diff --git a/README.md b/README.md
index d8b2a39..811a2c4 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,12 @@ This is my personal nix config.
 - not yet ready for publicized: my main development machine, powerful home server, some services ... (still in transition from gentoo :/)
 - `modules/` additional NixOS modules that are not yet upstreamed.
 - `nix/` library functions and plumbing
- - `apps.nix` Additional runnable actions for this flake (**WIP:** infrastructure graph renderer)
+ - `apps/` Additional runnable actions for this flake
+ - `default.nix` Collects all apps and generates a definition for a specified system
+ - `draw-graph.nix` (**WIP:** infrastructure graph renderer)
+ - `format-secrets.nix` Runs the code formatter on the secret .nix files
+ - `generate-initrd-keys.nix` Generates initrd hostkeys for each host if they don't exist yet (for setup)
+ - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
 - `checks.nix` pre-commit-hooks for this repository
 - `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts)
 - `dev-shell.nix` Environment setup for `nix develop` for using this flake
@@ -48,6 +53,12 @@ This is my personal nix config.
 ...
+- add hosts/
+- fill meta.nix
+- fill net.nix
+- todo: hostid (move to nodeSecrets)
+- generate-initrd-keys
+
 #### New secret
 ...
diff --git a/flake.nix b/flake.nix
index 9cfe41a..1123a9d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -75,7 +75,7 @@
 apps =
 agenix-rekey.defineApps self pkgs self.nodes
- // import ./nix/apps.nix inputs system;
+ // import ./nix/apps inputs system;
 checks = import ./nix/checks.nix inputs system;
 devShells.default = import ./nix/dev-shell.nix inputs system;
 formatter = pkgs.alejandra;
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index ad82f67..17569a1 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -87,9 +87,10 @@ in {
 stateVersion = "23.05";
 };
- systemd = {
- enableUnifiedCgroupHierarchy = true;
- network.wait-online.anyInterface = true;
+ systemd.enableUnifiedCgroupHierarchy = true;
+ systemd.network = {
+ enable = true;
+ wait-online.anyInterface = true;
 };
 users.mutableUsers = false;
diff --git a/hosts/ward/grafana.nix b/hosts/ward/grafana.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/ward/grafana.nix
@@ -0,0 +1 @@
+{}
diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix
index 238f822..e2cc253 100644
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@@ -1,4 +1,7 @@
-{nodeSecrets, ...}: {
+{nodeSecrets, ...}: let
+ wgName = "wg-vms";
+ wgPort = 51820;
+in {
 networking.hostId = "49ce3b71";
 systemd.network.networks = {
@@ -17,4 +20,42 @@
 dhcpV6Config.RouteMetric = 20;
 };
 };
+
+ #systemd.network.netdevs."20-${wgName}" = {
+ # netdevConfig = {
+ # Kind = "wireguard";
+ # Name = "${wgName}";
+ # Description = "Wireguard network ${wgName}";
+ # };
+ # wireguardConfig = {
+ # PrivateKeyFile = wireguardPrivateKey wgName nodeMeta.name;
+ # ListenPort = wgPort;
+ # };
+ # wireguardPeers = [
+ # {
+ # wireguardPeerConfig = {
+ # PublicKey = wireguardPublicKey wgName nodeMeta.name;;
+ # PresharedKey = wireguardPresharedKey wgName nodeMeta.name;;
+ # AllowedIPs = [ "10.66.66.10/32" ];
+ # PersistentKeepalive = 25;
+ # };
+ # }
+ # {
+ # wireguardPeerConfig = {
+ # AllowedIPs = [ "10.66.66.100/32" ];
+ # PersistentKeepalive = 25;
+ # };
+ # }
+ # ];
+ #};
+ #networks."20-${wgName}" = {
+ # matchConfig.Name = wgName;
+ # networkConfig = {
+ # Address = "10.66.66.1/24";
+ # IPForward = "ipv4";
+ # };
+ #};
+
+ #extra.wireguard.servers.home = {
+ #};
 }
diff --git a/hosts/ward/node_exporter.nix b/hosts/ward/node_exporter.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/ward/node_exporter.nix
@@ -0,0 +1 @@
+{}
diff --git a/hosts/ward/prometheus.nix b/hosts/ward/prometheus.nix
new file mode 100644
index 0000000..0967ef4
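Review bot: The commented-out WireGuard draft in the second net.nix hunk sets `PresharedKey =` inline in the netdev, which would end up in the Nix store and in the generated netdev unit under `/etc/systemd/network`, both world-readable; when this block is enabled it should use `PresharedKeyFile =` pointing at the decrypted secret, and both that file and the `PrivateKeyFile` must be readable by the unprivileged `systemd-network` user (e.g. group `systemd-network`, mode 0640), since networkd rather than root opens them. The first peer's `PublicKey` is derived from `nodeMeta.name`, i.e. this host's own key, so the peer would be the host itself; presumably the VM's key is intended. The `;;` after the `PublicKey` and `PresharedKey` lines, and the references to `nodeMeta`, `wireguardPrivateKey`, `wireguardPublicKey` and `wireguardPresharedKey`, none of which are bound in this file (only `nodeSecrets` is), will fail evaluation as soon as the block is uncommented. The second peer has no `PublicKey`, which networkd rejects.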
--- /dev/null
+++ b/hosts/ward/prometheus.nix
@@ -0,0 +1 @@
+{}
diff --git a/hosts/ward/samba.nix b/hosts/ward/samba.nix
new file mode 100644
index 0000000..0967ef4
--- /dev/null
+++ b/hosts/ward/samba.nix
@@ -0,0 +1 @@
+{}
diff --git a/nix/apps.nix b/nix/apps.nix
deleted file mode 100644
index 0e51637..0000000
--- a/nix/apps.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{self, ...}: system: let
- mkApp = drv: {
- type = "app";
- program = "${drv}";
- };
- pkgs = self.pkgs.${system};
- mapAttrsToLines = f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f attrs);
- filterMapAttrsToLines = filter: f: attrs: pkgs.lib.concatStringsSep "\n" (pkgs.lib.mapAttrsToList f (pkgs.lib.filterAttrs filter attrs));
-in
- with pkgs.lib; {
- draw-graph = let
- renderNode = nodeName: node: let
- renderNic = nicName: nic: ''
- nic_${nicName}: ${
- if hasInfix "wlan" nicName
- then "📶"
- else "🖧"
- } ${self.hosts.${nodeName}.physical_connections.${nicName}} {
- shape: sql_table
- MAC: ${nic.matchConfig.MACAddress}
- }
- '';
- in ''
- ${nodeName}: {
- ${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
- }
- '';
- graph = ''
- ${mapAttrsToLines renderNode self.nodes}
- '';
- in
- mkApp (pkgs.writeShellScript "draw-graph" ''
- set -euo pipefail
- echo "${graph}"
- '');
- generate-initrd-keys = let
- generateHostKey = node: ''
- if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
- ssh-keygen -t ed25519 -N "" -f /tmp/1
- TODO
- fi
- '';
- in
- mkApp (pkgs.writeShellScript "generate-initrd-keys" ''
- set -euo pipefail
- ${mapAttrsToLines generateHostKey self.nodes}
- '');
- format-secrets = let
- isAbsolutePath = x: substring 0 1 x == "/";
- masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
- extraEncryptionPubkeys =
- concatMapStrings (
- x:
- if isAbsolutePath x
- then ''-R ${escapeShellArg x} ''
- else ''-r ${escapeShellArg x} ''
- )
- self.secrets.extraEncryptionPubkeys;
- formatSecret = path: ''
- '';
- in
- mkApp (pkgs.writeShellScript "format-secrets" ''
- set -euo pipefail
- [[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
- for f in $(find . 
-type f -name '*.nix.age'); do
- echo "Formatting $f ..."
- decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
- || { echo "error: Failed to decrypt!" >&2; exit 1; }
- formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
- || { echo "error: Failed to format $decrypted!" >&2; exit 1; }
- ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
- || { echo "error: Failed to re-encrypt!" >&2; exit 1; }
- done
- '');
- }
diff --git a/nix/apps/default.nix b/nix/apps/default.nix
new file mode 100644
index 0000000..d455011
--- /dev/null
+++ b/nix/apps/default.nix
@@ -0,0 +1,20 @@
+{self, ...} @ inputs: system: let
+ pkgs = self.pkgs.${system};
+ inherit
+ (pkgs.lib)
+ nameValuePair
+ removeSuffix
+ ;
+ mkApp = drv: {
+ type = "app";
+ program = "${drv}";
+ };
+ args = inputs // {inherit pkgs;};
+ apps = [
+ ./draw-graph.nix
+ ./format-secrets.nix
+ ./generate-initrd-keys.nix
+ ./generate-wireguard-keys.nix
+ ];
+in
+ builtins.listToAttrs (map (appPath: nameValuePair (removeSuffix ".nix" (builtins.baseNameOf appPath)) (mkApp (import appPath args))) apps)
diff --git a/nix/apps/draw-graph.nix b/nix/apps/draw-graph.nix
new file mode 100644
index 0000000..a53cf03
--- /dev/null
+++ b/nix/apps/draw-graph.nix
@@ -0,0 +1,38 @@
+{
+ self,
+ pkgs,
+ ...
+}: let
+ inherit
+ (pkgs.lib)
+ concatStringsSep
+ filterAttrs
+ hasInfix
+ mapAttrsToList
+ ;
+ mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
+ filterMapAttrsToLines = filter: f: attrs: concatStringsSep "\n" (mapAttrsToList f (filterAttrs filter attrs));
+ renderNode = nodeName: node: let
+ renderNic = nicName: nic: ''
+ nic_${nicName}: ${
+ if hasInfix "wlan" nicName
+ then "📶"
+ else "🖧"
+ } ${self.hosts.${nodeName}.physicalConnections.${nicName}} {
+ shape: sql_table
+ MAC: ${nic.matchConfig.MACAddress}
+ }
+ '';
+ in ''
+ ${nodeName}: {
+ ${filterMapAttrsToLines (_: v: v.matchConfig ? MACAddress) renderNic node.config.systemd.network.networks}
+ }
+ '';
+ graph = ''
+ ${mapAttrsToLines renderNode self.nodes}
+ '';
+in
+ pkgs.writeShellScript "draw-graph" ''
+ set -euo pipefail
+ echo "${graph}"
+ ''
diff --git a/nix/apps/format-secrets.nix b/nix/apps/format-secrets.nix
new file mode 100644
index 0000000..2c9e5ef
--- /dev/null
+++ b/nix/apps/format-secrets.nix
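Review bot: `echo "${graph}"` at the end of the script embeds the rendered graph inside a double-quoted bash string, so a `$`, backtick, backslash or `"` in a node name, MAC or `physicalConnections` label is expanded by the shell instead of being printed; `echo ${escapeShellArg graph}` (adding `escapeShellArg` to the `inherit`) or a quoted heredoc emits it verbatim, and since the script only prints a string fixed at evaluation time, `pkgs.writeText` would do as well. `self.hosts.${nodeName}.physicalConnections.${nicName}` throws an evaluation error for any interface that carries a `MACAddress` but has no `physicalConnections` entry; `self.hosts.${nodeName}.physicalConnections.${nicName} or "?"` keeps the renderer usable on partially described hosts. The attribute was `physical_connections` in the deleted `apps.nix`; the `hosts/*` definitions are not in this diff, so if they still use the old name the app will not evaluate.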
@@ -0,0 +1,36 @@
+{
+ self,
+ pkgs,
+ ...
+}: let
+ inherit
+ (pkgs.lib)
+ concatMapStrings
+ concatStringsSep
+ escapeShellArg
+ substring
+ ;
+ isAbsolutePath = x: substring 0 1 x == "/";
+ masterIdentityArgs = concatMapStrings (x: ''-i ${escapeShellArg x} '') self.secrets.masterIdentities;
+ extraEncryptionPubkeys =
+ concatMapStrings (
+ x:
+ if isAbsolutePath x
+ then ''-R ${escapeShellArg x} ''
+ else ''-r ${escapeShellArg x} ''
+ )
+ self.secrets.extraEncryptionPubkeys;
+in
+ pkgs.writeShellScript "format-secrets" ''
+ set -euo pipefail
+ [[ -d .git ]] && [[ -f flake.nix ]] || { echo "error: Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
+ for f in $(find . -type f -name '*.nix.age'); do
+ echo "Formatting $f ..."
+ decrypted=$(${../rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+ || { echo "error: Failed to decrypt!" >&2; exit 1; }
+ formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
+ || { echo "error: Failed to format $decrypted!" >&2; exit 1; }
+ ${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
+ || { echo "error: Failed to re-encrypt!" >&2; exit 1; }
+ done
+ ''
diff --git a/nix/apps/generate-initrd-keys.nix b/nix/apps/generate-initrd-keys.nix
new file mode 100644
index 0000000..009df80
--- /dev/null
+++ b/nix/apps/generate-initrd-keys.nix
@@ -0,0 +1,25 @@
+{
+ self,
+ pkgs,
+ ...
+}: let
+ inherit
+ (pkgs.lib)
+ escapeShellArg
+ concatStringsSep
+ mapAttrsToList
+ ;
+ mapAttrsToLines = f: attrs: concatStringsSep "\n" (mapAttrsToList f attrs);
+ generateHostKey = node: ''
+ if [[ ! -f ${escapeShellArg node.config.rekey.secrets.initrd_host_ed25519_key.file} ]]; then
+ echo TODOOOOO
+ exit 1
+ ssh-keygen -t ed25519 -N "" -f /tmp/1
+ TODO
+ fi
+ '';
+in
+ pkgs.writeShellScript "generate-initrd-keys" ''
+ set -euo pipefail
+ ${mapAttrsToLines generateHostKey self.nodes}
+ ''
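Review bot: `${pkgs.rage}/bin/rage -e ... > "$f"` in format-secrets truncates the encrypted file before rage has produced any output, so a failed re-encryption (bad recipient, missing identity, rage not finding the identity file) leaves `$f` empty or partial and the `exit 1` then aborts with the secret already destroyed; write to a temporary file and rename only on success: `tmp=$(mktemp "$f.XXXXXX")`, `... <<< "$formatted" > "$tmp" || { rm -f "$tmp"; echo "error: Failed to re-encrypt!" >&2; exit 1; }`, `mv "$tmp" "$f"`. `for f in $(find . -type f -name '*.nix.age')` word-splits on whitespace in paths; `find . -type f -name '*.nix.age' -print0 | while IFS= read -r -d '' f; do` is the robust form. The identities are passed to `rage-decrypt.sh` as `${concatStringsSep " " self.secrets.masterIdentities}` unescaped, while the `-i` arguments built a few lines above go through `escapeShellArg`; the two should agree. The plaintext is held in `$formatted` and fed through a here-string, which bash may back with a temporary file, and `--print-out-path` suggests the decrypted copy also stays on disk at `$decrypted`; it is worth confirming where that path lives, what its mode is, and whether it is removed afterwards.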
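Review bot: In generate-initrd-keys the stub's `ssh-keygen -t ed25519 -N "" -f /tmp/1` writes an unencrypted host private key to a fixed, predictable path in world-writable `/tmp`, which is racy (a pre-created file or symlink at that path) and leaves the key behind; when the TODO is filled in, generate into `"$(mktemp -d)"` under `umask 077` and delete the directory once the key has been encrypted, or pipe the key straight into the encryptor without touching disk. The `exit 1` placed before it makes the first host without a key abort the whole loop instead of reporting every missing key, which is acceptable for a stub but deserves a comment such as `# TODO: generate and encrypt a per-host initrd key; aborts until implemented`. Each node's block is generated at evaluation time from `node.config.rekey.secrets.initrd_host_ed25519_key.file`, so a host that does not declare that secret presumably fails evaluation of the whole app rather than being skipped.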
diff --git a/nix/apps/generate-wireguard-keys.nix b/nix/apps/generate-wireguard-keys.nix
new file mode 100644
index 0000000..2b4573e
--- /dev/null
+++ b/nix/apps/generate-wireguard-keys.nix
@@ -0,0 +1,11 @@
+{
+ self,
+ pkgs,
+ ...
+}: let
+ inherit (pkgs.lib) escapeShellArg;
+in
+ pkgs.writeShellScript "generate-wireguard-keys" ''
+ set -euo pipefail
+ echo TODO
+ ''