natto1784/dotfiles
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

changed root cert and TLS locations

Browse Source
This commit is contained in:
Amneesh Singh
2022-01-21 14:55:10 +05:30
parent 436a6dfa34
commit 72ea26c17e
7 changed files with 74 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
cert.pem
View File

@@ -1,29 +1,29 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIE6zCCAtOgAwIBAgIUNNSWTkJnI0dCgQaJdOCX3JAWHc0wDQYJKoZIhvcNAQEL MIIE6zCCAtOgAwIBAgIUYwGtP4yx0u86Vhmz/QMYny9UZNkwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAwwJMTAuNTUuMC4yMB4XDTIxMDYyNTEzNTYzMFoXDTIyMDYy BQAwFDESMBAGA1UEAwwJMTAuNTUuMC4yMB4XDTIyMDEyMTA3NTI1M1oXDTMyMDEx
NTEzNTYzMFowFDESMBAGA1UEAwwJMTAuNTUuMC4yMIICIjANBgkqhkiG9w0BAQEF OTA3NTI1M1owFDESMBAGA1UEAwwJMTAuNTUuMC4yMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAxMeQxG3pdasufk1FoJHs9gB9SjV8KwDtp3fWrF9IvU+Y AAOCAg8AMIICCgKCAgEA8WLjrsuY8F1dAIVxYDwZSl8IXh2msJJw/mQlpKXS4UKm
S/AemARwcublbom8VHfAKAQymUd6ySPrxtfGfY3/p1gfiYVQDEW6tEpLas5mkrPG ypwYNuV/onEwqX+J4j09+IKFD5CDOXJ6ttUkdYRBt+sJ3irR82PBJWw1VN0Hx4XX
zKY3L7ORCuCcxCc6gJZIjSHQv4LpJutcsJDvGiwrw+2M+8mMD2EL0QHT8zYMefhV 4ln8nVyZzM5DXERGjk9odN0B0ItKrYR7IoX4peabuU8mHamLbnO0k2TOjChFqFC1
Rm9opkcgzE9uWzyzlgqEEVu7FFkBIc6s0f27ZQzYtSrabU0qeCc3jrxlux/0jupM 1C7m2KRJ8RSAP17oYnwi7zUs8ZCBHaoxD1mhcCrCTgA2fGiv1CAtkoYuPLabxgwA
73LG79CvPo3sTocDmol2Rqi85OE7KuR7CgMqa5ZkR4uLLTnp8Zia0Ha4UuMRANHN o9flmw+s2f95dGmWAybKzRGHXXy26CfU0HWwujkEPWORwuh2aISY+nVY+jigqae8
FxIfnXcTgkx8SQZH9JH8GAD1af5CJFvdJ1AB6QvnTSPoEGVDVlAJhq0CIakMdA/b 5SuL2qHnQW5CxViUjG8tzsuSq/Tad+EbQ8UsxjPgzoD3NdK0Ynk4vUKoBShVPqkk
HALiM1+o7M39HyHv2f8UZ2CsESmCpgxVsISCKkVeGt4VrsvgxmJU+NQPGci8Vgwx Psut7eaVykJ7E3Epv/BnJlvfTvqnR0VwCI5A0QQd37inBU2Qlv5cK3sKKmN4xdMt
Vv5KueenzfmyX1DYRm1IJz4IufG3wypGSMWwrIDFCLfFhBm1buJLdU+mLddD+jA3 r26eVYG05u+d3PbC7GW/Ocydu74U8vUtBN/ev5QzYFPwjz6shabfIRdjNy1o38tX
tc0JnxB7VINEhb0DiK1OuxeRhRrp6IjDUurMdQ+euyTToJAttfm0USUQx+43aNot CZjCvdh19WJinQjCoRqBMqD29pM7QBb4ubn4Yj2xTdGu5jbeHwSwk5aof3kZi7OD
hd4ZwfX43oN//N+wGr0gKENmO5mF95mQTmPdH+1JlKsyMgXoWerezE8kFsCfK6Z6 yZJvidkz1xwvTfhDFIMmGwdEofeVcn3UpYzTN8/+6dQVk1SyGHf1+UOe3d8xcXQf
1eEvaFtqsPYN/dmXQRQQGW80iQKPFdmwk33KyH5TLBSLDlJCuz/ml9HC6CSQ+zMC KEHOJsOlq9W54VtAj+WfPvAEF6dI8GdIMc9rjvPVUWtJdEYIVA1RL20tt0CL1BkC
AwEAAaM1MDMwCwYDVR0PBAQDAgQwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1Ud AwEAAaM1MDMwCwYDVR0PBAQDAgQwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1Ud
EQQIMAaHBAo3AAIwDQYJKoZIhvcNAQELBQADggIBAAMB4ykzYA6bAPRftL82VrkM EQQIMAaHBAo3AAIwDQYJKoZIhvcNAQELBQADggIBABElHiY1vOY2ksNNAr/McpgH
Ls8p5xdXogiE68QegoGVIV1R4j6JEotPSdDsvt5B77RVgL1aJ/rIsjfX26IkN9me 1OHhQhMt91Ah1fXsyo25MebTq2MUz5E/csBaHU+iRHVJ2IDhKh9xQtzvvnuLHSHe
wTE0NlhOSWY2ShsPJ9YRHPV0UAyrzE0KPVqnpeQWuS6Vt7aNaAcNXR/Xgs+DJCab of7Tm4GkHpeTq8p8FuCP7r6BN7ehJm4z9zewExPP6QtRXgkJsOeud47yKCgW/9sH
SfWN6uZHbgYxoMzbV7Xk5HOinJmxt2r31+LZL4rCUajobpNdod6a1s2XQz8vwKgA UVwUSB0pBpz8E87VbxnAqbjpfAWY2L5y/7o/g6iaX5Kwn5mNtgWHrjTD1Itdl738
c7tUEfTe48YOXeLT4GcugYDL+JliaDTwXWJ5VzQByJeBvwLsggVRBtsxT2tbr0iT +ESurei7JDBF0zJAEDxqvIuuVl1rkoTru7MaCT12Y9tfWYUyYDbXgZ3daIrAhnWs
FBPRK+vT20vZVACzxUlRpvzUGau16IdzF2u8/KO+0Zbpm9k/EzPRvJcxt5mBp+Mh ZZveNOLbtpB1099L/sdsbITfNg4pDtMvOTp3NCN4jkt+vFopwMpUYxXSADrJ14MJ
joqTtp3SG/nCbs+6z8FYzZYHzWPHg1YdcZcnWj7YUDDIZLLJMX+0hGUcWLKV9+MV 3dUdYtlFcqtP7j2Da74ldw+5U7T8DJi8fOQ+KpNpGaE+OG+X9pl+1QPdisRBADuc
VCGpRGY8IZ+Ke3KN0J0IkJLfERezQdyVrSJlgvKAjICQ4dboLCFFm1EvEp/beSnW pCDFgAitiL9XUnErlm6G+pbgFdC2sXRDsBfawp9ApWOCdNb5VQ9KwJPoD1ZxQBkx
9STGWRREyId7e3UeL0EBnISd3ym7O+oY2QcbCTj+WPaFefovwBfixG4AFEJlJsYp x/7eCtKy6q6XyPkT/Feib0R1Fsiet6PYaCt9sWercvEogqgJSVbtihebj0z5Bl2W
1gQClz28AvDT6aDYSKWodQKXSbz5j0BLG5ez7IBEdvXzmcZU53kKmn5oW9pE7q2M q3j22H7UL/P5yiQlDs4t+OUfDVd3wk9l5DD+b8jhawuOSYwbUU8X+fex+8nt08AY
0OCu628xx51ePG2FgF50vvA5rzJjDIN+vwS+oBSNKG8KscsxGt3V4g3Hmzzh9qg+ MxKS3xXoO872XiW4zq6ymOyGzpTZRkPywQzrQdpjrs4umJa8hFf207liMWdHflte
LUHIEflezPJoCBc1CBBm sr09NMvxcPr+WNEuKV6r
-----END CERTIFICATE----- -----END CERTIFICATE-----

4
flake.nix
View File

@@ -110,7 +110,7 @@
Marisa = nixpkgs.lib.nixosSystem { Marisa = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
./hosts/servers/marisa.nix ./hosts/marisa
#inputs.mailserver.nixosModules.mailserver #inputs.mailserver.nixosModules.mailserver
{ {
nixpkgs.pkgs = self.legacyPackages.aarch64-linux; nixpkgs.pkgs = self.legacyPackages.aarch64-linux;
@@ -124,7 +124,7 @@
Remilia = nixpkgs.lib.nixosSystem { Remilia = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/servers/remilia.nix ./hosts/remilia
inputs.mailserver.nixosModules.mailserver inputs.mailserver.nixosModules.mailserver
{ {
nixpkgs.pkgs = self.legacyPackages.x86_64-linux; nixpkgs.pkgs = self.legacyPackages.x86_64-linux;

1
hosts/marisa/default.nix
View File

@@ -7,6 +7,5 @@
./boot.nix ./boot.nix
./services.nix ./services.nix
]; ];
programs.gnupg.agent.enable = pkgs.lib.mkForce false;
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }

2
hosts/marisa/networking.nix
View File

@@ -3,7 +3,7 @@
networking = { networking = {
hostName = "Marisa"; hostName = "Marisa";
firewall = { firewall = {
allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4445 ]; allowedTCPPorts = [ 22 80 6060 5001 8800 8888 4444 4445 4646 ];
allowedUDPPorts = [ 17840 ]; allowedUDPPorts = [ 17840 ];
}; };
wireless = { wireless = {

55
hosts/marisa/services.nix
View File

@@ -1,36 +1,58 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
{ {
systemd.services.nomad.after = [ "consul.service" ];
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
permitRootLogin = "yes"; permitRootLogin = "yes";
}; };
/* nomad = { nomad = {
enable = true; enable = false;
enableDocker = true; enableDocker = true;
settings = { settings = {
bind_addr = "0.0.0.0";
data_dir = "/var/lib/nomad"; data_dir = "/var/lib/nomad";
datacenter = "n1";
log_file = "/var/log/nomad/nomad.log";
server = { server = {
enable = true; enabled = true;
bootstrap_expect = 1; bootstrap_expect = 1;
encrypt = "nY1vuN+1ecJkwJu0s2x6Ge6UX/txvTxVqNrDMqruMlg=";
};
client = {
enabled = true;
}; };
vault = { vault = {
enabled = true; enabled = true;
address = "https://10.55.0.2:6060"; token = "s.WaNfk6ZISRbwsEx43UokG3HU";
ca_path = "../../cert.pem"; address = "https://10.55.0.2:8800";
ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/vault/cert.pem"; cert_file = "/var/vault/cert.pem";
key_file = "/var/vault/key.pem"; key_file = "/var/vault/key.pem";
# allow_unauthenticated = true; allow_unauthenticated = false;
create_from_role = "nomad-cluster"; create_from_role = "nomad-cluster";
}; };
consul = {
address = "10.55.0.2:4444";
ssl = true;
allow_unauthenticated = false;
auto_advertise = true;
server_auto_join = true;
client_auto_join = true;
ca_file = "/var/certs/cert.pem";
cert_file = "/var/vault/cert.pem";
key_file = "/var/vault/key.pem";
};
acl = {
enabled = true;
};
};
}; };
};*/
vault = { vault = {
package = pkgs.vault-bin; package = pkgs.vault-bin;
enable = true; enable = true;
tlsCertFile = "/var/certs/cert.pem"; tlsCertFile = "/var/rootcert/cert.pem";
tlsKeyFile = "/var/certs/key.pem"; tlsKeyFile = "/var/rootcert/key.pem";
address = "0.0.0.0:8800"; address = "0.0.0.0:8800";
storageBackend = "file"; storageBackend = "file";
storagePath = "/var/lib/vault"; storagePath = "/var/lib/vault";
@@ -40,7 +62,7 @@
''; '';
}; };
consul = { consul = {
enable = true; enable = false;
webUi = true; webUi = true;
extraConfig = rec { extraConfig = rec {
bootstrap = true; bootstrap = true;
@@ -55,8 +77,10 @@
connect = { connect = {
enabled = true; enabled = true;
}; };
encrypt = "zdlcIl2Z4D01SdNQMv6fSfBN6OkQU10LAyPvwdQDwn4="; encrypt = "dXoYbVt1Rb1cTFTWVBGO6CaFIBmc90MPCjhqttBlXi0=";
ca_file = "../../cert.pem"; ca_file = "/var/rootcert/cert.pem";
cert_file = "/var/certs/cert.pem";
key_file = "/var/certs/key.pem";
ports = { ports = {
http = 4444; http = 4444;
grpc = 4445; grpc = 4445;
@@ -68,8 +92,8 @@
settings = { settings = {
vault = { vault = {
address = "https://10.55.0.2:8800"; address = "https://10.55.0.2:8800";
client_cert = "/var/vault/cert.pem"; client_cert = "/var/certs/cert.pem";
client_key = "/var/vault/key.pem"; client_key = "/var/certs/key.pem";
}; };
auto_auth = { auto_auth = {
method = [ method = [
@@ -139,7 +163,6 @@
}; };
}; };
}; };
# systemd.services.consul.serviceConfig.Type = "notify";
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw"

4
hosts/remilia/services.nix
View File

@@ -33,8 +33,8 @@
settings = { settings = {
vault = { vault = {
address = "https://10.55.0.2:8800"; address = "https://10.55.0.2:8800";
client_cert = "/var/vault/cert.pem"; client_cert = "/var/certs/cert.pem";
client_key = "/var/vault/key.pem"; client_key = "/var/certs/key.pem";
}; };
auto_auth = { auto_auth = {
method = [ method = [

6
hosts/satori/services.nix
View File

@@ -13,12 +13,12 @@
}; };
};*/ };*/
vault-agent = { vault-agent = {
enable = true; enable = false;
settings = { settings = {
vault = { vault = {
address = "https://10.55.0.2:8800"; address = "https://10.55.0.2:8800";
client_cert = "/var/vault/cert.pem"; client_cert = "/var/certs/cert.pem";
client_key = "/var/vault/key.pem"; client_key = "/var/certs/key.pem";
}; };
auto_auth = { auto_auth = {
method = [ method = [