minio + kes for server-side encryption
This commit is contained in:
parent
a75bd96aeb
commit
4f103c910e
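--- a/modules/minio-kes.nix
+++ b/modules/minio-kes.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.kes;
+format = pkgs.formats.yaml { };
+configFile = format.generate "config.yaml" cfg.settings;
+port = strings.toInt (lists.last (strings.splitString ":" cfg.settings.address));
+in
+{
+options.services.kes = {
+enable = mkEnableOption (mdDoc "Minio's Key Managament Server");
+package = mkOption {
+type = types.package;
+description = mdDoc "Which package to use for the kes instance.";
+default = pkgs.minio-kes;
+};
+environmentFile = mkOption {
+type = with types; nullOr str;
+default = null;
+description = lib.mdDoc ''
+File in the format of an EnvironmentFile as described by systemd.exec(5).
+'';
+};
+settings = mkOption {
+type = format.type;
+default = { address = "0.0.0.0:7373"; };
+example = literalExpression ''
+{
+address = "0.0.0.0:7373";
+cache = {
+expiry = {
+any = "5m0s";
+unused = "20s";
+};
+};
+}
+'';
+description = mdDoc ''
+KES Configuration.
+Refer to <https://github.com/minio/kes/blob/master/server-config.yaml>
+for details on supported values.
+'';
+};
+};
+config = mkIf cfg.enable {
+systemd.services.kes = {
+description = "KES";
+wantedBy = [ "multi-user.target" ];
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+path = [ cfg.package ];
+serviceConfig = {
+Type = "simple";
+Restart = "always";
+ExecStart = "${cfg.package}/bin/kes server --config ${configFile}";
+User = "kes";
+Group = "kes";
+# WorkingDirectory = "/etc/kes";
+
+AmbientCapabilities = mkIf (port < 1024) ["CAP_NET_BIND_SERVICE"];
+LimitNOFILE = 65536;
+ProtectProc = "invisible";
+SendSIGKILL = "no";
+TasksMax = "infinity";
+TimeoutStopSec = "infinity";
+} // optionalAttrs (cfg.environmentFile != null) {
+EnvironmentFile = cfg.environmentFile;
+};
+};
+
+environment.systemPackages = [ cfg.package ];
+
+users.groups.kes = { };
+users.users.kes = {
+description = "KES user";
+group = "kes";
+isSystemUser = true;
+};
+};
+}
+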
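Review bot: The `settings` option description does not mention that `configFile` is rendered into the Nix store, which is world-readable, so any credential written into `settings` becomes visible to every local user; the module already offers `environmentFile` for that purpose and KES expands environment references in its config, but the option text should say so, e.g. add the sentence "The generated config.yaml is stored in the world-readable Nix store; keep credentials in environmentFile and reference them as ''${VAR} here." to the `settings` description. The unit hardens nothing beyond `ProtectProc`; with a dedicated system user and no state directory declared, `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; NoNewPrivileges = true;` is probably safe, though that depends on where the deployment's TLS key and environment file live. `port` is derived by splitting `cfg.settings.address` on `:` and converting the last piece, so an address without a port or a bare IPv6 literal fails inside `strings.toInt` with an unhelpful message; an `assertions` entry naming `services.kes.settings.address` would be clearer. `Managament` in the `enable` description is a typo for `Management`.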
@ -1,10 +1,26 @@
|
||||
{ config, lib, pkgs, inputs, ... }: {
|
||||
sops.secrets.minio-credentials = {
|
||||
{ config, lib, inputs, ... }:
|
||||
let
|
||||
minio-secret = {
|
||||
owner = "minio";
|
||||
mode = "0400";
|
||||
sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
|
||||
restartUnits = [ "minio.service" ];
|
||||
};
|
||||
kes-secret = {
|
||||
owner = "kes";
|
||||
mode = "0400";
|
||||
sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
|
||||
restartUnits = [ "kes.service" ];
|
||||
};
|
||||
in {
|
||||
sops.secrets.minio-credentials = minio-secret;
|
||||
sops.secrets.kes-vault-env = kes-secret;
|
||||
sops.secrets.kes-key = kes-secret;
|
||||
sops.secrets.kes-cert = kes-secret // {
|
||||
group = "minio";
|
||||
mode = "0440";
|
||||
restartUnits = [ "kes.service" "minio.service" ];
|
||||
};
|
||||
|
||||
services.minio = {
|
||||
enable = true;
|
||||
@ -26,29 +42,73 @@
|
||||
MINIO_IDENTITY_OPENID_REDIRECT_URI =
|
||||
"https://s3.ataraxiadev.com/ui/oauth_callback";
|
||||
MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
|
||||
# KMS
|
||||
MINIO_KMS_KES_ENDPOINT = "https://${config.services.kes.settings.address}";
|
||||
MINIO_KMS_KES_CAPATH = config.sops.secrets.kes-cert.path;
|
||||
MINIO_KMS_KES_KEY_NAME = "minio-default-key";
|
||||
MINIO_KMS_KES_ENCLAVE = "minio-hypervisor";
|
||||
};
|
||||
};
|
||||
systemd.services.minio.after =
|
||||
lib.mkIf config.services.authentik.enable [
|
||||
"authentik-server.service"
|
||||
"authentik-worker.service"
|
||||
"nginx.service"
|
||||
"kes.service"
|
||||
];
|
||||
|
||||
services.kes = {
|
||||
enable = true;
|
||||
environmentFile = config.sops.secrets.kes-vault-env.path;
|
||||
settings = {
|
||||
address = "127.0.0.1:7373";
|
||||
admin.identity = "disabled";
|
||||
tls = {
|
||||
key = config.sops.secrets.kes-key.path;
|
||||
cert = config.sops.secrets.kes-cert.path;
|
||||
};
|
||||
policy.minio = {
|
||||
allow = [
|
||||
"/v1/key/create/minio-*"
|
||||
"/v1/key/generate/minio-*"
|
||||
"/v1/key/decrypt/minio-*"
|
||||
"/v1/key/bulk/decrypt"
|
||||
"/v1/key/list/*"
|
||||
"/v1/status"
|
||||
"/v1/metrics"
|
||||
"/v1/log/audit"
|
||||
"/v1/log/errot"
|
||||
];
|
||||
identities = [
|
||||
"d76b126754bd382de969e18ab71c3ba3fe1fdf9bb89927b3f16e08ebae07d242"
|
||||
];
|
||||
};
|
||||
keystore.vault = {
|
||||
endpoint = "http://${config.services.vault.address}";
|
||||
engine = "kv/";
|
||||
version = "v1";
|
||||
approle = {
|
||||
id = ''''${KES_APPROLE_ID}'';
|
||||
secret = ''''${KES_APPROLE_SECRET}'';
|
||||
retry = "15s";
|
||||
};
|
||||
status.ping = "10s";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.kes.after = [ "vault.service" "vault-unseal.service" ];
|
||||
|
||||
# Sync local minio buckets to remote s3 storage
|
||||
sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml;
|
||||
backups.rclone-sync.minio = {
|
||||
rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path;
|
||||
syncTargets =
|
||||
let buckets = [ "authentik-media" "obsidian" "ocis" "outline" ];
|
||||
in map (bucket: {
|
||||
let buckets = [
|
||||
"authentik-media" "ocis" "outline"
|
||||
"obsidian-ataraxia" "obsidian-doste" "obsidian-kpoxa"
|
||||
]; in map (bucket: {
|
||||
source = "minio:${bucket}";
|
||||
target = "idrive:${bucket}-backup";
|
||||
target = "idrive:minio-${bucket}";
|
||||
}) buckets;
|
||||
};
|
||||
|
||||
systemd.services.ocis-server.after =
|
||||
lib.mkIf config.services.authentik.enable [
|
||||
"authentik-server.service"
|
||||
"authentik-worker.service"
|
||||
"nginx.service"
|
||||
];
|
||||
|
||||
# persist.state.directories = config.services.minio.dataDir ++ [
|
||||
# config.services.minio.configDir
|
||||
# ];
|
||||
}
|
||||
|
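Review bot: `"/v1/log/errot"` in the `policy.minio.allow` list of the second hunk looks like a typo for `"/v1/log/error"`; KES treats it as an unrelated path, so MinIO silently lacks that permission. In the same hunk `keystore.vault.endpoint` uses `http://`, so the AppRole id and secret expanded from the environment file and the keys fetched from the KV engine cross that connection in clear; that is only acceptable if `config.services.vault.address` is a loopback address, which this hunk does not show. The `"kes.service"` ordering is added inside the `lib.mkIf config.services.authentik.enable` list, so with Authentik disabled MinIO is not ordered after KES at all; `systemd.services.minio.after = [ "kes.service" ] ++ lib.optionals config.services.authentik.enable [ ... ];` keeps the KMS dependency unconditional. Note also that `after` without `wants`/`requires` only orders; if KES must be running whenever MinIO starts, `systemd.services.minio.wants = [ "kes.service" ];` expresses that.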
@ -1,12 +1,21 @@
|
||||
minio-credentials: ENC[AES256_GCM,data:yK/skw8GkY6rlhfIYHKoHV4+pBMHkLtXtwG8hQMVit6SQtcC74T7tQOnwe/AU79xKZAL9Bpvn1vBurBAVmsBiyPWNZVvkuWWT1033LkE9lApwwb6HaF4PAqPgiCvXwc0svPKPaFp+Kfyc07+I6KhKuL2tQLKWtZLIVhwEltSsQME/X1f2pAfJMxd/JfiZYd9kpv2JNN5PGPtDNCddsqHg8x5xJfVS3rCDe3LCiIZliKHOHD0D+EpFpnCrdR5GLH67LCwNT/1ZHjOntWoTVHDFMzWYW+bahE+HQp/C+462NmDTFFqT3cfh+c+hArADVAwIrgPNo5jbPkbkSFYhhC9kyWmCwasgtb1Pw+/66wNJWIrZ2lQWIFsV73NmNPv3qsuXJ/Iw4fRXzy8x0FY8fXhdIUOlpBmZINiGmwPEVGLRv+Fym6RGOsKWSqx3q9vgT3hA0AU6bh1,iv:PBXOkdagtbApkWY/dM4cH61lfJtsk+PbVeeGmSvnNzs=,tag:CqhqHbNxGNItLfQTrXEc4w==,type:str]
|
||||
minio-credentials: ENC[AES256_GCM,data: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,iv:RVvj6dBIc/Oe2qjuF7iIKsUvAqYyx9WbLOBvny5Uqac=,tag:fhQG+CAWw43BKzrbff6b+A==,type:str]
|
||||
kes-vault-env: ENC[AES256_GCM,data:PiHL6k29G7Ci7bWQfPQZW8E8lPP3RU8eXFYc6JM1uLPj7rhO9qdz1Q/EdxxFpkPBwzXKGJtcNW1jNM4oiGO29ONOIsk4GNIMqbvmv4TU9/jPaXhR3UPdEChw9xvaLmTnHinRVWtHHHVZ1X0=,iv:eLV1Wxh8pDJzvHylkpEkNQJD5uoDNNbJQGdTFT6m2zs=,tag:i/f+ZlItVPUimfWJKmhEBQ==,type:str]
|
||||
kes-vault-approle-id: ENC[AES256_GCM,data:bKjEKJDT+i/SZh8q9CpW/5N63gvMPAK884FD2ZcDB/IHSbkV,iv:sKFMub4+4JGHodb518y1ysaevCiSE+UQTMahUQAJo+I=,tag:cH7jlkt6GsUhy1yXoKE0GA==,type:str]
|
||||
kes-vault-approle-secret: ENC[AES256_GCM,data:9idFvJnsTSAvUEbsyelqv7bRev8p+veFDe7LEI/4wHbDE+F2,iv:6JABa/k0zaLUkRhI/Ag690CIcYqalXjeGUWFXBEaTao=,tag:iXIpWQRHJt5oAGcUF3MlmQ==,type:str]
|
||||
minio-kes-api-key: ENC[AES256_GCM,data:lSZdYv/MYMVgNE4Pe+fftTQg06lgczKSXj8DJpWfbHHQCDoDtuzBdTnau87QN59xqRXG,iv:0X4CC3dBbBPyq/kQpFlveaqZYQfSbVlxvGavHStwCB4=,tag:m8jWGL5wfcOP91gu4SIgsg==,type:str]
|
||||
kes-api-key: ENC[AES256_GCM,data:RSj/mTGjPe3di/xqZvko4CTynB66AyUhdGzHm/sacgl0+2kHejd1NvGEd+G7UehqUvcq,iv:UQvlGP9dwEK5r82anaTzSJW12+BD8bmKBy3XhJP2JaU=,tag:ipKsmtQhIYZy2K0WBgpyWw==,type:str]
|
||||
minio-kes-cert: ENC[AES256_GCM,data:o84eMtsgxp3ClR4Dkh1j5sHPUirkPKDy0tZCiqvLZV3N5/8M3erfECtK7Mv7nFQgvkYyk9/SfSy7i34iUckilHnkZytH8iBKDK6krJanntJFf/C1ntmraWvPb0mmCm+MNzNq+/0kYXt/LzxGpoCdjk2xspmQbSVU1qeiWBSuFIwoMg9EMwurkwp6DQZJgZfatyZgkrFud7sq7BviD8dBQ+3ybJUBuAfU6ITOHSlVVxu32J1OcCJDbA8BPxw3WOhK9/XWfnKdHxOEHPp2HM8kK5xGcWsawadAaHy9OD+RrDYLuF6UaGFtb+8FRDn/oq04+hQa0v7AWiDssvcgg2XyflLHQUfN9aRYm/iZrFIEzTa/goxSfUhYZ73g+irf5/dd0RSpOCwqEe9Vsd0TDa6ENbTPR9IHaeUDF+ro1+LaSQLR3SBc0fiH3TP+mFKPor2vX9T20wqwlD+3x+j/bipyZbP1iO0u4DS8p5+tBJ/e655HWbWShFgovThNik9EDNRKZOTjh+HdVkGpoVSupc5jPTOo6ucLeUq0QWuEcH0Lm8YP7/vWAjJ/JQMc558J7qe3d6MDge6QfwZxcdARvu0DCTY2NjxNI/aFMIoGtuv4sKEKk8Gqe1WdYnoqNPQW5UkysJ/6xP38N5nrCPdUL8EWPLf+Zns/X6Hk,iv:FelsEzmNCaYplIhk78FoPXduC5UW5kRNlFlStEEH06o=,tag:aEfdYmjAD0cvOteQlk/I3w==,type:str]
|
||||
minio-kes-key: ENC[AES256_GCM,data:1h4AdQ4L9bOfkAfKQz4qfO8M6qe5vXOpZnBzpCYUfNJQefCM3dDJwbYmE87jh8UWqX6iM0hdE7YuBll21oflu7d5HAWMRWEuYp1ApiAcWaRYZ6/MsonPv51bboiJFplPcPmLen48kpQ5AcbQddhgzrD99WX9Pg==,iv:7kZrAD2ty0v7Iq9bKtIkHViDz1f35Qvji5cI6ow8FVQ=,tag:lqEMjq2qIBHDLT7LSpdwcA==,type:str]
|
||||
kes-cert: ENC[AES256_GCM,data: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,iv:CwacuLmfX/cj7wC6AaAj7sny3Ywrx+RVkKqDZv6OheM=,tag:iIh1StrhkveyX0Ccjuh14g==,type:str]
|
||||
kes-key: ENC[AES256_GCM,data:D4I0gPI1e4cDS+E3xvIoBbk5HXvkqh7t6pIRztOPptkUuu9WG9R3HjOJb4qqUtAQGwX2oNs0lxwnopBWps48SFh3bIwPVlPJ9JrMhWrTs7q7GNYaUTxsH7rFU7j/GKvsd52YL9UHee9GPSo4JdmdvfGm2EJLSg==,iv:lCNaOi1uEFzYnDD+w8SKGVUGUsiOhRUjUGQ5R2Aw+W0=,tag:rNeHNUV14sCeYOvClzng3A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2024-01-20T18:53:33Z"
|
||||
mac: ENC[AES256_GCM,data:KnuQeJpvts2n53WRRsPOeSJLVPu5D/aTiqcbmB+zzWGxAmRRJz+Nx2iPPAy3Soz1Plg9LlcAW0P42wQ392qlxwq0SYPceJ6wxllnqOURoPF4hHTfvkPmJoQjgt782tunDvzKP8EsBb3GQwpwG7yPkFSCU4NpZc1hQsuFlWxjfJw=,iv:YVJLsTMBRmmuSXV5IHLxNysKIQqwN5P4D5qINrQwieY=,tag:+Z1Rj5JJilHqkR6M0i7aGQ==,type:str]
|
||||
lastmodified: "2024-01-27T13:31:03Z"
|
||||
mac: ENC[AES256_GCM,data:jOoYhT0lGWkfv8KaV1sTVLDa//v7fhGX6U8TZbl1fBwsqjAds2wgac0XlrsHTtXvI4IbdzQCt3+czfUP4n6xHssRZCAP/Hjqp6NjXcHKY1P3/k/CPnRElb8DizjGJyhuDDRW7gokrxK6XEEvE/y4muI+tBy4/DP2dz6wflgC16g=,iv:StiAgxMmAHb5V6gb24Lz6f+DIhxSozWxmP8RD9wgoNg=,tag:On+Tu3KFxuTLBcdGQCyFDg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-20T17:06:10Z"
|
||||
enc: |-
|
||||
|