
feat: remove generate-wireguard-keys in favor of agenix-rekey generators

This commit is contained in:
oddlama 2023-06-09 23:21:18 +02:00
parent dec790c589
commit cfb7c88862
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
7 changed files with 62 additions and 163 deletions


@ -34,7 +34,6 @@ This is my personal nix config.
- `default.nix` Collects all apps and generates a definition for a specified system
- `draw-graph.nix` (**WIP:** infrastructure graph renderer)
- `format-secrets.nix` Runs the code formatter on the secret .nix files
- `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair
- `show-wireguard-qr.nix` Generates a QR code for external wireguard participants
- `checks.nix` pre-commit-hooks for this repository
- `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts)
@ -62,7 +61,7 @@ This is my personal nix config.
- fill net.nix
- fill fs.nix (you need to know the device by-id paths in advance for formatting to work!)
- generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...`
- run generate-wireguard-keys
- run generate-secrets
#### Initial deploy
@ -140,13 +139,30 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
# Recover admin account (server must not be running)
> systemctl stop kanidmd
> kanidmd recover_account -c server.toml admin
qU6UUdN5PbaetgtjKDttQx6D7XQwa0bBef5N5N0sjchg8gNz
aM4Fk1dvM8AjyYzuVsFuxGkY4PqcVJaZwaHSfvFQGvFkH2Ez
> systemctl start kanidmd
# Login with recovered root account
> kanidm login -D admin
> kanidm login --name admin
# Generate new credentials for idm_admin account
> kanidm service-account credential generate -D admin idm_admin
xbwa3tbUefdRBxKqbDYQfW2StqjZYa0zwp6FQRyWXy0dCYUb
cVXKuT9LGpCN0RTjgjEG52bPFANxbPKbT9LjSb3H4K2NeW2g
# Generate new oauth2 app for grafana
> kanidm group create grafana-access
> kanidm group create grafana-server-admins
> kanidm group create grafana-admins
> kanidm group create grafana-editors
> kanidm system oauth2 create grafana "Grafana" https://grafana.${personalDomain}
> kanidm system oauth2 update-scope-map grafana grafana-access openid profile email
> kanidm system oauth2 update-sup-scope-map grafana grafana-server-admins server_admin
> kanidm system oauth2 update-sup-scope-map grafana grafana-admins admin
> kanidm system oauth2 update-sup-scope-map grafana grafana-editors editor
> kanidm system oauth2 show-basic-secret grafana
# Add new user
> kanidm login --name idm_admin
> kanidm person create myuser "My User"
> kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com"
> kanidm group add_members grafana-access myuser
> kanidm group add_members grafana-server-admins myuser
```

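--- a/flake.lock
+++ b/flake.lock
@@ -31,10 +31,12 @@
 ]
 },
 "locked": {
-"lastModified": 1686159246,
-"narHash": "sha256-6+u3Ed6rsYKJ1gnjt1DoEnxgF6Xmi4qPFUy7OBEiN5E=",
-"type": "git",
-"url": "file:///root/projects/agenix-rekey"
+"lastModified": 1686343990,
+"narHash": "sha256-/XkX73eAccg0l+2plLpDQHX4bl4sk2enSRwxUzuCcsc=",
+"owner": "oddlama",
+"repo": "agenix-rekey",
+"rev": "1dd5cf245e842c4b698b537a7097c417f2912efe",
+"type": "github"
 },
 "original": {
 "owner": "oddlama",
@@ -117,11 +119,11 @@
 ]
 },
 "locked": {
-"lastModified": 1686150639,
-"narHash": "sha256-QHorMn3tgvCE0BM4QlNb/7vuquz11cS2ke1GSfmgiPo=",
+"lastModified": 1686222354,
+"narHash": "sha256-dtqnAwzucKZv54dTrLetIXhOavUrCsdqOe+JtFH9riE=",
 "owner": "nix-community",
 "repo": "disko",
-"rev": "f1178c6e72b7d8ab2b55990397969324822275eb",
+"rev": "5d9f362aecd7a4c2e8a3bf2afddb49051988cab9",
 "type": "github"
 },
 "original": {
@@ -208,11 +210,11 @@
 ]
 },
 "locked": {
-"lastModified": 1686142265,
-"narHash": "sha256-IP0xPa0VYqxCzpqZsg3iYGXarUF+4r2zpkhwdHy9WsM=",
+"lastModified": 1686342731,
+"narHash": "sha256-GwCwviXcc5nrewuFwtsrxys8srrZcI+m8hdIGOt+fHY=",
 "owner": "nix-community",
 "repo": "home-manager",
-"rev": "39c7d0a97a77d3f31953941767a0822c94dc01f5",
+"rev": "0945875a2a20de314093b0f9d4d5448e9b4fdccb",
 "type": "github"
 },
 "original": {
@@ -258,11 +260,11 @@
 ]
 },
 "locked": {
-"lastModified": 1686092477,
-"narHash": "sha256-ewXevzxR3FGhI5ip1QX+jCAQW2En9BTwBI9+kGip9DA=",
+"lastModified": 1686244773,
+"narHash": "sha256-AtS5u3Qfrvtd1OiaRugEWKymbm6kwd7DGYiCiV8x3/U=",
 "owner": "astro",
 "repo": "microvm.nix",
-"rev": "c6416c6b9fed22b71f526720cb120b0218c51b62",
+"rev": "8f759ded0bbc7728738b064516a879b36ee115b9",
 "type": "github"
 },
 "original": {
@@ -309,11 +311,11 @@
 },
 "nixos-hardware": {
 "locked": {
-"lastModified": 1684899633,
-"narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
+"lastModified": 1686217350,
+"narHash": "sha256-Nb9b3m/GEK8jyFsYfUkXGsqj6rH05GgJ2QWcNNbK7dw=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
-"rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
+"rev": "e4b34b90f27696ec3965fa15dcbacc351293dc67",
 "type": "github"
 },
 "original": {
@@ -386,11 +388,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
-"lastModified": 1686050334,
-"narHash": "sha256-R0mczWjDzBpIvM3XXhO908X5e2CQqjyh/gFbwZk/7/Q=",
+"lastModified": 1686213770,
+"narHash": "sha256-Re6xXLEqQ/HRnThryumyGzEf3Uv0Pl4cuG50MrDofP8=",
 "owner": "cachix",
 "repo": "pre-commit-hooks.nix",
-"rev": "6881eb2ae5d8a3516e34714e7a90d9d95914c4dc",
+"rev": "182af51202998af5b64ddecaa7ff9be06425399b",
 "type": "github"
 },
 "original": {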


@ -158,7 +158,7 @@
${peerPresharedKeySecret nodeName other} = {
rekeyFile = peerPresharedKeyPath nodeName other;
owner = "systemd-network";
# TODO gen func
generator.script = {pkgs, ...}: "${pkgs.wireguard-tools}/bin/wg genpsk";
};
})
neededPeers)
@ -166,7 +166,15 @@
${peerPrivateKeySecret nodeName} = {
rekeyFile = peerPrivateKeyPath nodeName;
owner = "systemd-network";
# TODO gen func
generator.script = {
pkgs,
file,
...
}: ''
${pkgs.wireguard-tools}/bin/wg genkey \
| tee /dev/stdout \
| ${pkgs.wireguard-tools}/bin/wg pubkey > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
'';
};
};
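Review bot: In the private-key generator added in the second hunk, `tee /dev/stdout` never delivers the private key to the generator's caller: inside that pipeline tee's own fd 1 is the pipe into `wg pubkey`, and `/dev/stdout` resolves to that same pipe, so the key is fed to `wg pubkey` twice and nothing reaches the outer stdout that, as far as I can tell, agenix-rekey captures as the secret. Holding the key in a variable makes the data flow explicit: `priv=$(${pkgs.wireguard-tools}/bin/wg genkey)`, `echo "$priv" | ${pkgs.wireguard-tools}/bin/wg pubkey > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}`, `echo "$priv"`. That form also lets a failed `wg genkey` abort under `set -e` instead of being masked by the pipeline's last command, assuming the generator runner enables errexit. The preshared-key generator in the first hunk is unaffected since it has no side output.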


@ -2,6 +2,7 @@
pkgs = self.pkgs.${system};
inherit
(pkgs.lib)
flip
nameValuePair
removeSuffix
;
@ -13,9 +14,12 @@
apps = [
./draw-graph.nix
./format-secrets.nix
./generate-secrets.nix
./generate-wireguard-keys.nix
./show-wireguard-qr.nix
];
in
builtins.listToAttrs (map (appPath: nameValuePair (removeSuffix ".nix" (builtins.baseNameOf appPath)) (mkApp (import appPath args))) apps)
builtins.listToAttrs (flip map apps (
appPath:
nameValuePair
(removeSuffix ".nix" (builtins.baseNameOf appPath))
(mkApp (import appPath args))
))


@ -1,39 +0,0 @@
{
self,
pkgs,
...
} @ inputs: let
inherit
(pkgs.lib)
assertMsg
removePrefix
hasPrefix
concatStringsSep
filterAttrs
escapeShellArg
flatten
mapAttrsToList
;
inherit (self.extraLib) rageEncryptArgs;
flakeDir = toString self.sourceInfo.outPath;
relativeToFlake = x: let
xFile = toString x;
in
assert assertMsg (hasPrefix flakeDir xFile) "${xFile} must be a subpath of ${flakeDir}";
"." + removePrefix flakeDir xFile;
x = nodeName: nodeCfg:
mapAttrsToList (_: s: ''
echo ${escapeShellArg (relativeToFlake s.file)}
'') (filterAttrs (_: s: s.generate != null) nodeCfg.config.rekey.secrets);
in
pkgs.writeShellScript "generate-secrets" ''
set -euo pipefail
if [[ ! -e flake.nix ]] ; then
echo "this script must be executed from your flake's root directory." >&2;
exit 1
fi
${concatStringsSep "\n" (flatten (mapAttrsToList x self.nodes))}
''


@ -1,92 +0,0 @@
{
self,
pkgs,
...
} @ inputs: let
inherit
(pkgs.lib)
attrNames
concatMap
concatMapStrings
concatStringsSep
escapeShellArg
filter
optionalString
removeSuffix
substring
unique
;
inherit (self.extraLib) rageEncryptArgs;
nodeNames = attrNames self.nodes;
wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.extra.wireguard) nodeNames);
generateNetworkKeys = wgName: let
inherit
(self.extraLib.wireguard wgName)
allPeers
externalPeersForNode
participatingClientNodes
participatingNodes
participatingServerNodes
peerPresharedKeyFile
peerPrivateKeyFile
peerPublicKeyFile
sortedPeers
;
# Every peer needs a private and public key.
generatePeerKeys = peerName: let
keyBasename = escapeShellArg ("./" + removeSuffix ".pub" (peerPublicKeyFile peerName));
pubkeyFile = escapeShellArg ("./" + peerPublicKeyFile peerName);
privkeyFile = escapeShellArg ("./" + peerPrivateKeyFile peerName);
in ''
if [[ ! -e ${privkeyFile} ]] || [[ ! -e ${pubkeyFile} ]]; then
mkdir -p $(dirname ${privkeyFile})
echo "Generating "${keyBasename}".{age,pub}"
privkey=$(${pkgs.wireguard-tools}/bin/wg genkey)
echo "$privkey" | ${pkgs.wireguard-tools}/bin/wg pubkey > ${pubkeyFile}
${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$privkey" > ${privkeyFile} \
|| { echo "error: Failed to encrypt wireguard private key for peer ${peerName} on network ${wgName}!" >&2; exit 1; }
else
echo "Skipping existing "${keyBasename}".{age,pub}"
fi
'';
# Generates the psk for peer1 and peer2.
generatePeerPsk = {
peer1,
peer2,
}: let
pskFile = escapeShellArg ("./" + peerPresharedKeyFile peer1 peer2);
in ''
if [[ ! -e ${pskFile} ]]; then
mkdir -p $(dirname ${pskFile})
echo "Generating "${pskFile}""
psk=$(${pkgs.wireguard-tools}/bin/wg genpsk)
${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$psk" > ${pskFile} \
|| { echo "error: Failed to encrypt wireguard psk for peers ${peer1} and ${peer2} on network ${wgName}!" >&2; exit 1; }
else
echo "Skipping existing "${pskFile}""
fi
'';
# This generates all psks for each combination of peers given.
# xs is a list of peers and fys a function that generates a list of peers
# for any given x.
psksForPeerCombinations = xs: fys: map generatePeerPsk (unique (concatMap (x: map (sortedPeers x) (fys x)) xs));
in
["echo ==== ${wgName} ===="]
++ map generatePeerKeys (attrNames allPeers)
# All server-nodes need a psk for each other, but not reflexive.
++ psksForPeerCombinations participatingServerNodes (n: filter (x: x != n) participatingServerNodes)
# Each server-node need a psk for all client nodes
++ psksForPeerCombinations participatingServerNodes (_: participatingClientNodes)
# Each server-node need a psk for all their external peers
++ psksForPeerCombinations participatingServerNodes (n: attrNames (externalPeersForNode n));
in
pkgs.writeShellScript "generate-wireguard-keys" ''
set -euo pipefail
${concatStringsSep "\n" (concatMap generateNetworkKeys wireguardNetworks)}
''


@ -233,16 +233,16 @@ in rec {
};
peerPublicKeyFile = peerName: "secrets/wireguard/${wgName}/keys/${peerName}.pub";
peerPublicKeyPath = peerName: "${../.}/" + peerPublicKeyFile peerName;
peerPublicKeyPath = peerName: "${self.outPath}/" + peerPublicKeyFile peerName;
peerPrivateKeyFile = peerName: "secrets/wireguard/${wgName}/keys/${peerName}.age";
peerPrivateKeyPath = peerName: "${../.}/" + peerPrivateKeyFile peerName;
peerPrivateKeyPath = peerName: "${self.outPath}/" + peerPrivateKeyFile peerName;
peerPrivateKeySecret = peerName: "wireguard-${wgName}-priv-${peerName}";
peerPresharedKeyFile = peerA: peerB: let
inherit (sortedPeers peerA peerB) peer1 peer2;
in "secrets/wireguard/${wgName}/psks/${peer1}+${peer2}.age";
peerPresharedKeyPath = peerA: peerB: "${../.}/" + peerPresharedKeyFile peerA peerB;
peerPresharedKeyPath = peerA: peerB: "${self.outPath}/" + peerPresharedKeyFile peerA peerB;
peerPresharedKeySecret = peerA: peerB: let
inherit (sortedPeers peerA peerB) peer1 peer2;
in "wireguard-${wgName}-psks-${peer1}+${peer2}";