feat: experiment with kanidm and acme dns-01. add common conditional locations to impermanence

2023-05-25 01:57:16 +02:00 · 2023-05-25 01:57:16 +02:00 · 0e3d881887
commit 0e3d881887
parent 668f9fdaf4
24 changed files with 323 additions and 29 deletions
--- a/README.md
+++ b/README.md
@ -93,7 +93,7 @@ then select the host in the fzf menu
 ## Stuff
 - Secrets can be created/edited by running `nix run .#edit-secret some/secret.age`
- Secrets can be rekeyed by running `nix run .#rekey` (you will be prompted to do so in an error message if neccessary)
+- Secrets can be rekeyed by running `nix run .#rekey` (you will also be prompted to do so in an error message if neccessary)
 To be able to decrypt the repository-wide secrets transparently on a host that
 is _not_ managed by this config, you will need to <sub>(be me and)</sub> run
@ -110,10 +110,10 @@ all commands using these extra parameters, or permanently add the following the
 ## Misc
-Generate self-signed cert:
+Generate self-signed cert, e.g. for kanidm internal communication to proxy:
 ```bash
 openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-  -keyout zackbiene-selfcert.key -out zackbiene-selfcert.crt -subj \
+  -keyout selfcert.key -out selfcert.crt -subj \
  "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:sub1.example.com,DNS:sub2.example.com,IP:10.0.0.1"
 ```
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@ -1,4 +1,8 @@
 {
  config,
  lib,
  ...
 }: {
  # State that should be kept across reboots, but is otherwise
  # NOT important information in any way that needs to be backed up.
  #environment.persistence."/nix/state" = {
@ -20,10 +24,90 @@
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
-    directories = [
+    directories =
-      "/var/lib/nixos"
+      [
-      "/var/lib/systemd/coredump"
+        {
-      "/var/log"
+          directory = "/var/lib/nixos";
-    ];
+          user = "root";
          group = "root";
          mode = "0755";
        }
        {
          directory = "/var/lib/systemd";
          user = "root";
          group = "root";
          mode = "0755";
        }
        {
          directory = "/var/log";
          user = "root";
          group = "root";
          mode = "0755";
        }
        #{ directory = "/tmp"; user = "root"; group = "root"; mode = "1777"; }
        #{ directory = "/var/tmp"; user = "root"; group = "root"; mode = "1777"; }
        {
          directory = "/var/spool";
          user = "root";
          group = "root";
          mode = "0777";
        }
      ]
      ++ lib.optionals config.networking.wireless.iwd.enable [
        {
          directory = "/var/lib/iwd";
          user = "root";
          group = "root";
          mode = "0700";
        }
      ]
      ++ lib.optionals (config.services.kea.dhcp4.enable || config.services.kea.dhcp6.enable) [
        {
          directory = "/var/lib/kea";
          user = "kea";
          group = "kea";
          mode = "0755";
        }
      ]
      ++ lib.optionals config.services.gitea.enable [
        {
          directory = "/var/lib/gitea";
          user = "gitea";
          group = "gitea";
          mode = "0755";
        }
      ]
      ++ lib.optionals config.security.acme.acceptTerms [
        {
          directory = "/var/lib/acme";
          user = "acme";
          group = "acme";
          mode = "0755";
        }
      ]
      ++ lib.optionals config.services.printing.enable [
        {
          directory = "/var/lib/cups";
          user = "root";
          group = "root";
          mode = "0755";
        }
      ]
      ++ lib.optionals config.services.fail2ban.enable [
        {
          directory = "/var/lib/fail2ban";
          user = "fail2ban";
          group = "fail2ban";
          mode = "0750";
        }
      ]
      ++ lib.optionals config.services.opendkim.enable [
        {
          directory = "/var/lib/postgresql";
          user = "postgres";
          group = "postgres";
          mode = "0755";
        }
      ];
  };
 }
--- a/hosts/common/core/issue.nix
+++ b/hosts/common/core/issue.nix
@ -2,6 +2,7 @@ let
  # IP addresses: ${"${interface} \e{halfbright}\4{${interface}}\e{reset} \e{halfbright}\6{${interface}}\e{reset}"}
  issue_text = ''
    \d  \t
    \e{halfbright}\4\e{reset} \e{halfbright}\6\e{reset}
    This is \e{cyan}\n\e{reset} [\e{lightblue}\l\e{reset}] (\s \m \r)
  '';
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -3,7 +3,19 @@
  nixos-hardware,
  pkgs,
  ...
-}: {
+}: let
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  # TODO byebyebye
  inherit (config.repo.secrets.local) acme;
  auth.domain = config.repo.secrets.local.auth.domain;
 in {
  imports = [
    nixos-hardware.common-cpu-intel
    nixos-hardware.common-pc-ssd
@ -33,15 +45,26 @@
    };
  in {
    test = defineVm 11;
-
+    #ddclient = defineVm 11;
-    #nginx = defineVm 12;
+    nginx = defineVm 12;
    #kanidm = defineVm 13;
    #gitea = defineVm 14;
    #vaultwarden = defineVm 15;
-    #samba = defineVm 16;
+    #samba+wsdd = defineVm 16;
    #fasten-health = defineVm 17;
    #immich = defineVm 18;
    #paperless = defineVm 19;
    #radicale = defineVm 20;
    #minecraft = defineVm 21;
    #grafana
    #loki
    #maddy = defineVm 19;
    #anonaddy = defineVm 19;
    #automatic1111 = defineVm 19;
    #invokeai = defineVm 19;
    #kanidm = defineVm 12 // {
    #  configPath = ./vm-test.nix;
@ -51,4 +74,162 @@
  microvm.vms.test.config = {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
  };
  microvm.vms.nginx.config = {
    lib,
    config,
    parentNodeName,
    ...
  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
    rekey.secrets."kanidm-self-signed.crt" = {
      file = ./secrets/kanidm-self-signed.crt.age;
      mode = "440";
      owner = "nginx";
      group = "kanidm";
    };
    rekey.secrets."kanidm-self-signed.key" = {
      file = ./secrets/kanidm-self-signed.key.age;
      mode = "440";
      owner = "nginx";
      group = "kanidm";
    };
    rekey.secrets."dhparams.pem" = {
      # TODO make own?
      file = ../zackbiene/secrets/dhparams.pem.age;
      mode = "440";
      group = "nginx";
    };
    networking.hosts = {
      "192.168.100.12" = [auth.domain];
    };
    rekey.secrets.acme-credentials = {
      file = ./secrets/acme-credentials.age;
      mode = "440";
      group = "acme";
    };
    security.acme = {
      acceptTerms = true;
      defaults = {
        inherit (acme) email;
        dnsProvider = "cloudflare";
        credentialsFile = config.rekey.secrets.acme-credentials.path;
        dnsPropagationCheck = true;
      };
      certs = lib.genAttrs acme.domains (domain: {
        extraDomainNames = ["*.${domain}"];
      });
    };
    users.groups.acme.members = ["nginx"];
    # TODO needed in my current testing network that has no ipv6 connectivity
    # TODO but these should use fallback......... something's wrong
    systemd.network.networks."10-wan".networkConfig.DNS = ["1.1.1.1" "8.8.8.8"];
    # TODO reload nginx when acme is renewed
    # TODO make default nginx config in core to reduce boilerplate?
    services.nginx = let
      # TODO not implemented well
      # TODO not implemented well
      # TODO not implemented well
      # TODO not implemented well
      # TODO not implemented well
      # TODO not implemented well
      # TODO not implemented well
      # TODO not implemented well
      # TODO (acme.domains is very specific)
      # TODO (security.acme causes recursion)
      matchingWildcardCert = domain: let
        # Filter all certs that are wildcard certs and which match the given domain
        matchingCerts =
          lib.filter
          (x: !lib.hasInfix "." (lib.removeSuffix ".${x}" domain))
          acme.domains;
      in
        assert lib.assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
          lib.head matchingCerts;
    in {
      enable = true;
      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # SSL config
      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
      sslDhparam = config.rekey.secrets."dhparams.pem".path;
      commonHttpConfig = ''
        error_log syslog:server=unix:/dev/log;
        access_log syslog:server=unix:/dev/log;
        ssl_ecdh_curve secp384r1;
      '';
      upstreams."kanidm" = {
        servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
        extraConfig = ''
          zone kanidm 64k;
          keepalive 2;
        '';
      };
      virtualHosts.${auth.domain} = {
        forceSSL = true;
        useACMEHost = matchingWildcardCert auth.domain;
        locations."/".proxyPass = "https://kanidm";
        # Allow using self-signed certs to satisfy kanidm's requirement
        # for TLS connections. (This is over wireguard anyway)
        extraConfig = ''
          proxy_ssl_verify off;
        '';
      };
    };
    networking.firewall.allowedTCPPorts = [80 443];
    networking.nftables.firewall.rules = lib.mkForce {
      local-vms-to-local.allowedTCPPorts = [8300];
    };
    # systemd.services.kanidm = let
    #   cfg = config.services.kanidm;
    #   certName = config.services.nginx.virtualHosts.${cfg.serverSettings.domain}.useACMEHost;
    # in {
    #   requires = [ "acme-finished-${certName}.target" ];
    #   serviceConfig.LoadCredential = let
    #     certDir = config.security.acme.certs.${certName}.directory;
    #   in [
    #     "fullchain.pem:${certDir}/fullchain.pem"
    #     "key.pem:${certDir}/key.pem"
    #   ];
    # };
    services.kanidm = {
      enableServer = true;
      # enablePAM = true;
      serverSettings = {
        inherit (auth) domain;
        origin = "https://${config.services.kanidm.serverSettings.domain}";
        #tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
        #tls_key = "/run/credentials/kanidm.service/key.pem";
        tls_chain = config.rekey.secrets."kanidm-self-signed.crt".path;
        tls_key = config.rekey.secrets."kanidm-self-signed.key".path;
        bindaddress = "${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300";
        trust_x_forward_for = true;
      };
      enableClient = true;
      clientSettings = {
        uri = config.services.kanidm.serverSettings.origin;
        verify_ca = true;
        verify_hostnames = true;
      };
    };
    environment.systemPackages = [pkgs.kanidm];
  };
 }
--- a/hosts/ward/grafana.nix
+++ b/hosts/ward/grafana.nix
@ -1 +0,0 @@
 {}
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -3,7 +3,7 @@
  lib,
  ...
 }: let
-  inherit (config.lib.net) ip cidr;
+  inherit (config.lib.net) cidr;
  lanCidrv4 = "192.168.100.0/24";
  lanCidrv6 = "fd00::/64";
@ -165,7 +165,7 @@ in {
            interface = "lan-self";
            subnet = lanCidrv4;
            pools = [
-              {pool = "${cidr.host 20 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";}
+              {pool = "${cidr.host 40 lanCidrv4} - ${cidr.host (-6) lanCidrv4}";}
            ];
            option-data = [
              {
--- a/hosts/ward/node_exporter.nix
+++ b/hosts/ward/node_exporter.nix
@ -1 +0,0 @@
 {}
--- a/hosts/ward/prometheus.nix
+++ b/hosts/ward/prometheus.nix
@ -1 +0,0 @@
 {}
--- a/hosts/ward/samba.nix
+++ b/hosts/ward/samba.nix
@ -1 +0,0 @@
 {}
--- a/hosts/ward/secrets/acme-credentials.age
+++ b/hosts/ward/secrets/acme-credentials.age
--- a/hosts/ward/secrets/kanidm-self-signed.crt.age
+++ b/hosts/ward/secrets/kanidm-self-signed.crt.age
--- a/hosts/ward/secrets/kanidm-self-signed.key.age
+++ b/hosts/ward/secrets/kanidm-self-signed.key.age
--- a/hosts/ward/secrets/local.nix.age
+++ b/hosts/ward/secrets/local.nix.age
--- a/hosts/ward/vaultwarden.nix
+++ b/hosts/ward/vaultwarden.nix
@ -42,14 +42,14 @@
  services.nginx = {
    upstreams."vaultwarden" = {
-      servers = {"localhost:8012" = {};};
+      servers."localhost:8012" = {};
      extraConfig = ''
        zone vaultwarden 64k;
        keepalive 2;
      '';
    };
    upstreams."vaultwarden-websocket" = {
-      servers = {"localhost:3012" = {};};
+      servers."localhost:3012" = {};
      extraConfig = ''
        zone vaultwarden-websocket 64k;
        keepalive 2;
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@ -17,7 +17,7 @@
  services.nginx = {
    upstreams."esphome" = {
-      servers = {"unix:/run/esphome/esphome.sock" = {};};
+      servers."unix:/run/esphome/esphome.sock" = {};
      extraConfig = ''
        zone esphome 64k;
        keepalive 2;
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -108,7 +108,7 @@ in {
  services.nginx = {
    upstreams."homeassistant" = {
-      servers = {"localhost:${toString haPort}" = {};};
+      servers."localhost:${toString haPort}" = {};
      extraConfig = ''
        zone homeassistant 64k;
        keepalive 2;
--- a/hosts/zackbiene/net.nix
+++ b/hosts/zackbiene/net.nix
@ -5,8 +5,8 @@
 }: let
  inherit (config.lib.net) cidr;
-  net.iot.ipv4cidr = "10.90.0.1/24";
+  iotCidrv4 = "10.90.0.0/24";
-  net.iot.ipv6cidr = "fd90::1/64";
+  iotCidrv6 = "fd90::/64";
 in {
  networking.hostId = config.repo.secrets.local.networking.hostId;
@ -23,7 +23,10 @@ in {
      linkConfig.RequiredForOnline = "routable";
    };
    "10-wlan1" = {
-      address = [net.iot.ipv4cidr net.iot.ipv6cidr];
+      address = [
        (cidr.hostCidr 1 iotCidrv4)
        (cidr.hostCidr 1 iotCidrv6)
      ];
      matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
      linkConfig.RequiredForOnline = "no";
    };
--- a/hosts/zackbiene/nginx.nix
+++ b/hosts/zackbiene/nginx.nix
@ -34,6 +34,8 @@
    sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
    sslDhparam = config.rekey.secrets."dhparams.pem".path;
    commonHttpConfig = ''
      error_log syslog:server=unix:/dev/log;
      access_log syslog:server=unix:/dev/log;
      ssl_ecdh_curve secp384r1;
    '';
  };
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@ -32,7 +32,7 @@
  services.nginx = {
    upstreams."zigbee2mqtt" = {
-      servers = {"localhost:8072" = {};};
+      servers."localhost:8072" = {};
      extraConfig = ''
        zone zigbee2mqtt 64k;
        keepalive 2;
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@ -32,6 +32,7 @@
    types
    ;
  parentConfig = config;
  cfg = config.extra.microvms;
  inherit (config.extra.microvms) vms;
  inherit (config.lib) net;
@ -103,7 +104,7 @@
        // node.specialArgs;
      inherit (node) pkgs;
      inherit (vmCfg) autostart;
-      config = {
+      config = {config, ...}: {
        imports = [microvm.microvm] ++ cfg.commonImports ++ node.imports;
        microvm = {
@ -156,7 +157,7 @@
        extra.networking.renameInterfacesByMac.${vmCfg.networking.mainLinkName} = mac;
        systemd.network.networks = let
-          wgConfig = config.extra.wireguard."${nodeName}-local-vms".unitConfName;
+          wgConfig = parentConfig.extra.wireguard."${nodeName}-local-vms".unitConfName;
        in {
          # Remove requirement for the wireguard interface to come online,
          # to allow microvms to be deployed more easily (otherwise they
@ -204,13 +205,19 @@
        networking.nftables.firewall = {
          zones = mkForce {
            "${vmCfg.networking.mainLinkName}".interfaces = [vmCfg.networking.mainLinkName];
-            local-vms.interfaces = ["local-vms"];
+            local-vms.interfaces = [config.extra.wireguard."${nodeName}-local-vms".linkName];
          };
          rules = mkForce {
            "${vmCfg.networking.mainLinkName}-to-local" = {
              from = [vmCfg.networking.mainLinkName];
              to = ["local"];
              inherit
                (config.networking.firewall)
                allowedTCPPorts
                allowedUDPPorts
                ;
            };
            local-vms-to-local = {
--- a/secrets/wireguard/ward-local-vms/keys/ward-nginx.age
+++ b/secrets/wireguard/ward-local-vms/keys/ward-nginx.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 +S2DEXP2FxIlF3HeWNul/QHE4fuVwv7ausZO8C1Yvko
 USoULC2zp6mkLEGQFc4ELAotOQkq85yjfC3ImZQe6g0
 -> piv-p256 xqSe8Q AuVsMp2nyVB5I6ae7X4rnTT6gH/AyOwkVH5C8qRzenCu
 QLdaqASucS24wx5LuoFVD+LBdgsd+wGITMhJBOCrqpY
 -> z&m(b4Nw-grease ,&}.>' UWDXz
 adqzHHC2X08jrZz0h0y+MuJHM6/kuSUNad8+19cY88IRTF2ujQnoDVDS
 --- 8dc8Ta84I8RY7YGIcEuZStaEncGXv1uwJw2ncy3QgtU
 Æàr}÷jãEŒA]ˆ¥ÒW˜4gù3“æòAº"ð¹È¤¡Êš
 ™ruî¥ž3Î_…E �/ŽöœztKÉß”ë¢Ýˆ°ÔI/°‚‹}Ïò*
--- a/secrets/wireguard/ward-local-vms/keys/ward-nginx.pub
+++ b/secrets/wireguard/ward-local-vms/keys/ward-nginx.pub
@ -0,0 +1 @@
 Zs0W99JiuCv1F3NMTp/PcMBrt1bzWttJWNEh00Freyw=
--- a/secrets/wireguard/ward-local-vms/psks/ward+ward-nginx.age
+++ b/secrets/wireguard/ward-local-vms/psks/ward+ward-nginx.age
--- a/secrets/wireguard/ward-local-vms/psks/ward-nginx+ward-test.age
+++ b/secrets/wireguard/ward-local-vms/psks/ward-nginx+ward-test.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 95jd7mMbmilIpQbvDmu48FfMFZZbkioExF8KTw3fNXI
 CxWXmbD6kArjmJ2Y4lYVcwaQghWyJzS6DsQ4djspUf4
 -> piv-p256 xqSe8Q A13AOGXe31ASOihylki3jl8xCxp2bh2lYnzQC44Rbe10
 +R8gYDIFyANNPLvdQcq8+67dy+tFcVqS/7rYAbN7pz8
 -> 6q.AXp(-grease
 GJOOcphfNDKW
 --- E/iTzPRKqfS52YBWVcbVAak5koIxmdanzTXRt/5MZnM
 ÃÛ¸›6çî¬‹W®ní?W}7Jp[Bêo|T¸:ûÓÞT¹¿˜]Ykû¤¿ŠBŸ‡èò‰oÞ½6zqVŒ’?+ˆë^Mž�*/ˆ¶Ö
		`@ -0,0 +1 @@`
							`Zs0W99JiuCv1F3NMTp/PcMBrt1bzWttJWNEh00Freyw=`