attempt moving vault to hetzner-arm

2024-05-24 18:58:21 +01:00 · 2024-05-24 18:58:21 +01:00 · 3ba2086d8a
parent 7c8e57d416
commit 3ba2086d8a
12 changed files with 149 additions and 165 deletions
--- a/hosts/hetzner-arm/containers/vault-ca/data/ca.json
+++ b/hosts/hetzner-arm/containers/vault-ca/data/ca.json
--- a/hosts/hetzner-arm/containers/vault-ca/default.nix
+++ b/hosts/hetzner-arm/containers/vault-ca/default.nix
@ -0,0 +1,68 @@
 {
  self,
  hostPath,
  tree,
  inputs,
  config,
  pkgs,
  ...
 }: let
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.vault-ca;
 in {
  containers.vault-ca = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
    };
    config = {...}: {
      nixpkgs.pkgs = pkgs;
      imports = with tree;
        [
          presets.nixos.containerBase
          ./secrets.nix
        ]
        ++ (with hosts.hetzner-arm.containers.vault-ca.profiles; [
          vault
          #internalCA
          restic
        ]);
      networking.firewall.allowedTCPPorts = [8200 8443];
      home-manager.users.root.home.stateVersion = "23.05";
      system.stateVersion = "23.05";
    };
  };
  services.nginx.virtualHosts."vault.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/".proxyPass = "http://${containerIP}:8200";
    };
  };
  # TODO: redo this
  #security.acme.certs."vault.genderfucked.monster" = {
  #  server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
  #};
  #services.nginx.virtualHosts."vault.genderfucked.monster" = {
  #  forceSSL = true;
  #  enableACME = true;
  #  locations = {
  #    "/".proxyPass = "http://${containerIP}:8200";
  #  };
  #};
 }
--- a/hosts/hetzner-arm/containers/vault-ca/profiles/internalCA.nix
+++ b/hosts/hetzner-arm/containers/vault-ca/profiles/internalCA.nix
--- a/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix
@ -4,9 +4,19 @@
  config,
  ...
 }: let
  inherit (config.services.secrets) secrets;
  backupSchedules = import "${self}/data/backupSchedules.nix";
  inherit (config.services.secrets) secrets;
 in {
  environment.systemPackages = with pkgs; [
    restic
    (pkgs.writeShellScriptBin "restic-vault" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
        $(cat ${secrets.restic_env.path}) \
      ${pkgs.restic}/bin/restic $@
    '')
  ];
  services.restic.backups.vault = {
    user = "root";
    paths = [
@ -15,18 +25,10 @@ in {
    ];
    timerConfig = backupSchedules.restic.high;
-    # env contains fixed repository with auth
+    # repository is overrided in environmentFile to contain auth
    # make sure to keep up to date when changing repository
    repository = "rest:https://storage-restic.owo.monster/Vault";
    passwordFile = "${secrets.restic_password.path}";
    environmentFile = "${secrets.restic_env.path}";
  };
  environment.systemPackages = [
    (pkgs.writeShellScriptBin "restic-vault" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
        $(cat ${secrets.restic_env.path}) \
      ${pkgs.restic}/bin/restic $@
    '')
  ];
 }
--- a/hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix
+++ b/hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix
@ -0,0 +1,11 @@
 {pkgs, ...}: {
  services.vault = {
    enable = true;
    package = pkgs.vault-bin;
    address = "0.0.0.0:8200";
    storageBackend = "file";
    extraConfig = ''
      ui = true
    '';
  };
 }
--- a/hosts/hetzner-arm/containers/vault-ca/secrets.nix
+++ b/hosts/hetzner-arm/containers/vault-ca/secrets.nix
@ -0,0 +1,51 @@
 {pkgs, ...}: {
  services.secrets = {
    enable = true;
    packages = with pkgs; [
      apacheHttpd
    ];
    vaultLogin = {
      enable = true;
      # TODO: change to hetzner-arm-container-vault-ca
      loginUsername = "vault";
    };
    autoSecrets = {
      enable = true;
    };
    requiredVaultPaths = [
      "private-public-keys/data/restic/Vault"
      "api-keys/data/storage/restic/Vault"
      "infra/data/internalCAPassword"
    ];
    secrets = {
      vault_password = {
        manual = true;
      };
      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic)
          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };
      internal_ca_password = {
        fetchScript = ''
          simple_get "/infra/internalCAPassword" .password > "$secretFile"
        '';
      };
    };
  };
 }
--- a/hosts/hetzner-arm/profiles/staticSites.nix
+++ b/hosts/hetzner-arm/profiles/staticSites.nix
@ -3,6 +3,12 @@
  pkgs,
  ...
 }: {
  services.vaultui = {
    enable = true;
    package = inputs.vaultui.packages.${pkgs.system}.vaultui;
    domain = "vaultui.owo.monster";
  };
  services.nginx.virtualHosts."thisisanexampleofspeex.uk" = {
    enableACME = true;
    forceSSL = true;
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@ -1,6 +0,0 @@
 {...}: {
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
 }
--- a/hosts/vault/profiles/vault.nix
+++ b/hosts/vault/profiles/vault.nix
@ -1,31 +0,0 @@
 {pkgs, ...}: {
  services.vault = {
    enable = true;
    package = pkgs.vault-bin;
    address = "127.0.0.1:8200";
    storageBackend = "file";
    extraConfig = ''
      ui = true
    '';
  };
  services.nginx.virtualHosts."vault.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/".proxyPass = "http://127.0.0.1:8200";
    };
  };
  security.acme.certs."vault.genderfucked.monster" = {
    server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
  };
  services.nginx.virtualHosts."vault.genderfucked.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/".proxyPass = "http://127.0.0.1:8200";
    };
  };
 }
--- a/hosts/vault/profiles/vaultUI.nix
+++ b/hosts/vault/profiles/vaultUI.nix
@ -1,11 +0,0 @@
 {
  inputs,
  pkgs,
  ...
 }: {
  services.vaultui = {
    enable = true;
    package = inputs.vaultui.packages.${pkgs.system}.vaultui;
    domain = "vaultui.owo.monster";
  };
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -1,80 +0,0 @@
 {...}: {
  services.secrets = {
    enable = true;
    vaultURL = "http://127.0.0.1:8200";
    vaultLogin = {
      enable = true;
      loginUsername = "vault";
    };
    autoSecrets = {
      # won't work when sealed
      enable = false;
    };
    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@vault"
      "private-public-keys/data/ssh/root@vault-decrypt"
      "private-public-keys/data/restic/Vault"
      "api-keys/data/storage/restic/Vault"
      "infra/data/internalCAPassword"
    ];
    secrets = {
      vault_password = {
        manual = true;
      };
      ssh_host_ed25519_key = {
        path = "/etc/ssh/ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
          simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile"
        '';
      };
      ssh_host_ed25519_key_pub = {
        path = "/etc/ssh/ssh_host_ed25519_key.pub";
        permissions = "600";
        fetchScript = ''
          [ ! -d "$SYSROOT/etc/ssh" ] && mkdir -p "$SYSROOT/etc/ssh/"
          simple_get "/private-public-keys/ssh/root@vault" .private | base64 -d > "$secretFile"
        '';
      };
      # this doesn't need to be a secret and can be generated at install time
      # but it makes it easier to install.
      # it's stored in /nix store anyway
      initrd_ssh_host_ed25519_key = {
        path = "/initrd_ssh_host_ed25519_key";
        permissions = "600";
        fetchScript = ''
          simple_get "/private-public-keys/ssh/root@vault-decrypt" .private | base64 -d > "$secretFile"
        '';
      };
      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Vault" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic)
          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };
      internal_ca_password = {
        fetchScript = ''
          simple_get "/infra/internalCAPassword" .password > "$secretFile"
        '';
      };
    };
  };
 }
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -1,26 +0,0 @@
 {tree, ...}: {
  imports = with tree;
    [
      presets.nixos.serverBase
      presets.nixos.serverHetzner
      presets.nixos.serverEncryptedDrive
      profiles.nginx
      profiles.firewallAllow.httpCommon
      profiles.chaosInternalWireGuard
      ./secrets.nix
      ./hardware.nix
    ]
    ++ (with hosts.vault.profiles; [
      vault
      vaultUI
      restic
      internalCA
    ]);
  networking.hostName = "vault";
  home-manager.users.root.home.stateVersion = "23.05";
  system.stateVersion = "23.05";
 }