author William Carroll <wpcarro@gmail.com> 2020-02-23T18·55+0000
committer William Carroll <wpcarro@gmail.com> 2020-02-23T19·32+0000
commit f926b4d61ab9fbb2831c52594ed2e523842c1e24 (patch)
tree 7888c9db25df884aef7757118d385b638399c0c6
parent 527b472469acd55f71dee55e22e13a2a24142cea (diff)
Expose secrets to Monzo / YNAB service
Here is my first attempt to manage secrets when I deploy onto a NixOS machine.

Background: When I develop, I use direnv, which reads an .envrc file in which I
define my secrets. My secrets are read from `pass` using a pattern like this...

```shell
secret_value="$(pass show path/to/secret)"
```

...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which
asks me for a password to authenticate. This means that when I cd into a
directory with an .envrc file using this pattern, I may be prompted by GPG for a
password. When I'm not, it's because gpg-agent is still caching my
password. This works for development, but I currently do not know how to use
direnv for deployments.

Here is what I'm using until I find a more convenient solution:
- Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets
  directory and its contents are only readable by root.
- Use systemd's Environment and NixOS's builtins.readFile to read the files in
  /etc/secrets when I can `sudo nixos-rebuild`.

Ideally I could call a function like `builtins.readFromPasswordStore` within
configuration.nix. This would allow me to skip the step where I run...

```shell
> ssh socrates
> pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id
> pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret
> # etc
```

...I don't know how to manage secrets using NixOS, but at least this is one
answer.
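The commit message relies on /etc/secrets and its files being readable only by root, but sets that up by hand with `sudo tee`. The following script is an added example, not part of this commit or the repository: it wraps the same `pass show | sudo ...` workflow so that the directory is created with mode 0700, every secret file is written with mode 0600 (via a subshell `umask 077`, so the file is never world-readable even briefly), and an `audit` subcommand verifies those modes afterwards. The script name `secrets.sh` and the `init`/`write`/`audit` subcommands are assumptions for illustration; `stat -c` is GNU stat, which NixOS ships.

```shell
#!/bin/sh
# Added example (not from the commit): provision a root-only secrets directory
# as described in the commit message, with the permissions enforced by the
# script instead of by hand.
set -eu

# Create DIR with mode 0700 so only its owner can list or enter it.
init_secrets_dir() {
  dir="$1"
  ( umask 077; mkdir -p "$dir" )
  chmod 0700 "$dir"
}

# Write one secret read from stdin into DIR/NAME with mode 0600.
# The subshell umask guarantees a newly created file is 0600 from the start;
# the chmod corrects a pre-existing file that had looser permissions.
write_secret() {
  dir="$1"; name="$2"
  ( umask 077; cat > "$dir/$name" )
  chmod 0600 "$dir/$name"
}

# Audit DIR: succeed only if it is 0700 and every file inside it is 0600.
audit_secrets_dir() {
  dir="$1"
  [ "$(stat -c '%a' "$dir")" = "700" ] || return 1
  for f in "$dir"/*; do
    [ -e "$f" ] || continue          # empty directory: nothing to check
    [ "$(stat -c '%a' "$f")" = "600" ] || return 1
  done
  return 0
}

# Subcommand dispatch (does nothing when the file is sourced without args).
# Usage on the host, matching the commit message's workflow:
#   sudo ./secrets.sh init /etc/secrets
#   pass show finance/monzo/client-id | sudo ./secrets.sh write /etc/secrets monzo-client-id
#   sudo ./secrets.sh audit /etc/secrets && echo "permissions ok"
case "${1:-}" in
  init)  init_secrets_dir "$2" ;;
  write) write_secret "$2" "$3" ;;
  audit) audit_secrets_dir "$2" ;;
esac
```

`pass show` still runs as the unprivileged user, so GPG and gpg-agent behave exactly as in the commit message; only the write into /etc/secrets runs under sudo. The trailing newline that `pass show` emits is kept in the file, which is why the Nix side strips it.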
-rw-r--r-- nixos/configuration.nix | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index acca228714b9..f34e15f00495 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -1,6 +1,9 @@
 { pkgs ? import <nixpkgs> {}, ... }:
 
-{
+let
+  trimNewline = x: pkgs.lib.removeSuffix "\n" x;
+  readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
+in {
   imports = [ ./hardware.nix ];
 
   # Use the systemd-boot EFI boot loader.
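Review bot: `readSecret` in the new `let` block calls `builtins.readFile` on `/etc/secrets/<name>` at evaluation time, so the secret's contents become part of the evaluated configuration and are written into whatever derivation consumes them, which lands in the world-readable `/nix/store`; the root-only permissions on `/etc/secrets` that the commit message relies on therefore do not survive deployment. A comment on `readSecret` stating this trade-off would at least make it visible to the next reader; better, keep secret values out of evaluation altogether and let the service read the files at runtime (see the note on the `environment` hunk).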
@@ -72,13 +75,19 @@
 
   services.lorri.enable = true;
 
-  # TODO(wpcarro): Expose the Monzo credentials to this job. Currently they're
-  # managed with direnv and pass, which presumably systemd isn't accessing.
   systemd.user.services.monzo-token-server = {
     enable = true;
     description = "Ensure my Monzo access token is valid";
     script = "/home/wpcarro/.nix-profile/bin/token-server";
 
+    environment = {
+      monzo_client_id = readSecret "monzo-client-id";
+      monzo_client_secret = readSecret "monzo-client-secret";
+      ynab_personal_access_token = readSecret "ynab-personal-access-token";
+      ynab_account_id = readSecret "ynab-account-id";
+      ynab_budget_id = readSecret "ynab-budget-id";
+    };
+
     serviceConfig = {
       WorkingDirectory = "%h/briefcase/monzo_ynab";
       Type = "oneshot";
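Review bot: the new `environment` attrset embeds all five Monzo and YNAB credentials in the generated `monzo-token-server.service` unit file, which NixOS writes into the world-readable `/nix/store`, so any local account can read them even though `/etc/secrets` itself is root-only. Because this is a `systemd.user` service running as wpcarro, it also cannot read root-only files itself, so the cleaner option is to drop `environment` and the `readSecret` helper and set `serviceConfig.EnvironmentFile` to a file owned by wpcarro with mode 0600 containing one `monzo_client_id=...` line per variable; the values then never enter the store and the removed TODO comment's concern is addressed without the leak.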