Files
Gebos/nix/modules/gebos-secrets.nix
T
Lars Nolden 4f9c6086bd hivemq setup
2026-06-26 18:36:44 +02:00

167 lines
6.1 KiB
Nix

{ config, lib, pkgs, ... }:
let
cfg = config.services.gebos.secrets;
secretsFile = ../secrets/secrets.yaml;
hasSecrets = builtins.pathExists secretsFile;
# Map from logical group → list of secret keys in secrets.yaml.
# Keys are flat (e.g. "supabase_jwt_secret") so .sops.yaml regex rules can
# filter per-host without nested-path footguns.
supabaseKeys = [
"supabase_postgres_password"
"supabase_jwt_secret"
"supabase_anon_key"
"supabase_service_role_key"
"supabase_dashboard_password"
];
ingesterKeys = [ "ingester_postgres_password" ];
postgresAdminKeys = [ "postgres_admin_password" ];
hivemqKeys = [ "hivemq_ingester_password" "hivemq_admin_password" ];
# HiveMQ file-RBAC credentials.xml. Only the passwords are secret; the role/
# topic policy is structural. `ingester` may subscribe to the whole telemetry
# tree (t/<tenant>/d/<device>/<metric>); `admin` is an operational superuser.
hivemqCredentialsXml = ingesterPassword: adminPassword: ''
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<file-rbac>
<users>
<user>
<name>ingester</name>
<password>${ingesterPassword}</password>
<roles><id>ingest</id></roles>
</user>
<user>
<name>admin</name>
<password>${adminPassword}</password>
<roles><id>superuser</id></roles>
</user>
</users>
<roles>
<role>
<id>ingest</id>
<permissions>
<permission>
<topic>t/#</topic>
<activity>SUBSCRIBE</activity>
</permission>
</permissions>
</role>
<role>
<id>superuser</id>
<permissions>
<permission><topic>#</topic></permission>
</permissions>
</role>
</roles>
</file-rbac>
'';
# Render an env file body from a list of (key, envVarName) pairs.
envBody = pairs: lib.concatStringsSep "\n" (map
({ key, var }: "${var}=${config.sops.placeholder.${key}}")
pairs);
enabledPairs =
lib.optionals cfg.supabase [
{ key = "supabase_postgres_password"; var = "POSTGRES_PASSWORD"; }
{ key = "supabase_jwt_secret"; var = "JWT_SECRET"; }
{ key = "supabase_anon_key"; var = "ANON_KEY"; }
{ key = "supabase_service_role_key"; var = "SERVICE_ROLE_KEY"; }
{ key = "supabase_dashboard_password"; var = "DASHBOARD_PASSWORD"; }
]
++ lib.optionals cfg.ingester [
{ key = "ingester_postgres_password"; var = "GEBOS_POSTGRES_PASSWORD"; }
]
++ lib.optionals cfg.postgresAdmin [
{ key = "postgres_admin_password"; var = "POSTGRES_ADMIN_PASSWORD"; }
];
enabledKeys =
lib.optionals cfg.supabase supabaseKeys
++ lib.optionals cfg.ingester ingesterKeys
++ lib.optionals cfg.postgresAdmin postgresAdminKeys
++ lib.optionals cfg.hivemq hivemqKeys;
in
{
options.services.gebos.secrets = {
supabase = lib.mkEnableOption ''
Supabase compose stack secrets: POSTGRES_PASSWORD, JWT_SECRET, ANON_KEY,
SERVICE_ROLE_KEY, DASHBOARD_PASSWORD.'';
ingester = lib.mkEnableOption ''
Ingester DB password: GEBOS_POSTGRES_PASSWORD (for the gebos_ingest role).'';
postgresAdmin = lib.mkEnableOption ''
Postgres bootstrap admin password applied via a one-shot ALTER ROLE unit.'';
hivemq = lib.mkEnableOption ''
HiveMQ file-RBAC credentials.xml (ingester + admin MQTT users), rendered
0400/gebos-hivemq for the broker's file-RBAC extension.'';
hivemqCredentialsFile = lib.mkOption {
type = lib.types.path;
readOnly = true;
description = ''
Path of the rendered HiveMQ file-RBAC credentials.xml consumed by the
gebos-hivemq broker. Resolves to the sops-templated secret when sops
material is present and the hivemq toggle is on, else to a baked-in
dev-defaults file (so first-boot eval and local VMs work).
'';
default =
if hasSecrets && cfg.hivemq
then config.sops.templates."hivemq-credentials".path
else "${pkgs.writeText "hivemq-credentials-dev.xml"
(hivemqCredentialsXml "dev-ingester" "dev-admin")}";
};
envFile = lib.mkOption {
type = lib.types.path;
readOnly = true;
description = ''
Path of the rendered env file consumed by service units' EnvironmentFile=.
Resolves to the sops-templated file under /run/secrets when sops material
is present, or to a baked-in dev-defaults file otherwise (so first-boot
eval and local NixOS VMs work without any secrets bootstrap).
'';
default =
if hasSecrets
then config.sops.templates."gebos-env".path
else "${pkgs.writeText "gebos-env-dev-defaults" (
# Dev fallback. Never used in prod — overridden once secrets.yaml exists.
lib.concatStringsSep "\n" (map ({ var, ... }: "${var}=dev-${var}") enabledPairs)
)}";
};
};
config = lib.mkIf hasSecrets {
sops = {
defaultSopsFile = secretsFile;
# Derive each host's age identity from its existing ssh host key.
# No extra key material to provision — ssh-to-age handles conversion.
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = lib.listToAttrs (map
(key: { name = key; value = { }; })
enabledKeys);
templates."gebos-env" = lib.mkIf (enabledPairs != []) {
content = envBody enabledPairs;
mode = "0400";
owner = "root";
};
# Rendered as a standalone file (not env) — the file-RBAC extension reads
# credentials.xml directly. Owned by the broker user so preStart can link
# it into the extension's conf/ dir.
templates."hivemq-credentials" = lib.mkIf cfg.hivemq {
content = hivemqCredentialsXml
config.sops.placeholder.hivemq_ingester_password
config.sops.placeholder.hivemq_admin_password;
mode = "0400";
owner = "gebos-hivemq";
};
};
};
}