From c90f2462abd21d72556037f05c697d042ed64baa Mon Sep 17 00:00:00 2001
From: Robin Stumm
Date: Wed, 29 Mar 2023 15:52:45 +0200
Subject: [PATCH] add OIDC and cookie secrets for cicero

---
 nix/cloud/kv/vault/cicero/cookie.enc.yaml | 18 +++++++++++++
 .../kv/vault/cicero/oauth/google.enc.yaml | 18 +++++++++++++
 nix/cloud/nomadEnvs/cicero/default.nix | 27 +++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 nix/cloud/kv/vault/cicero/cookie.enc.yaml
 create mode 100644 nix/cloud/kv/vault/cicero/oauth/google.enc.yaml

diff --git a/nix/cloud/kv/vault/cicero/cookie.enc.yaml b/nix/cloud/kv/vault/cicero/cookie.enc.yaml
new file mode 100644
index 0000000..ad13303
--- /dev/null
+++ b/nix/cloud/kv/vault/cicero/cookie.enc.yaml
@@ -0,0 +1,18 @@
+authentication: ENC[AES256_GCM,data:RyamUwvzcSmtVg22IyEfFQ==,iv:9MFyw3NHmYt1MS6LG3CurTHfHShXII2GbiRIhhzk5m8=,tag:yXWOGliUIZQq/mBc43kGGg==,type:str]
+encryption: ENC[AES256_GCM,data:gli1OWBx2El/laY3DdWJSXinN6hkpU2v4NqI2J2VWHc=,iv:EW2V8JP4fTXVG+dXIjO0KIBcyP0iGEH4qUr8o/kr5T0=,tag:fFES6Fv9tLbH7fBPJz9wNA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault:
+        - vault_address: https://vault.ci.iog.io
+          engine_path: sops
+          key_name: ops
+          created_at: "2022-04-22T16:31:48Z"
+          enc: vault:v1:NKNt0+n8/ij6bjpHqxgMu+M4bsF+RasH1yzL2H7lBlnltXuQYFMPCvrfCsd/B+/LAw4Nc3N7sTHBlSlO
+    age: []
+    lastmodified: "2023-03-29T13:50:05Z"
+    mac: ENC[AES256_GCM,data:+W77RBasZv9JQ9jk3sLnI6W4SE6tKmHS9iD6J+Y+LgaO2Okkp6wfPN+4/gLkYf/FNBo9Dn5bomJKpFpPyrzRCvS1LWJBL0OQdPQzWJJquUUuTzllGUsW4YjxL5jTfxmMMv3lB1o0OObd5y2/10Ma+H1uehgrQwj48pLetlevLsM=,iv:c9OddrYDpRmP2wL82a3OAH0GDMPvirg8fD0y/utWTA4=,tag:4XU/TJce9HnMBu2UkSoyIA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nix/cloud/kv/vault/cicero/oauth/google.enc.yaml b/nix/cloud/kv/vault/cicero/oauth/google.enc.yaml
new file mode 100644
index 0000000..f92cbc3
--- /dev/null
+++ b/nix/cloud/kv/vault/cicero/oauth/google.enc.yaml
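Review bot: Both new sops files carry a byte-identical `hc_vault.enc` value and a `created_at` of 2022-04-22T16:31:48Z, almost a year before this commit's `lastmodified`, which suggests they were created by copying an older encrypted file and editing it rather than encrypting fresh plaintext, so they share that file's data key with each other (the same applies to the google.enc.yaml hunk). Rotating the data key per file, e.g. `sops -r -i nix/cloud/kv/vault/cicero/cookie.enc.yaml` and likewise for the google file, keeps a leaked data key scoped to a single secret. Also, AES-GCM ciphertext has the same length as its plaintext, so the `authentication` value appears to be 16 bytes and `encryption` 32 bytes; if cicero uses the authentication value directly as a MAC key, confirm that 16 bytes is the size it expects.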
@@ -0,0 +1,18 @@
+client-id: ENC[AES256_GCM,data:R0i+cD8glyrf2xokItfNZUOowqykZ761Rep0XQIeBio/x2GMGpSjYIlDZ7Q3ENXCG/m2SxDeGUpT9ehA+MreRL90/9i89ObEgA==,iv:X6Zaptal1J0KIUho6kW2ECQXm0FvDxUFFCCPzHccBmo=,tag:fVWHXVozZvscLK7wMFwBEw==,type:str]
+client-secret: ENC[AES256_GCM,data:6dU9Ge8Kefz93M2qigv9ddUy91yVmmVhtCEmUdJqxB4OB1s=,iv:CAd7fHIOaHbeB7QLOczXcoc3qjNhniPtoSbRJ881PVM=,tag:hYmUFOaZXKwfk5/efq5j6A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault:
+        - vault_address: https://vault.ci.iog.io
+          engine_path: sops
+          key_name: ops
+          created_at: "2022-04-22T16:31:48Z"
+          enc: vault:v1:NKNt0+n8/ij6bjpHqxgMu+M4bsF+RasH1yzL2H7lBlnltXuQYFMPCvrfCsd/B+/LAw4Nc3N7sTHBlSlO
+    age: []
+    lastmodified: "2023-03-29T13:42:00Z"
+    mac: ENC[AES256_GCM,data:kpC2TbtaXyZkDfBrUVjFWCALRfHDsSvVP2rVJyjQTD01op5MTaOEH504E62G6Qisi1NoYvHRWNJXVc3sQ/jbI++ULgDgHAlagKzJlV5xsWPGQFety5wtPTWNKnOGF5dIqkDtk176XVrsAYDGdE022gRtuogq/M4rMNZ8oyBKl8c=,iv:iChKvb9862zma4k7ZG2Gw+yCgbhcxwsn7sGzpwYiTRc=,tag:gkZP2it7Ah/I7Kuz+PEq4g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/nix/cloud/nomadEnvs/cicero/default.nix b/nix/cloud/nomadEnvs/cicero/default.nix
index 05b338a..1ca9890 100644
--- a/nix/cloud/nomadEnvs/cicero/default.nix
+++ b/nix/cloud/nomadEnvs/cicero/default.nix
@@ -225,6 +225,9 @@
       args = lib.flatten [
         ["--victoriametrics-addr" "http://monitoring.node.consul:8428"]
         ["--prometheus-addr" "http://monitoring.node.consul:3100"]
+        ["--web-cookie-auth" "/secrets/cookie/authentication"]
+        ["--web-cookie-enc" "/secrets/cookie/encryption"]
+        ["--web-oidc-providers" "/secrets/oidc-providers"]
         ["--transform" (map lib.getExe transformers)]
       ];
     };
@@ -304,6 +307,30 @@
           env = true;
         }

+        {
+          destination = "/secrets/cookie/authentication";
+          data = ''{{(secret "kv/data/cicero/cookie").Data.data.authentication}}'';
+        }
+        {
+          destination = "/secrets/cookie/encryption";
+          data = ''{{(secret "kv/data/cicero/cookie").Data.data.encryption}}'';
+        }
+        {
+          destination = "/secrets/oidc-providers";
+          data = ''
+            {
+              "google": {
+                {{with (secret "kv/data/cicero/oauth/google").Data.data -}}
+                "issuer": "https://accounts.google.com",
+                "callback-url": "https://${subdomain}.${domain}/login/oidc/google/callback",
+                "client-id": "{{index . "client-id"}}",
+                "client-secret": "{{index . "client-secret"}}"
+                {{- end}}
+              }
+            }
+          '';
+        }
+
         {
           destination = "/secrets/docker";
           data = ''
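Review bot: The `/secrets/oidc-providers` template assembles JSON by interpolating the `client-id` and `client-secret` secrets directly inside string literals, so a value containing `"` or `\` would yield an invalid file or a document that differs from what was intended, and no step in view validates the rendered JSON. Emitting both values through consul-template's `toJSON` function produces a correctly quoted and escaped string: `"client-id": {{index . "client-id" | toJSON}},` and `"client-secret": {{index . "client-secret" | toJSON}}`. The two cookie templates above render each raw secret as the entire file, which needs no escaping. The list of template entries these belong to starts before this hunk.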