diff --git a/data/internalCA.crt b/data/internalCA.crt
deleted file mode 100644
index 2f8d774..0000000
--- a/data/internalCA.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBujCCAWGgAwIBAgIQINyB8JtDFzImcYtBEEbrbzAKBggqhkjOPQQDAjA8MRgw
-FgYDVQQKEw9jaGFvc0ludGVybmFsQ0ExIDAeBgNVBAMTF2NoYW9zSW50ZXJuYWxD
-QSBSb290IENBMB4XDTIzMTAwNzA5MjYyMloXDTMzMTAwNDA5MjYyMlowPDEYMBYG
-A1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFsQ0Eg
-Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRmFlfmZyu0k0gt3SpK
-X+87L2L6Ty0ddQoTVh6O/PnqSc5583oWjD3I8La8CP0Ehadr+MZ6qnTlng2Z5G+0
-4PWjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud
-DgQWBBQSdzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNHADBEAiADlN6S
-1AgXe0M3Jp9KMI17amhbJFJY+RKhZG8iXjLi5AIgBR1prsckn0cH6J5l1R2UFVfP
-JXQxoNNf9ZJcgA9uOww=
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/data/internalCAIntermediate.crt b/data/internalCAIntermediate.crt
deleted file mode 100644
index d15ed17..0000000
--- a/data/internalCAIntermediate.crt
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB5TCCAYugAwIBAgIRAMByUDCtdh+37o2NL01fJvQwCgYIKoZIzj0EAwIwPDEY
-MBYGA1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFs
-Q0EgUm9vdCBDQTAeFw0yMzEwMDcwOTI2MjNaFw0zMzEwMDQwOTI2MjNaMEQxGDAW
-BgNVBAoTD2NoYW9zSW50ZXJuYWxDQTEoMCYGA1UEAxMfY2hhb3NJbnRlcm5hbENB
-IEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMb7h/fG
-G2vlRc4fartmb/4q2MvuRzH8xTUQ4C/feNVmePHrJtIR0/tKsKhkHVWdp5Zz4MXz
-jIhyT0EqB7N3gZyjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
-AgEAMB0GA1UdDgQWBBS2nPpqHCugN9/hYZkIE2TtUfJa5DAfBgNVHSMEGDAWgBQS
-dzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNIADBFAiEApu4b3L3t2mxi
-WSXC0RQq+T/kpwtyCY+PCy4Wwp8pbgUCIGFfjmVjv7eCz+NkBnA6B74trz1vNN/j
-FdFrgXnBo365
------END CERTIFICATE-----
\ No newline at end of file
diff --git a/data/wireguard/chaosInternalWireGuard.nix b/data/wireguard/chaosInternalWireGuard.nix
deleted file mode 100644
index 9a6b1ea..0000000
--- a/data/wireguard/chaosInternalWireGuard.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-let
- pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json);
- listenPort = 51820;
-in rec {
- # 10.0.0.0/24 - machines
- # 10.0.1.0/24 - containers for hetzner-arm
-
- hosts = {
- "hetzner-arm" = {
- ip = "10.0.0.1";
- allowedIPs = [
- "10.0.0.1/32" # Allow itself
- "10.0.1.1/24" # Containers
- ];
- public = pubkeys."hetzner-arm";
- inherit listenPort;
- endpoint = "hetzner-arm.servers.genderfucked.monster:${toString listenPort}";
- };
- "vault" = {
- ip = "10.0.0.2";
- public = pubkeys."vault";
- inherit listenPort;
- endpoint = "vault.servers.genderfucked.monster:${toString listenPort}";
- };
- "lappy-t495" = {
- ip = "10.0.0.3";
- public = pubkeys."lappy-t495";
- };
- "raspberry" = {
- ip = "10.0.0.4";
- public = pubkeys."raspberry";
- inherit listenPort;
- endpoint = "raspberry.servers.genderfucked.monster:${toString listenPort}";
- };
- "iphone15" = {
- ip = "10.0.0.5";
- public = pubkeys."iphone15";
- };
- "iphone8" = {
- ip = "10.0.0.6";
- public = pubkeys."iphone8";
- };
- };
-}
diff --git a/data/wireguard/chaosInternalWireGuardPubKeys.json b/data/wireguard/chaosInternalWireGuardPubKeys.json
deleted file mode 100644
index 0106878..0000000
--- a/data/wireguard/chaosInternalWireGuardPubKeys.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "vault": "IfYCpiUXmsGVj8OR32W1ind0TWf2hmT+Axz3SaTsUQE=",
- "raspberry": "ZWnPJZ5Bw/EyoLo5o3xjhkn3aTDC+ivPnnizGL0JfEo=",
- "lappy-t495": "ogQmpEb3pXgn8NhQUlIwj/6CwAxXeB1ayqfXaieKs3g=",
- "iphone8": "OptrVbP0q9q3DkEUGYu8aa6kj3S7h7cpotz5yuKs7Qw=",
- "hetzner-arm": "UJ1WgFOy5AtvMvvU9Y3F8CuDOXz8JeJGZtDa83s7D3s=",
- "iphone15": "i4vGjEqQyuoRqOJucXVrW0aIbwSUaB2dVVtEUjvHx3A="
-}
diff --git a/hosts/hetzner-arm/containers/vault/data/ca.json b/hosts/hetzner-arm/containers/vault/data/ca.json
deleted file mode 100644
index 6dfe9b3..0000000
--- a/hosts/hetzner-arm/containers/vault/data/ca.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- "root": "/var/lib/step-ca/certs/root_ca.crt",
- "federatedRoots": null,
- "crt": "/var/lib/step-ca/certs/intermediate_ca.crt",
- "key": "/var/lib/step-ca/secrets/intermediate_ca_key",
- "address": ":8443",
- "insecureAddress": "",
- "dnsNames": [
- "internal-ca.genderfucked.monster"
- ],
- "logger": {
- "format": "text"
- },
- "db": {
- "type": "badgerv2",
- "dataSource": "/var/lib/step-ca/db",
- "badgerFileLoadingMode": ""
- },
- "authority": {
- "provisioners": [
- {
- "type": "JWK",
- "name": "chaos@owo.monster",
- "key": {
- "use": "sig",
- "kty": "EC",
- "kid": "iVF2Pv4bjT49y3A7Fr7VLUX7DRA_agV8MtJO1fPsXak",
- "crv": "P-256",
- "alg": "ES256",
- "x": "eObudoofL4N97swbxJENw_l8CNUJDqY-z7D7FsGuQAo",
- "y": "oVh_vs7tyU0hqVp9_rlGg4zf_DEfwt9sP8HvvX-BBpg"
- },
- "encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiejg2MEtzcTRSdmFjTnlnTzZlODlnQSJ9.UJmlI8NY3E3Q9mxCiQKg3A8w_BrbxRajrWsdFAADTgNSmWvMv9BO2Q.5YJjMQy7CHO0yBT2.bglp3YwvZtGJm8tSRXRt87kCr4sLiNDWUDHdJi5HJOlRQGFpW95tbI_3smJ81fBZHxA8yXXKP4vce-pmheTd_MbKWKjlmATZx6-JrvyVxHgOb80Fqdlb7GTVHkTu6fOYJzZtFUHswNvKdhJ4kHzQzs09ukc3KZRRCl9t2OV_jSY0ag8EhEAfqDCHAhx9V4Rlg6E10oLHA2kCGo7Z8bE_mClRPd9sFCIg4C0WdvIlXRJk3-Hs7tqCrGXBq50vZf28VjvS2B2JrtEGzK6CU1338GJ6oT3I7BaMF1X9IS-UfU3mUrGalwr8j7MV7-ezDwlEoCnFhQbD2UOVC0nHRyE.Ta-x2FImNtgtlIlIiWdpAA"
- },
- {
- "type": "ACME",
- "name": "acme"
- }
- ]
- },
- "tls": {
- "cipherSuites": [
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- ],
- "minVersion": 1.2,
- "maxVersion": 1.3,
- "renegotiation": false
- }
-}
\ No newline at end of file
diff --git a/hosts/hetzner-arm/containers/vault/default.nix b/hosts/hetzner-arm/containers/vault/default.nix
index 6f9f512..b5f41d1 100644
--- a/hosts/hetzner-arm/containers/vault/default.nix
+++ b/hosts/hetzner-arm/containers/vault/default.nix
@@ -35,7 +35,6 @@ in { ] ++ (with hosts.hetzner-arm.containers.vault.profiles; [ vault - #internalCA restic ]); @@ -53,17 +52,4 @@ in { "/".proxyPass = "http://${containerIP}:8200"; }; }; - - # TODO: redo this - #security.acme.certs."vault.genderfucked.monster" = { - # server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory"; - #}; - - #services.nginx.virtualHosts."vault.genderfucked.monster" = { - # forceSSL = true; - # enableACME = true; - # locations = { - # "/".proxyPass = "http://${containerIP}:8200"; - # }; - #}; } diff --git a/hosts/hetzner-arm/containers/vault/profiles/internalCA.nix b/hosts/hetzner-arm/containers/vault/profiles/internalCA.nix deleted file mode 100644 index fca8042..0000000 --- a/hosts/hetzner-arm/containers/vault/profiles/internalCA.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - pkgs, - config, - ... -}: let - inherit (config.services.secrets) secrets; -in { - environment.systemPackages = with pkgs; [ - step-cli - step-ca - ]; - - services.step-ca = { - enable = true; - address = "0.0.0.0"; - port = 8443; - intermediatePasswordFile = secrets.internal_ca_password.path; - settings = builtins.fromJSON (builtins.readFile ../data/ca.json); - }; -} diff --git a/hosts/hetzner-arm/containers/vault/secrets.nix b/hosts/hetzner-arm/containers/vault/secrets.nix index 0952b0b..1040a34 100644 --- a/hosts/hetzner-arm/containers/vault/secrets.nix +++ b/hosts/hetzner-arm/containers/vault/secrets.nix @@ -15,8 +15,6 @@ "private-public-keys/data/restic/Vault" "api-keys/data/backblaze/Chaos-Backups" - - "infra/data/internalCAPassword" ]; secrets = { @@ -37,12 +35,6 @@ EOF ''; }; - - internal_ca_password = { - fetchScript = '' - simple_get "/infra/internalCAPassword" .password > "$secretFile" - ''; - }; }; }; } diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix index 826eb4d..fa37b77 100644 --- a/hosts/hetzner-arm/hetzner-arm.nix +++ b/hosts/hetzner-arm/hetzner-arm.nix 
@@ -14,8 +14,6 @@ in { profiles.nginx profiles.firewallAllow.httpCommon - # profiles.chaosInternalWireGuard - ./hardware.nix ./secrets.nix ] diff --git a/hosts/lappy-surface/lappy-surface.nix b/hosts/lappy-surface/lappy-surface.nix index 0f867e3..9c3b5c5 100644 --- a/hosts/lappy-surface/lappy-surface.nix +++ b/hosts/lappy-surface/lappy-surface.nix @@ -10,7 +10,6 @@ profiles.cross.arm64 profiles.remoteBuilders - #profiles.chaosInternalWireGuard hosts.lappy-surface.profiles.music-player-target diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix index a7b4b3f..6486dbb 100644 --- a/hosts/lappy-t495/lappy-t495.nix +++ b/hosts/lappy-t495/lappy-t495.nix @@ -10,7 +10,6 @@ profiles.cross.arm64 profiles.remoteBuilders - profiles.chaosInternalWireGuard profiles.gaming.steam diff --git a/hosts/raspberry/raspberry.nix b/hosts/raspberry/raspberry.nix index f71ce80..c522dee 100644 --- a/hosts/raspberry/raspberry.nix +++ b/hosts/raspberry/raspberry.nix @@ -6,8 +6,6 @@ profiles.nginx profiles.firewallAllow.httpCommon - profiles.chaosInternalWireGuard - ./secrets.nix ./boot.nix ] diff --git a/hosts/raspberry/secrets.nix b/hosts/raspberry/secrets.nix index b6661a3..fcd30bb 100644 --- a/hosts/raspberry/secrets.nix +++ b/hosts/raspberry/secrets.nix @@ -7,12 +7,7 @@ loginUsername = "raspberry"; }; - # some are also added from wireguard internal config - requiredVaultPaths = [ - "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically - - "api-keys/data/hetzner/storagebox" # also used dynamically - ]; + requiredVaultPaths = []; secrets = { vault_password = { diff --git a/lib/containerLib.nix b/lib/containerLib.nix deleted file mode 100644 index a2137f1..0000000 --- a/lib/containerLib.nix +++ /dev/null 
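Review bot: The hosts/raspberry/secrets.nix hunk empties `requiredVaultPaths`, which drops `private-public-keys/data/cryptsetup/raspberry-ext-drive` and `api-keys/data/hetzner/storagebox` even though the removed comments mark both as still used dynamically and neither belongs to the WireGuard profile this commit retires. If the vault-policy generation referenced in the outputs.nix hunk derives the host policy from this list, the raspberry host loses access to those two paths the next time the policy is applied while their dynamic consumers keep referencing them. Unless those consumers were removed in a commit not shown here, keep the two unrelated entries: `requiredVaultPaths = [ "private-public-keys/data/cryptsetup/raspberry-ext-drive" "api-keys/data/hetzner/storagebox" ];`. The enclosing `services.secrets` attribute set continues outside the hunk.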
@@ -1,41 +0,0 @@
-{lib, ...}: let
- inherit (lib.lists) forEach;
- inherit (lib.modules) mkMerge;
- inherit (builtins) isString;
-in rec {
- genBindMountForSecret = secrets: secretItem: let
- secret =
- if isString secretItem
- then secrets.${secretItem}
- else secrets.${secretItem.name};
-
- hostPath = secret.path;
-
- containerPath =
- if isString secretItem
- then hostPath
- else secretItem.path;
-
- writable =
- if isString secretItem
- then
- (
- if secretItem ? "writable"
- then secretItem.writable
- else false
- )
- else false;
- in {
- "${containerPath}" = {
- inherit hostPath;
- isReadOnly = !writable;
- };
- };
-
- genBindHostsForSecrets = secrets: secrets_list: (
- mkMerge (forEach secrets_list (
- secretItem:
- genBindMountForSecret secrets secretItem
- ))
- );
-}
diff --git a/lib/internalWireGuardLib.nix b/lib/internalWireGuardLib.nix
deleted file mode 100644
index c2f38b6..0000000
--- a/lib/internalWireGuardLib.nix
+++ /dev/null
@@ -1,99 +0,0 @@ -{ - lib, - pkgs, - ... -}: let - inherit (pkgs) writeShellScriptBin; - inherit (lib.lists) forEach; - inherit (lib.strings) concatStringsSep optionalString; - inherit (builtins) attrNames; - - wireguardData = import ../data/wireguard/chaosInternalWireGuard.nix; - wireguardHosts = wireguardData.hosts; - - kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}"; -in rec { - initAllScript = writeShellScriptBin "wg-keys-init-all" (let - vault = "${pkgs.vault}/bin/vault"; - in '' - - PUBKEYS_FILE=$1 - if [ -z "$PUBKEYS_FILE" ]; then - echo "please provide path to file with pubkeys" - exit 1 - fi - - ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: '' - echo "{}" | ${vault} kv put "${kvPathForHost hostName}" - 2>/dev/null - ''))} - - ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: '' - echo "Deploying keys for ${hostName}" - - "${genInitScript hostName}/bin/wg-keys-init-${hostName}" "$PUBKEYS_FILE" - ''))} - ''); - - genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let - vault = "${pkgs.vault}/bin/vault"; - jq = "${pkgs.jq}/bin/jq"; - wg = "${pkgs.wireguard-tools}/bin/wg"; - sponge = "${pkgs.moreutils}/bin/sponge"; - in '' - - PUBKEYS_FILE=$1 - if [ -z "$PUBKEYS_FILE" ]; then - echo "please provide path to file with pubkeys" - exit 1 - fi - - PRIVATE=$(${wg} genkey) - PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey) - - TMP_DIR=$(mktemp -d) - pushd "$TMP_DIR" - echo "{}" > currentHost.json - ${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json - ${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json - cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null - cat currentHost.json | jq - popd - - rm -rf "$TMP_DIR" - - ${jq} ".\"${systemHostName}\" = \"$PUBLIC\"" "$PUBKEYS_FILE" | ${sponge} "$PUBKEYS_FILE" - '')); - - genConfScript = systemHostName: (writeShellScriptBin 
"wg-gen-conf-${systemHostName}" (let - vault = "${pkgs.vault}/bin/vault"; - jq = "${pkgs.jq}/bin/jq"; - - currentHostConfig = wireguardHosts.${systemHostName}; - in '' - set -euo pipefail - getPrivateKey() { - ${vault} kv get -format=json "/private-public-keys/wireguard/chaos-internal/$1" | ${jq} -r ".data.data.private" | tr -d '\n' - } - - cat << EOF - [interface] - Address = ${currentHostConfig.ip}/24 - ${optionalString (currentHostConfig ? "listenAddress") "ListenAddress = ${toString currentHostConfig.listenAddress}"} - PrivateKey = $(getPrivateKey ${systemHostName}) - - - ${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: (let - hostConfig = wireguardHosts.${hostName}; - in '' - [Peer] - PublicKey = ${hostConfig.public} - ${optionalString (hostConfig ? "endpoint") "Endpoint = ${hostConfig.endpoint}"} - AllowedIPs = ${ - if hostConfig ? "allowedIPs" - then concatStringsSep "," hostConfig.allowedIPs - else "${hostConfig.ip}/32" - } - '')))} - EOF - '')); -} diff --git a/outputs.nix b/outputs.nix index 3ac6da8..3f7ec0c 100644 --- a/outputs.nix +++ b/outputs.nix @@ -59,29 +59,6 @@ in }; } - # internal wireguard scripts - (let - internalWireGuardLib = import ./lib/internalWireGuardLib.nix { - inherit (nixpkgs) lib; - inherit pkgs; - }; - - wireguardData = import ./data/wireguard/chaosInternalWireGuard.nix; - hostsWithWireGuard = builtins.attrNames wireguardData.hosts; - in { - packages = mergeAttrsList [ - (mergeAttrsList ( - forEach hostsWithWireGuard (hostName: { - "wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName; - "wg-gen-conf-${hostName}" = internalWireGuardLib.genConfScript hostName; - }) - )) - { - "wg-keys-init-all" = internalWireGuardLib.initAllScript; - } - ]; - }) - # secrets-init, secrets-check and vault-policy for machines and containers (let secretsLib = import ./modules/nixos/secretsLib/lib.nix { 
diff --git a/profiles/base/internalCA.nix b/profiles/base/internalCA.nix
deleted file mode 100644
index 37d7616..0000000
--- a/profiles/base/internalCA.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
- security.pki.certificateFiles = [
- ../../data/internalCA.crt
- ];
-}
diff --git a/profiles/chaosInternalWireGuard/secrets.nix b/profiles/chaosInternalWireGuard/secrets.nix
deleted file mode 100644
index 96e8be7..0000000
--- a/profiles/chaosInternalWireGuard/secrets.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{config, ...}: let
- currentHostName = config.networking.hostName;
-in {
- services.secrets = {
- enable = true;
-
- requiredVaultPaths = [
- "private-public-keys/data/wireguard/chaos-internal/${currentHostName}"
- ];
-
- secrets = {
- wg_public = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .public > "$secretFile"
- '';
- };
- wg_private = {
- fetchScript = ''
- simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
- '';
- };
- };
- };
-}
diff --git a/profiles/chaosInternalWireGuard/wireguard.nix b/profiles/chaosInternalWireGuard/wireguard.nix
deleted file mode 100644
index 2a252c0..0000000
--- a/profiles/chaosInternalWireGuard/wireguard.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- self,
- lib,
- config,
- ...
-}: let
- inherit (lib.modules) mkIf;
- inherit (lib.lists) filter;
- inherit (builtins) hasAttr attrNames;
-
- # Assume this to be set
- inherit (config.services.secrets) secrets;
-
- wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
- wireguardHosts = wireguardData.hosts;
-
- currentHostName = config.networking.hostName;
- currentHostConfig = wireguardHosts.${currentHostName};
-in {
- networking.firewall = {
- trustedInterfaces = [
- "wg0"
- ];
- allowPing = true;
- allowedUDPPorts = mkIf (hasAttr "listenPort" currentHostConfig) [
- currentHostConfig.listenPort
- ];
- };
-
- systemd.services.wireguard-debug = {
- wantedBy = ["multi-user.target"];
- script = ''
- echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
- '';
- };
-
- networking.wg-quick.interfaces = {
- wg0 = {
- address = ["${currentHostConfig.ip}/24"];
- privateKeyFile = "${secrets.wg_private.path}";
- listenPort = mkIf (hasAttr "listenPort" currentHostConfig) currentHostConfig.listenPort;
-
- peers =
- map (
- hostName: let
- host = wireguardHosts.${hostName};
- in {
- allowedIPs = host.allowedIPs or ["${host.ip}/32"];
- publicKey = host.public;
- endpoint = host.endpoint or null;
- }
- ) (filter (
- hostName: hostName != currentHostName
- ) (attrNames wireguardHosts));
- };
- };
-}