From cfb7c88862478a05275765ca82216b6fc9783cf8 Mon Sep 17 00:00:00 2001 From: oddlama Date: Fri, 9 Jun 2023 23:21:18 +0200 Subject: [PATCH] feat: remove generate-wireguard-keys in favor of agenix-rekey generators --- README.md | 26 ++++++-- flake.lock | 40 ++++++------ modules/wireguard.nix | 12 +++- nix/apps/default.nix | 10 ++- nix/apps/generate-secrets.nix | 39 ------------ nix/apps/generate-wireguard-keys.nix | 92 ---------------------------- nix/lib.nix | 6 +- 7 files changed, 62 insertions(+), 163 deletions(-) delete mode 100644 nix/apps/generate-secrets.nix delete mode 100644 nix/apps/generate-wireguard-keys.nix diff --git a/README.md b/README.md index 3091bd2..dac89e9 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,6 @@ This is my personal nix config. - `default.nix` Collects all apps and generates a definition for a specified system - `draw-graph.nix` (**WIP:** infrastructure graph renderer) - `format-secrets.nix` Runs the code formatter on the secret .nix files - - `generate-wireguard-keys.nix` Generates wireguard keys for each server-and-peer pair - `show-wireguard-qr.nix` Generates a QR code for external wireguard participants - `checks.nix` pre-commit-hooks for this repository - `colmena.nix` Setup for distributed deployment using colmena (actually defines all NixOS hosts) @@ -62,7 +61,7 @@ This is my personal nix config. - fill net.nix - fill fs.nix (you need to know the device by-id paths in advance for formatting to work!) - generate an initrd hostkey if necessary `ssh-keygen -t ed25519 -N "" -f /tmp/key; rage ...` -- run generate-wireguard-keys +- run generate-secrets #### Initial deploy 
@@ -140,13 +139,30 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \ # Recover admin account (server must not be running) > systemctl stop kanidmd > kanidmd recover_account -c server.toml admin -qU6UUdN5PbaetgtjKDttQx6D7XQwa0bBef5N5N0sjchg8gNz +aM4Fk1dvM8AjyYzuVsFuxGkY4PqcVJaZwaHSfvFQGvFkH2Ez > systemctl start kanidmd # Login with recovered root account -> kanidm login -D admin +> kanidm login --name admin # Generate new credentials for idm_admin account > kanidm service-account credential generate -D admin idm_admin -xbwa3tbUefdRBxKqbDYQfW2StqjZYa0zwp6FQRyWXy0dCYUb +cVXKuT9LGpCN0RTjgjEG52bPFANxbPKbT9LjSb3H4K2NeW2g +# Generate new oauth2 app for grafana +> kanidm group create grafana-access +> kanidm group create grafana-server-admins +> kanidm group create grafana-admins +> kanidm group create grafana-editors +> kanidm system oauth2 create grafana "Grafana" https://grafana.${personalDomain} +> kanidm system oauth2 update-scope-map grafana grafana-access openid profile email +> kanidm system oauth2 update-sup-scope-map grafana grafana-server-admins server_admin +> kanidm system oauth2 update-sup-scope-map grafana grafana-admins admin +> kanidm system oauth2 update-sup-scope-map grafana grafana-editors editor +> kanidm system oauth2 show-basic-secret grafana +# Add new user +> kanidm login --name idm_admin +> kanidm person create myuser "My User" +> kanidm person update myuser --legalname "Full Name" --mail "myuser@example.com" +> kanidm group add_members grafana-access myuser +> kanidm group add_members grafana-server-admins myuser ``` diff --git a/flake.lock b/flake.lock index 6af0e0a..7638077 100644 --- a/flake.lock +++ b/flake.lock 
@@ -31,10 +31,12 @@ ] }, "locked": { - "lastModified": 1686159246, - "narHash": "sha256-6+u3Ed6rsYKJ1gnjt1DoEnxgF6Xmi4qPFUy7OBEiN5E=", - "type": "git", - "url": "file:///root/projects/agenix-rekey" + "lastModified": 1686343990, + "narHash": "sha256-/XkX73eAccg0l+2plLpDQHX4bl4sk2enSRwxUzuCcsc=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "1dd5cf245e842c4b698b537a7097c417f2912efe", + "type": "github" }, "original": { "owner": "oddlama", @@ -117,11 +119,11 @@ ] }, "locked": { - "lastModified": 1686150639, - "narHash": "sha256-QHorMn3tgvCE0BM4QlNb/7vuquz11cS2ke1GSfmgiPo=", + "lastModified": 1686222354, + "narHash": "sha256-dtqnAwzucKZv54dTrLetIXhOavUrCsdqOe+JtFH9riE=", "owner": "nix-community", "repo": "disko", - "rev": "f1178c6e72b7d8ab2b55990397969324822275eb", + "rev": "5d9f362aecd7a4c2e8a3bf2afddb49051988cab9", "type": "github" }, "original": { @@ -208,11 +210,11 @@ ] }, "locked": { - "lastModified": 1686142265, - "narHash": "sha256-IP0xPa0VYqxCzpqZsg3iYGXarUF+4r2zpkhwdHy9WsM=", + "lastModified": 1686342731, + "narHash": "sha256-GwCwviXcc5nrewuFwtsrxys8srrZcI+m8hdIGOt+fHY=", "owner": "nix-community", "repo": "home-manager", - "rev": "39c7d0a97a77d3f31953941767a0822c94dc01f5", + "rev": "0945875a2a20de314093b0f9d4d5448e9b4fdccb", "type": "github" }, "original": { @@ -258,11 +260,11 @@ ] }, "locked": { - "lastModified": 1686092477, - "narHash": "sha256-ewXevzxR3FGhI5ip1QX+jCAQW2En9BTwBI9+kGip9DA=", + "lastModified": 1686244773, + "narHash": "sha256-AtS5u3Qfrvtd1OiaRugEWKymbm6kwd7DGYiCiV8x3/U=", "owner": "astro", "repo": "microvm.nix", - "rev": "c6416c6b9fed22b71f526720cb120b0218c51b62", + "rev": "8f759ded0bbc7728738b064516a879b36ee115b9", "type": "github" }, "original": { 
@@ -309,11 +311,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1684899633, - "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=", + "lastModified": 1686217350, + "narHash": "sha256-Nb9b3m/GEK8jyFsYfUkXGsqj6rH05GgJ2QWcNNbK7dw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d", + "rev": "e4b34b90f27696ec3965fa15dcbacc351293dc67", "type": "github" }, "original": { @@ -386,11 +388,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1686050334, - "narHash": "sha256-R0mczWjDzBpIvM3XXhO908X5e2CQqjyh/gFbwZk/7/Q=", + "lastModified": 1686213770, + "narHash": "sha256-Re6xXLEqQ/HRnThryumyGzEf3Uv0Pl4cuG50MrDofP8=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "6881eb2ae5d8a3516e34714e7a90d9d95914c4dc", + "rev": "182af51202998af5b64ddecaa7ff9be06425399b", "type": "github" }, "original": { diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 3a3c307..951fb84 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -158,7 +158,7 @@ ${peerPresharedKeySecret nodeName other} = { rekeyFile = peerPresharedKeyPath nodeName other; owner = "systemd-network"; - # TODO gen func + generator.script = {pkgs, ...}: "${pkgs.wireguard-tools}/bin/wg genpsk"; }; }) neededPeers) @@ -166,7 +166,15 @@ ${peerPrivateKeySecret nodeName} = { rekeyFile = peerPrivateKeyPath nodeName; owner = "systemd-network"; - # TODO gen func + generator.script = { + pkgs, + file, + ... + }: '' + ${pkgs.wireguard-tools}/bin/wg genkey \ + | tee /dev/stdout \ + | ${pkgs.wireguard-tools}/bin/wg pubkey > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")} + ''; }; }; diff --git a/nix/apps/default.nix b/nix/apps/default.nix index 59b92ed..3a8463f 100644 --- a/nix/apps/default.nix +++ b/nix/apps/default.nix @@ -2,6 +2,7 @@ pkgs = self.pkgs.${system}; inherit (pkgs.lib) + flip nameValuePair removeSuffix ; 
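Review bot: The new private-key generator in the second wireguard.nix hunk does not hand the key back to its caller as written: inside a pipeline, `tee /dev/stdout` writes to tee's own stdout, which is the pipe into `wg pubkey`, so `wg pubkey` receives the key twice (and, as far as I recall, rejects trailing data) while nothing is left on the generator's stdout for agenix-rekey to encrypt. Capture the key in a variable and emit it last instead: `priv=$(${pkgs.wireguard-tools}/bin/wg genkey)`, `${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}`, `echo "$priv"`. The `.pub` path is derived from `file`, which I assume agenix-rekey passes as a working-tree path (the deleted `relativeToFlake` helper and the `self.outPath` change in lib.nix suggest so) rather than the store path produced by `peerPrivateKeyPath`; worth confirming, since a write into the store would fail silently inside this unchecked pipeline. The enclosing secrets attribute set starts and ends outside the hunk.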
@@ -13,9 +14,12 @@ apps = [ ./draw-graph.nix ./format-secrets.nix - ./generate-secrets.nix - ./generate-wireguard-keys.nix ./show-wireguard-qr.nix ]; in - builtins.listToAttrs (map (appPath: nameValuePair (removeSuffix ".nix" (builtins.baseNameOf appPath)) (mkApp (import appPath args))) apps) + builtins.listToAttrs (flip map apps ( + appPath: + nameValuePair + (removeSuffix ".nix" (builtins.baseNameOf appPath)) + (mkApp (import appPath args)) + )) diff --git a/nix/apps/generate-secrets.nix b/nix/apps/generate-secrets.nix deleted file mode 100644 index 2bb3bd4..0000000 --- a/nix/apps/generate-secrets.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - self, - pkgs, - ... -} @ inputs: let - inherit - (pkgs.lib) - assertMsg - removePrefix - hasPrefix - concatStringsSep - filterAttrs - escapeShellArg - flatten - mapAttrsToList - ; - - inherit (self.extraLib) rageEncryptArgs; - - flakeDir = toString self.sourceInfo.outPath; - relativeToFlake = x: let - xFile = toString x; - in - assert assertMsg (hasPrefix flakeDir xFile) "${xFile} must be a subpath of ${flakeDir}"; - "." + removePrefix flakeDir xFile; - - x = nodeName: nodeCfg: - mapAttrsToList (_: s: '' - echo ${escapeShellArg (relativeToFlake s.file)} - '') (filterAttrs (_: s: s.generate != null) nodeCfg.config.rekey.secrets); -in - pkgs.writeShellScript "generate-secrets" '' - set -euo pipefail - if [[ ! -e flake.nix ]] ; then - echo "this script must be executed from your flake's root directory." >&2; - exit 1 - fi - ${concatStringsSep "\n" (flatten (mapAttrsToList x self.nodes))} - '' diff --git a/nix/apps/generate-wireguard-keys.nix b/nix/apps/generate-wireguard-keys.nix deleted file mode 100644 index becc747..0000000 --- a/nix/apps/generate-wireguard-keys.nix +++ /dev/null 
@@ -1,92 +0,0 @@ -{ - self, - pkgs, - ... -} @ inputs: let - inherit - (pkgs.lib) - attrNames - concatMap - concatMapStrings - concatStringsSep - escapeShellArg - filter - optionalString - removeSuffix - substring - unique - ; - - inherit (self.extraLib) rageEncryptArgs; - - nodeNames = attrNames self.nodes; - wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.extra.wireguard) nodeNames); - - generateNetworkKeys = wgName: let - inherit - (self.extraLib.wireguard wgName) - allPeers - externalPeersForNode - participatingClientNodes - participatingNodes - participatingServerNodes - peerPresharedKeyFile - peerPrivateKeyFile - peerPublicKeyFile - sortedPeers - ; - - # Every peer needs a private and public key. - generatePeerKeys = peerName: let - keyBasename = escapeShellArg ("./" + removeSuffix ".pub" (peerPublicKeyFile peerName)); - pubkeyFile = escapeShellArg ("./" + peerPublicKeyFile peerName); - privkeyFile = escapeShellArg ("./" + peerPrivateKeyFile peerName); - in '' - if [[ ! -e ${privkeyFile} ]] || [[ ! -e ${pubkeyFile} ]]; then - mkdir -p $(dirname ${privkeyFile}) - echo "Generating "${keyBasename}".{age,pub}" - privkey=$(${pkgs.wireguard-tools}/bin/wg genkey) - echo "$privkey" | ${pkgs.wireguard-tools}/bin/wg pubkey > ${pubkeyFile} - ${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$privkey" > ${privkeyFile} \ - || { echo "error: Failed to encrypt wireguard private key for peer ${peerName} on network ${wgName}!" >&2; exit 1; } - else - echo "Skipping existing "${keyBasename}".{age,pub}" - fi - ''; - - # Generates the psk for peer1 and peer2. - generatePeerPsk = { - peer1, - peer2, - }: let - pskFile = escapeShellArg ("./" + peerPresharedKeyFile peer1 peer2); - in '' - if [[ ! 
-e ${pskFile} ]]; then - mkdir -p $(dirname ${pskFile}) - echo "Generating "${pskFile}"" - psk=$(${pkgs.wireguard-tools}/bin/wg genpsk) - ${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$psk" > ${pskFile} \ - || { echo "error: Failed to encrypt wireguard psk for peers ${peer1} and ${peer2} on network ${wgName}!" >&2; exit 1; } - else - echo "Skipping existing "${pskFile}"" - fi - ''; - - # This generates all psks for each combination of peers given. - # xs is a list of peers and fys a function that generates a list of peers - # for any given x. - psksForPeerCombinations = xs: fys: map generatePeerPsk (unique (concatMap (x: map (sortedPeers x) (fys x)) xs)); - in - ["echo ==== ${wgName} ===="] - ++ map generatePeerKeys (attrNames allPeers) - # All server-nodes need a psk for each other, but not reflexive. - ++ psksForPeerCombinations participatingServerNodes (n: filter (x: x != n) participatingServerNodes) - # Each server-node need a psk for all client nodes - ++ psksForPeerCombinations participatingServerNodes (_: participatingClientNodes) - # Each server-node need a psk for all their external peers - ++ psksForPeerCombinations participatingServerNodes (n: attrNames (externalPeersForNode n)); -in - pkgs.writeShellScript "generate-wireguard-keys" '' - set -euo pipefail - ${concatStringsSep "\n" (concatMap generateNetworkKeys wireguardNetworks)} - '' diff --git a/nix/lib.nix b/nix/lib.nix index 8d8a1ee..5607331 100644 --- a/nix/lib.nix +++ b/nix/lib.nix 
@@ -233,16 +233,16 @@ in rec { }; peerPublicKeyFile = peerName: "secrets/wireguard/${wgName}/keys/${peerName}.pub"; - peerPublicKeyPath = peerName: "${../.}/" + peerPublicKeyFile peerName; + peerPublicKeyPath = peerName: "${self.outPath}/" + peerPublicKeyFile peerName; peerPrivateKeyFile = peerName: "secrets/wireguard/${wgName}/keys/${peerName}.age"; - peerPrivateKeyPath = peerName: "${../.}/" + peerPrivateKeyFile peerName; + peerPrivateKeyPath = peerName: "${self.outPath}/" + peerPrivateKeyFile peerName; peerPrivateKeySecret = peerName: "wireguard-${wgName}-priv-${peerName}"; peerPresharedKeyFile = peerA: peerB: let inherit (sortedPeers peerA peerB) peer1 peer2; in "secrets/wireguard/${wgName}/psks/${peer1}+${peer2}.age"; - peerPresharedKeyPath = peerA: peerB: "${../.}/" + peerPresharedKeyFile peerA peerB; + peerPresharedKeyPath = peerA: peerB: "${self.outPath}/" + peerPresharedKeyFile peerA peerB; peerPresharedKeySecret = peerA: peerB: let inherit (sortedPeers peerA peerB) peer1 peer2; in "wireguard-${wgName}-psks-${peer1}+${peer2}";