diff options
Diffstat (limited to 'hosts/surtr')
| -rw-r--r-- | hosts/surtr/bifrost/default.nix | 8 | ||||
| -rw-r--r-- | hosts/surtr/dns/default.nix | 8 | ||||
| -rw-r--r-- | hosts/surtr/matrix/default.nix | 5 | ||||
| -rw-r--r-- | hosts/surtr/tls/default.nix | 15 | ||||
| -rw-r--r-- | hosts/surtr/vpn/default.nix | 13 |
5 files changed, 22 insertions, 27 deletions
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix index 790af94a..bdedf5b6 100644 --- a/hosts/surtr/bifrost/default.nix +++ b/hosts/surtr/bifrost/default.nix | |||
| @@ -14,7 +14,7 @@ in { | |||
| 14 | Kind = "wireguard"; | 14 | Kind = "wireguard"; |
| 15 | }; | 15 | }; |
| 16 | wireguardConfig = { | 16 | wireguardConfig = { |
| 17 | PrivateKeyFile = config.sops.secrets.bifrost.path; | 17 | PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv"; |
| 18 | ListenPort = 51822; | 18 | ListenPort = 51822; |
| 19 | }; | 19 | }; |
| 20 | wireguardPeers = [ | 20 | wireguardPeers = [ |
| @@ -49,12 +49,12 @@ in { | |||
| 49 | }; | 49 | }; |
| 50 | }; | 50 | }; |
| 51 | }; | 51 | }; |
| 52 | systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ | ||
| 53 | "bifrost.priv:${config.sops.secrets.bifrost.path}" | ||
| 54 | ]; | ||
| 52 | sops.secrets.bifrost = { | 55 | sops.secrets.bifrost = { |
| 53 | format = "binary"; | 56 | format = "binary"; |
| 54 | sopsFile = ./surtr.priv; | 57 | sopsFile = ./surtr.priv; |
| 55 | mode = "0640"; | ||
| 56 | owner = "root"; | ||
| 57 | group = "systemd-network"; | ||
| 58 | }; | 58 | }; |
| 59 | }; | 59 | }; |
| 60 | } | 60 | } |
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 808c56da..026111be 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix | |||
| @@ -44,11 +44,14 @@ in { | |||
| 44 | fsType = "zfs"; | 44 | fsType = "zfs"; |
| 45 | }; | 45 | }; |
| 46 | 46 | ||
| 47 | systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; | 47 | systemd.services.knot = { |
| 48 | unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; | ||
| 49 | serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys; | ||
| 50 | }; | ||
| 48 | 51 | ||
| 49 | services.knot = { | 52 | services.knot = { |
| 50 | enable = true; | 53 | enable = true; |
| 51 | keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys; | 54 | keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys; |
| 52 | extraConfig = '' | 55 | extraConfig = '' |
| 53 | server: | 56 | server: |
| 54 | listen: 127.0.0.1@53 | 57 | listen: 127.0.0.1@53 |
| @@ -192,7 +195,6 @@ in { | |||
| 192 | 195 | ||
| 193 | sops.secrets = listToAttrs (map ({name, path}: nameValuePair name { | 196 | sops.secrets = listToAttrs (map ({name, path}: nameValuePair name { |
| 194 | format = "binary"; | 197 | format = "binary"; |
| 195 | owner = "knot"; | ||
| 196 | sopsFile = path; | 198 | sopsFile = path; |
| 197 | }) knotKeys); | 199 | }) knotKeys); |
| 198 | 200 | ||
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index a469be69..e3a52f9a 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
| @@ -265,7 +265,7 @@ with lib; | |||
| 265 | min-port = 49000; | 265 | min-port = 49000; |
| 266 | max-port = 50000; | 266 | max-port = 50000; |
| 267 | use-auth-secret = true; | 267 | use-auth-secret = true; |
| 268 | static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path; | 268 | static-auth-secret-file = "/run/credentials/coturn.service/auth-secret"; |
| 269 | realm = "turn.synapse.li"; | 269 | realm = "turn.synapse.li"; |
| 270 | cert = "/run/credentials/coturn.service/turn.synapse.li.pem"; | 270 | cert = "/run/credentials/coturn.service/turn.synapse.li.pem"; |
| 271 | pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem"; | 271 | pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem"; |
| @@ -307,6 +307,7 @@ with lib; | |||
| 307 | LoadCredential = [ | 307 | LoadCredential = [ |
| 308 | "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem" | 308 | "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem" |
| 309 | "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem" | 309 | "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem" |
| 310 | "auth-secret:${config.sops.secrets."coturn-auth-secret".path}" | ||
| 310 | ]; | 311 | ]; |
| 311 | }; | 312 | }; |
| 312 | }; | 313 | }; |
| @@ -314,8 +315,6 @@ with lib; | |||
| 314 | sops.secrets."coturn-auth-secret" = { | 315 | sops.secrets."coturn-auth-secret" = { |
| 315 | format = "binary"; | 316 | format = "binary"; |
| 316 | sopsFile = ./coturn-auth-secret; | 317 | sopsFile = ./coturn-auth-secret; |
| 317 | owner = "turnserver"; | ||
| 318 | group = "turnserver"; | ||
| 319 | }; | 318 | }; |
| 320 | }; | 319 | }; |
| 321 | } | 320 | } |
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index 0f3a7fec..9b1fd1f3 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix | |||
| @@ -59,22 +59,19 @@ in { | |||
| 59 | let | 59 | let |
| 60 | domainAttrset = domain: let | 60 | domainAttrset = domain: let |
| 61 | tsigPath = ./tsig_keys + "/${domain}"; | 61 | tsigPath = ./tsig_keys + "/${domain}"; |
| 62 | tsigSecret = config.sops.secrets.${tsigSecretName domain}; | ||
| 63 | isTsig = pathExists tsigPath; | 62 | isTsig = pathExists tsigPath; |
| 64 | shared = { | 63 | shared = { |
| 65 | inherit domain; | 64 | inherit domain; |
| 66 | extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; | 65 | extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; |
| 67 | dnsResolver = "127.0.0.1:5353"; | 66 | dnsResolver = "127.0.0.1:5353"; |
| 68 | }; | 67 | }; |
| 69 | mkRFC2136 = let | 68 | mkRFC2136 = shared // { |
| 70 | tsigInfo = readYaml tsigPath; | ||
| 71 | in shared // { | ||
| 72 | dnsProvider = "rfc2136"; | 69 | dnsProvider = "rfc2136"; |
| 73 | credentialsFile = pkgs.writeText "${domain}_credentials.env" '' | 70 | credentialsFile = pkgs.writeText "${domain}_credentials.env" '' |
| 74 | RFC2136_NAMESERVER=127.0.0.1:53 | 71 | RFC2136_NAMESERVER=127.0.0.1:53 |
| 75 | RFC2136_TSIG_ALGORITHM=hmac-sha256. | 72 | RFC2136_TSIG_ALGORITHM=hmac-sha256. |
| 76 | RFC2136_TSIG_KEY=${domain}_acme_key | 73 | RFC2136_TSIG_KEY=${domain}_acme_key |
| 77 | RFC2136_TSIG_SECRET_FILE=${tsigSecret.path} | 74 | RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret |
| 78 | RFC2136_TTL=0 | 75 | RFC2136_TTL=0 |
| 79 | RFC2136_PROPAGATION_TIMEOUT=60 | 76 | RFC2136_PROPAGATION_TIMEOUT=60 |
| 80 | RFC2136_POLLING_INTERVAL=2 | 77 | RFC2136_POLLING_INTERVAL=2 |
| @@ -90,8 +87,6 @@ in { | |||
| 90 | if v == "regular" || v == "symlink" | 87 | if v == "regular" || v == "symlink" |
| 91 | then nameValuePair (tsigSecretName n) { | 88 | then nameValuePair (tsigSecretName n) { |
| 92 | format = "binary"; | 89 | format = "binary"; |
| 93 | owner = if config.security.acme.useRoot then "root" else "acme"; | ||
| 94 | group = "acme"; | ||
| 95 | sopsFile = ./tsig_keys + "/${n}"; | 90 | sopsFile = ./tsig_keys + "/${n}"; |
| 96 | } else null; | 91 | } else null; |
| 97 | in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys); | 92 | in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys); |
| @@ -101,11 +96,7 @@ in { | |||
| 101 | serviceAttrset = domain: { | 96 | serviceAttrset = domain: { |
| 102 | after = [ "knot.service" ]; | 97 | after = [ "knot.service" ]; |
| 103 | bindsTo = [ "knot.service" ]; | 98 | bindsTo = [ "knot.service" ]; |
| 104 | serviceConfig = { | 99 | serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; |
| 105 | ReadWritePaths = ["/run/knot/knot.sock"]; | ||
| 106 | SupplementaryGroups = ["knot"]; | ||
| 107 | RestrictAddressFamilies = ["AF_UNIX"]; | ||
| 108 | }; | ||
| 109 | }; | 100 | }; |
| 110 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); | 101 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); |
| 111 | 102 | ||
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 9d003f23..ba45e486 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
| @@ -43,10 +43,13 @@ in { | |||
| 43 | "2620:fe::fe:10#dns10.quad9.net" | 43 | "2620:fe::fe:10#dns10.quad9.net" |
| 44 | ]; | 44 | ]; |
| 45 | 45 | ||
| 46 | systemd.tmpfiles.rules = [ | 46 | systemd.services."systemd-networkd" = { |
| 47 | "d /etc/wireguard 0755 root systemd-network - -" | 47 | serviceConfig = { |
| 48 | "C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv" | 48 | LoadCredential = [ |
| 49 | ]; | 49 | "surtr.priv" |
| 50 | ]; | ||
| 51 | }; | ||
| 52 | }; | ||
| 50 | 53 | ||
| 51 | systemd.network = { | 54 | systemd.network = { |
| 52 | netdevs = { | 55 | netdevs = { |
| @@ -56,7 +59,7 @@ in { | |||
| 56 | Kind = "wireguard"; | 59 | Kind = "wireguard"; |
| 57 | }; | 60 | }; |
| 58 | wireguardConfig = { | 61 | wireguardConfig = { |
| 59 | PrivateKeyFile = "/etc/wireguard/surtr.priv"; | 62 | PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv"; |
| 60 | ListenPort = 51820; | 63 | ListenPort = 51820; |
| 61 | }; | 64 | }; |
| 62 | wireguardPeers = imap1 (i: { name, ip ? i }: { | 65 | wireguardPeers = imap1 (i: { name, ip ? i }: { |