nixfiles/hosts/raspberry/secrets.nix

{pkgs, ...}: {
  services.secrets = {
    enable = true;

    packages = with pkgs; [rclone];

    extraFunctions = ''
      simple_get_obscure() {
        rclone obscure "$(simple_get "$@")"
      }
    '';

    requiredVaultPaths = [
      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
      "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
      "private-public-keys/data/wireguard/chaos-internal/raspberry"
      "passwords/data/wifi/parentals-home"
      "api-keys/data/hetzner/storagebox" # also used dynamically
    ];

    secrets = {
      # Used for fetching the encryption drive's key at runtime
      # can be revoked in case of hardware theft
      # Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
      vault_login_password = {
        manual = true;
      };

      home-wifi-password = {
        user = "root";
        group = "root";
        permissions = "600";
        path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection";

        fetchScript = ''
          ssid=$(simple_get "/passwords/wifi/parentals-home" .ssid)
          password=$(simple_get "/passwords/wifi/parentals-home" .password)

          # Create path to if doesn't exist, useful for when using secrets-init on another host
          if [ ! -d "$SYSROOT/etc/NetworkManager/system-connections" ]; then
            mkdir -p "$SYSROOT/etc/NetworkManager/system-connections"
          fi

          cp ${./data/wifi-nmconnection.template} "$secretFile"
          sed -i "s/WIFI_ID/Home-WiFi/" "$secretFile"
          sed -i "s/WIFI_SSID/$ssid/" "$secretFile"
          sed -i "s/WIFI_PASSWORD/$password/" "$secretFile"
        '';
      };

      piped_cockroachdb_ca_certificate = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/ca.crt";
        fetchScript = ''
          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
          fi
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
            | base64 -d > "$secretFile"
        '';
      };
      piped_cockroachdb_node_certificate = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/node.crt";
        fetchScript = ''
          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
          fi
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
            | base64 -d > "$secretFile"
        '';
      };
      piped_cockroachdb_node_key = {
        user = "cockroachdb";
        group = "cockroachdb";
        permissions = "600";
        path = "/var/lib/cockroachdb-certs/node.key";
        fetchScript = ''
          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
          fi
          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
            | base64 -d > "$secretFile"
        '';
      };

      # for internal wireguard VPN
      wg_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .private > "$secretFile"
        '';
      };
      wg_preshared_hetzner-vm = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.hetzner_vm > "$secretFile"
        '';
      };
      wg_preshared_vault = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.vault > "$secretFile"
        '';
      };
    };
  };
}
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`{pkgs, ...}: {`
add vaultui flake, minor tidying, start work on raspberry machine 2023-09-13 16:21:54 +01:00			`services.secrets = {`
			`enable = true;`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00
			`packages = with pkgs; [rclone];`

			`extraFunctions = ''`
			`simple_get_obscure() {`
			`rclone obscure "$(simple_get "$@")"`
			`}`
			`'';`

			`requiredVaultPaths = [`
lots of misc changes with wireguard and whatever 2023-09-16 16:06:16 +01:00			`"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically`
			`"private-public-keys/data/wireguard/chaos-internal/raspberry"`
			`"passwords/data/wifi/parentals-home"`
lots of misc changes with wireguard and whatever 2023-09-16 16:06:16 +01:00			`"api-keys/data/hetzner/storagebox" # also used dynamically`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`];`

add vaultui flake, minor tidying, start work on raspberry machine 2023-09-13 16:21:54 +01:00			`secrets = {`
more work on raspberry's drive 2023-09-13 19:26:50 +01:00			`# Used for fetching the encryption drive's key at runtime`
			`# can be revoked in case of hardware theft`
			`# Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login`
			`vault_login_password = {`
			`manual = true;`
			`};`

add vaultui flake, minor tidying, start work on raspberry machine 2023-09-13 16:21:54 +01:00			`home-wifi-password = {`
			`user = "root";`
			`group = "root";`
more work on raspberry's drive 2023-09-13 19:26:50 +01:00			`permissions = "600";`
add vaultui flake, minor tidying, start work on raspberry machine 2023-09-13 16:21:54 +01:00			`path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection";`

			`fetchScript = ''`
			`ssid=$(simple_get "/passwords/wifi/parentals-home" .ssid)`
			`password=$(simple_get "/passwords/wifi/parentals-home" .password)`

			`# Create path to if doesn't exist, useful for when using secrets-init on another host`
			`if [ ! -d "$SYSROOT/etc/NetworkManager/system-connections" ]; then`
			`mkdir -p "$SYSROOT/etc/NetworkManager/system-connections"`
			`fi`

			`cp ${./data/wifi-nmconnection.template} "$secretFile"`
			`sed -i "s/WIFI_ID/Home-WiFi/" "$secretFile"`
			`sed -i "s/WIFI_SSID/$ssid/" "$secretFile"`
			`sed -i "s/WIFI_PASSWORD/$password/" "$secretFile"`
			`'';`
			`};`
wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00
lots of misc changes with wireguard and whatever 2023-09-16 16:06:16 +01:00			`piped_cockroachdb_ca_certificate = {`
			`user = "cockroachdb";`
			`group = "cockroachdb";`
			`permissions = "600";`
			`path = "/var/lib/cockroachdb-certs/ca.crt";`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`fetchScript = ''`
lots of misc changes with wireguard and whatever 2023-09-16 16:06:16 +01:00			`if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then`
			`mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"`
			`fi`
			`simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \`
			`\| base64 -d > "$secretFile"`
			`'';`
			`};`
			`piped_cockroachdb_node_certificate = {`
			`user = "cockroachdb";`
			`group = "cockroachdb";`
			`permissions = "600";`
			`path = "/var/lib/cockroachdb-certs/node.crt";`
			`fetchScript = ''`
			`if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then`
			`mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"`
			`fi`
			`simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \`
			`\| base64 -d > "$secretFile"`
			`'';`
			`};`
			`piped_cockroachdb_node_key = {`
			`user = "cockroachdb";`
			`group = "cockroachdb";`
			`permissions = "600";`
			`path = "/var/lib/cockroachdb-certs/node.key";`
			`fetchScript = ''`
			`if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then`
			`mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"`
			`fi`
			`simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \`
			`\| base64 -d > "$secretFile"`
piped-proxy on raspberry 2023-09-14 19:44:27 +01:00			`'';`
			`};`

wireguard for raspberry, outputs.nix tidy, enable generating of vault policies 2023-09-14 13:54:56 +01:00			`# for internal wireguard VPN`
			`wg_priv = {`
			`fetchScript = ''`
			`simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .private > "$secretFile"`
			`'';`
			`};`
			`wg_preshared_hetzner-vm = {`
			`fetchScript = ''`
			`simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.hetzner_vm > "$secretFile"`
			`'';`
			`};`
			`wg_preshared_vault = {`
			`fetchScript = ''`
			`simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.vault > "$secretFile"`
			`'';`
			`};`
add vaultui flake, minor tidying, start work on raspberry machine 2023-09-13 16:21:54 +01:00			`};`
			`};`
			`}`