author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-08-09 11:23:00 +0300 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-08-09 11:23:00 +0300 |
commit | c1f62e9827efe7c8e303e3cfa70dac8f544312b1 (patch) | |
tree | d20ff0f367804bc87996c6312cebe2fa57b5bd4c | |
parent | de66ba821b2851cb23bcc7b064e84de3dd848e26 (diff) | |
-rw-r--r-- | hosts/sif/default.nix | 10 | ||||
-rw-r--r-- | hosts/surtr/bifrost/default.nix | 8 | ||||
-rw-r--r-- | hosts/surtr/dns/default.nix | 8 | ||||
-rw-r--r-- | hosts/surtr/matrix/default.nix | 5 | ||||
-rw-r--r-- | hosts/surtr/tls/default.nix | 15 | ||||
-rw-r--r-- | hosts/surtr/vpn/default.nix | 13 | ||||
-rw-r--r-- | hosts/vidhar/network/bifrost/default.nix | 8 | ||||
-rw-r--r-- | modules/netns.nix | 8 | ||||
-rw-r--r-- | modules/yggdrasil-wg/default.nix | 8 | ||||
-rw-r--r-- | system-profiles/default-locale.nix | 7 |
10 files changed, 46 insertions, 44 deletions
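--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -26,6 +26,8 @@ in {
 };
 };
 
+time.timeZone = null;
+
 boot = {
 initrd = {
 luks.devices = {
@@ -148,7 +150,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.wgrz.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
 ListenPort = 51822;
 # FirewallMark = 1;
 };
@@ -233,11 +235,11 @@ in {
 sops.secrets.wgrz = {
 format = "binary";
 sopsFile = ./wgrz/privkey;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"wgrz.priv:${config.sops.secrets.wgrz.path}"
+];
 
 services.dnsmasq = {
 enable = true;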
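Review bot: Dropping `mode`/`owner`/`group` from `sops.secrets.wgrz` in the third hunk leaves the decrypted file at sops-nix's defaults (root-owned and not group-readable, if those defaults are not changed elsewhere in this configuration), which is what makes the `LoadCredential` hand-off the only route to the key; a one-line comment on the secret, `# read by systemd-networkd via LoadCredential only — keep root-only`, would stop a later edit from re-widening it for the systemd-network group. The `time.timeZone = null;` added in the first hunk is unrelated to the credential migration and only works because the profile default becomes `mkDefault` in this same commit; it deserves a mention in the commit message or a separate commit. The enclosing attribute set continues outside every hunk.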
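--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -14,7 +14,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.bifrost.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
 ListenPort = 51822;
 };
 wireguardPeers = [
@@ -49,12 +49,12 @@ in {
 };
 };
 };
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"bifrost.priv:${config.sops.secrets.bifrost.path}"
+];
 sops.secrets.bifrost = {
 format = "binary";
 sopsFile = ./surtr.priv;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 };
 }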
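--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -44,11 +44,14 @@ in {
 fsType = "zfs";
 };
 
-systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+systemd.services.knot = {
+unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys;
+};
 
 services.knot = {
 enable = true;
-keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys;
 extraConfig = ''
 server:
 listen: 127.0.0.1@53
@@ -192,7 +195,6 @@ in {
 
 sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
 format = "binary";
-owner = "knot";
 sopsFile = path;
 }) knotKeys);
 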
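Review bot: The new `serviceConfig.LoadCredential` in the first hunk builds each spec as `"${name}:config.sops.secrets.${name}.path"`, which interpolates only `name`; the source half is emitted as the literal text `config.sops.secrets.<name>.path`, not the decrypted file's path, so systemd will treat it as a relative credential-store lookup and knot will not find its keys under `/run/credentials/knot.service/<name>`. The path needs its own interpolation: `serviceConfig.LoadCredential = map ({name, ...}: "${name}:${config.sops.secrets.${name}.path}") knotKeys;`. Removing `owner = "knot"` from the sops secrets is consistent with that corrected form, since the service manager reads the file as root before handing it to knot. The `services.knot` block continues past the end of the first hunk.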
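--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -265,7 +265,7 @@ with lib;
 min-port = 49000;
 max-port = 50000;
 use-auth-secret = true;
-static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+static-auth-secret-file = "/run/credentials/coturn.service/auth-secret";
 realm = "turn.synapse.li";
 cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
 pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
@@ -307,6 +307,7 @@ with lib;
 LoadCredential = [
 "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
 "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+"auth-secret:${config.sops.secrets."coturn-auth-secret".path}"
 ];
 };
 };
@@ -314,8 +315,6 @@ with lib;
 sops.secrets."coturn-auth-secret" = {
 format = "binary";
 sopsFile = ./coturn-auth-secret;
-owner = "turnserver";
-group = "turnserver";
 };
 };
 }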
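--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -59,22 +59,19 @@ in {
 let
 domainAttrset = domain: let
 tsigPath = ./tsig_keys + "/${domain}";
-tsigSecret = config.sops.secrets.${tsigSecretName domain};
 isTsig = pathExists tsigPath;
 shared = {
 inherit domain;
 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsResolver = "127.0.0.1:5353";
 };
-mkRFC2136 = let
-tsigInfo = readYaml tsigPath;
-in shared // {
+mkRFC2136 = shared // {
 dnsProvider = "rfc2136";
 credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
 RFC2136_NAMESERVER=127.0.0.1:53
 RFC2136_TSIG_ALGORITHM=hmac-sha256.
 RFC2136_TSIG_KEY=${domain}_acme_key
-RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret
 RFC2136_TTL=0
 RFC2136_PROPAGATION_TIMEOUT=60
 RFC2136_POLLING_INTERVAL=2
@@ -90,8 +87,6 @@ in {
 if v == "regular" || v == "symlink"
 then nameValuePair (tsigSecretName n) {
 format = "binary";
-owner = if config.security.acme.useRoot then "root" else "acme";
-group = "acme";
 sopsFile = ./tsig_keys + "/${n}";
 } else null;
 in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
@@ -101,11 +96,7 @@ in {
 serviceAttrset = domain: {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
-serviceConfig = {
-ReadWritePaths = ["/run/knot/knot.sock"];
-SupplementaryGroups = ["knot"];
-RestrictAddressFamilies = ["AF_UNIX"];
-};
+serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 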
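Review bot: The third hunk replaces the whole `serviceConfig` of every `acme-<domain>` service, so `ReadWritePaths = ["/run/knot/knot.sock"]`, `SupplementaryGroups = ["knot"]` and `RestrictAddressFamilies = ["AF_UNIX"]` disappear together with the switch to `LoadCredential`, which is a separate decision from how the TSIG secret is delivered; if they were dead weight (the rfc2136 provider is configured to reach knot over `127.0.0.1:53`, not the socket), say so in the commit message or a comment such as `# no knot socket access needed: lego speaks RFC2136 over 127.0.0.1:53`, otherwise the diff reads as a sandbox regression. With `tsigInfo` gone, `readYaml` is no longer used in this expression; check whether it is still needed in the `let` header above the first hunk. `credentialsFile` continues to carry only a path, so the TSIG key still does not land in the store.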
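--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -43,10 +43,13 @@ in {
 "2620:fe::fe:10#dns10.quad9.net"
 ];
 
-systemd.tmpfiles.rules = [
-"d /etc/wireguard 0755 root systemd-network - -"
-"C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv"
-];
+systemd.services."systemd-networkd" = {
+serviceConfig = {
+LoadCredential = [
+"surtr.priv"
+];
+};
+};
 
 systemd.network = {
 netdevs = {
@@ -56,7 +59,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = "/etc/wireguard/surtr.priv";
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv";
 ListenPort = 51820;
 };
 wireguardPeers = imap1 (i: { name, ip ? i }: {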
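Review bot: Removing the tmpfiles `C` rule in the first hunk stops creating `/etc/wireguard/surtr.priv`, but systemd-tmpfiles does not delete files it no longer manages, so on a host that already ran the old configuration a group-readable copy of the private key stays under `/etc/wireguard` unless that container's `/etc` is ephemeral; add a transitional `systemd.tmpfiles.rules = [ "r /etc/wireguard/surtr.priv" ];` (or remove it by hand) and drop the rule once every host has been rebuilt. The bare `"surtr.priv"` entry with no source path only works because the credential is inherited from the host through nspawn's `--load-credential` (modules/netns.nix in this commit); a comment on that line, `# no source path: inherited from the host's CREDENTIALS_DIRECTORY via systemd-nspawn --load-credential`, would save the next reader a search. The surrounding attribute set continues outside both hunks.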
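--- a/hosts/vidhar/network/bifrost/default.nix
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -14,7 +14,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.bifrost.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
 ListenPort = 51822;
 };
 wireguardPeers = [
@@ -65,12 +65,12 @@ in {
 };
 };
 };
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"bifrost.priv:${config.sops.secrets.bifrost.path}"
+];
 sops.secrets.bifrost = {
 format = "binary";
 sopsFile = ./vidhar.priv;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 };
 }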
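--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -92,9 +92,11 @@ let
 mkdir -p -m 0755 \
 "/nix/var/nix/profiles/per-container/${containerName}" \
 "/nix/var/nix/gcroots/per-container/${containerName}"
-credsBind=""
+credsBind=()
 if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then
-credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials"
+while IFS= read -r -d $'\0' credFile; do
+credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}")
+done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0)
 fi
 # Run systemd-nspawn without startup notification (we'll
 # wait for the container systemd to signal readiness).
@@ -105,7 +107,7 @@ let
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
-$credsBind \
+''${credsBind} \
 --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \
 --setenv PATH="$PATH" \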
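Review bot: `''${credsBind} \` in the second hunk expands only the first element of the array, so as soon as more than one file sits in `CREDENTIALS_DIRECTORY` only one `--load-credential=` reaches systemd-nspawn and the others are silently dropped; the line should be `"''${credsBind[@]}" \` (quoted, so an empty array contributes no argument). In the first hunk the directory is also unquoted in the `find` call; use `done < <(find "''${CREDENTIALS_DIRECTORY}" -type f -print0)`. `--load-credential` is only understood by newer systemd-nspawn releases, so a short comment naming the minimum version (or a check on the installed `systemd-nspawn --version`) would make the failure mode obvious on an older host. The shell script continues outside both hunks.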
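--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
 ListenPort = listenPort.${family};
 };
 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
 };
+familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
 name = "yggdrasil-wg-${family}";
 matchConfig = {
@@ -159,9 +160,6 @@ let
 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
 format = "binary";
 sopsFile = privateKeyPath family;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 });
 
 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
 config.routeTables.yggdrasil = 1024;
 };
 
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];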
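Review bot: `familyToLoadCred` dereferences `config.sops.secrets."yggdrasil-wg-${family}.priv".path` for every entry of `hostFamilies`, while `familyToSopsSecret` only defines that secret under `mkIf (pathExists (privateKeyPath family))`, so a family listed without a key file would make evaluation of the new `LoadCredential` line fail (the replaced `PrivateKeyFile` line carried the same dereference, so this may be unreachable with the current hosts). Applying the same guard keeps the two definitions in step: `systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred (filter (family: pathExists (privateKeyPath family)) hostFamilies));`. The `let` block holding these helpers starts and ends outside the hunks.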
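--- a/system-profiles/default-locale.nix
+++ b/system-profiles/default-locale.nix
@@ -1,7 +1,10 @@
-{...}:
+{ lib, ... }:
+
+with lib;
+
 {
 i18n.defaultLocale = "en_DK.UTF-8";
 console.keyMap = "dvorak-programmer";
 
-time.timeZone = "Europe/Berlin";
+time.timeZone = mkDefault "Europe/Berlin";
 }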
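Review bot: `with lib;` is introduced for a single `mkDefault`; `time.timeZone = lib.mkDefault "Europe/Berlin";` with the `{ lib, ... }:` header already added avoids bringing the whole of `lib` into scope for one identifier. Lowering the priority is what allows hosts/sif to set `time.timeZone = null;` in this same commit, and nothing in the file says so; a comment such as `# mkDefault so individual hosts can override or unset the zone (see hosts/sif)` would record the reason the strength changed.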