chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

remove wireguard and internal CA

Browse source
This commit is contained in:
chaos 2024-07-21 20:33:20 +01:00
parent a3922810ad
commit af963bb628
No known key found for this signature in database
19 changed files with 1 additions and 430 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
data/internalCA.crt
View file

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBujCCAWGgAwIBAgIQINyB8JtDFzImcYtBEEbrbzAKBggqhkjOPQQDAjA8MRgw
FgYDVQQKEw9jaGFvc0ludGVybmFsQ0ExIDAeBgNVBAMTF2NoYW9zSW50ZXJuYWxD
QSBSb290IENBMB4XDTIzMTAwNzA5MjYyMloXDTMzMTAwNDA5MjYyMlowPDEYMBYG
A1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFsQ0Eg
Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFRmFlfmZyu0k0gt3SpK
X+87L2L6Ty0ddQoTVh6O/PnqSc5583oWjD3I8La8CP0Ehadr+MZ6qnTlng2Z5G+0
4PWjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud
DgQWBBQSdzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNHADBEAiADlN6S
1AgXe0M3Jp9KMI17amhbJFJY+RKhZG8iXjLi5AIgBR1prsckn0cH6J5l1R2UFVfP
JXQxoNNf9ZJcgA9uOww=
-----END CERTIFICATE-----

13
data/internalCAIntermediate.crt
View file

@ -1,13 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIB5TCCAYugAwIBAgIRAMByUDCtdh+37o2NL01fJvQwCgYIKoZIzj0EAwIwPDEY
MBYGA1UEChMPY2hhb3NJbnRlcm5hbENBMSAwHgYDVQQDExdjaGFvc0ludGVybmFs
Q0EgUm9vdCBDQTAeFw0yMzEwMDcwOTI2MjNaFw0zMzEwMDQwOTI2MjNaMEQxGDAW
BgNVBAoTD2NoYW9zSW50ZXJuYWxDQTEoMCYGA1UEAxMfY2hhb3NJbnRlcm5hbENB
IEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMb7h/fG
G2vlRc4fartmb/4q2MvuRzH8xTUQ4C/feNVmePHrJtIR0/tKsKhkHVWdp5Zz4MXz
jIhyT0EqB7N3gZyjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBS2nPpqHCugN9/hYZkIE2TtUfJa5DAfBgNVHSMEGDAWgBQS
dzj+Rld9GOvs4T2BuFlqk19d5zAKBggqhkjOPQQDAgNIADBFAiEApu4b3L3t2mxi
WSXC0RQq+T/kpwtyCY+PCy4Wwp8pbgUCIGFfjmVjv7eCz+NkBnA6B74trz1vNN/j
FdFrgXnBo365
-----END CERTIFICATE-----

44
data/wireguard/chaosInternalWireGuard.nix
View file

@ -1,44 +0,0 @@
let
pubkeys = builtins.fromJSON (builtins.readFile ./chaosInternalWireGuardPubKeys.json);
listenPort = 51820;
in rec {
# 10.0.0.0/24 - machines
# 10.0.1.0/24 - containers for hetzner-arm
hosts = {
"hetzner-arm" = {
ip = "10.0.0.1";
allowedIPs = [
"10.0.0.1/32" # Allow itself
"10.0.1.1/24" # Containers
];
public = pubkeys."hetzner-arm";
inherit listenPort;
endpoint = "hetzner-arm.servers.genderfucked.monster:${toString listenPort}";
};
"vault" = {
ip = "10.0.0.2";
public = pubkeys."vault";
inherit listenPort;
endpoint = "vault.servers.genderfucked.monster:${toString listenPort}";
};
"lappy-t495" = {
ip = "10.0.0.3";
public = pubkeys."lappy-t495";
};
"raspberry" = {
ip = "10.0.0.4";
public = pubkeys."raspberry";
inherit listenPort;
endpoint = "raspberry.servers.genderfucked.monster:${toString listenPort}";
};
"iphone15" = {
ip = "10.0.0.5";
public = pubkeys."iphone15";
};
"iphone8" = {
ip = "10.0.0.6";
public = pubkeys."iphone8";
};
};
}

8
data/wireguard/chaosInternalWireGuardPubKeys.json
View file

@ -1,8 +0,0 @@
{
"vault": "IfYCpiUXmsGVj8OR32W1ind0TWf2hmT+Axz3SaTsUQE=",
"raspberry": "ZWnPJZ5Bw/EyoLo5o3xjhkn3aTDC+ivPnnizGL0JfEo=",
"lappy-t495": "ogQmpEb3pXgn8NhQUlIwj/6CwAxXeB1ayqfXaieKs3g=",
"iphone8": "OptrVbP0q9q3DkEUGYu8aa6kj3S7h7cpotz5yuKs7Qw=",
"hetzner-arm": "UJ1WgFOy5AtvMvvU9Y3F8CuDOXz8JeJGZtDa83s7D3s=",
"iphone15": "i4vGjEqQyuoRqOJucXVrW0aIbwSUaB2dVVtEUjvHx3A="
}

50
hosts/hetzner-arm/containers/vault/data/ca.json
View file

@ -1,50 +0,0 @@
{
"root": "/var/lib/step-ca/certs/root_ca.crt",
"federatedRoots": null,
"crt": "/var/lib/step-ca/certs/intermediate_ca.crt",
"key": "/var/lib/step-ca/secrets/intermediate_ca_key",
"address": ":8443",
"insecureAddress": "",
"dnsNames": [
"internal-ca.genderfucked.monster"
],
"logger": {
"format": "text"
},
"db": {
"type": "badgerv2",
"dataSource": "/var/lib/step-ca/db",
"badgerFileLoadingMode": ""
},
"authority": {
"provisioners": [
{
"type": "JWK",
"name": "chaos@owo.monster",
"key": {
"use": "sig",
"kty": "EC",
"kid": "iVF2Pv4bjT49y3A7Fr7VLUX7DRA_agV8MtJO1fPsXak",
"crv": "P-256",
"alg": "ES256",
"x": "eObudoofL4N97swbxJENw_l8CNUJDqY-z7D7FsGuQAo",
"y": "oVh_vs7tyU0hqVp9_rlGg4zf_DEfwt9sP8HvvX-BBpg"
},
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiejg2MEtzcTRSdmFjTnlnTzZlODlnQSJ9.UJmlI8NY3E3Q9mxCiQKg3A8w_BrbxRajrWsdFAADTgNSmWvMv9BO2Q.5YJjMQy7CHO0yBT2.bglp3YwvZtGJm8tSRXRt87kCr4sLiNDWUDHdJi5HJOlRQGFpW95tbI_3smJ81fBZHxA8yXXKP4vce-pmheTd_MbKWKjlmATZx6-JrvyVxHgOb80Fqdlb7GTVHkTu6fOYJzZtFUHswNvKdhJ4kHzQzs09ukc3KZRRCl9t2OV_jSY0ag8EhEAfqDCHAhx9V4Rlg6E10oLHA2kCGo7Z8bE_mClRPd9sFCIg4C0WdvIlXRJk3-Hs7tqCrGXBq50vZf28VjvS2B2JrtEGzK6CU1338GJ6oT3I7BaMF1X9IS-UfU3mUrGalwr8j7MV7-ezDwlEoCnFhQbD2UOVC0nHRyE.Ta-x2FImNtgtlIlIiWdpAA"
},
{
"type": "ACME",
"name": "acme"
}
]
},
"tls": {
"cipherSuites": [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
],
"minVersion": 1.2,
"maxVersion": 1.3,
"renegotiation": false
}
}

14
hosts/hetzner-arm/containers/vault/default.nix
View file

@ -35,7 +35,6 @@ in {
] ]
++ (with hosts.hetzner-arm.containers.vault.profiles; [ ++ (with hosts.hetzner-arm.containers.vault.profiles; [
vault vault
#internalCA
restic restic
]); ]);
@ -53,17 +52,4 @@ in {
"/".proxyPass = "http://${containerIP}:8200"; "/".proxyPass = "http://${containerIP}:8200";
}; };
}; };
# TODO: redo this
#security.acme.certs."vault.genderfucked.monster" = {
# server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
#};
#services.nginx.virtualHosts."vault.genderfucked.monster" = {
# forceSSL = true;
# enableACME = true;
# locations = {
# "/".proxyPass = "http://${containerIP}:8200";
# };
#};
} }

20
hosts/hetzner-arm/containers/vault/profiles/internalCA.nix
View file

@ -1,20 +0,0 @@
{
pkgs,
config,
...
}: let
inherit (config.services.secrets) secrets;
in {
environment.systemPackages = with pkgs; [
step-cli
step-ca
];
services.step-ca = {
enable = true;
address = "0.0.0.0";
port = 8443;
intermediatePasswordFile = secrets.internal_ca_password.path;
settings = builtins.fromJSON (builtins.readFile ../data/ca.json);
};
}

8
hosts/hetzner-arm/containers/vault/secrets.nix
View file

@ -15,8 +15,6 @@
"private-public-keys/data/restic/Vault" "private-public-keys/data/restic/Vault"
"api-keys/data/backblaze/Chaos-Backups" "api-keys/data/backblaze/Chaos-Backups"
"infra/data/internalCAPassword"
]; ];
secrets = { secrets = {
@ -37,12 +35,6 @@
EOF EOF
''; '';
}; };
internal_ca_password = {
fetchScript = ''
simple_get "/infra/internalCAPassword" .password > "$secretFile"
'';
};
}; };
}; };
} }

2
hosts/hetzner-arm/hetzner-arm.nix
View file

@ -14,8 +14,6 @@ in {
profiles.nginx profiles.nginx
profiles.firewallAllow.httpCommon profiles.firewallAllow.httpCommon
# profiles.chaosInternalWireGuard
./hardware.nix ./hardware.nix
./secrets.nix ./secrets.nix
] ]

1
hosts/lappy-surface/lappy-surface.nix
View file

@ -10,7 +10,6 @@
profiles.cross.arm64 profiles.cross.arm64
profiles.remoteBuilders profiles.remoteBuilders
#profiles.chaosInternalWireGuard
hosts.lappy-surface.profiles.music-player-target hosts.lappy-surface.profiles.music-player-target

1
hosts/lappy-t495/lappy-t495.nix
View file

@ -10,7 +10,6 @@
profiles.cross.arm64 profiles.cross.arm64
profiles.remoteBuilders profiles.remoteBuilders
profiles.chaosInternalWireGuard
profiles.gaming.steam profiles.gaming.steam

2
hosts/raspberry/raspberry.nix
View file

@ -6,8 +6,6 @@
profiles.nginx profiles.nginx
profiles.firewallAllow.httpCommon profiles.firewallAllow.httpCommon
profiles.chaosInternalWireGuard
./secrets.nix ./secrets.nix
./boot.nix ./boot.nix
] ]

7
hosts/raspberry/secrets.nix
View file

@ -7,12 +7,7 @@
loginUsername = "raspberry"; loginUsername = "raspberry";
}; };
# some are also added from wireguard internal config requiredVaultPaths = [];
requiredVaultPaths = [
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
"api-keys/data/hetzner/storagebox" # also used dynamically
];
secrets = { secrets = {
vault_password = { vault_password = {

41
lib/containerLib.nix
View file

@ -1,41 +0,0 @@
{lib, ...}: let
inherit (lib.lists) forEach;
inherit (lib.modules) mkMerge;
inherit (builtins) isString;
in rec {
genBindMountForSecret = secrets: secretItem: let
secret =
if isString secretItem
then secrets.${secretItem}
else secrets.${secretItem.name};
hostPath = secret.path;
containerPath =
if isString secretItem
then hostPath
else secretItem.path;
writable =
if isString secretItem
then
(
if secretItem ? "writable"
then secretItem.writable
else false
)
else false;
in {
"${containerPath}" = {
inherit hostPath;
isReadOnly = !writable;
};
};
genBindHostsForSecrets = secrets: secrets_list: (
mkMerge (forEach secrets_list (
secretItem:
genBindMountForSecret secrets secretItem
))
);
}

99
lib/internalWireGuardLib.nix
View file

@ -1,99 +0,0 @@
{
lib,
pkgs,
...
}: let
inherit (pkgs) writeShellScriptBin;
inherit (lib.lists) forEach;
inherit (lib.strings) concatStringsSep optionalString;
inherit (builtins) attrNames;
wireguardData = import ../data/wireguard/chaosInternalWireGuard.nix;
wireguardHosts = wireguardData.hosts;
kvPathForHost = host: "/private-public-keys/wireguard/chaos-internal/${host}";
in rec {
initAllScript = writeShellScriptBin "wg-keys-init-all" (let
vault = "${pkgs.vault}/bin/vault";
in ''
PUBKEYS_FILE=$1
if [ -z "$PUBKEYS_FILE" ]; then
echo "please provide path to file with pubkeys"
exit 1
fi
${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: ''
echo "{}" | ${vault} kv put "${kvPathForHost hostName}" - 2>/dev/null
''))}
${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: ''
echo "Deploying keys for ${hostName}"
"${genInitScript hostName}/bin/wg-keys-init-${hostName}" "$PUBKEYS_FILE"
''))}
'');
genInitScript = systemHostName: (writeShellScriptBin "wg-keys-init-${systemHostName}" (let
vault = "${pkgs.vault}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
wg = "${pkgs.wireguard-tools}/bin/wg";
sponge = "${pkgs.moreutils}/bin/sponge";
in ''
PUBKEYS_FILE=$1
if [ -z "$PUBKEYS_FILE" ]; then
echo "please provide path to file with pubkeys"
exit 1
fi
PRIVATE=$(${wg} genkey)
PUBLIC=$(echo "$PRIVATE" | ${wg} pubkey)
TMP_DIR=$(mktemp -d)
pushd "$TMP_DIR"
echo "{}" > currentHost.json
${jq} ".public = \"$PUBLIC\"" currentHost.json | ${sponge} currentHost.json
${jq} ".private = \"$PRIVATE\"" currentHost.json | ${sponge} currentHost.json
cat currentHost.json | ${vault} kv put "${kvPathForHost systemHostName}" - 2>/dev/null
cat currentHost.json | jq
popd
rm -rf "$TMP_DIR"
${jq} ".\"${systemHostName}\" = \"$PUBLIC\"" "$PUBKEYS_FILE" | ${sponge} "$PUBKEYS_FILE"
''));
genConfScript = systemHostName: (writeShellScriptBin "wg-gen-conf-${systemHostName}" (let
vault = "${pkgs.vault}/bin/vault";
jq = "${pkgs.jq}/bin/jq";
currentHostConfig = wireguardHosts.${systemHostName};
in ''
set -euo pipefail
getPrivateKey() {
${vault} kv get -format=json "/private-public-keys/wireguard/chaos-internal/$1" | ${jq} -r ".data.data.private" | tr -d '\n'
}
cat << EOF
[interface]
Address = ${currentHostConfig.ip}/24
${optionalString (currentHostConfig ? "listenAddress") "ListenAddress = ${toString currentHostConfig.listenAddress}"}
PrivateKey = $(getPrivateKey ${systemHostName})
${concatStringsSep "\n" (forEach (attrNames wireguardHosts) (hostName: (let
hostConfig = wireguardHosts.${hostName};
in ''
[Peer]
PublicKey = ${hostConfig.public}
${optionalString (hostConfig ? "endpoint") "Endpoint = ${hostConfig.endpoint}"}
AllowedIPs = ${
if hostConfig ? "allowedIPs"
then concatStringsSep "," hostConfig.allowedIPs
else "${hostConfig.ip}/32"
}
'')))}
EOF
''));
}

23
outputs.nix
View file

@ -59,29 +59,6 @@ in
}; };
} }
# internal wireguard scripts
(let
internalWireGuardLib = import ./lib/internalWireGuardLib.nix {
inherit (nixpkgs) lib;
inherit pkgs;
};
wireguardData = import ./data/wireguard/chaosInternalWireGuard.nix;
hostsWithWireGuard = builtins.attrNames wireguardData.hosts;
in {
packages = mergeAttrsList [
(mergeAttrsList (
forEach hostsWithWireGuard (hostName: {
"wg-keys-init-${hostName}" = internalWireGuardLib.genInitScript hostName;
"wg-gen-conf-${hostName}" = internalWireGuardLib.genConfScript hostName;
})
))
{
"wg-keys-init-all" = internalWireGuardLib.initAllScript;
}
];
})
# secrets-init, secrets-check and vault-policy for machines and containers # secrets-init, secrets-check and vault-policy for machines and containers
(let (let
secretsLib = import ./modules/nixos/secretsLib/lib.nix { secretsLib = import ./modules/nixos/secretsLib/lib.nix {

5
profiles/base/internalCA.nix
View file

@ -1,5 +0,0 @@
{...}: {
security.pki.certificateFiles = [
../../data/internalCA.crt
];
}

24
profiles/chaosInternalWireGuard/secrets.nix
View file

@ -1,24 +0,0 @@
{config, ...}: let
currentHostName = config.networking.hostName;
in {
services.secrets = {
enable = true;
requiredVaultPaths = [
"private-public-keys/data/wireguard/chaos-internal/${currentHostName}"
];
secrets = {
wg_public = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .public > "$secretFile"
'';
};
wg_private = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
'';
};
};
};
}

57
profiles/chaosInternalWireGuard/wireguard.nix
View file

@ -1,57 +0,0 @@
{
self,
lib,
config,
...
}: let
inherit (lib.modules) mkIf;
inherit (lib.lists) filter;
inherit (builtins) hasAttr attrNames;
# Assume this to be set
inherit (config.services.secrets) secrets;
wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
wireguardHosts = wireguardData.hosts;
currentHostName = config.networking.hostName;
currentHostConfig = wireguardHosts.${currentHostName};
in {
networking.firewall = {
trustedInterfaces = [
"wg0"
];
allowPing = true;
allowedUDPPorts = mkIf (hasAttr "listenPort" currentHostConfig) [
currentHostConfig.listenPort
];
};
systemd.services.wireguard-debug = {
wantedBy = ["multi-user.target"];
script = ''
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
'';
};
networking.wg-quick.interfaces = {
wg0 = {
address = ["${currentHostConfig.ip}/24"];
privateKeyFile = "${secrets.wg_private.path}";
listenPort = mkIf (hasAttr "listenPort" currentHostConfig) currentHostConfig.listenPort;
peers =
map (
hostName: let
host = wireguardHosts.${hostName};
in {
allowedIPs = host.allowedIPs or ["${host.ip}/32"];
publicKey = host.public;
endpoint = host.endpoint or null;
}
) (filter (
hostName: hostName != currentHostName
) (attrNames wireguardHosts));
};
};
}