@@ -111,6 +121,9 @@ in {
 AUTHORIZED_FETCH = "true";
 DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
 };
+ extraEnvFiles = [
+ "${mastodonEncryptionSecretPath}"
+ ];
 configureNginx = true;
 enableUnixSocket = true;
 database = {
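Review bot: The new `sops.secrets."${mastodonEncryptionSecretName}"` block says nothing about what the env file holds or why it must be treated differently from the other secrets; given the subject line it presumably carries Mastodon's ActiveRecord column-encryption keys (ACTIVE_RECORD_ENCRYPTION_*, not visible here since the file is encrypted), and once data has been written those keys cannot be regenerated without making the encrypted columns unreadable. Suggest a comment above the block such as `# Mastodon DB column-encryption keys (loaded via extraEnvFiles). Back up together with the database; never regenerate once in use.`, adjusted to what the decrypted file actually contains. On style, `path = "${mastodonEncryptionSecretPath}";` interpolates a plain string for no effect and can be `path = mastodonEncryptionSecretPath;`; the list element in the `extraEnvFiles` hunk has the same redundancy. The diffstat names only these two files, so the "upgrade mastodon" in the subject is not carried by this patch and the description should say where that change lives. The enclosing `in {` attribute set begins and ends outside the hunk.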