From 15bb6f6f92d6566ae77d9e155e61be6b05b962fd Mon Sep 17 00:00:00 2001 From: Chaos Date: Fri, 11 Nov 2022 20:53:17 +0000 Subject: [PATCH] initial work on wireguard mess --- home/apps/mpv.nix | 4 +- hosts/hetzner-vm/hetzner-vm.nix | 1 + hosts/hetzner-vm/secrets-db.nix | 24 ++++ hosts/hetzner-vm/secrets.nix | 24 ++++ hosts/hetzner-vm/services/wireguard.nix | 33 +++++ hosts/lappy/hardware.nix | 66 ---------- hosts/lappy/hardware/ssd_data.nix | 24 ---- hosts/lappy/hardware/usb_data.nix | 28 ----- hosts/lappy/lappy.nix | 159 ------------------------ hosts/lappy/profiles/harry-vpn.nix | 19 --- hosts/lappy/profiles/macos-vm.nix | 15 --- hosts/lappy/profiles/mpd.nix | 32 ----- hosts/lappy/profiles/usb-automount.nix | 40 ------ hosts/lappy/vm.nix | 11 -- hosts/tablet/profiles/wireguard.nix | 29 +++++ hosts/tablet/secrets-db.nix | 39 ++++++ hosts/tablet/secrets.nix | 54 ++++++++ hosts/tablet/tablet.nix | 2 + hosts/vault/profiles/wireguard.nix | 29 +++++ hosts/vault/secrets-db.nix | 18 +++ hosts/vault/secrets.nix | 18 +++ hosts/vault/vault.nix | 2 + wg.key | 1 + wg.pub | 1 + 24 files changed, 277 insertions(+), 396 deletions(-) create mode 100644 hosts/hetzner-vm/services/wireguard.nix delete mode 100644 hosts/lappy/hardware.nix delete mode 100644 hosts/lappy/hardware/ssd_data.nix delete mode 100644 hosts/lappy/hardware/usb_data.nix delete mode 100644 hosts/lappy/lappy.nix delete mode 100644 hosts/lappy/profiles/harry-vpn.nix delete mode 100644 hosts/lappy/profiles/macos-vm.nix delete mode 100644 hosts/lappy/profiles/mpd.nix delete mode 100644 hosts/lappy/profiles/usb-automount.nix delete mode 100644 hosts/lappy/vm.nix create mode 100644 hosts/tablet/profiles/wireguard.nix create mode 100644 hosts/tablet/secrets-db.nix create mode 100644 hosts/tablet/secrets.nix create mode 100644 hosts/vault/profiles/wireguard.nix create mode 100644 wg.key create mode 100644 wg.pub diff --git a/home/apps/mpv.nix b/home/apps/mpv.nix index 79c15fd..1f6d22b 100644 --- a/home/apps/mpv.nix 
+++ b/home/apps/mpv.nix @@ -1,9 +1,9 @@ { config, pkgs, ... }: let listen-password-file = if pkgs.stdenv.isLinux then - "/secrets/music-stream-password" + "/secrets/music_stream_password" else - "$HOME/.secrets/music-stream-password"; + "$HOME/.secrets/music_stream_password"; in { home.packages = with pkgs; [ mpv ffmpeg yt-dlp ]; programs.mpv = { diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix index ab1b842..df727ca 100644 --- a/hosts/hetzner-vm/hetzner-vm.nix +++ b/hosts/hetzner-vm/hetzner-vm.nix @@ -17,6 +17,7 @@ hosts.hetzner-vm.services.gitlab-static-sites hosts.hetzner-vm.services.lappy-dev hosts.hetzner-vm.services.misskey + hosts.hetzner-vm.services.wireguard ./networking.nix ./hardware.nix diff --git a/hosts/hetzner-vm/secrets-db.nix b/hosts/hetzner-vm/secrets-db.nix index be02f02..b9d933d 100644 --- a/hosts/hetzner-vm/secrets-db.nix +++ b/hosts/hetzner-vm/secrets-db.nix @@ -35,4 +35,28 @@ permissions = "660"; path = "/secrets/restic_env"; }; + wg_privkey = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_privkey"; + }; + wg_preshared_tablet = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_tablet"; + }; + wg_preshared_vault = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_vault"; + }; + wg_preshared_storage = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_storage"; + }; } diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix index 105053e..8235678 100644 --- a/hosts/hetzner-vm/secrets.nix +++ b/hosts/hetzner-vm/secrets.nix 
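Review bot: The new hetzner-vm entry in hosts/hetzner-vm/secrets-db.nix is named `wg_privkey`, while the equivalent entries this commit adds to hosts/tablet/secrets-db.nix and hosts/vault/secrets-db.nix are named `wg_priv`, so the three hosts cannot share one wireguard profile or secrets-fetch snippet without per-host special-casing. Renaming it to `wg_priv = { ... path = "/secrets/wg_priv"; };` and updating the two references in hosts/hetzner-vm/secrets.nix and hosts/hetzner-vm/services/wireguard.nix keeps the hosts uniform. The attribute set these entries extend begins outside the hunk.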
@@ -62,6 +62,30 @@ in { echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/HetznerVM" > $file chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} $file chmod ${secrets-db.restic_env.permissions} $file + + file=${secrets-db.wg_privkey.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > $file + chown ${secrets-db.wg_privkey.user}:${secrets-db.wg_privkey.group} $file + chmod ${secrets-db.wg_privkey.permissions} $file + + file=${secrets-db.wg_preshared_tablet.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.tablet > $file + chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file + chmod ${secrets-db.wg_preshared_tablet.permissions} $file + + file=${secrets-db.wg_preshared_vault.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > $file + chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file + chmod ${secrets-db.wg_preshared_vault.permissions} $file + + file=${secrets-db.wg_preshared_storage.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $file + chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file + chmod ${secrets-db.wg_preshared_storage.permissions} $file '') ]; } diff --git a/hosts/hetzner-vm/services/wireguard.nix b/hosts/hetzner-vm/services/wireguard.nix new file mode 100644 index 0000000..3974e28 --- /dev/null +++ b/hosts/hetzner-vm/services/wireguard.nix 
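Review bot: Each `simple_get ... > $file` line creates the key file with the shell's default umask before the following `chown`/`chmod` lines run, so for a moment the WireGuard private key and the three preshared keys are readable by other local users if that umask is the usual 022. Setting `umask 077` once at the top of the init-secrets script, next to the `set -e -o pipefail` the tablet version begins with (presumably the hetzner-vm script has the same header, which is outside this hunk), creates every file private from the start and turns the later `chmod` into a confirmation rather than the only protection. The same write-then-chmod pattern is repeated in the hosts/tablet/secrets.nix and hosts/vault/secrets.nix hunks of this commit. The init-secrets script enclosing these lines starts and ends outside the hunk.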
@@ -0,0 +1,33 @@
+{ ... }:
+let secrets-db = (import ../secrets-db.nix { });
+in {
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.69.42.1/32" ];
+ listenPort = 51820;
+ privateKeyFile = "${secrets-db.wg_privkey.path}";
+ peers = [
+ # tablet
+ {
+ publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
+ presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
+ allowedIPs = [ "10.69.42.2/32" ];
+ }
+ # vault
+ {
+ publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+ presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
+ endpoint = "vault.servers.genderfucked.monster:51820";
+ allowedIPs = [ "10.69.42.3/32" ];
+ }
+ # storage
+ {
+ publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
+ presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
+ allowedIPs = [ "10.69.42.4/32" ];
+ }
+ ];
+ };
+ };
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+}
diff --git a/hosts/lappy/hardware.nix b/hosts/lappy/hardware.nix
deleted file mode 100644
index 3becbbd..0000000
--- a/hosts/lappy/hardware.nix
+++ /dev/null
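Review bot: The peer `publicKey` literals in this new file are repeated verbatim in hosts/tablet/profiles/wireguard.nix and hosts/vault/profiles/wireguard.nix (each host's key appears in the two other hosts' files), so a key rotation or address change must be applied by hand in every host file, and one mistyped character produces a peer that silently never completes a handshake. A shared attribute set, e.g. a `wireguard-peers.nix` mapping host name to `{ publicKey; address; endpoint; }` that each profile imports and filters, gives a single place to edit and lets each host's own entry supply its `address`. The `storage` peer has no `endpoint` and no storage host configuration appears in this commit, which is fine for a dial-in peer but deserves a comment such as `# storage dials in; no endpoint configured here`.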
@@ -1,66 +0,0 @@ -{ pkgs, ... }: -let - usb_data = import ./hardware/usb_data.nix { }; - ssd_data = import ./hardware/ssd_data.nix { }; -in { - boot = { - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "nvme" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - "uas" - "usbcore" - "usb_storage" - "vfat" - "nls_cp437" - "nls_iso8859_1" - "aesni_intel" - "cryptd" - ]; - kernelModules = [ "kvm-intel" ]; - - initrd.postDeviceCommands = pkgs.lib.mkBefore '' - mkdir -m 0755 -p ${usb_data.mountpoint} - - while !(test -b ${usb_data.encrypted_path}) - do - echo "Please Plug In USB" - sleep 1 - done - - echo "Please Decrypt USB" - - cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name} - - mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} - ''; - - initrd.luks.devices = { - "${ssd_data.root_mapper_name}" = { - device = "${ssd_data.encrypted_root_path}"; - keyFile = "${usb_data.lappy_encryption_key_path}"; - preLVM = false; - allowDiscards = true; - }; - }; - }; - - fileSystems = { - "/" = { - device = "${ssd_data.decrypted_root_path}"; - fsType = "${ssd_data.unencrypted_root_fs_type}"; - }; - "/boot" = { - device = "${ssd_data.boot_path}"; - fsType = "${ssd_data.boot_fs_type}"; - }; - }; - -} diff --git a/hosts/lappy/hardware/ssd_data.nix b/hosts/lappy/hardware/ssd_data.nix deleted file mode 100644 index 6bc8aa2..0000000 --- a/hosts/lappy/hardware/ssd_data.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -{ }: rec { - # Mountpoints - root_mountpoint = "/"; - boot_mountpoint = "/boot"; - - # Partition Labels - boot_label = "nixboot"; - unencrypted_root_label = "nixos"; - encrypted_root_partlabel = "nixos_encrypted"; - - # Partition Filesystems - unencrypted_root_fs_type = "ext4"; - boot_fs_type = "vfat"; - - # Mapper Name - root_mapper_name = "cryptroot"; - - # FS Paths - encrypted_root_path = "/dev/disk/by-partlabel/${encrypted_root_partlabel}"; - decrypted_root_path = "/dev/mapper/${root_mapper_name}"; - - boot_path = "/dev/disk/by-label/${boot_label}"; - -} diff --git a/hosts/lappy/hardware/usb_data.nix b/hosts/lappy/hardware/usb_data.nix deleted file mode 100644 index 98a5f3a..0000000 --- a/hosts/lappy/hardware/usb_data.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ ... }: rec { - # Mountpoints - mountpoint = "/usb"; - - # Partition Labels - encrypted_partlabel = "usb"; - unencrypted_label = "usb_unencrypted"; - - # Partition Filesystems - unencrypted_fs_type = "ext4"; - - # Mapper Information - mapper_name = "usb_unencrypted"; - - # FS Paths - encrypted_path = "/dev/disk/by-partlabel/${encrypted_partlabel}"; - unencrypted_path = "/dev/disk/by-label/${unencrypted_label}"; - mapper_path = "/dev/mapper/${mapper_name}"; - - # Paths to some important files - lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key"; - - chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv"; - chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub"; - - ssh_priv_path = "${mountpoint}/ssh-keys/chaos.priv"; - ssh_pub_path = "${mountpoint}/ssh-keys/chaos.pub"; -} diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix deleted file mode 100644 index a35d4a4..0000000 --- a/hosts/lappy/lappy.nix +++ /dev/null 
@@ -1,159 +0,0 @@ -{ tree, config, pkgs, lib, ... }: -let usb_data = import ./hardware/usb_data.nix { }; -in { - imports = with tree; [ - users.root - users.chaos - profiles.tailscale - #profiles.dnscrypt - #profiles.printing - profiles.sshd - - hosts.lappy.profiles.usb-automount - hosts.lappy.profiles.harry-vpn - - # required for dualsense controller - profiles.kernels.latest - - profiles.laptop - - # Bluetooth - #profiles.connectivity.bluetooth - - profiles.connectivity.network_manager - profiles.connectivity.ios - - profiles.sound.pipewire - - profiles.gui.base - profiles.gui.environments.gnome - - profiles.gaming.steam - - # for sci-hub and whenever websites break - profiles.tor - - # For cross compiling and deploying to raspberry - profiles.cross.arm64 - - profiles.force_dns - #extras.shenanigans-hotspot - ]; - - services.mullvad-vpn.enable = true; - - home-manager.users.root = { - imports = with tree; [ home.base ]; - home.stateVersion = "22.05"; - }; - home-manager.users.chaos = { - programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}"; - programs.git.extraConfig = { - gpg.format = "ssh"; - commit.gpgsign = "true"; - tag.gpgsign = "true"; - user = { signingKey = "${usb_data.ssh_priv_path}"; }; - }; - imports = with tree; [ - home.base - home.dev.all - #home.reversing - - home.gui.base - home.gui.environments.gnome - - #home.gaming.emulators.ds - #home.gaming.games.minecraft - #home.gaming.games.osu - home.gaming.platforms.steam - - #home.bluetooth - #home.network_manager - - home.apps.vivaldi - home.apps.telegram - home.apps.quassel - home.apps.mpv - home.apps.strawberry - home.apps.file-roller - home.apps.nautilus - home.apps.nicotine-plus - home.apps.musicutil - home.apps.pavucontrol - home.apps.mullvad - home.apps.aria2 - home.apps.rclone - home.apps.restic - - home.programming.editors.vscode - home.programming.languages.go - home.programming.languages.nix - ]; - home.stateVersion = "22.05"; - }; - - hardware.opengl.extraPackages = with 
pkgs; [ - vaapiIntel - vaapiVdpau - libvdpau-va-gl - intel-media-driver - ]; - - #services.getty.extraArgs = [ "--skip-login" "--login-options" "chaos" ]; - - networking.firewall.enable = true; - networking.firewall.allowPing = true; - - # Allow Soulseek - networking.firewall.allowedTCPPorts = [ 8080 2235 ]; - networking.firewall.allowedTCPPortRanges = [ - # Allow aria2 to work - { - from = 6881; - to = 6999; - } - { - from = 50101; - to = 50109; - } - ]; - networking.firewall.allowedUDPPortRanges = [ - # Allow aria2 to work - { - from = 6881; - to = 6999; - } - { - from = 50101; - to = 50109; - } - ]; - - networking.enableIPv6 = true; - systemd.services.NetworkManager-wait-online.enable = false; - - # let vscode, vivaldi, etc work. - security.unprivilegedUsernsClone = true; - - nix.settings.auto-optimise-store = true; - nix.gc = { - automatic = true; - dates = "daily"; - options = "--delete-older-than 30d"; - }; - - nix.extraOptions = '' - keep-outputs = true - keep-derivations = true - builders-use-substitutes = true - ''; - - networking.hostName = "lappy"; - time.timeZone = "Europe/London"; - powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; - - services.fstrim.enable = true; - - system.stateVersion = "21.11"; -} - diff --git a/hosts/lappy/profiles/harry-vpn.nix b/hosts/lappy/profiles/harry-vpn.nix deleted file mode 100644 index 77a6c08..0000000 --- a/hosts/lappy/profiles/harry-vpn.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ pkgs, ... }: { - environment.systemPackages = with pkgs; [ wireguard-tools ]; - networking.wg-quick.interfaces = { - wg-harry-vpn = { - autostart = false; - address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ]; - dns = [ "8.8.8.8" ]; - mtu = 1280; - privateKeyFile = "/secrets/harry_vpn_wg_priv"; - - peers = [{ - publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc="; - allowedIPs = [ "0.0.0.0/0" "::/0" ]; - endpoint = "185.186.9.1:8081"; - persistentKeepalive = 25; - }]; - }; - }; -} 
diff --git a/hosts/lappy/profiles/macos-vm.nix b/hosts/lappy/profiles/macos-vm.nix deleted file mode 100644 index 8ce179a..0000000 --- a/hosts/lappy/profiles/macos-vm.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: { - virtualisation.libvirtd.enable = true; - programs.dconf.enable = true; - environment.systemPackages = with pkgs; [ - virt-manager - p7zip - #umlutilities - qemu - gnumake - libguestfs - python3 - ]; - users.users.chaos.extraGroups = [ "libvirtd" "kvm" ]; - -} diff --git a/hosts/lappy/profiles/mpd.nix b/hosts/lappy/profiles/mpd.nix deleted file mode 100644 index da7fba7..0000000 --- a/hosts/lappy/profiles/mpd.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ pkgs, tree, ... }: { - imports = with tree; [ - ./mpd-music-sync.nix - profiles.sound.pulseaudio.pulse-recv-native-localhost - ]; - - environment.systemPackages = with pkgs; [ mpc_cli ]; - - systemd.tmpfiles.rules = [ - "d /var/lib/mpd 0755 mpd mpd -" - "d /var/lib/mpd/data 0755 mpd mpd -" - "d /var/lib/mpd/playlists 0755 mpd mpd -" - ]; - - services.mpd = { - enable = true; - dataDir = "/var/lib/mpd/data"; - playlistDirectory = "/var/lib/mpd/playlists"; - musicDirectory = "/music"; - extraConfig = '' - host_permissions "127.0.0.1 read,add,control,admin" - audio_output { - type "pulse" - name "Pulseaudio" - server "127.0.0.1" - } - ''; - }; - - systemd.services.mpd.serviceConfig.StateDirectory = - [ "/music" "/var/lib/mpd" ]; -} diff --git a/hosts/lappy/profiles/usb-automount.nix b/hosts/lappy/profiles/usb-automount.nix deleted file mode 100644 index d0d3773..0000000 --- a/hosts/lappy/profiles/usb-automount.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ lib, pkgs, ... }: -let - usb_data = import ../hardware/usb_data.nix { }; - mapper_name = "usb_unencrypted_afterboot"; - mapper_path = "/dev/mapper/${mapper_name}"; - mount_usb = pkgs.writeShellScriptBin "mount_usb" '' - umount ${usb_data.mountpoint} || true - cryptsetup close ${mapper_name} || true - - cat /secrets/usb_encryption_passphrase | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name} - - mount ${mapper_path} -o rw ${usb_data.mountpoint} - ''; - unmount_usb = pkgs.writeShellScriptBin "unmount_usb" '' - umount -flR ${usb_data.mountpoint} || true - cryptsetup close ${mapper_name} || true - ''; -in { - environment.systemPackages = [ mount_usb unmount_usb ]; - - systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ]; - - systemd.services.usb-mount = { - path = [ pkgs.util-linux pkgs.cryptsetup ]; - script = '' - ${mount_usb}/bin/mount_usb - ''; - }; - - systemd.services.usb-unmount = { - path = [ pkgs.util-linux pkgs.cryptsetup ]; - script = '' - ${unmount_usb}/bin/unmount_usb - ''; - }; - - services.udev.extraRules = '' - ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1" - ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service" - ''; -} diff --git a/hosts/lappy/vm.nix b/hosts/lappy/vm.nix deleted file mode 100644 index 735e1d6..0000000 --- a/hosts/lappy/vm.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ lib, inputs, ... }: { - imports = [ "${inputs.nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix" ]; - users.users.root.password = "owo"; - users.users.chaos.password = "owo"; - home-manager.users.chaos.home.sessionVariables = { - WLR_RENDERER_ALLOW_SOFTWARE = "1"; - }; - services.getty.extraArgs = lib.mkForce [ ]; - virtualisation.cores = 4; - virtualisation.qemu.options = [ "-vga" "qxl" ]; -} 
diff --git a/hosts/tablet/profiles/wireguard.nix b/hosts/tablet/profiles/wireguard.nix new file mode 100644 index 0000000..6f38cca --- /dev/null +++ b/hosts/tablet/profiles/wireguard.nix @@ -0,0 +1,29 @@ +{ ... }: +let secrets-db = (import ../secrets-db.nix { }); +in { + networking.wg-quick.interfaces = { + wg0 = { + address = [ "10.69.42.2/32" ]; + privateKeyFile = "${secrets-db.wg_priv.path}"; + + peers = [ + # hetzner-vm + { + publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc="; + presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}"; + allowedIPs = [ "10.69.42.1/32" ]; + endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; + persistentKeepalive = 25; + } + # vault + { + publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc="; + presharedKeyFile = "${secrets-db.wg_preshared_vault.path}"; + allowedIPs = [ "10.69.42.3/32" ]; + endpoint = "vault.servers.genderfucked.monster:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; +} diff --git a/hosts/tablet/secrets-db.nix b/hosts/tablet/secrets-db.nix new file mode 100644 index 0000000..dc0fa8c --- /dev/null +++ b/hosts/tablet/secrets-db.nix @@ -0,0 +1,39 @@ +{ }: { + # Manually Created, Not Stored In Vault + usb_encryption_passphrase = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/usb_encryption_passphrase"; + }; + music_stream_password = { + user = "chaos"; + group = "users"; + permissions = "660"; + path = "/secrets/music_stream_password"; + }; + wg_priv = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_priv"; + }; + wg_preshared_hetzner-vm = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_hetzner-vm"; + }; + wg_preshared_vault = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_vault"; + }; + wg_preshared_storage = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_storage"; + }; +} 
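Review bot: `wg_preshared_storage` in hosts/tablet/secrets-db.nix, and the matching fetch in hosts/tablet/secrets.nix, has no consumer: the tablet's wg0 peers in the first hunk here are hetzner-vm and vault only, so a preshared key nothing uses is written to `/secrets/wg_preshared_storage` on a portable device. If a storage peer is planned, a `# reserved for the storage peer, not yet configured` comment on the entry would record that; otherwise dropping the entry and its fetch keeps the secrets on disk to what the interface actually needs. The vault side of this commit is already consistent in that respect, declaring only the preshared keys for peers it configures.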
diff --git a/hosts/tablet/secrets.nix b/hosts/tablet/secrets.nix
new file mode 100644
index 0000000..189ed3a
--- /dev/null
+++ b/hosts/tablet/secrets.nix
@@ -0,0 +1,54 @@ +{ pkgs, ... }: +let secrets-db = (import ./secrets-db.nix { }); +in { + systemd.tmpfiles.rules = [ "d /secrets - root root" ]; + environment.systemPackages = [ + (pkgs.writeShellScriptBin "init-secrets" '' + set -e -o pipefail + + VAULT_ADDR_DEFAULT="https://vault.owo.monster" + [ -z "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT" + + export PATH=$PATH:${pkgs.vault}/bin + export PATH=$PATH:${pkgs.jq}/bin + + kv_get() { + vault kv get -format json $1 + } + + simple_get() { + kv_get $1 | jq .data.data$2 -r + } + + file=${secrets-db.music_stream_password.path} + echo $file + simple_get "/api-keys/music-stream" .password > $file + chown ${secrets-db.music_stream_password.user}:${secrets-db.music_stream_password.group} $file + chmod ${secrets-db.music_stream_password.permissions} $file + + file=${secrets-db.wg_priv.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $file + chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file + chmod ${secrets-db.wg_priv.permissions} $file + + file=${secrets-db.wg_preshared_hetzner-vm.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $file + chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file + chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file + + file=${secrets-db.wg_preshared_vault.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $file + chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file + chmod ${secrets-db.wg_preshared_vault.permissions} $file + + file=${secrets-db.wg_preshared_storage.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $file + chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file + chmod 
${secrets-db.wg_preshared_storage.permissions} $file + '') + ]; +} diff --git a/hosts/tablet/tablet.nix b/hosts/tablet/tablet.nix index a349d63..0b5d90e 100644 --- a/hosts/tablet/tablet.nix +++ b/hosts/tablet/tablet.nix @@ -9,6 +9,8 @@ presets.nixos.laptop presets.nixos.encrypted-usb + ./secrets.nix + ./profiles/wireguard.nix ./profiles/harry-vpn.nix ]; diff --git a/hosts/vault/profiles/wireguard.nix b/hosts/vault/profiles/wireguard.nix new file mode 100644 index 0000000..7384e71 --- /dev/null +++ b/hosts/vault/profiles/wireguard.nix @@ -0,0 +1,29 @@ +{ ... }: +let secrets-db = (import ../secrets-db.nix { }); +in { + networking.wg-quick.interfaces = { + wg0 = { + address = [ "10.69.42.3/32" ]; + listenPort = 51820; + privateKeyFile = "${secrets-db.wg_priv.path}"; + + peers = [ + # hetzner-vm + { + publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc="; + presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}"; + allowedIPs = [ "10.69.42.1/32" ]; + endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; + persistentKeepalive = 25; + } + # tablet + { + publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8="; + presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}"; + allowedIPs = [ "10.69.42.2/32" ]; + } + ]; + }; + }; + networking.firewall.allowedUDPPorts = [ 51820 ]; +} diff --git a/hosts/vault/secrets-db.nix b/hosts/vault/secrets-db.nix index 5447148..4ee504f 100644 --- a/hosts/vault/secrets-db.nix +++ b/hosts/vault/secrets-db.nix @@ -11,4 +11,22 @@ permissions = "660"; path = "/secrets/restic_env"; }; + wg_priv = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_priv"; + }; + wg_preshared_hetzner-vm = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_hetzner-vm"; + }; + wg_preshared_tablet = { + user = "root"; + group = "root"; + permissions = "660"; + path = "/secrets/wg_preshared_tablet"; + }; } 
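Review bot: `export PATH=$PATH:${pkgs.vault}/bin` and the following `jq` line append the pinned store paths, so any `vault` or `jq` already earlier on the caller's PATH is used in preference to the ones this module was built against, which matters for a script that writes private keys to disk. Prepending, `export PATH=${pkgs.vault}/bin:${pkgs.jq}/bin:$PATH`, or calling `${pkgs.vault}/bin/vault` and `${pkgs.jq}/bin/jq` directly inside `kv_get` and `simple_get`, removes the dependence on the invoking environment. `kv_get` and `simple_get` also expand `$1` and `$2` unquoted; `"$1"` is harmless for the fixed arguments used here but avoids word-splitting surprises if a path containing spaces is ever added. This hunk is the whole new file.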
diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 2769363..1149485 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix @@ -29,6 +29,24 @@ in { echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env chmod ${secrets-db.restic_env.permissions} /secrets/restic_env + + file=${secrets-db.wg_priv.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > $file + chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file + chmod ${secrets-db.wg_priv.permissions} $file + + file=${secrets-db.wg_preshared_hetzner-vm.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $file + chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file + chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file + + file=${secrets-db.wg_preshared_tablet.path} + echo $file + simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $file + chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file + chmod ${secrets-db.wg_preshared_tablet.permissions} $file '') ]; } diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix index 3f21d81..41a211a 100644 --- a/hosts/vault/vault.nix +++ b/hosts/vault/vault.nix @@ -9,6 +9,8 @@ in { profiles.nix-gc profiles.nginx + ./profiles/wireguard.nix + ./hardware.nix ./networking.nix ./secrets.nix diff --git a/wg.key b/wg.key new file mode 100644 index 0000000..dd4fa5c --- /dev/null +++ b/wg.key @@ -0,0 +1 @@ +qCxTpFUKxcRZOg+uWUgphnr8+tfoy33IOpuuuDWZUEQ= diff --git a/wg.pub b/wg.pub new file mode 100644 index 0000000..e6ecd14 --- /dev/null +++ b/wg.pub @@ -0,0 +1 @@ ++gZf6RttTQHh/kdYrucasSJgDFpyIaG1UdickV4Mfj4=
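Review bot: `wg.key` adds a WireGuard private key to the repository root, and once pushed it stays recoverable from history even after a later `git rm`, so the key should be treated as exposed and regenerated rather than merely deleted. Its public half in `wg.pub` does not match any peer `publicKey` configured in this commit, which suggests scratch material left over from generating the mesh, but the configured peers stay safe only if this key is never installed on a host. Removing both files, adding `*.key` to `.gitignore`, and running a secret scanner in a pre-commit hook would catch the next one; every other private key in this commit is correctly fetched from Vault by the init-secrets scripts rather than stored in the tree.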