From c1f62e9827efe7c8e303e3cfa70dac8f544312b1 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 9 Aug 2022 11:23:00 +0300 Subject: ... --- hosts/sif/default.nix | 10 ++++++---- hosts/surtr/bifrost/default.nix | 8 ++++---- hosts/surtr/dns/default.nix | 8 +++++--- hosts/surtr/matrix/default.nix | 5 ++--- hosts/surtr/tls/default.nix | 15 +++------------ hosts/surtr/vpn/default.nix | 13 ++++++++----- hosts/vidhar/network/bifrost/default.nix | 8 ++++---- 7 files changed, 32 insertions(+), 35 deletions(-) (limited to 'hosts') diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index f51535ea..8c64551a 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -26,6 +26,8 @@ in { }; }; + time.timeZone = null; + boot = { initrd = { luks.devices = { @@ -148,7 +150,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets.wgrz.path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv"; ListenPort = 51822; # FirewallMark = 1; }; @@ -233,11 +235,11 @@ in { sops.secrets.wgrz = { format = "binary"; sopsFile = ./wgrz/privkey; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }; networking.networkmanager.unmanaged = ["wgrz" "virbr0"]; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ + "wgrz.priv:${config.sops.secrets.wgrz.path}" + ]; services.dnsmasq = { enable = true; diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix index 790af94a..bdedf5b6 100644 --- a/hosts/surtr/bifrost/default.nix +++ b/hosts/surtr/bifrost/default.nix @@ -14,7 +14,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets.bifrost.path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv"; ListenPort = 51822; }; wireguardPeers = [ 
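Review bot: `time.timeZone = null;` is unrelated to the credential migration that the rest of this patch performs and lands in the same commit under a placeholder subject, which makes the secrets change harder to review on its own. A null zone means NixOS stops managing the zone and leaves it to be set at runtime (as far as I recall of the option's semantics); if that is the intent, a one-line comment such as `# zone is set at runtime (timedated), not pinned here` would spare the next reader a lookup, and the commit message should name the change.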
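Review bot: The `LoadCredential` entry for `wgrz.priv` copies the decrypted sops file into `/run/credentials/systemd-networkd.service/` only when the unit starts, so a rotated `wgrz` secret is not visible to networkd until systemd-networkd is restarted; nothing in the hunk ties the two together. If the sops-nix version in use offers per-secret `restartUnits`, `sops.secrets.wgrz.restartUnits = [ "systemd-networkd.service" ];` closes that gap, and the same applies to the `bifrost` secrets in hosts/surtr/bifrost/default.nix and hosts/vidhar/network/bifrost/default.nix. Dropping `mode`/`owner`/`group` is consistent with the new flow, since the credential is read by the service manager rather than by the `systemd-network` group, and it removes the group-readable on-disk copy; a comment above the `LoadCredential` line saying so would document why no group ownership is needed anymore.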
@@ -49,12 +49,12 @@ in { }; }; }; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ + "bifrost.priv:${config.sops.secrets.bifrost.path}" + ]; sops.secrets.bifrost = { format = "binary"; sopsFile = ./surtr.priv; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }; }; } diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix index 808c56da..026111be 100644 --- a/hosts/surtr/dns/default.nix +++ b/hosts/surtr/dns/default.nix @@ -44,11 +44,14 @@ in { fsType = "zfs"; }; - systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; + systemd.services.knot = { + unitConfig.RequiresMountsFor = [ "/var/lib/knot" ]; + serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys; + }; services.knot = { enable = true; - keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys; + keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys; extraConfig = '' server: listen: 127.0.0.1@53 @@ -192,7 +195,6 @@ in { sops.secrets = listToAttrs (map ({name, path}: nameValuePair name { format = "binary"; - owner = "knot"; sopsFile = path; }) knotKeys); diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index a469be69..e3a52f9a 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix @@ -265,7 +265,7 @@ with lib; min-port = 49000; max-port = 50000; use-auth-secret = true; - static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path; + static-auth-secret-file = "/run/credentials/coturn.service/auth-secret"; realm = "turn.synapse.li"; cert = "/run/credentials/coturn.service/turn.synapse.li.pem"; pkey = "/run/credentials/coturn.service/turn.synapse.li.key.pem"; 
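Review bot: The new `LoadCredential` line in the `systemd.services.knot` hunk does not interpolate the secret path: in `"${name}:config.sops.secrets.${name}.path"` only `${name}` is expanded, so the source becomes the literal relative string `config.sops.secrets.<key>.path`, which systemd will look up in its credential search directories instead of reading the sops file, and knot will start without its TSIG keys (or fail to start). It should read `serviceConfig.LoadCredential = map ({name, ...}: "${name}:${config.sops.secrets.${name}.path}") knotKeys;`, matching the `keyFiles` entries a few lines below that expect `/run/credentials/knot.service/${name}` to exist. Removing `owner = "knot"` in the second hunk of this file is consistent with that, since the credential is read by the service manager.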
@@ -307,6 +307,7 @@ with lib; LoadCredential = [ "turn.synapse.li.key.pem:${config.security.acme.certs."turn.synapse.li".directory}/key.pem" "turn.synapse.li.pem:${config.security.acme.certs."turn.synapse.li".directory}/fullchain.pem" + "auth-secret:${config.sops.secrets."coturn-auth-secret".path}" ]; }; }; @@ -314,8 +315,6 @@ with lib; sops.secrets."coturn-auth-secret" = { format = "binary"; sopsFile = ./coturn-auth-secret; - owner = "turnserver"; - group = "turnserver"; }; }; } diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index 0f3a7fec..9b1fd1f3 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix @@ -59,22 +59,19 @@ in { let domainAttrset = domain: let tsigPath = ./tsig_keys + "/${domain}"; - tsigSecret = config.sops.secrets.${tsigSecretName domain}; isTsig = pathExists tsigPath; shared = { inherit domain; extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}"; dnsResolver = "127.0.0.1:5353"; }; - mkRFC2136 = let - tsigInfo = readYaml tsigPath; - in shared // { + mkRFC2136 = shared // { dnsProvider = "rfc2136"; credentialsFile = pkgs.writeText "${domain}_credentials.env" '' RFC2136_NAMESERVER=127.0.0.1:53 RFC2136_TSIG_ALGORITHM=hmac-sha256. RFC2136_TSIG_KEY=${domain}_acme_key - RFC2136_TSIG_SECRET_FILE=${tsigSecret.path} + RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret RFC2136_TTL=0 RFC2136_PROPAGATION_TIMEOUT=60 RFC2136_POLLING_INTERVAL=2 @@ -90,8 +87,6 @@ in { if v == "regular" || v == "symlink" then nameValuePair (tsigSecretName n) { format = "binary"; - owner = if config.security.acme.useRoot then "root" else "acme"; - group = "acme"; sopsFile = ./tsig_keys + "/${n}"; } else null; in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys); 
@@ -101,11 +96,7 @@ in { serviceAttrset = domain: { after = [ "knot.service" ]; bindsTo = [ "knot.service" ]; - serviceConfig = { - ReadWritePaths = ["/run/knot/knot.sock"]; - SupplementaryGroups = ["knot"]; - RestrictAddressFamilies = ["AF_UNIX"]; - }; + serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; }; in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 9d003f23..ba45e486 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix @@ -43,10 +43,13 @@ in { "2620:fe::fe:10#dns10.quad9.net" ]; - systemd.tmpfiles.rules = [ - "d /etc/wireguard 0755 root systemd-network - -" - "C /etc/wireguard/surtr.priv 0640 root systemd-network - /run/host/credentials/surtr.priv" - ]; + systemd.services."systemd-networkd" = { + serviceConfig = { + LoadCredential = [ + "surtr.priv" + ]; + }; + }; systemd.network = { netdevs = { @@ -56,7 +59,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = "/etc/wireguard/surtr.priv"; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/surtr.priv"; ListenPort = 51820; }; wireguardPeers = imap1 (i: { name, ip ? i }: { diff --git a/hosts/vidhar/network/bifrost/default.nix b/hosts/vidhar/network/bifrost/default.nix index 752e3e3c..8c2cc1de 100644 --- a/hosts/vidhar/network/bifrost/default.nix +++ b/hosts/vidhar/network/bifrost/default.nix @@ -14,7 +14,7 @@ in { Kind = "wireguard"; }; wireguardConfig = { - PrivateKeyFile = config.sops.secrets.bifrost.path; + PrivateKeyFile = "/run/credentials/systemd-networkd.service/bifrost.priv"; ListenPort = 51822; }; wireguardPeers = [ 
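Review bot: `serviceAttrset` is applied to every name in `config.security.acme.certs`, and the new `serviceConfig.LoadCredential` line evaluates `config.sops.secrets.${tsigSecretName domain}.path` unconditionally, but the earlier hunk in this file only creates a sops secret for domains that have a file under `./tsig_keys` (the `isTsig = pathExists tsigPath` branch suggests some certs do not); for such a domain evaluation fails with a missing attribute. Guarding it the same way, e.g. `serviceConfig.LoadCredential = optional (pathExists (./tsig_keys + "/${domain}")) "tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}";`, keeps the non-TSIG certs evaluating. The three dropped `serviceConfig` entries (`ReadWritePaths`, `SupplementaryGroups`, `RestrictAddressFamilies`) presumably existed to let the unit reach the knot-owned key, but `ReadWritePaths` and `RestrictAddressFamilies` are not obviously tied to the key file, so their removal changes the unit's sandbox and deserves a sentence in the commit message.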
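Review bot: Removing the tmpfiles `C` rule stops new copies of the key, but it does not remove the `/etc/wireguard/surtr.priv` copy (mode 0640, group `systemd-network`) that earlier generations already placed on deployed hosts, so the private key remains on the persistent filesystem outside the credential directory. A one-off cleanup rule such as `systemd.tmpfiles.rules = [ "r /etc/wireguard/surtr.priv" ];` (or a manual removal noted in the commit message) closes that. `LoadCredential = [ "surtr.priv" ]` with no source path relies on the service manager finding a credential of that name in its own credential store, which I take to be the host-supplied one the old rule read from `/run/host/credentials`; confirm the systemd version on this host supports the source-less form before relying on it.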
@@ -65,12 +65,12 @@ in { }; }; }; + systemd.services."systemd-networkd".serviceConfig.LoadCredential = [ + "bifrost.priv:${config.sops.secrets.bifrost.path}" + ]; sops.secrets.bifrost = { format = "binary"; sopsFile = ./vidhar.priv; - mode = "0640"; - owner = "root"; - group = "systemd-network"; }; }; } -- cgit v1.2.3