secrets

2022-11-02 10:24:47 +00:00 · 2022-11-02 10:24:47 +00:00 · 974c444b7a
parent d36f29c748
commit 974c444b7a
12 changed files with 195 additions and 49 deletions
--- a/deployNodes.nix
+++ b/deployNodes.nix
@ -26,4 +26,13 @@ in {
      path = activateNixOS_x64_64-linux nixosConfigurations.storage;
    };
  };
+  vault = {
+    hostname = "vault.servers.genderfucked.monster";
+    username = "root";
+    profiles.system = {
+      user = "root";
+      sshUser = "root";
+      path = activateNixOS_x64_64-linux nixosConfigurations.vault;
+    };
+  };
 }
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@ -8,11 +8,11 @@
    profiles.base
    profiles.tailscale
    profiles.sshd
+    profiles.nginx

    hosts.hetzner-vm.services.restic
    hosts.hetzner-vm.services.nginx
    hosts.hetzner-vm.services.invidious
-    hosts.hetzner-vm.services.vault
    hosts.hetzner-vm.services.quassel
    hosts.hetzner-vm.services.mpd
    hosts.hetzner-vm.services.storage-sftp
@ -24,6 +24,8 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
  home-manager.users.root = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
--- a/hosts/hetzner-vm/services/vault.nix
+++ b/hosts/hetzner-vm/services/vault.nix
@ -1,19 +0,0 @@
-{ pkgs, ... }: {
-  services.vault = {
-    enable = true;
-    package = pkgs.vault-bin;
-    address = "127.0.0.1:8200";
-    storageBackend = "file";
-    extraConfig = ''
-      ui = true
-    '';
-  };
-  services.nginx.virtualHosts."vault.owo.monster" = {
-    forceSSL = true;
-    enableACME = true;
-    locations = { "/" = { proxyPass = "http://127.0.0.1:8200"; }; };
-  };
-
-  services.nginx.logError = "/var/log/nginx/debug.log debug";
-  #networking.firewall.allowedTCPPorts = [ 8200 ];
-}
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@ -54,6 +54,12 @@ in {
    ];
  };

+  vault = nixosUnstableSystem {
+    specialArgs = defaultSpecialArgs;
+    system = "x86_64-linux";
+    modules = defaultModules ++ [ ./vault/vault.nix ];
+  };
+
  # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
  nixos-live-x86_64 = nixosUnstableSystem {
    specialArgs = defaultSpecialArgs;
--- a/hosts/storage/storage.nix
+++ b/hosts/storage/storage.nix
@ -3,16 +3,23 @@
 {
  imports = with tree; [
    users.root
-    users.chaos

    profiles.base
-    profiles.tailscale
    profiles.sshd
+    profiles.nix-gc
+    profiles.nginx

    ./hardware.nix
-    ./misc.nix
+    ./networking.nix
  ];

+  systemd.tmpfiles.rules = [
+    "d /secrets - root root"
+    #
+    "d /storage - root root"
+  ];
+
+
  users.groups.storage = { };
  users.users.storage = {
    isNormalUser = true;
@ -53,22 +60,6 @@
    '';
  };

-  security.acme = {
-    defaults = { email = "chaoticryptidz@owo.monster"; };
-    acceptTerms = true;
-  };
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    commonHttpConfig = "";
-    clientMaxBodySize = "512m";
-    serverNamesHashBucketSize = 1024;
-  };
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
  services.rclone-serve = {
    enable = true;
    remotes = [
@ -81,7 +72,7 @@
      }
      {
        user = "storage";
-        remote = "StorageBox:Chaos-Backups/HetznerVM";
+        remote = "StorageBox:Chaos-Backups/Restic/HetznerVM";
        type = "restic";
        wants = [ "populate-rclone-config.service" ];
        extraArgs = [
@ -92,7 +83,7 @@
      }
      {
        user = "storage";
-        remote = "StorageBox:Chaos-Backups/Music";
+        remote = "StorageBox:Chaos-Backups/Restic/Music";
        type = "restic";
        wants = [ "populate-rclone-config.service" ];
        extraArgs = [
@ -101,9 +92,22 @@
          "--baseurl=/Music/"
        ];
      }
+      {
+        user = "storage";
+        remote = "StorageBox:Chaos-Backups/Restic/Vault";
+        type = "restic";
+        wants = [ "populate-rclone-config.service" ];
+        extraArgs = [
+          "--addr=:4245"
+          "--htpasswd=/secrets/restic_vault_htpasswd"
+          "--baseurl=/Vault/"
+        ];
+      }
    ];
  };

+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
  services.nginx.virtualHosts."storage-webdav.owo.monster" = {
    forceSSL = true;
    enableACME = true;
@ -116,6 +120,7 @@
    locations = {
      "/HetznerVM/".proxyPass = "http://localhost:4243";
      "/Music/".proxyPass = "http://localhost:4244";
+      "/Vault/".proxyPass = "http://localhost:4245";
    };
  };

@ -155,10 +160,6 @@
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
  };
-  home-manager.users.chaos = {
-    imports = with tree; [ home.base home.dev.small ];
-    home.stateVersion = "22.05";
-  };

  networking.hostName = "storage";
  time.timeZone = "Europe/London";
--- a/hosts/vault/hardware.nix
+++ b/hosts/vault/hardware.nix
@ -0,0 +1,14 @@
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+  };
+}
--- a/hosts/vault/networking.nix
+++ b/hosts/vault/networking.nix
@ -0,0 +1,19 @@
+{ ... }: {
+  systemd.services.systemd-networkd-wait-online.enable = false;
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+  networking.firewall.allowedTCPPorts = [ 22 ];
+
+  networking.enableIPv6 = true;
+  networking.usePredictableInterfaceNames = false;
+  networking.dhcpcd.enable = true;
+  systemd.network = {
+    enable = true;
+    networks.eth0 = {
+      name = "eth0";
+      address = [ "2a01:4f9:c010:6a89::1" ];
+      gateway = [ "fe80::1" ];
+    };
+  };
+}
--- a/hosts/vault/secrets-db.nix
+++ b/hosts/vault/secrets-db.nix
@ -0,0 +1,14 @@
+{ }: {
+  restic_password = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/restic_password";
+  };
+  restic_env = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/restic_env";
+  };
+}
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -0,0 +1,32 @@
+{ pkgs, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "init-secrets" ''
+      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
+
+      [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
+
+      export PATH=$PATH:${pkgs.vault}/bin
+      export PATH=$PATH:${pkgs.jq}/bin
+
+      kv_get() {
+        vault kv get -format json $1
+      }
+
+      simple_get() {
+        kv_get $1 | jq .data.data$2 -r
+      }
+
+      simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password 
+      chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password 
+      chmod ${secrets-db.restic_password.permissions} /secrets/restic_password
+
+      RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
+      RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
+      echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
+      chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env 
+      chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
+    '')
+  ];
+}
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -0,0 +1,69 @@
+{ modulesPath, tree, config, pkgs, lib, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+  imports = with tree; [
+    users.root
+
+    profiles.base
+    profiles.sshd
+    profiles.nix-gc
+    profiles.nginx
+
+    ./hardware.nix
+    ./networking.nix
+    ./secrets.nix
+  ];
+
+  systemd.tmpfiles.rules = [ "d /secrets - root root" ];
+
+  services.vault = {
+    enable = true;
+    package = pkgs.vault-bin;
+    address = "127.0.0.1:8200";
+    storageBackend = "file";
+    extraConfig = ''
+      ui = true
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."vault.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = { "/" = { proxyPass = "http://127.0.0.1:8200"; }; };
+  };
+
+  services.restic.backups.vault = {
+    user = "root";
+    paths = [ "/var/lib/vault" "/var/lib/acme" ];
+    timerConfig = {
+      OnBootSec = "1m";
+      OnCalendar = "daily";
+    };
+    # env contains fixed repository with auth
+    repository = "rest:https://storage-restic.owo.monster/HetznerVM";
+    passwordFile = "${secrets-db.restic_password.path}";
+    environmentFile = "${secrets-db.restic_env.path}";
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "restic-vault" ''
+      env \
+        RESTIC_PASSWORD_FILE=${secrets-db.restic_password.path} \
+        $(cat ${secrets-db.restic_env.path}) \
+      ${pkgs.restic}/bin/restic $@
+    '')
+  ];
+
+  home-manager.users.root = {
+    imports = with tree; [ home.base home.dev.small ];
+    home.stateVersion = "22.05";
+  };
+
+  networking.hostName = "vault";
+  time.timeZone = "Europe/London";
+
+  system.stateVersion = "21.11";
+}
+
--- a/hosts/hetzner-vm/services/nginx.nix
+++ b/hosts/hetzner-vm/services/nginx.nix
@ -1,4 +1,4 @@
-_: {
+{...}: {
  security.acme = {
    defaults = { email = "chaoticryptidz@owo.monster"; };
    acceptTerms = true;
@ -13,5 +13,4 @@ _: {
    clientMaxBodySize = "512m";
    serverNamesHashBucketSize = 1024;
  };
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-}
+}
--- a/hosts/storage/misc.nix
+++ b/hosts/storage/misc.nix
@ -5,4 +5,4 @@
    dates = "daily";
    options = "--delete-older-than 1d";
  };
-}
+}