From 4e8103af472b06542e8da31958759b3e184e330c Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 28 May 2023 01:05:23 +0200
Subject: [PATCH] wip: prepare for autogenerated wireguard ips; prepare for sentinel server
---
 hosts/ward/default.nix | 63 +++----------------------
 hosts/ward/secrets/local.nix.age | Bin 783 -> 661 bytes
 modules/wireguard.nix | 24 +++++++++---
 nix/lib.nix | 6 ++-
 4 files changed, 30 insertions(+), 63 deletions(-)
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 2320b54..4bad082 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -1,20 +1,12 @@
 {
 config,
+ nodes,
 nixos-hardware,
 pkgs,
 ...
 }: let
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- # TODO byebyebye
- inherit (config.repo.secrets.local) acme;
- auth.domain = config.repo.secrets.local.auth.domain;
+ inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
+ authDomain = "auth.${personalDomain}";
 in {
 imports = [
 nixos-hardware.common-cpu-intel
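Review bot: `inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;` makes ward's evaluation depend on a `sentinel` node that the subject line says is still being prepared; if that node is not defined in the deployment yet, `nodes.sentinel` fails with a missing-attribute error on this line before any of ward's own configuration is checked. Until sentinel exists, keeping the domain in ward's own `config.repo.secrets.local` (or in a shared non-secret file, since a DNS name is not a secret) avoids coupling the two hosts' evaluation. Dropping the `acme` and `auth` bindings also breaks any remaining reference to them further down the file, which cannot be seen from this hunk.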
@@ -79,51 +71,8 @@ in {
 }: {
 rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
- rekey.secrets."dhparams.pem" = {
- # TODO make own?
- file = ../zackbiene/secrets/dhparams.pem.age;
- mode = "440";
- group = "nginx";
- };
-
- rekey.secrets.acme-credentials = {
- file = ./secrets/acme-credentials.age;
- mode = "440";
- group = "acme";
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- inherit (acme) email;
- credentialsFile = config.rekey.secrets.acme-credentials.path;
- dnsProvider = "cloudflare";
- dnsPropagationCheck = true;
- reloadServices = ["nginx"];
- };
- };
- extra.acme.wildcardDomains = acme.domains;
- users.groups.acme.members = ["nginx"];
- services.nginx.enable = true;
-
- services.nginx = {
- upstreams."kanidm" = {
- servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
- extraConfig = ''
- zone kanidm 64k;
- keepalive 2;
- '';
- };
- virtualHosts.${auth.domain} = {
- forceSSL = true;
- useACMEHost = config.lib.extra.matchingWildcardCert auth.domain;
- locations."/".proxyPass = "https://kanidm";
- # Allow using self-signed certs to satisfy kanidm's requirement
- # for TLS connections. (This is over wireguard anyway)
- extraConfig = ''
- proxy_ssl_verify off;
- '';
- };
+ extra.wireguard.proxy-sentinel = {
+ client.via = "sentinel";
 };
 networking.nftables.firewall = {
@@ -155,7 +104,7 @@ in {
 enableServer = true;
 # enablePAM = true;
 serverSettings = {
- inherit (auth) domain;
+ domain = authDomain;
 origin = "https://${config.services.kanidm.serverSettings.domain}";
 #tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
 #tls_key = "/run/credentials/kanidm.service/key.pem";
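Review bot: Removing the nginx virtual host and ACME certificate for the auth domain leaves nothing on this host terminating TLS for `https://${authDomain}`, while the third hunk keeps kanidm's `origin` pointed at exactly that URL; unless sentinel serves `auth.<personalDomain>` and forwards it back over the new `proxy-sentinel` wireguard link, the origin kanidm advertises to clients is unreachable and origin-bound flows (OAuth2 redirects, WebAuthn) will fail. The removed upstream reached kanidm with `proxy_ssl_verify off`; when the proxy moves to sentinel, the kanidm listener (`tls_chain`/`tls_key`, still commented out in the third hunk) needs a certificate the proxy can verify, otherwise the sentinel side will have to repeat that verification bypass. The `networking.nftables.firewall` block opened at the end of this hunk continues outside it; if it still admits 80/443 for the removed nginx, those rules are now dead and should go.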
diff --git a/hosts/ward/secrets/local.nix.age b/hosts/ward/secrets/local.nix.age index 18a02bf746f91fd681caff6bcc1258a0afd31ab3..0a172af65e68ecf43dcc847be8adff7880f400c9 100644 GIT binary patch delta 640 zcmV-`0)PFF29*VnAb)F2XIE-OOEy$XRBK{YVpw%YG;2(2Z(&eILv1%jXG(2nbTL9X za79yYK?*o8LRC|8b7E#nSVmTFOk`LuOGjm6FH&$ea&k3nbaXQ>RaHYUQF<~_a|$g! zAaH4REpRe5HXwL$Q)M_&AVD)SG)Z+>Vs3FoYIIt5bT}|hR)23XFlSRSadm1$O-5^O zMK&-mK}vWlL30XMW_eddP;G8VV|PzfVlYcIWK=>pc1SN{GcrXlT6i@$N-r=(XGkw$ zLU#%+J|J>zEoX9NVRL05KY4T@DoaUwGa!3WQ&T@6VOBqUK|Mixav1J7tZx5LaqmaC;sW4k( zkZ;)WC?P8>yiAb0!!s*fiX#vqew#j$Jincnq%_bY3hJOZAfZpbxkv7cQ#jccv4AvbwX5B zLNj7_cM5TBFllc>a&vNGFj!?sHF0ooc``IFSVCwwQdc=pW=LgYb8|T_b4PViO$seO zAaH4REpRe5HXwL$Q)M_&AVG6hD_44QQEfDFWlu?SXgE1aaer+@b$3N=OHF!nT4gXx zG*NF>IWI9dSX2s0GDdAxN>6q#LPMo%J|K8KDOn;dXL4m>b7df7I#Wv^JatP7D@AEqIZ1JMW>9BnOLs6wQ+GEvD>gT8 zS4nSrNpM$jOn*a0bVNgJNODI)Z)R#RNiR)8d1pgHH!x;KNntp4F$!9BYiUs{ZfR$2 zD`ssrZ#gthc4BchQdehWHE35cZ*XEzSWq`|b8}-=cz0wkLUUAXQb=f5FbXX#Eg)xW zbxdPIaB@XWR%1nZc4{|mXIL^fNKS1wc}6%jG)78cOMh@vX>)pFXh{m#DM4yYOT70K zuDJp7Rm&U0xa5p@p^nb7;dMe)YAP+%`ZvO&OB^Qck)BBq(&eO=Ng3?Y!)$z(EO0LA1^tr2vY0UGd z9q?xCsiLTbz4$v(ETO8p5&HNDNj&yz0~v%Eu|>bS&@1n tyX-~tjwBn9N;T_yD*R_9Vve%yTg@qbxQLesPLAbHj_2ES^MyOm_#1W4HopJ> diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 8b78587..cdb335d 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix 
@@ -288,9 +288,9 @@ in {
 default = [];
 example = ["10.0.0.1/24" "fd00:cafe::/64"];
 description = mdDoc ''
- Allows defining extra cidr network ranges that shall be reserved for this machine
- and its children (i.e. external peers or via clients). Reservation means that those
- address spaces will be guaranteed to be included in the spanned network.
+ Allows defining extra cidr network ranges that shall be reserved for this network.
+ Reservation means that those address spaces will be guaranteed to be included in
+ the spanned network, but no rules will be enforced as to who in the network may use them.
 By default, this module will try to allocate the smallest address space that includes all network peers. If you know that there might be additional external peers added later,
@@ -341,12 +341,26 @@ in {
 ipv4 = mkOption {
 type = net.types.ipv4;
- description = mdDoc "The ipv4 address for this machine.";
+ default = spannedReservedNetwork.cidrv4;
+ description = mdDoc ''
+ The ipv4 address for this machine. If you do not set this explicitly,
+ a semi-stable ipv4 address will be derived automatically based on the
+ hostname of this machine. At least one participating server must reserve
+ a big-enough space of addresses by setting `reservedAddresses`.
+ See `net.cidr.assignIps` for more information on the algorithm.
+ '';
 };
 ipv6 = mkOption {
 type = net.types.ipv6;
- description = mdDoc "The ipv6 address for this machine.";
+ default = ;
+ description = mdDoc ''
+ The ipv6 address for this machine. If you do not set this explicitly,
+ a semi-stable ipv6 address will be derived automatically based on the
+ hostname of this machine. At least one participating server must reserve
+ a big-enough space of addresses by setting `reservedAddresses`.
+ See `net.cidr.assignIps` for more information on the algorithm.
+ '';
 };
 addresses = mkOption {
diff --git a/nix/lib.nix b/nix/lib.nix
index a551782..f9093b7 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
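Review bot: `default = ;` on the ipv6 option is not a valid Nix expression, so the whole module fails to parse as soon as it is imported; as a WIP placeholder it should either be a real expression or be omitted, which keeps the option required as before. The ipv4 default `spannedReservedNetwork.cidrv4` also contradicts its own description: the text promises a per-host address derived from the hostname via `net.cidr.assignIps`, but the expression yields the merged reserved network itself, so every host would default to the same cidr and `net.types.ipv4` may well reject it. `spannedReservedNetwork` is introduced in nix/lib.nix by this patch inside what looks like a per-network `let`; whether that binding is actually in scope at this option declaration cannot be seen here and should be confirmed. Once automatic assignment is wired in, an assertion that no two peers derive the same address belongs next to these defaults, since overlapping addresses between two peers of one wireguard network are a configuration error that is hard to diagnose after the fact.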
@@ -31,7 +31,6 @@
 stringToCharacters
 substring
 unique
- warnIf
 ;
 in rec {
 # Counts how often each element occurrs in xs
@@ -245,6 +244,11 @@ in rec {
 concatMap (n: (wgCfgOf n).addresses) associatedNodes
 ++ flatten (concatMap (n: attrValues (wgCfgOf n).server.externalPeers) associatedNodes);
+ # The cidrv4 and cidrv6 of the network spanned by all reserved addresses only.
+ # Used to determine automatically assigned addresses first.
+ spannedReservedNetwork =
+ net.cidr.merge (concatMap (n: (wgCfgOf n).server.reservedAddresses) associatedServerNodes);
+ # The cidrv4 and cidrv6 of the network spanned by all participating peer addresses.
 # This also takes into account any reserved address ranges that should be part of the network.
 networkAddresses =
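Review bot: `spannedReservedNetwork` passes whatever the servers reserve straight to `net.cidr.merge`, so when no server sets `reservedAddresses` the `concatMap` yields `[]` and the outcome depends on how `merge` treats an empty list, which is not visible here; since the new option descriptions in modules/wireguard.nix require at least one server to reserve a large-enough space, guarding the list with an explicit message would turn an opaque evaluation error into an actionable one, e.g. `reserved = concatMap (n: (wgCfgOf n).server.reservedAddresses) associatedServerNodes;` followed by `spannedReservedNetwork = if reserved == [] then throw "wireguard: no server reserves addresses for automatic assignment" else net.cidr.merge reserved;`. `associatedServerNodes` is not defined in this hunk, presumably alongside `associatedNodes` further up the file. The comment `# Used to determine automatically assigned addresses first.` reads ambiguously; `# Automatically assigned addresses are taken from this range.` says what the code means. The `warnIf` removal in the first hunk is only safe if nothing else in lib.nix still uses it, which this diff does not show.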