diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 3c8f5b7..192d909 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -42,9 +42,6 @@ }; }; - # TODO track my github stats - # services.telegraf.extraConfig.inputs.github = {}; - guests = let mkGuest = guestName: { enableStorageDataset ? false, diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 6f8b517..600409d 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix @@ -1,12 +1,10 @@ { config, - lib, nodes, ... }: let sentinelCfg = nodes.sentinel.config; wardWebProxyCfg = nodes.ward-web-proxy.config; - wardCfg = nodes.ward.config; lokiDomain = "loki.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-sentinel = { @@ -44,14 +42,11 @@ in { proxyWebsockets = true; extraConfig = '' auth_basic "Authentication required"; - auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path}; + auth_basic_user_file ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}; proxy_read_timeout 1800s; proxy_connect_timeout 1600s; - ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} - deny all; - access_log off; ''; }; @@ -89,7 +84,7 @@ in { proxyWebsockets = true; extraConfig = '' auth_basic "Authentication required"; - auth_basic_user_file ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}; + auth_basic_user_file ${wardWebProxyCfg.age.secrets.loki-basic-auth-hashes.path}; proxy_read_timeout 1800s; proxy_connect_timeout 1600s; diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 88483ea..fbe92e5 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -59,12 +59,11 @@ in { # allowed_clients = [ # ]; #trusted_proxies = []; - ratelimit = 60; + ratelimit = 300; upstream_dns = [ - "1.1.1.1" - # FIXME: enable ipv6 "2606:4700:4700::1111" - "8.8.8.8" - # FIXME: enable ipv6 "2001:4860:4860::8844" + "https://dns.cloudflare.com/dns-query" + "https://dns.google/dns-query" + "https://doh.mullvad.net/dns-query" ]; bootstrap_dns = [ "1.1.1.1" diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index 1f7c78a..cb9d5e6 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix @@ -33,6 +33,72 @@ in { inherit (acme) certs wildcardDomains; }; + age.secrets.github-access-token = { + rekeyFile = config.node.secretsDir + "/github-access-token.age"; + mode = "440"; + group = "telegraf"; + }; + + meta.telegraf.secrets."@GITHUB_ACCESS_TOKEN@" = config.age.secrets.github-access-token.path; + services.telegraf.extraConfig.inputs = { + ping = [ + { + method = "native"; + urls = [ + "192.168.178.1" + "192.168.1.1" + ]; + tags.type = "internal"; + fieldpass = [ + "percent_packet_loss" + "average_response_ms" + "standard_deviation_ms" + "reply_received" + "percent_reply_loss" + ]; + } + { + method = "native"; + urls = [ + "1.1.1.1" + "8.8.8.8" + config.repo.secrets.global.domains.me + config.repo.secrets.global.domains.personal + ]; + tags.type = "external"; + fieldpass = [ + "percent_packet_loss" + "average_response_ms" + "standard_deviation_ms" + "reply_received" + "percent_reply_loss" + ]; + } + ]; + + # FIXME: pls define this on the relevant hosts. Then we can ping it from multiple other hosts + #http_response = [ + # { + # urls = [ + # ]; + # response_string_match = "Index of /"; + # response_status_code = 200; + # } + #]; + + github = { + access_token = "@GITHUB_ACCESS_TOKEN@"; + repositories = [ + "oddlama/agenix-rekey" + "oddlama/autokernel" + "oddlama/gentoo-install" + "oddlama/nix-config" + "oddlama/nix-topology" + "oddlama/vane" + ]; + }; + }; + services.nginx = { upstreams.fritzbox = { servers."192.168.178.1" = {}; diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index cc8d190..fdf8705 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix @@ -75,25 +75,23 @@ in { IPForward = "yes"; IPv6PrivacyExtensions = "yes"; IPv6SendRA = true; + IPv6AcceptRA = false; + DHCPPrefixDelegation = true; MulticastDNS = true; }; # Announce a static prefix ipv6Prefixes = [ {ipv6PrefixConfig.Prefix = lanCidrv6;} ]; - # Delegate prefix from wan - #dhcpPrefixDelegationConfig = { - # UplinkInterface = "wan"; - # Announce = true; - # SubnetId = "auto"; - #}; + # Delegate prefix + dhcpPrefixDelegationConfig = { + SubnetId = "22"; + }; # Provide a DNS resolver - # TODO ipv6SendRAConfig = { - # TODO EmitDNS = true; - # TODO # TODO change to self later - # TODO #DNS = lib.net.cidr.host 1 net.lan.ipv6cidr; - # TODO DNS = ["2606:4700:4700::1111" "2001:4860:4860::8888"]; - # TODO }; + ipv6SendRAConfig = { + EmitDNS = true; + DNS = lib.net.cidr.host 3 lanCidrv6; + }; linkConfig.RequiredForOnline = "routable"; }; # Remaining macvtap interfaces should not be touched. diff --git a/hosts/ward/secrets/web-proxy/github-access-token.age b/hosts/ward/secrets/web-proxy/github-access-token.age new file mode 100644 index 0000000..9a196bc Binary files /dev/null and b/hosts/ward/secrets/web-proxy/github-access-token.age differ diff --git a/modules/oa2p.nix b/modules/oa2p.nix deleted file mode 100644 index 5c8b87a..0000000 --- a/modules/oa2p.nix +++ /dev/null @@ -1,139 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.services.oauth2-proxy.nginx; -in { - disabledModules = ["services/security/oauth2-proxy-nginx.nix"]; - options.services.oauth2-proxy.nginx = { - proxy = lib.mkOption { - type = lib.types.str; - default = config.services.oauth2-proxy.httpAddress; - defaultText = lib.literalExpression "config.services.oauth2-proxy.httpAddress"; - description = '' - The address of the reverse proxy endpoint for oauth2-proxy - ''; - }; - - domain = lib.mkOption { - type = lib.types.str; - description = '' - The domain under which the oauth2-proxy will be accesible and the path of cookies are set to. - This setting must be set to ensure back-redirects are working properly - if oauth2-proxy is configured with {option}`services.oauth2-proxy.cookie.domain` - or multiple {option}`services.oauth2-proxy.nginx.virtualHosts` that are not on the same domain. - ''; - }; - - virtualHosts = lib.mkOption { - type = let - vhostSubmodule = lib.types.submodule { - options = { - allowed_groups = lib.mkOption { - type = lib.types.nullOr (lib.types.listOf lib.types.str); - description = "List of groups to allow access to this vhost, or null to allow all."; - default = null; - }; - allowed_emails = lib.mkOption { - type = lib.types.nullOr (lib.types.listOf lib.types.str); - description = "List of emails to allow access to this vhost, or null to allow all."; - default = null; - }; - allowed_email_domains = lib.mkOption { - type = lib.types.nullOr (lib.types.listOf lib.types.str); - description = "List of email domains to allow access to this vhost, or null to allow all."; - default = null; - }; - }; - }; - oldType = lib.types.listOf lib.types.str; - convertFunc = x: - lib.warn "services.oauth2-proxy.nginx.virtualHosts should be an attrset, found ${lib.generators.toPretty {} x}" - lib.genAttrs - x (_: {}); - newType = lib.types.attrsOf vhostSubmodule; - in - lib.types.coercedTo oldType convertFunc newType; - default = {}; - example = { - "protected.foo.com" = { - allowed_groups = ["admins"]; - allowed_emails = ["boss@foo.com"]; - }; - }; - description = '' - Nginx virtual hosts to put behind the oauth2 proxy. - You can exclude specific locations by setting `auth_request off;` in the locations extraConfig setting. - ''; - }; - }; - - config.services.oauth2-proxy = lib.mkIf (cfg.virtualHosts != {} && (lib.hasPrefix "127.0.0.1:" cfg.proxy)) { - enable = true; - }; - - config.services.nginx = lib.mkIf (cfg.virtualHosts != {} && config.services.oauth2-proxy.enable) (lib.mkMerge ([ - { - virtualHosts.${cfg.domain}.locations."/oauth2/" = { - proxyPass = cfg.proxy; - extraConfig = '' - proxy_set_header X-Scheme $scheme; - proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri; - ''; - }; - } - ] - ++ lib.optional (cfg.virtualHosts != {}) { - recommendedProxySettings = true; # needed because duplicate headers - } - ++ (lib.mapAttrsToList (vhost: conf: { - virtualHosts.${vhost} = { - locations = { - "/oauth2/auth" = let - maybeQueryArg = name: value: - if value == null - then null - else "${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}"; - allArgs = lib.mapAttrsToList maybeQueryArg conf; - cleanArgs = builtins.filter (x: x != null) allArgs; - cleanArgsStr = lib.concatStringsSep "&" cleanArgs; - in { - # nginx doesn't support passing query string arguments to auth_request, - # so pass them here instead - proxyPass = "${cfg.proxy}/oauth2/auth?${cleanArgsStr}"; - extraConfig = '' - auth_request off; - proxy_set_header X-Scheme $scheme; - # nginx auth_request includes headers but not body - proxy_set_header Content-Length ""; - proxy_pass_request_body off; - ''; - }; - "@redirectToAuth2ProxyLogin" = { - return = "307 https://${cfg.domain}/oauth2/start?rd=$scheme://$host$request_uri"; - extraConfig = '' - auth_request off; - ''; - }; - }; - - extraConfig = '' - auth_request /oauth2/auth; - error_page 401 = @redirectToAuth2ProxyLogin; - - # pass information via X-User and X-Email headers to backend, - # requires running with --set-xauthrequest flag - auth_request_set $user $upstream_http_x_auth_request_user; - auth_request_set $email $upstream_http_x_auth_request_email; - proxy_set_header X-User $user; - proxy_set_header X-Email $email; - - # if you enabled --cookie-refresh, this is needed for it to work with auth_request - auth_request_set $auth_cookie $upstream_http_set_cookie; - add_header Set-Cookie $auth_cookie; - ''; - }; - }) - cfg.virtualHosts))); -} diff --git a/modules/oauth2-proxy.nix b/modules/oauth2-proxy.nix index 6c2bb55..55e431e 100644 --- a/modules/oauth2-proxy.nix +++ b/modules/oauth2-proxy.nix @@ -16,7 +16,6 @@ cfg = config.meta.oauth2-proxy; in { - imports = [./oa2p.nix]; options.meta.oauth2-proxy = { enable = mkEnableOption "oauth2 proxy"; diff --git a/modules/telegraf.nix b/modules/telegraf.nix index 8227a02..bfad346 100644 --- a/modules/telegraf.nix +++ b/modules/telegraf.nix @@ -27,6 +27,15 @@ in { description = "Scrape sensors with lm_sensors. You should disable this for virtualized hosts."; }; + secrets = mkOption { + type = types.attrsOf types.path; + default = {}; + example = { + "@INFLUX_TOKEN@" = "/run/agenix/influx-token"; + }; + description = "Additional secrets to replace in pre-start. The attr name will be searched and replaced in the config with the value read from the given file."; + }; + influxdb2 = { domain = mkOption { type = types.str; @@ -86,6 +95,8 @@ in { group = "telegraf"; }; + meta.telegraf.secrets."@INFLUX_TOKEN@" = config.age.secrets.telegraf-influxdb-token.path; + security.elewrap.telegraf-sensors = mkIf cfg.scrapeSensors { command = ["${pkgs.lm_sensors}/bin/sensors" "-A" "-u"]; targetUser = "root"; @@ -125,7 +136,7 @@ in { outputs = { influxdb_v2 = { urls = ["https://${cfg.influxdb2.domain}"]; - token = "$INFLUX_TOKEN"; + token = "@INFLUX_TOKEN@"; inherit (cfg.influxdb2) organization bucket; }; }; @@ -202,12 +213,19 @@ in { (pkgs.writeShellScriptBin "sensors" config.security.elewrap.telegraf-sensors.path)) ]; serviceConfig = { - Environment = "INFLUX_TOKEN=\$INFLUX_TOKEN"; # Required so the first envsubst in the original module doesn't change it ExecStartPre = mkAfter [ - (pkgs.writeShellScript "pre-start-token" '' - export INFLUX_TOKEN=$(< ${config.age.secrets.telegraf-influxdb-token.path}) - ${pkgs.envsubst}/bin/envsubst -i /var/run/telegraf/config.toml -o /var/run/telegraf/config.toml - '') + ( + pkgs.writeShellScript "pre-start-token" (lib.concatLines ( + lib.flip lib.mapAttrsToList config.meta.telegraf.secrets ( + key: secret: '' + ${lib.getExe pkgs.replace-secret} \ + ${lib.escapeShellArg key} \ + ${lib.escapeShellArg secret} \ + /var/run/telegraf/config.toml + '' + ) + )) + ) ]; # For wireguard statistics AmbientCapabilities = ["CAP_NET_ADMIN"]; diff --git a/secrets/rekeyed/ward-web-proxy/248016a36e45ca4cc24a93a8f0382290-github-access-token.age b/secrets/rekeyed/ward-web-proxy/248016a36e45ca4cc24a93a8f0382290-github-access-token.age new file mode 100644 index 0000000..80dfdde --- /dev/null +++ b/secrets/rekeyed/ward-web-proxy/248016a36e45ca4cc24a93a8f0382290-github-access-token.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 NwOpTA Rq5PyLLJdiYKkL+9vW+BS7sbFHBFoLwdxxWgPTH+0wU +wr1wRFGKYVgziwtzOm95pO4ZPnzF+pTuXlhedNd7HoU +-> Or$Ir-grease =Z{2b= (FvA*6m iV4)_ +tePL0HELOtPx9UAsd0K7CvKv/56vQP++Y/PI5LMIl1IP7Opv2tiOqlB+R5bqWClO +lzV5jX+CVtQNABFgyDrQDfeqUgrw +--- YYlss0gmwNI2pNYbukrJl0hZpdCC8xKh+trLpAeTqFg +?1Ý7©ˆåˆ§¡êdÒÛ=2P»(û˜­Uuø/98ÊÖ.ËŒ¯;gyþúÄNö]ÄkdÞ|L/QJÞ…6ÀûMUÝ$Ørs9 \ No newline at end of file diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age index 649c61b..c010005 100644 Binary files a/users/myuser/secrets/user.nix.age and b/users/myuser/secrets/user.nix.age differ