diff --git a/README.md b/README.md index 53046e1..26d8da0 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ but here's a quick breakdown of the what you will find where. Afterwards: - Run `install-system` in the live environment and reboot -- Retrieve the new host identity by using `ssh-keyscan | grep -o 'ed25519.*' > host//secrets/host.pub` +- Retrieve the new host identity by using `ssh-keyscan | grep -o 'ssh-ed25519.*' > hosts//secrets/host.pub` - (If the host has microvms, also retrieve their identities!) - Rekey the secrets for the new identity `nix run .#rekey` - Deploy again remotely via colmena diff --git a/flake.lock b/flake.lock index a2c43d2..7210b7a 100644 --- a/flake.lock +++ b/flake.lock @@ -27,11 +27,11 @@ ] }, "locked": { - "lastModified": 1689334118, - "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=", + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", "owner": "ryantm", "repo": "agenix", - "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", "type": "github" }, "original": { @@ -159,11 +159,11 @@ ] }, "locked": { - "lastModified": 1690148072, - "narHash": "sha256-R7bk2ij1b06Wc8S3L/guz6Mape5HtKp/YZUyJaxSFa8=", + "lastModified": 1690278259, + "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=", "owner": "nix-community", "repo": "disko", - "rev": "713eb78002e69bd77f5a69595756fd2e564233f3", + "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170", "type": "github" }, "original": { @@ -364,11 +364,11 @@ ] }, "locked": { - "lastModified": 1690208251, - "narHash": "sha256-eb/KANeuQADVl5j4wVid4jyPCOMTorSI2+gqoXp3LME=", + "lastModified": 1690269402, + "narHash": "sha256-SybA24IOGigiHfcTB5eBge4UZQI6a0z8Ah+EzD17tdk=", "owner": "nix-community", "repo": "home-manager", - "rev": "d309a62ee81faec56dd31a263a0184b0e3227e36", + "rev": "0306d5ed7e9d1662b55ec0d08afc73d4cb5eadca", "type": "github" }, "original": { 
@@ -499,11 +499,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1690031011, - "narHash": "sha256-kzK0P4Smt7CL53YCdZCBbt9uBFFhE0iNvCki20etAf4=", + "lastModified": 1690179384, + "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12303c652b881435065a98729eb7278313041e49", + "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 812b09a..da8a50d 100644 --- a/flake.nix +++ b/flake.nix @@ -92,19 +92,10 @@ extraEncryptionPubkeys = [./secrets/backup.pub]; }; - # This is the list of hosts that this flake defines, plus the minimum - # amount of metadata that is necessary to instanciate it correctly. - hosts = let - nixos = system: { - type = "nixos"; - inherit system; - }; - in { - nom = nixos "x86_64-linux"; - sentinel = nixos "x86_64-linux"; - ward = nixos "x86_64-linux"; - zackbiene = nixos "aarch64-linux"; - }; + # Load the list of hosts that this flake defines, which + # associates the minimum amount of metadata that is necessary + # to instanciate hosts correctly. + hosts = builtins.fromTOML (builtins.readFile ./hosts.toml); # This will process all defined hosts of type "nixos" and # generate the required colmena definition for each host. diff --git a/hosts.toml b/hosts.toml new file mode 100644 index 0000000..c7480ec --- /dev/null +++ b/hosts.toml @@ -0,0 +1,15 @@ +[nom] +type = "nixos" +system = "x86_64-linux" + +[sentinel] +type = "nixos" +system = "x86_64-linux" + +[ward] +type = "nixos" +system = "x86_64-linux" + +[zackbiene] +type = "nixos" +system = "aarch64-linux" diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix index 71f4691..f59156a 100644 --- a/hosts/ward/kea.nix +++ b/hosts/ward/kea.nix 
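Review bot: `hosts = builtins.fromTOML (builtins.readFile ./hosts.toml);` accepts whatever the file contains, so a mistyped `type` or `system` in hosts.toml is no longer caught where the host is declared but surfaces later wherever the metadata is consumed; the inline attrset it replaces at least fixed `type = "nixos"` through the `nixos` helper. I'd validate right after loading, e.g. `hosts = lib.mapAttrs (_: h: assert h.type == "nixos" && builtins.isString h.system; h) (builtins.fromTOML (builtins.readFile ./hosts.toml));` — assuming `lib` is in scope at this point of flake.nix, which the hunk does not show. Failing that, a header comment in hosts.toml stating the permitted keys and values (`type`, `system`) would give the next person adding a host something to go on.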
@@ -1,77 +1,60 @@ { - config, lib, utils, nodes, ... }: let - inherit - (lib) - flip - mapAttrsToList - mkOption - net - types - ; - + inherit (lib) net; lanCidrv4 = "192.168.100.0/24"; dnsIp = net.cidr.host 2 lanCidrv4; in { # TODO make meta.kea module? # TODO reserve by default using assignIps algo? - options.networking.dhcp4Reservations = mkOption { - default = {}; - type = types.attrsOf (types.net.ipv4-in lanCidrv4); - description = "Maps MAC addresses to their reserved ipv4 address."; - }; - - config = { - services.kea.dhcp4 = { - enable = true; - settings = { - lease-database = { - name = "/var/lib/kea/dhcp4.leases"; - persist = true; - type = "memfile"; - }; - valid-lifetime = 4000; - renew-timer = 1000; - rebind-timer = 2000; - interfaces-config = { - # XXX: why does this bind other macvtaps? - interfaces = ["lan-self"]; - service-sockets-max-retries = -1; - }; - option-data = [ - { - name = "domain-name-servers"; - data = dnsIp; - } - ]; - subnet4 = [ - { - interface = "lan-self"; - subnet = lanCidrv4; - pools = [ - {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";} - ]; - option-data = [ - { - name = "routers"; - data = net.cidr.host 1 lanCidrv4; - } - ]; - reservations = [ - { - hw-address = nodes.ward-adguardhome.config.lib.microvm.mac; - ip-address = dnsIp; - } - ]; - } - ]; + services.kea.dhcp4 = { + enable = true; + settings = { + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; }; + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + # XXX: why does this bind other macvtaps? 
+ interfaces = ["lan-self"]; + service-sockets-max-retries = -1; + }; + option-data = [ + { + name = "domain-name-servers"; + data = dnsIp; + } + ]; + subnet4 = [ + { + interface = "lan-self"; + subnet = lanCidrv4; + pools = [ + {pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";} + ]; + option-data = [ + { + name = "routers"; + data = net.cidr.host 1 lanCidrv4; + } + ]; + reservations = [ + { + hw-address = nodes.ward-adguardhome.config.lib.microvm.mac; + ip-address = dnsIp; + } + ]; + } + ]; }; - - systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"]; }; + + systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"]; } diff --git a/hosts/ward/microvms/common.nix b/hosts/ward/microvms/common.nix index c26df64..6e61ffd 100644 --- a/hosts/ward/microvms/common.nix +++ b/hosts/ward/microvms/common.nix @@ -7,7 +7,7 @@ in { proxy = "sentinel"; }; - # Connect safely via wireguard to skip authentication + # Connect safely via wireguard to skip http authentication networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; meta.telegraf = { enable = true; diff --git a/hosts/ward/secrets/loki/loki-basic-auth-hashes.age b/hosts/ward/secrets/loki/loki-basic-auth-hashes.age index 2534566..957822e 100644 Binary files a/hosts/ward/secrets/loki/loki-basic-auth-hashes.age and b/hosts/ward/secrets/loki/loki-basic-auth-hashes.age differ diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 8e34795..1529bab 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -1,4 +1,10 @@ -{lib, ...}: { +{ + lib, + nodes, + ... +}: let + sentinelCfg = nodes.sentinel.config; +in { imports = [ ../../modules/optional/hardware/odroid-n2plus.nix 
@@ -7,17 +13,32 @@ ../../modules/optional/initrd-ssh.nix ../../modules/optional/zfs.nix - #./dnsmasq.nix #./esphome.nix ./fs.nix #./home-assistant.nix - #./hostapd.nix + ./hostapd.nix #./mosquitto.nix + ./kea.nix ./net.nix #./nginx.nix #./zigbee2mqtt.nix ]; + meta.wireguard-proxy.sentinel = {}; + meta.promtail = { + enable = true; + proxy = "sentinel"; + }; + + # Connect safely via wireguard to skip http authentication + networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; + meta.telegraf = { + enable = true; + influxdb2.domain = sentinelCfg.networking.providedDomains.influxdb; + influxdb2.organization = "servers"; + influxdb2.bucket = "telegraf"; + }; + # Fails if there are no SMART devices services.smartd.enable = lib.mkForce false; } diff --git a/hosts/zackbiene/dnsmasq.nix b/hosts/zackbiene/dnsmasq.nix deleted file mode 100644 index 4208369..0000000 --- a/hosts/zackbiene/dnsmasq.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - services.dnsmasq = { - enable = true; - resolveLocalQueries = false; - settings = { - interface = "wlan1"; - dhcp-authoritative = true; - dhcp-range = [ - "10.0.90.10,10.0.90.240,24h" - "fd90::10,fd90::ff0,24h" - ]; - - # Enable ipv6 router advertisements - enable-ra = true; - # Don't use anything from /etc/resolv.conf - no-resolv = true; - # Never forward addresses in the non-routed address spaces. - bogus-priv = true; - }; - }; -} diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix index c475552..d409bd9 100644 --- a/hosts/zackbiene/hostapd.nix +++ b/hosts/zackbiene/hostapd.nix @@ -1,9 +1,4 @@ -{ - lib, - config, - pkgs, - ... -}: { +{config, ...}: { # Associates each known client to a unique password age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age; 
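Review bot: The `networking.hosts` / `meta.telegraf` block added here is a verbatim copy of the one in hosts/ward/microvms/common.nix (same comment, same influxdb domain, organization and bucket), and a third host will copy it again; since `meta.promtail.proxy = "sentinel"` already exists as a pattern, the influxdb-over-wireguard mapping belongs in the telegraf module or a shared optional module rather than in each host. That matters on this host in particular because the same hunk enables `./hostapd.nix` and `./kea.nix`, i.e. it now also serves the IoT Wi-Fi segment, and the "skip http authentication" shortcut should be documented once rather than re-explained per host. I'd replace the copied comment with something explicit about what the trust anchor is, e.g. `# influxdb is reached only via the proxy-sentinel wireguard tunnel; the wireguard peer key is the credential, hence no HTTP auth.`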
@@ -12,7 +7,7 @@ services.hostapd = { enable = true; radios.wlan1 = { - hwMode = "g"; + band = "2g"; countryCode = "DE"; channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u. wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"]; @@ -22,7 +17,8 @@ apIsolate = true; authentication = { saePasswordsFile = config.age.secrets.wifi-clients.path; - saeAddToMacAllow = true; + # TODO reenable when nixpkgs#245413 is merged + # saeAddToMacAllow = true; enableRecommendedPairwiseCiphers = true; }; bssid = "00:c0:ca:b1:4f:9f"; diff --git a/hosts/zackbiene/kea.nix b/hosts/zackbiene/kea.nix new file mode 100644 index 0000000..dc605f4 --- /dev/null +++ b/hosts/zackbiene/kea.nix @@ -0,0 +1,43 @@ +{ + lib, + utils, + ... +}: let + inherit (lib) net; + iotCidrv4 = "10.0.90.0/24"; +in { + services.kea.dhcp4 = { + enable = true; + settings = { + lease-database = { + name = "/var/lib/kea/dhcp4.leases"; + persist = true; + type = "memfile"; + }; + valid-lifetime = 4000; + renew-timer = 1000; + rebind-timer = 2000; + interfaces-config = { + interfaces = ["wlan1"]; + service-sockets-max-retries = -1; + }; + subnet4 = [ + { + interface = "wlan1"; + subnet = iotCidrv4; + pools = [ + {pool = "${net.cidr.host 20 iotCidrv4} - ${net.cidr.host (-6) iotCidrv4}";} + ]; + option-data = [ + { + name = "routers"; + data = net.cidr.host 1 iotCidrv4; + } + ]; + } + ]; + }; + }; + + systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wlan1"}.device"]; +} diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index fb540fa..aa3a50d 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix 
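Review bot: Commenting out `saeAddToMacAllow = true;` silently drops the MAC allow-list that was derived from the per-client SAE password entries, and the TODO only says why it is disabled, not what is lost. If every entry in wifi-clients.age is bound to a MAC, SAE still rejects stations that do not match, so this is a defense-in-depth regression rather than an open AP — but that only holds if no wildcard-MAC entry exists, which the encrypted secret does not let a reviewer check. I'd extend the comment: `# TODO reenable when nixpkgs#245413 is merged; until then the MAC ACL is not populated from the SAE entries and authentication relies solely on per-client SAE passwords (ensure wifi-clients has no wildcard-MAC entry).` The enclosing `radios.wlan1` block begins in the previous hunk and ends outside this one.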
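Review bot: The new kea configuration that replaces the deleted hosts/zackbiene/dnsmasq.nix loses two things dnsmasq had: `dhcp-authoritative = true` (kea's per-subnet `authoritative` defaults to false, so requests for leases kea does not know are ignored rather than NAKed, which slows recovery of IoT clients holding stale leases) and any DNS server option — ward's kea.nix sets `domain-name-servers`, whereas here clients get `routers` but no resolver. The dropped `fd90::` IPv6 range appears to be covered by the RA/prefix announcement in net.nix, so that gap is fine. I'd add `authoritative = true;` next to `interface = "wlan1";` in the subnet, and either add a `domain-name-servers` entry to `option-data` or a comment stating that IoT clients intentionally receive no DNS. The `renew-timer`/`rebind-timer`/`valid-lifetime` ordering (1000 < 2000 < 4000) is consistent.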
@@ -32,6 +32,16 @@ in { (lib.net.cidr.hostCidr 1 iotCidrv6) ]; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac; + networkConfig = { + IPForward = "yes"; + IPv6PrivacyExtensions = "yes"; + IPv6SendRA = true; + MulticastDNS = true; + }; + # Announce a static prefix + ipv6Prefixes = [ + {ipv6PrefixConfig.Prefix = iotCidrv6;} + ]; linkConfig.RequiredForOnline = "no"; }; }; diff --git a/hosts/zackbiene/nginx.nix b/hosts/zackbiene/nginx.nix deleted file mode 100644 index 991c2c4..0000000 --- a/hosts/zackbiene/nginx.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - lib, - config, - ... -}: { - age.secrets."selfcert.crt" = { - rekeyFile = ./secrets/selfcert.crt.age; - mode = "440"; - group = "nginx"; - }; - age.secrets."selfcert.key" = { - rekeyFile = ./secrets/selfcert.key.age; - mode = "440"; - group = "nginx"; - }; - - #security.acme.acceptTerms = true; - #security.acme.defaults.email = "admin+acme@example.com"; - services.nginx.enable = true; -} diff --git a/hosts/zackbiene/secrets/host.pub b/hosts/zackbiene/secrets/host.pub index e320b99..b694d85 100644 --- a/hosts/zackbiene/secrets/host.pub +++ b/hosts/zackbiene/secrets/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJVBhqJKfIBWOwXHGNjlskKMIpCuL3qjOjKiXyF8hkGT +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILaKQa+gcGMvtm9d1LM11lvsXRtE3Tvo+o40nG+eXYgo diff --git a/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age b/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..411d2cb --- /dev/null +++ b/hosts/zackbiene/secrets/promtail-loki-basic-auth-password.age 
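Review bot: `IPForward = "yes"` makes this host a router for the IoT Wi-Fi segment (hostapd's `apIsolate = true` only separates clients from each other at layer 2), and nothing in this diff restricts what wlan1 traffic may be forwarded to — no firewall forward rules appear in the change. As far as I recall, networkd's IPv4 forwarding is effectively system-wide once enabled on any interface, so the non-IoT interfaces are affected as well. Before merging I'd confirm the firewall's forward chain drops wlan1 → LAN/wireguard traffic by default and record that next to the setting: `# wlan1 (IoT) is routed; what may be forwarded is enforced by the firewall forward chain, not here`. Separately, `IPv6PrivacyExtensions = "yes"` on the interface that announces the prefix looks like a client-side setting carried over and is worth a second look, though it is likely harmless. The `systemd.network.networks` entry begins outside this hunk.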
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 GORopMcTgwBFuvljV/6TrebfoW4aL13meWOk0tjX2Fg +A9OOzSPEqT8dPNYeKHcvVVdZOfYMnEzaSdudKzyals4 +-> piv-p256 xqSe8Q As7KMtJM+NWObNYdVxTjfePy8MThyA6PkOv32lvMNbth +LkC4vtpHWjizzs3qEyJF+L5yBniMH9XdMH6Y/H5RfTc +-> WQ0T*-grease ;xyW-]= 5tB %=C(B9M jM X25519 DCVhASEENA4z7QkZIAz+7shz69B3UGfuR4QwV28e3w4 +KcvcVb5PxsRMlA5n35c/4nRLdv7WoIL2bqJn6Ry0tBU +-> piv-p256 xqSe8Q ArDV5TYzLEFhnRxXIY1OMPe4nPE7rtNhsUhU+7J2La3o +SoqSbbPvxlF4uaGSRNKSumajM9aEr2EoHE8PyPr3sMk +-> e\9`z-grease +PtN7lO2jjyBoMojXSiPLmWGgv23uUbzd9TxrAwwDiCcBbW5RL5vvR2HFzc+k+ZVa +RA3xLg5UeIzjsZdkWBezPHX1p7OALN49ZxtJ21fzfDhdUCTfVIKK4mi++At2hEJF +6g +--- FdR7X/jFWv+BhzuO8kpGr8xC3SKgmrwHg4YaHRxnwHE + p 6SDW(YR3s_۪/2g}ܶW?ub +)/ ,{&F-5/u.p \%ɟ4qӉyKQk4W3ˌ +ӈ[t__4y q^/F* \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/zackbiene.age b/secrets/wireguard/proxy-sentinel/keys/zackbiene.age new file mode 100644 index 0000000..e247137 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/zackbiene.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 yiNmRDhm4J2Kbdl23JqK806GwpAyxxhyPD7UzwQOd14 +YdtV6fwtI8Hi/Fl3viJa6Kdlg6jipWX8qY9yZ7AvCYk +-> piv-p256 xqSe8Q AxvoyuMwR6SeHcqsLOLFxaXHJnjGePz+ROnwlWDiUSgP +B4lYcmboqDpr747GYCFAGWXfOvpHK04uyM5UbEeNORI +-> x4pfd28-grease f+4S \ +BuQCPPOZhXqwnKl74fCB4eF5LYtULBuGiYX4BCOrS+sNP5svpj2pnGFvA5/VAJqv +9NE3mc0a9B41xJMSISdomiU +--- 3bUnrQO3LUeKPFet5T2s9XAe455gONeBR6TiIN0nf0Q +{jD˖I]'7KEmU"\^'}`K4A%P%M+G' \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/zackbiene.pub b/secrets/wireguard/proxy-sentinel/keys/zackbiene.pub new file mode 100644 index 0000000..c11fca2 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/zackbiene.pub @@ -0,0 +1 @@ +m92MMTe8d8vtfKcRxel+8ptDcFFILyvzOThTt2rdiWU= 
diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+zackbiene.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+zackbiene.age new file mode 100644 index 0000000..19c3d6c Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/psks/sentinel+zackbiene.age differ