diff --git a/data/chaos_wireguard_internal.nix b/data/chaos_wireguard_internal.nix index a028137..b662258 100644 --- a/data/chaos_wireguard_internal.nix +++ b/data/chaos_wireguard_internal.nix @@ -1,28 +1,28 @@ {}: rec { - all = "10.69.42.1/32"; + all = "10.69.42.1/24"; hosts = { hetzner-vm = { ip = "10.69.42.1"; - public = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc="; + public = "liO33kMSEwuaaH4i6qDuorWssd9s/EfTBKBHQEbaDXE="; endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; }; vault = { ip = "10.69.42.2"; - public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc="; - endpoint = "vault.servers.genderfucked.monster:51820"; + public = "GJ/IQ5W2Ch2vSiqcciKkrBA+pVycY2cibhvF1SFzi0I="; + #endpoint = "vault.servers.genderfucked.monster:51820"; }; iphone8 = { ip = "10.69.42.3"; - public = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw="; + public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c="; }; lappy-t495 = { ip = "10.69.42.4"; - public = "rEioKieZqI3UaJGGaSC/yaHfdZE9VKpsq355x4dHgCs="; + public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM="; }; raspberry = { ip = "10.69.42.5"; - public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc="; + public = "ld5XI4l/Gmr5JWg8r5midy7MTIgZkWVhMPsJqzIonng="; endpoint = "raspberry.servers.genderfucked.monster:51820"; }; }; diff --git a/extras/internal-wireguard-lib.nix b/extras/internal-wireguard-lib.nix new file mode 100644 index 0000000..a89285f --- /dev/null +++ b/extras/internal-wireguard-lib.nix 
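Review bot: `all = "10.69.42.1/24"` now combines hetzner-vm's host address with a /24 mask, so whatever consumes it as the internal subnet gets a prefix with host bits set; if it is meant to be the subnet write `all = "10.69.42.0/24";`, and if it is meant to be the hub's address the previous `/32` was the correct form. Nothing in this file says who reads `all`, so a one-line comment such as `# whole chaos-internal range, used as the hub's allowedIPs on spoke peers` would stop the next rotation from guessing. The rotated values are public keys only, which is fine to keep in the repo, but `#endpoint` on vault leaves it unclear whether vault is still a reachable peer or is being retired; either remove the line or comment why it is disabled.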
@@ -0,0 +1,95 @@ +{ + lib, + pkgs, + ... +}: let + wireguard_data = import ../data/chaos_wireguard_internal.nix {}; + wireguard_hosts = wireguard_data.hosts; + + inherit (pkgs) writeShellScriptBin; + inherit (lib.lists) forEach filter; + inherit (builtins) hasAttr attrNames; + + kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}"; +in rec { + initAllScript = writeShellScriptBin "wg-keys-init-all" (let + vault = "${pkgs.vault-bin}/bin/vault"; + jq = "${pkgs.jq}/bin/jq"; + in '' + + ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: '' + if [ -z "$PRESHARED_ONLY" ]; then + echo "{}" | vault kv put "${kvPathForHost hostName}" - 2>/dev/null + fi + ''))} + + ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: '' + echo "Deploying keys for ${hostName}" + + "${genInitScript hostName}/bin/wg-keys-init-${hostName}" + ''))} + + ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: '' + echo + + PUBLIC=$(${vault} kv get -format=json "${kvPathForHost hostName}" | ${jq} .data.data.public) + echo "Public Key for ${hostName}: $PUBLIC" + ''))} + ''); + + genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let + vault = "${pkgs.vault-bin}/bin/vault"; + jq = "${pkgs.jq}/bin/jq"; + wg = "${pkgs.wireguard-tools}/bin/wg"; + sponge = "${pkgs.moreutils}/bin/sponge"; + + hostsWithEndpoints = filter (hostName: (hostName != systemHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (attrNames wireguard_hosts); + in '' + PRIVATE=$(${wg} genkey) + PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey) + + TMP_DIR=$(mktemp -d) + pushd "$TMP_DIR" + + echo "{}" > currentHost.json + if [ -z "$PRESHARED_ONLY" ]; then + ${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json + ${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json + fi + + ${jq} '.preshared_keys = {}' currentHost.json | ${sponge} currentHost.json + + 
${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: '' + echo "Generating preshared key for ${hostName}" + + PSK=$(${wg} genpsk) + ${jq} ".preshared_keys.\"${hostName}\" = \"$PSK\"" currentHost.json | ${sponge} currentHost.json + ''))} + + + ${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: '' + echo "Deploying preshared key for ${hostName}" + + PSK=$(jq -r '.preshared_keys."${hostName}"' currentHost.json) + + ${vault} kv get -format=json "${kvPathForHost hostName}" 2>/dev/null | jq -r .data.data > otherHost.json + ${jq} ".preshared_keys.\"${systemHostName}\" = \"$PSK\"" otherHost.json | ${sponge} otherHost.json + cat otherHost.json | vault kv put "${kvPathForHost hostName}" - 2>/dev/null + + rm otherHost.json + ''))} + + if [ -z "$PRESHARED_ONLY" ]; then + cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null + cat currentHost.json | jq + fi + rm currentHost.json + + + popd + + rm -rf "$TMP_DIR" + + echo "Public Key for ${systemHostName}: $PUBLIC" + '')); +} diff --git a/flake.lock b/flake.lock index 00a744f..aa04c62 100644 --- a/flake.lock +++ b/flake.lock @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1694469544, - "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", + "lastModified": 1694643239, + "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=", "owner": "nix-community", "repo": "home-manager", - "rev": "5171f5ef654425e09d9c2100f856d887da595437", + "rev": "d9b88b43524db1591fb3d9410a21428198d75d49", "type": "github" }, "original": { 
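Review bot: The final `cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" -` replaces the host's whole Vault entry with a document built from `echo "{}" > currentHost.json`, so preshared keys that earlier-running peers already deployed into this host's entry are thrown away: in `wg-keys-init-all`, which walks `attrNames` in sorted order, iphone8 and lappy-t495 write their PSKs for raspberry before raspberry's own init runs, and raspberry's put then wipes them, leaving the two sides of each pair holding different PSKs (unless I have misread the ordering). With `PRESHARED_ONLY` set the problem inverts — the self-side put is skipped entirely, so freshly generated PSKs reach the peers but are never stored for this host. Seeding `currentHost.json` from the existing entry, merging with `//=`, and writing it back unconditionally fixes both. Separately, `${jq} ".private = \"$PRIVATE\""` and the PSK equivalents put key material on the jq command line where any local user can read it from `/proc/*/cmdline`; pass values with `jq --arg`, and drop the `cat currentHost.json | jq` that prints the private key to the terminal.
```nix
    # seed from the existing entry so PSKs already deployed by peers survive
    ${vault} kv get -format=json "${kvPathForHost systemHostName}" 2>/dev/null \
      | ${jq} -s '(.[0].data.data) // {}' > currentHost.json
    if [ -z "$PRESHARED_ONLY" ]; then
      ${jq} --arg pub "$PUBLIC" '.public = $pub' currentHost.json | ${sponge} currentHost.json
      ${jq} --arg priv "$PRIVATE" '.private = $priv' currentHost.json | ${sponge} currentHost.json
    fi
    ${jq} '.preshared_keys //= {}' currentHost.json | ${sponge} currentHost.json

    # … unchanged: PSK generation loop, except the per-host line becomes:
    ${jq} --arg host "${hostName}" --arg psk "$PSK" '.preshared_keys[$host] = $psk' currentHost.json | ${sponge} currentHost.json

    # … unchanged: PSK deployment loop (use --arg there as well) …

    # always write back: PRESHARED_ONLY must still store this host's side of the new PSKs
    cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null
```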
@@ -160,11 +160,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1694422566, - "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=", + "lastModified": 1694669921, + "narHash": "sha256-6ESpJ6FsftHV96JO/zn6je07tyV2dlLR7SdLsmkegTY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb", + "rev": "f2ea252d23ebc9a5336bf6a61e0644921f64e67c", "type": "github" }, "original": { @@ -176,11 +176,11 @@ }, "nur": { "locked": { - "lastModified": 1694547969, - "narHash": "sha256-rcP53Lh8T0SywogEVPByeSXjExzpfZdd85fubbxgXYo=", + "lastModified": 1694778311, + "narHash": "sha256-Hu5U9pXwMqUjWF7uh4SKqdKy1QMy9RVGxmst11srSgA=", "owner": "nix-community", "repo": "NUR", - "rev": "6006151c90751e36c5dd68a7f754c3d26c8a55c1", + "rev": "7a673ac1f35648a908730206a2793b0e3818bc25", "type": "github" }, "original": { @@ -202,11 +202,11 @@ ] }, "locked": { - "lastModified": 1694714112, - "narHash": "sha256-x2CgsEvWIf4ETx4puLqmHrPthesNXW30OMYg4pVJARg=", + "lastModified": 1694730023, + "narHash": "sha256-/J7ZPye0T1idRgvpa7oHJnON3rzIniv4tXiMP2sj3tk=", "owner": "ChaotiCryptidz", "repo": "piped-flake", - "rev": "c5ad01eac79809686d9685671e77a6dac4e17ddf", + "rev": "1729b90a2e81b95f0158720816b174532a9b1f2b", "type": "gitlab" }, "original": { diff --git a/flake.nix b/flake.nix index 80d3f4c..e8961ad 100644 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,7 @@ # nixpkgs Unstable Inputs nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + home-manager-unstable.url = "github:nix-community/home-manager"; home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable"; diff --git a/home/dev/all/network.nix b/home/dev/all/network.nix index 07c90da..5a33fdb 100644 --- a/home/dev/all/network.nix +++ b/home/dev/all/network.nix @@ -8,5 +8,6 @@ rsync openssh nmap + tcpdump ]; } diff --git a/home/gui/environments/sway/sway.nix b/home/gui/environments/sway/sway.nix index 8c158a2..82f19f1 100644 --- a/home/gui/environments/sway/sway.nix 
+++ b/home/gui/environments/sway/sway.nix @@ -65,9 +65,10 @@ size = 14.0; }; statusCommand = lib.escapeShellArgs [ - "${pkgs.gobar}/bin/gobar" - "-config" - "cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time" + "/home/chaos/Projects/rustbar/target/debug/rustbar" + #"${pkgs.gobar}/bin/gobar" + #"-config" + #"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time" ]; } {command = "${pkgs.waybar}/bin/waybar";} diff --git a/hosts/hetzner-vm/containers/mail/default.nix b/hosts/hetzner-vm/containers/mail/default.nix index ed16557..96702b6 100644 --- a/hosts/hetzner-vm/containers/mail/default.nix +++ b/hosts/hetzner-vm/containers/mail/default.nix @@ -3,6 +3,7 @@ lib, inputs, config, + pkgs, ... }: let ports = [ @@ -53,12 +54,14 @@ in { }))) ]; + specialArgs = { + inherit inputs; + inherit tree; + host_secrets = secrets; + }; + config = {config, ...}: { - _module.args = { - inherit inputs; - inherit tree; - host_secrets = secrets; - }; + nixpkgs.pkgs = pkgs; imports = with tree; [ diff --git a/hosts/hetzner-vm/containers/music/default.nix b/hosts/hetzner-vm/containers/music/default.nix index f7e15b3..f6bbaea 100644 --- a/hosts/hetzner-vm/containers/music/default.nix +++ b/hosts/hetzner-vm/containers/music/default.nix @@ -3,6 +3,7 @@ lib, inputs, config, + pkgs, ... }: let container-addresses = import ../../data/container-addresses.nix {}; @@ -41,12 +42,14 @@ in { }; })); + specialArgs = { + inherit inputs; + inherit tree; + host_secrets = secrets; + }; + config = {config, ...}: { - _module.args = { - inherit inputs; - inherit tree; - host_secrets = secrets; - }; + nixpkgs.pkgs = pkgs; imports = with tree; [ diff --git a/hosts/hetzner-vm/containers/piped/data/ports.nix b/hosts/hetzner-vm/containers/piped/data/ports.nix index b46f54b..be26c62 100644 --- a/hosts/hetzner-vm/containers/piped/data/ports.nix +++ b/hosts/hetzner-vm/containers/piped/data/ports.nix 
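Review bot: `"/home/chaos/Projects/rustbar/target/debug/rustbar"` points the bar at a mutable, unpackaged debug build outside the Nix store, so the configuration silently depends on that checkout existing and being built on every host that imports this module, and a `cargo clean` or a different user name leaves sway with no status bar. If rustbar is meant to stay, package it (a flake input or `pkgs.callPackage`) so the path is a store path; if this is a temporary local override, say so in a comment, e.g. `# TEMP: local dev build of rustbar, revert to gobar before deploying elsewhere`. The commented-out gobar lines can then go rather than linger as dead config.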
@@ -1,4 +1,7 @@ {}: { piped-backend = 3012; piped-proxy = 3013; + + cockroachdb = 26257; + cockroachdb-http = 3014; } diff --git a/hosts/hetzner-vm/containers/piped/default.nix b/hosts/hetzner-vm/containers/piped/default.nix index eed90e7..6e2ad5e 100644 --- a/hosts/hetzner-vm/containers/piped/default.nix +++ b/hosts/hetzner-vm/containers/piped/default.nix @@ -3,13 +3,13 @@ lib, inputs, config, + pkgs, ... }: let - internal_wireguard = import ../../../../data/chaos_wireguard_internal.nix {}; - - container-addresses = import ../../data/container-addresses.nix {}; - hostIP = container-addresses.host; - containerIP = container-addresses.containers.piped; + #container-addresses = import ../../data/container-addresses.nix {}; + #hostIP = container-addresses.host; + #containerIP = container-addresses.containers.piped; + containerConfig = config.containers.piped.config; ports = import ./data/ports.nix {}; @@ -18,6 +18,18 @@ secrets_list = [ "piped_restic_env" "piped_restic_password" + { + name = "piped_cockroachdb_ca_certificate"; + path = "/var/lib/cockroachdb-certs/ca.crt"; + } + { + name = "piped_cockroachdb_node_certificate"; + path = "/var/lib/cockroachdb-certs/node.crt"; + } + { + name = "piped_cockroachdb_node_key"; + path = "/var/lib/cockroachdb-certs/node.key"; + } ]; containerName = "piped"; 
@@ -25,42 +37,69 @@ component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" ); in { + # Create this directory outside the container so the bind mounts work + systemd.tmpfiles.rules = [ + "d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root" + ]; + + users.users."cockroachdb-piped" = { + uid = containerConfig.users.users.cockroachdb.uid; + group = "cockroachdb-piped"; + }; + users.groups."cockroachdb-piped" = { + gid = containerConfig.users.groups.cockroachdb.gid; + }; + containers.piped = { autoStart = true; - privateNetwork = true; - hostAddress = hostIP; - localAddress = containerIP; - bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_name: let - path = "${secrets.${secret_name}.path}"; + #privateNetwork = false; + #hostAddress = hostIP; + #localAddress = containerIP; + + bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_item: let + secret = + if builtins.isString secret_item + then secrets.${secret_item} + else secrets.${secret_item.name}; + + hostPath = secret.path; + containerPath = + if builtins.isString secret_item + then hostPath + else secret_item.path; in { - "${path}" = { - hostPath = "${path}"; + "${containerPath}" = { + inherit hostPath; }; })); + specialArgs = { + inherit inputs; + inherit tree; + host_secrets = secrets; + }; + config = {config, ...}: { - _module.args = { - inherit inputs; - inherit tree; - host_secrets = secrets; - }; + nixpkgs.pkgs = pkgs; imports = with tree; [ profiles.base inputs.home-manager-unstable.nixosModules.home-manager - profiles.sshd + #profiles.sshd profiles.nginx + profiles.cockroachdb-bin-fix modules.nixos.secrets inputs.piped-flake.nixosModules.default users.root ] - ++ (with hosts.hetzner-vm.containers.piped; [ - profiles.piped - profiles.restic + ++ (with hosts.hetzner-vm.containers.piped.profiles; [ + piped + restic + cockroachdb ]); # For Shared Secrets 
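Review bot: Commenting out `privateNetwork = true` (with `hostAddress`/`localAddress`) moves the piped container into the host's network namespace, so every listener it starts — nginx on 127.0.0.1:9080 and, via the new `cockroachdb` profile import, CockroachDB's SQL port and its HTTP UI — now binds on hetzner-vm's own interfaces instead of the old veth pair. The cockroachdb profile binds its UI on `0.0.0.0`, and the host firewall in `networking.nix` only opens 22 (plus whatever `profiles.nginx-firewall` adds, presumably 80/443), so the change is safe only as long as nobody opens 3014 or 26257 host-wide; that dependency deserves a comment where `privateNetwork` is disabled: `# shares the host network namespace: container services bind on hetzner-vm itself, keep them on loopback/wg0 and rely on the host firewall`. Dropping `profiles.sshd` is consistent with that (a second sshd would collide with the host's on 22) but reads as accidental next to the other commented-out lines; delete the dead `#privateNetwork`/`#hostAddress` lines instead of keeping them. The uid mirror `users.users."cockroachdb-piped".uid = containerConfig.users.users.cockroachdb.uid` only lines up with the bind-mounted `node.key` if the container's cockroachdb user gets a static uid from its module; if that is null the host user is allocated dynamically and the 600 key becomes unreadable inside the container, so an `assert containerConfig.users.users.cockroachdb.uid != null` would make the failure explicit.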
@@ -86,7 +125,7 @@ in { }; }; - services.nginx.virtualHosts."piped.owo.monster" = { + services.nginx.virtualHosts."piped-fi.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { @@ -94,7 +133,7 @@ in { }; }; - services.nginx.virtualHosts."backend.piped.owo.monster" = { + services.nginx.virtualHosts."backend.piped-fi.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { @@ -102,18 +141,12 @@ in { }; }; - services.nginx.virtualHosts."proxy.piped.owo.monster" = { + services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://${internal_wireguard.hosts.raspberry.ip}"; - extraConfig = '' - proxy_set_header Host $host; - ''; - #proxyPass = "http://unix:${pipedSocketForComponent "proxy"}"; - #extraConfig = config.services.piped.proxyNginxExtraConfig; + proxyPass = "http://unix:${pipedSocketForComponent "proxy"}"; + extraConfig = config.services.piped.proxyNginxExtraConfig; }; }; - - networking.firewall.allowedTCPPorts = [4242]; } diff --git a/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix b/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix new file mode 100644 index 0000000..20fe48d --- /dev/null +++ b/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix @@ -0,0 +1,16 @@ +{...}: let + ports = import ../data/ports.nix {}; + internal_wireguard = import ../../../../../data/chaos_wireguard_internal.nix {}; +in { + services.cockroachdb = { + enable = true; + certsDir = "/var/lib/cockroachdb-certs"; + join = "localhost:${toString ports.cockroachdb},${internal_wireguard.hosts.raspberry.ip}:26257"; + # ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm + listen.port = ports.cockroachdb; + http = { + address = "0.0.0.0"; + port = ports.cockroachdb-http; + }; + }; +} diff --git a/hosts/hetzner-vm/containers/piped/profiles/piped.nix b/hosts/hetzner-vm/containers/piped/profiles/piped.nix index 7a2e1a2..bc8c98a 100644 
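Review bot: `http.address = "0.0.0.0"` contradicts the `ssh -L 3014:127.0.0.1:3014` comment directly above it: the admin UI is meant to be reached through a tunnel, so bind it to `127.0.0.1`; since the piped container now shares the host's network namespace, `0.0.0.0` here means hetzner-vm's public interface, with only the host firewall in the way. `listen.port` is set but `listen.address` is left at the module default, which as far as I recall is loopback — in that case raspberry's `join` target `10.69.42.1:26257` has nothing listening, so state it explicitly, e.g. `listen.address = internal_wireguard.hosts.hetzner-vm.ip;`, and note that piped (which talks to `127.0.0.1:26257`) then needs the same address or a loopback alias. A one-line comment that `certsDir` puts the node in secure mode and that the three files are bind-mounted from host secrets would save the next reader a trip through `default.nix` and `secrets.nix`.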
--- a/hosts/hetzner-vm/containers/piped/profiles/piped.nix +++ b/hosts/hetzner-vm/containers/piped/profiles/piped.nix @@ -4,11 +4,19 @@ in { config.services.piped = { enable = true; - frontendDomain = "piped.owo.monster"; - backendDomain = "backend.piped.owo.monster"; - proxyDomain = "proxy.piped.owo.monster"; + frontendDomain = "piped-fi.owo.monster"; + backendDomain = "backend.piped-fi.owo.monster"; + proxyDomain = "proxy.piped-fi.owo.monster"; - disableProxy = true; # Currently using proxy via raspberry in UK + disableRegistrations = false; + + postgresDBName = "piped"; + postgresDBUsername = "piped"; + postgresDBPassword = "piped"; + postgresDBHost = "127.0.0.1"; + postgresDBPort = 26257; + databaseDialect = "org.hibernate.dialect.CockroachDialect"; + disablePostgresDB = true; nginxForceSSL = false; nginxEnableACME = false; @@ -29,11 +37,29 @@ in { config.services.nginx.virtualHosts."${piped_config.frontendDomain}" = { extraConfig = "listen unix:/var/sockets/piped-frontend.sock;"; + listen = [ + { + addr = "127.0.0.1"; + port = 9080; + } + ]; }; config.services.nginx.virtualHosts."${piped_config.backendDomain}" = { extraConfig = "listen unix:/var/sockets/piped-backend.sock;"; + listen = [ + { + addr = "127.0.0.1"; + port = 9080; + } + ]; + }; + config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = { + extraConfig = "listen unix:/var/sockets/piped-proxy.sock;"; + listen = [ + { + addr = "127.0.0.1"; + port = 9080; + } + ]; }; - #config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = { - # extraConfig = "listen unix:/var/sockets/piped-proxy.sock;"; - #}; } diff --git a/hosts/hetzner-vm/containers/piped/profiles/restic.nix b/hosts/hetzner-vm/containers/piped/profiles/restic.nix index 4f8e020..3d962a7 100644 --- a/hosts/hetzner-vm/containers/piped/profiles/restic.nix +++ b/hosts/hetzner-vm/containers/piped/profiles/restic.nix 
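Review bot: `postgresDBPassword = "piped";` commits a database credential to the repo and, once evaluated, into the world-readable Nix store (the piped module presumably renders it into a config file there too); every other credential on this host goes through Vault, so this one should as well — a `piped_db_password` secret read by the service at runtime, or a password-file option if the module offers one. Because the node is in secure mode (`certsDir` is set in the cockroachdb profile), this password is the only thing authenticating the `piped` SQL user to a listener that is no longer isolated in a private network namespace. `disableRegistrations = false` is a policy change worth a one-line comment stating it is intentional, e.g. `# open registrations: this instance is meant to be public`.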
@@ -4,12 +4,11 @@ ... }: let secrets = host_secrets; - - backupPrepareCommand = "${ - (pkgs.writeShellScriptBin "backupPrepareCommand" '' - systemctl start postgresqlBackup-piped --wait - '') - }/bin/backupPrepareCommand"; + #backupPrepareCommand = "${ + # (pkgs.writeShellScriptBin "backupPrepareCommand" '' + # systemctl start postgresqlBackup-piped --wait + # '') + #}/bin/backupPrepareCommand"; in { environment.systemPackages = with pkgs; [ restic @@ -24,7 +23,7 @@ in { services.restic.backups.piped = { user = "root"; paths = [ - "/var/backup/postgresql" + #"/var/backup/postgresql" ]; # repository is overrided in environmentFile to contain auth @@ -42,13 +41,13 @@ in { OnCalendar = "daily"; }; - inherit backupPrepareCommand; + #inherit backupPrepareCommand; }; - services.postgresqlBackup = { - enable = true; - backupAll = false; - databases = ["piped"]; - compression = "zstd"; - }; + #services.postgresqlBackup = { + # enable = true; + # backupAll = false; + # databases = ["piped"]; + # compression = "zstd"; + #}; } diff --git a/hosts/hetzner-vm/containers/quassel/default.nix b/hosts/hetzner-vm/containers/quassel/default.nix index aa09a9a..c70241a 100644 --- a/hosts/hetzner-vm/containers/quassel/default.nix +++ b/hosts/hetzner-vm/containers/quassel/default.nix @@ -3,6 +3,7 @@ lib, inputs, config, + pkgs, ... }: let container-addresses = import ../../data/container-addresses.nix {}; @@ -36,12 +37,14 @@ in { }; })); + specialArgs = { + inherit inputs; + inherit tree; + host_secrets = secrets; + }; + config = {config, ...}: { - _module.args = { - inherit inputs; - inherit tree; - host_secrets = secrets; - }; + nixpkgs.pkgs = pkgs; imports = with tree; [ diff --git a/hosts/hetzner-vm/containers/social/default.nix b/hosts/hetzner-vm/containers/social/default.nix index 9d0e2bd..3eaa41f 100644 --- a/hosts/hetzner-vm/containers/social/default.nix +++ b/hosts/hetzner-vm/containers/social/default.nix 
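Review bot: With `"/var/backup/postgresql"` commented out, `services.restic.backups.piped` has an empty `paths` list and no `backupPrepareCommand`, so the daily job still runs but snapshots nothing — the piped database that moved to CockroachDB in this commit is no longer backed up anywhere. Replace the commented-out PostgreSQL lines with a prepare command that exports the CockroachDB `piped` database into a directory under `/var/backup` that is listed in `paths` (a `cockroach` backup or dump using the certs in `/var/lib/cockroachdb-certs`), and keep a comment naming the cluster so the restore path is discoverable. If the raspberry replica is what is supposed to stand in for backups, say so in a comment, but note that a replica does not protect against logical corruption or a bad migration.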
@@ -2,6 +2,7 @@ tree, inputs, config, + pkgs, ... }: let container-addresses = import ../../data/container-addresses.nix {}; @@ -28,16 +29,14 @@ in { }; }; - config = { - config, - pkgs, - ... - }: { - _module.args = { - inherit inputs; - inherit tree; - host_secrets = secrets; - }; + specialArgs = { + inherit inputs; + inherit tree; + host_secrets = secrets; + }; + + config = {config, ...}: { + nixpkgs.pkgs = pkgs; imports = with tree; [ diff --git a/hosts/hetzner-vm/containers/storage/default.nix b/hosts/hetzner-vm/containers/storage/default.nix index 934b7d3..8cbaa63 100644 --- a/hosts/hetzner-vm/containers/storage/default.nix +++ b/hosts/hetzner-vm/containers/storage/default.nix @@ -2,6 +2,7 @@ tree, lib, inputs, + pkgs, ... }: let container-addresses = import ../../data/container-addresses.nix {}; @@ -18,17 +19,14 @@ in { privateNetwork = true; hostAddress = hostIP; localAddress = containerIP; - config = { - config, - pkgs, - ... - }: let - secrets = config.services.secrets.secrets; - in { - _module.args = { - inherit inputs; - inherit tree; - }; + + specialArgs = { + inherit inputs; + inherit tree; + }; + + config = {...}: { + nixpkgs.pkgs = pkgs; imports = with tree; [ diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix index 0ebc5d9..9ba7962 100644 --- a/hosts/hetzner-vm/hetzner-vm.nix +++ b/hosts/hetzner-vm/hetzner-vm.nix @@ -14,8 +14,8 @@ profiles.nginx profiles.nginx-firewall profiles.nix-gc - profiles.kernels.latest profiles.cross.arm64 + profiles.chaos-internal-wireguard ./networking.nix ./hardware.nix @@ -32,10 +32,13 @@ ++ (with hosts.hetzner-vm.profiles; [ vaultui gitlab-static-sites - wireguard nginx-misc ]); + boot.kernel.sysctl = { + "fs.inotify.max_user_watches" = 1024 * 64 * 4; + }; + environment.systemPackages = with pkgs; [ (pkgs.writeShellScriptBin "journalctl-vaccum-all" '' 
@@ -73,9 +76,6 @@ externalInterface = "eth0"; }; - networking.firewall.allowedTCPPorts = [80 443]; - networking.firewall.allowedUDPPorts = [443]; - home-manager.users.root = { imports = with tree; [home.base home.dev.small]; home.stateVersion = "23.05"; diff --git a/hosts/hetzner-vm/networking.nix b/hosts/hetzner-vm/networking.nix index 7be5760..421aaf7 100644 --- a/hosts/hetzner-vm/networking.nix +++ b/hosts/hetzner-vm/networking.nix @@ -5,6 +5,9 @@ networking.firewall.allowPing = true; networking.firewall.allowedTCPPorts = [22]; + services.resolved.enable = false; + environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; + networking.enableIPv6 = true; networking.usePredictableInterfaceNames = false; networking.dhcpcd.enable = true; diff --git a/hosts/hetzner-vm/profiles/wireguard.nix b/hosts/hetzner-vm/profiles/wireguard.nix deleted file mode 100644 index 3b515ac..0000000 --- a/hosts/hetzner-vm/profiles/wireguard.nix +++ /dev/null 
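Review bot: `environment.etc."resolv.conf".text = "nameserver 8.8.8.8"` pins the host to one third-party resolver over plaintext UDP and disables `services.resolved` without saying why; with `networking.dhcpcd.enable = true` still set a few lines down, dhcpcd's resolvconf handling may also write the same file, so confirm which one wins after a reboot. Record the reason inline, e.g. `# resolved disabled: <reason>; static resolver until fixed`, and list at least a second nameserver so a single resolver outage does not take Vault fetches and ACME renewals down with it. If resolved was only disabled for troubleshooting, re-enabling it with DNS-over-TLS configured would keep lookups for the Vault and storage endpoints off the wire in clear without the static file.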
@@ -1,43 +0,0 @@ -{config, ...}: let - secrets = config.services.secrets.secrets; - - data = import ../../../data/chaos_wireguard_internal.nix {}; -in { - networking.wg-quick.interfaces = { - wg0 = { - address = ["${data.hosts.hetzner-vm.ip}/32"]; - listenPort = 51820; - privateKeyFile = "${secrets.wg_privkey.path}"; - peers = [ - # vault - { - publicKey = "${data.hosts.vault.public}"; - presharedKeyFile = "${secrets.wg_preshared_vault.path}"; - endpoint = "${data.hosts.vault.endpoint}"; - allowedIPs = ["${data.hosts.vault.ip}/32"]; - } - # iphone8 - { - publicKey = "${data.hosts.iphone8.public}"; - presharedKeyFile = "${secrets.wg_preshared_iphone8.path}"; - allowedIPs = ["${data.hosts.iphone8.ip}/32"]; - } - # lappy-t495 - { - publicKey = "${data.hosts.lappy-t495.public}"; - presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}"; - allowedIPs = ["${data.hosts.lappy-t495.ip}/32"]; - } - # raspberry - { - publicKey = "${data.hosts.raspberry.public}"; - presharedKeyFile = "${secrets.wg_preshared_raspberry.path}"; - allowedIPs = ["${data.hosts.raspberry.ip}/32"]; - endpoint = "${data.hosts.raspberry.endpoint}"; - persistentKeepalive = 25; - } - ]; - }; - }; - networking.firewall.allowedUDPPorts = [51820]; -} diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix index 8853b8a..a3a256f 100644 --- a/hosts/hetzner-vm/secrets.nix +++ b/hosts/hetzner-vm/secrets.nix @@ -51,6 +51,9 @@ in { "passwords/data/mail" "private-public-keys/data/wireguard/chaos-internal/hetzner-vm" + + "private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm" + "private-public-keys/data/restic/Mail" "private-public-keys/data/restic/Social" "private-public-keys/data/restic/Quassel" @@ -71,7 +74,7 @@ in { ''; }; # for wireguard - wg_privkey = { + wg_priv = { fetchScript = '' simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile" ''; 
@@ -214,6 +217,33 @@ in { echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile" ''; }; + piped_cockroachdb_ca_certificate = { + user = "cockroachdb-piped"; + group = "cockroachdb-piped"; + permissions = "600"; + fetchScript = '' + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .ca_certificate \ + | base64 -d > "$secretFile" + ''; + }; + piped_cockroachdb_node_certificate = { + user = "cockroachdb-piped"; + group = "cockroachdb-piped"; + permissions = "600"; + fetchScript = '' + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_certificate \ + | base64 -d > "$secretFile" + ''; + }; + piped_cockroachdb_node_key = { + user = "cockroachdb-piped"; + group = "cockroachdb-piped"; + permissions = "600"; + fetchScript = '' + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_key \ + | base64 -d > "$secretFile" + ''; + }; }; }; } diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix index 954d0d2..38e4b0d 100644 --- a/hosts/lappy-t495/lappy-t495.nix +++ b/hosts/lappy-t495/lappy-t495.nix @@ -10,9 +10,7 @@ presets.nixos.encrypted-usb profiles.cross.arm64 - profiles.remote-builders - - hosts.lappy-t495.profiles.wireguard + #profiles.remote-builders ./secrets.nix ]; diff --git a/hosts/raspberry/rclone_config.template b/hosts/raspberry/data/rclone_config.template similarity index 100% rename from hosts/raspberry/rclone_config.template rename to hosts/raspberry/data/rclone_config.template diff --git a/hosts/raspberry/profiles/cockroachdb.nix b/hosts/raspberry/profiles/cockroachdb.nix new file mode 100644 index 0000000..1e1169c --- /dev/null +++ b/hosts/raspberry/profiles/cockroachdb.nix 
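Review bot: Each of the three fetchScripts pipes `simple_get … | base64 -d > "$secretFile"`, so if `simple_get` fails (Vault sealed, policy missing) `base64 -d` still succeeds on empty input and a zero-byte `ca.crt`/`node.crt`/`node.key` is written and reported as fetched — unless `secrets-lib` wraps fetchScripts in `set -o pipefail`, which I cannot see from here. Start each script with `set -o pipefail` or check `[ -s "$secretFile" ]` afterwards so an empty key fails the secrets run instead of surfacing later as a CockroachDB TLS error. The three entries differ only in the jq selector; a small let-bound helper `cockroachSecret = field: { … }` would keep the user/group/permissions in one place.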
@@ -0,0 +1,22 @@ +{tree, ...}: let + internal_wireguard = import ../../../data/chaos_wireguard_internal.nix {}; +in { + imports = with tree; [ + profiles.cockroachdb-bin-fix + ]; + + systemd.tmpfiles.rules = [ + "d /var/lib/cockroachdb-certs - root root" + ]; + + services.cockroachdb = { + enable = true; + certsDir = "/var/lib/cockroachdb-certs"; + join = "localhost:26257,${internal_wireguard.hosts.hetzner-vm.ip}:26257"; + # ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry + http = { + address = "0.0.0.0"; + port = 8080; + }; + }; +} diff --git a/hosts/raspberry/profiles/piped-proxy.nix b/hosts/raspberry/profiles/piped.nix similarity index 100% rename from hosts/raspberry/profiles/piped-proxy.nix rename to hosts/raspberry/profiles/piped.nix diff --git a/hosts/raspberry/profiles/rclone.nix b/hosts/raspberry/profiles/rclone.nix new file mode 100644 index 0000000..a17126a --- /dev/null +++ b/hosts/raspberry/profiles/rclone.nix @@ -0,0 +1,28 @@ +{pkgs, ...}: let + rclone-raspberry = pkgs.writeShellScriptBin "rclone-raspberry" (let + vault = "${pkgs.vault-bin}/bin/vault"; + jq = "${pkgs.jq}/bin/jq"; + rclone = "${pkgs.rclone}/bin/rclone"; + in '' + TMP_DIR="$(mktemp -d)" + + cp ${../data/rclone_config.template} "$TMP_DIR/rclone.conf" + + vault-login 2>&1 + + STORAGEBOX_PASSWORD=$(${vault} kv get -format json "/api-keys/hetzner/storagebox" \ + | ${jq} -r ".data.data.password") + STORAGEBOX_PASSWORD=$(rclone obscure "$STORAGEBOX_PASSWORD") + + sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$TMP_DIR/rclone.conf" + + ${rclone} --config "$TMP_DIR/rclone.conf" "$@" + returnVal=$? + + rm -rf "$TMP_DIR" + + return returnVal + ''); +in { + environment.systemPackages = with pkgs; [rclone rclone-raspberry]; +} diff --git a/hosts/raspberry/profiles/wireguard.nix b/hosts/raspberry/profiles/wireguard.nix index 33afd1e..31ddcea 100644 --- a/hosts/raspberry/profiles/wireguard.nix +++ b/hosts/raspberry/profiles/wireguard.nix 
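Review bot: `http.address = "0.0.0.0"` with `port = 8080` exposes the admin UI on every interface, including wlan0, which this commit adds to `trustedInterfaces` in `profiles/wireguard.nix`; the `ssh -L 8080:127.0.0.1:8080` comment says the UI is meant to be tunnelled, so bind `127.0.0.1` here. `listen` is not set at all, so the SQL port falls back to the module default; if that is loopback (as I recall) hetzner-vm's `join` entry for `10.69.42.5:26257` cannot connect, and if it is all interfaces the SQL port is open to the wifi LAN — either way `listen.address = internal_wireguard.hosts.raspberry.ip;` is the line that states what is intended. The `# ssh -L …` comment is useful; add one more stating that the node runs in secure mode because of `certsDir` and that the certs arrive via `secrets.nix`.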
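Review bot: `return returnVal` at the end of `rclone-raspberry` is a bug: `return` outside a function fails in bash, and `returnVal` is missing its `$`, so the wrapper never passes rclone's exit status back to the caller (it ends with the builtin's error instead) — use `exit "$returnVal"`. The `rm -rf "$TMP_DIR"` cleanup is also skipped whenever rclone is interrupted, leaving the config with the obscured storagebox password on disk; install `trap 'rm -rf "$TMP_DIR"' EXIT` right after `mktemp -d` and drop the manual `rm`. `rclone obscure` is the one call not qualified with `${rclone}` (it relies on PATH) — `STORAGEBOX_PASSWORD=$(${rclone} obscure "$STORAGEBOX_PASSWORD")` keeps it consistent — and the `sed` substitution places the obscured password in a process argument visible to other users via `ps`; passing it through rclone's `RCLONE_CONFIG_<REMOTE>_PASS` environment variable avoids both the argv exposure and the temp file.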
@@ -4,11 +4,12 @@ persistentKeepalive = 15; in { - networking.firewall.trustedInterfaces = ["wg0"]; + networking.firewall.trustedInterfaces = ["wg0" "wlan0"]; networking.firewall.allowedUDPPorts = [51820]; networking.wg-quick.interfaces = { wg0 = { - address = ["${data.hosts.raspberry.ip}/32"]; + address = ["${data.hosts.raspberry.ip}/24"]; + listenPort = 51820; privateKeyFile = "${secrets.wg_priv.path}"; peers = [ @@ -16,7 +17,7 @@ in { { publicKey = "${data.hosts.hetzner-vm.public}"; presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}"; - allowedIPs = ["${data.hosts.hetzner-vm.ip}/24"]; + allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"]; endpoint = "${data.hosts.hetzner-vm.endpoint}"; inherit persistentKeepalive; } diff --git a/hosts/raspberry/raspberry.nix b/hosts/raspberry/raspberry.nix index 7a4272d..40f3e6a 100644 --- a/hosts/raspberry/raspberry.nix +++ b/hosts/raspberry/raspberry.nix @@ -8,6 +8,9 @@ }: let secrets = config.services.secrets.secrets; in { + networking.firewall.enable = true; + networking.firewall.allowPing = true; + imports = with tree; [ users.root @@ -30,8 +33,10 @@ in { ++ (with hosts.raspberry.profiles; [ external-drive wireguard - piped-proxy + cockroachdb + piped auto-storage-backups + rclone ]); environment.systemPackages = [ diff --git a/hosts/raspberry/secrets.nix b/hosts/raspberry/secrets.nix index fab461f..c44e766 100644 --- a/hosts/raspberry/secrets.nix +++ b/hosts/raspberry/secrets.nix @@ -11,10 +11,11 @@ ''; requiredVaultPaths = [ + "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry" "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically "private-public-keys/data/wireguard/chaos-internal/raspberry" "passwords/data/wifi/parentals-home" - "api-keys/data/hetzner/storagebox" + "api-keys/data/hetzner/storagebox" # also used dynamically ]; secrets = { 
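Review bot: `networking.firewall.trustedInterfaces = ["wg0" "wlan0"]` switches the firewall off for everything arriving over the wifi (the home network whose password comes from `passwords/data/wifi/parentals-home`), which after this commit includes CockroachDB's SQL listener on 26257 and its admin UI bound on `0.0.0.0:8080` — every device on that LAN can reach them. Nothing in the diff says why wlan0 needs to be trusted; if one service must be reachable from the LAN, open only that port with `networking.firewall.interfaces.wlan0.allowedTCPPorts = [ … ];` and leave the interface untrusted. `networking.firewall.enable = true` in `raspberry.nix` is a good addition but is undone on this interface by the trust entry. The `/24` on the interface address together with the `/32` allowedIPs for hetzner-vm is the right combination.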
@@ -47,22 +48,43 @@ ''; }; - rclone_config = { + piped_cockroachdb_ca_certificate = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/ca.crt"; fetchScript = '' - TMP_DIR="$(mktemp -d)" - - cp ${./rclone_config.template} "$TMP_DIR/template" - - pushd "$TMP_DIR" >/dev/null - - STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password) - sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" ./template - - cp ./template "$secretFile" - - popd >/dev/null - - rm -rf "$TMP_DIR" + if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then + mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" + fi + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \ + | base64 -d > "$secretFile" + ''; + }; + piped_cockroachdb_node_certificate = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/node.crt"; + fetchScript = '' + if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then + mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" + fi + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \ + | base64 -d > "$secretFile" + ''; + }; + piped_cockroachdb_node_key = { + user = "cockroachdb"; + group = "cockroachdb"; + permissions = "600"; + path = "/var/lib/cockroachdb-certs/node.key"; + fetchScript = '' + if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then + mkdir -p "$SYSROOT/var/lib/cockroachdb-certs" + fi + simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \ + | base64 -d > "$secretFile" ''; }; diff --git a/hosts/vault/profiles/vault.nix b/hosts/vault/profiles/vault.nix index 9b352c4..9935604 100644 --- a/hosts/vault/profiles/vault.nix +++ b/hosts/vault/profiles/vault.nix @@ -9,8 +9,6 @@ ''; }; - networking.firewall.allowedTCPPorts = [80 443]; - services.nginx.virtualHosts."vault.owo.monster" = { forceSSL = true; enableACME = true; 
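Review bot: The `mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"` guard is copied into all three fetchScripts, while `profiles/cockroachdb.nix` in this same commit also creates the directory through `systemd.tmpfiles.rules`; if `secrets-init` runs before tmpfiles the mkdir is needed and the tmpfiles rule is redundant, otherwise the reverse — pick one and comment why. As on hetzner-vm, `simple_get … | base64 -d > "$secretFile"` writes an empty file when `simple_get` fails unless the secrets lib sets `pipefail` around fetchScripts; add `set -o pipefail` at the top of each script, or factor the three entries into one helper that does.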
diff --git a/hosts/vault/profiles/wireguard.nix b/hosts/vault/profiles/wireguard.nix deleted file mode 100644 index c829462..0000000 --- a/hosts/vault/profiles/wireguard.nix +++ /dev/null @@ -1,44 +0,0 @@ -{config, ...}: let - secrets = config.services.secrets.secrets; - data = import ../../../data/chaos_wireguard_internal.nix {}; -in { - networking.wg-quick.interfaces = { - wg0 = { - address = ["10.69.42.2/32"]; - listenPort = 51820; - privateKeyFile = "${secrets.wg_priv.path}"; - - peers = [ - # hetzner-vm - { - publicKey = "${data.hosts.hetzner-vm.public}"; - presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}"; - allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"]; - endpoint = "${data.hosts.hetzner-vm.endpoint}"; - persistentKeepalive = 25; - } - # iphone8 - { - publicKey = "${data.hosts.iphone8.public}"; - presharedKeyFile = "${secrets.wg_preshared_iphone8.path}"; - allowedIPs = ["${data.hosts.iphone8.ip}/32"]; - } - # lappy-t495 - { - publicKey = "${data.hosts.lappy-t495.public}"; - presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}"; - allowedIPs = ["${data.hosts.lappy-t495.ip}/32"]; - } - # raspberry - { - publicKey = "${data.hosts.raspberry.public}"; - presharedKeyFile = "${secrets.wg_preshared_raspberry.path}"; - allowedIPs = ["${data.hosts.raspberry.ip}/32"]; - endpoint = "${data.hosts.raspberry.endpoint}"; - persistentKeepalive = 25; - } - ]; - }; - }; - networking.firewall.allowedUDPPorts = [51820]; -} diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix index 7a7b916..50ed79c 100644 --- a/hosts/vault/secrets.nix +++ b/hosts/vault/secrets.nix @@ -3,8 +3,6 @@ enable = true; requiredVaultPaths = [ - "private-public-keys/data/wireguard/chaos-internal/vault" - "private-public-keys/data/restic/Vault" "api-keys/data/storage/restic/Vault" 
@@ -23,31 +21,6 @@
 echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
 '';
 };
- wg_priv = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > "$secretFile"
- '';
- };
- wg_preshared_hetzner-vm = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > "$secretFile"
- '';
- };
- wg_preshared_iphone8 = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > "$secretFile"
- '';
- };
- wg_preshared_lappy-t495 = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.lappy_t495" > "$secretFile"
- '';
- };
- wg_preshared_raspberry = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.raspberry" > "$secretFile"
- '';
- };
 };
 };
 }
diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix
index 8a01c75..0d7f366 100644
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@@ -7,9 +7,8 @@
 profiles.nix-gc
 profiles.nginx
 profiles.nginx-firewall
- profiles.kernels.latest
+ profiles.chaos-internal-wireguard
- hosts.vault.profiles.wireguard
 hosts.vault.profiles.vault
 hosts.vault.profiles.restic
diff --git a/modules/nixos/secrets-lib/lib.nix b/modules/nixos/secrets-lib/lib.nix
index eec08ce..38f6bad 100644
--- a/modules/nixos/secrets-lib/lib.nix
+++ b/modules/nixos/secrets-lib/lib.nix
@@ -172,7 +172,7 @@
 }
 getGroupID() {
- stat --format "%G" "$1" 2>/dev/null
+ stat --format "%g" "$1" 2>/dev/null
 }
 userNameMatches() {
diff --git a/outputs.nix b/outputs.nix
index fb0f328..8d52cef 100644
--- a/outputs.nix
+++ b/outputs.nix
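Review bot: `profiles.kernels.latest` is dropped from the vault host's import list in the same hunk that replaces `hosts.vault.profiles.wireguard` with `profiles.chaos-internal-wireguard`; that changes which kernel the host boots and has nothing to do with the WireGuard refactor. If it is deliberate, a comment on the import list (e.g. `# stays on the default kernel: <reason>`) or a separate commit would make it reviewable; if it is an accidental casualty of the rebase, the line should come back. The import list continues outside the hunk.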
@@ -55,9 +55,32 @@ in
 inherit (pkgs) comic-code comic-sans;
 inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive;
 inherit (pkgs) gotosocial;
+ inherit (pkgs) cockroachdb;
 };
 }
+ # internal wireguard scripts
+ (let
+ internalWireguardLib = import ./extras/internal-wireguard-lib.nix {
+ inherit (nixpkgs) lib;
+ inherit pkgs;
+ };
+
+ wireguard_data = import ./data/chaos_wireguard_internal.nix {};
+ hostsWithWireguard = builtins.attrNames wireguard_data.hosts;
+ in {
+ packages = mergeAttrsList [
+ (mergeAttrsList (
+ lib.forEach hostsWithWireguard (hostName: {
+ "wg-keys-init-${hostName}" = internalWireguardLib.genInitScript hostName;
+ })
+ ))
+ {
+ "wg-keys-init-all" = internalWireguardLib.initAllScript;
+ }
+ ];
+ })
+
 # secrets-init, secrets-check and vault-policy for machines and containers
 (let
 secretsLib = import ./modules/nixos/secrets-lib/lib.nix {
diff --git a/overlay/cockroachdb-bin/default.nix b/overlay/cockroachdb-bin/default.nix
new file mode 100644
index 0000000..9e87104
--- /dev/null
+++ b/overlay/cockroachdb-bin/default.nix
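Review bot: `./data/chaos_wireguard_internal.nix` is imported a second time here only to list host names, although `internal-wireguard-lib.nix` imported three lines above already reads the same file; exporting the list from the library (`hostNames = attrNames wireguard_hosts;` there, `hostsWithWireguard = internalWireguardLib.hostNames;` here) keeps one source of truth for which hosts get a `wg-keys-init-*` package. From their names these scripts (re)initialise per-host key material in Vault, and this hunk makes them a `nix run .#wg-keys-init-<host>` away for anyone holding a Vault token, so a one-line comment above `# internal wireguard scripts` saying what running one does to the existing keys and when it is meant to be run would spare the next person a surprise. The surrounding `mergeAttrsList` expression starts and ends outside the hunk.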
@@ -0,0 +1,48 @@
+{
+ lib,
+ stdenv,
+ autoPatchelfHook,
+ fetchzip,
+}:
+stdenv.mkDerivation rec {
+ pname = "cockroachdb-bin";
+ version = "23.1.9";
+
+ src = let
+ inherit (stdenv.hostPlatform) system;
+ selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
+ suffix = selectSystem {
+ x86_64-linux = "linux-amd64";
+ aarch64-linux = "linux-arm64";
+ };
+ sha256 = selectSystem {
+ x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU=";
+ aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s=";
+ };
+ in
+ fetchzip {
+ url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz";
+ inherit sha256;
+ };
+
+ dontConfigure = true;
+ dontBuild = true;
+ dontStrip = stdenv.isDarwin;
+
+ nativeBuildInputs = [autoPatchelfHook];
+
+ installPhase = ''
+ runHook preInstall
+ install -D cockroach $out/bin/cockroach
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ homepage = "https://www.cockroachlabs.com";
+ description = "A scalable, survivable, strongly-consistent SQL database";
+ license = licenses.bsl11;
+ mainProgram = "cockroach";
+ sourceProvenance = with sourceTypes; [binaryNativeCode];
+ platforms = ["x86_64-linux" "aarch64-linux"];
+ };
+}
diff --git a/overlay/default.nix b/overlay/default.nix
index 12b409d..7f67c4d 100644
--- a/overlay/default.nix
+++ b/overlay/default.nix
@@ -1,4 +1,4 @@
-final: prev: {
+final: prev: rec {
 comic-sans = final.callPackage ./comic-sans {};
 comic-code = final.callPackage ./comic-code {};
@@ -12,6 +12,9 @@ final: prev: {
 mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
 mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};
+ cockroachdb-bin = final.callPackage ./cockroachdb-bin {};
+ cockroachdb = cockroachdb-bin;
+
 gotosocial = prev.gotosocial.overrideAttrs (_old: let
 owner = "superseriousbusiness";
 repo = "gotosocial";
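Review bot: The two `sha256` values are the only integrity control on a prebuilt binary downloaded from `binaries.cockroachdb.com`, and nothing records how they were obtained, so the next version bump will most likely be done by pasting the hash out of a failed-build message, which verifies nothing. Add a comment above `sha256 = selectSystem {` naming the source, e.g. `# SRI hashes of the vendor archives; cross-check against the SHA256 sums CockroachDB publishes for the release before bumping version`. `dontStrip = stdenv.isDarwin;` is dead given that `platforms` lists only Linux; drop it, or write `dontStrip = true;` if not stripping the patched binary is the actual intent.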
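Review bot: `cockroachdb = cockroachdb-bin;` combined with the new `rec` on the overlay attrset binds the alias to this attrset's own `cockroachdb-bin`, not to the overlay fixpoint, so a later overlay or an `overrideAttrs` on `cockroachdb-bin` is never seen by `cockroachdb` and therefore not by whatever defaults `services.cockroachdb.package` to it. Write `cockroachdb = final.cockroachdb-bin;` and drop `rec`, which is the usual overlay idiom and also removes the `rec` from the first hunk of this file. Shadowing nixpkgs' source-built `cockroachdb` with a vendor binary for every consumer of the overlay also deserves a one-line comment on the alias saying why, so it is not mistaken for the upstream package.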
diff --git a/profiles/chaos-internal-wireguard/secrets.nix b/profiles/chaos-internal-wireguard/secrets.nix
new file mode 100644
index 0000000..bd50a8a
--- /dev/null
+++ b/profiles/chaos-internal-wireguard/secrets.nix
@@ -0,0 +1,43 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ inherit (lib.modules) mkMerge;
+ inherit (lib.lists) forEach filter;
+ inherit (builtins) hasAttr;
+
+ wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
+ wireguard_hosts = wireguard_data.hosts;
+
+ currentHostName = config.networking.hostName;
+ currentHostConfig = wireguard_hosts.${currentHostName};
+in {
+ services.secrets = {
+ enable = true;
+
+ requiredVaultPaths = [
+ "private-public-keys/data/wireguard/chaos-internal/${currentHostName}"
+ ];
+
+ secrets = mkMerge ([
+ {
+ wg_priv = {
+ fetchScript = ''
+ simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
+ '';
+ };
+ }
+ ]
+ ++ (forEach (filter (hostName: (hostName != currentHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (builtins.attrNames wireguard_hosts)) (
+ hostName: let
+ in {
+ "wg_preshared_${hostName}" = {
+ fetchScript = ''
+ simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" ".preshared_keys.\"${hostName}\"" > "$secretFile"
+ '';
+ };
+ }
+ )));
+ };
+}
diff --git a/profiles/chaos-internal-wireguard/wireguard.nix b/profiles/chaos-internal-wireguard/wireguard.nix
new file mode 100644
index 0000000..c55b6a1
--- /dev/null
+++ b/profiles/chaos-internal-wireguard/wireguard.nix
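Review bot: The preshared-key lookup on the `"wg_preshared_${hostName}"` entry uses the hyphenated host name as the JSON key (`.preshared_keys."hetzner-vm"`, `.preshared_keys."lappy-t495"`), while the per-host fetchers this commit deletes from `hosts/vault/secrets.nix` read underscore keys (`.preshared_keys.hetzner_vm`, `.preshared_keys.lappy_t495`); unless every host's Vault entry has been regenerated with hyphenated keys, the lookup most likely yields `null` and that literal ends up in the preshared-key file. Worth confirming against the key-generation side, and worth a comment on that line stating the expected Vault layout, e.g. `# preshared_keys is keyed by the peer's host name exactly as spelled in chaos_wireguard_internal.nix`. `currentHostConfig` is bound but never used, so a host missing from the data file is not caught here; either drop the binding or make the failure explicit with `assert hasAttr currentHostName wireguard_hosts;` before the `in`.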
@@ -0,0 +1,58 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (lib.modules) mkIf;
+ inherit (builtins) hasAttr;
+
+ # Assume this to be set
+ secrets = config.services.secrets.secrets;
+
+ wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
+ wireguard_hosts = wireguard_data.hosts;
+
+ currentHostName = config.networking.hostName;
+ currentHostConfig = wireguard_hosts.${currentHostName};
+in {
+ networking.firewall.allowPing = true;
+ networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
+
+ systemd.services.wireguard-debug = {
+ wantedBy = ["multi-user.target"];
+ partOf = ["wg-quick-wg0.service"];
+ script = ''
+ echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+ '';
+ };
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = ["${currentHostConfig.ip}/24"];
+ privateKeyFile = "${secrets.wg_priv.path}";
+ listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
+
+ peers = [
+ # hetzner-vm
+ (mkIf (currentHostName != "hetzner-vm") (let
+ host = wireguard_hosts."hetzner-vm";
+ in {
+ allowedIPs = ["${host.ip}/32"];
+ publicKey = host.public;
+ #presharedKeyFile = secrets.wg_preshared_hetzner-vm.path;
+ endpoint = host.endpoint or null;
+ }))
+ # vault
+ (mkIf (currentHostName != "vault") (let
+ host = wireguard_hosts."vault";
+ in {
+ allowedIPs = ["${host.ip}/32"];
+ publicKey = host.public;
+ #presharedKeyFile = secrets.wg_preshared_vault.path;
+ endpoint = host.endpoint or null;
+ }))
+ ];
+ };
+ };
+}
diff --git a/profiles/cockroachdb-bin-fix.nix b/profiles/cockroachdb-bin-fix.nix
new file mode 100644
index 0000000..873595a
--- /dev/null
+++ b/profiles/cockroachdb-bin-fix.nix
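Review bot: Both `presharedKeyFile` lines are commented out, so every peer is configured without a preshared key even though the sibling `secrets.nix` in this commit still fetches `wg_preshared_*` for each peer with an endpoint; the PSK is the extra symmetric layer WireGuard mixes into the handshake, and dropping it silently while keeping the secrets is easy to miss later. Re-enable it where the secret exists, `presharedKeyFile = mkIf (host ? endpoint) secrets."wg_preshared_hetzner-vm".path;` (and `wg_preshared_vault` for the vault peer), or delete the fetches and leave a comment saying why PSKs are not used. The peer list also covers only `hetzner-vm` and `vault`, so `raspberry`, which has an endpoint in the data file, is unreachable through this profile; presumably that is remaining migration work, but a `# TODO: generate peers from wireguard_hosts` would make it explicit. Separately, `wireguard-debug` turns on WireGuard's kernel debug messages unconditionally on every host that imports the profile and fails outright where debugfs is not mounted, so consider gating it behind an option or removing it before merge.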
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ escapeSystemdExecArg = arg: let
+ s =
+ if builtins.isPath arg
+ then "${arg}"
+ else if builtins.isString arg
+ then arg
+ else if builtins.isInt arg || builtins.isFloat arg
+ then toString arg
+ else throw "escapeSystemdExecArg only allows strings, paths and numbers";
+ in
+ lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s);
+
+ # Quotes a list of arguments into a single string for use in a Exec*
+ # line.
+ escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg;
+
+ cfg = config.services.cockroachdb;
+ crdb = cfg.package;
+
+ startupCommand =
+ escapeSystemdExecArgs
+ ([
+ # Basic startup
+ "${crdb}/bin/cockroach"
+ (
+ if (cfg.join != null)
+ then "start"
+ else "start-single-node"
+ )
+ "--logtostderr"
+ "--store=/var/lib/cockroachdb"
+
+ # WebUI settings
+ "--http-addr=${cfg.http.address}:${toString cfg.http.port}"
+
+ # Cluster listen address
+ "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
+
+ # Cache and memory settings.
+ "--cache=${cfg.cache}"
+ "--max-sql-memory=${cfg.maxSqlMemory}"
+
+ # Certificate/security settings.
+ (
+ if cfg.insecure
+ then "--insecure"
+ else "--certs-dir=${cfg.certsDir}"
+ )
+ ]
+ ++ lib.optional (cfg.join != null) "--join=${cfg.join}"
+ ++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
+ ++ cfg.extraArgs);
+in {
+ systemd.services.cockroachdb.serviceConfig.ExecStart = lib.mkForce startupCommand;
+}
diff --git a/profiles/nginx-firewall.nix b/profiles/nginx-firewall.nix
index 93e302c..ecb50b7 100644
--- a/profiles/nginx-firewall.nix
+++ b/profiles/nginx-firewall.nix
@@ -1,4 +1,4 @@
 {...}: {
 networking.firewall.allowedTCPPorts = [80 443];
 networking.firewall.allowedUDPPorts = [80 443];
-}
\ No newline at end of file
+}
diff --git a/scripts/deploy-all.sh b/scripts/deploy-all.sh
index e5cca12..c807729 100755
--- a/scripts/deploy-all.sh
+++ b/scripts/deploy-all.sh
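Review bot: The module overrides the service's `ExecStart` with `lib.mkForce` but nothing says what is being fixed, so a reader cannot tell which upstream flag or behaviour breaks the prebuilt `cockroach` binary, or when the override can be retired. Add a header comment above the `escapeSystemdExecArg` helper along the lines of `# Rebuilds services.cockroachdb's ExecStart for the prebuilt binary from overlay/cockroachdb-bin: <what differs from the upstream module>; copied from nixpkgs <rev>, drop once upstream handles it`, with the actual reason filled in. Because the argument list appears to mirror the upstream module's, any flag nixpkgs adds later will be silently lost here, which is a second reason to pin the origin and the reason in that comment. `"${crdb}/bin/cockroach"` could also be `lib.getExe crdb`, since the binary package sets `mainProgram`.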
@@ -8,7 +8,7 @@ cd $(git rev-parse --show-toplevel)
 HOSTNAME=$(hostname)
-[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
-[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh $@
-[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh $@
-[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh $@
\ No newline at end of file
+[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh "$@"
+[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh "$@"
+[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh "$@"
+[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh "$@"
\ No newline at end of file
diff --git a/scripts/deploy-secrets.sh b/scripts/deploy-secrets.sh
new file mode 100755
index 0000000..52877c3
--- /dev/null
+++ b/scripts/deploy-secrets.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+cd $(git rev-parse --show-toplevel)
+
+ARCH=${1}
+HOSTNAME=${2}
+SSH=${3}
+CONTAINER=${4}
+
+OPTIONAL_CONTAINER=
+if [ -n "$CONTAINER" ]; then
+ OPTIONAL_CONTAINER="-container-${CONTAINER}"
+fi
+
+nix build --system ${ARCH} ".#secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
+nix-copy-closure --to ${SSH} --use-substitutes $(readlink result)
+ssh ${SSH} "$(readlink result)/bin/secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
\ No newline at end of file
diff --git a/scripts/deploy/hetzner-vm.sh b/scripts/deploy/hetzner-vm.sh
index 078f236..c60c5f5 100755
--- a/scripts/deploy/hetzner-vm.sh
+++ b/scripts/deploy/hetzner-vm.sh
@@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 cd $(git rev-parse --show-toplevel)
-nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s $@
\ No newline at end of file
+nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s "$@"
\ No newline at end of file
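Review bot: In `deploy-secrets.sh` the required arguments `ARCH`, `HOSTNAME` and `SSH` are read from positional parameters with no check that they were supplied, and are then expanded unquoted in `nix build --system ${ARCH}`, `nix-copy-closure --to ${SSH}` and `ssh ${SSH}`; with only `set -e`, a missing argument still proceeds (an empty `--system` swallows the flake reference, `ssh ""` is attempted) and a value containing whitespace is word-split. Use `set -euo pipefail` and fail fast at the top, `: "${1:?usage: $0 ARCH HOSTNAME SSH [CONTAINER]}" "${2:?HOSTNAME missing}" "${3:?SSH target missing}"`, then quote every expansion (`"$ARCH"`, `"$SSH"`, `"$(readlink result)"`). The unquoted `cd $SCRIPT_DIR` / `cd $(git rev-parse --show-toplevel)` pair is carried over from the other deploy scripts and deserves the same quoting.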
diff --git a/scripts/deploy/raspberry.sh b/scripts/deploy/raspberry.sh
old mode 100644
new mode 100755
index c2512aa..1330182
--- a/scripts/deploy/raspberry.sh
+++ b/scripts/deploy/raspberry.sh
@@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 cd $(git rev-parse --show-toplevel)
-nixos-rebuild switch --flake .#raspberry --target-host raspberry -s $@
\ No newline at end of file
+nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@"
\ No newline at end of file
diff --git a/scripts/deploy/vault.sh b/scripts/deploy/vault.sh
old mode 100644
new mode 100755
index a76194f..036c644
--- a/scripts/deploy/vault.sh
+++ b/scripts/deploy/vault.sh
@@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 cd $(git rev-parse --show-toplevel)
-nixos-rebuild switch --flake .#vault --target-host vault -s $@
\ No newline at end of file
+nixos-rebuild switch --flake .#vault --target-host vault -s "$@"
\ No newline at end of file