...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-08-09 11:23:00 +0300
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-08-09 11:23:00 +0300
commit: c1f62e9827efe7c8e303e3cfa70dac8f544312b1 (patch)
tree: d20ff0f367804bc87996c6312cebe2fa57b5bd4c /hosts/surtr
parent: de66ba821b2851cb23bcc7b064e84de3dd848e26 (diff)
download: nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar
nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.gz
nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.bz2
nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.xz
nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.zip
5 files changed, 22 insertions, 27 deletions
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index 790af94a..bdedf5b6 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -14,7 +14,7 @@ in {
            Kind = "wireguard";
          };
          wireguardConfig = {
-            PrivateKeyFile = config.sops.secrets.bifrost.path;
+            PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
            ListenPort = 51822;
          };
          wireguardPeers = [
@@ -49,12 +49,12 @@ in {
        };
      };
    };
+    systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+      "bifrost.priv:${config.sops.secrets.bifrost.path}"
+    ];
    sops.secrets.bifrost = {
      format = "binary";
      sopsFile = ./surtr.priv;
-      mode = "0640";
-      owner = "root";
-      group = "systemd-network";
    };
  };
 }
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 808c56da..026111be 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -44,11 +44,14 @@ in {
        fsType = "zfs";
      };
-    systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+    systemd.services.knot = {
+      unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+      serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys;
+    };
    
    services.knot = {
      enable = true;
-      keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+      keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys;
      extraConfig = ''
        server:
          listen: 127.0.0.1@53
@@ -192,7 +195,6 @@ in {
    sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
      format = "binary";
-      owner = "knot";
      sopsFile = path;
    }) knotKeys);
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index a469be69..e3a52f9a 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -265,7 +265,7 @@ with lib;
      min-port = 49000;
      max-port = 50000;
      use-auth-secret = true;
-      static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+      static-auth-secret-file = "/run/credentials/coturn.service/auth-secret";
      realm = "turn.synapse.li";
      cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
      pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
@@ -307,6 +307,7 @@ with lib;
        LoadCredential = [
          "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
          "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+          "auth-secret:${config.sops.secrets."coturn-auth-secret".path}"
        ];
      };
    };
@@ -314,8 +315,6 @@ with lib;
    sops.secrets."coturn-auth-secret" = {
      format = "binary";
      sopsFile = ./coturn-auth-secret;
-      owner = "turnserver";
-      group = "turnserver";
    };
  };
 }
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 0f3a7fec..9b1fd1f3 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -59,22 +59,19 @@ in {
        let
          domainAttrset = domain: let
            tsigPath = ./tsig_keys + "/${domain}";
-            tsigSecret = config.sops.secrets.${tsigSecretName domain};
            isTsig = pathExists tsigPath;
            shared = {
              inherit domain;
              extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
              dnsResolver = "127.0.0.1:5353";
            };
-            mkRFC2136 = let
+            mkRFC2136 = shared // {
-              tsigInfo = readYaml tsigPath;
-            in shared // {
              dnsProvider = "rfc2136";
              credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
                RFC2136_NAMESERVER=127.0.0.1:53
                RFC2136_TSIG_ALGORITHM=hmac-sha256.
                RFC2136_TSIG_KEY=${domain}_acme_key
-                RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+                RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret
                RFC2136_TTL=0
                RFC2136_PROPAGATION_TIMEOUT=60
                RFC2136_POLLING_INTERVAL=2
@@ -90,8 +87,6 @@ in {
        if v == "regular" || v == "symlink"
        then nameValuePair (tsigSecretName n) {
          format = "binary";
-          owner = if config.security.acme.useRoot then "root" else "acme";
-          group = "acme";
          sopsFile = ./tsig_keys + "/${n}";
        } else null;
    in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
@@ -101,11 +96,7 @@ in {
        serviceAttrset = domain: {
          after = [ "knot.service" ];
          bindsTo = [ "knot.service" ];
-          serviceConfig = {
+          serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
-            ReadWritePaths = ["/run/knot/knot.sock"];
-            SupplementaryGroups = ["knot"];
-            RestrictAddressFamilies = ["AF_UNIX"];
-          };
        };
      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 9d003f23..ba45e486 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -43,10 +43,13 @@ in {
          "2620:fe::fe:10#dns10.quad9.net"
        ];
-        systemd.tmpfiles.rules = [
+        systemd.services."systemd-networkd" = {
-          "d /etc/wireguard 0755 root systemd-network - -"
+          serviceConfig = {
-          "C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv"
+            LoadCredential = [
-        ];
+              "surtr.priv"
+            ];
+          };
+        };
        systemd.network = {
          netdevs = {
@@ -56,7 +59,7 @@ in {
                Kind = "wireguard";
              };
              wireguardConfig = {
-                PrivateKeyFile = "/etc/wireguard/surtr.priv";
+                PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv";
                ListenPort = 51820;
              };
              wireguardPeers = imap1 (i: { name, ip ? i }: {
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-08-09 11:23:00 +0300
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-08-09 11:23:00 +0300
commit	c1f62e9827efe7c8e303e3cfa70dac8f544312b1 (patch)
tree	d20ff0f367804bc87996c6312cebe2fa57b5bd4c /hosts/surtr
parent	de66ba821b2851cb23bcc7b064e84de3dd848e26 (diff)
download	nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.gz nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.bz2 nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.xz nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.zip