Remove all semi-secret things

Signed-off-by: Magic_RB <magic_rb@redalder.org>
This commit is contained in:
Magic_RB 2021-08-19 18:14:15 +02:00
parent 3009efbc8f
commit 3ccb236c4b
No known key found for this signature in database
GPG key ID: 08D5287CC5DDCA0E
13 changed files with 223 additions and 106 deletions


@ -215,6 +215,7 @@
"nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable",
"secret": "secret",
"vtermModule": "vtermModule",
"yusdacra-dotfiles": "yusdacra-dotfiles"
}
@ -236,6 +237,18 @@
"type": "github"
}
},
"secret": {
"flake": false,
"locked": {
"narHash": "sha256-oCBpVoYGJ5YnK2IFHMFKSniFB9Vav0qA+mA04+zkaj4=",
"path": "secret",
"type": "path"
},
"original": {
"path": "secret",
"type": "path"
}
},
"vtermModule": {
"flake": false,
"locked": {


@ -35,6 +35,12 @@
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
secret = {
url = "path:secret";
flake = false;
};
# PACKAGES
## Emacs
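Review bot: The new `secret = { url = "path:secret"; flake = false; };` input is a non-flake path input, so the entire secret directory is copied into the Nix store of any machine that evaluates this flake, where it is world-readable, and flake.lock in this commit pins its `narHash`. That is fine for material that only needs to stay out of the public repository (addresses, peer public keys, host names), but it is the wrong channel for anything that must remain confidential on a multi-user host; the wireguard `privateKeyFile` is kept out of it in this commit, which is the right split and worth stating next to the input, e.g. `# non-flake path input: contents land in /nix/store (world-readable); private keys never go here`. The enclosing `inputs` attrset starts and ends outside the hunk.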


@ -1,6 +1,7 @@
{ ... }:
{
imports = [
../secret-lib
./efi-grub.nix
./erase-my-darlings.nix
./main.nix


@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, lib, secret, ... }:
with lib;
let
nm-enable = config.networking.networkmanager.enable;
@ -10,7 +10,7 @@ in {
users.main = {
isNormalUser = true;
home = "/home/main";
hashedPassword = "<REDACTED>";
hashedPassword = secret.passwordHashes.main.generic;
description = "main";
uid = 1000;
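Review bot: `hashedPassword = secret.passwordHashes.main.generic;` deliberately has no fallback, and that is the safe shape: when the secret module added in this commit falls back to its empty defaults, evaluation aborts with an attribute-missing error instead of producing a `main` user with a missing or empty hash. Because a later `or ""` would turn that into password-less login and `or null` would leave the account's password state up to `users.mutableUsers`, the intent deserves a comment on that line, e.g. `# no `or` fallback on purpose: a missing hash must abort evaluation, never fall through to "" or null`. The `secret` parameter comes from `_module.args.secret` set in the new secret-lib module; the surrounding attrset continues outside the hunk.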


@ -0,0 +1,33 @@
{ lib, config, ... }:
with lib;
{
options.magic_rb.secret = mkOption {
description = ''
Magic_RB's secret sause.
'';
type = types.unspecified;
};
config = {
_module.args.secret = config.magic_rb.secret;
magic_rb.secret =
let
secret = "${config.magic_rb.pins.secret}/default.nix";
modules = evalModules
{ modules =
[ ./wireguard.nix
./network.nix
./password-hashes.nix
] ++
(if (builtins.pathExists secret) then
[ secret ]
else
builtins.trace "Warning! Not loading any secrets, you may get errors." []
);
};
in
modules.config;
};
}
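Review bot: The fallback `builtins.trace "Warning! Not loading any secrets, you may get errors." []` produces a `secret` value holding only the option defaults (`{}` for `network.ips`, `network.networks`, `passwordHashes`, `wireguard`), and every consumer in this commit dereferences it unconditionally (`secret.passwordHashes.main.generic`, `secret.network.ips.vault.dns`, `config.magic_rb.secret.wireguard."omen"`), so the warning is followed by an attribute-missing error that does not mention the secrets at all. If evaluating without the submodule is not a supported mode, `else throw "secret module not found at ${secret}; check out the secret submodule"` gives an actionable failure; if it is supported, the fallback module has to define the keys those consumers read. Note also that `builtins.trace` prints only when the list is forced, i.e. once `modules.config` is demanded, and that `types.unspecified` on `magic_rb.secret` means the merged value is never re-checked against a type, so its safety rests on the submodule types inside `evalModules`. The description's `sause` should read `sauce`.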


@ -0,0 +1,22 @@
{ lib, ... }:
with lib;
{
options = {
network.ips = mkOption {
description = ''
Host IPs.
'';
type = with types; attrsOf (oneOf [ str (attrsOf str) ]);
default = {};
};
network.networks = mkOption {
description = ''
Network IPs.
'';
type = with types; attrsOf str;
default = {};
};
};
}
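Review bot: `type = with types; attrsOf (oneOf [ str (attrsOf str) ]);` on `network.ips` lets each host pick its own shape, and the consumers in this commit already use both: `ips.heater`, `ips.toothpick` and `ips.woodchip` as plain strings, `ips.vault.dns`, `ips.vault.vpn`, `ips.blowhole.dns`, `ips.blowhole.ip`, `ips.edge.flat` as sets with ad-hoc keys. A shape or key mismatch therefore surfaces only at the interpolation site as "cannot coerce a set to a string" or an attribute-missing error, not as a typed option failure. A submodule with the fixed fields the configs use, e.g. `attrsOf (submodule { options = { dns = mkOption { type = nullOr str; default = null; }; vpn = ...; ip = ...; }; })`, would validate the secret data once and make the `.dns`/`.vpn`/`.ip` vocabulary explicit; the description `Host IPs.` should then say which field holds what.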


@ -0,0 +1,14 @@
{ lib, ... }:
with lib;
{
options = {
passwordHashes = mkOption {
description = ''
Password hashes.
'';
type = with types; attrsOf (oneOf [ str (attrsOf str) ] );
default = {};
};
};
}
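Review bot: `type = with types; attrsOf (oneOf [ str (attrsOf str) ] );` accepts any string for a password hash, including the empty string, and an empty hash field in the generated shadow entry means the account can be entered without a password. Since these values feed `users.users.<name>.hashedPassword` directly (see users.nix in this commit), the type should reject that class of mistake at evaluation time: `attrsOf (oneOf [ nonEmptyStr (attrsOf nonEmptyStr) ])`, or stricter, `strMatching "^\\$[^$]+\\$.+"` to require a crypt-style hash. The description `Password hashes.` should also state the expected format (crypt(3) hash as produced by mkpasswd) so nobody stores a plaintext password here.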


@ -0,0 +1,97 @@
{ lib, ... }:
with lib;
{
options = {
wireguard = mkOption {
description = ''
Wireguard machine specific settings.
'';
type = with types; attrsOf (submodule
{ options = {
ips = mkOption {
description = ''
IP addresses.
'';
type = listOf str;
default = [];
};
listenPort = mkOption {
description = ''
Listen port.
'';
type = port;
};
privateKeyFile = mkOption {
description = ''
Path to private key
'';
type = str;
};
peers = mkOption {
description = ''
List of peers.
'';
type = listOf (submodule
{
options = {
publicKey = mkOption {
description = ''
Peer public key.
'';
type = str;
};
allowedIPs = mkOption {
description = ''
Allowed IPs for peer.
'';
type = listOf str;
};
endpoint = mkOption {
description = ''
Peer endpoint.
'';
type = nullOr str;
default = null;
};
persistentKeepalive = mkOption {
description = ''
Persistent keepalive.
'';
type = nullOr int;
default = null;
};
};
}
);
default = [];
};
};
}
);
default = {};
example = literalExample
''
{
heater = {
ips =
[ "stuff" ];
listenPort = 0;
privateKeyFile = "stuff";
peers = [
{ publicKey =
"stuff";
allowedIPs =
[ "stuff"
];
};
];
}
}
'';
};
};
}
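Review bot: `privateKeyFile` is typed `str` with the description `Path to private key`, and `str` is the right choice here: with `types.path` a Nix path literal such as `./wg0.key` would be copied into the world-readable Nix store, and since this whole secret directory is itself a store path in this commit, the key must never be referenced that way. That reasoning is not visible to the next maintainer, so the description should carry it, e.g. `Absolute path, as a string, to the private key on the target host. Deliberately not a path type: the file must stay outside the repository and the Nix store.` The option also has no default, so every host entry in the secret must set it, which matters for the `//` merges in the host configs of this commit.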


@ -5,7 +5,7 @@ inputs: {
../nixos-modules/default.nix
inputs.home-manager.nixosModules.home-manager
({ pkgs, config, lib, ... }:
({ pkgs, config, lib, secret, ... }:
{
home-manager.users."main" =
{ ... }:
@ -59,9 +59,8 @@ inputs: {
settings = {
authorization = {
trusted_clients =
[ "127.0.0.1" "10.64.2.201" "10.64.3.202"
"10.64.0.10"
trusted_clients = with secret.network.ips;
[ "127.0.0.1" heater edge.flat edge.vpn
];
};
@ -84,7 +83,7 @@ inputs: {
'';
};
virtualHosts."gooseberry.in.redalder.org" = {
virtualHosts.${secret.network.ips.gooseberry.dns} = {
root = pkgs.magic_rb.mainsail;
locations."/".extraConfig = ''
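Review bot: In the second hunk, `trusted_clients = with secret.network.ips; [ "127.0.0.1" heater edge.flat edge.vpn ];` builds an authorization allowlist through `with`, and in Nix a name bound lexically in an enclosing scope (a `let`, a function parameter such as `config` or `lib`) takes precedence over a `with` attribute, so a future binding named `heater` or `edge` would silently change which clients are trusted; a missing key also fails as "undefined variable" rather than naming the attribute. Explicit attribute access keeps the allowlist auditable: `trusted_clients = let ips = secret.network.ips; in`, `[ "127.0.0.1" ips.heater ips.edge.flat ips.edge.vpn`, `];`. The enclosing `settings` attrset continues outside the hunk.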


@ -6,7 +6,7 @@ inputs: {
inputs.dwarffs.nixosModules.dwarffs
inputs.home-manager.nixosModules.home-manager
({ pkgs, config, lib, ... }:
({ pkgs, config, lib, secret, ... }:
let
inherit (config.magic_rb.pkgs) nixpkgs-unstable;
in
@ -93,7 +93,7 @@ inputs: {
enable = true;
settings = {
vault = {
address = "https://vault.in.redalder.org:8200";
address = "https://${secret.network.ips.vault.vpn}:8200";
client_cert = "/etc/vault-agent/client.crt";
client_key = "/etc/vault-agent/client.key";
@ -120,7 +120,7 @@ inputs: {
source = pkgs.writeText "nomad.hcl.tpl" ''
client {
enabled = true
servers = [ "blowhole.in.redalder.org:4647" ]
servers = [ "${secret.network.ips.blowhole.dns}:4647" ]
options {
docker.privileged.enabled = "true"
@ -132,14 +132,14 @@ inputs: {
{{ with secret "kv/data/systems/heater/nomad" }}
vault {
enabled = true
address = "https://vault.in.redalder.org:8200"
address = "https://${secret.network.ips.vault.vpn}:8200"
token = "{{ .Data.data.vault_token }}"
allow_unauthenticated = true
create_from_role = "nomad-cluster"
}
consul {
address = "blowhole.in.redalder.org:8500"
address = "${secret.network.ips.blowhole.dns}:8500"
token = "{{ .Data.data.consul_token }}"
}
{{ end }}


@ -4,7 +4,7 @@ inputs: {
modules = [
../nixos-modules/default.nix
inputs.home-manager.nixosModules.home-manager
({ pkgs, config, ... }: {
({ pkgs, config, secret, ... }: {
home-manager.users."main" =
{ ... }: {
imports = [ ../home-manager/modules/default.nix ];
@ -45,7 +45,7 @@ inputs: {
enable = true;
settings = {
vault = {
address = "https://vault.in.redalder.org:8200";
address = "https://${secret.network.ips.vault.dns}:8200";
client_cert = "/etc/vault-agent/client.crt";
client_key = "/etc/vault-agent/client.key";
@ -122,22 +122,9 @@ inputs: {
interfaces.eno1.useDHCP = true;
hostId = "10c7ffc5";
wireguard.interfaces = {
wg0 = {
ips = [ "10.64.0.8/24" ];
listenPort = 6666;
wireguard.interfaces."wg0" = {
privateKeyFile = "/var/secrets/wg0.key";
peers = [
{
publicKey = "h4g6vWjOB6RS0NbrP/Kvb2CZeutm/F+ZfDbJmEd1Dgk=";
allowedIPs = [ "10.64.0.0/24" "10.64.1.0/24" ];
endpoint = "redalder.org:6666";
persistentKeepalive = 30;
}
];
};
};
} // config.magic_rb.secret.wireguard."omen";
};
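Review bot: In the last hunk, `privateKeyFile = "/var/secrets/wg0.key";` is dead: the right-hand side of `//` wins, and `config.magic_rb.secret.wireguard."omen"` is a fully evaluated submodule whose `privateKeyFile` option has no default, so it is always present and always overrides the local value. Either drop the line and write `wireguard.interfaces."wg0" = config.magic_rb.secret.wireguard."omen";`, or, if the local path is the one that should win, flip the merge to `config.magic_rb.secret.wireguard."omen" // { privateKeyFile = "/var/secrets/wg0.key"; }`, so the key location is not silently decided by the secret submodule. This host also reaches the secrets through `config.magic_rb.secret` while every other new line in the commit uses the `secret` module argument it now declares; toothpick's wireguard block does the same, and picking one form would make the data flow easier to follow.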
security.pki.certificates = [ (builtins.readFile ../redalder.org.crt) ];


@ -3,7 +3,7 @@ inputs: {
modules = [
../nixos-modules/default.nix
({ lib, pkgs, config, ... }: {
({ lib, pkgs, config, secret, ... }: {
magic_rb = {
pins = inputs;
overlays = inputs.self.overlays;
@ -30,7 +30,7 @@ inputs: {
dropPrivileges = false;
package = config.magic_rb.pkgs.nixpkgs-master.nomad_1_1;
extraPackages = [ pkgs.consul ];
extraPackages = with pkgs; [ consul glibc ];
extraSettingsPaths = [ "/var/secrets/nomad.hcl" ];
};
@ -71,7 +71,7 @@ inputs: {
enable = true;
settings = {
vault = {
address = "https://vault.in.redalder.org:8200";
address = "https://${secret.network.ips.vault.dns}:8200";
client_cert = "/etc/vault-agent/vault.crt";
client_key = "/etc/vault-agent/vault.key";
@ -126,7 +126,7 @@ inputs: {
set -e
export VAULT_ADDR="https://vault.in.redalder.org:8200/"
export VAULT_ADDR="https://${secret.network.ips.vault.dns}:8200/"
export VAULT_TOKEN="$(vault login \
-method=cert \
-client-cert=/etc/vault-agent/vault.crt \
@ -192,15 +192,15 @@ inputs: {
}
host_network "vpn" {
cidr = "10.64.0.0/24"
cidr = "${secret.network.networks.vpn}"
reserved_ports = ""
}
}
advertise {
http = "10.64.0.1"
rpc = "10.64.0.1"
serf = "10.64.0.1"
http = "${secret.network.ips.toothpick}"
rpc = "${secret.network.ips.toothpick}"
serf = "${secret.network.ips.toothpick}"
}
plugin "docker" {
@ -213,7 +213,7 @@ inputs: {
vault {
enabled = true
address = "https://vault.in.redalder.org:8200"
address = "https://${secret.network.ips.vault.dns}:8200"
allow_unauthenticated = false
create_from_role = "nomad-cluster"
}
@ -247,7 +247,7 @@ inputs: {
node_name = "toothpick"
data_dir = "/var/lib/consul"
retry_join_wan = [ "10.64.1.201" ]
retry_join_wan = [ "${secret.network.ips.blowhole.ip}" ]
server = true
@ -291,7 +291,7 @@ inputs: {
# ca_provider = "vault"
# ca_config {
# address = "https://vault.in.redalder.org:8200"
# address = "https://${secret.network.ips.vault.dns}:8200"
# token = "{{ file "/var/secrets/vault.token" | trimSpace }}"
# root_pki_path = "consul_root"
# intermediate_pki_path = "consul_intermediate"
@ -307,78 +307,23 @@ inputs: {
hostName = "toothpick";
nameservers =
[ "10.64.1.1"
[ "${secret.network.ips.woodchip}"
"93.184.77.2"
"67.207.67.3"
];
wireguard = {
enable = true;
interfaces."wg0" = {
ips =
[ "10.64.0.1/24" ];
listenPort = 6666;
privateKeyFile = "/var/secret/wg0.key";
interfaces."wg0" =
{
postSetup = ''
${pkgs.iptables}/bin/iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT
'';
postSetup = ''
${pkgs.iptables}/bin/iptables -I FORWARD -i wg0 -o wg0 -j ACCEPT
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT
'';
peers = [
# heater
{ publicKey =
"ygBDTN7rLFfN69WpgVCEmIacNMWnNXZX7DWpk2PYSz4=";
allowedIPs =
[ "10.64.0.3/32"
];
}
# blowhole
{ publicKey =
"E+0dxPdE4K+tjNDTyONG1xNQoPFvdr3tHbh25wYq9FM=";
allowedIPs =
[ "10.64.0.2/32"
"10.64.1.0/24"
];
}
# edge
{ publicKey =
"IQ7Ct49/ZsQfZ9f5je8NSJ6J++J6FFZbU9JTffyKrHg=";
allowedIPs =
[ "10.64.0.10/32"
];
}
# vantablack
{ publicKey =
"+S551mKun3i0Ptmt++zcAYbWAGkTOINv/uKYQrTIsg0=";
allowedIPs =
[ "10.64.0.5/32"
];
}
# thy - main
{ publicKey =
"dEwoaWN1CiCorGwogggUNhbNsXvfYgfw7GqFxvSKGBk=";
allowedIPs =
[ "10.64.0.6/32" ];
}
# sei - laptop
{ publicKey =
"fILkxz8hoCTws8fly91q3dDqxXZjbaz1bl+r/6r9Q0M=";
allowedIPs =
[ "10.64.0.7/32" ];
}
# omen
{ publicKey =
"pFjiXQLFe3K72RwbhCYXHy6ttZzsvYqW8PIBbro10iM=";
allowedIPs =
[ "10.64.0.8/32"
];
}
];
};
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -o wg0 -j ACCEPT
'';
} // config.magic_rb.secret.wireguard."toothpick";
};
defaultGateway = "64.225.96.1";
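Review bot: `extraPackages = with pkgs; [ consul glibc ];` in the second hunk adds `glibc` to nomad's PATH, which has nothing to do with removing semi-secret values and is not mentioned in the commit message; it should either be split out or get a one-line comment saying which nomad feature needs it. In the nomad and networking hunks, `http = "${secret.network.ips.toothpick}"`, `rpc = ...`, `serf = ...` and `[ "${secret.network.ips.woodchip}"` interpolate a bare string into a string, which is equivalent to `http = secret.network.ips.toothpick;` and hides that these entries are expected to be plain strings while `vault`, `blowhole` and `edge` are sets. The last hunk's `// config.magic_rb.secret.wireguard."toothpick"` keeps `postSetup`/`postShutdown` local, which is fine since the secret submodule has no such options, but the same `secret` argument versus `config.magic_rb.secret` inconsistency noted for omen applies here.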

secret

@ -1 +1 @@
Subproject commit f82d1beac1106e2c0c4a83f4d188a09027f86981
Subproject commit 3733aa83be8c801c92e6665f95496f09d2d293fd