deployment: sops + basicAuth

created with htpasswd from pkgs.apache2-utils

+ ensured the database is not seeded with test logins
main
Johannes Lötzsch 7 months ago
parent 64be1ecd70
commit 7e763ee267
  1. 0
      backend/src/beherbergung/db/seed/test.edn
  2. 10
      backend/src/beherbergung/db/state.clj
  3. 8
      backend/src/beherbergung/resolver/root/admin/Export.md
  4. 1
      backend/src/beherbergung/resolver/root/ngo/get_offers.clj
  5. 9
      deployment/.sops.yaml
  6. 2
      deployment/modules/default.nix
  7. 3
      deployment/modules/nginx/beherbergung.nix
  8. 15
      deployment/modules/sops.nix
  9. 69
      deployment/sops/keys/admins/j03.asc
  10. 28
      deployment/sops/keys/hosts/beherbergung-lifeline.asc
  11. 26
      deployment/sops/secrets/nginx-passwd
  12. 4
      flake.nix

@ -63,12 +63,14 @@
(export-named-by-date db_ctx "start") ;; before seeding
(let [seed-file (if (not-empty (:db-seed env))
(:db-seed env)
(io/resource "beherbergung/db/seed/example.edn"))]
(let [seed-file (when (not-empty (:db-seed env))
(:db-seed env)
;; TODO configuration for tests
#_(io/resource "beherbergung/db/seed/test.edn"))]
(when (:verbose env)
(println "Seed the database from:" seed-file))
(seed seed-file db_ctx))
(when seed-file
(seed seed-file db_ctx)))
(if (:db-validate env)
(or (validate-db db_ctx)

@ -8,3 +8,11 @@ curl 'https://URL/graphql' -H 'Content-Type: application/json' --data '{"query":
cd backend
gpg --decrypt /tmp/export.gpg | DB_SEED=/dev/stdin DB_INMEMORY=true lein run
```
## Preparation at server
Ensure, your server trusts the admin-keyid:
```sh
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $ADMIN_GPG_ID trust
```

@ -103,6 +103,7 @@
[ngo:id] (auth+role->entity ctx (:auth opt) ::ngo/record)]
(when ngo:id
;; TODO: take it from the db and filter it by visibility to the ngo
;; When importing, we want define to which ngo the imported dataset is visible
(if (:import-file env)
(unify (clojure.edn/read-string (slurp (:import-file env)))
mapping_lifeline_wpforms)

@ -0,0 +1,9 @@
keys:
- &beherbergung-lifeline 8d7c2caf71c02de02980dba3fdda92b5591c3b27
- &j03 9EA68B7F21204979645182E4287B083353C3241C
creation_rules:
- path_regex: sops/secrets/.*
key_groups:
- pgp:
- *beherbergung-lifeline
- *j03

@ -7,7 +7,7 @@
wget curl
htop atop iotop iftop
file bc jq
git
git gnupg
bind.dnsutils
];

@ -15,6 +15,9 @@
#default = true; ## we would need cors settings supporting multiple hosts
forceSSL = true;
useACMEHost = config.networking.domain;
basicAuthFile = config.sops.secrets."nginx-passwd".path; # Required as a quick+dirty hack while the !changed! backend password is delivered from the frontend :/
# Todo: integrate LoginForm into frontend
# Later: For defence in depth
locations."/" = {
proxyPass = "http://localhost:3000";
#proxyWebsockets = true;

@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
{
sops.gnupg.sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ];
sops.defaultSopsFile = ../sops/secrets/default.json;
sops.defaultSopsFormat = "json";
## Nginx passwd (basic auth of frontend/search for defence in depth)
sops.secrets."nginx-passwd" = {
sopsFile = ../sops/secrets/nginx-passwd;
format = "binary";
owner = "nginx";
};
}

@ -0,0 +1,69 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFHTETsBCACv/dL0zE9nAqYLLvVUzZZzrCGsQkIKxs72hV0JNRmXLc7YuQCf
r1alO/UhDOXMqSJKWcG6bLSI6Hf0QxTMCVAj3Hhb0ext58+LryAGYHUZPSaFtdu2
Tg14WGk9rlyDEUFBhX6Ptn9fHb6nBOoPccc3HQS512hF4il/Z4t9uDPZato0psRh
8MWRWNSW4Ph6lMrW965+zVuYScJy72N2T8E4HJ18m5qScvKKcbH8AUViAaKvCsAK
kfCEP0mZ+W7B2WWYFlyPze2kLWWAh9nU2y6NWUbOCPthjV00xC60KCKiZAqg9ACu
tvipT3EVRr3ZL3ziI8VfEwSSuGyETHbKejvxABEBAAG0LEpvaGFubmVzIEzDtnR6
c2NoIDxtYWlsQGpvaGFubmVzbG9ldHpzY2guZGU+iQE+BBMBAgAoAhsjBgsJCAcD
AgYVCAIJCgsEFgIDAQIeAQIXgAUCW0x+vAUJEt9u8AAKCRAoewgzU8MkHJ91CACT
ducLvPQILvrrLDqB/gE2SpmG4X1ZYW3KEKSgU3V5V85l+xGq1u/L8DzODzCC6lYc
RiMLzAcW4aml8j6cDVCpXjZ1M2L7Kf4R06bOSrrBU5H0+vWVcIM10CzhdB0C2XC1
G1Mm875clTrLJG5neyNIJOs+UB7FuxTLriqo8zxpY++TnuoOPDkVDGmOvJnXOtPx
fgWHEC48C+JBwe2PxOHAKk12kjQnlLBskQ/6nNgVybL5gJRaZ1P6UDhrTn+EJJtp
M1eIk3jNtVbjQ8KNSP1lnFjbPgNO9pJE+xNIp0zYsbrwpjwkkVZHzJZglWuXHbSc
io7oSJhZFT2YDchNzGf7iQEcBBMBAgAGBQJR0x56AAoJEGqU0DLQ7yOMILEIAKur
up7q0vnQW70u48eR2VStWPubqCAGfut1oCxvm6OjPVhavlAqj96woQsmweiCFgmO
L8+WfWW+R/Z5x85ciftHwoTM9pAnLlrUrNZxSI48HP2Uk69ywEqUl2pBs+BvqNwO
/Xtf3UJpECBjc5C1zHJA4lpufzVmMbU6IH7j1UtnfWPb5e47qRGOdq0DWGkoP6ER
X27AF1meKMWXG+eRfUapRHde6xkhfve7ri1UbgRCIpu1+XBgXXXL6Nc0PVr52n1R
4KXrbMhXEr1buV+eh4IAok3rB7SHaUjPF12wsboADK+yyxG3tCUKjupwZwwzVJox
V7uXxHQV+/GjtyRAvliJARwEEwECAAYFAlHTJ+MACgkQlZOMlp92uGT4FQf/cdJZ
PboYPW5Q6TTw3YHfsnRKwZqIQf4mn9vEWk3yiWUFw4MYp0Ey6nUAeH0SveQmmub1
T9/fj+pav5RdYfB02YkmmF+5yU9sTjD9zHQ9+EselIhoULwQDo1eyPS0KQJ5fdEn
Z1HpV72+xJt2Q7pQE0RDRW8+Ha6gN7i++lJBcB+ZO5aVjyn75b4FvoslhJIftA0w
oxZGyUUksfdZhAl5kUTSLqxKolrWTmr5LfzSO6FU9fJhf85U0hlS97XBdPhpF9lW
lp6g4kBUvMYsGbcM6YFs4D/XATywSaUPkbTOrLhqFFwSU9w3FtVvcsbZoqoYIy8V
fnxE/gRNUyCWgSjEwokBHAQTAQoABgUCVkpMjwAKCRCSXvugi3bUcNjfB/9q+t2w
3mF4KxGsGi4JCB05KpZ4ns8t0DatCx6L2qEXaeJDf85UUtYlaVEdzuLIL1H6HFIt
FHMdgiH2sR6x+4P8WSpfMQZ2RpIqrpIVorPBOEEXelyQTKllShU3ndEizAZm5tQm
5S4be5BdWzw1dyEncABnbjeiUWVWzRPJi0NWgj16hOeaZv/6L+ORqH/+OT/VDhBV
pWw0jKj0aDQK8hcjetYo2RXK3H0dZrqj/nR4XW9ByfxfUvtb1gl3oeOsK/h/r5U4
29+8AJU9NtkBS9jTdsezAV+q704uiXqFPDe6fpGp4DUz+z9pWSGrhq2EzCNzTAa/
Yi0Tr4CPKwglCxOoiQEcBBABCAAGBQJWitRSAAoJEJzNC13zMNkRgkMH/RA/2Xzq
h2KG0uL1BzO3lYKfcZN0a1prnejbkCkssu85gaqfimuzaOEMNrKbkJzZsXgGkOru
IoHXGGlBToFxI07K8sc8RKQWQHSfJWuvOJqodC9sPMRCaPw6SPP+GSvkl4DZ8RE0
2SvVUUU+gCNMnlJbHM/LdJqIXpOaWLqh28K9FGwbTfiopU0GGYtwRcFSgUTLYiW9
HTpr9IiZmnkij6Y/KDy4B2GvKrk757K0eg0NfYsLVFDqfdjfY9pEljhDRJwYNrrp
9UIF6uAynXA5AyErL2mBwT25D9ROhrzcTktpIBnoh8P6Sf0kDE9MGoqUymsi4nE7
/7u9klo+ZJwx9EuJAT4EEwECACgFAlHTETsCGyMFCQlmAYAGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJECh7CDNTwyQcyHQH/3Hj7L0+ERgwMQQnDV+I+MdE3RyW
v8K+XfeflGY5IK9ogp6TjCyLaHM4pJOtjnSBMQw7yhpabNzAJvv+ibNuQoznAcRA
823jCW6jyznPeW+eYqlMM0gycPN6CbCVjL6AbEp/hlCt4fQQfXX889I1RW28Uqo7
GW2/fNan3qhSG3EEeo70qTpjwkQ1tR9V7YKkUmPfvDKA/7Pdai5eVLQSSuXafTec
cOwABWAEQZFzlBizBsn9d3+atNys4l1KZDkEf72QdHCGXBzlqEuGsIgUdCXbig95
ZrRZCZOUBHif+EljwhC/KHg4ce0+C3h8YI1SGTYxSdan9/c/1Hphqzgf/GG0OUpv
aGFubmVzIEzDtnR6c2NoIDxqb2hhbm5lcy5sb2V0enNjaEBtaXNzaW9uLWxpZmVs
aW5lLmRlPokBVAQTAQgAPhYhBJ6mi38hIEl5ZFGC5Ch7CDNTwyQcBQJgPq+zAhsj
BQkS327wBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECh7CDNTwyQco3UIAJI5
p4RKLxGhSJCUd0Gkd3fuMC/4ZXa+rM/CcmliLPQjWkHPAhBahIPKekeqoohMtn2R
RBIXilUl8qToL+Q6XGrniRKnzcaxl1/B3RQpGocNcypQO1vXErnBi+og0fNtbIIu
EJs7Ddg3dUeiAOcwZpqc4zLEE/gloxCFjLj9OhJCX5rdD6kG+CKVKK0oW15kx6+g
9+qYDXO49GJGTzzZ1me/QDraiY4FefaA+B6BAs2clffA6s8If9SDeVF6NVAxuoPf
i3kHiKM6R9daB3X0JVI0QjI3DkX2sz1KbbtvfT1WC17hQ3pW8uLShchKOuGAo9M0
em6f5f6bDKpO1Jf+1Uu5AQ0EUdMROwEIAKN+YDgQxxvMkEfDr9zgzAseb/UgMqU2
O95FCLMlGYCMbeCA/8xdM/xvW5Bpo2a2CUMd5t8YqVt6PJ9Txvk8eeOCgBwYf7B/
XT0LKPqc90rzLKfWQjJ6rIyrZkt/Jsq7rhWqg63LZvwPxzmSQ1j6HSoPihB8LWFa
6VIa9PXKC3RS2VuSzHAHGklvys1/F/LFQR64O8a3n4ubis2locwGoZLL3z+dYHqR
AG44Z4RqDLisJloV5iAMIJXrN3ln89BUtZ6WyPq5QgAq0/nMnjnmoEC7cXCK7gBa
h6bUCi8YM0bBMbu8y4pAaGGnGXH78DaPqKbW5RMxxmKTt+0CWwrSY+EAEQEAAYkB
JQQYAQIADwIbDAUCW0x+9AUJEt9vNAAKCRAoewgzU8MkHKvwB/4yiaiJp9PMttGb
CNhtkeURObCQ8L43uLt4U4qPD8fREE2BxamSQgH/rXKoO7IbNS8eXAmZJcQ5lsMy
XJ6DJ7AC0T+2jsgSN0EwbgROQ3FuQZna7YL1O14S27X7N0BNJKxapxZXvmgTCS9d
4s7Px8pq3+hJQCF7zKKqDqxgjXS5cL7Kk4mmCTVhjpKqxea4u9Rp9/+H9BxLMuDh
oCdQ8v+TMuRMYir5+KqIDz764VOsK/kk87FVqo72J856drc8bnlIyHMOHVtXbLRD
W5X+d7yX1/TJJXgXdP1l68iUW4U/zBaYMXImRDoFTYTK/+ZvZLp4fahOmUtvJr1o
PxlSdJ1X
=5tRJ
-----END PGP PUBLIC KEY BLOCK-----

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEACdX34gzRPFhai0+2aXf9WkNGmrv58ZETD5/xSdSbroqXHMBUCg
HVU5ByKg6SqHaSu0H5xxvUzAgX3WFGXiVVlGGstB2WIoGMjqlEKzb3EKiwP2ch3Y
7KLuapHJIkzLXk0vUDKM12cYqRjQGdwf8JwNxUDcW4hEuOYS2LOTwmcgJmn31g7T
QUo8qpSK3cowszkOgCXaAoCptn0lOE618Waa6AQMPWhEhRsC44FpqXAVGqCvoVZD
5+ja1tHY+td459nG7rb79ketMAzn7A6nTJg381nJP6aMXrTSvLOcfejRJ/epld4j
/C8/H19abCBkJ1aA5ERp1RckjZlzHeLVp6pvUPr9SCkkz720FoqNHYTSE83/ag0y
YmMg1nje2zy1ntPGbjXoBzZFfq5k721NW0rjsv0ZxgtDr4IjOEBpGf93aoCmaun7
7EjgwJSta7RmOrbIkPzVYWQiT1Xhc2R/KpLxc327W88pK14Q4WQeZds+2PDNCojD
g5AW3HRpEy9ExSwONVRGa8Oq41yumAWKIJdfN0VSKiDiciF2l6ONi7B7ygmZoa5q
Po836CwXysTDDpbPmASqSGyQ+i5DlztrxFv5Lh/aRv625Sg1A67l953kDEXQpxv+
zBemaRLOCsSsVKt7D5melw0rhNDRxPbssB61OVGyetbKTqhiYvdjfJvMaQARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQ/dqStVkcOycCGw8CGQEAADAnEAAdGe47mNyQ4DWflOnL9SeS
c1J9GdyjMiqDey0QYoB/E01gem9Hu3CUAjUJ/NGxF5qi/BlcbLU4maRM5akUQI/W
ejBsZa84pamVY3U9ZxjNDNyA765oADJlBWIrUD52g8T3eeKKwURHTC7ncDTXesAz
C6TamaHPy4f7tdvfA8KubD68g9tyy2C4nWBrJyov+FfcMcFRhpQAvFiNXmOYTnTm
ylmVGCv9tAtzlmJ02jt3BPeL98EsCIAJ3S1D75Q5wFSuSPhGDLfhGdkHtXAeswLK
s+j3+4qHrCkE1NoaLcnHgWt4sKCtAju0eai/LY7AH1CEGJDSbpeEz4uTctK93iKb
bz1bvKlgGf3byqUfje5mRLgVWZwKH5m16SuIMBLU4vPUzTY6XTu2QpX6W9cTB5r1
/Gpp45sI43fFVkCTZq+qTRogX+j5EElpk5d1wDAEyHTU8EeiqHrJOrrmPrOXJQGr
f89lbi+tGbs0XmlT8J0hVr6SxyUjOlQScQcvlZi4+ewrWTDsndGjCLFTzEK0yKRo
Q1ZxyE7o+WDgjiKuvaiH4iTyUQ4aCsfGNybQ0885gt1sLzk8aV2e0Ex3f6luH+W7
TY+silE/jPHHCW66PoWOc2nIzfMOHXBQjpKr3h9cJ9F5stQfFlpNpPUFjGRayQ5x
2oEhzxK1JhulVJ9ojN37nQ==
=a4ad
-----END PGP PUBLIC KEY BLOCK-----

@ -0,0 +1,26 @@
{
"data": "ENC[AES256_GCM,data:m16wyh6ruLGXyVOzcGHLlAfeubguGZL6FpgLyBIxk1iai4KrYoZ5r+y+eSTddg==,iv:FhiZjUwkp019wW7RT6T4AxGqNZ6HFHluAt8/z7r3Oz8=,tag:T1GNuBxuAdq97tm45l05dQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": null,
"lastmodified": "2022-03-10T14:53:47Z",
"mac": "ENC[AES256_GCM,data:fU70SEXq2Qa9rZvwa6/KrFqecx8bTORySXnKDLlTNIAk/hgjuw8Hevxazpqum074Zh3e7KrpWkmiA02PPoVdMAmNpzL37dTiyzVJoOF3SSq6BXJ1IpnIQtdQl0MZqTbCdRFf96WMq0AXc2TNIPGd1L0Acf3p0AvVJS62kYkkhX4=,iv:96YVf6tJ3qEmz6E0eGcHU3NS+0Ct1TWJoTTER5+c4B8=,tag:7d/GAUe1LE2fEHjZ+6iCVg==,type:str]",
"pgp": [
{
"created_at": "2022-03-10T12:50:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA/3akrVZHDsnAQ/9FhBUrNeemuywlWRJIE9IgQEz3CTtOyIHluk8Af0RNvdo\naZXd6XTHM+vip25dRKsXhJkVjFvYibwoj35LvIcKISIwJcFlwEO6BWTUeyfuwofB\ny4Ig+4sh6nSzBi0REBu8DNROBHWJfKVtZ2TI+705AP9SnZlKmfgtIrdct3bVpTqk\nnriYjiCRahzCnQ/7JJvOkKDIWbaGiv0NZm4CXpl164DeN3AnKE6Wg45Q8GPgg31I\n1F+GE2kSwD9wgtwlnyYiN/9Ngx09K486CE2/qo3FePNpk5QgFaxTmHnv/1CTvNu0\nZjOab8ENwLn1TPr/uvXUWfTi4j8auk768Q7+bIFG1xp6BQ+hR6/5r4GVsnAyzdE1\ntcjNIAoiXwbcNcsvV0jvjc/VkyPWhOS7rPW6uZ6hT3OEWVo3e9HPe84N5FjmLIPN\nGFGHHxtJXs7CRHLx1vxCEfzKC2UFW6+fyF+hVEzNV0ThDPpSBxiUnzENfTpgEaBF\nmJjlTg4kmvVzDCdlUdkU8ID5pqoHg0xtVUllxB5FFOlNUsBtpLwjb0CaNVXxSbC5\nYJi+SS6JIzw+C+Hg2pBEuxxWDIGWrq8TOxLn4fVWQz2A8Fz1nKjmqwKRSfdBAuia\nq1Pc0LVXZCFd+PeZ0RL/rcN5MPSRwdiyPZTXY2NexU07WZ/YjmFoLSwhiKim9xnS\nUAFpcSXaOUAiqA/s5dWsw4nCLuR8VS1DTBKqovHJOB+lQkYKzNRJ5gWwY77L+M7F\n2ObqQsP+dvMwDY15ZV7YHAHED+K5Xf/4rpPgSExh6Umr\n=EbV6\n-----END PGP MESSAGE-----\n",
"fp": "8d7c2caf71c02de02980dba3fdda92b5591c3b27"
},
{
"created_at": "2022-03-10T12:50:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA/Z87ylQaotQAQgABf6ptkC0Sqrta+jzY9PJwOEkZRz9arPzpdVCPg9PqrqR\n4F3bFghd1PHoijCNfKCFnDFGwGhH/lxtQvqox+xc83iBc8B+mt8ydDnXBPS3ff5V\n1/obWuG71AIUAZPEHvzs3a3KbQ4lt7hsvSlkfHoAXbRvl/A3Ly8Z7ji7Ql4r2K71\neOARuxATmPKmgjMB1rWsaNkIwiazcr2YXPJJoA284DGOZw6W0Rptv9RFNm9PttC0\nKecwKUVxqR0atTd3bG6+CTTcKH7sSCKhui+LWkX6kWt26cnT2dNxYF83shVojCJ3\nhpj5MHfvbsbPCNzoefrYWE+Gk4qhmwWS5VFTJrqfO9LmAWI/eHwaK/e2uK4xyrqB\nvFFm/BNoK9x17tRDBHo75M/SLkm1Xqg+UW4TpjjjYDH6RYU8n3P2fB15fjy3yVeH\nS+T6o0eFl6hW886pq9Akvmar4mtUYFcA\n=goup\n-----END PGP MESSAGE-----",
"fp": "9EA68B7F21204979645182E4287B083353C3241C"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.7.1"
}
}

@ -31,8 +31,8 @@
commonModules = [
./deployment/modules/nix.nix
./deployment/modules/default.nix
#sops-nix.nixosModules.sops
#./deployment/modules/sops.nix
sops-nix.nixosModules.sops
./deployment/modules/sops.nix
./deployment/modules/dns.nix
#./deployment/modules/monitoring/client.nix
./deployment/modules/nginx/beherbergung.nix

Loading…
Cancel
Save