lots of misc changes with wireguard and whatever

This commit is contained in:
chaos 2023-09-16 16:06:16 +01:00
parent d69991819a
commit 907785359f
45 changed files with 697 additions and 268 deletions


@ -1,28 +1,28 @@
{}: rec {
all = "10.69.42.1/32";
all = "10.69.42.1/24";
hosts = {
hetzner-vm = {
ip = "10.69.42.1";
public = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
public = "liO33kMSEwuaaH4i6qDuorWssd9s/EfTBKBHQEbaDXE=";
endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
};
vault = {
ip = "10.69.42.2";
public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
endpoint = "vault.servers.genderfucked.monster:51820";
public = "GJ/IQ5W2Ch2vSiqcciKkrBA+pVycY2cibhvF1SFzi0I=";
#endpoint = "vault.servers.genderfucked.monster:51820";
};
iphone8 = {
ip = "10.69.42.3";
public = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
};
lappy-t495 = {
ip = "10.69.42.4";
public = "rEioKieZqI3UaJGGaSC/yaHfdZE9VKpsq355x4dHgCs=";
public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
};
raspberry = {
ip = "10.69.42.5";
public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
public = "ld5XI4l/Gmr5JWg8r5midy7MTIgZkWVhMPsJqzIonng=";
endpoint = "raspberry.servers.genderfucked.monster:51820";
};
};
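Review bot: `all = "10.69.42.1/24"` (L15) pairs hetzner-vm's own host address with a network prefix; if this attribute is meant to name the whole internal subnet, the conventional and less confusable form is `all = "10.69.42.0/24";`, since `10.69.42.1` is already `hosts.hetzner-vm.ip` on L18. The change from `/32` to `/24` looks intentional given the raspberry profile now also uses `/24`, but a one-line comment on what `all` is used for (allowedIPs, routing) would make that clear. Commenting out vault's `endpoint` (L28) means other peers can no longer initiate to vault; fine if vault is now initiator-only, but worth stating next to the line.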


@ -0,0 +1,95 @@
{
lib,
pkgs,
...
}: let
wireguard_data = import ../data/chaos_wireguard_internal.nix {};
wireguard_hosts = wireguard_data.hosts;
inherit (pkgs) writeShellScriptBin;
inherit (lib.lists) forEach filter;
inherit (builtins) hasAttr attrNames;
kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";
in rec {
initAllScript = writeShellScriptBin "wg-keys-init-all" (let
vault = "${pkgs.vault-bin}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
in ''
${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
if [ -z "$PRESHARED_ONLY" ]; then
echo "{}" | vault kv put "${kvPathForHost hostName}" - 2>/dev/null
fi
''))}
${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
echo "Deploying keys for ${hostName}"
"${genInitScript hostName}/bin/wg-keys-init-${hostName}"
''))}
${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
echo
PUBLIC=$(${vault} kv get -format=json "${kvPathForHost hostName}" | ${jq} .data.data.public)
echo "Public Key for ${hostName}: $PUBLIC"
''))}
'');
genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
vault = "${pkgs.vault-bin}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
wg = "${pkgs.wireguard-tools}/bin/wg";
sponge = "${pkgs.moreutils}/bin/sponge";
hostsWithEndpoints = filter (hostName: (hostName != systemHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (attrNames wireguard_hosts);
in ''
PRIVATE=$(${wg} genkey)
PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey)
TMP_DIR=$(mktemp -d)
pushd "$TMP_DIR"
echo "{}" > currentHost.json
if [ -z "$PRESHARED_ONLY" ]; then
${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json
${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json
fi
${jq} '.preshared_keys = {}' currentHost.json | ${sponge} currentHost.json
${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: ''
echo "Generating preshared key for ${hostName}"
PSK=$(${wg} genpsk)
${jq} ".preshared_keys.\"${hostName}\" = \"$PSK\"" currentHost.json | ${sponge} currentHost.json
''))}
${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: ''
echo "Deploying preshared key for ${hostName}"
PSK=$(jq -r '.preshared_keys."${hostName}"' currentHost.json)
${vault} kv get -format=json "${kvPathForHost hostName}" 2>/dev/null | jq -r .data.data > otherHost.json
${jq} ".preshared_keys.\"${systemHostName}\" = \"$PSK\"" otherHost.json | ${sponge} otherHost.json
cat otherHost.json | vault kv put "${kvPathForHost hostName}" - 2>/dev/null
rm otherHost.json
''))}
if [ -z "$PRESHARED_ONLY" ]; then
cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null
cat currentHost.json | jq
fi
rm currentHost.json
popd
rm -rf "$TMP_DIR"
echo "Public Key for ${systemHostName}: $PUBLIC"
''));
}
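Review bot: `cat currentHost.json | jq` (L114) prints the freshly generated WireGuard private key to the terminal (and any log capturing it), and because the script has no `set -e` or trap, a failure anywhere after L91 leaves that key on disk in `$TMP_DIR`; add `trap 'rm -rf "$TMP_DIR"' EXIT` right after `mktemp -d` and replace L114 with `${jq} .public currentHost.json`. Several lines call bare `vault` and `jq` (L69, L106, L107, L109, L114) instead of the `${vault}`/`${jq}` store paths bound on L64–L65 and L83–L84, so the script silently depends on the caller's PATH. The `2>/dev/null` on every `vault kv` call also hides a failed write, so a host can end up with no keys in Vault while the script still reports a public key.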


@ -119,11 +119,11 @@
]
},
"locked": {
"lastModified": 1694469544,
"narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
"lastModified": 1694643239,
"narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "5171f5ef654425e09d9c2100f856d887da595437",
"rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
"type": "github"
},
"original": {
@ -160,11 +160,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1694422566,
"narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=",
"lastModified": 1694669921,
"narHash": "sha256-6ESpJ6FsftHV96JO/zn6je07tyV2dlLR7SdLsmkegTY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb",
"rev": "f2ea252d23ebc9a5336bf6a61e0644921f64e67c",
"type": "github"
},
"original": {
@ -176,11 +176,11 @@
},
"nur": {
"locked": {
"lastModified": 1694547969,
"narHash": "sha256-rcP53Lh8T0SywogEVPByeSXjExzpfZdd85fubbxgXYo=",
"lastModified": 1694778311,
"narHash": "sha256-Hu5U9pXwMqUjWF7uh4SKqdKy1QMy9RVGxmst11srSgA=",
"owner": "nix-community",
"repo": "NUR",
"rev": "6006151c90751e36c5dd68a7f754c3d26c8a55c1",
"rev": "7a673ac1f35648a908730206a2793b0e3818bc25",
"type": "github"
},
"original": {
@ -202,11 +202,11 @@
]
},
"locked": {
"lastModified": 1694714112,
"narHash": "sha256-x2CgsEvWIf4ETx4puLqmHrPthesNXW30OMYg4pVJARg=",
"lastModified": 1694730023,
"narHash": "sha256-/J7ZPye0T1idRgvpa7oHJnON3rzIniv4tXiMP2sj3tk=",
"owner": "ChaotiCryptidz",
"repo": "piped-flake",
"rev": "c5ad01eac79809686d9685671e77a6dac4e17ddf",
"rev": "1729b90a2e81b95f0158720816b174532a9b1f2b",
"type": "gitlab"
},
"original": {


@ -12,6 +12,7 @@
# nixpkgs Unstable Inputs
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";


@ -8,5 +8,6 @@
rsync
openssh
nmap
tcpdump
];
}


@ -65,9 +65,10 @@
size = 14.0;
};
statusCommand = lib.escapeShellArgs [
"${pkgs.gobar}/bin/gobar"
"-config"
"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
"/home/chaos/Projects/rustbar/target/debug/rustbar"
#"${pkgs.gobar}/bin/gobar"
#"-config"
#"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
];
}
{command = "${pkgs.waybar}/bin/waybar";}
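Review bot: The status bar now points at `/home/chaos/Projects/rustbar/target/debug/rustbar` (L213), a debug build in a home directory that the Nix store cannot reproduce; on any machine without that checkout the bar silently fails to start. If rustbar is meant to stay, package it in the overlay and reference `${pkgs.rustbar}/bin/rustbar` here, otherwise keep the gobar lines rather than commenting them out. The enclosing attribute set starts outside the hunk.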


@ -3,6 +3,7 @@
lib,
inputs,
config,
pkgs,
...
}: let
ports = [
@ -53,12 +54,14 @@ in {
})))
];
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: {
_module.args = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
nixpkgs.pkgs = pkgs;
imports = with tree;
[


@ -3,6 +3,7 @@
lib,
inputs,
config,
pkgs,
...
}: let
container-addresses = import ../../data/container-addresses.nix {};
@ -41,12 +42,14 @@ in {
};
}));
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: {
_module.args = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
nixpkgs.pkgs = pkgs;
imports = with tree;
[


@ -1,4 +1,7 @@
{}: {
piped-backend = 3012;
piped-proxy = 3013;
cockroachdb = 26257;
cockroachdb-http = 3014;
}


@ -3,13 +3,13 @@
lib,
inputs,
config,
pkgs,
...
}: let
internal_wireguard = import ../../../../data/chaos_wireguard_internal.nix {};
container-addresses = import ../../data/container-addresses.nix {};
hostIP = container-addresses.host;
containerIP = container-addresses.containers.piped;
#container-addresses = import ../../data/container-addresses.nix {};
#hostIP = container-addresses.host;
#containerIP = container-addresses.containers.piped;
containerConfig = config.containers.piped.config;
ports = import ./data/ports.nix {};
@ -18,6 +18,18 @@
secrets_list = [
"piped_restic_env"
"piped_restic_password"
{
name = "piped_cockroachdb_ca_certificate";
path = "/var/lib/cockroachdb-certs/ca.crt";
}
{
name = "piped_cockroachdb_node_certificate";
path = "/var/lib/cockroachdb-certs/node.crt";
}
{
name = "piped_cockroachdb_node_key";
path = "/var/lib/cockroachdb-certs/node.key";
}
];
containerName = "piped";
@ -25,42 +37,69 @@
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
);
in {
# Create this directory outside the container so the bind mounts work
systemd.tmpfiles.rules = [
"d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root"
];
users.users."cockroachdb-piped" = {
uid = containerConfig.users.users.cockroachdb.uid;
group = "cockroachdb-piped";
};
users.groups."cockroachdb-piped" = {
gid = containerConfig.users.groups.cockroachdb.gid;
};
containers.piped = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_name: let
path = "${secrets.${secret_name}.path}";
#privateNetwork = false;
#hostAddress = hostIP;
#localAddress = containerIP;
bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_item: let
secret =
if builtins.isString secret_item
then secrets.${secret_item}
else secrets.${secret_item.name};
hostPath = secret.path;
containerPath =
if builtins.isString secret_item
then hostPath
else secret_item.path;
in {
"${path}" = {
hostPath = "${path}";
"${containerPath}" = {
inherit hostPath;
};
}));
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: {
_module.args = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
nixpkgs.pkgs = pkgs;
imports = with tree;
[
profiles.base
inputs.home-manager-unstable.nixosModules.home-manager
profiles.sshd
#profiles.sshd
profiles.nginx
profiles.cockroachdb-bin-fix
modules.nixos.secrets
inputs.piped-flake.nixosModules.default
users.root
]
++ (with hosts.hetzner-vm.containers.piped; [
profiles.piped
profiles.restic
++ (with hosts.hetzner-vm.containers.piped.profiles; [
piped
restic
cockroachdb
]);
# For Shared Secrets
@ -86,7 +125,7 @@ in {
};
};
services.nginx.virtualHosts."piped.owo.monster" = {
services.nginx.virtualHosts."piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
@ -94,7 +133,7 @@ in {
};
};
services.nginx.virtualHosts."backend.piped.owo.monster" = {
services.nginx.virtualHosts."backend.piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
@ -102,18 +141,12 @@ in {
};
};
services.nginx.virtualHosts."proxy.piped.owo.monster" = {
services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${internal_wireguard.hosts.raspberry.ip}";
extraConfig = ''
proxy_set_header Host $host;
'';
#proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
#extraConfig = config.services.piped.proxyNginxExtraConfig;
proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
extraConfig = config.services.piped.proxyNginxExtraConfig;
};
};
networking.firewall.allowedTCPPorts = [4242];
}
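Review bot: `users.users."cockroachdb-piped"` (L331–L334) sets `uid` and `group` but neither `isSystemUser` nor `isNormalUser`; unless that is set elsewhere, NixOS's user-module assertion that exactly one of them is set will fail evaluation, so add `isSystemUser = true;` next to the uid. Separately, `privateNetwork = true` is kept at L340 while `hostAddress`/`localAddress` are removed (L341–L347) and the commented line reads `#privateNetwork = false;`; since the new cockroachdb join target lives on the WireGuard network (L445), the container presumably needs host networking, so confirm whether that line was meant to flip as well. The bind-mount rewrite (L348–L364) correctly maps string entries to their host path and attrset entries to `secret_item.path`.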


@ -0,0 +1,16 @@
{...}: let
ports = import ../data/ports.nix {};
internal_wireguard = import ../../../../../data/chaos_wireguard_internal.nix {};
in {
services.cockroachdb = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = "localhost:${toString ports.cockroachdb},${internal_wireguard.hosts.raspberry.ip}:26257";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm
listen.port = ports.cockroachdb;
http = {
address = "0.0.0.0";
port = ports.cockroachdb-http;
};
};
}
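Review bot: `http.address = "0.0.0.0"` (L449) exposes the CockroachDB admin UI on every interface, while the comment on L446 shows it is meant to be reached through an ssh tunnel; binding it with `address = "127.0.0.1";` matches that intent and keeps the UI off the WireGuard and public interfaces regardless of firewall state. The same applies to the raspberry profile (L825), where the UI on port 8080 additionally becomes reachable from the LAN once wlan0 is a trusted interface. `join` also hard-codes `26257` for the raspberry peer while the local side uses `ports.cockroachdb`; if both nodes use the same port, reusing the one value keeps them in step.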


@ -4,11 +4,19 @@
in {
config.services.piped = {
enable = true;
frontendDomain = "piped.owo.monster";
backendDomain = "backend.piped.owo.monster";
proxyDomain = "proxy.piped.owo.monster";
frontendDomain = "piped-fi.owo.monster";
backendDomain = "backend.piped-fi.owo.monster";
proxyDomain = "proxy.piped-fi.owo.monster";
disableProxy = true; # Currently using proxy via raspberry in UK
disableRegistrations = false;
postgresDBName = "piped";
postgresDBUsername = "piped";
postgresDBPassword = "piped";
postgresDBHost = "127.0.0.1";
postgresDBPort = 26257;
databaseDialect = "org.hibernate.dialect.CockroachDialect";
disablePostgresDB = true;
nginxForceSSL = false;
nginxEnableACME = false;
@ -29,11 +37,29 @@ in {
config.services.nginx.virtualHosts."${piped_config.frontendDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-frontend.sock;";
listen = [
{
addr = "127.0.0.1";
port = 9080;
}
];
};
config.services.nginx.virtualHosts."${piped_config.backendDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-backend.sock;";
listen = [
{
addr = "127.0.0.1";
port = 9080;
}
];
};
config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
listen = [
{
addr = "127.0.0.1";
port = 9080;
}
];
};
#config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
# extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
#};
}
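Review bot: `postgresDBPassword = "piped";` (L471) is a credential written into a Nix expression, so it ends up in the world-readable /nix/store and in whatever config file the piped module renders from it; even with `disablePostgresDB = true` it is what the backend presents to CockroachDB, so a guessable value gives any local user on the node SQL access. If the piped module can read the database password from a file or environment file, feed it through the existing secrets mechanism; otherwise at least generate a random value and fetch it with `simple_get` like the other secrets. The three identical `listen = [{addr = "127.0.0.1"; port = 9080;}]` blocks (L481–L504) could share one `let` binding.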


@ -4,12 +4,11 @@
...
}: let
secrets = host_secrets;
backupPrepareCommand = "${
(pkgs.writeShellScriptBin "backupPrepareCommand" ''
systemctl start postgresqlBackup-piped --wait
'')
}/bin/backupPrepareCommand";
#backupPrepareCommand = "${
# (pkgs.writeShellScriptBin "backupPrepareCommand" ''
# systemctl start postgresqlBackup-piped --wait
# '')
#}/bin/backupPrepareCommand";
in {
environment.systemPackages = with pkgs; [
restic
@ -24,7 +23,7 @@ in {
services.restic.backups.piped = {
user = "root";
paths = [
"/var/backup/postgresql"
#"/var/backup/postgresql"
];
# repository is overrided in environmentFile to contain auth
@ -42,13 +41,13 @@ in {
OnCalendar = "daily";
};
inherit backupPrepareCommand;
#inherit backupPrepareCommand;
};
services.postgresqlBackup = {
enable = true;
backupAll = false;
databases = ["piped"];
compression = "zstd";
};
#services.postgresqlBackup = {
# enable = true;
# backupAll = false;
# databases = ["piped"];
# compression = "zstd";
#};
}
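Review bot: With `"/var/backup/postgresql"` commented out (L535) the restic job `piped` has an empty `paths` list, so it still runs daily but backs up nothing, and the database that moved to CockroachDB is no longer backed up at all. Either replace `backupPrepareCommand` with an export of the CockroachDB database into a directory listed in `paths`, or disable the job until that exists, rather than keeping a job that reports success with no data. The enclosing module continues outside the hunks.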


@ -3,6 +3,7 @@
lib,
inputs,
config,
pkgs,
...
}: let
container-addresses = import ../../data/container-addresses.nix {};
@ -36,12 +37,14 @@ in {
};
}));
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: {
_module.args = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
nixpkgs.pkgs = pkgs;
imports = with tree;
[


@ -2,6 +2,7 @@
tree,
inputs,
config,
pkgs,
...
}: let
container-addresses = import ../../data/container-addresses.nix {};
@ -28,16 +29,14 @@ in {
};
};
config = {
config,
pkgs,
...
}: {
_module.args = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[


@ -2,6 +2,7 @@
tree,
lib,
inputs,
pkgs,
...
}: let
container-addresses = import ../../data/container-addresses.nix {};
@ -18,17 +19,14 @@ in {
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
config = {
config,
pkgs,
...
}: let
secrets = config.services.secrets.secrets;
in {
_module.args = {
inherit inputs;
inherit tree;
};
specialArgs = {
inherit inputs;
inherit tree;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[


@ -14,8 +14,8 @@
profiles.nginx
profiles.nginx-firewall
profiles.nix-gc
profiles.kernels.latest
profiles.cross.arm64
profiles.chaos-internal-wireguard
./networking.nix
./hardware.nix
@ -32,10 +32,13 @@
++ (with hosts.hetzner-vm.profiles; [
vaultui
gitlab-static-sites
wireguard
nginx-misc
]);
boot.kernel.sysctl = {
"fs.inotify.max_user_watches" = 1024 * 64 * 4;
};
environment.systemPackages = with pkgs;
[
(pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
@ -73,9 +76,6 @@
externalInterface = "eth0";
};
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [443];
home-manager.users.root = {
imports = with tree; [home.base home.dev.small];
home.stateVersion = "23.05";


@ -5,6 +5,9 @@
networking.firewall.allowPing = true;
networking.firewall.allowedTCPPorts = [22];
services.resolved.enable = false;
environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
networking.enableIPv6 = true;
networking.usePredictableInterfaceNames = false;
networking.dhcpcd.enable = true;
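Review bot: `environment.etc."resolv.conf".text = "nameserver 8.8.8.8";` (L692) installs a store symlink at /etc/resolv.conf while `networking.dhcpcd.enable = true` (L695) is kept, and dhcpcd's resolvconf hook will try to manage the same file, so which one wins depends on activation order. The supported way to pin resolvers is `networking.nameservers = ["8.8.8.8"];` (ideally with a second server), which NixOS renders into resolv.conf itself; if dhcpcd must not override it, add `networking.dhcpcd.extraConfig = "nohook resolv.conf";`. A short comment noting that DNS now goes in plaintext to a third-party resolver would document the trade-off.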


@ -1,43 +0,0 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["${data.hosts.hetzner-vm.ip}/32"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_privkey.path}";
peers = [
# vault
{
publicKey = "${data.hosts.vault.public}";
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
endpoint = "${data.hosts.vault.endpoint}";
allowedIPs = ["${data.hosts.vault.ip}/32"];
}
# iphone8
{
publicKey = "${data.hosts.iphone8.public}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["${data.hosts.iphone8.ip}/32"];
}
# lappy-t495
{
publicKey = "${data.hosts.lappy-t495.public}";
presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
}
# raspberry
{
publicKey = "${data.hosts.raspberry.public}";
presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
allowedIPs = ["${data.hosts.raspberry.ip}/32"];
endpoint = "${data.hosts.raspberry.endpoint}";
persistentKeepalive = 25;
}
];
};
};
networking.firewall.allowedUDPPorts = [51820];
}


@ -51,6 +51,9 @@ in {
"passwords/data/mail"
"private-public-keys/data/wireguard/chaos-internal/hetzner-vm"
"private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
"private-public-keys/data/restic/Mail"
"private-public-keys/data/restic/Social"
"private-public-keys/data/restic/Quassel"
@ -71,7 +74,7 @@ in {
'';
};
# for wireguard
wg_privkey = {
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
'';
@ -214,6 +217,33 @@ in {
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
'';
};
piped_cockroachdb_ca_certificate = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_certificate = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_key \
| base64 -d > "$secretFile"
'';
};
};
};
}
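Review bot: `wg_priv` (L757–L760) is still defined here even though hetzner-vm now imports `profiles.chaos-internal-wireguard` (L661), whose secrets module defines `wg_priv` with the same fetchScript for every host; depending on how `services.secrets.secrets` is typed, the second `fetchScript` definition either merges silently or fails as defined multiple times. The vault secrets file drops its copy in this commit (L1038–L1042), so remove these lines here too and let the shared module own it. The three cockroach secrets (L765–L791) repeat the same Vault path; a `let certsPath = "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm";` would keep them in step.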


@ -10,9 +10,7 @@
presets.nixos.encrypted-usb
profiles.cross.arm64
profiles.remote-builders
hosts.lappy-t495.profiles.wireguard
#profiles.remote-builders
./secrets.nix
];


@ -0,0 +1,22 @@
{tree, ...}: let
internal_wireguard = import ../../../data/chaos_wireguard_internal.nix {};
in {
imports = with tree; [
profiles.cockroachdb-bin-fix
];
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
];
services.cockroachdb = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = "localhost:26257,${internal_wireguard.hosts.hetzner-vm.ip}:26257";
# ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
http = {
address = "0.0.0.0";
port = 8080;
};
};
}


@ -0,0 +1,28 @@
{pkgs, ...}: let
rclone-raspberry = pkgs.writeShellScriptBin "rclone-raspberry" (let
vault = "${pkgs.vault-bin}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
rclone = "${pkgs.rclone}/bin/rclone";
in ''
TMP_DIR="$(mktemp -d)"
cp ${../data/rclone_config.template} "$TMP_DIR/rclone.conf"
vault-login 2>&1
STORAGEBOX_PASSWORD=$(${vault} kv get -format json "/api-keys/hetzner/storagebox" \
| ${jq} -r ".data.data.password")
STORAGEBOX_PASSWORD=$(rclone obscure "$STORAGEBOX_PASSWORD")
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$TMP_DIR/rclone.conf"
${rclone} --config "$TMP_DIR/rclone.conf" "$@"
returnVal=$?
rm -rf "$TMP_DIR"
return returnVal
'');
in {
environment.systemPackages = with pkgs; [rclone rclone-raspberry];
}
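Review bot: `return returnVal` (L850) is wrong twice: `return` is only valid inside a function or a sourced file, so in a writeShellScriptBin script it aborts with an error, and `returnVal` without `$` is not the exit status anyway; use `exit "$returnVal"`. Because there is no trap, any earlier failure (`vault-login`, the Vault read) leaves rclone.conf containing the obscured storagebox password in `$TMP_DIR`; add `trap 'rm -rf "$TMP_DIR"' EXIT` directly after `mktemp -d` and the explicit `rm -rf` becomes unnecessary. L845 also calls bare `rclone` instead of the `${rclone}` bound on L838, and the `sed` substitution will break if the obscured value ever contains a `/` or `&`.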


@ -4,11 +4,12 @@
persistentKeepalive = 15;
in {
networking.firewall.trustedInterfaces = ["wg0"];
networking.firewall.trustedInterfaces = ["wg0" "wlan0"];
networking.firewall.allowedUDPPorts = [51820];
networking.wg-quick.interfaces = {
wg0 = {
address = ["${data.hosts.raspberry.ip}/32"];
address = ["${data.hosts.raspberry.ip}/24"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
@ -16,7 +17,7 @@ in {
{
publicKey = "${data.hosts.hetzner-vm.public}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["${data.hosts.hetzner-vm.ip}/24"];
allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
endpoint = "${data.hosts.hetzner-vm.endpoint}";
inherit persistentKeepalive;
}
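Review bot: Adding `"wlan0"` to `networking.firewall.trustedInterfaces` (L862) disables filtering for everything listening on the Wi-Fi interface, which on this host now includes the CockroachDB SQL port and its admin UI bound to 0.0.0.0:8080 (L822–L826); anyone on that LAN gets direct access. If the intent is only to let LAN peers reach a specific service, use `networking.firewall.interfaces.wlan0.allowedTCPPorts = [ <port> ];` for that port instead of trusting the whole interface. The `/24` interface address with `/32` allowedIPs for hetzner-vm (L867, L876) is the correct pairing.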


@ -8,6 +8,9 @@
}: let
secrets = config.services.secrets.secrets;
in {
networking.firewall.enable = true;
networking.firewall.allowPing = true;
imports = with tree;
[
users.root
@ -30,8 +33,10 @@ in {
++ (with hosts.raspberry.profiles; [
external-drive
wireguard
piped-proxy
cockroachdb
piped
auto-storage-backups
rclone
]);
environment.systemPackages = [


@ -11,10 +11,11 @@
'';
requiredVaultPaths = [
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
"private-public-keys/data/wireguard/chaos-internal/raspberry"
"passwords/data/wifi/parentals-home"
"api-keys/data/hetzner/storagebox"
"api-keys/data/hetzner/storagebox" # also used dynamically
];
secrets = {
@ -47,22 +48,43 @@
'';
};
rclone_config = {
piped_cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = ''
TMP_DIR="$(mktemp -d)"
cp ${./rclone_config.template} "$TMP_DIR/template"
pushd "$TMP_DIR" >/dev/null
STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password)
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" ./template
cp ./template "$secretFile"
popd >/dev/null
rm -rf "$TMP_DIR"
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
| base64 -d > "$secretFile"
'';
};
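Review bot: Each of the three fetchScripts (L935–L937, L948–L950, L961–L963) recreates `$SYSROOT/var/lib/cockroachdb-certs`, but the raspberry cockroachdb profile already declares that directory via `systemd.tmpfiles.rules` (L816–L818); the mkdir is redundant unless secrets-init runs before tmpfiles on a fresh system, in which case say so in a comment, otherwise drop it. The three blocks differ only in the JSON key and filename and would be clearer generated from a small list, as the hetzner side does with `secrets_list`. The `secrets` attrset continues outside the hunk.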


@ -9,8 +9,6 @@
'';
};
networking.firewall.allowedTCPPorts = [80 443];
services.nginx.virtualHosts."vault.owo.monster" = {
forceSSL = true;
enableACME = true;


@ -1,44 +0,0 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["10.69.42.2/32"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "${data.hosts.hetzner-vm.public}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
endpoint = "${data.hosts.hetzner-vm.endpoint}";
persistentKeepalive = 25;
}
# iphone8
{
publicKey = "${data.hosts.iphone8.public}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["${data.hosts.iphone8.ip}/32"];
}
# lappy-t495
{
publicKey = "${data.hosts.lappy-t495.public}";
presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
}
# raspberry
{
publicKey = "${data.hosts.raspberry.public}";
presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
allowedIPs = ["${data.hosts.raspberry.ip}/32"];
endpoint = "${data.hosts.raspberry.endpoint}";
persistentKeepalive = 25;
}
];
};
};
networking.firewall.allowedUDPPorts = [51820];
}


@ -3,8 +3,6 @@
enable = true;
requiredVaultPaths = [
"private-public-keys/data/wireguard/chaos-internal/vault"
"private-public-keys/data/restic/Vault"
"api-keys/data/storage/restic/Vault"
@ -23,31 +21,6 @@
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
'';
};
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > "$secretFile"
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > "$secretFile"
'';
};
wg_preshared_iphone8 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > "$secretFile"
'';
};
wg_preshared_lappy-t495 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.lappy_t495" > "$secretFile"
'';
};
wg_preshared_raspberry = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.raspberry" > "$secretFile"
'';
};
};
};
}


@ -7,9 +7,8 @@
profiles.nix-gc
profiles.nginx
profiles.nginx-firewall
profiles.kernels.latest
profiles.chaos-internal-wireguard
hosts.vault.profiles.wireguard
hosts.vault.profiles.vault
hosts.vault.profiles.restic


@ -172,7 +172,7 @@
}
getGroupID() {
stat --format "%G" "$1" 2>/dev/null
stat --format "%g" "$1" 2>/dev/null
}
userNameMatches() {


@ -55,9 +55,32 @@ in
inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive;
inherit (pkgs) gotosocial;
inherit (pkgs) cockroachdb;
};
}
# internal wireguard scripts
(let
internalWireguardLib = import ./extras/internal-wireguard-lib.nix {
inherit (nixpkgs) lib;
inherit pkgs;
};
wireguard_data = import ./data/chaos_wireguard_internal.nix {};
hostsWithWireguard = builtins.attrNames wireguard_data.hosts;
in {
packages = mergeAttrsList [
(mergeAttrsList (
lib.forEach hostsWithWireguard (hostName: {
"wg-keys-init-${hostName}" = internalWireguardLib.genInitScript hostName;
})
))
{
"wg-keys-init-all" = internalWireguardLib.initAllScript;
}
];
})
# secrets-init, secrets-check and vault-policy for machines and containers
(let
secretsLib = import ./modules/nixos/secrets-lib/lib.nix {


@ -0,0 +1,48 @@
{
lib,
stdenv,
autoPatchelfHook,
fetchzip,
}:
stdenv.mkDerivation rec {
pname = "cockroachdb-bin";
version = "23.1.9";
src = let
inherit (stdenv.hostPlatform) system;
selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
suffix = selectSystem {
x86_64-linux = "linux-amd64";
aarch64-linux = "linux-arm64";
};
sha256 = selectSystem {
x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU=";
aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s=";
};
in
fetchzip {
url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz";
inherit sha256;
};
dontConfigure = true;
dontBuild = true;
dontStrip = stdenv.isDarwin;
nativeBuildInputs = [autoPatchelfHook];
installPhase = ''
runHook preInstall
install -D cockroach $out/bin/cockroach
runHook postInstall
'';
meta = with lib; {
homepage = "https://www.cockroachlabs.com";
description = "A scalable, survivable, strongly-consistent SQL database";
license = licenses.bsl11;
mainProgram = "cockroach";
sourceProvenance = with sourceTypes; [binaryNativeCode];
platforms = ["x86_64-linux" "aarch64-linux"];
};
}
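Review bot: `dontStrip = stdenv.isDarwin;` (L1152) is dead given `platforms = ["x86_64-linux" "aarch64-linux"]` (L1165); either drop it or add darwin entries to the `suffix`/`sha256` tables. The version and per-architecture hashes are pinned (L1133, L1141–L1144), which is the right shape for a vendored binary; a short header comment stating that this is the upstream release tarball and that bumping `version` requires refreshing both hashes would help the next maintainer.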


@ -1,4 +1,4 @@
final: prev: {
final: prev: rec {
comic-sans = final.callPackage ./comic-sans {};
comic-code = final.callPackage ./comic-code {};
@ -12,6 +12,9 @@ final: prev: {
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};
cockroachdb-bin = final.callPackage ./cockroachdb-bin {};
cockroachdb = cockroachdb-bin;
gotosocial = prev.gotosocial.overrideAttrs (_old: let
owner = "superseriousbusiness";
repo = "gotosocial";
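Review bot: `cockroachdb = cockroachdb-bin;` (L1180) replaces the nixpkgs source build with the vendor binary for every consumer of `pkgs.cockroachdb`, shifting trust from the nixpkgs build to the upstream download (pinned by the fetchzip hashes, so reproducible, but not built from source). Add a comment stating why the override is needed — the commit does not show the reason — so the alias can be removed when it no longer applies. Switching the overlay to `rec` only to reference `cockroachdb-bin` is unnecessary; `cockroachdb = final.cockroachdb-bin;` works without `rec` and stays overridable.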


@ -0,0 +1,43 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkMerge;
inherit (lib.lists) forEach filter;
inherit (builtins) hasAttr;
wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
wireguard_hosts = wireguard_data.hosts;
currentHostName = config.networking.hostName;
currentHostConfig = wireguard_hosts.${currentHostName};
in {
services.secrets = {
enable = true;
requiredVaultPaths = [
"private-public-keys/data/wireguard/chaos-internal/${currentHostName}"
];
secrets = mkMerge ([
{
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
'';
};
}
]
++ (forEach (filter (hostName: (hostName != currentHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (builtins.attrNames wireguard_hosts)) (
hostName: let
in {
"wg_preshared_${hostName}" = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" ".preshared_keys.\"${hostName}\"" > "$secretFile"
'';
};
}
)));
};
}
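Review bot: `currentHostConfig` (L1199) is never used in this module and `hostName: let in {` (L1216–L1217) is an empty `let`; both read as leftovers and should go. More importantly, the preshared keys this module fetches are not consumed anywhere yet, since the new wireguard profile comments out every `presharedKeyFile` (L1267, L1276); either wire them in or add a comment here that they are fetched ahead of that. The `hasAttr "endpoint"` filter also means a peer without an endpoint never gets a PSK secret, which differs from the removed per-host files that fetched PSKs for every peer; if that is deliberate, say so.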


@ -0,0 +1,58 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib.modules) mkIf;
inherit (builtins) hasAttr;
# Assume this to be set
secrets = config.services.secrets.secrets;
wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
wireguard_hosts = wireguard_data.hosts;
currentHostName = config.networking.hostName;
currentHostConfig = wireguard_hosts.${currentHostName};
in {
networking.firewall.allowPing = true;
networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
systemd.services.wireguard-debug = {
wantedBy = ["multi-user.target"];
partOf = ["wg-quick-wg0.service"];
script = ''
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
'';
};
networking.wg-quick.interfaces = {
wg0 = {
address = ["${currentHostConfig.ip}/24"];
privateKeyFile = "${secrets.wg_priv.path}";
listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
peers = [
# hetzner-vm
(mkIf (currentHostName != "hetzner-vm") (let
host = wireguard_hosts."hetzner-vm";
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
#presharedKeyFile = secrets.wg_preshared_hetzner-vm.path;
endpoint = host.endpoint or null;
}))
# vault
(mkIf (currentHostName != "vault") (let
host = wireguard_hosts."vault";
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
#presharedKeyFile = secrets.wg_preshared_vault.path;
endpoint = host.endpoint or null;
}))
];
};
};
}
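Review bot: `systemd.services.wireguard-debug` (L1248–L1254) enables WireGuard dynamic-debug kernel logging on every boot of every host using this profile; that writes per-handshake peer details into the kernel log and is a troubleshooting aid, so gate it behind an option or drop it. The `presharedKeyFile` lines are commented out (L1267, L1276) although the matching secrets are fetched and the removed per-host profiles used them; a `# TODO: re-enable once wg-keys-init has deployed PSKs everywhere` prevents the PSK layer from being forgotten. The peer list only covers hetzner-vm and vault, so hetzner-vm loses the iphone8, lappy-t495 and raspberry peers it had in the deleted profile unless they are added elsewhere; raspberry keeps its own profile, the other two appear to have none.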


@ -0,0 +1,60 @@
{
config,
lib,
...
}: let
escapeSystemdExecArg = arg: let
s =
if builtins.isPath arg
then "${arg}"
else if builtins.isString arg
then arg
else if builtins.isInt arg || builtins.isFloat arg
then toString arg
else throw "escapeSystemdExecArg only allows strings, paths and numbers";
in
lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s);
# Quotes a list of arguments into a single string for use in a Exec*
# line.
escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg;
cfg = config.services.cockroachdb;
crdb = cfg.package;
startupCommand =
escapeSystemdExecArgs
([
# Basic startup
"${crdb}/bin/cockroach"
(
if (cfg.join != null)
then "start"
else "start-single-node"
)
"--logtostderr"
"--store=/var/lib/cockroachdb"
# WebUI settings
"--http-addr=${cfg.http.address}:${toString cfg.http.port}"
# Cluster listen address
"--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
# Cache and memory settings.
"--cache=${cfg.cache}"
"--max-sql-memory=${cfg.maxSqlMemory}"
# Certificate/security settings.
(
if cfg.insecure
then "--insecure"
else "--certs-dir=${cfg.certsDir}"
)
]
++ lib.optional (cfg.join != null) "--join=${cfg.join}"
++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
++ cfg.extraArgs);
in {
systemd.services.cockroachdb.serviceConfig.ExecStart = lib.mkForce startupCommand;
}
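Review bot: This module unconditionally `mkForce`s the cockroachdb `ExecStart` (L1338) with a copy of the upstream module's startup command, but nothing says what is being fixed, so the next nixpkgs bump cannot tell whether the override is still needed; add a header comment naming the reason and the nixpkgs module it mirrors (the commit does not show the reason). The copied `escapeSystemdExecArg` helper (L1292–L1305) exists in nixpkgs as `lib.strings.escapeSystemdExecArgs` in recent releases; if the pinned nixpkgs has it, the local copy can go.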


@ -1,4 +1,4 @@
{...}: {
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
}
}
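Review bot: `networking.firewall.allowedUDPPorts = [80 443];` (L1346) opens UDP 80, which no service listens on — HTTP/3 uses UDP 443 only — so it should be `[443]`, and only if nginx is actually configured with QUIC/HTTP/3; otherwise drop the UDP rule entirely. Opening ports nothing binds is harmless today but hides the real exposure when something does bind later.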


@ -8,7 +8,7 @@ cd $(git rev-parse --show-toplevel)
HOSTNAME=$(hostname)
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh $@
[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh $@
[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh $@
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh "$@"
[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh "$@"
[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh "$@"
[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh "$@"

21
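--- a/scripts/deploy-secrets.sh
+++ b/scripts/deploy-secrets.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -e
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+cd $(git rev-parse --show-toplevel)
+ARCH=${1}
+HOSTNAME=${2}
+SSH=${3}
+CONTAINER=${4}
+OPTIONAL_CONTAINER=
+if [ -n "$CONTAINER" ]; then
+OPTIONAL_CONTAINER="-container-${CONTAINER}"
+fi
+nix build --system ${ARCH} ".#secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
+nix-copy-closure --to ${SSH} --use-substitutes $(readlink result)
+ssh ${SSH} "$(readlink result)/bin/secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"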
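Review bot: The positional parameters are used unquoted and unchecked: an empty `$SSH` makes `nix-copy-closure --to` and `ssh` run with a missing host argument, and `${ARCH}`, `${SSH}` and `$(readlink result)` are expanded unquoted on L1381–L1383. Validate them up front with `: "${ARCH:?arch}" "${HOSTNAME:?hostname}" "${SSH:?ssh target}"` and quote every expansion, consistent with the `"$@"` fixes elsewhere in this commit. `cd $(git rev-parse --show-toplevel)` (L1372) is unquoted too, and `readlink result` only resolves the top-level symlink; `readlink -f result` is the safer form if `result` ever becomes a chain.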


@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s $@
nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s "$@"

2
scripts/deploy/raspberry.sh Normal file → Executable file

@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#raspberry --target-host raspberry -s $@
nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@"

2
scripts/deploy/vault.sh Normal file → Executable file

@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#vault --target-host vault -s $@
nixos-rebuild switch --flake .#vault --target-host vault -s "$@"