AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

minio + kes for server-side encryption

Browse Source
This commit is contained in:
Dmitriy Kholkin 2024-01-27 18:02:15 +03:00
parent a75bd96aeb
commit 4f103c910e
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
3 changed files with 168 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
modules/minio-kes.nix Normal file
View File

@ -0,0 +1,80 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.kes;
format = pkgs.formats.yaml { };
configFile = format.generate "config.yaml" cfg.settings;
port = strings.toInt (lists.last (strings.splitString ":" cfg.settings.address));
in
{
options.services.kes = {
enable = mkEnableOption (mdDoc "Minio's Key Managament Server");
package = mkOption {
type = types.package;
description = mdDoc "Which package to use for the kes instance.";
default = pkgs.minio-kes;
};
environmentFile = mkOption {
type = with types; nullOr str;
default = null;
description = lib.mdDoc ''
File in the format of an EnvironmentFile as described by systemd.exec(5).
'';
};
settings = mkOption {
type = format.type;
default = { address = "0.0.0.0:7373"; };
example = literalExpression ''
{
address = "0.0.0.0:7373";
cache = {
expiry = {
any = "5m0s";
unused = "20s";
};
};
}
'';
description = mdDoc ''
KES Configuration.
Refer to <https://github.com/minio/kes/blob/master/server-config.yaml>
for details on supported values.
'';
};
};
config = mkIf cfg.enable {
systemd.services.kes = {
description = "KES";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [ cfg.package ];
serviceConfig = {
Type = "simple";
Restart = "always";
ExecStart = "${cfg.package}/bin/kes server --config ${configFile}";
User = "kes";
Group = "kes";
# WorkingDirectory = "/etc/kes";
AmbientCapabilities = mkIf (port < 1024) ["CAP_NET_BIND_SERVICE"];
LimitNOFILE = 65536;
ProtectProc = "invisible";
SendSIGKILL = "no";
TasksMax = "infinity";
TimeoutStopSec = "infinity";
} // optionalAttrs (cfg.environmentFile != null) {
EnvironmentFile = cfg.environmentFile;
};
};
environment.systemPackages = [ cfg.package ];
users.groups.kes = { };
users.users.kes = {
description = "KES user";
group = "kes";
isSystemUser = true;
};
};
}

92
profiles/servers/minio.nix
View File

@ -1,10 +1,26 @@
{ config, lib, pkgs, inputs, ... }: { { config, lib, inputs, ... }:
sops.secrets.minio-credentials = { let
minio-secret = {
owner = "minio"; owner = "minio";
mode = "0400"; mode = "0400";
sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml; sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
restartUnits = [ "minio.service" ]; restartUnits = [ "minio.service" ];
}; };
kes-secret = {
owner = "kes";
mode = "0400";
sopsFile = inputs.self.secretsDir + /home-hypervisor/minio.yaml;
restartUnits = [ "kes.service" ];
};
in {
sops.secrets.minio-credentials = minio-secret;
sops.secrets.kes-vault-env = kes-secret;
sops.secrets.kes-key = kes-secret;
sops.secrets.kes-cert = kes-secret // {
group = "minio";
mode = "0440";
restartUnits = [ "kes.service" "minio.service" ];
};
services.minio = { services.minio = {
enable = true; enable = true;
@ -26,29 +42,73 @@
MINIO_IDENTITY_OPENID_REDIRECT_URI = MINIO_IDENTITY_OPENID_REDIRECT_URI =
"https://s3.ataraxiadev.com/ui/oauth_callback"; "https://s3.ataraxiadev.com/ui/oauth_callback";
MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio"; MINIO_IDENTITY_OPENID_SCOPES = "openid,profile,email,minio";
# KMS
MINIO_KMS_KES_ENDPOINT = "https://${config.services.kes.settings.address}";
MINIO_KMS_KES_CAPATH = config.sops.secrets.kes-cert.path;
MINIO_KMS_KES_KEY_NAME = "minio-default-key";
MINIO_KMS_KES_ENCLAVE = "minio-hypervisor";
}; };
}; };
systemd.services.minio.after =
lib.mkIf config.services.authentik.enable [
"authentik-server.service"
"authentik-worker.service"
"nginx.service"
"kes.service"
];
services.kes = {
enable = true;
environmentFile = config.sops.secrets.kes-vault-env.path;
settings = {
address = "127.0.0.1:7373";
admin.identity = "disabled";
tls = {
key = config.sops.secrets.kes-key.path;
cert = config.sops.secrets.kes-cert.path;
};
policy.minio = {
allow = [
"/v1/key/create/minio-*"
"/v1/key/generate/minio-*"
"/v1/key/decrypt/minio-*"
"/v1/key/bulk/decrypt"
"/v1/key/list/*"
"/v1/status"
"/v1/metrics"
"/v1/log/audit"
"/v1/log/errot"
];
identities = [
"d76b126754bd382de969e18ab71c3ba3fe1fdf9bb89927b3f16e08ebae07d242"
];
};
keystore.vault = {
endpoint = "http://${config.services.vault.address}";
engine = "kv/";
version = "v1";
approle = {
id = ''''${KES_APPROLE_ID}'';
secret = ''''${KES_APPROLE_SECRET}'';
retry = "15s";
};
status.ping = "10s";
};
};
};
systemd.services.kes.after = [ "vault.service" "vault-unseal.service" ];
# Sync local minio buckets to remote s3 storage # Sync local minio buckets to remote s3 storage
sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml; sops.secrets.rclone-s3-sync.sopsFile = inputs.self.secretsDir + /rustic.yaml;
backups.rclone-sync.minio = { backups.rclone-sync.minio = {
rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path; rcloneConfigFile = config.sops.secrets.rclone-s3-sync.path;
syncTargets = syncTargets =
let buckets = [ "authentik-media" "obsidian" "ocis" "outline" ]; let buckets = [
in map (bucket: { "authentik-media" "ocis" "outline"
"obsidian-ataraxia" "obsidian-doste" "obsidian-kpoxa"
]; in map (bucket: {
source = "minio:${bucket}"; source = "minio:${bucket}";
target = "idrive:${bucket}-backup"; target = "idrive:minio-${bucket}";
}) buckets; }) buckets;
}; };
systemd.services.ocis-server.after =
lib.mkIf config.services.authentik.enable [
"authentik-server.service"
"authentik-worker.service"
"nginx.service"
];
# persist.state.directories = config.services.minio.dataDir ++ [
# config.services.minio.configDir
# ];
} }

15
secrets/home-hypervisor/minio.yaml
View File

@ -1,12 +1,21 @@
minio-credentials: ENC[AES256_GCM,data:yK/skw8GkY6rlhfIYHKoHV4+pBMHkLtXtwG8hQMVit6SQtcC74T7tQOnwe/AU79xKZAL9Bpvn1vBurBAVmsBiyPWNZVvkuWWT1033LkE9lApwwb6HaF4PAqPgiCvXwc0svPKPaFp+Kfyc07+I6KhKuL2tQLKWtZLIVhwEltSsQME/X1f2pAfJMxd/JfiZYd9kpv2JNN5PGPtDNCddsqHg8x5xJfVS3rCDe3LCiIZliKHOHD0D+EpFpnCrdR5GLH67LCwNT/1ZHjOntWoTVHDFMzWYW+bahE+HQp/C+462NmDTFFqT3cfh+c+hArADVAwIrgPNo5jbPkbkSFYhhC9kyWmCwasgtb1Pw+/66wNJWIrZ2lQWIFsV73NmNPv3qsuXJ/Iw4fRXzy8x0FY8fXhdIUOlpBmZINiGmwPEVGLRv+Fym6RGOsKWSqx3q9vgT3hA0AU6bh1,iv:PBXOkdagtbApkWY/dM4cH61lfJtsk+PbVeeGmSvnNzs=,tag:CqhqHbNxGNItLfQTrXEc4w==,type:str] minio-credentials: ENC[AES256_GCM,data:ZSlcb56ikNhHpdE56LabmhJcRVZcnEPEFjUhA2zrnc14lqdyXNk4uvNy52RVfrODm6jvD8BwWwcYwCy7gvv/gHbySE8At/PGXyHHz208RlgKAGMqWqYAPnGH3ASiW4yn5bdU6PFz13RVdqER9rTT43J9Rj99DMaJlc7t/9/KrEUDNwkRvJs7DLvTwXEom+Q3W936hlyFRAqpLrwbFNpQKgSOiwsOA0eTGGKh+4ZQjU0Qsu75TIR581hj0cyBZ+3aBN3NdwC7x13p1WZTlNAdpnMcdGSTa5fb9cWhyXxzvh9rqrmXNiUXwnTnMjv0cADnZ8p3Ou2+nV5YFbIChlFA0qynBvBgq5OEs39yF2ikaitOytpILkhQYPaR6bczQJ2tCm/r759S1jtXz2EMiOaAJ/TptJx6eV06ICVpBFenw8/PoxcCM8oUwM7cvQZVRSSj3j0pVE/OtvC9IG47XR719pSyIQCv3w32U7lIk4ivrEGNlzCR/Ue8VxaJFHfBP3arougZsiinmAc2qHKXdu0CEkIogazzIfuYbPNl21o+kBA=,iv:RVvj6dBIc/Oe2qjuF7iIKsUvAqYyx9WbLOBvny5Uqac=,tag:fhQG+CAWw43BKzrbff6b+A==,type:str]
kes-vault-env: ENC[AES256_GCM,data:PiHL6k29G7Ci7bWQfPQZW8E8lPP3RU8eXFYc6JM1uLPj7rhO9qdz1Q/EdxxFpkPBwzXKGJtcNW1jNM4oiGO29ONOIsk4GNIMqbvmv4TU9/jPaXhR3UPdEChw9xvaLmTnHinRVWtHHHVZ1X0=,iv:eLV1Wxh8pDJzvHylkpEkNQJD5uoDNNbJQGdTFT6m2zs=,tag:i/f+ZlItVPUimfWJKmhEBQ==,type:str]
kes-vault-approle-id: ENC[AES256_GCM,data:bKjEKJDT+i/SZh8q9CpW/5N63gvMPAK884FD2ZcDB/IHSbkV,iv:sKFMub4+4JGHodb518y1ysaevCiSE+UQTMahUQAJo+I=,tag:cH7jlkt6GsUhy1yXoKE0GA==,type:str]
kes-vault-approle-secret: ENC[AES256_GCM,data:9idFvJnsTSAvUEbsyelqv7bRev8p+veFDe7LEI/4wHbDE+F2,iv:6JABa/k0zaLUkRhI/Ag690CIcYqalXjeGUWFXBEaTao=,tag:iXIpWQRHJt5oAGcUF3MlmQ==,type:str]
minio-kes-api-key: ENC[AES256_GCM,data:lSZdYv/MYMVgNE4Pe+fftTQg06lgczKSXj8DJpWfbHHQCDoDtuzBdTnau87QN59xqRXG,iv:0X4CC3dBbBPyq/kQpFlveaqZYQfSbVlxvGavHStwCB4=,tag:m8jWGL5wfcOP91gu4SIgsg==,type:str]
kes-api-key: ENC[AES256_GCM,data:RSj/mTGjPe3di/xqZvko4CTynB66AyUhdGzHm/sacgl0+2kHejd1NvGEd+G7UehqUvcq,iv:UQvlGP9dwEK5r82anaTzSJW12+BD8bmKBy3XhJP2JaU=,tag:ipKsmtQhIYZy2K0WBgpyWw==,type:str]
minio-kes-cert: ENC[AES256_GCM,data:o84eMtsgxp3ClR4Dkh1j5sHPUirkPKDy0tZCiqvLZV3N5/8M3erfECtK7Mv7nFQgvkYyk9/SfSy7i34iUckilHnkZytH8iBKDK6krJanntJFf/C1ntmraWvPb0mmCm+MNzNq+/0kYXt/LzxGpoCdjk2xspmQbSVU1qeiWBSuFIwoMg9EMwurkwp6DQZJgZfatyZgkrFud7sq7BviD8dBQ+3ybJUBuAfU6ITOHSlVVxu32J1OcCJDbA8BPxw3WOhK9/XWfnKdHxOEHPp2HM8kK5xGcWsawadAaHy9OD+RrDYLuF6UaGFtb+8FRDn/oq04+hQa0v7AWiDssvcgg2XyflLHQUfN9aRYm/iZrFIEzTa/goxSfUhYZ73g+irf5/dd0RSpOCwqEe9Vsd0TDa6ENbTPR9IHaeUDF+ro1+LaSQLR3SBc0fiH3TP+mFKPor2vX9T20wqwlD+3x+j/bipyZbP1iO0u4DS8p5+tBJ/e655HWbWShFgovThNik9EDNRKZOTjh+HdVkGpoVSupc5jPTOo6ucLeUq0QWuEcH0Lm8YP7/vWAjJ/JQMc558J7qe3d6MDge6QfwZxcdARvu0DCTY2NjxNI/aFMIoGtuv4sKEKk8Gqe1WdYnoqNPQW5UkysJ/6xP38N5nrCPdUL8EWPLf+Zns/X6Hk,iv:FelsEzmNCaYplIhk78FoPXduC5UW5kRNlFlStEEH06o=,tag:aEfdYmjAD0cvOteQlk/I3w==,type:str]
minio-kes-key: ENC[AES256_GCM,data:1h4AdQ4L9bOfkAfKQz4qfO8M6qe5vXOpZnBzpCYUfNJQefCM3dDJwbYmE87jh8UWqX6iM0hdE7YuBll21oflu7d5HAWMRWEuYp1ApiAcWaRYZ6/MsonPv51bboiJFplPcPmLen48kpQ5AcbQddhgzrD99WX9Pg==,iv:7kZrAD2ty0v7Iq9bKtIkHViDz1f35Qvji5cI6ow8FVQ=,tag:lqEMjq2qIBHDLT7LSpdwcA==,type:str]
kes-cert: ENC[AES256_GCM,data:jUNtsajgp8wSJ6JeqxJNR0jplRpewew4H74SUx+Ib5S5hxSLz3uxTDSJvEeWj2D0FngmKH4GDhltGl2as3DBRiELC4mApSc/7K+aXwi1+lE2HLTG1ESLMBLG3d0iuNvuCM4qX5rEvH3ZKFTyMIhXZMt0wOMiGn9fyFqxNiGr4ipx8aVXWzJ3jRMHWKVaW4HlSSWRGkmf2U7Dc9WeYtc5T/ziissIjHqBfPRfDp8X7P2goWLjCI4LBkGzjOwgw+J8/2B65cvde/gMAwWX8Q6VRNAhVkNlfc2633YwQQF9GzyFgvuEFQrTvzrR/L6JJnDvW40ldlW04I3AtEHFQTJGk+caXdj2xil5Be3949VcGWPVMD9nfMTFnl1LS7rzUj3eT1eoKoQHmfV/Z+32MOxiLtTVh+TRSLIDiu3JfyDSL1khLHKGY6kvTibN6KHgTHAM1fopaNdks23pgn+G9ONkRuTWIKnNldNeKBWt2XfB4dQv/ITd6bio8tJHfmJenBUKUuUlocQlzgzqpghLoLuX3hcitVMZfBn3xHDEDXpl6ou6eTp9BmRtjaYN/oFaEJNiZGCCYxgi+m6FEpp4deK2us8va+XoeYGIN3uQOFVcI7D///nmvtOyqc3lN2xKKNJgVNyv4U3Z4dLu3Zk93bMtug==,iv:CwacuLmfX/cj7wC6AaAj7sny3Ywrx+RVkKqDZv6OheM=,tag:iIh1StrhkveyX0Ccjuh14g==,type:str]
kes-key: ENC[AES256_GCM,data:D4I0gPI1e4cDS+E3xvIoBbk5HXvkqh7t6pIRztOPptkUuu9WG9R3HjOJb4qqUtAQGwX2oNs0lxwnopBWps48SFh3bIwPVlPJ9JrMhWrTs7q7GNYaUTxsH7rFU7j/GKvsd52YL9UHee9GPSo4JdmdvfGm2EJLSg==,iv:lCNaOi1uEFzYnDD+w8SKGVUGUsiOhRUjUGQ5R2Aw+W0=,tag:rNeHNUV14sCeYOvClzng3A==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-01-20T18:53:33Z" lastmodified: "2024-01-27T13:31:03Z"
mac: ENC[AES256_GCM,data:KnuQeJpvts2n53WRRsPOeSJLVPu5D/aTiqcbmB+zzWGxAmRRJz+Nx2iPPAy3Soz1Plg9LlcAW0P42wQ392qlxwq0SYPceJ6wxllnqOURoPF4hHTfvkPmJoQjgt782tunDvzKP8EsBb3GQwpwG7yPkFSCU4NpZc1hQsuFlWxjfJw=,iv:YVJLsTMBRmmuSXV5IHLxNysKIQqwN5P4D5qINrQwieY=,tag:+Z1Rj5JJilHqkR6M0i7aGQ==,type:str] mac: ENC[AES256_GCM,data:jOoYhT0lGWkfv8KaV1sTVLDa//v7fhGX6U8TZbl1fBwsqjAds2wgac0XlrsHTtXvI4IbdzQCt3+czfUP4n6xHssRZCAP/Hjqp6NjXcHKY1P3/k/CPnRElb8DizjGJyhuDDRW7gokrxK6XEEvE/y4muI+tBy4/DP2dz6wflgC16g=,iv:StiAgxMmAHb5V6gb24Lz6f+DIhxSozWxmP8RD9wgoNg=,tag:On+Tu3KFxuTLBcdGQCyFDg==,type:str]
pgp: pgp:
- created_at: "2024-01-20T17:06:10Z" - created_at: "2024-01-20T17:06:10Z"
enc: |- enc: |-