lots of misc changes with wireguard and whatever

This commit is contained in:
chaos 2023-09-16 16:06:16 +01:00
parent d69991819a
commit 907785359f
No known key found for this signature in database
45 changed files with 697 additions and 268 deletions

View file

@ -1,28 +1,28 @@
{}: rec { {}: rec {
all = "10.69.42.1/32"; all = "10.69.42.1/24";
hosts = { hosts = {
hetzner-vm = { hetzner-vm = {
ip = "10.69.42.1"; ip = "10.69.42.1";
public = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc="; public = "liO33kMSEwuaaH4i6qDuorWssd9s/EfTBKBHQEbaDXE=";
endpoint = "hetzner-vm.servers.genderfucked.monster:51820"; endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
}; };
vault = { vault = {
ip = "10.69.42.2"; ip = "10.69.42.2";
public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc="; public = "GJ/IQ5W2Ch2vSiqcciKkrBA+pVycY2cibhvF1SFzi0I=";
endpoint = "vault.servers.genderfucked.monster:51820"; #endpoint = "vault.servers.genderfucked.monster:51820";
}; };
iphone8 = { iphone8 = {
ip = "10.69.42.3"; ip = "10.69.42.3";
public = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw="; public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
}; };
lappy-t495 = { lappy-t495 = {
ip = "10.69.42.4"; ip = "10.69.42.4";
public = "rEioKieZqI3UaJGGaSC/yaHfdZE9VKpsq355x4dHgCs="; public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
}; };
raspberry = { raspberry = {
ip = "10.69.42.5"; ip = "10.69.42.5";
public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc="; public = "ld5XI4l/Gmr5JWg8r5midy7MTIgZkWVhMPsJqzIonng=";
endpoint = "raspberry.servers.genderfucked.monster:51820"; endpoint = "raspberry.servers.genderfucked.monster:51820";
}; };
}; };

View file

@ -0,0 +1,95 @@
{
lib,
pkgs,
...
}: let
wireguard_data = import ../data/chaos_wireguard_internal.nix {};
wireguard_hosts = wireguard_data.hosts;
inherit (pkgs) writeShellScriptBin;
inherit (lib.lists) forEach filter;
inherit (builtins) hasAttr attrNames;
kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";
in rec {
initAllScript = writeShellScriptBin "wg-keys-init-all" (let
vault = "${pkgs.vault-bin}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
in ''
${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
if [ -z "$PRESHARED_ONLY" ]; then
echo "{}" | vault kv put "${kvPathForHost hostName}" - 2>/dev/null
fi
''))}
${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
echo "Deploying keys for ${hostName}"
"${genInitScript hostName}/bin/wg-keys-init-${hostName}"
''))}
${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
echo
PUBLIC=$(${vault} kv get -format=json "${kvPathForHost hostName}" | ${jq} .data.data.public)
echo "Public Key for ${hostName}: $PUBLIC"
''))}
'');
genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
vault = "${pkgs.vault-bin}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
wg = "${pkgs.wireguard-tools}/bin/wg";
sponge = "${pkgs.moreutils}/bin/sponge";
hostsWithEndpoints = filter (hostName: (hostName != systemHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (attrNames wireguard_hosts);
in ''
PRIVATE=$(${wg} genkey)
PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey)
TMP_DIR=$(mktemp -d)
pushd "$TMP_DIR"
echo "{}" > currentHost.json
if [ -z "$PRESHARED_ONLY" ]; then
${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json
${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json
fi
${jq} '.preshared_keys = {}' currentHost.json | ${sponge} currentHost.json
${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: ''
echo "Generating preshared key for ${hostName}"
PSK=$(${wg} genpsk)
${jq} ".preshared_keys.\"${hostName}\" = \"$PSK\"" currentHost.json | ${sponge} currentHost.json
''))}
${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: ''
echo "Deploying preshared key for ${hostName}"
PSK=$(jq -r '.preshared_keys."${hostName}"' currentHost.json)
${vault} kv get -format=json "${kvPathForHost hostName}" 2>/dev/null | jq -r .data.data > otherHost.json
${jq} ".preshared_keys.\"${systemHostName}\" = \"$PSK\"" otherHost.json | ${sponge} otherHost.json
cat otherHost.json | vault kv put "${kvPathForHost hostName}" - 2>/dev/null
rm otherHost.json
''))}
if [ -z "$PRESHARED_ONLY" ]; then
cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null
cat currentHost.json | jq
fi
rm currentHost.json
popd
rm -rf "$TMP_DIR"
echo "Public Key for ${systemHostName}: $PUBLIC"
''));
}

View file

@ -119,11 +119,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1694469544, "lastModified": 1694643239,
"narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "5171f5ef654425e09d9c2100f856d887da595437", "rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -160,11 +160,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1694422566, "lastModified": 1694669921,
"narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=", "narHash": "sha256-6ESpJ6FsftHV96JO/zn6je07tyV2dlLR7SdLsmkegTY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb", "rev": "f2ea252d23ebc9a5336bf6a61e0644921f64e67c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -176,11 +176,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1694547969, "lastModified": 1694778311,
"narHash": "sha256-rcP53Lh8T0SywogEVPByeSXjExzpfZdd85fubbxgXYo=", "narHash": "sha256-Hu5U9pXwMqUjWF7uh4SKqdKy1QMy9RVGxmst11srSgA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "6006151c90751e36c5dd68a7f754c3d26c8a55c1", "rev": "7a673ac1f35648a908730206a2793b0e3818bc25",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -202,11 +202,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1694714112, "lastModified": 1694730023,
"narHash": "sha256-x2CgsEvWIf4ETx4puLqmHrPthesNXW30OMYg4pVJARg=", "narHash": "sha256-/J7ZPye0T1idRgvpa7oHJnON3rzIniv4tXiMP2sj3tk=",
"owner": "ChaotiCryptidz", "owner": "ChaotiCryptidz",
"repo": "piped-flake", "repo": "piped-flake",
"rev": "c5ad01eac79809686d9685671e77a6dac4e17ddf", "rev": "1729b90a2e81b95f0158720816b174532a9b1f2b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {

View file

@ -12,6 +12,7 @@
# nixpkgs Unstable Inputs # nixpkgs Unstable Inputs
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager-unstable.url = "github:nix-community/home-manager"; home-manager-unstable.url = "github:nix-community/home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable"; home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";

View file

@ -8,5 +8,6 @@
rsync rsync
openssh openssh
nmap nmap
tcpdump
]; ];
} }

View file

@ -65,9 +65,10 @@
size = 14.0; size = 14.0;
}; };
statusCommand = lib.escapeShellArgs [ statusCommand = lib.escapeShellArgs [
"${pkgs.gobar}/bin/gobar" "/home/chaos/Projects/rustbar/target/debug/rustbar"
"-config" #"${pkgs.gobar}/bin/gobar"
"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time" #"-config"
#"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
]; ];
} }
{command = "${pkgs.waybar}/bin/waybar";} {command = "${pkgs.waybar}/bin/waybar";}

View file

@ -3,6 +3,7 @@
lib, lib,
inputs, inputs,
config, config,
pkgs,
... ...
}: let }: let
ports = [ ports = [
@ -53,12 +54,14 @@ in {
}))) })))
]; ];
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: { config = {config, ...}: {
_module.args = { nixpkgs.pkgs = pkgs;
inherit inputs;
inherit tree;
host_secrets = secrets;
};
imports = with tree; imports = with tree;
[ [

View file

@ -3,6 +3,7 @@
lib, lib,
inputs, inputs,
config, config,
pkgs,
... ...
}: let }: let
container-addresses = import ../../data/container-addresses.nix {}; container-addresses = import ../../data/container-addresses.nix {};
@ -41,12 +42,14 @@ in {
}; };
})); }));
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: { config = {config, ...}: {
_module.args = { nixpkgs.pkgs = pkgs;
inherit inputs;
inherit tree;
host_secrets = secrets;
};
imports = with tree; imports = with tree;
[ [

View file

@ -1,4 +1,7 @@
{}: { {}: {
piped-backend = 3012; piped-backend = 3012;
piped-proxy = 3013; piped-proxy = 3013;
cockroachdb = 26257;
cockroachdb-http = 3014;
} }

View file

@ -3,13 +3,13 @@
lib, lib,
inputs, inputs,
config, config,
pkgs,
... ...
}: let }: let
internal_wireguard = import ../../../../data/chaos_wireguard_internal.nix {}; #container-addresses = import ../../data/container-addresses.nix {};
#hostIP = container-addresses.host;
container-addresses = import ../../data/container-addresses.nix {}; #containerIP = container-addresses.containers.piped;
hostIP = container-addresses.host; containerConfig = config.containers.piped.config;
containerIP = container-addresses.containers.piped;
ports = import ./data/ports.nix {}; ports = import ./data/ports.nix {};
@ -18,6 +18,18 @@
secrets_list = [ secrets_list = [
"piped_restic_env" "piped_restic_env"
"piped_restic_password" "piped_restic_password"
{
name = "piped_cockroachdb_ca_certificate";
path = "/var/lib/cockroachdb-certs/ca.crt";
}
{
name = "piped_cockroachdb_node_certificate";
path = "/var/lib/cockroachdb-certs/node.crt";
}
{
name = "piped_cockroachdb_node_key";
path = "/var/lib/cockroachdb-certs/node.key";
}
]; ];
containerName = "piped"; containerName = "piped";
@ -25,42 +37,69 @@
component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
); );
in { in {
# Create this directory outside the container so the bind mounts work
systemd.tmpfiles.rules = [
"d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root"
];
users.users."cockroachdb-piped" = {
uid = containerConfig.users.users.cockroachdb.uid;
group = "cockroachdb-piped";
};
users.groups."cockroachdb-piped" = {
gid = containerConfig.users.groups.cockroachdb.gid;
};
containers.piped = { containers.piped = {
autoStart = true; autoStart = true;
privateNetwork = true; #privateNetwork = false;
hostAddress = hostIP; #hostAddress = hostIP;
localAddress = containerIP; #localAddress = containerIP;
bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_name: let
path = "${secrets.${secret_name}.path}"; bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_item: let
secret =
if builtins.isString secret_item
then secrets.${secret_item}
else secrets.${secret_item.name};
hostPath = secret.path;
containerPath =
if builtins.isString secret_item
then hostPath
else secret_item.path;
in { in {
"${path}" = { "${containerPath}" = {
hostPath = "${path}"; inherit hostPath;
}; };
})); }));
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: { config = {config, ...}: {
_module.args = { nixpkgs.pkgs = pkgs;
inherit inputs;
inherit tree;
host_secrets = secrets;
};
imports = with tree; imports = with tree;
[ [
profiles.base profiles.base
inputs.home-manager-unstable.nixosModules.home-manager inputs.home-manager-unstable.nixosModules.home-manager
profiles.sshd #profiles.sshd
profiles.nginx profiles.nginx
profiles.cockroachdb-bin-fix
modules.nixos.secrets modules.nixos.secrets
inputs.piped-flake.nixosModules.default inputs.piped-flake.nixosModules.default
users.root users.root
] ]
++ (with hosts.hetzner-vm.containers.piped; [ ++ (with hosts.hetzner-vm.containers.piped.profiles; [
profiles.piped piped
profiles.restic restic
cockroachdb
]); ]);
# For Shared Secrets # For Shared Secrets
@ -86,7 +125,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."piped.owo.monster" = { services.nginx.virtualHosts."piped-fi.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -94,7 +133,7 @@ in {
}; };
}; };
services.nginx.virtualHosts."backend.piped.owo.monster" = { services.nginx.virtualHosts."backend.piped-fi.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -102,18 +141,12 @@ in {
}; };
}; };
services.nginx.virtualHosts."proxy.piped.owo.monster" = { services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://${internal_wireguard.hosts.raspberry.ip}"; proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
extraConfig = '' extraConfig = config.services.piped.proxyNginxExtraConfig;
proxy_set_header Host $host;
'';
#proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
#extraConfig = config.services.piped.proxyNginxExtraConfig;
}; };
}; };
networking.firewall.allowedTCPPorts = [4242];
} }

View file

@ -0,0 +1,16 @@
{...}: let
ports = import ../data/ports.nix {};
internal_wireguard = import ../../../../../data/chaos_wireguard_internal.nix {};
in {
services.cockroachdb = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = "localhost:${toString ports.cockroachdb},${internal_wireguard.hosts.raspberry.ip}:26257";
# ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm
listen.port = ports.cockroachdb;
http = {
address = "0.0.0.0";
port = ports.cockroachdb-http;
};
};
}

View file

@ -4,11 +4,19 @@
in { in {
config.services.piped = { config.services.piped = {
enable = true; enable = true;
frontendDomain = "piped.owo.monster"; frontendDomain = "piped-fi.owo.monster";
backendDomain = "backend.piped.owo.monster"; backendDomain = "backend.piped-fi.owo.monster";
proxyDomain = "proxy.piped.owo.monster"; proxyDomain = "proxy.piped-fi.owo.monster";
disableProxy = true; # Currently using proxy via raspberry in UK disableRegistrations = false;
postgresDBName = "piped";
postgresDBUsername = "piped";
postgresDBPassword = "piped";
postgresDBHost = "127.0.0.1";
postgresDBPort = 26257;
databaseDialect = "org.hibernate.dialect.CockroachDialect";
disablePostgresDB = true;
nginxForceSSL = false; nginxForceSSL = false;
nginxEnableACME = false; nginxEnableACME = false;
@ -29,11 +37,29 @@ in {
config.services.nginx.virtualHosts."${piped_config.frontendDomain}" = { config.services.nginx.virtualHosts."${piped_config.frontendDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-frontend.sock;"; extraConfig = "listen unix:/var/sockets/piped-frontend.sock;";
listen = [
{
addr = "127.0.0.1";
port = 9080;
}
];
}; };
config.services.nginx.virtualHosts."${piped_config.backendDomain}" = { config.services.nginx.virtualHosts."${piped_config.backendDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-backend.sock;"; extraConfig = "listen unix:/var/sockets/piped-backend.sock;";
listen = [
{
addr = "127.0.0.1";
port = 9080;
}
];
};
config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
listen = [
{
addr = "127.0.0.1";
port = 9080;
}
];
}; };
#config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
# extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
#};
} }

View file

@ -4,12 +4,11 @@
... ...
}: let }: let
secrets = host_secrets; secrets = host_secrets;
#backupPrepareCommand = "${
backupPrepareCommand = "${ # (pkgs.writeShellScriptBin "backupPrepareCommand" ''
(pkgs.writeShellScriptBin "backupPrepareCommand" '' # systemctl start postgresqlBackup-piped --wait
systemctl start postgresqlBackup-piped --wait # '')
'') #}/bin/backupPrepareCommand";
}/bin/backupPrepareCommand";
in { in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic
@ -24,7 +23,7 @@ in {
services.restic.backups.piped = { services.restic.backups.piped = {
user = "root"; user = "root";
paths = [ paths = [
"/var/backup/postgresql" #"/var/backup/postgresql"
]; ];
# repository is overrided in environmentFile to contain auth # repository is overrided in environmentFile to contain auth
@ -42,13 +41,13 @@ in {
OnCalendar = "daily"; OnCalendar = "daily";
}; };
inherit backupPrepareCommand; #inherit backupPrepareCommand;
}; };
services.postgresqlBackup = { #services.postgresqlBackup = {
enable = true; # enable = true;
backupAll = false; # backupAll = false;
databases = ["piped"]; # databases = ["piped"];
compression = "zstd"; # compression = "zstd";
}; #};
} }

View file

@ -3,6 +3,7 @@
lib, lib,
inputs, inputs,
config, config,
pkgs,
... ...
}: let }: let
container-addresses = import ../../data/container-addresses.nix {}; container-addresses = import ../../data/container-addresses.nix {};
@ -36,12 +37,14 @@ in {
}; };
})); }));
specialArgs = {
inherit inputs;
inherit tree;
host_secrets = secrets;
};
config = {config, ...}: { config = {config, ...}: {
_module.args = { nixpkgs.pkgs = pkgs;
inherit inputs;
inherit tree;
host_secrets = secrets;
};
imports = with tree; imports = with tree;
[ [

View file

@ -2,6 +2,7 @@
tree, tree,
inputs, inputs,
config, config,
pkgs,
... ...
}: let }: let
container-addresses = import ../../data/container-addresses.nix {}; container-addresses = import ../../data/container-addresses.nix {};
@ -28,16 +29,14 @@ in {
}; };
}; };
config = { specialArgs = {
config, inherit inputs;
pkgs, inherit tree;
... host_secrets = secrets;
}: { };
_module.args = {
inherit inputs; config = {config, ...}: {
inherit tree; nixpkgs.pkgs = pkgs;
host_secrets = secrets;
};
imports = with tree; imports = with tree;
[ [

View file

@ -2,6 +2,7 @@
tree, tree,
lib, lib,
inputs, inputs,
pkgs,
... ...
}: let }: let
container-addresses = import ../../data/container-addresses.nix {}; container-addresses = import ../../data/container-addresses.nix {};
@ -18,17 +19,14 @@ in {
privateNetwork = true; privateNetwork = true;
hostAddress = hostIP; hostAddress = hostIP;
localAddress = containerIP; localAddress = containerIP;
config = {
config, specialArgs = {
pkgs, inherit inputs;
... inherit tree;
}: let };
secrets = config.services.secrets.secrets;
in { config = {...}: {
_module.args = { nixpkgs.pkgs = pkgs;
inherit inputs;
inherit tree;
};
imports = with tree; imports = with tree;
[ [

View file

@ -14,8 +14,8 @@
profiles.nginx profiles.nginx
profiles.nginx-firewall profiles.nginx-firewall
profiles.nix-gc profiles.nix-gc
profiles.kernels.latest
profiles.cross.arm64 profiles.cross.arm64
profiles.chaos-internal-wireguard
./networking.nix ./networking.nix
./hardware.nix ./hardware.nix
@ -32,10 +32,13 @@
++ (with hosts.hetzner-vm.profiles; [ ++ (with hosts.hetzner-vm.profiles; [
vaultui vaultui
gitlab-static-sites gitlab-static-sites
wireguard
nginx-misc nginx-misc
]); ]);
boot.kernel.sysctl = {
"fs.inotify.max_user_watches" = 1024 * 64 * 4;
};
environment.systemPackages = with pkgs; environment.systemPackages = with pkgs;
[ [
(pkgs.writeShellScriptBin "journalctl-vaccum-all" '' (pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
@ -73,9 +76,6 @@
externalInterface = "eth0"; externalInterface = "eth0";
}; };
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [443];
home-manager.users.root = { home-manager.users.root = {
imports = with tree; [home.base home.dev.small]; imports = with tree; [home.base home.dev.small];
home.stateVersion = "23.05"; home.stateVersion = "23.05";

View file

@ -5,6 +5,9 @@
networking.firewall.allowPing = true; networking.firewall.allowPing = true;
networking.firewall.allowedTCPPorts = [22]; networking.firewall.allowedTCPPorts = [22];
services.resolved.enable = false;
environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
networking.enableIPv6 = true; networking.enableIPv6 = true;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.dhcpcd.enable = true; networking.dhcpcd.enable = true;

View file

@ -1,43 +0,0 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["${data.hosts.hetzner-vm.ip}/32"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_privkey.path}";
peers = [
# vault
{
publicKey = "${data.hosts.vault.public}";
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
endpoint = "${data.hosts.vault.endpoint}";
allowedIPs = ["${data.hosts.vault.ip}/32"];
}
# iphone8
{
publicKey = "${data.hosts.iphone8.public}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["${data.hosts.iphone8.ip}/32"];
}
# lappy-t495
{
publicKey = "${data.hosts.lappy-t495.public}";
presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
}
# raspberry
{
publicKey = "${data.hosts.raspberry.public}";
presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
allowedIPs = ["${data.hosts.raspberry.ip}/32"];
endpoint = "${data.hosts.raspberry.endpoint}";
persistentKeepalive = 25;
}
];
};
};
networking.firewall.allowedUDPPorts = [51820];
}

View file

@ -51,6 +51,9 @@ in {
"passwords/data/mail" "passwords/data/mail"
"private-public-keys/data/wireguard/chaos-internal/hetzner-vm" "private-public-keys/data/wireguard/chaos-internal/hetzner-vm"
"private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
"private-public-keys/data/restic/Mail" "private-public-keys/data/restic/Mail"
"private-public-keys/data/restic/Social" "private-public-keys/data/restic/Social"
"private-public-keys/data/restic/Quassel" "private-public-keys/data/restic/Quassel"
@ -71,7 +74,7 @@ in {
''; '';
}; };
# for wireguard # for wireguard
wg_privkey = { wg_priv = {
fetchScript = '' fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile" simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
''; '';
@ -214,6 +217,33 @@ in {
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile" echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
''; '';
}; };
piped_cockroachdb_ca_certificate = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .ca_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_certificate = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb-piped";
group = "cockroachdb-piped";
permissions = "600";
fetchScript = ''
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_key \
| base64 -d > "$secretFile"
'';
};
}; };
}; };
} }

View file

@ -10,9 +10,7 @@
presets.nixos.encrypted-usb presets.nixos.encrypted-usb
profiles.cross.arm64 profiles.cross.arm64
profiles.remote-builders #profiles.remote-builders
hosts.lappy-t495.profiles.wireguard
./secrets.nix ./secrets.nix
]; ];

View file

@ -0,0 +1,22 @@
{tree, ...}: let
internal_wireguard = import ../../../data/chaos_wireguard_internal.nix {};
in {
imports = with tree; [
profiles.cockroachdb-bin-fix
];
systemd.tmpfiles.rules = [
"d /var/lib/cockroachdb-certs - root root"
];
services.cockroachdb = {
enable = true;
certsDir = "/var/lib/cockroachdb-certs";
join = "localhost:26257,${internal_wireguard.hosts.hetzner-vm.ip}:26257";
# ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
http = {
address = "0.0.0.0";
port = 8080;
};
};
}

View file

@ -0,0 +1,28 @@
{pkgs, ...}: let
rclone-raspberry = pkgs.writeShellScriptBin "rclone-raspberry" (let
vault = "${pkgs.vault-bin}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
rclone = "${pkgs.rclone}/bin/rclone";
in ''
TMP_DIR="$(mktemp -d)"
cp ${../data/rclone_config.template} "$TMP_DIR/rclone.conf"
vault-login 2>&1
STORAGEBOX_PASSWORD=$(${vault} kv get -format json "/api-keys/hetzner/storagebox" \
| ${jq} -r ".data.data.password")
STORAGEBOX_PASSWORD=$(rclone obscure "$STORAGEBOX_PASSWORD")
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$TMP_DIR/rclone.conf"
${rclone} --config "$TMP_DIR/rclone.conf" "$@"
returnVal=$?
rm -rf "$TMP_DIR"
return returnVal
'');
in {
environment.systemPackages = with pkgs; [rclone rclone-raspberry];
}

View file

@ -4,11 +4,12 @@
persistentKeepalive = 15; persistentKeepalive = 15;
in { in {
networking.firewall.trustedInterfaces = ["wg0"]; networking.firewall.trustedInterfaces = ["wg0" "wlan0"];
networking.firewall.allowedUDPPorts = [51820]; networking.firewall.allowedUDPPorts = [51820];
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {
wg0 = { wg0 = {
address = ["${data.hosts.raspberry.ip}/32"]; address = ["${data.hosts.raspberry.ip}/24"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_priv.path}"; privateKeyFile = "${secrets.wg_priv.path}";
peers = [ peers = [
@ -16,7 +17,7 @@ in {
{ {
publicKey = "${data.hosts.hetzner-vm.public}"; publicKey = "${data.hosts.hetzner-vm.public}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}"; presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["${data.hosts.hetzner-vm.ip}/24"]; allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
endpoint = "${data.hosts.hetzner-vm.endpoint}"; endpoint = "${data.hosts.hetzner-vm.endpoint}";
inherit persistentKeepalive; inherit persistentKeepalive;
} }

View file

@ -8,6 +8,9 @@
}: let }: let
secrets = config.services.secrets.secrets; secrets = config.services.secrets.secrets;
in { in {
networking.firewall.enable = true;
networking.firewall.allowPing = true;
imports = with tree; imports = with tree;
[ [
users.root users.root
@ -30,8 +33,10 @@ in {
++ (with hosts.raspberry.profiles; [ ++ (with hosts.raspberry.profiles; [
external-drive external-drive
wireguard wireguard
piped-proxy cockroachdb
piped
auto-storage-backups auto-storage-backups
rclone
]); ]);
environment.systemPackages = [ environment.systemPackages = [

View file

@ -11,10 +11,11 @@
''; '';
requiredVaultPaths = [ requiredVaultPaths = [
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
"private-public-keys/data/wireguard/chaos-internal/raspberry" "private-public-keys/data/wireguard/chaos-internal/raspberry"
"passwords/data/wifi/parentals-home" "passwords/data/wifi/parentals-home"
"api-keys/data/hetzner/storagebox" "api-keys/data/hetzner/storagebox" # also used dynamically
]; ];
secrets = { secrets = {
@ -47,22 +48,43 @@
''; '';
}; };
rclone_config = { piped_cockroachdb_ca_certificate = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/ca.crt";
fetchScript = '' fetchScript = ''
TMP_DIR="$(mktemp -d)" if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
cp ${./rclone_config.template} "$TMP_DIR/template" fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
pushd "$TMP_DIR" >/dev/null | base64 -d > "$secretFile"
'';
STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password) };
sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" ./template piped_cockroachdb_node_certificate = {
user = "cockroachdb";
cp ./template "$secretFile" group = "cockroachdb";
permissions = "600";
popd >/dev/null path = "/var/lib/cockroachdb-certs/node.crt";
fetchScript = ''
rm -rf "$TMP_DIR" if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
| base64 -d > "$secretFile"
'';
};
piped_cockroachdb_node_key = {
user = "cockroachdb";
group = "cockroachdb";
permissions = "600";
path = "/var/lib/cockroachdb-certs/node.key";
fetchScript = ''
if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
fi
simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
| base64 -d > "$secretFile"
''; '';
}; };

View file

@ -9,8 +9,6 @@
''; '';
}; };
networking.firewall.allowedTCPPorts = [80 443];
services.nginx.virtualHosts."vault.owo.monster" = { services.nginx.virtualHosts."vault.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;

View file

@ -1,44 +0,0 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["10.69.42.2/32"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "${data.hosts.hetzner-vm.public}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
endpoint = "${data.hosts.hetzner-vm.endpoint}";
persistentKeepalive = 25;
}
# iphone8
{
publicKey = "${data.hosts.iphone8.public}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["${data.hosts.iphone8.ip}/32"];
}
# lappy-t495
{
publicKey = "${data.hosts.lappy-t495.public}";
presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
}
# raspberry
{
publicKey = "${data.hosts.raspberry.public}";
presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
allowedIPs = ["${data.hosts.raspberry.ip}/32"];
endpoint = "${data.hosts.raspberry.endpoint}";
persistentKeepalive = 25;
}
];
};
};
networking.firewall.allowedUDPPorts = [51820];
}

View file

@ -3,8 +3,6 @@
enable = true; enable = true;
requiredVaultPaths = [ requiredVaultPaths = [
"private-public-keys/data/wireguard/chaos-internal/vault"
"private-public-keys/data/restic/Vault" "private-public-keys/data/restic/Vault"
"api-keys/data/storage/restic/Vault" "api-keys/data/storage/restic/Vault"
@ -23,31 +21,6 @@
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile" echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
''; '';
}; };
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > "$secretFile"
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > "$secretFile"
'';
};
wg_preshared_iphone8 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > "$secretFile"
'';
};
wg_preshared_lappy-t495 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.lappy_t495" > "$secretFile"
'';
};
wg_preshared_raspberry = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.raspberry" > "$secretFile"
'';
};
}; };
}; };
} }

View file

@ -7,9 +7,8 @@
profiles.nix-gc profiles.nix-gc
profiles.nginx profiles.nginx
profiles.nginx-firewall profiles.nginx-firewall
profiles.kernels.latest profiles.chaos-internal-wireguard
hosts.vault.profiles.wireguard
hosts.vault.profiles.vault hosts.vault.profiles.vault
hosts.vault.profiles.restic hosts.vault.profiles.restic

View file

@ -172,7 +172,7 @@
} }
getGroupID() { getGroupID() {
stat --format "%G" "$1" 2>/dev/null stat --format "%g" "$1" 2>/dev/null
} }
userNameMatches() { userNameMatches() {

View file

@ -55,9 +55,32 @@ in
inherit (pkgs) comic-code comic-sans; inherit (pkgs) comic-code comic-sans;
inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive; inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive;
inherit (pkgs) gotosocial; inherit (pkgs) gotosocial;
inherit (pkgs) cockroachdb;
}; };
} }
# internal wireguard scripts
(let
internalWireguardLib = import ./extras/internal-wireguard-lib.nix {
inherit (nixpkgs) lib;
inherit pkgs;
};
wireguard_data = import ./data/chaos_wireguard_internal.nix {};
hostsWithWireguard = builtins.attrNames wireguard_data.hosts;
in {
packages = mergeAttrsList [
(mergeAttrsList (
lib.forEach hostsWithWireguard (hostName: {
"wg-keys-init-${hostName}" = internalWireguardLib.genInitScript hostName;
})
))
{
"wg-keys-init-all" = internalWireguardLib.initAllScript;
}
];
})
# secrets-init, secrets-check and vault-policy for machines and containers # secrets-init, secrets-check and vault-policy for machines and containers
(let (let
secretsLib = import ./modules/nixos/secrets-lib/lib.nix { secretsLib = import ./modules/nixos/secrets-lib/lib.nix {

View file

@ -0,0 +1,48 @@
{
lib,
stdenv,
autoPatchelfHook,
fetchzip,
}:
stdenv.mkDerivation rec {
pname = "cockroachdb-bin";
version = "23.1.9";
src = let
inherit (stdenv.hostPlatform) system;
selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
suffix = selectSystem {
x86_64-linux = "linux-amd64";
aarch64-linux = "linux-arm64";
};
sha256 = selectSystem {
x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU=";
aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s=";
};
in
fetchzip {
url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz";
inherit sha256;
};
dontConfigure = true;
dontBuild = true;
dontStrip = stdenv.isDarwin;
nativeBuildInputs = [autoPatchelfHook];
installPhase = ''
runHook preInstall
install -D cockroach $out/bin/cockroach
runHook postInstall
'';
meta = with lib; {
homepage = "https://www.cockroachlabs.com";
description = "A scalable, survivable, strongly-consistent SQL database";
license = licenses.bsl11;
mainProgram = "cockroach";
sourceProvenance = with sourceTypes; [binaryNativeCode];
platforms = ["x86_64-linux" "aarch64-linux"];
};
}

View file

@ -1,4 +1,4 @@
final: prev: { final: prev: rec {
comic-sans = final.callPackage ./comic-sans {}; comic-sans = final.callPackage ./comic-sans {};
comic-code = final.callPackage ./comic-code {}; comic-code = final.callPackage ./comic-code {};
@ -12,6 +12,9 @@ final: prev: {
mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {}; mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {}; mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};
cockroachdb-bin = final.callPackage ./cockroachdb-bin {};
cockroachdb = cockroachdb-bin;
gotosocial = prev.gotosocial.overrideAttrs (_old: let gotosocial = prev.gotosocial.overrideAttrs (_old: let
owner = "superseriousbusiness"; owner = "superseriousbusiness";
repo = "gotosocial"; repo = "gotosocial";

View file

@ -0,0 +1,43 @@
{
lib,
config,
...
}: let
inherit (lib.modules) mkMerge;
inherit (lib.lists) forEach filter;
inherit (builtins) hasAttr;
wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
wireguard_hosts = wireguard_data.hosts;
currentHostName = config.networking.hostName;
currentHostConfig = wireguard_hosts.${currentHostName};
in {
services.secrets = {
enable = true;
requiredVaultPaths = [
"private-public-keys/data/wireguard/chaos-internal/${currentHostName}"
];
secrets = mkMerge ([
{
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
'';
};
}
]
++ (forEach (filter (hostName: (hostName != currentHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (builtins.attrNames wireguard_hosts)) (
hostName: let
in {
"wg_preshared_${hostName}" = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" ".preshared_keys.\"${hostName}\"" > "$secretFile"
'';
};
}
)));
};
}

View file

@ -0,0 +1,58 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib.modules) mkIf;
inherit (builtins) hasAttr;
# Assume this to be set
secrets = config.services.secrets.secrets;
wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
wireguard_hosts = wireguard_data.hosts;
currentHostName = config.networking.hostName;
currentHostConfig = wireguard_hosts.${currentHostName};
in {
networking.firewall.allowPing = true;
networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
systemd.services.wireguard-debug = {
wantedBy = ["multi-user.target"];
partOf = ["wg-quick-wg0.service"];
script = ''
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
'';
};
networking.wg-quick.interfaces = {
wg0 = {
address = ["${currentHostConfig.ip}/24"];
privateKeyFile = "${secrets.wg_priv.path}";
listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
peers = [
# hetzner-vm
(mkIf (currentHostName != "hetzner-vm") (let
host = wireguard_hosts."hetzner-vm";
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
#presharedKeyFile = secrets.wg_preshared_hetzner-vm.path;
endpoint = host.endpoint or null;
}))
# vault
(mkIf (currentHostName != "vault") (let
host = wireguard_hosts."vault";
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
#presharedKeyFile = secrets.wg_preshared_vault.path;
endpoint = host.endpoint or null;
}))
];
};
};
}

View file

@ -0,0 +1,60 @@
{
config,
lib,
...
}: let
escapeSystemdExecArg = arg: let
s =
if builtins.isPath arg
then "${arg}"
else if builtins.isString arg
then arg
else if builtins.isInt arg || builtins.isFloat arg
then toString arg
else throw "escapeSystemdExecArg only allows strings, paths and numbers";
in
lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s);
# Quotes a list of arguments into a single string for use in a Exec*
# line.
escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg;
cfg = config.services.cockroachdb;
crdb = cfg.package;
startupCommand =
escapeSystemdExecArgs
([
# Basic startup
"${crdb}/bin/cockroach"
(
if (cfg.join != null)
then "start"
else "start-single-node"
)
"--logtostderr"
"--store=/var/lib/cockroachdb"
# WebUI settings
"--http-addr=${cfg.http.address}:${toString cfg.http.port}"
# Cluster listen address
"--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
# Cache and memory settings.
"--cache=${cfg.cache}"
"--max-sql-memory=${cfg.maxSqlMemory}"
# Certificate/security settings.
(
if cfg.insecure
then "--insecure"
else "--certs-dir=${cfg.certsDir}"
)
]
++ lib.optional (cfg.join != null) "--join=${cfg.join}"
++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
++ cfg.extraArgs);
in {
systemd.services.cockroachdb.serviceConfig.ExecStart = lib.mkForce startupCommand;
}

View file

@ -1,4 +1,4 @@
{...}: { {...}: {
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443]; networking.firewall.allowedUDPPorts = [80 443];
} }

View file

@ -8,7 +8,7 @@ cd $(git rev-parse --show-toplevel)
HOSTNAME=$(hostname) HOSTNAME=$(hostname)
[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@ [ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh "$@"
[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh $@ [ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh "$@"
[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh $@ [ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh "$@"
[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh $@ [ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh "$@"

21
scripts/deploy-secrets.sh Executable file
View file

@ -0,0 +1,21 @@
#!/usr/bin/env bash
set -e
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel)
ARCH=${1}
HOSTNAME=${2}
SSH=${3}
CONTAINER=${4}
OPTIONAL_CONTAINER=
if [ -n "$CONTAINER" ]; then
OPTIONAL_CONTAINER="-container-${CONTAINER}"
fi
nix build --system ${ARCH} ".#secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
nix-copy-closure --to ${SSH} --use-substitutes $(readlink result)
ssh ${SSH} "$(readlink result)/bin/secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"

View file

@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel) cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s $@ nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s "$@"

2
scripts/deploy/raspberry.sh Normal file → Executable file
View file

@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel) cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#raspberry --target-host raspberry -s $@ nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@"

2
scripts/deploy/vault.sh Normal file → Executable file
View file

@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $SCRIPT_DIR cd $SCRIPT_DIR
cd $(git rev-parse --show-toplevel) cd $(git rev-parse --show-toplevel)
nixos-rebuild switch --flake .#vault --target-host vault -s $@ nixos-rebuild switch --flake .#vault --target-host vault -s "$@"