add remaining devices to chaosInternalWireguard and fix partOf behaviour

This commit is contained in:
chaos 2023-09-18 15:40:33 +01:00
parent 5e362bbbd8
commit f7a2f2ddd6
No known key found for this signature in database
10 changed files with 56 additions and 118 deletions

View file

@ -12,14 +12,14 @@ in rec {
public = pubkeys."vault";
endpoint = "vault.servers.genderfucked.monster:51820";
};
#"iphone8" = {
# ip = "10.69.42.3";
# public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
#};
#"lappy-t495" = {
# ip = "10.69.42.4";
# public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
#};
"iphone8" = {
ip = "10.69.42.3";
public = pubkeys."iphone8";
};
"lappy-t495" = {
ip = "10.69.42.4";
public = pubkeys."lappy-t495";
};
"raspberry" = {
ip = "10.69.42.5";
public = pubkeys."raspberry";

View file

@ -1,5 +1,7 @@
{
"hetzner-vm": "xgOQQcZQXftPC25+A7Iyf/XK6/iSo3Osyx6kTrZKdzw=",
"vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
"raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU="
"raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=",
"lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=",
"iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko="
}

View file

@ -19,7 +19,7 @@
then fontSizesAll.${nixosConfig.networking.hostName}
else fontSizesAll.default;
in {
imports = with tree; [home.apps.kitty home.apps.rofi];
imports = with tree; [home.gui.base home.apps.kitty home.apps.rofi];
home.packages = with pkgs; [dconf2nix gnome.dconf-editor xclip];

View file

@ -66,8 +66,6 @@ in {
"passwords/data/slskd"
"passwords/data/mail"
"private-public-keys/data/wireguard/chaos-internal/hetzner-vm"
"private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
"private-public-keys/data/restic/Mail"
@ -93,32 +91,6 @@ in {
echo "GITLAB_TOKEN=$token" > "$secretFile"
'';
};
# for wireguard
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
'';
};
wg_preshared_vault = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > "$secretFile"
'';
};
wg_preshared_iphone8 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > "$secretFile"
'';
};
wg_preshared_lappy-t495 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.lappy_t495" > "$secretFile"
'';
};
wg_preshared_raspberry = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.raspberry" > "$secretFile"
'';
};
# Container: music
mpd_control_password = {

View file

@ -4,12 +4,13 @@
users.chaos
profiles.sshd
presets.nixos.desktopSway
presets.nixos.desktopGnome
presets.nixos.laptop
presets.nixos.encryptedUSB
profiles.cross.arm64
#profiles.remote-builders
profiles.chaosInternalWireGuard
./secrets.nix
];

View file

@ -2,7 +2,9 @@
services.secrets = {
enable = true;
secrets = {
usb_encryption_passphrase = {manual = true;};
usb_encryption_passphrase = {
manual = true;
};
music_stream_password = {
user = 1000;
@ -37,23 +39,6 @@
echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
'';
};
# for internal wireguard VPN
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .private > "$secretFile"
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.hetzner_vm > "$secretFile"
'';
};
wg_preshared_vault = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.vault > "$secretFile"
'';
};
};
};
}

View file

@ -23,15 +23,11 @@
requiredVaultPaths = [
"private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
"private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
"private-public-keys/data/wireguard/chaos-internal/raspberry"
"passwords/data/wifi/parentals-home"
"api-keys/data/hetzner/storagebox" # also used dynamically
];
secrets = {
# Used for fetching the encryption drive's key at runtime
# can be revoked in case of hardware theft
# Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
vault_password = {
manual = true;
};
@ -75,23 +71,6 @@
| base64 -d > "$secretFile"
'';
};
# for internal wireguard VPN
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .private > "$secretFile"
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.hetzner_vm > "$secretFile"
'';
};
wg_preshared_vault = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.vault > "$secretFile"
'';
};
};
};
}

View file

@ -6,6 +6,7 @@
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.lists) filter;
inherit (lib) types;
inherit (builtins) isString listToAttrs;
@ -76,7 +77,7 @@ in {
withPartOf = mkOption {
type = types.bool;
default = true;
description = "add auto-secrets.service to the service's PartOf; this may not be wanted for stuff on a timer such as backups";
description = "add service to auto-secrets's PartOf; this may not be wanted for stuff on a timer such as backups";
};
};
default = {};
@ -227,15 +228,23 @@ in {
})
cfg.autoSecrets.affectedSystemdServices;
in {
services = listToAttrs (map (unitConfig: {
services =
(listToAttrs (map (unitConfig: {
name = unitConfig.name;
value = {
after = ["auto-secrets.service"];
wants = ["auto-secrets.service"];
partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"];
systemctl status wg-quick-wg0partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"];
};
})
affectedSystemdServices))
// {
auto-secrets.partOf =
map (unitConfig: unitConfig.name + ".service")
(lib.filter
(unitConfig: unitConfig.withPartOf)
affectedSystemdServices);
};systemctl status wg-quick-wg0
};
})

View file

@ -1,6 +1,4 @@
{config, ...}: let
#wireguardData = import "${self}/data/chaosInternalWireGuard.nix";
#wireguardHosts = wireguardData.hosts;
currentHostName = config.networking.hostName;
in {
services.secrets = {
@ -11,7 +9,12 @@ in {
];
secrets = {
wg_priv = {
wg_public = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .public > "$secretFile"
'';
};
wg_private = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
'';

View file

@ -5,7 +5,8 @@
...
}: let
inherit (lib.modules) mkIf;
inherit (builtins) hasAttr;
inherit (lib.lists) filter;
inherit (builtins) hasAttr attrNames;
# Assume this to be set
secrets = config.services.secrets.secrets;
@ -31,34 +32,20 @@ in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["${currentHostConfig.ip}/24"];
privateKeyFile = "${secrets.wg_priv.path}";
privateKeyFile = "${secrets.wg_private.path}";
listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
peers = [
# hetzner-vm
(mkIf (currentHostName != "hetzner-vm") (let
host = wireguardHosts."hetzner-vm";
peers = (map (
hostName: let
host = wireguardHosts.${hostName};
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
endpoint = host.endpoint or null;
}))
# vault
(mkIf (currentHostName != "vault") (let
host = wireguardHosts."vault";
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
endpoint = host.endpoint or null;
}))
(mkIf (currentHostName != "raspberry") (let
host = wireguardHosts."raspberry";
in {
allowedIPs = ["${host.ip}/32"];
publicKey = host.public;
endpoint = host.endpoint or null;
}))
];
}
) (filter (
hostName: hostName != currentHostName
) (attrNames wireguardHosts)));
};
};
}