updates & more wireguard & per-hostname keys

2022-11-12 13:01:43 +00:00 · 2022-11-12 13:01:43 +00:00 · c81a933217
parent 3198c30933
commit c81a933217
14 changed files with 155 additions and 16 deletions
--- a/data/usb_data.nix
+++ b/data/usb_data.nix
@ -18,7 +18,7 @@
  mapper_path = "/dev/mapper/${mapper_name}";

  # Paths to some important files
-  lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
+  encryption_keys_path = "${mountpoint}/encryption-keys";

  chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv";
  chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub";
--- a/flake.lock
+++ b/flake.lock
@ -9,11 +9,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1659725433,
-        "narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=",
+        "lastModified": 1668166163,
+        "narHash": "sha256-XCuM+n98KcG0v+DT1HolGCO3j5FOBUjV4K8YcZsVeQw=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb",
+        "rev": "b011f13bc577b978f52aaefde5605332f7bca7e9",
        "type": "github"
      },
      "original": {
@ -137,11 +137,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1667901915,
-        "narHash": "sha256-IkSou5ox/yZ2YUhGpk8vxd2TNU2pwRlYtir5k55NaxE=",
+        "lastModified": 1667991831,
+        "narHash": "sha256-DHgEsLZI044B9T4AjA3K6+yB9/DqLr4dyA7OIx0FG7o=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "093268502280540a7f5bf1e2a6330a598ba3b7d0",
+        "rev": "872fceeed60ae6b7766cc0a4cd5bf5901b9098ec",
        "type": "github"
      },
      "original": {
@ -153,11 +153,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1668174315,
-        "narHash": "sha256-oss9lJ30HbgXpVFy5Xv9doB+1mNjQehbFlFYau95odM=",
+        "lastModified": 1668255064,
+        "narHash": "sha256-JWVzaBAC9eL+Eg/SG71ZPSDQQd/eO9sS2YNGrlDDEH4=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "5da1d2f59d29cd1bb9c0787db9c1046825ade56a",
+        "rev": "9a0be7d4b9de779707b8788c6bdaaf23160a7975",
        "type": "github"
      },
      "original": {
--- a/hosts/hetzner-vm/secrets-db.nix
+++ b/hosts/hetzner-vm/secrets-db.nix
@ -59,4 +59,10 @@
    permissions = "660";
    path = "/secrets/wg_preshared_storage";
  };
+  wg_preshared_iphone8 = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_iphone8";
+  };
 }
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -86,6 +86,12 @@ in {
      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $file 
      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
      chmod ${secrets-db.wg_preshared_storage.permissions} $file
+
+      file=${secrets-db.wg_preshared_iphone8.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > $file 
+      chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
+      chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
    '')
  ];
 }
--- a/hosts/hetzner-vm/services/wireguard.nix
+++ b/hosts/hetzner-vm/services/wireguard.nix
@ -26,6 +26,12 @@ in {
          presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
          allowedIPs = [ "10.69.42.4/32" ];
        }
+        # iphone8
+        {
+          publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+          presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
+          allowedIPs = [ "10.69.42.5/32" ];
+        }
      ];
    };
  };
--- a/hosts/storage/secrets-db.nix
+++ b/hosts/storage/secrets-db.nix
@ -29,4 +29,34 @@
    permissions = "660";
    path = "/secrets/vault_password";
  };
+  wg_priv = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_priv";
+  };
+  wg_preshared_hetzner-vm = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_hetzner-vm";
+  };
+  wg_preshared_tablet = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_tablet";
+  };
+  wg_preshared_vault = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_vault";
+  };
+  wg_preshared_iphone8 = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_iphone8";
+  };
 }
--- a/hosts/storage/secrets.nix
+++ b/hosts/storage/secrets.nix
@ -58,6 +58,36 @@ in {
      simple_get "/vault-users/storage" .password > $file
      chown ${secrets-db.vault_password.user}:${secrets-db.vault_password.group} $file
      chmod ${secrets-db.vault_password.permissions} $file
+
+      file=${secrets-db.wg_priv.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/storage" .private > $file
+      chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
+      chmod ${secrets-db.wg_priv.permissions} $file
+
+      file=${secrets-db.wg_preshared_hetzner-vm.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.hetzner_vm > $file
+      chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
+      chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
+
+      file=${secrets-db.wg_preshared_tablet.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.tablet > $file
+      chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
+      chmod ${secrets-db.wg_preshared_tablet.permissions} $file
+
+      file=${secrets-db.wg_preshared_vault.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.vault > $file
+      chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
+      chmod ${secrets-db.wg_preshared_vault.permissions} $file
+
+      file=${secrets-db.wg_preshared_iphone8.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.iphone8 > $file
+      chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
+      chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
    '')
  ];
 }
--- a/hosts/storage/storage.nix
+++ b/hosts/storage/storage.nix
@ -15,6 +15,7 @@ in {
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
+    ./wireguard.nix
  ];

  systemd.tmpfiles.rules = [
--- a/hosts/storage/wireguard.nix
+++ b/hosts/storage/wireguard.nix
@ -0,0 +1,42 @@
+{ ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      address = [ "10.69.42.4/32" ];
+      listenPort = 51820;
+      privateKeyFile = "${secrets-db.wg_priv.path}";
+
+      peers = [
+        # hetzner-vm
+        {
+          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+          presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
+          allowedIPs = [ "10.69.42.1/32" ];
+          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+        # tablet
+        {
+          publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
+          presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
+          allowedIPs = [ "10.69.42.2/32" ];
+        }
+        # vault
+        {
+          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+          presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
+          endpoint = "vault.servers.genderfucked.monster:51820";
+          allowedIPs = [ "10.69.42.3/32" ];
+        }
+        # iphone8
+        {
+          publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+          presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
+          allowedIPs = [ "10.69.42.5/32" ];
+        }
+      ];
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+}
--- a/hosts/vault/profiles/wireguard.nix
+++ b/hosts/vault/profiles/wireguard.nix
@ -29,6 +29,12 @@ in {
          endpoint = "storage.servers.genderfucked.monster:51820";
          allowedIPs = [ "10.69.42.4/32" ];
        }
+        # iphone8
+        {
+          publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+          presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
+          allowedIPs = [ "10.69.42.5/32" ];
+        }
      ];
    };
  };
--- a/hosts/vault/secrets-db.nix
+++ b/hosts/vault/secrets-db.nix
@ -35,4 +35,10 @@
    permissions = "660";
    path = "/secrets/wg_preshared_storage";
  };
+  wg_preshared_iphone8 = {
+    user = "root";
+    group = "root";
+    permissions = "660";
+    path = "/secrets/wg_preshared_iphone8";
+  };
 }
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -53,6 +53,12 @@ in {
      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $file
      chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
      chmod ${secrets-db.wg_preshared_storage.permissions} $file
+
+      file=${secrets-db.wg_preshared_iphone8.path}
+      echo $file
+      simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $file
+      chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
+      chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
    '')
  ];
 }
--- a/presets/nixos/normal-encrypted-drive.nix
+++ b/presets/nixos/normal-encrypted-drive.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
  usb_data = import ../../data/usb_data.nix { };
  drive_data = import ../../data/normal_drive_data.nix { };
@ -35,7 +35,7 @@ in {
    initrd.luks.devices = {
      "${drive_data.root_mapper_name}" = {
        device = "${drive_data.encrypted_root_path}";
-        keyFile = "${usb_data.lappy_encryption_key_path}";
+        keyFile = "${usb_data.encryption_keys_path}/${config.networking.hostName}.key";
        preLVM = false;
        allowDiscards = true;
      };
--- a/scripts/deploy-all.sh
+++ b/scripts/deploy-all.sh
@ -1,11 +1,11 @@
 #!/usr/bin/env bash

+set -ex
+
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 REPO_ROOT="${SCRIPT_DIR}/.."
 cd $REPO_ROOT

-git add .
-
-#deploy -s ".#lappy"
 deploy -s ".#hetzner-vm"
-#deploy -s ".#raspberry" -- --no-sandbox
+deploy -s ".#vault"
+deploy -s ".#storage"