-rw-r--r--hosts/sif/default.nix10
-rw-r--r--hosts/surtr/bifrost/default.nix8
-rw-r--r--hosts/surtr/dns/default.nix8
-rw-r--r--hosts/surtr/matrix/default.nix5
-rw-r--r--hosts/surtr/tls/default.nix15
-rw-r--r--hosts/surtr/vpn/default.nix13
-rw-r--r--hosts/vidhar/network/bifrost/default.nix8
-rw-r--r--modules/netns.nix8
-rw-r--r--modules/yggdrasil-wg/default.nix8
-rw-r--r--system-profiles/default-locale.nix7
10 files changed, 46 insertions, 44 deletions
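diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index f51535ea..8c64551a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -26,6 +26,8 @@ in {
 };
 };
 
+time.timeZone = null;
+
 boot = {
 initrd = {
 luks.devices = {
@@ -148,7 +150,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.wgrz.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
 ListenPort = 51822;
 # FirewallMark = 1;
 };
@@ -233,11 +235,11 @@ in {
 sops.secrets.wgrz = {
 format = "binary";
 sopsFile = ./wgrz/privkey;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"wgrz.priv:${config.sops.secrets.wgrz.path}"
+];
 
 services.dnsmasq = {
 enable = true;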
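Review bot: The copy under /run/credentials/systemd-networkd.service/ that PrivateKeyFile now reads is made by systemd when the unit starts, so as far as I know a rotated wgrz secret is only picked up after systemd-networkd is restarted — a `reload` re-reads the netdev file but not the credential, which is easy to miss now that the path no longer points at the live sops file. A one-line comment on the new LoadCredential entry would spare the next person that surprise: `# credential is copied at unit start; restart systemd-networkd (not reload) after rotating wgrz`. Dropping mode/owner/group on sops.secrets.wgrz leaves the decrypted file at the sops-nix default, root-only, which is the tightening this commit is after. The enclosing module attrset starts and ends outside these hunks.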
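diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index 790af94a..bdedf5b6 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -14,7 +14,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.bifrost.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
 ListenPort = 51822;
 };
 wireguardPeers = [
@@ -49,12 +49,12 @@ in {
 };
 };
 };
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"bifrost.priv:${config.sops.secrets.bifrost.path}"
+];
 sops.secrets.bifrost = {
 format = "binary";
 sopsFile = ./surtr.priv;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 };
 }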
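diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 808c56da..026111be 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -44,11 +44,14 @@ in {
 fsType = "zfs";
 };
 
-systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+systemd.services.knot = {
+unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys;
+};
 
 services.knot = {
 enable = true;
-keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys;
 extraConfig = ''
 server:
 listen: 127.0.0.1@53
@@ -192,7 +195,6 @@ in {
 
 sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
 format = "binary";
-owner = "knot";
 sopsFile = path;
 }) knotKeys);
 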
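Review bot: In the new serviceConfig.LoadCredential entry the source path sits inside the string literal — `"${name}:config.sops.secrets.${name}.path"` interpolates name twice and never evaluates the sops path — so every credential gets the relative source `config.sops.secrets.<name>.path`, which systemd resolves against the manager's own credential store and, not finding it, fails knot.service at start (and with it every acme-*.service that bindsTo it in tls/default.nix). The fix is `serviceConfig.LoadCredential = map ({name, ...}: "${name}:${config.sops.secrets.${name}.path}") knotKeys;`. Removing `owner = "knot"` from the sops secrets is then right, since the per-unit credential copy is readable by the unit's user regardless of who owns the source. knotKeys and the rest of services.knot are defined outside these hunks.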
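diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index a469be69..e3a52f9a 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -265,7 +265,7 @@ with lib;
 min-port = 49000;
 max-port = 50000;
 use-auth-secret = true;
-static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
+static-auth-secret-file = "/run/credentials/coturn.service/auth-secret";
 realm = "turn.synapse.li";
 cert = "/run/credentials/coturn.service/turn.synapse.li.pem";
 pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
@@ -307,6 +307,7 @@ with lib;
 LoadCredential = [
 "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem"
 "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem"
+"auth-secret:${config.sops.secrets."coturn-auth-secret".path}"
 ];
 };
 };
@@ -314,8 +315,6 @@ with lib;
 sops.secrets."coturn-auth-secret" = {
 format = "binary";
 sopsFile = ./coturn-auth-secret;
-owner = "turnserver";
-group = "turnserver";
 };
 };
 }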
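diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 0f3a7fec..9b1fd1f3 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -59,22 +59,19 @@ in {
 let
 domainAttrset = domain: let
 tsigPath = ./tsig_keys + "/${domain}";
-tsigSecret = config.sops.secrets.${tsigSecretName domain};
 isTsig = pathExists tsigPath;
 shared = {
 inherit domain;
 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsResolver = "127.0.0.1:5353";
 };
-mkRFC2136 = let
-tsigInfo = readYaml tsigPath;
-in shared // {
+mkRFC2136 = shared // {
 dnsProvider = "rfc2136";
 credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
 RFC2136_NAMESERVER=127.0.0.1:53
 RFC2136_TSIG_ALGORITHM=hmac-sha256.
 RFC2136_TSIG_KEY=${domain}_acme_key
-RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret
 RFC2136_TTL=0
 RFC2136_PROPAGATION_TIMEOUT=60
 RFC2136_POLLING_INTERVAL=2
@@ -90,8 +87,6 @@ in {
 if v == "regular" || v == "symlink"
 then nameValuePair (tsigSecretName n) {
 format = "binary";
-owner = if config.security.acme.useRoot then "root" else "acme";
-group = "acme";
 sopsFile = ./tsig_keys + "/${n}";
 } else null;
 in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
@@ -101,11 +96,7 @@ in {
 serviceAttrset = domain: {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
-serviceConfig = {
-ReadWritePaths = ["/run/knot/knot.sock"];
-SupplementaryGroups = ["knot"];
-RestrictAddressFamilies = ["AF_UNIX"];
-};
+serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 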
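Review bot: serviceAttrset now forces `config.sops.secrets.${tsigSecretName domain}` for every name in config.security.acme.certs (the genAttrs on the last line), but sops.secrets only gets an entry for domains that have a file under ./tsig_keys (the readDir-driven toTSIGSecret above), and the retained `isTsig` flag suggests certs without one exist — for such a domain the new LoadCredential line presumably fails evaluation with a missing attribute, where the old lazy `tsigSecret` binding was only used from mkRFC2136. Guarding it with the same predicate keeps the non-TSIG path working: `serviceConfig.LoadCredential = optional (pathExists (./tsig_keys + "/${domain}")) "tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}";`. Replacing the knot socket bind, SupplementaryGroups knot and the AF_UNIX grant with a read-only per-unit credential is a good least-privilege reduction, assuming the rfc2136 provider only ever talks to 127.0.0.1:53 as the env file says. domainAttrset and the enclosing let-block begin and end outside these hunks.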
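diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 9d003f23..ba45e486 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -43,10 +43,13 @@ in {
 "2620:fe::fe:10#dns10.quad9.net"
 ];
 
-systemd.tmpfiles.rules = [
-"d /etc/wireguard 0755 root systemd-network - -"
-"C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv"
-];
+systemd.services."systemd-networkd" = {
+serviceConfig = {
+LoadCredential = [
+"surtr.priv"
+];
+};
+};
 
 systemd.network = {
 netdevs = {
@@ -56,7 +59,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = "/etc/wireguard/surtr.priv";
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv";
 ListenPort = 51820;
 };
 wireguardPeers = imap1 (i: { name, ip ? i }: {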
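Review bot: The bare `"surtr.priv"` entry (no `:path`) tells systemd to take the credential from the service manager's own store, i.e. whatever modules/netns.nix hands to this container with `--load-credential`; that implicit contract deserves a comment on the line, e.g. `# no source path: inherited from the container manager's credentials (see modules/netns.nix)`. The removed tmpfiles `C` rule leaves any previously created /etc/wireguard/surtr.priv (0640 root:systemd-network) behind if /etc of this container persists across restarts, so a one-off `"r /etc/wireguard/surtr.priv - - - - -"` rule is worth carrying until every instance has been rebuilt. Moving from a persistent copy of the key to a per-unit credential is the right direction either way. The surrounding config attrset starts and ends outside these hunks.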
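diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
index 752e3e3c..8c2cc1de 100644
--- a/hosts/vidhar/network/bifrost/default.nix
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -14,7 +14,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.bifrost.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv";
 ListenPort = 51822;
 };
 wireguardPeers = [
@@ -65,12 +65,12 @@ in {
 };
 };
 };
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"bifrost.priv:${config.sops.secrets.bifrost.path}"
+];
 sops.secrets.bifrost = {
 format = "binary";
 sopsFile = ./vidhar.priv;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 };
 }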
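diff --git a/modules/netns.nix b/modules/netns.nix
index 18e066e5..d4f07feb 100644
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -92,9 +92,11 @@ let
 mkdir -p -m 0755 \
 "/nix/var/nix/profiles/per-container/${containerName}" \
 "/nix/var/nix/gcroots/per-container/${containerName}"
-credsBind=""
+credsBind=()
 if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then
-credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials"
+while IFS= read -r -d $'\0' credFile; do
+credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}")
+done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0)
 fi
 # Run systemd-nspawn without startup notification (we'll
 # wait for the container systemd to signal readiness).
@@ -105,7 +107,7 @@ let
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
-$credsBind \
+''${credsBind} \
 --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \
 --setenv PATH="$PATH" \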
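Review bot: `''${credsBind} \` on the nspawn command line expands only element 0 of the bash array, so a service with more than one file in $CREDENTIALS_DIRECTORY silently forwards just the first credential into the container; the expansion should be `"''${credsBind[@]}" \` (and, if this script runs under `set -u` on bash older than 4.4, the empty-safe `''${credsBind[@]+"''${credsBind[@]}"}` form). The unquoted `find ''${CREDENTIALS_DIRECTORY}` is harmless for systemd's paths, but `"''${CREDENTIALS_DIRECTORY}"` would match the quoting used two lines above. Replacing the read-only bind of the whole credentials directory with per-file `--load-credential` is the right direction, since the host's secrets are no longer exposed as a mount that everything in the container can see. The generating let-binding and the nspawn invocation continue outside these hunks.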
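diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 1e52ba06..c27eb286 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
 ListenPort = listenPort.${family};
 };
 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
 };
+familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
 name = "yggdrasil-wg-${family}";
 matchConfig = {
@@ -159,9 +160,6 @@ let
 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
 format = "binary";
 sopsFile = privateKeyPath family;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 });
 
 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
 config.routeTables.yggdrasil = 1024;
 };
 
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];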
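Review bot: `map familyToLoadCred hostFamilies` forces `config.sops.secrets."yggdrasil-wg-${family}.priv".path` for every family, while familyToSopsSecret only defines that secret when `pathExists (privateKeyPath family)`; for a family whose key file is absent — which that mkIf guard implies can happen — the new LoadCredential line fails evaluation with a missing attribute (the old PrivateKeyFile carried the same reference, so this is a gap the commit preserves rather than introduces, but it is now the only place it bites). Filtering with the same predicate keeps the two in step: `systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred (filter (family: pathExists (privateKeyPath family)) hostFamilies));`. inNetwork, hostFamilies and privateKeyPath are defined outside these hunks.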
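diff --git a/system-profiles/default-locale.nix b/system-profiles/default-locale.nix
index 0dcea5b5..6915184a 100644
--- a/system-profiles/default-locale.nix
+++ b/system-profiles/default-locale.nix
@@ -1,7 +1,10 @@
-{...}:
+{ lib, ... }:
+
+with lib;
+
 {
 i18n.defaultLocale = "en_DK.UTF-8";
 console.keyMap = "dvorak-programmer";
 
-time.timeZone = "Europe/Berlin";
+time.timeZone = mkDefault "Europe/Berlin";
 }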
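Review bot: Opening the whole file with `with lib;` for one `mkDefault` is heavier than it needs to be and shadows any same-named binding added later; `time.timeZone = lib.mkDefault "Europe/Berlin";` under the new `{ lib, ... }:` header does the same and keeps the origin of mkDefault visible. Turning the timezone into a default is what lets hosts/sif/default.nix set `time.timeZone = null` in this same commit, which is worth a short comment on the line.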