krebs / krops

Mirror of https://cgit.krebsco.de/krops/about/ (PRs / issues accepted, as can be seen by not having them disabled)
Do What The F*ck You Want To Public License

permission management for secrets [question] #4

Open ghost opened 4 years ago

ghost commented 4 years ago

What is the best way to make krops chown and chmod certain directories that were deployed from a password-store to make them accessible to the services? For example I want to deploy secrets to /var/src/secrets/gitlab/ and they should be readable by the gitlab user.

4z3 commented 4 years ago

There's no best way yet. One solution is to do it in NixOS by having a separate service to copy, chmod, chown these secrets. There exists a very crude example for that at the moment (here's an example user of that crude service). A more refined mechanism would have to ensure that secrets cannot change silently, i.e. all services depending on a changed secret would get restarted. Similar solutions could also be realized using (privileged) ExecStartPre, or even activation scripts. That said, it would be possible to let krops do the chowning and chmodding. But as restarting of services would still be an issue, this would only be half a solution, and so it hasn't been attempted, yet.

mrVanDalo commented 4 years ago

I created these modules for that purpose: https://github.com/mrVanDalo/module.krops. Always happy for improvements.

ghost commented 4 years ago

I had initially thought of a simpler solution like running chown remotely at the end of the populate script, but the issue with that is that the users might only be created when the system activation script is run. Restarting the services is not important for me, and another problem outside the scope of this issue in my opinion. mrVanDalo's modules look promising, but they seem too opinionated and big to be included in krops. I think we could create a document explaining some possible setups for this regardless, just as an idea for new users.

mrVanDalo commented 4 years ago

@petabyteboy yes, they are not meant to be included into krops; they are more a hotfix for problems I have with krops (this is why I named the repo krops). But you are right, the biggest problem for the rights management is that users might not exist while changing the rights of the files.

4z3 commented 4 years ago

Related RFC: https://github.com/NixOS/rfcs/pull/59

Mic92 commented 4 years ago

Rather than a systemd service, I use an activation script: https://github.com/Mic92/dotfiles/blob/23f163cae52545d44a7e379dc204010b013d679a/nixos/vms/modules/secrets.nix. That way it makes sure all secrets are in place before systemd services get started. It should also be started only after declarative users/groups have been created.
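As an added illustration of the activation-script approach discussed in this thread (not krops code, and not Mic92's or mrVanDalo's module), the NixOS fragment below copies secrets that krops deployed to /var/src/secrets into a tmpfs directory with the owner and mode each service needs, and declares a dependency on the `users` activation script so the target users already exist when chown runs. The `gitlab` user and the /var/src/secrets path come from the issue; the secret names, the /run/secrets destination and the modes are assumptions.

```nix
# Added example, not part of krops: install krops-deployed secrets with the
# correct ownership during system activation, after declarative users exist.
{ config, lib, pkgs, ... }:

let
  # Constructed list: which deployed file goes where, and who may read it.
  secrets = {
    "gitlab/db-password" = { owner = "gitlab"; group = "gitlab"; mode = "0400"; };
    "gitlab/secret-key"  = { owner = "gitlab"; group = "gitlab"; mode = "0400"; };
  };
  src = "/var/src/secrets";   # populated by krops, root-only
  dst = "/run/secrets";       # tmpfs, so decrypted copies never reach the disk

  installOne = name: s: ''
    # one directory per service, traversable only by root and the owning group
    ${pkgs.coreutils}/bin/install -d -o ${s.owner} -g ${s.group} -m 0750 \
      ${dst}/${builtins.dirOf name}
    # install(1) copies and sets owner/group/mode in one step
    ${pkgs.coreutils}/bin/install -o ${s.owner} -g ${s.group} -m ${s.mode} \
      ${src}/${name} ${dst}/${name}
  '';
in
{
  system.activationScripts.install-secrets = {
    # "users" is the NixOS activation script that creates declarative users
    # and groups; without this dependency chown may fail on first activation.
    deps = [ "users" ];
    text = ''
      ${pkgs.coreutils}/bin/install -d -m 0755 ${dst}
    '' + lib.concatStringsSep "\n" (lib.mapAttrsToList installOne secrets);
  };
}
```

This resolves the ordering problem raised above (users not yet existing when the populate step runs), but, as 4z3 noted, it does not restart services whose secrets changed; that still has to be handled separately.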