deployment: sops + basicAuth
Password file created with htpasswd from pkgs.apache2-utils; also ensured the database is no longer seeded with example/test logins by default (seeding now happens only when DB_SEED is set).
This commit is contained in:
parent
64be1ecd70
commit
7e763ee267
|
@ -63,12 +63,14 @@
|
|||
|
||||
(export-named-by-date db_ctx "start") ;; before seeding
|
||||
|
||||
(let [seed-file (if (not-empty (:db-seed env))
|
||||
(let [seed-file (when (not-empty (:db-seed env))
|
||||
(:db-seed env)
|
||||
(io/resource "beherbergung/db/seed/example.edn"))]
|
||||
;; TODO configuration for tests
|
||||
#_(io/resource "beherbergung/db/seed/test.edn"))]
|
||||
(when (:verbose env)
|
||||
(println "Seed the database from:" seed-file))
|
||||
(seed seed-file db_ctx))
|
||||
(when seed-file
|
||||
(seed seed-file db_ctx)))
|
||||
|
||||
(if (:db-validate env)
|
||||
(or (validate-db db_ctx)
|
||||
|
|
|
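Review bot: With the example fallback gone, `(println "Seed the database from:" seed-file)` under `:verbose` still runs when `seed-file` is nil and prints a misleading `nil`, and the reader-discarded `#_(io/resource "beherbergung/db/seed/test.edn")` with its TODO stays inside the `let`, so dropping the `#_` would reinstate an always-on built-in seed, exactly what this commit removes. Move the verbose print inside the new `(when seed-file ...)` and replace the discarded form with a comment such as `;; No built-in fallback: seeding happens only when DB_SEED is set, so a production DB never receives example/test logins`. If a test seed is still wanted, gate it on an explicit env key rather than a commented-out resource. The enclosing function starts and ends outside the hunk.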
@ -8,3 +8,11 @@ curl 'https://URL/graphql' -H 'Content-Type: application/json' --data '{"query":
|
|||
cd backend
|
||||
gpg --decrypt /tmp/export.gpg | DB_SEED=/dev/stdin DB_INMEMORY=true lein run
|
||||
```
|
||||
|
||||
## Preparation at server
|
||||
|
||||
Ensure, your server trusts the admin-keyid:
|
||||
|
||||
```sh
|
||||
echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key $ADMIN_GPG_ID trust
|
||||
```
|
||||
|
|
|
@ -103,6 +103,7 @@
|
|||
[ngo:id] (auth+role->entity ctx (:auth opt) ::ngo/record)]
|
||||
(when ngo:id
|
||||
;; TODO: take it from the db and filter it by visibility to the ngo
|
||||
;; When importing, we want define to which ngo the imported dataset is visible
|
||||
(if (:import-file env)
|
||||
(unify (clojure.edn/read-string (slurp (:import-file env)))
|
||||
mapping_lifeline_wpforms)
|
||||
|
|
|
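Review bot: The `unify`/`slurp` branch hands the whole imported file to any caller for whom `auth+role->entity` yields an `ngo:id`, and the existing TODO on the line above admits it is not filtered by NGO visibility; the new comment (presumably the added line, given the +1) states the intent but reads as if it were already done. Reword it so the gap is explicit: `;; TODO(security): not yet filtered by NGO visibility - every NGO role currently sees the whole imported file; the import should record which NGO may see the dataset`. `clojure.edn/read-string` is the right reader for a file path taken from the environment (no `#=` evaluation), which is worth a short comment so nobody swaps it for `clojure.core/read-string`. The enclosing function starts and ends outside the hunk.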
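--- a/deployment/.sops.yaml
+++ b/deployment/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+  - &beherbergung-lifeline 8d7c2caf71c02de02980dba3fdda92b5591c3b27
+  - &j03 9EA68B7F21204979645182E4287B083353C3241C
+creation_rules:
+  - path_regex: sops/secrets/.*
+    key_groups:
+      - pgp:
+          - *beherbergung-lifeline
+          - *j03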
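Review bot: Neither anchor says what its key is, and the distinction matters for rotation: the first fingerprint ends in `fdda92b5591c3b27`, the key id that signs the `root (Imported from SSH) <root@localhost>` public key block added in this commit, so it is the server's key derived from `/etc/ssh/ssh_host_rsa_key`, while the second matches the personal key block. Add `# server: PGP key derived from the host's SSH RSA key (see sops.gnupg.sshKeyPaths); re-key all secrets if the host key changes` and `# admin` comments next to the anchors. Both keys sit in one `key_groups` entry, which (per sops semantics) means either key alone can decrypt; that is the right shape for admin-plus-host, but say so, since a second group would instead require both.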
@ -7,7 +7,7 @@
|
|||
wget curl
|
||||
htop atop iotop iftop
|
||||
file bc jq
|
||||
git
|
||||
git gnupg
|
||||
bind.dnsutils
|
||||
];
|
||||
|
||||
|
|
|
@ -15,6 +15,9 @@
|
|||
#default = true; ## we would need cors settings supporting multiple hosts
|
||||
forceSSL = true;
|
||||
useACMEHost = config.networking.domain;
|
||||
basicAuthFile = config.sops.secrets."nginx-passwd".path; # Required as a quick+dirty hack while the !changed! backend password is delivered from the frontend :/
|
||||
# Todo: integrate LoginForm into frontend
|
||||
# Later: For defence in depth
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:3000";
|
||||
#proxyWebsockets = true;
|
||||
|
|
|
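Review bot: The three new comment lines on `basicAuthFile` give the motivation but not the operational facts a maintainer needs: the password file is set at host level, so it gates every location of this vhost (not just `locations."/"`), the protection holds only because `forceSSL = true` above keeps the credentials off the wire, and the hash scheme is unstated. The commit message says the file came from `htpasswd` in `pkgs.apache2-utils`; that tool's default is apr1-MD5, so if the deployed nginx's crypt() supports it, regenerate with `htpasswd -B` (bcrypt) and record the choice. I would replace the two trailing comments with `# Host-level basic auth: covers every location below and relies on forceSSL above. Remove once the frontend has its own login form.` The enclosing virtualHost attribute set starts and ends outside the hunk.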
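--- a/deployment/modules/sops.nix
+++ b/deployment/modules/sops.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+{
+  sops.gnupg.sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ];
+
+  sops.defaultSopsFile = ../sops/secrets/default.json;
+  sops.defaultSopsFormat = "json";
+
+  ## Nginx passwd (basic auth of frontend/search for defence in depth)
+
+  sops.secrets."nginx-passwd" = {
+    sopsFile = ../sops/secrets/nginx-passwd;
+    format = "binary";
+    owner = "nginx";
+  };
+}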
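Review bot: `sops.gnupg.sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ]` makes the SSH host key the only decryption key on the server, and nothing in the file says so; a host reinstall or host-key rotation silently breaks every secret under `sops/secrets/` until they are re-keyed against the new fingerprint in `.sops.yaml`. Add `# Decrypts with a PGP key derived from the host's SSH RSA key; rotating that key means re-keying all sops secrets and updating .sops.yaml` above that line. The `"nginx-passwd"` entry sets `owner = "nginx"` but leaves `mode` at the module default; stating `mode = "0400";` explicitly makes the least-privilege intent visible and survives a change of that default.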
@ -0,0 +1,69 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBFHTETsBCACv/dL0zE9nAqYLLvVUzZZzrCGsQkIKxs72hV0JNRmXLc7YuQCf
|
||||
r1alO/UhDOXMqSJKWcG6bLSI6Hf0QxTMCVAj3Hhb0ext58+LryAGYHUZPSaFtdu2
|
||||
Tg14WGk9rlyDEUFBhX6Ptn9fHb6nBOoPccc3HQS512hF4il/Z4t9uDPZato0psRh
|
||||
8MWRWNSW4Ph6lMrW965+zVuYScJy72N2T8E4HJ18m5qScvKKcbH8AUViAaKvCsAK
|
||||
kfCEP0mZ+W7B2WWYFlyPze2kLWWAh9nU2y6NWUbOCPthjV00xC60KCKiZAqg9ACu
|
||||
tvipT3EVRr3ZL3ziI8VfEwSSuGyETHbKejvxABEBAAG0LEpvaGFubmVzIEzDtnR6
|
||||
c2NoIDxtYWlsQGpvaGFubmVzbG9ldHpzY2guZGU+iQE+BBMBAgAoAhsjBgsJCAcD
|
||||
AgYVCAIJCgsEFgIDAQIeAQIXgAUCW0x+vAUJEt9u8AAKCRAoewgzU8MkHJ91CACT
|
||||
ducLvPQILvrrLDqB/gE2SpmG4X1ZYW3KEKSgU3V5V85l+xGq1u/L8DzODzCC6lYc
|
||||
RiMLzAcW4aml8j6cDVCpXjZ1M2L7Kf4R06bOSrrBU5H0+vWVcIM10CzhdB0C2XC1
|
||||
G1Mm875clTrLJG5neyNIJOs+UB7FuxTLriqo8zxpY++TnuoOPDkVDGmOvJnXOtPx
|
||||
fgWHEC48C+JBwe2PxOHAKk12kjQnlLBskQ/6nNgVybL5gJRaZ1P6UDhrTn+EJJtp
|
||||
M1eIk3jNtVbjQ8KNSP1lnFjbPgNO9pJE+xNIp0zYsbrwpjwkkVZHzJZglWuXHbSc
|
||||
io7oSJhZFT2YDchNzGf7iQEcBBMBAgAGBQJR0x56AAoJEGqU0DLQ7yOMILEIAKur
|
||||
up7q0vnQW70u48eR2VStWPubqCAGfut1oCxvm6OjPVhavlAqj96woQsmweiCFgmO
|
||||
L8+WfWW+R/Z5x85ciftHwoTM9pAnLlrUrNZxSI48HP2Uk69ywEqUl2pBs+BvqNwO
|
||||
/Xtf3UJpECBjc5C1zHJA4lpufzVmMbU6IH7j1UtnfWPb5e47qRGOdq0DWGkoP6ER
|
||||
X27AF1meKMWXG+eRfUapRHde6xkhfve7ri1UbgRCIpu1+XBgXXXL6Nc0PVr52n1R
|
||||
4KXrbMhXEr1buV+eh4IAok3rB7SHaUjPF12wsboADK+yyxG3tCUKjupwZwwzVJox
|
||||
V7uXxHQV+/GjtyRAvliJARwEEwECAAYFAlHTJ+MACgkQlZOMlp92uGT4FQf/cdJZ
|
||||
PboYPW5Q6TTw3YHfsnRKwZqIQf4mn9vEWk3yiWUFw4MYp0Ey6nUAeH0SveQmmub1
|
||||
T9/fj+pav5RdYfB02YkmmF+5yU9sTjD9zHQ9+EselIhoULwQDo1eyPS0KQJ5fdEn
|
||||
Z1HpV72+xJt2Q7pQE0RDRW8+Ha6gN7i++lJBcB+ZO5aVjyn75b4FvoslhJIftA0w
|
||||
oxZGyUUksfdZhAl5kUTSLqxKolrWTmr5LfzSO6FU9fJhf85U0hlS97XBdPhpF9lW
|
||||
lp6g4kBUvMYsGbcM6YFs4D/XATywSaUPkbTOrLhqFFwSU9w3FtVvcsbZoqoYIy8V
|
||||
fnxE/gRNUyCWgSjEwokBHAQTAQoABgUCVkpMjwAKCRCSXvugi3bUcNjfB/9q+t2w
|
||||
3mF4KxGsGi4JCB05KpZ4ns8t0DatCx6L2qEXaeJDf85UUtYlaVEdzuLIL1H6HFIt
|
||||
FHMdgiH2sR6x+4P8WSpfMQZ2RpIqrpIVorPBOEEXelyQTKllShU3ndEizAZm5tQm
|
||||
5S4be5BdWzw1dyEncABnbjeiUWVWzRPJi0NWgj16hOeaZv/6L+ORqH/+OT/VDhBV
|
||||
pWw0jKj0aDQK8hcjetYo2RXK3H0dZrqj/nR4XW9ByfxfUvtb1gl3oeOsK/h/r5U4
|
||||
29+8AJU9NtkBS9jTdsezAV+q704uiXqFPDe6fpGp4DUz+z9pWSGrhq2EzCNzTAa/
|
||||
Yi0Tr4CPKwglCxOoiQEcBBABCAAGBQJWitRSAAoJEJzNC13zMNkRgkMH/RA/2Xzq
|
||||
h2KG0uL1BzO3lYKfcZN0a1prnejbkCkssu85gaqfimuzaOEMNrKbkJzZsXgGkOru
|
||||
IoHXGGlBToFxI07K8sc8RKQWQHSfJWuvOJqodC9sPMRCaPw6SPP+GSvkl4DZ8RE0
|
||||
2SvVUUU+gCNMnlJbHM/LdJqIXpOaWLqh28K9FGwbTfiopU0GGYtwRcFSgUTLYiW9
|
||||
HTpr9IiZmnkij6Y/KDy4B2GvKrk757K0eg0NfYsLVFDqfdjfY9pEljhDRJwYNrrp
|
||||
9UIF6uAynXA5AyErL2mBwT25D9ROhrzcTktpIBnoh8P6Sf0kDE9MGoqUymsi4nE7
|
||||
/7u9klo+ZJwx9EuJAT4EEwECACgFAlHTETsCGyMFCQlmAYAGCwkIBwMCBhUIAgkK
|
||||
CwQWAgMBAh4BAheAAAoJECh7CDNTwyQcyHQH/3Hj7L0+ERgwMQQnDV+I+MdE3RyW
|
||||
v8K+XfeflGY5IK9ogp6TjCyLaHM4pJOtjnSBMQw7yhpabNzAJvv+ibNuQoznAcRA
|
||||
823jCW6jyznPeW+eYqlMM0gycPN6CbCVjL6AbEp/hlCt4fQQfXX889I1RW28Uqo7
|
||||
GW2/fNan3qhSG3EEeo70qTpjwkQ1tR9V7YKkUmPfvDKA/7Pdai5eVLQSSuXafTec
|
||||
cOwABWAEQZFzlBizBsn9d3+atNys4l1KZDkEf72QdHCGXBzlqEuGsIgUdCXbig95
|
||||
ZrRZCZOUBHif+EljwhC/KHg4ce0+C3h8YI1SGTYxSdan9/c/1Hphqzgf/GG0OUpv
|
||||
aGFubmVzIEzDtnR6c2NoIDxqb2hhbm5lcy5sb2V0enNjaEBtaXNzaW9uLWxpZmVs
|
||||
aW5lLmRlPokBVAQTAQgAPhYhBJ6mi38hIEl5ZFGC5Ch7CDNTwyQcBQJgPq+zAhsj
|
||||
BQkS327wBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJECh7CDNTwyQco3UIAJI5
|
||||
p4RKLxGhSJCUd0Gkd3fuMC/4ZXa+rM/CcmliLPQjWkHPAhBahIPKekeqoohMtn2R
|
||||
RBIXilUl8qToL+Q6XGrniRKnzcaxl1/B3RQpGocNcypQO1vXErnBi+og0fNtbIIu
|
||||
EJs7Ddg3dUeiAOcwZpqc4zLEE/gloxCFjLj9OhJCX5rdD6kG+CKVKK0oW15kx6+g
|
||||
9+qYDXO49GJGTzzZ1me/QDraiY4FefaA+B6BAs2clffA6s8If9SDeVF6NVAxuoPf
|
||||
i3kHiKM6R9daB3X0JVI0QjI3DkX2sz1KbbtvfT1WC17hQ3pW8uLShchKOuGAo9M0
|
||||
em6f5f6bDKpO1Jf+1Uu5AQ0EUdMROwEIAKN+YDgQxxvMkEfDr9zgzAseb/UgMqU2
|
||||
O95FCLMlGYCMbeCA/8xdM/xvW5Bpo2a2CUMd5t8YqVt6PJ9Txvk8eeOCgBwYf7B/
|
||||
XT0LKPqc90rzLKfWQjJ6rIyrZkt/Jsq7rhWqg63LZvwPxzmSQ1j6HSoPihB8LWFa
|
||||
6VIa9PXKC3RS2VuSzHAHGklvys1/F/LFQR64O8a3n4ubis2locwGoZLL3z+dYHqR
|
||||
AG44Z4RqDLisJloV5iAMIJXrN3ln89BUtZ6WyPq5QgAq0/nMnjnmoEC7cXCK7gBa
|
||||
h6bUCi8YM0bBMbu8y4pAaGGnGXH78DaPqKbW5RMxxmKTt+0CWwrSY+EAEQEAAYkB
|
||||
JQQYAQIADwIbDAUCW0x+9AUJEt9vNAAKCRAoewgzU8MkHKvwB/4yiaiJp9PMttGb
|
||||
CNhtkeURObCQ8L43uLt4U4qPD8fREE2BxamSQgH/rXKoO7IbNS8eXAmZJcQ5lsMy
|
||||
XJ6DJ7AC0T+2jsgSN0EwbgROQ3FuQZna7YL1O14S27X7N0BNJKxapxZXvmgTCS9d
|
||||
4s7Px8pq3+hJQCF7zKKqDqxgjXS5cL7Kk4mmCTVhjpKqxea4u9Rp9/+H9BxLMuDh
|
||||
oCdQ8v+TMuRMYir5+KqIDz764VOsK/kk87FVqo72J856drc8bnlIyHMOHVtXbLRD
|
||||
W5X+d7yX1/TJJXgXdP1l68iUW4U/zBaYMXImRDoFTYTK/+ZvZLp4fahOmUtvJr1o
|
||||
PxlSdJ1X
|
||||
=5tRJ
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -0,0 +1,28 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
xsFNBAAAAAABEACdX34gzRPFhai0+2aXf9WkNGmrv58ZETD5/xSdSbroqXHMBUCg
|
||||
HVU5ByKg6SqHaSu0H5xxvUzAgX3WFGXiVVlGGstB2WIoGMjqlEKzb3EKiwP2ch3Y
|
||||
7KLuapHJIkzLXk0vUDKM12cYqRjQGdwf8JwNxUDcW4hEuOYS2LOTwmcgJmn31g7T
|
||||
QUo8qpSK3cowszkOgCXaAoCptn0lOE618Waa6AQMPWhEhRsC44FpqXAVGqCvoVZD
|
||||
5+ja1tHY+td459nG7rb79ketMAzn7A6nTJg381nJP6aMXrTSvLOcfejRJ/epld4j
|
||||
/C8/H19abCBkJ1aA5ERp1RckjZlzHeLVp6pvUPr9SCkkz720FoqNHYTSE83/ag0y
|
||||
YmMg1nje2zy1ntPGbjXoBzZFfq5k721NW0rjsv0ZxgtDr4IjOEBpGf93aoCmaun7
|
||||
7EjgwJSta7RmOrbIkPzVYWQiT1Xhc2R/KpLxc327W88pK14Q4WQeZds+2PDNCojD
|
||||
g5AW3HRpEy9ExSwONVRGa8Oq41yumAWKIJdfN0VSKiDiciF2l6ONi7B7ygmZoa5q
|
||||
Po836CwXysTDDpbPmASqSGyQ+i5DlztrxFv5Lh/aRv625Sg1A67l953kDEXQpxv+
|
||||
zBemaRLOCsSsVKt7D5melw0rhNDRxPbssB61OVGyetbKTqhiYvdjfJvMaQARAQAB
|
||||
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
|
||||
AQgAFgUCAAAAAAkQ/dqStVkcOycCGw8CGQEAADAnEAAdGe47mNyQ4DWflOnL9SeS
|
||||
c1J9GdyjMiqDey0QYoB/E01gem9Hu3CUAjUJ/NGxF5qi/BlcbLU4maRM5akUQI/W
|
||||
ejBsZa84pamVY3U9ZxjNDNyA765oADJlBWIrUD52g8T3eeKKwURHTC7ncDTXesAz
|
||||
C6TamaHPy4f7tdvfA8KubD68g9tyy2C4nWBrJyov+FfcMcFRhpQAvFiNXmOYTnTm
|
||||
ylmVGCv9tAtzlmJ02jt3BPeL98EsCIAJ3S1D75Q5wFSuSPhGDLfhGdkHtXAeswLK
|
||||
s+j3+4qHrCkE1NoaLcnHgWt4sKCtAju0eai/LY7AH1CEGJDSbpeEz4uTctK93iKb
|
||||
bz1bvKlgGf3byqUfje5mRLgVWZwKH5m16SuIMBLU4vPUzTY6XTu2QpX6W9cTB5r1
|
||||
/Gpp45sI43fFVkCTZq+qTRogX+j5EElpk5d1wDAEyHTU8EeiqHrJOrrmPrOXJQGr
|
||||
f89lbi+tGbs0XmlT8J0hVr6SxyUjOlQScQcvlZi4+ewrWTDsndGjCLFTzEK0yKRo
|
||||
Q1ZxyE7o+WDgjiKuvaiH4iTyUQ4aCsfGNybQ0885gt1sLzk8aV2e0Ex3f6luH+W7
|
||||
TY+silE/jPHHCW66PoWOc2nIzfMOHXBQjpKr3h9cJ9F5stQfFlpNpPUFjGRayQ5x
|
||||
2oEhzxK1JhulVJ9ojN37nQ==
|
||||
=a4ad
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -0,0 +1,26 @@
|
|||
{
|
||||
"data": "ENC[AES256_GCM,data:m16wyh6ruLGXyVOzcGHLlAfeubguGZL6FpgLyBIxk1iai4KrYoZ5r+y+eSTddg==,iv:FhiZjUwkp019wW7RT6T4AxGqNZ6HFHluAt8/z7r3Oz8=,tag:T1GNuBxuAdq97tm45l05dQ==,type:str]",
|
||||
"sops": {
|
||||
"kms": null,
|
||||
"gcp_kms": null,
|
||||
"azure_kv": null,
|
||||
"hc_vault": null,
|
||||
"age": null,
|
||||
"lastmodified": "2022-03-10T14:53:47Z",
|
||||
"mac": "ENC[AES256_GCM,data:fU70SEXq2Qa9rZvwa6/KrFqecx8bTORySXnKDLlTNIAk/hgjuw8Hevxazpqum074Zh3e7KrpWkmiA02PPoVdMAmNpzL37dTiyzVJoOF3SSq6BXJ1IpnIQtdQl0MZqTbCdRFf96WMq0AXc2TNIPGd1L0Acf3p0AvVJS62kYkkhX4=,iv:96YVf6tJ3qEmz6E0eGcHU3NS+0Ct1TWJoTTER5+c4B8=,tag:7d/GAUe1LE2fEHjZ+6iCVg==,type:str]",
|
||||
"pgp": [
|
||||
{
|
||||
"created_at": "2022-03-10T12:50:11Z",
|
||||
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA/3akrVZHDsnAQ/9FhBUrNeemuywlWRJIE9IgQEz3CTtOyIHluk8Af0RNvdo\naZXd6XTHM+vip25dRKsXhJkVjFvYibwoj35LvIcKISIwJcFlwEO6BWTUeyfuwofB\ny4Ig+4sh6nSzBi0REBu8DNROBHWJfKVtZ2TI+705AP9SnZlKmfgtIrdct3bVpTqk\nnriYjiCRahzCnQ/7JJvOkKDIWbaGiv0NZm4CXpl164DeN3AnKE6Wg45Q8GPgg31I\n1F+GE2kSwD9wgtwlnyYiN/9Ngx09K486CE2/qo3FePNpk5QgFaxTmHnv/1CTvNu0\nZjOab8ENwLn1TPr/uvXUWfTi4j8auk768Q7+bIFG1xp6BQ+hR6/5r4GVsnAyzdE1\ntcjNIAoiXwbcNcsvV0jvjc/VkyPWhOS7rPW6uZ6hT3OEWVo3e9HPe84N5FjmLIPN\nGFGHHxtJXs7CRHLx1vxCEfzKC2UFW6+fyF+hVEzNV0ThDPpSBxiUnzENfTpgEaBF\nmJjlTg4kmvVzDCdlUdkU8ID5pqoHg0xtVUllxB5FFOlNUsBtpLwjb0CaNVXxSbC5\nYJi+SS6JIzw+C+Hg2pBEuxxWDIGWrq8TOxLn4fVWQz2A8Fz1nKjmqwKRSfdBAuia\nq1Pc0LVXZCFd+PeZ0RL/rcN5MPSRwdiyPZTXY2NexU07WZ/YjmFoLSwhiKim9xnS\nUAFpcSXaOUAiqA/s5dWsw4nCLuR8VS1DTBKqovHJOB+lQkYKzNRJ5gWwY77L+M7F\n2ObqQsP+dvMwDY15ZV7YHAHED+K5Xf/4rpPgSExh6Umr\n=EbV6\n-----END PGP MESSAGE-----\n",
|
||||
"fp": "8d7c2caf71c02de02980dba3fdda92b5591c3b27"
|
||||
},
|
||||
{
|
||||
"created_at": "2022-03-10T12:50:11Z",
|
||||
"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA/Z87ylQaotQAQgABf6ptkC0Sqrta+jzY9PJwOEkZRz9arPzpdVCPg9PqrqR\n4F3bFghd1PHoijCNfKCFnDFGwGhH/lxtQvqox+xc83iBc8B+mt8ydDnXBPS3ff5V\n1/obWuG71AIUAZPEHvzs3a3KbQ4lt7hsvSlkfHoAXbRvl/A3Ly8Z7ji7Ql4r2K71\neOARuxATmPKmgjMB1rWsaNkIwiazcr2YXPJJoA284DGOZw6W0Rptv9RFNm9PttC0\nKecwKUVxqR0atTd3bG6+CTTcKH7sSCKhui+LWkX6kWt26cnT2dNxYF83shVojCJ3\nhpj5MHfvbsbPCNzoefrYWE+Gk4qhmwWS5VFTJrqfO9LmAWI/eHwaK/e2uK4xyrqB\nvFFm/BNoK9x17tRDBHo75M/SLkm1Xqg+UW4TpjjjYDH6RYU8n3P2fB15fjy3yVeH\nS+T6o0eFl6hW886pq9Akvmar4mtUYFcA\n=goup\n-----END PGP MESSAGE-----",
|
||||
"fp": "9EA68B7F21204979645182E4287B083353C3241C"
|
||||
}
|
||||
],
|
||||
"unencrypted_suffix": "_unencrypted",
|
||||
"version": "3.7.1"
|
||||
}
|
||||
}
|
|
@ -31,8 +31,8 @@
|
|||
commonModules = [
|
||||
./deployment/modules/nix.nix
|
||||
./deployment/modules/default.nix
|
||||
#sops-nix.nixosModules.sops
|
||||
#./deployment/modules/sops.nix
|
||||
sops-nix.nixosModules.sops
|
||||
./deployment/modules/sops.nix
|
||||
./deployment/modules/dns.nix
|
||||
#./deployment/modules/monitoring/client.nix
|
||||
./deployment/modules/nginx/beherbergung.nix
|
||||
|
|