From c81a933217231fad2459fa24e5eb5f8e98e4fb69 Mon Sep 17 00:00:00 2001
From: Chaos
Date: Sat, 12 Nov 2022 13:01:43 +0000
Subject: [PATCH] updates & more wireguard & per-hostname keys
---
data/usb_data.nix | 2 +-
flake.lock | 18 +++++-----
hosts/hetzner-vm/secrets-db.nix | 6 ++++
hosts/hetzner-vm/secrets.nix | 6 ++++
hosts/hetzner-vm/services/wireguard.nix | 6 ++++
hosts/storage/secrets-db.nix | 30 +++++++++++++++++
hosts/storage/secrets.nix | 30 +++++++++++++++++
hosts/storage/storage.nix | 1 +
hosts/storage/wireguard.nix | 42 ++++++++++++++++++++++++
hosts/vault/profiles/wireguard.nix | 6 ++++
hosts/vault/secrets-db.nix | 6 ++++
hosts/vault/secrets.nix | 6 ++++
presets/nixos/normal-encrypted-drive.nix | 4 +--
scripts/deploy-all.sh | 8 ++---
14 files changed, 155 insertions(+), 16 deletions(-)
create mode 100644 hosts/storage/wireguard.nix
diff --git a/data/usb_data.nix b/data/usb_data.nix
index 98a5f3a..d17e6fb 100644
--- a/data/usb_data.nix
+++ b/data/usb_data.nix
@@ -18,7 +18,7 @@
 mapper_path = "/dev/mapper/${mapper_name}";
 # Paths to some important files
- lappy_encryption_key_path = "${mountpoint}/encryption-keys/lappy.key";
+ encryption_keys_path = "${mountpoint}/encryption-keys";
 chaos_age_privkey_path = "${mountpoint}/age-keys/chaoskey.priv";
 chaos_age_pubkey_path = "${mountpoint}/age-keys/chaoskey.pub";
diff --git a/flake.lock b/flake.lock
index 200b58d..6f0b74a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1659725433, - "narHash": "sha256-1ZxuK67TL29YLw88vQ18Y2Y6iYg8Jb7I6/HVzmNB6nM=", + "lastModified": 1668166163, + "narHash": "sha256-XCuM+n98KcG0v+DT1HolGCO3j5FOBUjV4K8YcZsVeQw=", "owner": "serokell", "repo": "deploy-rs", - "rev": "41f15759dd8b638e7b4f299730d94d5aa46ab7eb", + "rev": "b011f13bc577b978f52aaefde5605332f7bca7e9", "type": "github" }, "original": {
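Review bot: `encryption_keys_path` now points at a directory, but nothing in this file says what is expected inside it; the only consumer in this patch, presets/nixos/normal-encrypted-drive.nix, appends `${config.networking.hostName}.key`, so a reader of usb_data.nix has to discover that convention elsewhere. A comment above the binding would close the gap: `# One LUKS key file per host under this directory, named <networking.hostName>.key (consumed by presets/nixos/normal-encrypted-drive.nix)`. The enclosing attribute set starts and ends outside the hunk.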
@@ -137,11 +137,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1667901915, - "narHash": "sha256-IkSou5ox/yZ2YUhGpk8vxd2TNU2pwRlYtir5k55NaxE=", + "lastModified": 1667991831, + "narHash": "sha256-DHgEsLZI044B9T4AjA3K6+yB9/DqLr4dyA7OIx0FG7o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "093268502280540a7f5bf1e2a6330a598ba3b7d0", + "rev": "872fceeed60ae6b7766cc0a4cd5bf5901b9098ec", "type": "github" }, "original": {
@@ -153,11 +153,11 @@ }, "nur": { "locked": { - "lastModified": 1668174315, - "narHash": "sha256-oss9lJ30HbgXpVFy5Xv9doB+1mNjQehbFlFYau95odM=", + "lastModified": 1668255064, + "narHash": "sha256-JWVzaBAC9eL+Eg/SG71ZPSDQQd/eO9sS2YNGrlDDEH4=", "owner": "nix-community", "repo": "NUR", - "rev": "5da1d2f59d29cd1bb9c0787db9c1046825ade56a", + "rev": "9a0be7d4b9de779707b8788c6bdaaf23160a7975", "type": "github" }, "original": {
diff --git a/hosts/hetzner-vm/secrets-db.nix b/hosts/hetzner-vm/secrets-db.nix
index b9d933d..d4c4490 100644
--- a/hosts/hetzner-vm/secrets-db.nix
+++ b/hosts/hetzner-vm/secrets-db.nix
@@ -59,4 +59,10 @@
 permissions = "660";
 path = "/secrets/wg_preshared_storage";
 };
+ wg_preshared_iphone8 = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_preshared_iphone8";
+ };
 }
diff --git a/hosts/hetzner-vm/secrets.nix b/hosts/hetzner-vm/secrets.nix
index 8235678..853602c 100644
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@@ -86,6 +86,12 @@ in {
 simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.storage > $file
 chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
 chmod ${secrets-db.wg_preshared_storage.permissions} $file
+
+ file=${secrets-db.wg_preshared_iphone8.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > $file
+ chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
+ chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
 '')
 ];
 }
diff --git a/hosts/hetzner-vm/services/wireguard.nix b/hosts/hetzner-vm/services/wireguard.nix
index 3974e28..36a307e 100644
--- a/hosts/hetzner-vm/services/wireguard.nix
+++ b/hosts/hetzner-vm/services/wireguard.nix
@@ -26,6 +26,12 @@ in {
 presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
 allowedIPs = [ "10.69.42.4/32" ];
 }
+ # iphone8
+ {
+ publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+ presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
+ allowedIPs = [ "10.69.42.5/32" ];
+ }
 ];
 };
 };
diff --git a/hosts/storage/secrets-db.nix b/hosts/storage/secrets-db.nix
index aeb1c2e..e859527 100644
--- a/hosts/storage/secrets-db.nix
+++ b/hosts/storage/secrets-db.nix
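Review bot: The added `simple_get … .preshared_keys.iphone8 > $file` creates /secrets/wg_preshared_iphone8 under the script's current umask and only afterwards runs `chown`/`chmod`, so on first creation the preshared key can be world-readable for a moment (a typical umask of 022 yields 0644). A `umask 077` at the top of the script, or wrapping each fetch as `( umask 077; simple_get … > "$file" )`, removes that window without changing the final mode; the existing storage block this one copies has the same shape, so it is really a script-wide fix. I cannot see whether the script runs under `set -e`: if it does not, a failed `simple_get` leaves an empty key file that the following `chmod` makes look valid. The enclosing shell string starts and ends outside the hunk.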
@@ -29,4 +29,34 @@
 permissions = "660";
 path = "/secrets/vault_password";
 };
+ wg_priv = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_priv";
+ };
+ wg_preshared_hetzner-vm = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_preshared_hetzner-vm";
+ };
+ wg_preshared_tablet = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_preshared_tablet";
+ };
+ wg_preshared_vault = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_preshared_vault";
+ };
+ wg_preshared_iphone8 = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_preshared_iphone8";
+ };
 }
diff --git a/hosts/storage/secrets.nix b/hosts/storage/secrets.nix
index 8449956..908034f 100644
--- a/hosts/storage/secrets.nix
+++ b/hosts/storage/secrets.nix
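Review bot: All five new entries use `permissions = "660"` with `user = "root"` and `group = "root"`, so the group read/write bits grant nothing today and only widen what a later change to `group` would expose; `wg_priv` in particular is the interface's private key. `permissions = "600";` is the least-privilege mode for every entry here (the existing entries above follow the same 660 pattern, so this is a file-wide nit rather than something this hunk introduced). If another service ever needs one of these files, that is the moment to add a dedicated group and 640, not to start out group-writable.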
@@ -58,6 +58,36 @@ in {
 simple_get "/vault-users/storage" .password > $file
 chown ${secrets-db.vault_password.user}:${secrets-db.vault_password.group} $file
 chmod ${secrets-db.vault_password.permissions} $file
+
+ file=${secrets-db.wg_priv.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/storage" .private > $file
+ chown ${secrets-db.wg_priv.user}:${secrets-db.wg_priv.group} $file
+ chmod ${secrets-db.wg_priv.permissions} $file
+
+ file=${secrets-db.wg_preshared_hetzner-vm.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.hetzner_vm > $file
+ chown ${secrets-db.wg_preshared_hetzner-vm.user}:${secrets-db.wg_preshared_hetzner-vm.group} $file
+ chmod ${secrets-db.wg_preshared_hetzner-vm.permissions} $file
+
+ file=${secrets-db.wg_preshared_tablet.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.tablet > $file
+ chown ${secrets-db.wg_preshared_tablet.user}:${secrets-db.wg_preshared_tablet.group} $file
+ chmod ${secrets-db.wg_preshared_tablet.permissions} $file
+
+ file=${secrets-db.wg_preshared_vault.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.vault > $file
+ chown ${secrets-db.wg_preshared_vault.user}:${secrets-db.wg_preshared_vault.group} $file
+ chmod ${secrets-db.wg_preshared_vault.permissions} $file
+
+ file=${secrets-db.wg_preshared_iphone8.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/storage" .preshared_keys.iphone8 > $file
+ chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
+ chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
 '')
 ];
 }
diff --git a/hosts/storage/storage.nix b/hosts/storage/storage.nix
index 1e10468..3b7d215 100644
--- a/hosts/storage/storage.nix
+++ b/hosts/storage/storage.nix
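Review bot: Each of the five new blocks calls `simple_get "/private-public-keys/wireguard/chaos-internal/storage"` with a different selector, so the same secret document is pulled from the backend five times per run, and nothing in the hunk checks that the call succeeded before `> $file` truncates the target — a failed fetch most likely leaves an empty file that the following `chmod` then presents as a valid key, which for `wg_priv` means wg0 cannot come up. Fetching the document once into a variable and selecting each field from it, with a guard that the value is non-empty before it is written, would address both; I can't see `simple_get`'s definition, so whether it can return the whole document needs checking. The enclosing shell string starts and ends outside the hunk.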
@@ -15,6 +15,7 @@ in {
 ./hardware.nix
 ./networking.nix
 ./secrets.nix
+ ./wireguard.nix
 ];
 systemd.tmpfiles.rules = [
diff --git a/hosts/storage/wireguard.nix b/hosts/storage/wireguard.nix
new file mode 100644
index 0000000..edaa3a4
--- /dev/null
+++ b/hosts/storage/wireguard.nix
@@ -0,0 +1,42 @@
+{ ... }:
+let secrets-db = (import ./secrets-db.nix { });
+in {
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ address = [ "10.69.42.4/32" ];
+ listenPort = 51820;
+ privateKeyFile = "${secrets-db.wg_priv.path}";
+
+ peers = [
+ # hetzner-vm
+ {
+ publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+ presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
+ allowedIPs = [ "10.69.42.1/32" ];
+ endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+ persistentKeepalive = 25;
+ }
+ # tablet
+ {
+ publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
+ presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
+ allowedIPs = [ "10.69.42.2/32" ];
+ }
+ # vault
+ {
+ publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+ presharedKeyFile = "${secrets-db.wg_preshared_vault.path}";
+ endpoint = "vault.servers.genderfucked.monster:51820";
+ allowedIPs = [ "10.69.42.3/32" ];
+ }
+ # iphone8
+ {
+ publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+ presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
+ allowedIPs = [ "10.69.42.5/32" ];
+ }
+ ];
+ };
+ };
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+}
diff --git a/hosts/vault/profiles/wireguard.nix b/hosts/vault/profiles/wireguard.nix
index 4f678dd..2b328e5 100644
--- a/hosts/vault/profiles/wireguard.nix
+++ b/hosts/vault/profiles/wireguard.nix
@@ -29,6 +29,12 @@ in {
 endpoint = "storage.servers.genderfucked.monster:51820";
 allowedIPs = [ "10.69.42.4/32" ];
 }
+ # iphone8
+ {
+ publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+ presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
+ allowedIPs = [ "10.69.42.5/32" ];
+ }
 ];
 };
 };
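Review bot: The peer table in the new hosts/storage/wireguard.nix hard-codes the same public keys and VPN addresses that hosts/hetzner-vm/services/wireguard.nix and hosts/vault/profiles/wireguard.nix carry (the iphone8 block is pasted verbatim into all three in this patch), so rotating a key or renumbering a peer has to be repeated per host and the copies can drift unnoticed. One shared data file mapping each peer name to its `publicKey`, address and optional `endpoint`, with every host filtering itself out, would keep a single source of truth; `presharedKeyFile` can stay per host since it already goes through `secrets-db`. A short header comment would also help a reader: the 10.69.42.x addresses are the internal mesh, and `networking.firewall.allowedUDPPorts = [ 51820 ];` opens the listener on every interface because vault dials `storage.servers.genderfucked.monster:51820` (visible in the vault hunk below).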
diff --git a/hosts/vault/secrets-db.nix b/hosts/vault/secrets-db.nix
index e70407f..a96a7da 100644
--- a/hosts/vault/secrets-db.nix
+++ b/hosts/vault/secrets-db.nix
@@ -35,4 +35,10 @@
 permissions = "660";
 path = "/secrets/wg_preshared_storage";
 };
+ wg_preshared_iphone8 = {
+ user = "root";
+ group = "root";
+ permissions = "660";
+ path = "/secrets/wg_preshared_iphone8";
+ };
 }
diff --git a/hosts/vault/secrets.nix b/hosts/vault/secrets.nix
index b345aec..835a4b8 100644
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@@ -53,6 +53,12 @@ in {
 simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $file
 chown ${secrets-db.wg_preshared_storage.user}:${secrets-db.wg_preshared_storage.group} $file
 chmod ${secrets-db.wg_preshared_storage.permissions} $file
+
+ file=${secrets-db.wg_preshared_iphone8.path}
+ echo $file
+ simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $file
+ chown ${secrets-db.wg_preshared_iphone8.user}:${secrets-db.wg_preshared_iphone8.group} $file
+ chmod ${secrets-db.wg_preshared_iphone8.permissions} $file
 '')
 ];
 }
diff --git a/presets/nixos/normal-encrypted-drive.nix b/presets/nixos/normal-encrypted-drive.nix
index 242adee..dae85cd 100644
--- a/presets/nixos/normal-encrypted-drive.nix
+++ b/presets/nixos/normal-encrypted-drive.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
 usb_data = import ../../data/usb_data.nix { };
 drive_data = import ../../data/normal_drive_data.nix { };
@@ -35,7 +35,7 @@ in {
 initrd.luks.devices = {
 "${drive_data.root_mapper_name}" = {
 device = "${drive_data.encrypted_root_path}";
- keyFile = "${usb_data.lappy_encryption_key_path}";
+ keyFile = "${usb_data.encryption_keys_path}/${config.networking.hostName}.key";
 preLVM = false;
 allowDiscards = true;
 };
diff --git a/scripts/deploy-all.sh b/scripts/deploy-all.sh
index 72c5388..96356d0 100755
--- a/scripts/deploy-all.sh
+++ b/scripts/deploy-all.sh
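Review bot: In presets/nixos/normal-encrypted-drive.nix the new `keyFile` is derived from `config.networking.hostName`, so a host that never sets that option silently gets the NixOS module default (`nixos`, as far as I recall) and the initrd looks for `nixos.key` on the stick — a mistake that only surfaces at unlock time. An assertion in this preset turns it into an evaluation error instead: `assertions = [ { assertion = config.networking.hostName != "" && config.networking.hostName != "nixos"; message = "normal-encrypted-drive: set networking.hostName so the LUKS key <hostname>.key can be located"; } ];`. A comment above the `keyFile` line naming the `<hostname>.key` convention would also help, since the directory itself is only defined in data/usb_data.nix. The `initrd.luks.devices` block opened in the hunk closes outside it.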
@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
+set -ex
+
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 REPO_ROOT="${SCRIPT_DIR}/.."
 cd $REPO_ROOT
-git add .
-
-#deploy -s ".#lappy"
 deploy -s ".#hetzner-vm"
-#deploy -s ".#raspberry" -- --no-sandbox
+deploy -s ".#vault"
+deploy -s ".#storage"
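Review bot: `set -ex` aborts at the first failed deploy, which is the right default now that three hosts are deployed back to back, but `cd $REPO_ROOT` a few lines below is still unquoted and nothing guards against an unset variable; `set -euo pipefail` and `cd "$REPO_ROOT"` would close both without changing the happy path. The `-x` trace is acceptable here since the commands carry no secrets, though every deploy-rs invocation will be echoed to the terminal. Dropping the `git add .` that staged the whole working tree before each run is a welcome change.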