From 0e3d88188710997f76a1d76c307b9595ea951112 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Thu, 25 May 2023 01:57:16 +0200
Subject: [PATCH] feat: experiment with kanidm and acme dns-01. add common conditional locations to impermanence
---
 README.md | 6 +-
 hosts/common/core/impermanence.nix | 94 ++++++++-
 hosts/common/core/issue.nix | 1 +
 hosts/ward/default.nix | 189 +++++++++++++++++-
 hosts/ward/grafana.nix | 1 -
 hosts/ward/net.nix | 4 +-
 hosts/ward/node_exporter.nix | 1 -
 hosts/ward/prometheus.nix | 1 -
 hosts/ward/samba.nix | 1 -
 hosts/ward/secrets/acme-credentials.age | Bin 0 -> 527 bytes
 hosts/ward/secrets/kanidm-self-signed.crt.age | Bin 0 -> 2223 bytes
 hosts/ward/secrets/kanidm-self-signed.key.age | Bin 0 -> 3736 bytes
 hosts/ward/secrets/local.nix.age | Bin 627 -> 783 bytes
 hosts/ward/vaultwarden.nix | 4 +-
 hosts/zackbiene/esphome.nix | 2 +-
 hosts/zackbiene/home-assistant.nix | 2 +-
 hosts/zackbiene/net.nix | 9 +-
 hosts/zackbiene/nginx.nix | 2 +
 hosts/zackbiene/zigbee2mqtt.nix | 2 +-
 modules/microvms.nix | 13 +-
 .../ward-local-vms/keys/ward-nginx.age | 10 +
 .../ward-local-vms/keys/ward-nginx.pub | 1 +
 .../ward-local-vms/psks/ward+ward-nginx.age | Bin 0 -> 414 bytes
 .../psks/ward-nginx+ward-test.age | 9 +
 24 files changed, 323 insertions(+), 29 deletions(-)
 delete mode 100644 hosts/ward/grafana.nix
 delete mode 100644 hosts/ward/node_exporter.nix
 delete mode 100644 hosts/ward/prometheus.nix
 delete mode 100644 hosts/ward/samba.nix
 create mode 100644 hosts/ward/secrets/acme-credentials.age
 create mode 100644 hosts/ward/secrets/kanidm-self-signed.crt.age
 create mode 100644 hosts/ward/secrets/kanidm-self-signed.key.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-nginx.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-nginx.pub
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward+ward-nginx.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-nginx+ward-test.age
diff --git a/README.md b/README.md
index 526062c..e1adc23 100644
--- a/README.md
+++ b/README.md
@@ -93,7 +93,7 @@ then select the host in the fzf menu
 ## Stuff
 - Secrets can be created/edited by running `nix run .#edit-secret some/secret.age`
-- Secrets can be rekeyed by running `nix run .#rekey` (you will be prompted to do so in an error message if neccessary)
+- Secrets can be rekeyed by running `nix run .#rekey` (you will also be prompted to do so in an error message if neccessary)
 To be able to decrypt the repository-wide secrets transparently on a host that is _not_ managed by this config, you will need to (be me and) run
@@ -110,10 +110,10 @@ all commands using these extra parameters, or permanently add the following the
 ## Misc
-Generate self-signed cert:
+Generate self-signed cert, e.g. for kanidm internal communication to proxy:
 ```bash
 openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
- -keyout zackbiene-selfcert.key -out zackbiene-selfcert.crt -subj \
+ -keyout selfcert.key -out selfcert.crt -subj \
 "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
 ```
diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix
index 07170fb..ad85bda 100644
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@@ -1,4 +1,8 @@
 {
+ config,
+ lib,
+ ...
+}: {
 # State that should be kept across reboots, but is otherwise
 # NOT important information in any way that needs to be backed up.
 #environment.persistence."/nix/state" = {
@@ -20,10 +24,90 @@
 "/etc/ssh/ssh_host_ed25519_key"
 "/etc/ssh/ssh_host_ed25519_key.pub"
 ];
- directories = [
- "/var/lib/nixos"
- "/var/lib/systemd/coredump"
- "/var/log"
- ];
+ directories =
+ [
+ {
+ directory = "/var/lib/nixos";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ {
+ directory = "/var/lib/systemd";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ {
+ directory = "/var/log";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
+ #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
+ {
+ directory = "/var/spool";
+ user = "root";
+ group = "root";
+ mode = "0777";
+ }
+ ]
+ ++ lib.optionals config.networking.wireless.iwd.enable [
+ {
+ directory = "/var/lib/iwd";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ]
+ ++ lib.optionals (config.services.kea.dhcp4.enable || config.services.kea.dhcp6.enable) [
+ {
+ directory = "/var/lib/kea";
+ user = "kea";
+ group = "kea";
+ mode = "0755";
+ }
+ ]
+ ++ lib.optionals config.services.gitea.enable [
+ {
+ directory = "/var/lib/gitea";
+ user = "gitea";
+ group = "gitea";
+ mode = "0755";
+ }
+ ]
+ ++ lib.optionals config.security.acme.acceptTerms [
+ {
+ directory = "/var/lib/acme";
+ user = "acme";
+ group = "acme";
+ mode = "0755";
+ }
+ ]
+ ++ lib.optionals config.services.printing.enable [
+ {
+ directory = "/var/lib/cups";
+ user = "root";
+ group = "root";
+ mode = "0755";
+ }
+ ]
+ ++ lib.optionals config.services.fail2ban.enable [
+ {
+ directory = "/var/lib/fail2ban";
+ user = "fail2ban";
+ group = "fail2ban";
+ mode = "0750";
+ }
+ ]
+ ++ lib.optionals config.services.opendkim.enable [
+ {
+ directory = "/var/lib/postgresql";
+ user = "postgres";
+ group = "postgres";
+ mode = "0755";
+ }
+ ];
 };
 }
diff --git a/hosts/common/core/issue.nix b/hosts/common/core/issue.nix
index ba51081..f324347 100644
--- a/hosts/common/core/issue.nix
+++ b/hosts/common/core/issue.nix
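Review bot: The last `lib.optionals` entry persists `/var/lib/postgresql` as `postgres` but is gated on `config.services.opendkim.enable`, which reads like a copy-paste slip: a host running postgresql without opendkim loses its database directory on reboot, while an opendkim-only host gets an orphan directory; the condition should be `++ lib.optionals config.services.postgresql.enable [`. Separately, `/var/spool` is persisted with `mode = "0777"`, which is wider than the `0755` it normally carries, so every local user can create files in the persisted copy; unless a service on these hosts needs a world-writable spool, `mode = "0755";` keeps the persisted directory as tight as the original. The `directories` attribute ends inside this hunk, but the enclosing `environment.persistence` block starts before it.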
@@ -2,6 +2,7 @@ let
 # IP addresses: ${"${interface} \e{halfbright}\4{${interface}}\e{reset} \e{halfbright}\6{${interface}}\e{reset}"}
 issue_text = ''
 \d \t
+ \e{halfbright}\4\e{reset} \e{halfbright}\6\e{reset}
 This is \e{cyan}\n\e{reset} [\e{lightblue}\l\e{reset}] (\s \m \r)
 '';
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 844a0e3..95b75ce 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -3,7 +3,19 @@
 nixos-hardware,
 pkgs,
 ...
-}: {
+}: let
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ # TODO byebyebye
+ inherit (config.repo.secrets.local) acme;
+ auth.domain = config.repo.secrets.local.auth.domain;
+in {
 imports = [
 nixos-hardware.common-cpu-intel
 nixos-hardware.common-pc-ssd
@@ -33,15 +45,26 @@
 };
 in {
 test = defineVm 11;
-
- #nginx = defineVm 12;
+ #ddclient = defineVm 11;
+ nginx = defineVm 12;
 #kanidm = defineVm 13;
 #gitea = defineVm 14;
 #vaultwarden = defineVm 15;
- #samba = defineVm 16;
+ #samba+wsdd = defineVm 16;
 #fasten-health = defineVm 17;
 #immich = defineVm 18;
 #paperless = defineVm 19;
+ #radicale = defineVm 20;
+ #minecraft = defineVm 21;
+
+ #grafana
+ #loki
+
+ #maddy = defineVm 19;
+ #anonaddy = defineVm 19;
+
+ #automatic1111 = defineVm 19;
+ #invokeai = defineVm 19;
 #kanidm = defineVm 12 // {
 # configPath = ./vm-test.nix;
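Review bot: The nine identical `# TODO byebyebye` lines at the top of the new `let` block in hosts/ward/default.nix tell the next reader nothing about what is temporary or why; one line naming the thing to be removed, e.g. `# TODO(cleanup): <what the acme/auth bindings below are a stopgap for>`, carries the same intent without the noise. If `config.repo.secrets.local.auth` holds only `domain`, the two bindings could also collapse to `inherit (config.repo.secrets.local) acme auth;` — I cannot see the secret's shape from here, so confirm before changing it. The `let` block's bindings are complete within the hunk; the module body continues past it.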
@@ -51,4 +74,162 @@
 microvm.vms.test.config = {
 rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
 };
+
+ microvm.vms.nginx.config = {
+ lib,
+ config,
+ parentNodeName,
+ ...
+ }: {
+ rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
+
+ rekey.secrets."kanidm-self-signed.crt" = {
+ file = ./secrets/kanidm-self-signed.crt.age;
+ mode = "440";
+ owner = "nginx";
+ group = "kanidm";
+ };
+ rekey.secrets."kanidm-self-signed.key" = {
+ file = ./secrets/kanidm-self-signed.key.age;
+ mode = "440";
+ owner = "nginx";
+ group = "kanidm";
+ };
+ rekey.secrets."dhparams.pem" = {
+ # TODO make own?
+ file = ../zackbiene/secrets/dhparams.pem.age;
+ mode = "440";
+ group = "nginx";
+ };
+
+ networking.hosts = {
+ "192.168.100.12" = [auth.domain];
+ };
+
+ rekey.secrets.acme-credentials = {
+ file = ./secrets/acme-credentials.age;
+ mode = "440";
+ group = "acme";
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ inherit (acme) email;
+ dnsProvider = "cloudflare";
+ credentialsFile = config.rekey.secrets.acme-credentials.path;
+ dnsPropagationCheck = true;
+ };
+ certs = lib.genAttrs acme.domains (domain: {
+ extraDomainNames = ["*.${domain}"];
+ });
+ };
+ users.groups.acme.members = ["nginx"];
+
+ # TODO needed in my current testing network that has no ipv6 connectivity
+ # TODO but these should use fallback......... something's wrong
+ systemd.network.networks."10-wan".networkConfig.DNS = ["1.1.1.1" "8.8.8.8"];
+
+ # TODO reload nginx when acme is renewed
+
+ # TODO make default nginx config in core to reduce boilerplate?
+ services.nginx = let
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO not implemented well
+ # TODO (acme.domains is very specific)
+ # TODO (security.acme causes recursion)
+ matchingWildcardCert = domain: let
+ # Filter all certs that are wildcard certs and which match the given domain
+ matchingCerts =
+ lib.filter
+ (x: !lib.hasInfix "." (lib.removeSuffix ".${x}" domain))
+ acme.domains;
+ in
+ assert lib.assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
+ lib.head matchingCerts;
+ in {
+ enable = true;
+
+ recommendedBrotliSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # SSL config
+ sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
+ sslDhparam = config.rekey.secrets."dhparams.pem".path;
+ commonHttpConfig = ''
+ error_log syslog:server=unix:/dev/log;
+ access_log syslog:server=unix:/dev/log;
+ ssl_ecdh_curve secp384r1;
+ '';
+
+ upstreams."kanidm" = {
+ servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
+ extraConfig = ''
+ zone kanidm 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${auth.domain} = {
+ forceSSL = true;
+ useACMEHost = matchingWildcardCert auth.domain;
+ locations."/".proxyPass = "https://kanidm";
+ # Allow using self-signed certs to satisfy kanidm's requirement
+ # for TLS connections. (This is over wireguard anyway)
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ networking.nftables.firewall.rules = lib.mkForce {
+ local-vms-to-local.allowedTCPPorts = [8300];
+ };
+
+ # systemd.services.kanidm = let
+ # cfg = config.services.kanidm;
+ # certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
+ # in {
+ # requires = [ "acme-finished-${certName}.target" ];
+ # serviceConfig.LoadCredential = let
+ # certDir = config.security.acme.certs.${certName}.directory;
+ # in [
+ # "fullchain.pem:${certDir}/fullchain.pem"
+ # "key.pem:${certDir}/key.pem"
+ # ];
+ # };
+
+ services.kanidm = {
+ enableServer = true;
+ # enablePAM = true;
+ serverSettings = {
+ inherit (auth) domain;
+ origin = "https://${config.services.kanidm.serverSettings.domain}";
+ #tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
+ #tls_key = "/run/credentials/kanidm.service/key.pem";
+ tls_chain = config.rekey.secrets."kanidm-self-signed.crt".path;
+ tls_key = config.rekey.secrets."kanidm-self-signed.key".path;
+ bindaddress = "${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300";
+ trust_x_forward_for = true;
+ };
+
+ enableClient = true;
+ clientSettings = {
+ uri = config.services.kanidm.serverSettings.origin;
+ verify_ca = true;
+ verify_hostnames = true;
+ };
+ };
+
+ environment.systemPackages = [pkgs.kanidm];
+ };
 }
diff --git a/hosts/ward/grafana.nix b/hosts/ward/grafana.nix
deleted file mode 100644
index 0967ef4..0000000
--- a/hosts/ward/grafana.nix
+++ /dev/null
@@ -1 +0,0 @@
-{}
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index ef6ce5a..01dd033 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -3,7 +3,7 @@
 lib,
 ...
 }: let
- inherit (config.lib.net) ip cidr;
+ inherit (config.lib.net) cidr;
 lanCidrv4 = "192.168.100.0/24";
 lanCidrv6 = "fd00::/64";
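Review bot: `rekey.secrets."kanidm-self-signed.key"` in the nginx VM config is installed with `owner = "nginx"`, yet nothing in this hunk makes nginx read it — the proxy talks to `https://kanidm` with `proxy_ssl_verify off` and only kanidm's `tls_key` points at the file — so the private key should belong to the kanidm user alone (owner `kanidm`, mode `400`; confirm the kanidm unit opens it as that user). The same over-sharing affects `acme-credentials`: it is group `acme` at mode `440` while `users.groups.acme.members = ["nginx"]` exists only so nginx can read the issued certificates, which as a side effect lets the nginx workers read the Cloudflare API token; `mode = "400"` with the owner set to the user the ACME renewal unit actually reads `credentialsFile` as closes that. `trust_x_forward_for = true` combined with `local-vms-to-local.allowedTCPPorts = [8300]` means any other peer on the local-vms wireguard can reach kanidm directly and supply its own X-Forwarded-For; if only the co-located nginx is meant to be a client, binding kanidm to loopback and dropping the 8300 rule removes that path, otherwise a comment should say which peers are trusted. The `# TODO reload nginx when acme is renewed` can be resolved by adding `reloadServices = ["nginx.service"];` to each `certs` entry. The `microvm.vms.nginx.config` block is complete within the hunk and the module closes on the hunk's last line.
```nix
rekey.secrets."kanidm-self-signed.key" = {
  file = ./secrets/kanidm-self-signed.key.age;
  mode = "400";
  owner = "kanidm";
  group = "kanidm";
};
# … unchanged: dhparams.pem, networking.hosts …
rekey.secrets.acme-credentials = {
  file = ./secrets/acme-credentials.age;
  mode = "400";
  owner = "acme"; # TODO(review): confirm this is the user the ACME renewal unit reads credentialsFile as
};
# … unchanged: security.acme.acceptTerms and defaults …
certs = lib.genAttrs acme.domains (domain: {
  extraDomainNames = ["*.${domain}"];
  reloadServices = ["nginx.service"];
});
# … unchanged: rest of the VM config …
```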
@@ -165,7 +165,7 @@ in { interface = "lan-self"; subnet = lanCidrv4; pools = [ - {pool = "${cidr.host 20 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";} + {pool = "${cidr.host 40 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";} ]; option-data = [ { diff --git a/hosts/ward/node_exporter.nix b/hosts/ward/node_exporter.nix deleted file mode 100644 index 0967ef4..0000000 --- a/hosts/ward/node_exporter.nix +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/hosts/ward/prometheus.nix b/hosts/ward/prometheus.nix deleted file mode 100644 index 0967ef4..0000000 --- a/hosts/ward/prometheus.nix +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/hosts/ward/samba.nix b/hosts/ward/samba.nix deleted file mode 100644 index 0967ef4..0000000 --- a/hosts/ward/samba.nix +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/hosts/ward/secrets/acme-credentials.age b/hosts/ward/secrets/acme-credentials.age new file mode 100644 index 0000000000000000000000000000000000000000..2bbf452cedc2c61379659a076d739faad5adc41d GIT binary patch literal 527 zcmV+q0`UD|XJsvAZewzJaCB*JZZ2RCDW3v8x=m*`eUnzL0OF~q!t_=A#|_>%RI|1 z_0XR%_LSLK6(-AKPsH?;GTPT2*ow~B1=g5M=uRo%$~6M3$Zr5N0@nM~o$*|bSj2W} zRKc?n%_WnDw|mmDW09r()MGIjLtF%Pi}g!ESPpxb=jB}m5Qe>bT<&A#n>{gOXKs>A R8E4uEHC)_QT3bEE9OZ1K#>oHx literal 0 HcmV?d00001 
diff --git a/hosts/ward/secrets/kanidm-self-signed.crt.age b/hosts/ward/secrets/kanidm-self-signed.crt.age new file mode 100644 index 0000000000000000000000000000000000000000..27fb4e8f00245d41dfdb3a7b07e375d3c65807b1 GIT binary patch literal 2223 zcmV;g2vGN7XJsvAZewzJaCB*JZZ2qYG&oFjVqq{)NpnMQb22nkb7u-IJ|Iy$EH@!7XL4m>b7de^A~bzUTt{Od zDJonbYf(#0d>~?SIV}owL2N~9c4<&|T0$@}V^d5^Z(2iAQD}L0SXy`rEiEk|Og z_`04+hkixYC@co!zG`ftag;jbaR<7j4dJaNw|6P9uv#NEP(px6l$*rTwDejjm=|+E zGDYRxcZRni1{2#`PU(71dTD;5tJCg{<+v{3vxp#JW*}e~b`ukQAB||z#E=F2rOdc@ zg5t}4&k*i4f>oZMR&oOUAyaBg7Q58NRXJq&A=zM}~^@o;_i zx1O3$KDlwc2hqD?)q>x3lrfruEh@l|KEBW*eNmp^>4hej(0iK3a^kIFIaSIK|Nrhwpp|ml0UQ_omAv~5iks*XYphP1qJp;K#La{(F{ZoPA98)FJ@2( z2#@as+3%)FKQFfOww*jLK)pm{GSC&uX8SVg5xyv~Ev260zMgu?sxNqGJwR~L9ts*J7vuyCFBE&_#B+&9dtC%zamhHNWn@K6#tQK<2d&>mWcx@de1Ko!~%nwFgqDb8<(%1$xx z=Rk$jct;_R+K}fKWN`xYNE7`euHz|rtonxq2zy(|WgI(=$}Z$z5h$UY_x>6uO<;c^ z=&^uEyftnG`-Z9tladhxY1^H(nsk^MY^SEqgYzSyQ@pMof$K-mI%`0HiX+Xj^}q2w zxLUCy3axn-iMsH*GcNJ9S_-DI-={fY-jJZ?zepI>D>yw3^bA%Dh31AeW_%VGU#b%GqIo%bhxs2xBc1 z2p(#MzFuc(YKbOc|FI$_Z1p86?%hQE`G0?PjyUC3$A zwYMg(R{|Pd3DFfw&M&avtEuiK0@4%btXe)2uj(##0r0^le(yMbU=!s%mI*>P=ULx6 zvBIAEMNVs3BztDWlca?h?a2EJQ5q8gfU3T(r!ulTt6b@VsF5>swfuyq^0mMke_#ZC zkF}R)CqS35baC#G!7FFxFX(QmUU}v1u>GM`eNP)d``Kc07GqU$HMZVt{UL9~?(Q9l zcL4X{9v8f@Ug%hvF{c4mF!Q9D!UjTUpZ^X376F!_ zfJ)IS@T!~J{LosI+KGc~MJ}2()wF=PG(H%&uSAdfl~vw6n!X6 zZgqo04XJfLB@1h8@X8(gRdbaJgBfe`MV;<6?!YSjEza^j?EaJbIU^%P1R#dxSF1gp zB$tqR#1!`8w&}7*J4z`76$^iDzjy_QN(?dE7i)3n7E3ixi{()Ttf=&k(V{54q8Uls z-0VoUA0oAonagJeOneZR8NEX zV$@ z`D%md!&Myaz4gGNPuuA!6>!3sB4eFAht1k!Y@a*T8B{~SS`Z-X3hemWOt=L1E2lFW)A zj#IaBM8I}hEc*%ANCwZ}x1}HtQ@Pl$qD9JpNaJx#jbzJ8c+J?H4B2TYT!r<;Igb1m xmg!-ZhT^8;B@#9Qd;5wCE@ye_wAX8U;X7+#pZJ%N_KxBhs&(kNXsY#xwTiVk7$yJ! literal 0 HcmV?d00001 
diff --git a/hosts/ward/secrets/kanidm-self-signed.key.age b/hosts/ward/secrets/kanidm-self-signed.key.age new file mode 100644 index 0000000000000000000000000000000000000000..87add02ec53f40f7764d4924d2a1b3e1c5065bd8 GIT binary patch literal 3736 zcmV;J4rlRUXJsvAZewzJaCB*JZZ2Z8p zGyGN;fn~Fb7dexZF_tsZ+T$~ zOHFf2bWu2SS!**xcr|cVRc|s-crs^pNMTlIX;yV*LpgbDHh4r~a58dnOmKYgR8y zNl#cWH(GK@MRQ?CD^_`LSx-uCD^W8uMG6WnEiE8YNkKs~D|SUtMp;x#R#Q)NSVvf8 zFhMYCHAHlDIBRHPGc+|vV>L!$WLXM@>;A~og!BD{hnu|W-ct*fJgkDO6(Ac`+Je|C z335O*3wn~G2#1dY+aDqy2hIki{evT!K~x|=-TRa;+8r+%$GQ`>O4#e}yrv%sj z0w+-cO}m3lBoBp{abV2Qwh|<}0veTSPy_?YcJ-SlY^Nfp_@HciKhBd|`c`PwV`dvI zxTaT^D2(M6$D@$BrF%=(=Mu3{xf=gS>n(?cI6_)U+8g48GIJtfX;Y1W1c7P#fS9i+ zOaTopj_OqbaF>oeAw*_7>=*be zu(@ON`>>-xO=Z@-8gk5T9lOrb9i8jbvYA-Kbf}puI$v#q= zf8ZiSJxhgu|8RQjYSiMhkp8z3pWW@vws}e(P_GT602lFVD4DR3a{2JloWauUi*+X( zh+Mr|kISbHHWa$pxY`u=la09z+}nhau`ubo)LFHaYLtPb$ZG1fHCDIfPrsDX#xt4w zQ8PWAS;4u=g6&|d95?m8xm?3-yOL@_AJeH+gd z|3&u*4H65+Buw38+TGj8^Qa=*!Vu^)ZDuP!JuW<6m=z>5{c|6=^iYcVN;B_sri8I;wE z^Wa*AbhnsyP46nYmzyzt^-{C^J}lQ)&_B;~h*A~hIg=^r@jz~J?3WQ4hFrTYG08~M z!?)yKAuZc?;kab`GknP;>Mh~WC0JvZ(C3AXpW}D!zSp!y@y%%gC+6a zV;W-Nkfin9)AqJnfxev7o$3np(TwjOl)vo4IzSRMWgJMb z6UMrk5e;!GE$St^HH?ks;w#+)^#pG#gJbO=BP&63ZGq8CDgr1$zv}R*pPG$4MUs#W zN`Hg-uvX!v!-wp&q$%0w2}p&vBm_|wZ0gu9aHrhwPvQpNu9P!T$HdJAhl{@bBsTWL zJfV*h&J403TE3SQNi%yJWZ=?`enhA7Avg)}(^76#L|c8XcA4qPKpZu941Q-gCCy37W(ZeX(q7GMjPuYuLfLd>($ zKuL)v<-5J4LlG)%(=;7}v6mS?pvY1XR{+sZhpeW<7}Y5wGEd2I5hP4SB}Ps=&u=_9 z#I3TrSU0epVZE`6s}8rSpp&Os689AWg-Sp=cD<`Qt5shiMgK>h2p%@TiDoauce!v z@Lo~is&3Xry0uWqlG_T`cmm%~l2--_A)+-4tfc=NN1e5vMXGh-T)S7VstFPm5rpcJ zYHBK4oha1jTkmETQpxZ)+l`1&;$Ih;KE@fk*X#gX;ztW-&c?1PuQAPxX} z&S<~_IC5c?c0B$THKwWYI?fQ3$5SAPq8>964_PmepP14&w`v5+!}UyIk=S8Q{0API z1vhiF!0z*jQ~h#&(&ZO&2^WZrG0VM|GZkZp`kkrB)9@f+6H0)8dc zS{ZM)nk}ehxt_ zD(JoCN0L0rhT`eF+v82W`p@|T1~6G=4HDrU*Z!>=k2vxYyXD!*@U@{!4~bO@HpKe_ zXnN02&>WF+gZXQmiw}|A!%(=Gl=Jl=X_c`jDg@A4DCroo-fg{P4BzeF*9RvzVW;R{ zb;OX3%Njl^+8K$?`myRVmz2yXdyvep+-rH@{e%XY(pfL 
zrVcHjf<<%yq659VR!p4IElF{BXPd__ED;$mXTVlwX#DMXuQ}R--M_?$#rLMF+hn}W8-c&emI13C?R@KU9OId}U9xn}n`u=f>3N(}t z3Rv^rnIK7n5xx;J)0{sb?UDOP;Ib;MS%UO&N@2>5dhm7C&sB^bdap`j=&0MO{FByd z4R5QQ=(3eNpY%@avnpw)lLNL%?5{P-Dm2Yb12x3bWh4s$N#(R!eAoGe()Le#D3sOM z_wY<&I6s3hp_Q6M1e(8l78w8t&(~Z!8@&4d8&`^oD-82tj1UJYNWzapSMxVf=ZZep zt13>^A#r5S2DCwi;*c&{Vmc~2Liutem>12;$DxW(sYVobCDLE)UPY=_?mpCqo-b>E z$6DVydF7Y23fVRf+h13}c3P7bKPJT|_JxMOB0QEAa33DHQcDlco30G1YSBXx&n}qa z4ge0lAi%PVtL&c^E465?*?PY+T25Nt%z;Csq!8T+l>JevAGNU~HRsD>oi6m!&Ty##woKuo?FMKNhhK%30tDe{&mbUj@qalScAyhcM*6rwSk|SQ*QR z6^M})ExH<36exaHKg{QJAZh;C$bC#Wr2Hq}w^`Ro@fAv&MRi{jW@2Wh^iUe;vRdzs zhSa3bWkgsqz2hCirH4w3Ni`W&U7wL&dj>H9L^$7dINPFewjYWqDBsuJ=~rFl=!Vwy)sY-6~|3cJa{YWsUhmlE+7vJzBS%dxGvg1;v8RK^Gsy8qN|J&4 ziFzzK1%-hb@sA^w+qzm{S^Pbzqaonv{+>bh&ZGK%m+!-beq9Gc8n7dy~C8}00O@skhQ1Lw~5lpEKyP6cC|O&EjI357>mvEz(fM3`o-c%eM)8Qt6~kx%WbJ~W0~To&__B)Q~0WN+!cpT z%F;zKsHzgC4L5yR7S0hlHFhJOZAfZpbxkv7cQ#jccv4AvbwX5B zLNj7_cM5TBFllc>a&vNGFj!?sHF0ooc``IFSVCwwQdc=pW=LgYb8|T_b4PViO$seO zAaH4REpRe5HXwL$Q)M_&AVG6hD_44QQEfDFWlu?SXgE1aaer+@b$3N=OHF!nT4gXx zG*NF>IWI9dSX2s0GDdAxN>6q#LPMo%J|K8KDOn;dXL4m>b7df7I#Wv^JatP7D@AEqIZ1JMW>9BnOLs6wQ+GEvD>gT8 zS4nSrNpM$jOn*a0bVNgJNODI)Z)R#RNiR)8d1pgHH!x;KNntp4F$!9BYiUs{ZfR$2 zD`ssrZ#gthc4BchQdehWHE35cZ*XEzSWq`|b8}-=cz0wkLUUAXQb=f5FbXX#Eg)xW zbxdPIaB@XWR%1nZc4{|mXIL^fNKS1wc}6%jG)78cOMh@vX>)pFXh{m#DM4yYOT70K zuDJp7Rm&U0xa5p@p^nb7;dMe)YAP+%`ZvO&OB^Qck)BBq(&eO=Ng3?Y!)$z(EO0LA1^tr2vY0UGd z9q?xCsiLTbz4$v(ETO8p5&HNDNj&yz0~v%Eu|>bS&@1n tyX-~tjwBn9N;T_yD*R_9Vve%yTg@qbxQLesPLAbHj_2ES^MyOm_#2B3Hyi)} delta 606 zcmV-k0-^nn2J-}vAb&J-T6a=&FJnbTVsuGmK~gI@F=RwyMq_MuFEVIOba^x@H9}2f zc}i_UX9`nqWNUIYF=BU1Gc{*WIaO{>D`#_2Sa~ovPEIi~Mp$GvQ(ALNXE|hYFbXX` zAaH4REpRe5HXwL$Q)M_&AVGI4XliD4Pg*!DNN83yae7T>On-4fRWmkjLSZXIIe0Q? 
zXfjt;SVnMEXiN%DN>62UF>zydX-QdXM@lbRRCabbPDpNNX=7WL9ElP%l|# zN-zp7J|H(GLpm*Ia%Ew2Wgv7>YeY|JAX!6t3QJ;1Fg0~UVJ}%Tb7f9Ob1zFTSz0l5 zWH4toH#lQwa({YNXhmvSSu0IsD_J&fP)%$wT6bkiOhRN=HcfFkLpTaFQ(<&dRWWvA zV?}OdaWPE_EiEk|OnFOAYBp#qad2dU2|`IW)u%pu9~kbivE>Mdp;{VN)(H-cHR7)&q# z*aIGi<0G@(Br4Z+nKzymi1HKQfH}CeU+^yI^Qqk#g>Q5R;`iHRju=RPk2V43jKY!l z0!3?JaGNJhbvue>UAxw6`OTN|MAiZmA*oqF{8EoyMwcqSoPaEQr}0L1?ScN65eS!K zY^zg8M_2BjR?x`7j#lnDmaK?`6d1|x{oI(1eQj5yJ!+y;6|^5iY_0P|&IOI~KoOv< sYX^B`x$*Hm83|=!SqmMxv<#!$ug;%$eM3AQjZ<&$N&HU diff --git a/hosts/ward/vaultwarden.nix b/hosts/ward/vaultwarden.nix index db04250..1ef30ae 100644 --- a/hosts/ward/vaultwarden.nix +++ b/hosts/ward/vaultwarden.nix @@ -42,14 +42,14 @@ services.nginx = { upstreams."vaultwarden" = { - servers = {"localhost:8012" = {};}; + servers."localhost:8012" = {}; extraConfig = '' zone vaultwarden 64k; keepalive 2; ''; }; upstreams."vaultwarden-websocket" = { - servers = {"localhost:3012" = {};}; + servers."localhost:3012" = {}; extraConfig = '' zone vaultwarden-websocket 64k; keepalive 2; diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index 19e32d3..ee16b8b 100644 --- a/hosts/zackbiene/esphome.nix +++ b/hosts/zackbiene/esphome.nix @@ -17,7 +17,7 @@ services.nginx = { upstreams."esphome" = { - servers = {"unix:/run/esphome/esphome.sock" = {};}; + servers."unix:/run/esphome/esphome.sock" = {}; extraConfig = '' zone esphome 64k; keepalive 2; diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 7d469a7..4dbd9ae 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -108,7 +108,7 @@ in { services.nginx = { upstreams."homeassistant" = { - servers = {"localhost:${toString haPort}" = {};}; + servers."localhost:${toString haPort}" = {}; extraConfig = '' zone homeassistant 64k; keepalive 2; diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index 0d326f7..7faa067 100644 --- a/hosts/zackbiene/net.nix 
+++ b/hosts/zackbiene/net.nix
@@ -5,8 +5,8 @@
 }: let
 inherit (config.lib.net) cidr;
- net.iot.ipv4cidr = "10.90.0.1/24";
- net.iot.ipv6cidr = "fd90::1/64";
+ iotCidrv4 = "10.90.0.0/24";
+ iotCidrv6 = "fd90::/64";
 in {
 networking.hostId = config.repo.secrets.local.networking.hostId;
@@ -23,7 +23,10 @@ in {
 linkConfig.RequiredForOnline = "routable";
 };
 "10-wlan1" = {
- address = [net.iot.ipv4cidr net.iot.ipv6cidr];
+ address = [
+ (cidr.hostCidr 1 iotCidrv4)
+ (cidr.hostCidr 1 iotCidrv6)
+ ];
 matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
 linkConfig.RequiredForOnline = "no";
 };
diff --git a/hosts/zackbiene/nginx.nix b/hosts/zackbiene/nginx.nix
index 9fba23e..dd0dcb7 100644
--- a/hosts/zackbiene/nginx.nix
+++ b/hosts/zackbiene/nginx.nix
@@ -34,6 +34,8 @@
 sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
 sslDhparam = config.rekey.secrets."dhparams.pem".path;
 commonHttpConfig = ''
+ error_log syslog:server=unix:/dev/log;
+ access_log syslog:server=unix:/dev/log;
 ssl_ecdh_curve secp384r1;
 '';
 };
diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix
index 2a8390f..7f72959 100644
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@@ -32,7 +32,7 @@
 services.nginx = {
 upstreams."zigbee2mqtt" = {
- servers = {"localhost:8072" = {};};
+ servers."localhost:8072" = {};
 extraConfig = ''
 zone zigbee2mqtt 64k;
 keepalive 2;
diff --git a/modules/microvms.nix b/modules/microvms.nix
index 462e33f..8e99c97 100644
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@@ -32,6 +32,7 @@
 types
 ;
+ parentConfig = config;
 cfg = config.extra.microvms;
 inherit (config.extra.microvms) vms;
 inherit (config.lib) net;
@@ -103,7 +104,7 @@
 // node.specialArgs;
 inherit (node) pkgs;
 inherit (vmCfg) autostart;
- config = {
+ config = {config, ...}: {
 imports = [microvm.microvm] ++ cfg.commonImports ++ node.imports;
 microvm = {
@@ -156,7 +157,7 @@ extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac; systemd.network.networks = let - wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName; + wgConfig = parentConfig.extra.wireguard."${nodeName}-local-vms".unitConfName; in { # Remove requirement for the wireguard interface to come online, # to allow microvms to be deployed more easily (otherwise they @@ -204,13 +205,19 @@ networking.nftables.firewall = { zones = mkForce { "${vmCfg.networking.mainLinkName}".interfaces = [vmCfg.networking.mainLinkName]; - local-vms.interfaces = ["local-vms"]; + local-vms.interfaces = [config.extra.wireguard."${nodeName}-local-vms".linkName]; }; rules = mkForce { "${vmCfg.networking.mainLinkName}-to-local" = { from = [vmCfg.networking.mainLinkName]; to = ["local"]; + + inherit + (config.networking.firewall) + allowedTCPPorts + allowedUDPPorts + ; }; local-vms-to-local = { diff --git a/secrets/wireguard/ward-local-vms/keys/ward-nginx.age b/secrets/wireguard/ward-local-vms/keys/ward-nginx.age new file mode 100644 index 0000000..cd1d621 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-nginx.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 +S2DEXP2FxIlF3HeWNul/QHE4fuVwv7ausZO8C1Yvko +USoULC2zp6mkLEGQFc4ELAotOQkq85yjfC3ImZQe6g0 +-> piv-p256 xqSe8Q AuVsMp2nyVB5I6ae7X4rnTT6gH/AyOwkVH5C8qRzenCu +QLdaqASucS24wx5LuoFVD+LBdgsd+wGITMhJBOCrqpY +-> z&m(b4Nw-grease ,&}.>' UWDXz +adqzHHC2X08jrZz0h0y+MuJHM6/kuSUNad8+19cY88IRTF2ujQnoDVDS +--- 8dc8Ta84I8RY7YGIcEuZStaEncGXv1uwJw2ncy3QgtU +r}jEA]W4g3A"Ȥʚ +ru3_E /ztKߔ݈I/} * \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/keys/ward-nginx.pub b/secrets/wireguard/ward-local-vms/keys/ward-nginx.pub new file mode 100644 index 0000000..478d9b8 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-nginx.pub @@ -0,0 +1 @@ +Zs0W99JiuCv1F3NMTp/PcMBrt1bzWttJWNEh00Freyw= 
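Review bot: The new `inherit (config.networking.firewall) allowedTCPPorts allowedUDPPorts;` in the `${vmCfg.networking.mainLinkName}-to-local` rule maps only those two guest options onto the main link and silently drops the rest of the guest's firewall declarations — `networking.firewall.allowedTCPPortRanges`/`allowedUDPPortRanges` and per-interface `networking.firewall.interfaces.<name>.*` settings — so a guest that sets them would believe those ports are reachable while the nftables rule never opens them. If the rule type accepts port ranges, inherit them as well; if not, an assertion that those options are empty turns the silent drop into a build error. A comment above the `inherit`, e.g. `# Only the guest's global allowedTCPPorts/allowedUDPPorts are exposed on the main link; ranges and per-interface settings are not`, would make the contract visible to VM authors. The `rules = mkForce {` block continues past the end of the hunk.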
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-nginx.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-nginx.age new file mode 100644 index 0000000000000000000000000000000000000000..27d85ff242c376858656c36bd832da881674c239 GIT binary patch literal 414 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{WcJa4hjMH7W@y$~R7_NXp7g z$@Xv#NlVrb3=J?(aSX0BEiOuS4k$6MNaxBoDRYcUjdaluaI5gkET|04Hx0=*tTagr z&JPK5&+sVq2@fdGs>*Rp%Lmy|kXfc%U}S2hP*E71Y7wa5SQS-}m*QjU>S7U5S(feX z@8*}EUgqmmV(es@lIK=r9`0sPmf{`h9px7qkX4aa z>>F5SoZ%DTm=u(mW9aDPm+23-%Sp{3S6?^1C^fM-RUuj-u29Ffur5|jp|UVdoy#XT z)x4}M%iY8!BG@R%H_0fxGA+j=KcK+V(}hb{S63k|GtH$kqO#P`H!~^SEl@io!Ykd- z)h#_cBQPh>)5tQYQr{=vEu`2mIgsmX{DG#^@(VUgw3(a@ X25519 95jd7mMbmilIpQbvDmu48FfMFZZbkioExF8KTw3fNXI +CxWXmbD6kArjmJ2Y4lYVcwaQghWyJzS6DsQ4djspUf4 +-> piv-p256 xqSe8Q A13AOGXe31ASOihylki3jl8xCxp2bh2lYnzQC44Rbe10 ++R8gYDIFyANNPLvdQcq8+67dy+tFcVqS/7rYAbN7pz8 +-> 6q.AXp(-grease +GJOOcphfNDKW +--- E/iTzPRKqfS52YBWVcbVAak5koIxmdanzTXRt/5MZnM +۸6Wn?W}7Jp[Bo|T:T]YkBo޽6zqV?+ ^M*/  \ No newline at end of file