From f926b4d61ab9fbb2831c52594ed2e523842c1e24 Mon Sep 17 00:00:00 2001 From: William Carroll Date: Sun, 23 Feb 2020 18:55:28 +0000 Subject: Expose secrets to Monzo / YNAB service Here is my first attempt to manage secrets when I deploy onto a NixOS machine. Background: When I develop, I use direnv, which reads an .envrc file in which I define my secrets. My secrets are read from `pass` using a pattern like this... ```shell secret_value="$(pass show path/to/secret)" ``` ...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which asks me for a password to authenticate. This means that when I cd into a directory with an .envrc file using this pattern, I may be prompted by GPG for a password. When I'm not, it's because gpg-agent is still caching my password. This works for development, but I currently do not know how to use direnv for deployments. Here is what I'm using until I find a more convenient solution: - Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets directory and its contents are only readable by root. - Use systemd's Environment and NixOS's builtins.readFile to read the files in /etc/secrets when I can `sudo nixos-rebuild`. Ideally I could call a function like `builtins.readFromPasswordStore` within configuration.nix. This would allow me to skip the step where I run... ```shell > ssh socrates > pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id > pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret > # etc ``` ...I don't know how to manage secrets using NixOS, but at least this is one answer.
---
 nixos/configuration.nix | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'nixos')
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index acca228714b9..f34e15f00495 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -1,6 +1,9 @@
 { pkgs ? import {}, ... }:
-{
+let
+  trimNewline = x: pkgs.lib.removeSuffix "\n" x;
+  readSecret = x: trimNewline (builtins.readFile ("/etc/secrets/" + x));
+in {
   imports = [ ./hardware.nix ];
 
   # Use the systemd-boot EFI boot loader.
@@ -72,13 +75,19 @@
   services.lorri.enable = true;
 
-  # TODO(wpcarro): Expose the Monzo credentials to this job. Currently they're
-  # managed with direnv and pass, which presumably systemd isn't accessing.
   systemd.user.services.monzo-token-server = {
     enable = true;
     description = "Ensure my Monzo access token is valid";
     script = "/home/wpcarro/.nix-profile/bin/token-server";
+    environment = {
+      monzo_client_id = readSecret "monzo-client-id";
+      monzo_client_secret = readSecret "monzo-client-secret";
+      ynab_personal_access_token = readSecret "ynab-personal-access-token";
+      ynab_account_id = readSecret "ynab-account-id";
+      ynab_budget_id = readSecret "ynab-budget-id";
+    };
+
     serviceConfig = {
       WorkingDirectory = "%h/briefcase/monzo_ynab";
       Type = "oneshot";
-- 
cgit 1.4.1
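Review bot: The `environment = { ... readSecret ... }` block in the second hunk undoes the root-only protection on /etc/secrets that the commit message relies on: `builtins.readFile` runs at evaluation time and the returned strings are baked into the generated unit as `Environment=` lines, so the client secret and YNAB token end up in the rendered unit file under /nix/store, which on a NixOS host is readable by every local user, not just root. Because this is a `systemd.user.services` unit, a root-only file could not be read at service start anyway, so the safer shape is to keep the values out of the Nix expression entirely and load them at runtime with `serviceConfig.EnvironmentFile = "/etc/secrets/monzo-ynab.env";` (one `KEY=value` per line, owned by the user the unit runs as, mode 0600), which also lets the `trimNewline`/`readSecret` helpers from the first hunk go. If the values must stay in the evaluation, at least add a comment above `readSecret` such as `# WARNING: the value is copied into the unit file in the world-readable Nix store` so the trade-off is explicit. The `systemd.user.services.monzo-token-server` attribute set continues past the end of the hunk.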