wireguard: initial commit

This commit is contained in:
Benjamin Yule Bädorf 2024-04-03 20:54:40 +02:00 committed by b12f
parent 6748e44824
commit eacf60974c
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
12 changed files with 131 additions and 64 deletions


@ -39,7 +39,7 @@
imports = [
inputs.nixos-flake.flakeModule
./public-keys
./logins
./lib
./overlays
./modules
@ -63,6 +63,7 @@
deploy-rs
nixpkgs-fmt
agenix
age-plugin-yubikey
cachix
editorconfig-checker
nodePackages.prettier


@ -1,4 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
flake,
... }:
{
networking.hostName = "nachtigall";
@ -21,4 +25,28 @@
];
networking.defaultGateway = "138.201.80.65";
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
networking.firewall.allowedUDPPorts = [ 51899 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51899;
mtu = 1300;
ips = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{ # flora6
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ ];
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
];
};
};
}
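Review bot: The flora6 peer in the second hunk is configured with `allowedIPs = [ ];`, so WireGuard's cryptokey routing will neither route any traffic to that peer nor accept packets from it, and with no `endpoint` on the peer the `persistentKeepalive` and `dynamicEndpointRefreshSeconds` settings have nothing to act on. If flora6 is meant to be reachable over `wg-ssh`, give the peer its tunnel address and endpoint, e.g. `allowedIPs = [ "<flora6-tunnel-ipv4>/32" "<flora6-tunnel-ipv6>/128" ];` and `endpoint = "<flora6-public-host>:<port>";`; otherwise drop the peer until the flora6 side is in place. A one-line comment above the `peers` list stating what `wg-ssh` is for (the name suggests SSH-only reachability) and why `mtu = 1300` was chosen would help the next person touching this host.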

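--- /dev/null
+++ b/logins/admins.nix
@@ -0,0 +1,43 @@
+{
+axeman = rec {
+sshPubKeys = {
+axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
+};
+secretEncryptionKeys = sshPubKeys;
+};
+b12f = rec {
+sshPubKeys = {
+b12f-gpg = "ssh-rsa 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 yubi-gpg";
+};
+secretEncryptionKeys = {
+bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
+yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q";
+yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7";
+} // sshPubKeys;
+wireguardDevices = [
+];
+};
+hensoko = rec {
+sshPubKeys = {
+hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
+hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
+};
+secretEncryptionKeys = sshPubKeys;
+};
+teutat3s = {
+sshPubKeys = {
+teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
+};
+secretEncryptionKeys = {
+teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+};
+};
+}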
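Review bot: `wireguardDevices` is declared only in the `b12f` block, but logins/default.nix reads `adminConfig.wireguardDevices` for every admin, and the fold there keeps the value of the last admin in attribute order (`teutat3s`), which has no such attribute — so forcing `flake.self.logins.admins.wireguardDevices`, as the nachtigall peer list does, fails with a missing-attribute error. Either add `wireguardDevices = [ ];` to `axeman`, `hensoko` and `teutat3s`, or have the consumer default it with `adminConfig.wireguardDevices or [ ]`. A short header comment spelling out the per-admin shape — `sshPubKeys` for login, `secretEncryptionKeys` for age recipients, `wireguardDevices` for WireGuard peer attrsets — would make that contract explicit for the next admin added here.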

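--- /dev/null
+++ b/logins/default.nix
@@ -0,0 +1,14 @@
+{ lib, ... }: let
+admins = import ./admins.nix;
+robots = import ./robots.nix;
+in {
+flake = {
+logins = {
+admins = lib.lists.foldl (logins: adminConfig: logins // {
+sshPubKeys = lib.attrsets.attrValues adminConfig.sshPubKeys;
+wireguardDevices = adminConfig.wireguardDevices;
+}) {} (lib.attrsets.attrValues admins);
+robots.sshPubKeys = lib.attrsets.attrValues robots;
+};
+};
+}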
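Review bot: The fold that builds `admins` overwrites `sshPubKeys` and `wireguardDevices` on every step (`logins // { ... }`) instead of accumulating them, so `flake.self.logins.admins.sshPubKeys` ends up holding only the keys of the last admin in attribute order (`teutat3s`); since this commit wires that list into `authorizedKeys` for root, the initrd SSH host and the admin user, every other admin is locked out once it deploys. Accumulate with `++`, as `adminKeys` in secrets/secrets.nix already does: `sshPubKeys = (logins.sshPubKeys or [ ]) ++ lib.attrsets.attrValues adminConfig.sshPubKeys;` and `wireguardDevices = (logins.wireguardDevices or [ ]) ++ (adminConfig.wireguardDevices or [ ]);` — the `or [ ]` on the right also tolerates admins that declare no `wireguardDevices`. `lib.concatMap` over `lib.attrValues admins` would say the same thing without the accumulator.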


@ -10,7 +10,7 @@
# Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.publicKeys.admins;
authorizedKeys = flake.self.logins.admins.sshPubKeys;
};
# this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue


@ -4,12 +4,12 @@
group = flake.self.username;
extraGroups = [ "wheel" "docker" ];
isNormalUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
};
users.groups.${flake.self.username} = { };
# TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
users.users.hakkonaut = {
description = "CI and automation user";
@ -19,7 +19,7 @@
uid = 998;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = flake.self.publicKeys.robots;
openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
};
users.groups.hakkonaut = { };


@ -1,13 +0,0 @@
{
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
b12f-yubi-backup = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup";
b12f-gpg = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVbUEOgciblRPOCaCkkwfYoKLjmJ6JKxnfg6MY7sN3W1/N4AsC27bvYPkYI66d4M3Ygi6nztaUrIIKBOPZrQtS0vx1jqosmcDwBMttNI7u4LdSDjGMEGB4zJdfR60HFuzpSNaBI/nKMWcAxr8v1KODy/mKTQ7fnMDN15OhvE7sAZe26B6IptUbG1DLuouezd4AW0OwQ3c6hVIuv5eF96OKrwFZ9XpNyYAashy8WTYqJWJRb71DV8oiqT9b3sN0Dy+7nUAPcLvJdwUDGjHQvnklgFUupKtrPhpRWqgJ41l4ebb1DCxmoL2zpdVohUK4eVC9ELdplvXtK+EJIJ1lKcDAYduYcxk//3+EdUDH0IkfXvz0Tomryu2BeyxURdMPzQh+ctHUWNI49tByx/mWrEqSu+XdgvtcumVg+jNUZKL9eA++xxuOan7H/OyshptLugZHd2e9JNM34NEOUEptq7LtHD5pEdXRV1ZT1IOsuSoDtdX14GeP2GSl21eKLnvSu9g8nGULIsx9hI3CrrlvvL9JU+Aymb4iEvqLhDeUNE643uYQad6P2SuK0kLQ/9Ny0z3y6bgglGn2uDUiAOPd8c+gFRRkMWvAWjWQi3iIR9TYBS4Z+CeYmUv8X2UCRcQPBn1wt69rvE9RcfHqRLZTUE5SpstQ0rXLinXmRA/WQV5Bdw== yubi-gpg";
b12f-464-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464";
b12f-485-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485";
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
}


@ -0,0 +1 @@
AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837


@ -0,0 +1 @@
AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7


@ -1,21 +1,10 @@
let
# set ssh public keys here for your system and user
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
b12f-bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
admins = import ../logins/admins.nix;
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
baseKeys = [
axeman-1
b12f-bbcom
hensoko-1
hensoko-2
teutat3s-1
];
adminKeys = builtins.foldl' (keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)) [] (builtins.attrValues admins);
nachtigallKeys = [
nachtigall-host
@ -27,48 +16,51 @@ let
in
{
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
"nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ baseKeys;
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys;
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys;
"searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys;
"drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys;
"drone-secrets.age".publicKeys = flora6Keys ++ baseKeys;
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
"drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys;
"drone-secrets.age".publicKeys = flora6Keys ++ adminKeys;
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys;
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
"grafana-admin-password.age".publicKeys = flora6Keys ++ adminKeys;
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys;
"grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
}
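Review bot: Changing the recipient set in this file does not touch the existing ciphertexts, so the yubikey recipients that `adminKeys` now pulls in through `secretEncryptionKeys` cannot decrypt any of the listed `.age` files until they are re-encrypted with agenix's rekey (`agenix -r`); the commit should either include that rekey or note it as a follow-up, and the same applies to `nachtigall-wg-private-key.age` and `flora6-wg-private-key.age` once they are created. In the first hunk the manual accumulator can be replaced by `adminKeys = builtins.concatMap (login: builtins.attrValues login.secretEncryptionKeys) (builtins.attrValues admins);`, which reads more directly. `flora6Keys`, used by the wg, forgejo, drone and grafana entries, is not visible in the shown lines of the first hunk and is presumably defined in its elided tail.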