add remaining devices to chaosInternalWireguard and fix partOf behaviour
This commit is contained in:
parent
5e362bbbd8
commit
f7a2f2ddd6
@ -12,14 +12,14 @@ in rec {
|
|||
public = pubkeys."vault";
|
||||
endpoint = "vault.servers.genderfucked.monster:51820";
|
||||
};
|
||||
#"iphone8" = {
|
||||
# ip = "10.69.42.3";
|
||||
# public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
|
||||
#};
|
||||
#"lappy-t495" = {
|
||||
# ip = "10.69.42.4";
|
||||
# public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
|
||||
#};
|
||||
"iphone8" = {
|
||||
ip = "10.69.42.3";
|
||||
public = pubkeys."iphone8";
|
||||
};
|
||||
"lappy-t495" = {
|
||||
ip = "10.69.42.4";
|
||||
public = pubkeys."lappy-t495";
|
||||
};
|
||||
"raspberry" = {
|
||||
ip = "10.69.42.5";
|
||||
public = pubkeys."raspberry";
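Review bot: The public keys the new entries look up via `pubkeys."iphone8"` and `pubkeys."lappy-t495"` are not the values in the commented-out blocks this hunk deletes (`PEBw7EI5…` and `BR23xe…`); the pubkeys data file changed in this same commit carries `jHPQuWXO…` and `8aZBM3f8…` for those two hosts. If the devices were not re-keyed, those peers will never complete a handshake, so the origin of the new values is worth confirming before merging. A short comment above the table, e.g. `# public keys are the checked-in pubkeys entries; keep in sync with the .public value held in Vault when rotating`, would record where the authoritative copy lives. The `"raspberry"` entry and the enclosing attrset continue outside the hunk.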
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
{
|
||||
"hetzner-vm": "xgOQQcZQXftPC25+A7Iyf/XK6/iSo3Osyx6kTrZKdzw=",
|
||||
"vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
|
||||
"raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU="
|
||||
"raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=",
|
||||
"lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=",
|
||||
"iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko="
|
||||
}
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
then fontSizesAll.${nixosConfig.networking.hostName}
|
||||
else fontSizesAll.default;
|
||||
in {
|
||||
imports = with tree; [home.apps.kitty home.apps.rofi];
|
||||
imports = with tree; [home.gui.base home.apps.kitty home.apps.rofi];
|
||||
|
||||
home.packages = with pkgs; [dconf2nix gnome.dconf-editor xclip];
|
||||
|
||||
|
|
|
@ -66,8 +66,6 @@ in {
|
|||
"passwords/data/slskd"
|
||||
"passwords/data/mail"
|
||||
|
||||
"private-public-keys/data/wireguard/chaos-internal/hetzner-vm"
|
||||
|
||||
"private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
|
||||
|
||||
"private-public-keys/data/restic/Mail"
|
||||
|
@ -93,32 +91,6 @@ in {
|
|||
echo "GITLAB_TOKEN=$token" > "$secretFile"
|
||||
'';
|
||||
};
|
||||
# for wireguard
|
||||
wg_priv = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_vault = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_iphone8 = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_lappy-t495 = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.lappy_t495" > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_raspberry = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.raspberry" > "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
# Container: music
|
||||
mpd_control_password = {
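Review bot: Removing `wg_preshared_vault`, `wg_preshared_iphone8`, `wg_preshared_lappy-t495` and `wg_preshared_raspberry` here drops the per-peer preshared keys, and nothing in the commit re-fetches `.preshared_keys.*` or sets `presharedKeyFile` on the generated peers: the shared profile's secrets.nix fetches only `.public` and `.private`, and the new `peers` list in the profile's default.nix carries only `allowedIPs`, `publicKey` and `endpoint`. The same deletion appears in the lappy-t495 and raspberry secrets.nix hunks. If dropping the PSK layer is intended, a comment in the profile saying so, e.g. `# preshared keys intentionally not used; peers authenticate by public key only`, would stop the next reader from re-adding them by accident; if not, the profile needs one preshared secret per host in `wireguardHosts` and a matching `presharedKeyFile` per generated peer. The `secrets` attrset this hunk edits continues outside it.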
|
||||
|
|
|
@ -4,12 +4,13 @@
|
|||
users.chaos
|
||||
profiles.sshd
|
||||
|
||||
presets.nixos.desktopSway
|
||||
presets.nixos.desktopGnome
|
||||
presets.nixos.laptop
|
||||
presets.nixos.encryptedUSB
|
||||
|
||||
profiles.cross.arm64
|
||||
#profiles.remote-builders
|
||||
profiles.chaosInternalWireGuard
|
||||
|
||||
./secrets.nix
|
||||
];
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
services.secrets = {
|
||||
enable = true;
|
||||
secrets = {
|
||||
usb_encryption_passphrase = {manual = true;};
|
||||
usb_encryption_passphrase = {
|
||||
manual = true;
|
||||
};
|
||||
|
||||
music_stream_password = {
|
||||
user = 1000;
|
||||
|
@ -37,23 +39,6 @@
|
|||
echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
# for internal wireguard VPN
|
||||
wg_priv = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .private > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_hetzner-vm = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.hetzner_vm > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_vault = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.vault > "$secretFile"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -23,15 +23,11 @@
|
|||
requiredVaultPaths = [
|
||||
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
|
||||
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
|
||||
"private-public-keys/data/wireguard/chaos-internal/raspberry"
|
||||
"passwords/data/wifi/parentals-home"
|
||||
"api-keys/data/hetzner/storagebox" # also used dynamically
|
||||
];
|
||||
|
||||
secrets = {
|
||||
# Used for fetching the encryption drive's key at runtime
|
||||
# can be revoked in case of hardware theft
|
||||
# Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
|
||||
vault_password = {
|
||||
manual = true;
|
||||
};
|
||||
|
@ -75,23 +71,6 @@
|
|||
| base64 -d > "$secretFile"
|
||||
'';
|
||||
};
|
||||
|
||||
# for internal wireguard VPN
|
||||
wg_priv = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .private > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_hetzner-vm = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.hetzner_vm > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_preshared_vault = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.vault > "$secretFile"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
}: let
|
||||
inherit (lib.modules) mkIf mkMerge;
|
||||
inherit (lib.options) mkOption mkEnableOption;
|
||||
inherit (lib.lists) filter;
|
||||
inherit (lib) types;
|
||||
inherit (builtins) isString listToAttrs;
|
||||
|
||||
|
@ -76,7 +77,7 @@ in {
|
|||
withPartOf = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "add auto-secrets.service to the service's PartOf; this may not be wanted for stuff on a timer such as backups";
|
||||
description = "add service to auto-secrets's PartOf; this may not be wanted for stuff on a timer such as backups";
|
||||
};
|
||||
};
|
||||
default = {};
|
||||
|
@ -227,15 +228,23 @@ in {
|
|||
})
|
||||
cfg.autoSecrets.affectedSystemdServices;
|
||||
in {
|
||||
services = listToAttrs (map (unitConfig: {
|
||||
name = unitConfig.name;
|
||||
value = {
|
||||
after = ["auto-secrets.service"];
|
||||
wants = ["auto-secrets.service"];
|
||||
partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"];
|
||||
};
|
||||
})
|
||||
affectedSystemdServices);
|
||||
services =
|
||||
(listToAttrs (map (unitConfig: {
|
||||
name = unitConfig.name;
|
||||
value = {
|
||||
after = ["auto-secrets.service"];
|
||||
wants = ["auto-secrets.service"];
|
||||
systemctl status wg-quick-wg0partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"];
|
||||
};
|
||||
})
|
||||
affectedSystemdServices))
|
||||
// {
|
||||
auto-secrets.partOf =
|
||||
map (unitConfig: unitConfig.name + ".service")
|
||||
(lib.filter
|
||||
(unitConfig: unitConfig.withPartOf)
|
||||
affectedSystemdServices);
|
||||
};systemctl status wg-quick-wg0
|
||||
};
|
||||
})
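Review bot: With `auto-secrets.partOf` now listing every `withPartOf` unit while each of those units keeps its own `partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"]`, PartOf propagation runs both ways: stopping or restarting any one affected service propagates to auto-secrets.service and from there to every other affected service. If the fix only means "restarting auto-secrets restarts its consumers", the per-unit `partOf` alone does that and the new `// { auto-secrets.partOf = … }` block should go; if the reverse direction is what is wanted, the per-unit `partOf` should be dropped instead, and the `withPartOf` description should say which direction is configured. Separately, the first hunk adds `inherit (lib.lists) filter;` but this hunk calls `lib.filter`, so either use the inherited `filter` here or drop the inherit. The `systemctl status wg-quick-wg0` text fused onto two lines looks like a rendering artifact rather than file content, but is worth checking in the actual file. The enclosing `let … in` expression continues outside the hunk.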
|
||||
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{config, ...}: let
|
||||
#wireguardData = import "${self}/data/chaosInternalWireGuard.nix";
|
||||
#wireguardHosts = wireguardData.hosts;
|
||||
currentHostName = config.networking.hostName;
|
||||
in {
|
||||
services.secrets = {
|
||||
|
@ -11,7 +9,12 @@ in {
|
|||
];
|
||||
|
||||
secrets = {
|
||||
wg_priv = {
|
||||
wg_public = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .public > "$secretFile"
|
||||
'';
|
||||
};
|
||||
wg_private = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
|
||||
'';
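Review bot: `wg_public` fetches the host's public key from Vault into a secret file, yet peers read public keys from the checked-in `pubkeys` data (the hosts table uses `pubkeys."<host>"`), so the same value now has two sources and rotating a key in Vault will silently leave the repo copy stale. If `wg_public` is only informational, say so next to it, e.g. `# informational only; peers use the checked-in pubkeys entry — update both when rotating`; otherwise consider deriving the peer table from a single source. The `secrets` attrset continues outside the hunk.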
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
...
|
||||
}: let
|
||||
inherit (lib.modules) mkIf;
|
||||
inherit (builtins) hasAttr;
|
||||
inherit (lib.lists) filter;
|
||||
inherit (builtins) hasAttr attrNames;
|
||||
|
||||
# Assume this to be set
|
||||
secrets = config.services.secrets.secrets;
|
||||
|
@ -31,34 +32,20 @@ in {
|
|||
networking.wg-quick.interfaces = {
|
||||
wg0 = {
|
||||
address = ["${currentHostConfig.ip}/24"];
|
||||
privateKeyFile = "${secrets.wg_priv.path}";
|
||||
privateKeyFile = "${secrets.wg_private.path}";
|
||||
listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
|
||||
|
||||
peers = [
|
||||
# hetzner-vm
|
||||
(mkIf (currentHostName != "hetzner-vm") (let
|
||||
host = wireguardHosts."hetzner-vm";
|
||||
in {
|
||||
allowedIPs = ["${host.ip}/32"];
|
||||
publicKey = host.public;
|
||||
endpoint = host.endpoint or null;
|
||||
}))
|
||||
# vault
|
||||
(mkIf (currentHostName != "vault") (let
|
||||
host = wireguardHosts."vault";
|
||||
in {
|
||||
allowedIPs = ["${host.ip}/32"];
|
||||
publicKey = host.public;
|
||||
endpoint = host.endpoint or null;
|
||||
}))
|
||||
(mkIf (currentHostName != "raspberry") (let
|
||||
host = wireguardHosts."raspberry";
|
||||
in {
|
||||
allowedIPs = ["${host.ip}/32"];
|
||||
publicKey = host.public;
|
||||
endpoint = host.endpoint or null;
|
||||
}))
|
||||
];
|
||||
peers = (map (
|
||||
hostName: let
|
||||
host = wireguardHosts.${hostName};
|
||||
in {
|
||||
allowedIPs = ["${host.ip}/32"];
|
||||
publicKey = host.public;
|
||||
endpoint = host.endpoint or null;
|
||||
}
|
||||
) (filter (
|
||||
hostName: hostName != currentHostName
|
||||
) (attrNames wireguardHosts)));
|
||||
};
|
||||
};
|
||||
}
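Review bot: `privateKeyFile = "${secrets.wg_private.path}";` wraps a value in string interpolation for no effect; `privateKeyFile = secrets.wg_private.path;` reads better and, should `path` ever become a path-typed value, avoids Nix copying the referenced file into the world-readable store on interpolation, which is exactly what must not happen to a private key. The `peers` expression also nests redundant parentheses around `map`; `peers = map (hostName: …) (filter (hostName: hostName != currentHostName) (attrNames wireguardHosts));` is the conventional form. Note the generated peers carry no `presharedKeyFile`, which matches the host secrets.nix hunks in this commit removing the preshared fetches.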
|
||||
|
|