diff --git a/flake.lock b/flake.lock
index 7210b7a..e40a783 100644
--- a/flake.lock
+++ b/flake.lock
@@ -47,12 +47,13 @@
 ]
 },
 "locked": {
- "lastModified": 1687304097,
- "narHash": "sha256-VId0oZxpYm4HSHwbsuGKI84zFkL6Gp4wuoJbbl52oZg=",
- "owner": "oddlama",
- "repo": "agenix-rekey",
- "rev": "b1811920562ba287b680f35644ce3ed78d029cdf",
- "type": "github"
+ "lastModified": 1690798647,
+ "narHash": "sha256-7871l3pVqSIozmY/31G2aJRVmbN3kHbxj+GP2LS9N6k=",
+ "ref": "refs/heads/main",
+ "rev": "af31e2c282ab26d2c7bb3524f6508df1cb88ff10",
+ "revCount": 72,
+ "type": "git",
+ "url": "file:///root/projects/agenix-rekey"
 },
 "original": {
 "owner": "oddlama",
@@ -159,11 +160,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690278259,
- "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=",
+ "lastModified": 1690739034,
+ "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170",
+ "rev": "4015740375676402a2ee6adebc3c30ea625b9a94",
 "type": "github"
 },
 "original": {
@@ -364,11 +365,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690269402,
- "narHash": "sha256-SybA24IOGigiHfcTB5eBge4UZQI6a0z8Ah+EzD17tdk=",
+ "lastModified": 1690790567,
+ "narHash": "sha256-fymHCZFy+qjrNh+EZDHYEEtbZw1TvjtxtCBPBSWU7CM=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "0306d5ed7e9d1662b55ec0d08afc73d4cb5eadca",
+ "rev": "729ab77f9e998e0989fa30140ecc91e738bc0cb1",
 "type": "github"
 },
 "original": {
@@ -379,11 +380,11 @@
 },
 "impermanence": {
 "locked": {
- "lastModified": 1684264534,
- "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
+ "lastModified": 1690797372,
+ "narHash": "sha256-GImz19e33SeVcIvBB7NnhbJSbTpFFmNtWLh7Z85Y188=",
 "owner": "nix-community",
 "repo": "impermanence",
- "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
+ "rev": "e3a7acd113903269a1b5c8b527e84ce7ee859851",
 "type": "github"
 },
 "original": {
@@ -414,10 +415,12 @@
 ]
 },
 "locked": {
- "lastModified": 1689768420,
- "narHash": "sha256-j6i9S2UNoBIpkUvGmI3GZr+rX4YiwACZsMypwKJJ9Tw=",
- "type": "git",
- "url": "file:///root/projects/microvm.nix"
+ "lastModified": 1690673766,
+ "narHash": "sha256-CXid4DnH57//153gEdI+E9Fljoy7LMpf3xhBI1C40bI=",
+ "owner": "astro",
+ "repo": "microvm.nix",
+ "rev": "3183d2a0c00e25772ed3926a24908e3445c69bbc",
+ "type": "github"
 },
 "original": {
 "owner": "astro",
@@ -463,11 +466,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1690200740,
- "narHash": "sha256-aRkEXGmCbAGcvDcdh/HB3YN+EvoPoxmJMOaqRZmf6vM=",
+ "lastModified": 1690704397,
+ "narHash": "sha256-sgIWjcz0e+x87xlKg324VtHgH55J5rIuFF0ZWRDvQoE=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "ba9650b14e83b365fb9e731f7d7c803f22d2aecf",
+ "rev": "96e5a0a0e8568c998135ea05575a9ed2c87f5492",
 "type": "github"
 },
 "original": {
@@ -499,11 +502,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1690179384,
- "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=",
+ "lastModified": 1690640159,
+ "narHash": "sha256-5DZUYnkeMOsVb/eqPYb9zns5YsnQXRJRC8Xx/nPMcno=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a",
+ "rev": "e6ab46982debeab9831236869539a507f670a129",
 "type": "github"
 },
 "original": {
@@ -586,11 +589,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1689668210,
- "narHash": "sha256-XAATwDkaUxH958yXLs1lcEOmU6pSEIkatY3qjqk8X0E=",
+ "lastModified": 1690743255,
+ "narHash": "sha256-dsJzQsyJGWCym1+LMyj2rbYmvjYmzeOrk7ypPrSFOPo=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
- "rev": "eb433bff05b285258be76513add6f6c57b441775",
+ "rev": "fcbf4705d98398d084e6cb1c826a0b90a91d22d7",
 "type": "github"
 },
 "original": {
diff --git a/hosts/ward/microvms/grafana.nix b/hosts/ward/microvms/grafana.nix
index 2ab4604..2e1c606 100644
--- a/hosts/ward/microvms/grafana.nix
+++ b/hosts/ward/microvms/grafana.nix
@@ -17,8 +17,7 @@ in {
 };
 age.secrets.grafana-loki-basic-auth-password = {
- rekeyFile = config.node.secretsDir + "/grafana-loki-basic-auth-password.age";
- generator = "alnum";
+ generator.script = "alnum";
 mode = "440";
 group = "grafana";
 };
diff --git a/hosts/ward/microvms/kanidm.nix b/hosts/ward/microvms/kanidm.nix
index c6bd38f..08416e7 100644
--- a/hosts/ward/microvms/kanidm.nix
+++ b/hosts/ward/microvms/kanidm.nix
@@ -73,7 +73,9 @@ in {
 };
 systemd.services.kanidm = {
+ # TODO this doesn't suffice, percieved 1 in 50 this fails because kanidm starts too soon,
+ # a requiredforonline might be necessary
 after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
- serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+ serviceConfig.RestartSec = "60"; # Retry every minute
 };
 }
diff --git a/hosts/ward/microvms/loki.nix b/hosts/ward/microvms/loki.nix
index 0817baa..8ab86ab 100644
--- a/hosts/ward/microvms/loki.nix
+++ b/hosts/ward/microvms/loki.nix
@@ -14,10 +14,7 @@ in {
 networking.providedDomains.loki = lokiDomain;
 age.secrets.loki-basic-auth-hashes = {
- rekeyFile = config.node.secretsDir + "/loki-basic-auth-hashes.age";
- # Copy only the script so the dependencies can be added by the nodes
- # that define passwords (using distributed-config).
- generator.script = config.age.generators.basic-auth.script;
+ generator.script = "basic-auth";
 mode = "440";
 group = "nginx";
 };
diff --git a/hosts/ward/secrets/grafana/grafana-influxdb-basic-auth-password.age b/hosts/ward/secrets/grafana/grafana-influxdb-basic-auth-password.age
deleted file mode 100644
index 68310c6..0000000
--- a/hosts/ward/secrets/grafana/grafana-influxdb-basic-auth-password.age
+++ /dev/null
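Review bot: The added TODO describes a race that the change itself does not close: `after` on the proxy-sentinel `.device` unit only orders kanidm behind the device appearing, it does not wait for the link to be configured or pull the unit in, so the "1 in 50" early start it mentions will persist and the lowered `RestartSec` merely shortens the retry loop (and only has effect if `Restart=` is set somewhere outside this hunk, which I cannot see). If kanidm genuinely needs that link to be up, the systemd-sanctioned shape is `wants = ["network-online.target"]; after = ["network-online.target" "sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];` together with marking the link required-for-online in its networkd config, which is presumably what the TODO's "requiredforonline" refers to. The comment also misspells "perceived". The enclosing `in {` attribute set starts outside the hunk.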
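Review bot: The two removed comment lines were the only explanation of why this secret references the generator instead of defining it inline (its `dependencies` are contributed by the nodes that define passwords, via distributed-config); with `generator.script = "basic-auth"` that rationale is gone, so I would keep it as `# Named generator: its dependencies are added by the nodes that define passwords (distributed-config).`. Separately, the rename hunks below move this secret's ciphertext to `secrets/generated/sentinel/loki-basic-auth-hashes.age`, while this host's other generated secret lands under `secrets/generated/ward-loki/`; if this `age.secrets` entry is evaluated for the ward-loki node rather than for sentinel, a per-node `generatedSecretsDir` lookup would not find it, so that placement is worth confirming. The enclosing `in {` attribute set starts outside the hunk.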
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> X25519 JkYU2Cl00JF/GhXzdpiUgflrbrccHJs21Fzu3Qaw5gE
-fC1m7yieLy3DxiUyz7twBLpS7f81Jq59jWMYf1DgFBE
--> piv-p256 xqSe8Q AgV+3PVzCEKzk8BFNpxH3aQ+aEtUj8J/h+nvNStufABq
-8kNzjmSyg2KsHtQT9ZEPHoL7zz8S/KM/u8yAu/vp8vs
--> {-grease tf)|=
-cDF+oRa+QUDN9YzV7BnKiI94C7JkDw
---- B8X7W4qjJYPC4W7+hHgTLA34seGqgfJ24lrWA3q/Cgs
-!hd`0Rd0k- /Nmxy?7'rJ=>  _\MMxD)
\ No newline at end of file
diff --git a/modules/config/secrets.nix b/modules/config/secrets.nix
index 276604e..d255474 100644
--- a/modules/config/secrets.nix
+++ b/modules/config/secrets.nix
@@ -25,10 +25,10 @@
 # current system due to yubikey availability.
 forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
 hostPubkey = config.node.secretsDir + "/host.pub";
+ generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}";
 };
- age.generators.dhparams.script = {pkgs, ...}: "${pkgs.openssl}/bin/openssl dhparam 4096";
- age.generators.basic-auth.script = {
+ age.generators.basic-auth = {
 pkgs,
 lib,
 decrypt,
diff --git a/modules/meta/nginx.nix b/modules/meta/nginx.nix
index 9cba64d..56f9b38 100644
--- a/modules/meta/nginx.nix
+++ b/modules/meta/nginx.nix
@@ -36,8 +36,7 @@ in {
 config = mkIf config.services.nginx.enable {
 age.secrets."dhparams.pem" = {
- rekeyFile = config.node.secretsDir + "/dhparams.pem.age";
- generator = "dhparams";
+ generator.script = "dhparams";
 mode = "440";
 group = "nginx";
 };
diff --git a/modules/meta/promtail.nix b/modules/meta/promtail.nix
index a28e914..fee1072 100644
--- a/modules/meta/promtail.nix
+++ b/modules/meta/promtail.nix
@@ -25,8 +25,7 @@ in {
 config = mkIf cfg.enable {
 age.secrets.promtail-loki-basic-auth-password = {
- rekeyFile = config.node.secretsDir + "/promtail-loki-basic-auth-password.age";
- generator = "alnum";
+ generator.script = "alnum";
 mode = "440";
 group = "promtail";
 };
diff --git a/modules/meta/telegraf.nix b/modules/meta/telegraf.nix
index 1729f52..76a4f70 100644
--- a/modules/meta/telegraf.nix
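Review bot: This hunk deletes the only definition of `age.generators.dhparams` that appears in the change, yet nginx.nix in the same commit still selects it with `generator.script = "dhparams"`, and initrd-ssh.nix now selects `"ssh-ed25519"` with no definition anywhere in the diff; if these, like `"alnum"`, are now provided by the bumped agenix-rekey input, nothing here says so. A one-line comment next to the remaining local definition would spare the next reader the search: `# "alnum", "dhparams" and "ssh-ed25519" are agenix-rekey's built-in generators; only basic-auth is defined here because it needs distributed dependencies.` The renames below confirm that the new `generatedSecretsDir` layout is `secrets/generated/<node.name>/<secret>.age`, which is what every `age.secrets.*` entry that dropped its `rekeyFile` (grafana.nix, nginx.nix, promtail.nix, loki.nix, initrd-ssh.nix) now implicitly relies on. Both the `age.rekey` attribute set and the `basic-auth` generator body continue outside the hunk.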
+++ b/modules/meta/telegraf.nix
@@ -16,7 +16,6 @@
 ;
 cfg = config.meta.telegraf;
- nodeName = config.node.name;
 in {
 options.meta.telegraf = {
 enable = mkEnableOption (mdDoc "telegraf to push metrics to influx.");
@@ -92,7 +91,7 @@ in {
 flush_interval = "20s";
 flush_jitter = "5s";
 precision = "1ms";
- hostname = nodeName;
+ hostname = config.node.name;
 omit_hostname = false;
 };
 outputs = {
diff --git a/modules/optional/initrd-ssh.nix b/modules/optional/initrd-ssh.nix
index 0c7a229..f9ca967 100644
--- a/modules/optional/initrd-ssh.nix
+++ b/modules/optional/initrd-ssh.nix
@@ -3,17 +3,7 @@
 pkgs,
 ...
 }: {
- age.secrets.initrd_host_ed25519_key = {
- rekeyFile = config.node.secretsDir + "/initrd_host_ed25519_key.age";
- # Generate only an ssh-ed25519 private key
- generator.script = {
- pkgs,
- lib,
- ...
- }: ''
- (exec 3>&1; ${pkgs.openssh}/bin/ssh-keygen -q -t ed25519 -N "" -f /proc/self/fd/3 <</dev/null 2>&1)
- '';
- };
+ age.secrets.initrd_host_ed25519_key.generator.script = "ssh-ed25519";
 boot.initrd.network.enable = true;
 boot.initrd.network.ssh = {
diff --git a/hosts/nom/secrets/initrd_host_ed25519_key.age b/secrets/generated/nom/initrd_host_ed25519_key.age
similarity index 100%
rename from hosts/nom/secrets/initrd_host_ed25519_key.age
rename to secrets/generated/nom/initrd_host_ed25519_key.age
diff --git a/hosts/sentinel/secrets/dhparams.pem.age b/secrets/generated/sentinel/dhparams.pem.age
similarity index 100%
rename from hosts/sentinel/secrets/dhparams.pem.age
rename to secrets/generated/sentinel/dhparams.pem.age
diff --git a/hosts/sentinel/secrets/initrd_host_ed25519_key.age b/secrets/generated/sentinel/initrd_host_ed25519_key.age
similarity index 100%
rename from hosts/sentinel/secrets/initrd_host_ed25519_key.age
rename to secrets/generated/sentinel/initrd_host_ed25519_key.age
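Review bot: The one-liner drops the comment that documented the key's contract (an ed25519 private key only, with no passphrase, which the removed `ssh-keygen -q -t ed25519 -N ""` script guaranteed), and the `"ssh-ed25519"` generator it now names is not defined anywhere in this diff, so the next reader cannot verify that the replacement keeps the same properties. I would keep the contract visible: `# Host key for the initrd sshd; the named generator must emit an unencrypted ed25519 private key, as the former inline ssh-keygen script did.` The rename hunks below show the ciphertexts now live at `secrets/generated/<node>/initrd_host_ed25519_key.age`, so this line also depends silently on `generatedSecretsDir` being set in secrets.nix. `boot.initrd.network.ssh = {` continues outside the hunk.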
diff --git a/hosts/ward/secrets/loki/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age
similarity index 100%
rename from hosts/ward/secrets/loki/loki-basic-auth-hashes.age
rename to secrets/generated/sentinel/loki-basic-auth-hashes.age
diff --git a/hosts/sentinel/secrets/promtail-loki-basic-auth-password.age b/secrets/generated/sentinel/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/sentinel/secrets/promtail-loki-basic-auth-password.age
rename to secrets/generated/sentinel/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/adguardhome/promtail-loki-basic-auth-password.age b/secrets/generated/ward-adguardhome/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/adguardhome/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward-adguardhome/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/grafana/grafana-loki-basic-auth-password.age b/secrets/generated/ward-grafana/grafana-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/grafana/grafana-loki-basic-auth-password.age
rename to secrets/generated/ward-grafana/grafana-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/grafana/promtail-loki-basic-auth-password.age b/secrets/generated/ward-grafana/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/grafana/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward-grafana/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/influxdb/promtail-loki-basic-auth-password.age b/secrets/generated/ward-influxdb/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/influxdb/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward-influxdb/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/kanidm/promtail-loki-basic-auth-password.age b/secrets/generated/ward-kanidm/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/kanidm/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward-kanidm/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/loki/promtail-loki-basic-auth-password.age b/secrets/generated/ward-loki/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/loki/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward-loki/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/vaultwarden/promtail-loki-basic-auth-password.age b/secrets/generated/ward-vaultwarden/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/vaultwarden/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward-vaultwarden/promtail-loki-basic-auth-password.age
diff --git a/hosts/ward/secrets/initrd_host_ed25519_key.age b/secrets/generated/ward/initrd_host_ed25519_key.age
similarity index 100%
rename from hosts/ward/secrets/initrd_host_ed25519_key.age
rename to secrets/generated/ward/initrd_host_ed25519_key.age
diff --git a/hosts/ward/secrets/promtail-loki-basic-auth-password.age b/secrets/generated/ward/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/ward/secrets/promtail-loki-basic-auth-password.age
rename to secrets/generated/ward/promtail-loki-basic-auth-password.age
diff --git a/hosts/zackbiene/secrets/dhparams.pem.age b/secrets/generated/zackbiene/dhparams.pem.age
similarity index 100%
rename from hosts/zackbiene/secrets/dhparams.pem.age
rename to secrets/generated/zackbiene/dhparams.pem.age
diff --git a/hosts/zackbiene/secrets/initrd_host_ed25519_key.age b/secrets/generated/zackbiene/initrd_host_ed25519_key.age
similarity index 100%
rename from hosts/zackbiene/secrets/initrd_host_ed25519_key.age
rename to secrets/generated/zackbiene/initrd_host_ed25519_key.age
diff --git a/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age b/secrets/generated/zackbiene/promtail-loki-basic-auth-password.age
similarity index 100%
rename from hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age
rename to secrets/generated/zackbiene/promtail-loki-basic-auth-password.age