lots of misc changes with wireguard and whatever

2023-09-16 16:06:16 +01:00 · 2023-09-16 16:06:16 +01:00 · 907785359f
parent d69991819a
commit 907785359f
45 changed files with 697 additions and 268 deletions
--- a/data/chaos_wireguard_internal.nix
+++ b/data/chaos_wireguard_internal.nix
@ -1,28 +1,28 @@
 {}: rec {
-  all = "10.69.42.1/32";
+  all = "10.69.42.1/24";

  hosts = {
    hetzner-vm = {
      ip = "10.69.42.1";
-      public = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+      public = "liO33kMSEwuaaH4i6qDuorWssd9s/EfTBKBHQEbaDXE=";
      endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
    };
    vault = {
      ip = "10.69.42.2";
-      public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
-      endpoint = "vault.servers.genderfucked.monster:51820";
+      public = "GJ/IQ5W2Ch2vSiqcciKkrBA+pVycY2cibhvF1SFzi0I=";
+      #endpoint = "vault.servers.genderfucked.monster:51820";
    };
    iphone8 = {
      ip = "10.69.42.3";
-      public = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+      public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
    };
    lappy-t495 = {
      ip = "10.69.42.4";
-      public = "rEioKieZqI3UaJGGaSC/yaHfdZE9VKpsq355x4dHgCs=";
+      public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
    };
    raspberry = {
      ip = "10.69.42.5";
-      public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+      public = "ld5XI4l/Gmr5JWg8r5midy7MTIgZkWVhMPsJqzIonng=";
      endpoint = "raspberry.servers.genderfucked.monster:51820";
    };
  };
--- a/extras/internal-wireguard-lib.nix
+++ b/extras/internal-wireguard-lib.nix
@ -0,0 +1,95 @@
+{
+  lib,
+  pkgs,
+  ...
+}: let
+  wireguard_data = import ../data/chaos_wireguard_internal.nix {};
+  wireguard_hosts = wireguard_data.hosts;
+
+  inherit (pkgs) writeShellScriptBin;
+  inherit (lib.lists) forEach filter;
+  inherit (builtins) hasAttr attrNames;
+
+  kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";
+in rec {
+  initAllScript = writeShellScriptBin "wg-keys-init-all" (let
+    vault = "${pkgs.vault-bin}/bin/vault";
+    jq = "${pkgs.jq}/bin/jq";
+  in ''
+
+    ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
+      if [ -z "$PRESHARED_ONLY" ]; then
+        echo "{}" | vault kv put "${kvPathForHost hostName}" - 2>/dev/null
+      fi
+    ''))}
+
+    ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
+      echo "Deploying keys for ${hostName}"
+
+      "${genInitScript hostName}/bin/wg-keys-init-${hostName}"
+    ''))}
+
+    ${lib.concatStringsSep "\n" (lib.forEach (attrNames wireguard_hosts) (hostName: ''
+      echo
+
+      PUBLIC=$(${vault} kv get -format=json "${kvPathForHost hostName}" | ${jq} .data.data.public)
+      echo "Public Key for ${hostName}: $PUBLIC"
+    ''))}
+  '');
+
+  genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
+    vault = "${pkgs.vault-bin}/bin/vault";
+    jq = "${pkgs.jq}/bin/jq";
+    wg = "${pkgs.wireguard-tools}/bin/wg";
+    sponge = "${pkgs.moreutils}/bin/sponge";
+
+    hostsWithEndpoints = filter (hostName: (hostName != systemHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (attrNames wireguard_hosts);
+  in ''
+    PRIVATE=$(${wg} genkey)
+    PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey)
+
+    TMP_DIR=$(mktemp -d)
+    pushd "$TMP_DIR"
+
+    echo "{}" > currentHost.json
+    if [ -z "$PRESHARED_ONLY" ]; then
+      ${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json
+      ${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json
+    fi
+
+    ${jq} '.preshared_keys = {}' currentHost.json | ${sponge} currentHost.json
+
+    ${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: ''
+      echo "Generating preshared key for ${hostName}"
+
+      PSK=$(${wg} genpsk)
+      ${jq} ".preshared_keys.\"${hostName}\" = \"$PSK\"" currentHost.json | ${sponge} currentHost.json
+    ''))}
+
+
+    ${lib.concatStringsSep "\n" (lib.forEach hostsWithEndpoints (hostName: ''
+      echo "Deploying preshared key for ${hostName}"
+
+      PSK=$(jq -r '.preshared_keys."${hostName}"' currentHost.json)
+
+      ${vault} kv get -format=json "${kvPathForHost hostName}" 2>/dev/null | jq -r .data.data > otherHost.json
+      ${jq} ".preshared_keys.\"${systemHostName}\" = \"$PSK\"" otherHost.json | ${sponge} otherHost.json
+      cat otherHost.json | vault kv put "${kvPathForHost hostName}" - 2>/dev/null
+
+      rm otherHost.json
+    ''))}
+
+    if [ -z "$PRESHARED_ONLY" ]; then
+      cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null
+      cat currentHost.json | jq
+    fi
+    rm currentHost.json
+
+
+    popd
+
+    rm -rf "$TMP_DIR"
+
+    echo "Public Key for ${systemHostName}: $PUBLIC"
+  ''));
+}
--- a/flake.lock
+++ b/flake.lock
@ -119,11 +119,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694469544,
-        "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
+        "lastModified": 1694643239,
+        "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "5171f5ef654425e09d9c2100f856d887da595437",
+        "rev": "d9b88b43524db1591fb3d9410a21428198d75d49",
        "type": "github"
      },
      "original": {
@ -160,11 +160,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1694422566,
-        "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=",
+        "lastModified": 1694669921,
+        "narHash": "sha256-6ESpJ6FsftHV96JO/zn6je07tyV2dlLR7SdLsmkegTY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb",
+        "rev": "f2ea252d23ebc9a5336bf6a61e0644921f64e67c",
        "type": "github"
      },
      "original": {
@ -176,11 +176,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1694547969,
-        "narHash": "sha256-rcP53Lh8T0SywogEVPByeSXjExzpfZdd85fubbxgXYo=",
+        "lastModified": 1694778311,
+        "narHash": "sha256-Hu5U9pXwMqUjWF7uh4SKqdKy1QMy9RVGxmst11srSgA=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "6006151c90751e36c5dd68a7f754c3d26c8a55c1",
+        "rev": "7a673ac1f35648a908730206a2793b0e3818bc25",
        "type": "github"
      },
      "original": {
@ -202,11 +202,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694714112,
-        "narHash": "sha256-x2CgsEvWIf4ETx4puLqmHrPthesNXW30OMYg4pVJARg=",
+        "lastModified": 1694730023,
+        "narHash": "sha256-/J7ZPye0T1idRgvpa7oHJnON3rzIniv4tXiMP2sj3tk=",
        "owner": "ChaotiCryptidz",
        "repo": "piped-flake",
-        "rev": "c5ad01eac79809686d9685671e77a6dac4e17ddf",
+        "rev": "1729b90a2e81b95f0158720816b174532a9b1f2b",
        "type": "gitlab"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -12,6 +12,7 @@

    # nixpkgs Unstable Inputs
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
    home-manager-unstable.url = "github:nix-community/home-manager";
    home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";

--- a/home/dev/all/network.nix
+++ b/home/dev/all/network.nix
@ -8,5 +8,6 @@
    rsync
    openssh
    nmap
+    tcpdump
  ];
 }
--- a/home/gui/environments/sway/sway.nix
+++ b/home/gui/environments/sway/sway.nix
@ -65,9 +65,10 @@
            size = 14.0;
          };
          statusCommand = lib.escapeShellArgs [
-            "${pkgs.gobar}/bin/gobar"
-            "-config"
-            "cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
+	    "/home/chaos/Projects/rustbar/target/debug/rustbar"
+            #"${pkgs.gobar}/bin/gobar"
+            #"-config"
+            #"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
          ];
        }
        {command = "${pkgs.waybar}/bin/waybar";}
--- a/hosts/hetzner-vm/containers/mail/default.nix
+++ b/hosts/hetzner-vm/containers/mail/default.nix
@ -3,6 +3,7 @@
  lib,
  inputs,
  config,
+  pkgs,
  ...
 }: let
  ports = [
@ -53,13 +54,15 @@ in {
      })))
    ];

-    config = {config, ...}: {
-      _module.args = {
+    specialArgs = {
      inherit inputs;
      inherit tree;
      host_secrets = secrets;
    };

+    config = {config, ...}: {
+      nixpkgs.pkgs = pkgs;
+
      imports = with tree;
        [
          profiles.base
--- a/hosts/hetzner-vm/containers/music/default.nix
+++ b/hosts/hetzner-vm/containers/music/default.nix
@ -3,6 +3,7 @@
  lib,
  inputs,
  config,
+  pkgs,
  ...
 }: let
  container-addresses = import ../../data/container-addresses.nix {};
@ -41,13 +42,15 @@ in {
        };
      }));

-    config = {config, ...}: {
-      _module.args = {
+    specialArgs = {
      inherit inputs;
      inherit tree;
      host_secrets = secrets;
    };

+    config = {config, ...}: {
+      nixpkgs.pkgs = pkgs;
+
      imports = with tree;
        [
          profiles.base
--- a/hosts/hetzner-vm/containers/piped/data/ports.nix
+++ b/hosts/hetzner-vm/containers/piped/data/ports.nix
@ -1,4 +1,7 @@
 {}: {
  piped-backend = 3012;
  piped-proxy = 3013;
+
+  cockroachdb = 26257;
+  cockroachdb-http = 3014;
 }
--- a/hosts/hetzner-vm/containers/piped/default.nix
+++ b/hosts/hetzner-vm/containers/piped/default.nix
@ -3,13 +3,13 @@
  lib,
  inputs,
  config,
+  pkgs,
  ...
 }: let
-  internal_wireguard = import ../../../../data/chaos_wireguard_internal.nix {};
-
-  container-addresses = import ../../data/container-addresses.nix {};
-  hostIP = container-addresses.host;
-  containerIP = container-addresses.containers.piped;
+  #container-addresses = import ../../data/container-addresses.nix {};
+  #hostIP = container-addresses.host;
+  #containerIP = container-addresses.containers.piped;
+  containerConfig = config.containers.piped.config;

  ports = import ./data/ports.nix {};

@ -18,6 +18,18 @@
  secrets_list = [
    "piped_restic_env"
    "piped_restic_password"
+    {
+      name = "piped_cockroachdb_ca_certificate";
+      path = "/var/lib/cockroachdb-certs/ca.crt";
+    }
+    {
+      name = "piped_cockroachdb_node_certificate";
+      path = "/var/lib/cockroachdb-certs/node.crt";
+    }
+    {
+      name = "piped_cockroachdb_node_key";
+      path = "/var/lib/cockroachdb-certs/node.key";
+    }
  ];

  containerName = "piped";
@ -25,42 +37,69 @@
    component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
  );
 in {
+  # Create this directory outside the container so the bind mounts work
+  systemd.tmpfiles.rules = [
+    "d /var/lib/nixos-containers/${containerName}/var/lib/cockroachdb-certs - root root"
+  ];
+
+  users.users."cockroachdb-piped" = {
+    uid = containerConfig.users.users.cockroachdb.uid;
+    group = "cockroachdb-piped";
+  };
+  users.groups."cockroachdb-piped" = {
+    gid = containerConfig.users.groups.cockroachdb.gid;
+  };
+
  containers.piped = {
    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-    bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_name: let
-      path = "${secrets.${secret_name}.path}";
+    #privateNetwork = false;
+    #hostAddress = hostIP;
+    #localAddress = containerIP;
+
+    bindMounts = lib.mkMerge (lib.forEach secrets_list (secret_item: let
+      secret =
+        if builtins.isString secret_item
+        then secrets.${secret_item}
+        else secrets.${secret_item.name};
+
+      hostPath = secret.path;
+      containerPath =
+        if builtins.isString secret_item
+        then hostPath
+        else secret_item.path;
    in {
-      "${path}" = {
-        hostPath = "${path}";
+      "${containerPath}" = {
+        inherit hostPath;
      };
    }));

-    config = {config, ...}: {
-      _module.args = {
+    specialArgs = {
      inherit inputs;
      inherit tree;
      host_secrets = secrets;
    };

+    config = {config, ...}: {
+      nixpkgs.pkgs = pkgs;
+
      imports = with tree;
        [
          profiles.base
          inputs.home-manager-unstable.nixosModules.home-manager

-          profiles.sshd
+          #profiles.sshd
          profiles.nginx
+          profiles.cockroachdb-bin-fix

          modules.nixos.secrets
          inputs.piped-flake.nixosModules.default

          users.root
        ]
-        ++ (with hosts.hetzner-vm.containers.piped; [
-          profiles.piped
-          profiles.restic
+        ++ (with hosts.hetzner-vm.containers.piped.profiles; [
+          piped
+          restic
+          cockroachdb
        ]);

      # For Shared Secrets
@ -86,7 +125,7 @@ in {
    };
  };

-  services.nginx.virtualHosts."piped.owo.monster" = {
+  services.nginx.virtualHosts."piped-fi.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
@ -94,7 +133,7 @@ in {
    };
  };

-  services.nginx.virtualHosts."backend.piped.owo.monster" = {
+  services.nginx.virtualHosts."backend.piped-fi.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
@ -102,18 +141,12 @@ in {
    };
  };

-  services.nginx.virtualHosts."proxy.piped.owo.monster" = {
+  services.nginx.virtualHosts."proxy.piped-fi.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
-      proxyPass = "http://${internal_wireguard.hosts.raspberry.ip}";
-      extraConfig = ''
-        proxy_set_header Host $host;
-      '';
-      #proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
-      #extraConfig = config.services.piped.proxyNginxExtraConfig;
+      proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
+      extraConfig = config.services.piped.proxyNginxExtraConfig;
    };
  };
-
-  networking.firewall.allowedTCPPorts = [4242];
 }
--- a/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix
+++ b/hosts/hetzner-vm/containers/piped/profiles/cockroachdb.nix
@ -0,0 +1,16 @@
+{...}: let
+  ports = import ../data/ports.nix {};
+  internal_wireguard = import ../../../../../data/chaos_wireguard_internal.nix {};
+in {
+  services.cockroachdb = {
+    enable = true;
+    certsDir = "/var/lib/cockroachdb-certs";
+    join = "localhost:${toString ports.cockroachdb},${internal_wireguard.hosts.raspberry.ip}:26257";
+    #  ssh -L 3014:127.0.0.1:3014 -L 26257:127.0.0.1:26257 hetzner-vm
+    listen.port = ports.cockroachdb;
+    http = {
+      address = "0.0.0.0";
+      port = ports.cockroachdb-http;
+    };
+  };
+}
--- a/hosts/hetzner-vm/containers/piped/profiles/piped.nix
+++ b/hosts/hetzner-vm/containers/piped/profiles/piped.nix
@ -4,11 +4,19 @@
 in {
  config.services.piped = {
    enable = true;
-    frontendDomain = "piped.owo.monster";
-    backendDomain = "backend.piped.owo.monster";
-    proxyDomain = "proxy.piped.owo.monster";
+    frontendDomain = "piped-fi.owo.monster";
+    backendDomain = "backend.piped-fi.owo.monster";
+    proxyDomain = "proxy.piped-fi.owo.monster";

-    disableProxy = true; # Currently using proxy via raspberry in UK
+    disableRegistrations = false;
+
+    postgresDBName = "piped";
+    postgresDBUsername = "piped";
+    postgresDBPassword = "piped";
+    postgresDBHost = "127.0.0.1";
+    postgresDBPort = 26257;
+    databaseDialect = "org.hibernate.dialect.CockroachDialect";
+    disablePostgresDB = true;

    nginxForceSSL = false;
    nginxEnableACME = false;
@ -29,11 +37,29 @@ in {

  config.services.nginx.virtualHosts."${piped_config.frontendDomain}" = {
    extraConfig = "listen unix:/var/sockets/piped-frontend.sock;";
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 9080;
+      }
+    ];
  };
  config.services.nginx.virtualHosts."${piped_config.backendDomain}" = {
    extraConfig = "listen unix:/var/sockets/piped-backend.sock;";
-  };
-  #config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
-  #  extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
-  #};
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 9080;
+      }
+    ];
+  };
+  config.services.nginx.virtualHosts."${piped_config.proxyDomain}" = {
+    extraConfig = "listen unix:/var/sockets/piped-proxy.sock;";
+    listen = [
+      {
+        addr = "127.0.0.1";
+        port = 9080;
+      }
+    ];
+  };
 }
--- a/hosts/hetzner-vm/containers/piped/profiles/restic.nix
+++ b/hosts/hetzner-vm/containers/piped/profiles/restic.nix
@ -4,12 +4,11 @@
  ...
 }: let
  secrets = host_secrets;
-
-  backupPrepareCommand = "${
-    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
-      systemctl start postgresqlBackup-piped --wait
-    '')
-  }/bin/backupPrepareCommand";
+  #backupPrepareCommand = "${
+  #  (pkgs.writeShellScriptBin "backupPrepareCommand" ''
+  #    systemctl start postgresqlBackup-piped --wait
+  #  '')
+  #}/bin/backupPrepareCommand";
 in {
  environment.systemPackages = with pkgs; [
    restic
@ -24,7 +23,7 @@ in {
  services.restic.backups.piped = {
    user = "root";
    paths = [
-      "/var/backup/postgresql"
+      #"/var/backup/postgresql"
    ];

    # repository is overrided in environmentFile to contain auth
@ -42,13 +41,13 @@ in {
      OnCalendar = "daily";
    };

-    inherit backupPrepareCommand;
+    #inherit backupPrepareCommand;
  };

-  services.postgresqlBackup = {
-    enable = true;
-    backupAll = false;
-    databases = ["piped"];
-    compression = "zstd";
-  };
+  #services.postgresqlBackup = {
+  #  enable = true;
+  #  backupAll = false;
+  #  databases = ["piped"];
+  #  compression = "zstd";
+  #};
 }
--- a/hosts/hetzner-vm/containers/quassel/default.nix
+++ b/hosts/hetzner-vm/containers/quassel/default.nix
@ -3,6 +3,7 @@
  lib,
  inputs,
  config,
+  pkgs,
  ...
 }: let
  container-addresses = import ../../data/container-addresses.nix {};
@ -36,13 +37,15 @@ in {
      };
    }));

-    config = {config, ...}: {
-      _module.args = {
+    specialArgs = {
      inherit inputs;
      inherit tree;
      host_secrets = secrets;
    };

+    config = {config, ...}: {
+      nixpkgs.pkgs = pkgs;
+
      imports = with tree;
        [
          profiles.base
--- a/hosts/hetzner-vm/containers/social/default.nix
+++ b/hosts/hetzner-vm/containers/social/default.nix
@ -2,6 +2,7 @@
  tree,
  inputs,
  config,
+  pkgs,
  ...
 }: let
  container-addresses = import ../../data/container-addresses.nix {};
@ -28,17 +29,15 @@ in {
      };
    };

-    config = {
-      config,
-      pkgs,
-      ...
-    }: {
-      _module.args = {
+    specialArgs = {
      inherit inputs;
      inherit tree;
      host_secrets = secrets;
    };

+    config = {config, ...}: {
+      nixpkgs.pkgs = pkgs;
+
      imports = with tree;
        [
          profiles.base
--- a/hosts/hetzner-vm/containers/storage/default.nix
+++ b/hosts/hetzner-vm/containers/storage/default.nix
@ -2,6 +2,7 @@
  tree,
  lib,
  inputs,
+  pkgs,
  ...
 }: let
  container-addresses = import ../../data/container-addresses.nix {};
@ -18,18 +19,15 @@ in {
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
-    config = {
-      config,
-      pkgs,
-      ...
-    }: let
-      secrets = config.services.secrets.secrets;
-    in {
-      _module.args = {
+
+    specialArgs = {
      inherit inputs;
      inherit tree;
    };

+    config = {...}: {
+      nixpkgs.pkgs = pkgs;
+
      imports = with tree;
        [
          profiles.base
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@ -14,8 +14,8 @@
      profiles.nginx
      profiles.nginx-firewall
      profiles.nix-gc
-      profiles.kernels.latest
      profiles.cross.arm64
+      profiles.chaos-internal-wireguard

      ./networking.nix
      ./hardware.nix
@ -32,10 +32,13 @@
    ++ (with hosts.hetzner-vm.profiles; [
      vaultui
      gitlab-static-sites
-      wireguard
      nginx-misc
    ]);

+  boot.kernel.sysctl = {
+    "fs.inotify.max_user_watches" = 1024 * 64 * 4;
+  };
+
  environment.systemPackages = with pkgs;
    [
      (pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
@ -73,9 +76,6 @@
    externalInterface = "eth0";
  };

-  networking.firewall.allowedTCPPorts = [80 443];
-  networking.firewall.allowedUDPPorts = [443];
-
  home-manager.users.root = {
    imports = with tree; [home.base home.dev.small];
    home.stateVersion = "23.05";
--- a/hosts/hetzner-vm/networking.nix
+++ b/hosts/hetzner-vm/networking.nix
@ -5,6 +5,9 @@
  networking.firewall.allowPing = true;
  networking.firewall.allowedTCPPorts = [22];

+  services.resolved.enable = false;
+  environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
+
  networking.enableIPv6 = true;
  networking.usePredictableInterfaceNames = false;
  networking.dhcpcd.enable = true;
--- a/hosts/hetzner-vm/profiles/wireguard.nix
+++ b/hosts/hetzner-vm/profiles/wireguard.nix
@ -1,43 +0,0 @@
-{config, ...}: let
-  secrets = config.services.secrets.secrets;
-
-  data = import ../../../data/chaos_wireguard_internal.nix {};
-in {
-  networking.wg-quick.interfaces = {
-    wg0 = {
-      address = ["${data.hosts.hetzner-vm.ip}/32"];
-      listenPort = 51820;
-      privateKeyFile = "${secrets.wg_privkey.path}";
-      peers = [
-        # vault
-        {
-          publicKey = "${data.hosts.vault.public}";
-          presharedKeyFile = "${secrets.wg_preshared_vault.path}";
-          endpoint = "${data.hosts.vault.endpoint}";
-          allowedIPs = ["${data.hosts.vault.ip}/32"];
-        }
-        # iphone8
-        {
-          publicKey = "${data.hosts.iphone8.public}";
-          presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
-          allowedIPs = ["${data.hosts.iphone8.ip}/32"];
-        }
-        # lappy-t495
-        {
-          publicKey = "${data.hosts.lappy-t495.public}";
-          presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
-          allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
-        }
-        # raspberry
-        {
-          publicKey = "${data.hosts.raspberry.public}";
-          presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
-          allowedIPs = ["${data.hosts.raspberry.ip}/32"];
-          endpoint = "${data.hosts.raspberry.endpoint}";
-          persistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-  networking.firewall.allowedUDPPorts = [51820];
-}
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -51,6 +51,9 @@ in {
      "passwords/data/mail"

      "private-public-keys/data/wireguard/chaos-internal/hetzner-vm"
+
+      "private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
+
      "private-public-keys/data/restic/Mail"
      "private-public-keys/data/restic/Social"
      "private-public-keys/data/restic/Quassel"
@ -71,7 +74,7 @@ in {
        '';
      };
      # for wireguard
-      wg_privkey = {
+      wg_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
        '';
@ -214,6 +217,33 @@ in {
          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Piped" > "$secretFile"
        '';
      };
+      piped_cockroachdb_ca_certificate = {
+        user = "cockroachdb-piped";
+        group = "cockroachdb-piped";
+        permissions = "600";
+        fetchScript = ''
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .ca_certificate \
+            | base64 -d > "$secretFile"
+        '';
+      };
+      piped_cockroachdb_node_certificate = {
+        user = "cockroachdb-piped";
+        group = "cockroachdb-piped";
+        permissions = "600";
+        fetchScript = ''
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_certificate \
+            | base64 -d > "$secretFile"
+        '';
+      };
+      piped_cockroachdb_node_key = {
+        user = "cockroachdb-piped";
+        group = "cockroachdb-piped";
+        permissions = "600";
+        fetchScript = ''
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/hetzner-vm" .node_key \
+            | base64 -d > "$secretFile"
+        '';
+      };
    };
  };
 }
--- a/hosts/lappy-t495/lappy-t495.nix
+++ b/hosts/lappy-t495/lappy-t495.nix
@ -10,9 +10,7 @@
    presets.nixos.encrypted-usb

    profiles.cross.arm64
-    profiles.remote-builders
-
-    hosts.lappy-t495.profiles.wireguard
+    #profiles.remote-builders

    ./secrets.nix
  ];
--- a/hosts/raspberry/data/rclone_config.template
+++ b/hosts/raspberry/data/rclone_config.template
--- a/hosts/raspberry/profiles/cockroachdb.nix
+++ b/hosts/raspberry/profiles/cockroachdb.nix
@ -0,0 +1,22 @@
+{tree, ...}: let
+  internal_wireguard = import ../../../data/chaos_wireguard_internal.nix {};
+in {
+  imports = with tree; [
+    profiles.cockroachdb-bin-fix
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/cockroachdb-certs - root root"
+  ];
+
+  services.cockroachdb = {
+    enable = true;
+    certsDir = "/var/lib/cockroachdb-certs";
+    join = "localhost:26257,${internal_wireguard.hosts.hetzner-vm.ip}:26257";
+    #  ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
+    http = {
+      address = "0.0.0.0";
+      port = 8080;
+    };
+  };
+}
--- a/hosts/raspberry/profiles/piped-proxy.nix
+++ b/hosts/raspberry/profiles/piped-proxy.nix
--- a/hosts/raspberry/profiles/rclone.nix
+++ b/hosts/raspberry/profiles/rclone.nix
@ -0,0 +1,28 @@
+{pkgs, ...}: let
+  rclone-raspberry = pkgs.writeShellScriptBin "rclone-raspberry" (let
+    vault = "${pkgs.vault-bin}/bin/vault";
+    jq = "${pkgs.jq}/bin/jq";
+    rclone = "${pkgs.rclone}/bin/rclone";
+  in ''
+    TMP_DIR="$(mktemp -d)"
+
+    cp ${../data/rclone_config.template} "$TMP_DIR/rclone.conf"
+
+    vault-login 2>&1
+
+    STORAGEBOX_PASSWORD=$(${vault} kv get -format json "/api-keys/hetzner/storagebox" \
+      | ${jq} -r ".data.data.password")
+    STORAGEBOX_PASSWORD=$(rclone obscure "$STORAGEBOX_PASSWORD")
+
+    sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$TMP_DIR/rclone.conf"
+
+    ${rclone} --config "$TMP_DIR/rclone.conf" "$@"
+    returnVal=$?
+
+    rm -rf "$TMP_DIR"
+
+    return returnVal
+  '');
+in {
+  environment.systemPackages = with pkgs; [rclone rclone-raspberry];
+}
--- a/hosts/raspberry/profiles/wireguard.nix
+++ b/hosts/raspberry/profiles/wireguard.nix
@ -4,11 +4,12 @@

  persistentKeepalive = 15;
 in {
-  networking.firewall.trustedInterfaces = ["wg0"];
+  networking.firewall.trustedInterfaces = ["wg0" "wlan0"];
  networking.firewall.allowedUDPPorts = [51820];
  networking.wg-quick.interfaces = {
    wg0 = {
-      address = ["${data.hosts.raspberry.ip}/32"];
+      address = ["${data.hosts.raspberry.ip}/24"];
+      listenPort = 51820;
      privateKeyFile = "${secrets.wg_priv.path}";

      peers = [
@ -16,7 +17,7 @@ in {
        {
          publicKey = "${data.hosts.hetzner-vm.public}";
          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
-          allowedIPs = ["${data.hosts.hetzner-vm.ip}/24"];
+          allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
          endpoint = "${data.hosts.hetzner-vm.endpoint}";
          inherit persistentKeepalive;
        }
--- a/hosts/raspberry/raspberry.nix
+++ b/hosts/raspberry/raspberry.nix
@ -8,6 +8,9 @@
 }: let
  secrets = config.services.secrets.secrets;
 in {
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+
  imports = with tree;
    [
      users.root
@ -30,8 +33,10 @@ in {
    ++ (with hosts.raspberry.profiles; [
      external-drive
      wireguard
-      piped-proxy
+      cockroachdb
+      piped
      auto-storage-backups
+      rclone
    ]);

  environment.systemPackages = [
--- a/hosts/raspberry/secrets.nix
+++ b/hosts/raspberry/secrets.nix
@ -11,10 +11,11 @@
    '';

    requiredVaultPaths = [
+      "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
      "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
      "private-public-keys/data/wireguard/chaos-internal/raspberry"
      "passwords/data/wifi/parentals-home"
-      "api-keys/data/hetzner/storagebox"
+      "api-keys/data/hetzner/storagebox" # also used dynamically
    ];

    secrets = {
@ -47,22 +48,43 @@
        '';
      };

-      rclone_config = {
+      piped_cockroachdb_ca_certificate = {
+        user = "cockroachdb";
+        group = "cockroachdb";
+        permissions = "600";
+        path = "/var/lib/cockroachdb-certs/ca.crt";
        fetchScript = ''
-          TMP_DIR="$(mktemp -d)"
-
-          cp ${./rclone_config.template} "$TMP_DIR/template"
-
-          pushd "$TMP_DIR" >/dev/null
-
-          STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password)
-          sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" ./template
-
-          cp ./template "$secretFile"
-
-          popd >/dev/null
-
-          rm -rf "$TMP_DIR"
+          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
+            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
+          fi
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .ca_certificate \
+            | base64 -d > "$secretFile"
+        '';
+      };
+      piped_cockroachdb_node_certificate = {
+        user = "cockroachdb";
+        group = "cockroachdb";
+        permissions = "600";
+        path = "/var/lib/cockroachdb-certs/node.crt";
+        fetchScript = ''
+          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
+            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
+          fi
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_certificate \
+            | base64 -d > "$secretFile"
+        '';
+      };
+      piped_cockroachdb_node_key = {
+        user = "cockroachdb";
+        group = "cockroachdb";
+        permissions = "600";
+        path = "/var/lib/cockroachdb-certs/node.key";
+        fetchScript = ''
+          if [ ! -d "$SYSROOT/var/lib/cockroachdb-certs" ]; then
+            mkdir -p "$SYSROOT/var/lib/cockroachdb-certs"
+          fi
+          simple_get "/private-public-keys/piped-cockroachdb-ca/nodes/raspberry" .node_key \
+            | base64 -d > "$secretFile"
        '';
      };

--- a/hosts/vault/profiles/vault.nix
+++ b/hosts/vault/profiles/vault.nix
@ -9,8 +9,6 @@
    '';
  };

-  networking.firewall.allowedTCPPorts = [80 443];
-
  services.nginx.virtualHosts."vault.owo.monster" = {
    forceSSL = true;
    enableACME = true;
--- a/hosts/vault/profiles/wireguard.nix
+++ b/hosts/vault/profiles/wireguard.nix
@ -1,44 +0,0 @@
-{config, ...}: let
-  secrets = config.services.secrets.secrets;
-  data = import ../../../data/chaos_wireguard_internal.nix {};
-in {
-  networking.wg-quick.interfaces = {
-    wg0 = {
-      address = ["10.69.42.2/32"];
-      listenPort = 51820;
-      privateKeyFile = "${secrets.wg_priv.path}";
-
-      peers = [
-        # hetzner-vm
-        {
-          publicKey = "${data.hosts.hetzner-vm.public}";
-          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
-          allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
-          endpoint = "${data.hosts.hetzner-vm.endpoint}";
-          persistentKeepalive = 25;
-        }
-        # iphone8
-        {
-          publicKey = "${data.hosts.iphone8.public}";
-          presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
-          allowedIPs = ["${data.hosts.iphone8.ip}/32"];
-        }
-        # lappy-t495
-        {
-          publicKey = "${data.hosts.lappy-t495.public}";
-          presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
-          allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
-        }
-        # raspberry
-        {
-          publicKey = "${data.hosts.raspberry.public}";
-          presharedKeyFile = "${secrets.wg_preshared_raspberry.path}";
-          allowedIPs = ["${data.hosts.raspberry.ip}/32"];
-          endpoint = "${data.hosts.raspberry.endpoint}";
-          persistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-  networking.firewall.allowedUDPPorts = [51820];
-}
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -3,8 +3,6 @@
    enable = true;

    requiredVaultPaths = [
-      "private-public-keys/data/wireguard/chaos-internal/vault"
-
      "private-public-keys/data/restic/Vault"

      "api-keys/data/storage/restic/Vault"
@ -23,31 +21,6 @@
          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile"
        '';
      };
-      wg_priv = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .private > "$secretFile"
-        '';
-      };
-      wg_preshared_hetzner-vm = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > "$secretFile"
-        '';
-      };
-      wg_preshared_iphone8 = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > "$secretFile"
-        '';
-      };
-      wg_preshared_lappy-t495 = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.lappy_t495" > "$secretFile"
-        '';
-      };
-      wg_preshared_raspberry = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.raspberry" > "$secretFile"
-        '';
-      };
    };
  };
 }
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -7,9 +7,8 @@
    profiles.nix-gc
    profiles.nginx
    profiles.nginx-firewall
-    profiles.kernels.latest
+    profiles.chaos-internal-wireguard

-    hosts.vault.profiles.wireguard
    hosts.vault.profiles.vault
    hosts.vault.profiles.restic

--- a/modules/nixos/secrets-lib/lib.nix
+++ b/modules/nixos/secrets-lib/lib.nix
@ -172,7 +172,7 @@
        }

        getGroupID() {
-          stat --format "%G" "$1" 2>/dev/null
+          stat --format "%g" "$1" 2>/dev/null
        }

        userNameMatches() {
--- a/outputs.nix
+++ b/outputs.nix
@ -55,9 +55,32 @@ in
            inherit (pkgs) comic-code comic-sans;
            inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd mk-raspberry-ext-drive;
            inherit (pkgs) gotosocial;
+            inherit (pkgs) cockroachdb;
          };
        }

+        # internal wireguard scripts
+        (let
+          internalWireguardLib = import ./extras/internal-wireguard-lib.nix {
+            inherit (nixpkgs) lib;
+            inherit pkgs;
+          };
+
+          wireguard_data = import ./data/chaos_wireguard_internal.nix {};
+          hostsWithWireguard = builtins.attrNames wireguard_data.hosts;
+        in {
+          packages = mergeAttrsList [
+            (mergeAttrsList (
+              lib.forEach hostsWithWireguard (hostName: {
+                "wg-keys-init-${hostName}" = internalWireguardLib.genInitScript hostName;
+              })
+            ))
+            {
+              "wg-keys-init-all" = internalWireguardLib.initAllScript;
+            }
+          ];
+        })
+
        # secrets-init, secrets-check and vault-policy for machines and containers
        (let
          secretsLib = import ./modules/nixos/secrets-lib/lib.nix {
--- a/overlay/cockroachdb-bin/default.nix
+++ b/overlay/cockroachdb-bin/default.nix
@ -0,0 +1,48 @@
+{
+  lib,
+  stdenv,
+  autoPatchelfHook,
+  fetchzip,
+}:
+stdenv.mkDerivation rec {
+  pname = "cockroachdb-bin";
+  version = "23.1.9";
+
+  src = let
+    inherit (stdenv.hostPlatform) system;
+    selectSystem = attrs: attrs.${system} or (throw "Unsupported system: ${system}");
+    suffix = selectSystem {
+      x86_64-linux = "linux-amd64";
+      aarch64-linux = "linux-arm64";
+    };
+    sha256 = selectSystem {
+      x86_64-linux = "sha256-TopDCszdU73WiD/fsa/lq4h7jPUk0u50v3ELiuakzTU=";
+      aarch64-linux = "sha256-uRW1g2IFAfQ6a1w7pz5GKklHmfaNgk70qj3hhm6KV6s=";
+    };
+  in
+    fetchzip {
+      url = "https://binaries.cockroachdb.com/cockroach-v${version}.${suffix}.tgz";
+      inherit sha256;
+    };
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontStrip = stdenv.isDarwin;
+
+  nativeBuildInputs = [autoPatchelfHook];
+
+  installPhase = ''
+    runHook preInstall
+    install -D cockroach $out/bin/cockroach
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    homepage = "https://www.cockroachlabs.com";
+    description = "A scalable, survivable, strongly-consistent SQL database";
+    license = licenses.bsl11;
+    mainProgram = "cockroach";
+    sourceProvenance = with sourceTypes; [binaryNativeCode];
+    platforms = ["x86_64-linux" "aarch64-linux"];
+  };
+}
--- a/overlay/default.nix
+++ b/overlay/default.nix
@ -1,4 +1,4 @@
-final: prev: {
+final: prev: rec {
  comic-sans = final.callPackage ./comic-sans {};
  comic-code = final.callPackage ./comic-code {};

@ -12,6 +12,9 @@ final: prev: {
  mk-dual-enc-ssd = final.callPackage ../extras/mk-dual-enc-ssd.nix {};
  mk-raspberry-ext-drive = final.callPackage ../extras/mk-raspberry-ext-drive.nix {};

+  cockroachdb-bin = final.callPackage ./cockroachdb-bin {};
+  cockroachdb = cockroachdb-bin;
+
  gotosocial = prev.gotosocial.overrideAttrs (_old: let
    owner = "superseriousbusiness";
    repo = "gotosocial";
--- a/profiles/chaos-internal-wireguard/secrets.nix
+++ b/profiles/chaos-internal-wireguard/secrets.nix
@ -0,0 +1,43 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkMerge;
+  inherit (lib.lists) forEach filter;
+  inherit (builtins) hasAttr;
+
+  wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
+  wireguard_hosts = wireguard_data.hosts;
+
+  currentHostName = config.networking.hostName;
+  currentHostConfig = wireguard_hosts.${currentHostName};
+in {
+  services.secrets = {
+    enable = true;
+
+    requiredVaultPaths = [
+      "private-public-keys/data/wireguard/chaos-internal/${currentHostName}"
+    ];
+
+    secrets = mkMerge ([
+        {
+          wg_priv = {
+            fetchScript = ''
+              simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
+            '';
+          };
+        }
+      ]
+      ++ (forEach (filter (hostName: (hostName != currentHostName && hasAttr "endpoint" wireguard_hosts.${hostName})) (builtins.attrNames wireguard_hosts)) (
+        hostName: let
+        in {
+          "wg_preshared_${hostName}" = {
+            fetchScript = ''
+              simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" ".preshared_keys.\"${hostName}\"" > "$secretFile"
+            '';
+          };
+        }
+      )));
+  };
+}
--- a/profiles/chaos-internal-wireguard/wireguard.nix
+++ b/profiles/chaos-internal-wireguard/wireguard.nix
@ -0,0 +1,58 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (builtins) hasAttr;
+
+  # Assume this to be set
+  secrets = config.services.secrets.secrets;
+
+  wireguard_data = import ../../data/chaos_wireguard_internal.nix {};
+  wireguard_hosts = wireguard_data.hosts;
+
+  currentHostName = config.networking.hostName;
+  currentHostConfig = wireguard_hosts.${currentHostName};
+in {
+  networking.firewall.allowPing = true;
+  networking.firewall.allowedUDPPorts = mkIf (hasAttr "endpoint" currentHostConfig) [51820];
+
+  systemd.services.wireguard-debug = {
+    wantedBy = ["multi-user.target"];
+    partOf = ["wg-quick-wg0.service"];
+    script = ''
+      echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+    '';
+  };
+
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = ["${currentHostConfig.ip}/24"];
+      privateKeyFile = "${secrets.wg_priv.path}";
+      listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
+
+      peers = [
+        # hetzner-vm
+        (mkIf (currentHostName != "hetzner-vm") (let
+          host = wireguard_hosts."hetzner-vm";
+        in {
+          allowedIPs = ["${host.ip}/32"];
+          publicKey = host.public;
+          #presharedKeyFile = secrets.wg_preshared_hetzner-vm.path;
+          endpoint = host.endpoint or null;
+        }))
+        # vault
+        (mkIf (currentHostName != "vault") (let
+          host = wireguard_hosts."vault";
+        in {
+          allowedIPs = ["${host.ip}/32"];
+          publicKey = host.public;
+          #presharedKeyFile = secrets.wg_preshared_vault.path;
+          endpoint = host.endpoint or null;
+        }))
+      ];
+    };
+  };
+}
--- a/profiles/cockroachdb-bin-fix.nix
+++ b/profiles/cockroachdb-bin-fix.nix
@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  escapeSystemdExecArg = arg: let
+    s =
+      if builtins.isPath arg
+      then "${arg}"
+      else if builtins.isString arg
+      then arg
+      else if builtins.isInt arg || builtins.isFloat arg
+      then toString arg
+      else throw "escapeSystemdExecArg only allows strings, paths and numbers";
+  in
+    lib.replaceStrings ["%" "$"] ["%%" "$$"] (builtins.toJSON s);
+
+  # Quotes a list of arguments into a single string for use in a Exec*
+  # line.
+  escapeSystemdExecArgs = lib.concatMapStringsSep " " escapeSystemdExecArg;
+
+  cfg = config.services.cockroachdb;
+  crdb = cfg.package;
+
+  startupCommand =
+    escapeSystemdExecArgs
+    ([
+        # Basic startup
+        "${crdb}/bin/cockroach"
+        (
+          if (cfg.join != null)
+          then "start"
+          else "start-single-node"
+        )
+        "--logtostderr"
+        "--store=/var/lib/cockroachdb"
+
+        # WebUI settings
+        "--http-addr=${cfg.http.address}:${toString cfg.http.port}"
+
+        # Cluster listen address
+        "--listen-addr=${cfg.listen.address}:${toString cfg.listen.port}"
+
+        # Cache and memory settings.
+        "--cache=${cfg.cache}"
+        "--max-sql-memory=${cfg.maxSqlMemory}"
+
+        # Certificate/security settings.
+        (
+          if cfg.insecure
+          then "--insecure"
+          else "--certs-dir=${cfg.certsDir}"
+        )
+      ]
+      ++ lib.optional (cfg.join != null) "--join=${cfg.join}"
+      ++ lib.optional (cfg.locality != null) "--locality=${cfg.locality}"
+      ++ cfg.extraArgs);
+in {
+  systemd.services.cockroachdb.serviceConfig.ExecStart = lib.mkForce startupCommand;
+}
--- a/scripts/deploy-all.sh
+++ b/scripts/deploy-all.sh
@ -8,7 +8,7 @@ cd $(git rev-parse --show-toplevel)

 HOSTNAME=$(hostname)

-[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh $@
-[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh $@
-[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh $@
-[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh $@
+[ "${NO_REBUILD}" == "" ] && ./scripts/rebuild.sh "$@"
+[ "${HOSTNAME}" != "hetzner-vm" ] && ./scripts/deploy/hetzner-vm.sh "$@"
+[ "${HOSTNAME}" != "vault" ] && ./scripts/deploy/vault.sh "$@"
+[ "${HOSTNAME}" != "raspberry" ] && ./scripts/deploy/raspberry.sh "$@"
--- a/scripts/deploy-secrets.sh
+++ b/scripts/deploy-secrets.sh
@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd $SCRIPT_DIR
+cd $(git rev-parse --show-toplevel)
+
+ARCH=${1}
+HOSTNAME=${2}
+SSH=${3}
+CONTAINER=${4}
+
+OPTIONAL_CONTAINER=
+if [ -n "$CONTAINER" ]; then
+  OPTIONAL_CONTAINER="-container-${CONTAINER}"
+fi 
+
+nix build --system ${ARCH} ".#secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
+nix-copy-closure --to ${SSH} --use-substitutes $(readlink result)
+ssh ${SSH} "$(readlink result)/bin/secrets-init-${HOSTNAME}${OPTIONAL_CONTAINER}"
--- a/scripts/deploy/hetzner-vm.sh
+++ b/scripts/deploy/hetzner-vm.sh
@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 cd $(git rev-parse --show-toplevel)

-nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s $@
+nixos-rebuild switch --flake .#hetzner-vm --target-host hetzner-vm -s "$@"
--- a/scripts/deploy/raspberry.sh
+++ b/scripts/deploy/raspberry.sh
@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 cd $(git rev-parse --show-toplevel)

-nixos-rebuild switch --flake .#raspberry --target-host raspberry -s $@
+nixos-rebuild switch --flake .#raspberry --target-host raspberry -s "$@"
--- a/scripts/deploy/vault.sh
+++ b/scripts/deploy/vault.sh
@ -6,4 +6,4 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 cd $SCRIPT_DIR
 cd $(git rev-parse --show-toplevel)

-nixos-rebuild switch --flake .#vault --target-host vault -s $@
+nixos-rebuild switch --flake .#vault --target-host vault -s "$@"