From 3ba2086d8a592dc89091e5895e87e19dbd774183 Mon Sep 17 00:00:00 2001
From: chaos
Date: Fri, 24 May 2024 18:58:21 +0100
Subject: [PATCH] attempt moving vault to hetzner-arm
---
 .../containers/vault-ca}/data/ca.json | 0
 .../containers/vault-ca/default.nix | 68 ++++++++++++++++
 .../vault-ca}/profiles/internalCA.nix | 0
 .../containers/vault-ca}/profiles/restic.nix | 24 +++---
 .../containers/vault-ca/profiles/vault.nix | 11 +++
 .../containers/vault-ca/secrets.nix | 51 ++++++++++++
 hosts/hetzner-arm/profiles/staticSites.nix | 6 ++
 hosts/vault/hardware.nix | 6 --
 hosts/vault/profiles/vault.nix | 31 -------
 hosts/vault/profiles/vaultUI.nix | 11 ---
 hosts/vault/secrets.nix | 80 -------------------
 hosts/vault/vault.nix | 26 ------
 12 files changed, 149 insertions(+), 165 deletions(-)
 rename hosts/{vault => hetzner-arm/containers/vault-ca}/data/ca.json (100%)
 create mode 100644 hosts/hetzner-arm/containers/vault-ca/default.nix
 rename hosts/{vault => hetzner-arm/containers/vault-ca}/profiles/internalCA.nix (100%)
 rename hosts/{vault => hetzner-arm/containers/vault-ca}/profiles/restic.nix (80%)
 create mode 100644 hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix
 create mode 100644 hosts/hetzner-arm/containers/vault-ca/secrets.nix
 delete mode 100644 hosts/vault/hardware.nix
 delete mode 100644 hosts/vault/profiles/vault.nix
 delete mode 100644 hosts/vault/profiles/vaultUI.nix
 delete mode 100644 hosts/vault/secrets.nix
 delete mode 100644 hosts/vault/vault.nix
diff --git a/hosts/vault/data/ca.json b/hosts/hetzner-arm/containers/vault-ca/data/ca.json
similarity index 100%
rename from hosts/vault/data/ca.json
rename to hosts/hetzner-arm/containers/vault-ca/data/ca.json
diff --git a/hosts/hetzner-arm/containers/vault-ca/default.nix b/hosts/hetzner-arm/containers/vault-ca/default.nix
new file mode 100644
index 0000000..6a0eebf
--- /dev/null
+++ b/hosts/hetzner-arm/containers/vault-ca/default.nix
@@ -0,0 +1,68 @@
+{
+ self,
+ hostPath,
+ tree,
+ inputs,
+ config,
+ pkgs,
+ ...
+}: let
+ containerAddresses = import "${hostPath}/data/containerAddresses.nix";
+ hostIP = containerAddresses.host;
+ containerIP = containerAddresses.containers.vault-ca;
+in {
+ containers.vault-ca = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostIP;
+ localAddress = containerIP;
+
+ specialArgs = {
+ inherit inputs;
+ inherit tree;
+ inherit self;
+ inherit hostPath;
+ };
+
+ config = {...}: {
+ nixpkgs.pkgs = pkgs;
+
+ imports = with tree;
+ [
+ presets.nixos.containerBase
+ ./secrets.nix
+ ]
+ ++ (with hosts.hetzner-arm.containers.vault-ca.profiles; [
+ vault
+ #internalCA
+ restic
+ ]);
+
+ networking.firewall.allowedTCPPorts = [8200 8443];
+
+ home-manager.users.root.home.stateVersion = "23.05";
+ system.stateVersion = "23.05";
+ };
+ };
+
+ services.nginx.virtualHosts."vault.owo.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://${containerIP}:8200";
+ };
+ };
+
+ # TODO: redo this
+ #security.acme.certs."vault.genderfucked.monster" = {
+ # server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
+ #};
+
+ #services.nginx.virtualHosts."vault.genderfucked.monster" = {
+ # forceSSL = true;
+ # enableACME = true;
+ # locations = {
+ # "/".proxyPass = "http://${containerIP}:8200";
+ # };
+ #};
+}
diff --git a/hosts/vault/profiles/internalCA.nix b/hosts/hetzner-arm/containers/vault-ca/profiles/internalCA.nix
similarity index 100%
rename from hosts/vault/profiles/internalCA.nix
rename to hosts/hetzner-arm/containers/vault-ca/profiles/internalCA.nix
diff --git a/hosts/vault/profiles/restic.nix b/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix
similarity index 80%
rename from hosts/vault/profiles/restic.nix
rename to hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix
index aceb628..6c2e077 100644
--- a/hosts/vault/profiles/restic.nix
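Review bot: `networking.firewall.allowedTCPPorts = [8200 8443];` opens 8443 inside the container while the only profile that would listen there, `internalCA`, is commented out in the same imports list, so the port is reachable on the container's veth with nothing behind it. Keep the firewall in step with the enabled profiles, `networking.firewall.allowedTCPPorts = [8200];` until internalCA returns, or better, have the internalCA profile open its own port so the two cannot drift. The host nginx proxies `http://${containerIP}:8200` in plain HTTP; that is confined to the host-container veth by `privateNetwork = true`, but a short comment on the `proxyPass` line stating this would save the next reader from working it out, and unless the shared nginx profile already sets the forwarding headers, Vault's audit log will record the host's address rather than the real client's.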
+++ b/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix
@@ -4,9 +4,19 @@
 config,
 ...
 }: let
- inherit (config.services.secrets) secrets;
 backupSchedules = import "${self}/data/backupSchedules.nix";
+ inherit (config.services.secrets) secrets;
 in {
+ environment.systemPackages = with pkgs; [
+ restic
+ (pkgs.writeShellScriptBin "restic-vault" ''
+ env \
+ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+ $(cat ${secrets.restic_env.path}) \
+ ${pkgs.restic}/bin/restic $@
+ '')
+ ];
+
 services.restic.backups.vault = {
 user = "root";
 paths = [
@@ -15,18 +25,10 @@ in {
 ];
 timerConfig = backupSchedules.restic.high;
 
- # env contains fixed repository with auth
+ # repository is overrided in environmentFile to contain auth
+ # make sure to keep up to date when changing repository
 repository = "rest:https://storage-restic.owo.monster/Vault";
 passwordFile = "${secrets.restic_password.path}";
 environmentFile = "${secrets.restic_env.path}";
 };
-
- environment.systemPackages = [
- (pkgs.writeShellScriptBin "restic-vault" ''
- env \
- RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
- $(cat ${secrets.restic_env.path}) \
- ${pkgs.restic}/bin/restic $@
- '')
- ];
 }
diff --git a/hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix b/hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix
new file mode 100644
index 0000000..9907dd5
--- /dev/null
+++ b/hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix
@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+ services.vault = {
+ enable = true;
+ package = pkgs.vault-bin;
+ address = "0.0.0.0:8200";
+ storageBackend = "file";
+ extraConfig = ''
+ ui = true
+ '';
+ };
+}
diff --git a/hosts/hetzner-arm/containers/vault-ca/secrets.nix b/hosts/hetzner-arm/containers/vault-ca/secrets.nix
new file mode 100644
index 0000000..52e0bda
--- /dev/null
+++ b/hosts/hetzner-arm/containers/vault-ca/secrets.nix
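Review bot: The moved `restic-vault` wrapper splices the contents of `${secrets.restic_env.path}` onto the `env` command line with `$(cat …)`, so the `RESTIC_REPOSITORY=rest:https://restic:<password>@…` line is word-split and glob-expanded by the shell and sits in `env`'s argument list until it execs restic, and the unquoted `$@` also mangles any argument containing whitespace. Sourcing the file inside the script keeps the credential out of argv and avoids the splitting, and `"$@"` passes the arguments through intact, as below. The `let` block this hunk edits begins above line 4, outside the hunk, and the new comment `# repository is overrided in environmentFile` should read `overridden`.
```nix
(pkgs.writeShellScriptBin "restic-vault" ''
  set -a
  . ${secrets.restic_env.path}
  set +a
  exec env RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
    ${pkgs.restic}/bin/restic "$@"
'')
```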
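Review bot: `address = "0.0.0.0:8200";` with no `tlsCertFile`/`tlsKeyFile` set leaves the NixOS module to emit a listener with TLS disabled, so every request and token between the host's nginx and this container crosses the veth in the clear; that is contained by `privateNetwork = true` in default.nix, but nothing in this file says the plaintext listener is deliberate. Add a comment above `address`: `# plaintext listener: TLS is terminated by nginx on the host, and the only route here is the container's private veth`. Binding to the container's `localAddress` instead of `0.0.0.0` would state the same intent in code, if that address can be passed into this profile.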
@@ -0,0 +1,51 @@
+{pkgs, ...}: {
+ services.secrets = {
+ enable = true;
+
+ packages = with pkgs; [
+ apacheHttpd
+ ];
+
+ vaultLogin = {
+ enable = true;
+ # TODO: change to hetzner-arm-container-vault-ca
+ loginUsername = "vault";
+ };
+
+ autoSecrets = {
+ enable = true;
+ };
+
+ requiredVaultPaths = [
+ "private-public-keys/data/restic/Vault"
+
+ "api-keys/data/storage/restic/Vault"
+
+ "infra/data/internalCAPassword"
+ ];
+
+ secrets = {
+ vault_password = {
+ manual = true;
+ };
+
+ restic_password = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
+ '';
+ };
+ restic_env = {
+ fetchScript = ''
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic)
+ echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
+ '';
+ };
+
+ internal_ca_password = {
+ fetchScript = ''
+ simple_get "/infra/internalCAPassword" .password > "$secretFile"
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/profiles/staticSites.nix b/hosts/hetzner-arm/profiles/staticSites.nix
index c415659..4a600a1 100644
--- a/hosts/hetzner-arm/profiles/staticSites.nix
+++ b/hosts/hetzner-arm/profiles/staticSites.nix
@@ -3,6 +3,12 @@
 pkgs,
 ...
 }: {
+ services.vaultui = {
+ enable = true;
+ package = inputs.vaultui.packages.${pkgs.system}.vaultui;
+ domain = "vaultui.owo.monster";
+ };
+
 services.nginx.virtualHosts."thisisanexampleofspeex.uk" = {
 enableACME = true;
 forceSSL = true;
diff --git a/hosts/vault/hardware.nix b/hosts/vault/hardware.nix
deleted file mode 100644
index 2b0447b..0000000
--- a/hosts/vault/hardware.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{...}: {
- boot.loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
-}
diff --git a/hosts/vault/profiles/vault.nix b/hosts/vault/profiles/vault.nix
deleted file mode 100644
index 22ce553..0000000
--- a/hosts/vault/profiles/vault.nix
+++ /dev/null
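Review bot: `autoSecrets.enable = true;` reverses the setting the deleted `hosts/vault/secrets.nix` had deliberately left at `false` under the comment `# won't work when sealed`, and this file also drops the explicit `vaultURL`, so the secrets service in this container presumably falls back to the public Vault endpoint, which is served by the very Vault it is fetching from. At boot that Vault starts sealed, so the automatic fetch will fail or block until someone unseals it; either restore `enable = false;` with the original comment, or document in this block how the bootstrap ordering is meant to work. `infra/data/internalCAPassword` and the `internal_ca_password` secret are still declared although the internalCA profile is commented out in default.nix, which keeps the `vault` login's required read set wider than anything currently uses; consider dropping both until the profile returns. The `# TODO: change to hetzner-arm-container-vault-ca` rename matters for the same reason, since whatever policy is bound to `vault` was sized for the old host.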
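Review bot: The new `services.vaultui` block references `inputs`, but the only module argument visible in this hunk's context is `pkgs`; the argument set begins above line 3, outside the hunk, and unless it already binds `inputs` (the deleted `hosts/vault/profiles/vaultUI.nix` took `inputs` explicitly) this file will fail to evaluate. It is also a point of style that a web UI which handles Vault tokens in the browser now lives in a profile named `staticSites.nix`; keeping it as its own `profiles/vaultui.nix` with the moved file's argument set would leave the static-site list free of secret-handling services and settle the `inputs` question at the same time.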
@@ -1,31 +0,0 @@
-{pkgs, ...}: {
- services.vault = {
- enable = true;
- package = pkgs.vault-bin;
- address = "127.0.0.1:8200";
- storageBackend = "file";
- extraConfig = ''
- ui = true
- '';
- };
-
- services.nginx.virtualHosts."vault.owo.monster" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/".proxyPass = "http://127.0.0.1:8200";
- };
- };
-
- security.acme.certs."vault.genderfucked.monster" = {
- server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
- };
-
- services.nginx.virtualHosts."vault.genderfucked.monster" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/".proxyPass = "http://127.0.0.1:8200";
- };
- };
-}
diff --git a/hosts/vault/profiles/vaultUI.nix b/hosts/vault/profiles/vaultUI.nix
deleted file mode 100644
index 069ab60..0000000
--- a/hosts/vault/profiles/vaultUI.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- inputs,
- pkgs,
- ...
-}: {
- services.vaultui = {
- enable = true;
- package = inputs.vaultui.packages.${pkgs.system}.vaultui;
- domain = "vaultui.owo.monster";
- };
-}
diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix
deleted file mode 100644
index 632dbff..0000000
--- a/hosts/vault/secrets.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{...}: {
- services.secrets = {
- enable = true;
-
- vaultURL = "http://127.0.0.1:8200";
-
- vaultLogin = {
- enable = true;
- loginUsername = "vault";
- };
-
- autoSecrets = {
- # won't work when sealed
- enable = false;
- };
-
- requiredVaultPaths = [
- "private-public-keys/data/ssh/root@vault"
- "private-public-keys/data/ssh/root@vault-decrypt"
-
- "private-public-keys/data/restic/Vault"
-
- "api-keys/data/storage/restic/Vault"
-
- "infra/data/internalCAPassword"
- ];
-
- secrets = {
- vault_password = {
- manual = true;
- };
-
- ssh_host_ed25519_key = {
- path = "/etc/ssh/ssh_host_ed25519_key";
- permissions = "600";
- fetchScript = ''
- [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
- simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile"
- '';
- };
- ssh_host_ed25519_key_pub = {
- path = "/etc/ssh/ssh_host_ed25519_key.pub";
- permissions = "600";
- fetchScript = ''
- [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
- simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile"
- '';
- };
-
- # this doesn't need to be a secret and can be generated at install time
- # but it makes it easier to install.
- # it's stored in /nix store anyway
- initrd_ssh_host_ed25519_key = {
- path = "/initrd_ssh_host_ed25519_key";
- permissions = "600";
- fetchScript = ''
- simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
- '';
- };
-
- restic_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
- '';
- };
- restic_env = {
- fetchScript = ''
- RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic)
- echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
- '';
- };
-
- internal_ca_password = {
- fetchScript = ''
- simple_get "/infra/internalCAPassword" .password > "$secretFile"
- '';
- };
- };
- };
-}
diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix
deleted file mode 100644
index 9666fbf..0000000
--- a/hosts/vault/vault.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{tree, ...}: {
- imports = with tree;
- [
- presets.nixos.serverBase
- presets.nixos.serverHetzner
- presets.nixos.serverEncryptedDrive
-
- profiles.nginx
- profiles.firewallAllow.httpCommon
- profiles.chaosInternalWireGuard
-
- ./secrets.nix
- ./hardware.nix
- ]
- ++ (with hosts.vault.profiles; [
- vault
- vaultUI
- restic
- internalCA
- ]);
-
- networking.hostName = "vault";
-
- home-manager.users.root.home.stateVersion = "23.05";
- system.stateVersion = "23.05";
-}