From c1f62e9827efe7c8e303e3cfa70dac8f544312b1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 9 Aug 2022 11:23:00 +0300
Subject: ...
---
hosts/sif/default.nix | 10 ++++++----
hosts/surtr/bifrost/default.nix | 8 ++++----
hosts/surtr/dns/default.nix | 8 +++++---
hosts/surtr/matrix/default.nix | 5 ++---
hosts/surtr/tls/default.nix | 15 +++------------
hosts/surtr/vpn/default.nix | 13 ++++++++-----
hosts/vidhar/network/bifrost/default.nix | 8 ++++----
modules/netns.nix | 8 +++++---
modules/yggdrasil-wg/default.nix | 8 ++++----
system-profiles/default-locale.nix | 7 +++++--
10 files changed, 46 insertions(+), 44 deletions(-)
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index f51535ea..8c64551a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -26,6 +26,8 @@ in { }; }; + time.timeZone = null; + boot = { initrd = { luks.devices = {
@@ -148,7 +150,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets.wgrz.path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv"; ListenPort = 51822; # FirewallMark = 1; };
@@ -233,11 +235,11 @@ in { sops.secrets.wgrz = { format = "binary"; sopsFile = ./wgrz/privkey; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }; networking.networkmanager.unmanaged = ["wgrz" "virbr0"]; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ + "wgrz.priv:${config.sops.secrets.wgrz.path}" + ]; services.dnsmasq = { enable = true;
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
index 790af94a..bdedf5b6 100644
--- a/hosts/surtr/bifrost/default.nix
+++ b/hosts/surtr/bifrost/default.nix
@@ -14,7 +14,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets.bifrost.path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv"; ListenPort = 51822; }; wireguardPeers = [
@@ -49,12 +49,12 @@ in { }; }; }; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ + "bifrost.priv:${config.sops.secrets.bifrost.path}" + ]; sops.secrets.bifrost = { format = "binary"; sopsFile = ./surtr.priv; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }; }; }
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 808c56da..026111be 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -44,11 +44,14 @@ in { fsType = "zfs"; }; - systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; + systemd.services.knot = { + unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; + serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys; + }; services.knot = { enable = true; - keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys; + keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys; extraConfig = '' server: listen: 127.0.0.1@53
@@ -192,7 +195,6 @@ in { sops.secrets = listToAttrs (map ({name, path}: nameValuePair name { format = "binary"; - owner = "knot"; sopsFile = path; }) knotKeys);
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index a469be69..e3a52f9a 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -265,7 +265,7 @@ with lib; min-port = 49000; max-port = 50000; use-auth-secret = true; - static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path; + static-auth-secret-file = "/run/credentials/coturn.service/auth-secret"; realm = "turn.synapse.li"; cert = "/run/credentials/coturn.service/turn.synapse.li.pem"; pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem";
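Review bot: The new `LoadCredential` entry in the knot hunk (`"${name}:config.sops.secrets.${name}.path"`) only interpolates `${name}`; the `config.sops.secrets.…path` part is literal text, so each credential is given the relative source `<name>:config.sops.secrets.<name>.path` instead of the sops-provisioned file. systemd would then look that relative name up in its credential store rather than under the sops secrets directory, and knot will presumably either fail to start or come up without the keys that `keyFiles` now expects at `/run/credentials/knot.service/<name>`. The line should read `serviceConfig.LoadCredential = map ({name, ...}: "${name}:${config.sops.secrets.${name}.path}") knotKeys;`, matching the other LoadCredential entries in this commit. Dropping `owner = "knot"` in the later hunk of this file is only safe once that path is fixed, because the secret then stays root-owned and knot can reach it solely through the credential copy.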
@@ -307,6 +307,7 @@ with lib; LoadCredential = [ "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem" "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem" + "auth-secret:${config.sops.secrets."coturn-auth-secret".path}" ]; }; };
@@ -314,8 +315,6 @@ with lib; sops.secrets."coturn-auth-secret" = { format = "binary"; sopsFile = ./coturn-auth-secret; - owner = "turnserver"; - group = "turnserver"; }; }; }
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 0f3a7fec..9b1fd1f3 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -59,22 +59,19 @@ in { let domainAttrset = domain: let tsigPath = ./tsig_keys + "/${domain}"; - tsigSecret = config.sops.secrets.${tsigSecretName domain}; isTsig = pathExists tsigPath; shared = { inherit domain; extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; dnsResolver = "127.0.0.1:5353"; }; - mkRFC2136 = let - tsigInfo = readYaml tsigPath; - in shared // { + mkRFC2136 = shared // { dnsProvider = "rfc2136"; credentialsFile = pkgs.writeText "${domain}_credentials.env" '' RFC2136_NAMESERVER=127.0.0.1:53 RFC2136_TSIG_ALGORITHM=hmac-sha256. RFC2136_TSIG_KEY=${domain}_acme_key - RFC2136_TSIG_SECRET_FILE=${tsigSecret.path} + RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret RFC2136_TTL=0 RFC2136_PROPAGATION_TIMEOUT=60 RFC2136_POLLING_INTERVAL=2
@@ -90,8 +87,6 @@ in { if v == "regular" || v == "symlink" then nameValuePair (tsigSecretName n) { format = "binary"; - owner = if config.security.acme.useRoot then "root" else "acme"; - group = "acme"; sopsFile = ./tsig_keys + "/${n}"; } else null; in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
@@ -101,11 +96,7 @@ in { serviceAttrset = domain: { after = [ "knot.service" ]; bindsTo = [ "knot.service" ]; - serviceConfig = { - ReadWritePaths = ["/run/knot/knot.sock"]; - SupplementaryGroups = ["knot"]; - RestrictAddressFamilies = ["AF_UNIX"]; - }; + serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; }; in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 9d003f23..ba45e486 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -43,10 +43,13 @@ in { "2620:fe::fe:10#dns10.quad9.net" ]; - systemd.tmpfiles.rules = [ - "d /etc/wireguard 0755 root systemd-network - -" - "C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv" - ]; + systemd.services."systemd-networkd" = { + serviceConfig = { + LoadCredential = [ + "surtr.priv" + ]; + }; + }; systemd.network = { netdevs = {
@@ -56,7 +59,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = "/etc/wireguard/surtr.priv"; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv"; ListenPort = 51820; }; wireguardPeers = imap1 (i: { name, ip ? i }: {
diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix
index 752e3e3c..8c2cc1de 100644
--- a/hosts/vidhar/network/bifrost/default.nix
+++ b/hosts/vidhar/network/bifrost/default.nix
@@ -14,7 +14,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets.bifrost.path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv"; ListenPort = 51822; }; wireguardPeers = [
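Review bot: The new `serviceConfig.LoadCredential` line in `serviceAttrset` indexes `config.sops.secrets.${tsigSecretName domain}` for every name in `config.security.acme.certs`, while the TSIG secrets are only generated for files that exist under `./tsig_keys` (the `isTsig = pathExists tsigPath` check in the earlier hunk shows certs without a key are anticipated). If any cert has no TSIG file, the attribute lookup fails at evaluation time and the whole configuration stops building — the old code only touched `tsigSecret.path` inside `mkRFC2136`, so it was never evaluated for such certs. Guarding it the same way, `serviceConfig.LoadCredential = optional (pathExists (./tsig_keys + "/${domain}")) "tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}";`, keeps the credential only where a secret is defined (`optional` is already in scope in this file). The `let` that defines `serviceAttrset` starts before this hunk, so I cannot see whether the cert set is pre-filtered elsewhere.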
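Review bot: `LoadCredential = [ "surtr.priv" ]` in the vpn hunk names the credential without a source path, so it depends on `surtr.priv` already being present in the container's service-manager credentials — which, as far as this commit shows, is what the `--load-credential=` pass-through in modules/netns.nix provides. The dropped tmpfiles rule used to make that dependency visible through the `/run/host/credentials/surtr.priv` path; nothing in the new unit does. A one-line comment above the entry, e.g. `# surtr.priv is inherited from the host's credentials (passed in by modules/netns.nix via --load-credential)`, would record why no path is given and where to look when the credential is missing.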
@@ -65,12 +65,12 @@ in { }; }; }; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ + "bifrost.priv:${config.sops.secrets.bifrost.path}" + ]; sops.secrets.bifrost = { format = "binary"; sopsFile = ./vidhar.priv; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }; }; }
diff --git a/modules/netns.nix b/modules/netns.nix
index 18e066e5..d4f07feb 100644
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -92,9 +92,11 @@ let mkdir -p -m 0755 \ "/nix/var/nix/profiles/per-container/${containerName}" \ "/nix/var/nix/gcroots/per-container/${containerName}" - credsBind="" + credsBind=() if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then - credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials" + while IFS= read -r -d $'\0' credFile; do + credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}") + done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0) fi # Run systemd-nspawn without startup notification (we'll # wait for the container systemd to signal readiness).
@@ -105,7 +107,7 @@ let --bind-ro=/nix/store \ --bind-ro=/nix/var/nix/db \ --bind-ro=/nix/var/nix/daemon-socket \ - $credsBind \ + ''${credsBind} \ --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \ --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \ --setenv PATH="$PATH" \
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 1e52ba06..c27eb286 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
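Review bot: `credsBind` becomes a bash array in the first netns.nix hunk, but the nspawn command line in the second hunk expands it as `''${credsBind}`, which in bash is `${credsBind[0]}` — only the first `--load-credential=` is passed, and any further credential the host service manager hands over is silently dropped from the container. The expansion should be `"''${credsBind[@]}" \` (the `''$` escape is needed inside the Nix indented string), which also expands to nothing when the array is empty. While touching it, `find "''${CREDENTIALS_DIRECTORY}" -type f -print0` quotes the directory like the `-n` test two lines above. The shell snippet these lines belong to starts before the first hunk and continues after the second.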
@@ -132,11 +132,12 @@ let Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv"; ListenPort = listenPort.${family}; }; wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family}; }; + familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}"; familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" { name = "yggdrasil-wg-${family}"; matchConfig = {
@@ -159,9 +160,6 @@ let familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) { format = "binary"; sopsFile = privateKeyPath family; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }); thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in { config.routeTables.yggdrasil = 1024; }; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies); + sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
diff --git a/system-profiles/default-locale.nix b/system-profiles/default-locale.nix
index 0dcea5b5..6915184a 100644
--- a/system-profiles/default-locale.nix
+++ b/system-profiles/default-locale.nix
@@ -1,7 +1,10 @@ -{...}: +{ lib, ... }: + +with lib; + { i18n.defaultLocale = "en_DK.UTF-8"; console.keyMap = "dvorak-programmer"; - time.timeZone = "Europe/Berlin"; + time.timeZone = mkDefault "Europe/Berlin"; }
--
cgit v1.2.3
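Review bot: `familyToLoadCred` reads `config.sops.secrets."yggdrasil-wg-${family}.priv".path` for every family in `hostFamilies`, whereas `familyToSopsSecret` only defines that secret under `mkIf (pathExists (privateKeyPath family))`, so an `inNetwork` host with a family that has no key file would fail evaluation on the new `LoadCredential` list in the third hunk. The removed `PrivateKeyFile` line carried the same lookup, so this is not a new precondition, but it now lives in one list where a single missing family breaks networkd's unit for all of them; unless `hostFamilies` is already filtered by key existence (not visible in these hunks), `mkIf inNetwork (map familyToLoadCred (filter (family: pathExists (privateKeyPath family)) hostFamilies))` would keep the two definitions in step. A comment on `familyToLoadCred` stating that it assumes the secret exists would help either way.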
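Review bot: The default-locale hunk introduces a file-level `with lib;` to reach a single identifier, `mkDefault`, which pulls every lib name into scope for the rest of the file and makes the origin of names harder to trace. Writing `time.timeZone = lib.mkDefault "Europe/Berlin";` with the `{ lib, ... }:` argument already added keeps the file at its previous size and avoids the wildcard import. Since sif's hunk in this commit relies on overriding this value with `time.timeZone = null;`, a short comment on the `mkDefault` line noting that hosts are expected to override it would explain the priority choice.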