From 974c444b7aafe775aba71ff37c0bd9c7b496a7dd Mon Sep 17 00:00:00 2001
From: Chaos
Date: Wed, 2 Nov 2022 10:24:47 +0000
Subject: [PATCH] secrets

---
 deployNodes.nix | 9 +++
 hosts/hetzner-vm/hetzner-vm.nix | 4 +-
 hosts/hetzner-vm/services/vault.nix | 19 -----
 hosts/nixos.nix | 6 ++
 hosts/storage/storage.nix | 51 +++++++-------
 hosts/vault/hardware.nix | 14 ++++
 hosts/vault/networking.nix | 19 +++++
 hosts/vault/secrets-db.nix | 14 ++++
 hosts/vault/secrets.nix | 32 +++++++++
 hosts/vault/vault.nix | 69 +++++++++++++++++++
 .../services => profiles}/nginx.nix | 5 +-
 hosts/storage/misc.nix => profiles/nix-gc.nix | 2 +-
 12 files changed, 195 insertions(+), 49 deletions(-)
 delete mode 100644 hosts/hetzner-vm/services/vault.nix
 create mode 100644 hosts/vault/hardware.nix
 create mode 100644 hosts/vault/networking.nix
 create mode 100644 hosts/vault/secrets-db.nix
 create mode 100644 hosts/vault/secrets.nix
 create mode 100644 hosts/vault/vault.nix
 rename {hosts/hetzner-vm/services => profiles}/nginx.nix (86%)
 rename hosts/storage/misc.nix => profiles/nix-gc.nix (98%)

diff --git a/deployNodes.nix b/deployNodes.nix
index cc92b52..abb4da6 100644
--- a/deployNodes.nix
+++ b/deployNodes.nix
@@ -26,4 +26,13 @@ in {
 path = activateNixOS_x64_64-linux nixosConfigurations.storage;
 };
 };
+ vault = {
+ hostname = "vault.servers.genderfucked.monster";
+ username = "root";
+ profiles.system = {
+ user = "root";
+ sshUser = "root";
+ path = activateNixOS_x64_64-linux nixosConfigurations.vault;
+ };
+ };
 }
diff --git a/hosts/hetzner-vm/hetzner-vm.nix b/hosts/hetzner-vm/hetzner-vm.nix
index 6b8d4eb..46e9843 100644
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@@ -8,11 +8,11 @@
 profiles.base
 profiles.tailscale
 profiles.sshd
+ profiles.nginx
 
 hosts.hetzner-vm.services.restic
 hosts.hetzner-vm.services.nginx
 hosts.hetzner-vm.services.invidious
- hosts.hetzner-vm.services.vault
 hosts.hetzner-vm.services.quassel
 hosts.hetzner-vm.services.mpd
 hosts.hetzner-vm.services.storage-sftp
@@ -24,6 +24,8 @@
 (modulesPath + "/profiles/qemu-guest.nix")
 ];
 
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
 home-manager.users.root = {
 imports = with tree; [ home.base home.dev.small ];
 home.stateVersion = "22.05";
diff --git a/hosts/hetzner-vm/services/vault.nix b/hosts/hetzner-vm/services/vault.nix
deleted file mode 100644
index 244e545..0000000
--- a/hosts/hetzner-vm/services/vault.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ pkgs, ... }: {
- services.vault = {
- enable = true;
- package = pkgs.vault-bin;
- address = "127.0.0.1:8200";
- storageBackend = "file";
- extraConfig = ''
- ui = true
- '';
- };
- services.nginx.virtualHosts."vault.owo.monster" = {
- forceSSL = true;
- enableACME = true;
- locations = { "/" = { proxyPass = "http://127.0.0.1:8200"; }; };
- };
-
- services.nginx.logError = "/var/log/nginx/debug.log debug";
- #networking.firewall.allowedTCPPorts = [ 8200 ];
-}
diff --git a/hosts/nixos.nix b/hosts/nixos.nix
index 40bfe60..bef6c6f 100644
--- a/hosts/nixos.nix
+++ b/hosts/nixos.nix
@@ -54,6 +54,12 @@ in {
 ];
 };
 
+ vault = nixosUnstableSystem {
+ specialArgs = defaultSpecialArgs;
+ system = "x86_64-linux";
+ modules = defaultModules ++ [ ./vault/vault.nix ];
+ };
+
 # nix build .#nixosConfigurations.nixos-live-x86_64.config.system.build.isoImage
 nixos-live-x86_64 = nixosUnstableSystem {
 specialArgs = defaultSpecialArgs;
diff --git a/hosts/storage/storage.nix b/hosts/storage/storage.nix
index efdeff6..bb04f3f 100644
--- a/hosts/storage/storage.nix
+++ b/hosts/storage/storage.nix
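Review bot: The import list still names `hosts.hetzner-vm.services.nginx` two entries below the new `profiles.nginx`, but this same commit renames that module to `profiles/nginx.nix`; if `tree` mirrors the directory layout (as `hosts.hetzner-vm.services.*` suggests), the attribute no longer exists and evaluating this host should fail with a missing-attribute error. Even if something still resolves it, both modules would declare the same `security.acme` and `services.nginx` settings. Remove the stale line `hosts.hetzner-vm.services.nginx` — the `profiles.nginx` import added here replaces it. The `imports` list begins before this hunk.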
@@ -3,16 +3,23 @@ { imports = with tree; [ users.root - users.chaos profiles.base - profiles.tailscale profiles.sshd + profiles.nix-gc + profiles.nginx ./hardware.nix - ./misc.nix + ./networking.nix ]; + systemd.tmpfiles.rules = [ + "d /secrets - root root" + # + "d /storage - root root" + ]; + + users.groups.storage = { }; users.users.storage = { isNormalUser = true; @@ -53,22 +60,6 @@ ''; }; - security.acme = { - defaults = { email = "chaoticryptidz@owo.monster"; }; - acceptTerms = true; - }; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - commonHttpConfig = ""; - clientMaxBodySize = "512m"; - serverNamesHashBucketSize = 1024; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.rclone-serve = { enable = true; remotes = [ @@ -81,7 +72,7 @@ } { user = "storage"; - remote = "StorageBox:Chaos-Backups/HetznerVM"; + remote = "StorageBox:Chaos-Backups/Restic/HetznerVM"; type = "restic"; wants = [ "populate-rclone-config.service" ]; extraArgs = [ @@ -92,7 +83,7 @@ } { user = "storage"; - remote = "StorageBox:Chaos-Backups/Music"; + remote = "StorageBox:Chaos-Backups/Restic/Music"; type = "restic"; wants = [ "populate-rclone-config.service" ]; extraArgs = [ @@ -101,9 +92,22 @@ "--baseurl=/Music/" ]; } + { + user = "storage"; + remote = "StorageBox:Chaos-Backups/Restic/Vault"; + type = "restic"; + wants = [ "populate-rclone-config.service" ]; + extraArgs = [ + "--addr=:4245" + "--htpasswd=/secrets/restic_vault_htpasswd" + "--baseurl=/Vault/" + ]; + } ]; }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx.virtualHosts."storage-webdav.owo.monster" = { forceSSL = true; enableACME = true; @@ -116,6 +120,7 @@ locations = { "/HetznerVM/".proxyPass = "http://localhost:4243"; "/Music/".proxyPass = "http://localhost:4244"; + "/Vault/".proxyPass = "http://localhost:4245"; }; }; 
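Review bot: `"d /secrets - root root"` leaves the mode field as `-`, which systemd-tmpfiles treats as the default 0755, so the directory holding the restic htpasswd files is listable and traversable by every local account. The rclone-serve units later in this file run as the unprivileged `storage` user and read `/secrets/restic_vault_htpasswd`, so 0700 would break them; `"d /secrets 0750 root storage -"` keeps root-only files private while letting the `storage` group reach the htpasswd files it needs (those files would then need to be 0640 root:storage). The identical `d /secrets - root root` line in the new `hosts/vault/vault.nix` can be 0700, since on that host only root reads the directory.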
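Review bot: The new Vault rest-server entry listens on `--addr=:4245`, i.e. on every interface, while the nginx location added in the following hunk only ever reaches it at `localhost`; that leaves a plaintext HTTP listener with basic auth reachable on the host's public IPv4/IPv6 addresses the moment `allowedTCPPorts` is loosened (today only 80/443 are opened, so the firewall is the only thing in the way). Bind it to loopback explicitly with `"--addr=127.0.0.1:4245"`, and check whether the 4243/4244 entries (their `--addr` lines are outside this hunk) do the same. Nothing in this commit creates `/secrets/restic_vault_htpasswd`; since rclone runs as `storage` under a root-owned `/secrets`, confirm that file exists and is readable by that user before the unit first starts.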
@@ -155,10 +160,6 @@
 imports = with tree; [ home.base home.dev.small ];
 home.stateVersion = "22.05";
 };
- home-manager.users.chaos = {
- imports = with tree; [ home.base home.dev.small ];
- home.stateVersion = "22.05";
- };
 
 networking.hostName = "storage";
 time.timeZone = "Europe/London";
diff --git a/hosts/vault/hardware.nix b/hosts/vault/hardware.nix
new file mode 100644
index 0000000..8ee92b3
--- /dev/null
+++ b/hosts/vault/hardware.nix
@@ -0,0 +1,14 @@
+{ modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+}
diff --git a/hosts/vault/networking.nix b/hosts/vault/networking.nix
new file mode 100644
index 0000000..6a9bb2a
--- /dev/null
+++ b/hosts/vault/networking.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ systemd.services.systemd-networkd-wait-online.enable = false;
+
+ networking.firewall.enable = true;
+ networking.firewall.allowPing = true;
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
+ networking.enableIPv6 = true;
+ networking.usePredictableInterfaceNames = false;
+ networking.dhcpcd.enable = true;
+ systemd.network = {
+ enable = true;
+ networks.eth0 = {
+ name = "eth0";
+ address = [ "2a01:4f9:c010:6a89::1" ];
+ gateway = [ "fe80::1" ];
+ };
+ };
+}
diff --git a/hosts/vault/secrets-db.nix b/hosts/vault/secrets-db.nix
new file mode 100644
index 0000000..5447148
--- /dev/null
+++ b/hosts/vault/secrets-db.nix
@@ -0,0 +1,14 @@
+{ }: {
+ restic_password = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/restic_password";
+ };
+ restic_env = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/restic_env";
+ };
+}
diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix
new file mode 100644
index 0000000..784f56c
--- /dev/null
+++ b/hosts/vault/secrets.nix
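Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` exposes SSH on the public IPv4 and the static public IPv6 address of the host that will hold the secret store, and unlike `hetzner-vm` this host imports no `profiles.tailscale`, so there is no private path to fall back to. If `profiles.sshd` already opens the port (likely, given NixOS `services.openssh.openFirewall` defaults to true, though that profile is not visible here) the line is also redundant. Consider reaching this box over tailscale or a restricted source range and dropping 22 from the public firewall, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 ];` once the profile is imported.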
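Review bot: Both entries use `permissions = "660";` with `user = "root"; group = "root";`, which sets a group write bit nothing needs — the only consumers are the root-run restic service and the `restic-vault` wrapper in `hosts/vault/vault.nix`, and the files hold the repository encryption password and the storage basic-auth credentials. Tighten both to `permissions = "600";` (or `"400"`, since `init-secrets` re-applies the mode each time it rewrites them). If a non-root reader is ever added, give it a dedicated group rather than widening the mode.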
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "init-secrets" ''
+ VAULT_ADDR_DEFAULT="https://vault.owo.monster"
+
+ [ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"
+
+ export PATH=$PATH:${pkgs.vault}/bin
+ export PATH=$PATH:${pkgs.jq}/bin
+
+ kv_get() {
+ vault kv get -format json $1
+ }
+
+ simple_get() {
+ kv_get $1 | jq .data.data$2 -r
+ }
+
+ simple_get "/private-public-keys/restic/Vault" .password > /secrets/restic_password
+ chown ${secrets-db.restic_password.user}:${secrets-db.restic_password.group} /secrets/restic_password
+ chmod ${secrets-db.restic_password.permissions} /secrets/restic_password
+
+ RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Vault" .username)
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .password)
+ echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > /secrets/restic_env
+ chown ${secrets-db.restic_env.user}:${secrets-db.restic_env.group} /secrets/restic_env
+ chmod ${secrets-db.restic_env.permissions} /secrets/restic_env
+ '')
+ ];
+}
diff --git a/hosts/vault/vault.nix b/hosts/vault/vault.nix
new file mode 100644
index 0000000..4c8b248
--- /dev/null
+++ b/hosts/vault/vault.nix
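Review bot: `[ -n "$VAULT_ADDR" ] && export VAULT_ADDR="$VAULT_ADDR_DEFAULT"` is inverted — it overwrites an address the caller deliberately set and leaves `VAULT_ADDR` unset when none is given, so the default is never actually applied. Separately, `simple_get ... > /secrets/restic_password` creates the file under the shell's default umask (typically 0644) before the `chmod` two lines later runs, and without `set -e`/`pipefail` a failing `vault` or `jq` call still truncates the secret to an empty file or the literal `null` and the script carries on. Add `set -euo pipefail` and `umask 077` at the top, default the address with `''${VAULT_ADDR:-$VAULT_ADDR_DEFAULT}` (the `''` escape is required because a bare `${` inside a Nix `''` string is Nix interpolation), and quote `"$1"`/`"$2"` in the helpers. The basic-auth credentials are also placed raw in the `RESTIC_REPOSITORY` URL, so a password containing `@`, `:` or `/` would need percent-encoding; worth checking how the storage-side password is generated.
```nix
    (pkgs.writeShellScriptBin "init-secrets" ''
      set -euo pipefail
      umask 077

      VAULT_ADDR_DEFAULT="https://vault.owo.monster"
      export VAULT_ADDR="''${VAULT_ADDR:-$VAULT_ADDR_DEFAULT}"

      # … unchanged: PATH exports for vault and jq …

      kv_get() {
        vault kv get -format json "$1"
      }

      simple_get() {
        kv_get "$1" | jq -r ".data.data$2"
      }

      # … unchanged: fetch restic_password / restic_env, chown, chmod …
```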
@@ -0,0 +1,69 @@
+{ modulesPath, tree, config, pkgs, lib, ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+ imports = with tree; [
+ users.root
+
+ profiles.base
+ profiles.sshd
+ profiles.nix-gc
+ profiles.nginx
+
+ ./hardware.nix
+ ./networking.nix
+ ./secrets.nix
+ ];
+
+ systemd.tmpfiles.rules = [ "d /secrets - root root" ];
+
+ services.vault = {
+ enable = true;
+ package = pkgs.vault-bin;
+ address = "127.0.0.1:8200";
+ storageBackend = "file";
+ extraConfig = ''
+ ui = true
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx.virtualHosts."vault.owo.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = { "/" = { proxyPass = "http://127.0.0.1:8200"; }; };
+ };
+
+ services.restic.backups.vault = {
+ user = "root";
+ paths = [ "/var/lib/vault" "/var/lib/acme" ];
+ timerConfig = {
+ OnBootSec = "1m";
+ OnCalendar = "daily";
+ };
+ # env contains fixed repository with auth
+ repository = "rest:https://storage-restic.owo.monster/HetznerVM";
+ passwordFile = "${secrets-db.restic_password.path}";
+ environmentFile = "${secrets-db.restic_env.path}";
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeShellScriptBin "restic-vault" ''
+ env \
+ RESTIC_PASSWORD_FILE=${secrets-db.restic_password.path} \
+ $(cat ${secrets-db.restic_env.path}) \
+ ${pkgs.restic}/bin/restic $@
+ '')
+ ];
+
+ home-manager.users.root = {
+ imports = with tree; [ home.base home.dev.small ];
+ home.stateVersion = "22.05";
+ };
+
+ networking.hostName = "vault";
+ time.timeZone = "Europe/London";
+
+ system.stateVersion = "21.11";
+}
+
diff --git a/hosts/hetzner-vm/services/nginx.nix b/profiles/nginx.nix
similarity index 86%
rename from hosts/hetzner-vm/services/nginx.nix
rename to profiles/nginx.nix
index b3b80f6..cb2c645 100644
--- a/hosts/hetzner-vm/services/nginx.nix
+++ b/profiles/nginx.nix
@@ -1,4 +1,4 @@
-_: {
+{...}: {
 security.acme = {
 defaults = { email = "chaoticryptidz@owo.monster"; };
 acceptTerms = true;
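Review bot: The `restic-vault` wrapper expands `$(cat ${secrets-db.restic_env.path})` onto the `env` command line, so `RESTIC_REPOSITORY=rest:https://<user>:<password>@storage-restic.owo.monster/Vault` becomes the argv of a running process and is readable through `ps` or `/proc/*/cmdline` by any local user for the whole run (unless `/proc` is mounted with `hidepid`); the expansion is also word-split, and `$@` is unquoted. Source the file into the environment and `exec` restic with `"$@"` instead, as below. The `repository = ".../HetznerVM"` on the backup unit is presumably overridden by `EnvironmentFile=` (systemd lets file values win over `Environment=`), but it names the wrong repository, so until `init-secrets` has run the unit points Vault's data at the HetznerVM path — set it to `rest:https://storage-restic.owo.monster/Vault` so both sources agree. Note also that `/var/lib/vault` is snapshotted while Vault is live on the `file` backend, so a write racing the backup can produce an inconsistent copy; consider sealing/stopping Vault around the job or at least test-restoring regularly.
```nix
    (pkgs.writeShellScriptBin "restic-vault" ''
      set -eu
      # Load RESTIC_REPOSITORY (which carries credentials) from the env file
      # without ever placing it on a command line.
      set -a
      . ${secrets-db.restic_env.path}
      set +a
      export RESTIC_PASSWORD_FILE=${secrets-db.restic_password.path}
      exec ${pkgs.restic}/bin/restic "$@"
    '')
```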
@@ -13,5 +13,4 @@ _: {
 clientMaxBodySize = "512m";
 serverNamesHashBucketSize = 1024;
 };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-}
+}
\ No newline at end of file
diff --git a/hosts/storage/misc.nix b/profiles/nix-gc.nix
similarity index 98%
rename from hosts/storage/misc.nix
rename to profiles/nix-gc.nix
index df7c466..189c6b1 100644
--- a/hosts/storage/misc.nix
+++ b/profiles/nix-gc.nix
@@ -5,4 +5,4 @@
 dates = "daily";
 options = "--delete-older-than 1d";
 };
-}
+}
\ No newline at end of file