deployment: sops + basicAuth

created with htpasswd from pkgs.apache2-utils + ensured the database is not seeded with test logins
2022-03-10 16:01:44 +01:00 · 2022-03-10 16:01:44 +01:00 · 7e763ee267
parent 64be1ecd70
commit 7e763ee267
12 changed files with 168 additions and 7 deletions
--- a/backend/src/beherbergung/db/seed/example.edn
+++ b/backend/src/beherbergung/db/seed/example.edn
--- a/backend/src/beherbergung/db/state.clj
+++ b/backend/src/beherbergung/db/state.clj
@ -63,12 +63,14 @@

       (export-named-by-date db_ctx "start")  ;; before seeding

-       (let [seed-file (if (not-empty (:db-seed env))
-                           (:db-seed env)
-                           (io/resource "beherbergung/db/seed/example.edn"))]
+       (let [seed-file (when (not-empty (:db-seed env))
+                             (:db-seed env)
+                             ;; TODO configuration for tests
+                             #_(io/resource "beherbergung/db/seed/test.edn"))]
            (when (:verbose env)
                  (println "Seed the database from:" seed-file))
-            (seed seed-file db_ctx))
+            (when seed-file
+                  (seed seed-file db_ctx)))
      
       (if (:db-validate env)
           (or (validate-db db_ctx)
--- a/backend/src/beherbergung/resolver/root/admin/Export.md
+++ b/backend/src/beherbergung/resolver/root/admin/Export.md
@ -8,3 +8,11 @@ curl 'https://URL/graphql' -H 'Content-Type: application/json' --data '{"query":
 cd backend
 gpg --decrypt /tmp/export.gpg | DB_SEED=/dev/stdin DB_INMEMORY=true lein run
 ```
+
+## Preparation at server
+
+Ensure, your server trusts the admin-keyid:
+
+```sh
+echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $ADMIN_GPG_ID trust
+```
--- a/backend/src/beherbergung/resolver/root/ngo/get_offers.clj
+++ b/backend/src/beherbergung/resolver/root/ngo/get_offers.clj
@ -103,6 +103,7 @@
        [ngo:id] (auth+role->entity ctx (:auth opt) ::ngo/record)]
       (when ngo:id
         ;; TODO: take it from the db and filter it by visibility to the ngo
+         ;; When importing, we want define to which ngo the imported dataset is visible
         (if (:import-file env)
             (unify (clojure.edn/read-string (slurp (:import-file env)))
                    mapping_lifeline_wpforms)
--- a/deployment/.sops.yaml
+++ b/deployment/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &beherbergung-lifeline 8d7c2caf71c02de02980dba3fdda92b5591c3b27
+  - &j03 9EA68B7F21204979645182E4287B083353C3241C
+creation_rules:
+  - path_regex: sops/secrets/.*
+    key_groups:
+    - pgp:
+      - *beherbergung-lifeline
+      - *j03
--- a/deployment/modules/default.nix
+++ b/deployment/modules/default.nix
@ -7,7 +7,7 @@
    wget curl
    htop atop iotop iftop
    file bc jq
-    git
+    git gnupg
    bind.dnsutils
  ];

--- a/deployment/modules/nginx/beherbergung.nix
+++ b/deployment/modules/nginx/beherbergung.nix
@ -15,6 +15,9 @@
      #default = true;  ## we would need cors settings supporting multiple hosts
      forceSSL = true;
      useACMEHost = config.networking.domain;
+      basicAuthFile = config.sops.secrets."nginx-passwd".path;  # Required as a quick+dirty hack while the !changed! backend password is delivered from the frontend :/
+                                                                # Todo: integrate LoginForm into frontend
+                                                                # Later: For defence in depth
      locations."/" = {
        proxyPass = "http://localhost:3000";
        #proxyWebsockets = true;
--- a/deployment/modules/sops.nix
+++ b/deployment/modules/sops.nix
@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+{
+  sops.gnupg.sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ];
+
+  sops.defaultSopsFile = ../sops/secrets/default.json;
+  sops.defaultSopsFormat = "json";
+
+  ## Nginx passwd (basic auth of frontend/search for defence in depth)
+
+  sops.secrets."nginx-passwd" = {
+    sopsFile = ../sops/secrets/nginx-passwd;
+    format = "binary";
+    owner = "nginx";
+  };
+}
--- a/deployment/sops/keys/admins/j03.asc
+++ b/deployment/sops/keys/admins/j03.asc
@ -0,0 +1,69 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFHTETsBCACv/dL0zE9nAqYLLvVUzZZzrCGsQkIKxs72hV0JNRmXLc7YuQCf
+r1alO/UhDOXMqSJKWcG6bLSI6Hf0QxTMCVAj3Hhb0ext58+LryAGYHUZPSaFtdu2
+Tg14WGk9rlyDEUFBhX6Ptn9fHb6nBOoPccc3HQS512hF4il/Z4t9uDPZato0psRh
+8MWRWNSW4Ph6lMrW965+zVuYScJy72N2T8E4HJ18m5qScvKKcbH8AUViAaKvCsAK
+kfCEP0mZ+W7B2WWYFlyPze2kLWWAh9nU2y6NWUbOCPthjV00xC60KCKiZAqg9ACu
+tvipT3EVRr3ZL3ziI8VfEwSSuGyETHbKejvxABEBAAG0LEpvaGFubmVzIEzDtnR6
+c2NoIDxtYWlsQGpvaGFubmVzbG9ldHpzY2guZGU+iQE+BBMBAgAoAhsjBgsJCAcD
+AgYVCAIJCgsEFgIDAQIeAQIXgAUCW0x+vAUJEt9u8AAKCRAoewgzU8MkHJ91CACT
+ducLvPQILvrrLDqB/gE2SpmG4X1ZYW3KEKSgU3V5V85l+xGq1u/L8DzODzCC6lYc
+RiMLzAcW4aml8j6cDVCpXjZ1M2L7Kf4R06bOSrrBU5H0+vWVcIM10CzhdB0C2XC1
+G1Mm875clTrLJG5neyNIJOs+UB7FuxTLriqo8zxpY++TnuoOPDkVDGmOvJnXOtPx
+fgWHEC48C+JBwe2PxOHAKk12kjQnlLBskQ/6nNgVybL5gJRaZ1P6UDhrTn+EJJtp
+M1eIk3jNtVbjQ8KNSP1lnFjbPgNO9pJE+xNIp0zYsbrwpjwkkVZHzJZglWuXHbSc
+io7oSJhZFT2YDchNzGf7iQEcBBMBAgAGBQJR0x56AAoJEGqU0DLQ7yOMILEIAKur
+up7q0vnQW70u48eR2VStWPubqCAGfut1oCxvm6OjPVhavlAqj96woQsmweiCFgmO
+L8+WfWW+R/Z5x85ciftHwoTM9pAnLlrUrNZxSI48HP2Uk69ywEqUl2pBs+BvqNwO
+/Xtf3UJpECBjc5C1zHJA4lpufzVmMbU6IH7j1UtnfWPb5e47qRGOdq0DWGkoP6ER
+X27AF1meKMWXG+eRfUapRHde6xkhfve7ri1UbgRCIpu1+XBgXXXL6Nc0PVr52n1R
+4KXrbMhXEr1buV+eh4IAok3rB7SHaUjPF12wsboADK+yyxG3tCUKjupwZwwzVJox
+V7uXxHQV+/GjtyRAvliJARwEEwECAAYFAlHTJ+MACgkQlZOMlp92uGT4FQf/cdJZ
+PboYPW5Q6TTw3YHfsnRKwZqIQf4mn9vEWk3yiWUFw4MYp0Ey6nUAeH0SveQmmub1
+T9/fj+pav5RdYfB02YkmmF+5yU9sTjD9zHQ9+EselIhoULwQDo1eyPS0KQJ5fdEn
+Z1HpV72+xJt2Q7pQE0RDRW8+Ha6gN7i++lJBcB+ZO5aVjyn75b4FvoslhJIftA0w
+oxZGyUUksfdZhAl5kUTSLqxKolrWTmr5LfzSO6FU9fJhf85U0hlS97XBdPhpF9lW
+lp6g4kBUvMYsGbcM6YFs4D/XATywSaUPkbTOrLhqFFwSU9w3FtVvcsbZoqoYIy8V
+fnxE/gRNUyCWgSjEwokBHAQTAQoABgUCVkpMjwAKCRCSXvugi3bUcNjfB/9q+t2w
+3mF4KxGsGi4JCB05KpZ4ns8t0DatCx6L2qEXaeJDf85UUtYlaVEdzuLIL1H6HFIt
+FHMdgiH2sR6x+4P8WSpfMQZ2RpIqrpIVorPBOEEXelyQTKllShU3ndEizAZm5tQm
+5S4be5BdWzw1dyEncABnbjeiUWVWzRPJi0NWgj16hOeaZv/6L+ORqH/+OT/VDhBV
+pWw0jKj0aDQK8hcjetYo2RXK3H0dZrqj/nR4XW9ByfxfUvtb1gl3oeOsK/h/r5U4
+29+8AJU9NtkBS9jTdsezAV+q704uiXqFPDe6fpGp4DUz+z9pWSGrhq2EzCNzTAa/
+Yi0Tr4CPKwglCxOoiQEcBBABCAAGBQJWitRSAAoJEJzNC13zMNkRgkMH/RA/2Xzq
+h2KG0uL1BzO3lYKfcZN0a1prnejbkCkssu85gaqfimuzaOEMNrKbkJzZsXgGkOru
+IoHXGGlBToFxI07K8sc8RKQWQHSfJWuvOJqodC9sPMRCaPw6SPP+GSvkl4DZ8RE0
+2SvVUUU+gCNMnlJbHM/LdJqIXpOaWLqh28K9FGwbTfiopU0GGYtwRcFSgUTLYiW9
+HTpr9IiZmnkij6Y/KDy4B2GvKrk757K0eg0NfYsLVFDqfdjfY9pEljhDRJwYNrrp
+9UIF6uAynXA5AyErL2mBwT25D9ROhrzcTktpIBnoh8P6Sf0kDE9MGoqUymsi4nE7
+/7u9klo+ZJwx9EuJAT4EEwECACgFAlHTETsCGyMFCQlmAYAGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheAAAoJECh7CDNTwyQcyHQH/3Hj7L0+ERgwMQQnDV+I+MdE3RyW
+v8K+XfeflGY5IK9ogp6TjCyLaHM4pJOtjnSBMQw7yhpabNzAJvv+ibNuQoznAcRA
+823jCW6jyznPeW+eYqlMM0gycPN6CbCVjL6AbEp/hlCt4fQQfXX889I1RW28Uqo7
+GW2/fNan3qhSG3EEeo70qTpjwkQ1tR9V7YKkUmPfvDKA/7Pdai5eVLQSSuXafTec
+cOwABWAEQZFzlBizBsn9d3+atNys4l1KZDkEf72QdHCGXBzlqEuGsIgUdCXbig95
+ZrRZCZOUBHif+EljwhC/KHg4ce0+C3h8YI1SGTYxSdan9/c/1Hphqzgf/GG0OUpv
+aGFubmVzIEzDtnR6c2NoIDxqb2hhbm5lcy5sb2V0enNjaEBtaXNzaW9uLWxpZmVs
+aW5lLmRlPokBVAQTAQgAPhYhBJ6mi38hIEl5ZFGC5Ch7CDNTwyQcBQJgPq+zAhsj
+BQkS327wBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECh7CDNTwyQco3UIAJI5
+p4RKLxGhSJCUd0Gkd3fuMC/4ZXa+rM/CcmliLPQjWkHPAhBahIPKekeqoohMtn2R
+RBIXilUl8qToL+Q6XGrniRKnzcaxl1/B3RQpGocNcypQO1vXErnBi+og0fNtbIIu
+EJs7Ddg3dUeiAOcwZpqc4zLEE/gloxCFjLj9OhJCX5rdD6kG+CKVKK0oW15kx6+g
+9+qYDXO49GJGTzzZ1me/QDraiY4FefaA+B6BAs2clffA6s8If9SDeVF6NVAxuoPf
+i3kHiKM6R9daB3X0JVI0QjI3DkX2sz1KbbtvfT1WC17hQ3pW8uLShchKOuGAo9M0
+em6f5f6bDKpO1Jf+1Uu5AQ0EUdMROwEIAKN+YDgQxxvMkEfDr9zgzAseb/UgMqU2
+O95FCLMlGYCMbeCA/8xdM/xvW5Bpo2a2CUMd5t8YqVt6PJ9Txvk8eeOCgBwYf7B/
+XT0LKPqc90rzLKfWQjJ6rIyrZkt/Jsq7rhWqg63LZvwPxzmSQ1j6HSoPihB8LWFa
+6VIa9PXKC3RS2VuSzHAHGklvys1/F/LFQR64O8a3n4ubis2locwGoZLL3z+dYHqR
+AG44Z4RqDLisJloV5iAMIJXrN3ln89BUtZ6WyPq5QgAq0/nMnjnmoEC7cXCK7gBa
+h6bUCi8YM0bBMbu8y4pAaGGnGXH78DaPqKbW5RMxxmKTt+0CWwrSY+EAEQEAAYkB
+JQQYAQIADwIbDAUCW0x+9AUJEt9vNAAKCRAoewgzU8MkHKvwB/4yiaiJp9PMttGb
+CNhtkeURObCQ8L43uLt4U4qPD8fREE2BxamSQgH/rXKoO7IbNS8eXAmZJcQ5lsMy
+XJ6DJ7AC0T+2jsgSN0EwbgROQ3FuQZna7YL1O14S27X7N0BNJKxapxZXvmgTCS9d
+4s7Px8pq3+hJQCF7zKKqDqxgjXS5cL7Kk4mmCTVhjpKqxea4u9Rp9/+H9BxLMuDh
+oCdQ8v+TMuRMYir5+KqIDz764VOsK/kk87FVqo72J856drc8bnlIyHMOHVtXbLRD
+W5X+d7yX1/TJJXgXdP1l68iUW4U/zBaYMXImRDoFTYTK/+ZvZLp4fahOmUtvJr1o
+PxlSdJ1X
+=5tRJ
+-----END PGP PUBLIC KEY BLOCK-----
--- a/deployment/sops/keys/hosts/beherbergung-lifeline.asc
+++ b/deployment/sops/keys/hosts/beherbergung-lifeline.asc
@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEACdX34gzRPFhai0+2aXf9WkNGmrv58ZETD5/xSdSbroqXHMBUCg
+HVU5ByKg6SqHaSu0H5xxvUzAgX3WFGXiVVlGGstB2WIoGMjqlEKzb3EKiwP2ch3Y
+7KLuapHJIkzLXk0vUDKM12cYqRjQGdwf8JwNxUDcW4hEuOYS2LOTwmcgJmn31g7T
+QUo8qpSK3cowszkOgCXaAoCptn0lOE618Waa6AQMPWhEhRsC44FpqXAVGqCvoVZD
+5+ja1tHY+td459nG7rb79ketMAzn7A6nTJg381nJP6aMXrTSvLOcfejRJ/epld4j
+/C8/H19abCBkJ1aA5ERp1RckjZlzHeLVp6pvUPr9SCkkz720FoqNHYTSE83/ag0y
+YmMg1nje2zy1ntPGbjXoBzZFfq5k721NW0rjsv0ZxgtDr4IjOEBpGf93aoCmaun7
+7EjgwJSta7RmOrbIkPzVYWQiT1Xhc2R/KpLxc327W88pK14Q4WQeZds+2PDNCojD
+g5AW3HRpEy9ExSwONVRGa8Oq41yumAWKIJdfN0VSKiDiciF2l6ONi7B7ygmZoa5q
+Po836CwXysTDDpbPmASqSGyQ+i5DlztrxFv5Lh/aRv625Sg1A67l953kDEXQpxv+
+zBemaRLOCsSsVKt7D5melw0rhNDRxPbssB61OVGyetbKTqhiYvdjfJvMaQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQ/dqStVkcOycCGw8CGQEAADAnEAAdGe47mNyQ4DWflOnL9SeS
+c1J9GdyjMiqDey0QYoB/E01gem9Hu3CUAjUJ/NGxF5qi/BlcbLU4maRM5akUQI/W
+ejBsZa84pamVY3U9ZxjNDNyA765oADJlBWIrUD52g8T3eeKKwURHTC7ncDTXesAz
+C6TamaHPy4f7tdvfA8KubD68g9tyy2C4nWBrJyov+FfcMcFRhpQAvFiNXmOYTnTm
+ylmVGCv9tAtzlmJ02jt3BPeL98EsCIAJ3S1D75Q5wFSuSPhGDLfhGdkHtXAeswLK
+s+j3+4qHrCkE1NoaLcnHgWt4sKCtAju0eai/LY7AH1CEGJDSbpeEz4uTctK93iKb
+bz1bvKlgGf3byqUfje5mRLgVWZwKH5m16SuIMBLU4vPUzTY6XTu2QpX6W9cTB5r1
+/Gpp45sI43fFVkCTZq+qTRogX+j5EElpk5d1wDAEyHTU8EeiqHrJOrrmPrOXJQGr
+f89lbi+tGbs0XmlT8J0hVr6SxyUjOlQScQcvlZi4+ewrWTDsndGjCLFTzEK0yKRo
+Q1ZxyE7o+WDgjiKuvaiH4iTyUQ4aCsfGNybQ0885gt1sLzk8aV2e0Ex3f6luH+W7
+TY+silE/jPHHCW66PoWOc2nIzfMOHXBQjpKr3h9cJ9F5stQfFlpNpPUFjGRayQ5x
+2oEhzxK1JhulVJ9ojN37nQ==
+=a4ad
+-----END PGP PUBLIC KEY BLOCK-----
--- a/deployment/sops/secrets/nginx-passwd
+++ b/deployment/sops/secrets/nginx-passwd
@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:m16wyh6ruLGXyVOzcGHLlAfeubguGZL6FpgLyBIxk1iai4KrYoZ5r+y+eSTddg==,iv:FhiZjUwkp019wW7RT6T4AxGqNZ6HFHluAt8/z7r3Oz8=,tag:T1GNuBxuAdq97tm45l05dQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-03-10T14:53:47Z",
+		"mac": "ENC[AES256_GCM,data:fU70SEXq2Qa9rZvwa6/KrFqecx8bTORySXnKDLlTNIAk/hgjuw8Hevxazpqum074Zh3e7KrpWkmiA02PPoVdMAmNpzL37dTiyzVJoOF3SSq6BXJ1IpnIQtdQl0MZqTbCdRFf96WMq0AXc2TNIPGd1L0Acf3p0AvVJS62kYkkhX4=,iv:96YVf6tJ3qEmz6E0eGcHU3NS+0Ct1TWJoTTER5+c4B8=,tag:7d/GAUe1LE2fEHjZ+6iCVg==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-03-10T12:50:11Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA/3akrVZHDsnAQ/9FhBUrNeemuywlWRJIE9IgQEz3CTtOyIHluk8Af0RNvdo\naZXd6XTHM+vip25dRKsXhJkVjFvYibwoj35LvIcKISIwJcFlwEO6BWTUeyfuwofB\ny4Ig+4sh6nSzBi0REBu8DNROBHWJfKVtZ2TI+705AP9SnZlKmfgtIrdct3bVpTqk\nnriYjiCRahzCnQ/7JJvOkKDIWbaGiv0NZm4CXpl164DeN3AnKE6Wg45Q8GPgg31I\n1F+GE2kSwD9wgtwlnyYiN/9Ngx09K486CE2/qo3FePNpk5QgFaxTmHnv/1CTvNu0\nZjOab8ENwLn1TPr/uvXUWfTi4j8auk768Q7+bIFG1xp6BQ+hR6/5r4GVsnAyzdE1\ntcjNIAoiXwbcNcsvV0jvjc/VkyPWhOS7rPW6uZ6hT3OEWVo3e9HPe84N5FjmLIPN\nGFGHHxtJXs7CRHLx1vxCEfzKC2UFW6+fyF+hVEzNV0ThDPpSBxiUnzENfTpgEaBF\nmJjlTg4kmvVzDCdlUdkU8ID5pqoHg0xtVUllxB5FFOlNUsBtpLwjb0CaNVXxSbC5\nYJi+SS6JIzw+C+Hg2pBEuxxWDIGWrq8TOxLn4fVWQz2A8Fz1nKjmqwKRSfdBAuia\nq1Pc0LVXZCFd+PeZ0RL/rcN5MPSRwdiyPZTXY2NexU07WZ/YjmFoLSwhiKim9xnS\nUAFpcSXaOUAiqA/s5dWsw4nCLuR8VS1DTBKqovHJOB+lQkYKzNRJ5gWwY77L+M7F\n2ObqQsP+dvMwDY15ZV7YHAHED+K5Xf/4rpPgSExh6Umr\n=EbV6\n-----END PGP MESSAGE-----\n",
+				"fp": "8d7c2caf71c02de02980dba3fdda92b5591c3b27"
+			},
+			{
+				"created_at": "2022-03-10T12:50:11Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA/Z87ylQaotQAQgABf6ptkC0Sqrta+jzY9PJwOEkZRz9arPzpdVCPg9PqrqR\n4F3bFghd1PHoijCNfKCFnDFGwGhH/lxtQvqox+xc83iBc8B+mt8ydDnXBPS3ff5V\n1/obWuG71AIUAZPEHvzs3a3KbQ4lt7hsvSlkfHoAXbRvl/A3Ly8Z7ji7Ql4r2K71\neOARuxATmPKmgjMB1rWsaNkIwiazcr2YXPJJoA284DGOZw6W0Rptv9RFNm9PttC0\nKecwKUVxqR0atTd3bG6+CTTcKH7sSCKhui+LWkX6kWt26cnT2dNxYF83shVojCJ3\nhpj5MHfvbsbPCNzoefrYWE+Gk4qhmwWS5VFTJrqfO9LmAWI/eHwaK/e2uK4xyrqB\nvFFm/BNoK9x17tRDBHo75M/SLkm1Xqg+UW4TpjjjYDH6RYU8n3P2fB15fjy3yVeH\nS+T6o0eFl6hW886pq9Akvmar4mtUYFcA\n=goup\n-----END PGP MESSAGE-----",
+				"fp": "9EA68B7F21204979645182E4287B083353C3241C"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}
--- a/flake.nix
+++ b/flake.nix
@ -31,8 +31,8 @@
    commonModules = [
      ./deployment/modules/nix.nix
      ./deployment/modules/default.nix
-      #sops-nix.nixosModules.sops
-      #./deployment/modules/sops.nix
+      sops-nix.nixosModules.sops
+      ./deployment/modules/sops.nix
      ./deployment/modules/dns.nix
      #./deployment/modules/monitoring/client.nix
      ./deployment/modules/nginx/beherbergung.nix