diff --git a/cert.pem b/cert.pem
new file mode 100644
index 0000000..9c8b7c6
--- /dev/null
+++ b/cert.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE6zCCAtOgAwIBAgIULw+Gpw3Q+bH8lsUs+SKS5RhRrbEwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJMTAuNTUuMC4yMB4XDTIxMDYwNzAyMjQ1NFoXDTIyMDYw
+NzAyMjQ1NFowFDESMBAGA1UEAwwJMTAuNTUuMC4yMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEA0EnwkNg4T+1bvZZDM4NU4BrMMgrKyuFeGTWw+dN0W7NS
+w0CwVkypqIqTHQShDoF1aU3QSHAzaJJyKbQVIOooFml4rJn4FDHGrtEMlg6lv1p3
+mObH35ruizcb0gMCKZsPGc/t7fEk12jDvQIQJtsFUW5XzIpQWkrjXpK5jvZrfAcM
+fk5wRln5atjIOAisA+QIRwbHLpwZvzSOldXlzO+jz2OIrwKt1G/YvjQUmGUabsW3
+SZqGDcobvHWcmRILiqeYCumTXuKlu5EWFKhFu13HFBPdr+AK50IPNVoRIDgMqge5
+E/k235uzC980tx38ApYoO5oT+xGGwwxwYwhw68k7x26Oi71WXWue7bkZHL76JIn/
+diDMptDbrdDDMjp8wOS+eO12MSF0O539reSmpk+p4Afr6HeiCL0RfItPeOiTdh6X
+H/8MdSK0wD5yo2LWexaj5kA9j29gdm9VQJ2ibbF5NliiimF0w1wW92zhbjf7HrJq
+QeprPpOS/Ljzc8USmekCFm04+VwzWTxJ6VsxLrABVO4B2aoLE5FfPoEU0fDZsZQw
+ClwkpWvq6Oxc6wKg8gI5HKVVXTHb/y+v45eVL8AyRZvtdriQ6jMG7newiTiISJFs
+ESblNUs0cEfAnDw+g6Q11srqS6wtMCuagteKHvRkvnByPY28p6yHBaQ5HK8JBoMC
+AwEAAaM1MDMwCwYDVR0PBAQDAgQwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1Ud
+EQQIMAaHBAo3AAIwDQYJKoZIhvcNAQELBQADggIBAANHwzKGXugcsIMZrI/bOz+F
+bTEBIq/L3+mpHlt9Hnxv4RX+cE/k9keR4AHSfDPSz3KG+0FwvPfzLRJYM0znfsv8
+0tETfWaSMlLk7LO0V4jVOzQdvKquPEyRj1DuAGY5X3j6GGKznjWN2QKvvK5+dLVM
+nW0ju5+2IPrC75+Hp5d52oUjtgfkZetUTmFanqZ6bkO3afxeiXVfUhWgoM4SClNK
+Er0Um9ZErzz4r1rk7JSNBWUXjzkdt9NYnrILLYzDvsGzD8y7uAxJWDOsWqhLy0NU
+KFcmEoVAoCQDEynXaSDqFfOeKhcEuNdkgwBYWTkKRcLbQIl1vGM89eLd1gNCv5fM
+IaNF9/hOrhaUPXtCvL3l6+PtUMCcsFvoTrOuag3NVktBFjL6DoWCtcNpDEMNS50L
++LTU0PtSbkkeVut3th8BN2Ts3OeGTFTHkhgpACb0OJQZQHvE3aS5BAImmp8Pgapb
+dwG3eyiPyTroCdgDTbKgrpZJ6i1z9yRzm6nHLJDz4wG9CYPaapU9QzvAm/PSWBPf
+VmjgF1vEq6IRgwtxatdXLkI9hlkkdz78iHaxFd7p42kdsPgyEhTMjmU5RMer4ZFI
+Q5l9vgsnwD4lHwkSkzeH8I4x7Di1VwBi/ZB/7PLGVK4bU8dNRjpVSrWdSFYGPCkP
+waMVK3m6w1uNBKvuEVz1
+-----END CERTIFICATE-----
diff --git a/flake.nix b/flake.nix
index 6a61b7f..12c3f95 100644
--- a/flake.nix
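Review bot: The committed cert.pem is a self-signed end-entity certificate with nothing recording how it was issued or when it lapses; decoding the subject and validity fields suggests CN/SAN 10.55.0.2 and a one-year window starting 2021-06-07, which should be confirmed with `openssl x509 -in cert.pem -noout -subject -dates`. Once it expires, vault-agent's connection to https://10.55.0.2:8800 would presumably fail verification and the wg.key/gitea.key templates stop rendering, so the expiry and the regeneration procedure belong next to the file, e.g. a README line `cert.pem: self-signed TLS cert for the Vault listener (CN=10.55.0.2); regenerate before <notAfter>`. The matching private key is read from /var/certs/key.pem on the host and should stay out of the repository.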
+++ b/flake.nix
@@ -70,6 +70,7 @@
 Marisa = nixpkgs.lib.nixosSystem {
 system = "aarch64-linux";
 modules = [
+ ./modules/vault-agent.nix
 ./hosts/servers/marisa.nix
 inputs.mailserver.nixosModules.mailserver
 {
diff --git a/hosts/servers/marisa/networking.nix b/hosts/servers/marisa/networking.nix
index d8ea489..525cc07 100755
--- a/hosts/servers/marisa/networking.nix
+++ b/hosts/servers/marisa/networking.nix
@@ -3,7 +3,7 @@
 networking = {
 hostName = "Marisa";
 firewall = {
- allowedTCPPorts = [ 22 80 8000 6060 5001 ];
+ allowedTCPPorts = [ 22 80 6060 5001 8800 ];
 allowedUDPPorts = [ 17840 ];
 };
 wireless = {
@@ -20,17 +20,15 @@
 };
 };
 wireguard.interfaces.wg0 = {
- ips = [ "100.0.0.2/24" ];
+ ips = [ "10.55.0.2/24" ];
 listenPort = 17840;
-# postSetup = "${pkgs.iproute}/bin/ip route add weirdnatto.in via 192.168.0.1";
-# postShutdown = "${pkgs.iproute}/bin/ip route del weirdnatto.in via 192.168.0.1";
- privateKeyFile = "/var/secrets/wg";
+ privateKeyFile = "/var/secrets/wg.key";
 peers = [
 {
 #Oracle VM1
 publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
- allowedIPs = [ "100.0.0.0/24" ];
- endpoint = "140.238.230.155:17840";
+ allowedIPs = [ "10.55.0.0/24" ];
+ endpoint = "weirdnatto.in:17840";
 persistentKeepalive = 25;
 }
 ];
diff --git a/hosts/servers/marisa/services.nix b/hosts/servers/marisa/services.nix
index a0f7fa5..43f8802 100755
--- a/hosts/servers/marisa/services.nix
+++ b/hosts/servers/marisa/services.nix
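Review bot: Port 8800 is added to the global `allowedTCPPorts` list, while the Vault listener it fronts binds `0.0.0.0:8800` in services.nix and the only consumer visible in this diff is vault-agent on the WireGuard address 10.55.0.2; as written the Vault API is reachable on every interface the host has, not only wg0. If the intent is to serve it over the tunnel only, scope the rule to the interface, `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8800 ];`, and drop 8800 from the global list (binding the listener to 10.55.0.2:8800 instead of 0.0.0.0 would narrow it further). Port 8000, the old Vault address, is correctly removed.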
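Review bot: `privateKeyFile = "/var/secrets/wg.key"` is now a file that services.nix in this same commit has vault-agent render from Vault, and the agent reaches Vault at https://10.55.0.2:8800 — the wg0 address assigned by the `ips` line above. On a first boot the key file does not exist until the agent has fetched it, and if wg0 cannot come up without the key then the address the agent dials is never assigned, so the two units may wait on each other; this is inferred from the paths, so confirm the boot ordering on a clean host or point the agent at a listener address that does not depend on wg0 (which would also require that address in the certificate's SAN). Separately, moving the endpoint to `weirdnatto.in:17840` makes tunnel setup depend on DNS and WireGuard does not re-resolve on its own; NixOS offers `dynamicEndpointRefreshSeconds` on the peer if the address is expected to change.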
@@ -9,17 +9,59 @@
 enable = true;
 enableImap = true;
 };
- /* vault = {
+ vault = {
+ package = pkgs.vault-bin;
 enable = true;
- address = "127.0.0.1:8000";
+ tlsCertFile = "/var/certs/cert.pem";
+ tlsKeyFile = "/var/certs/key.pem";
+ address = "0.0.0.0:8800";
+ extraSettingsPaths = [ /var/vault/vault.hcl ];
 storageBackend = "postgresql";
- };*/
+ extraConfig = ''
+ api_addr = "https://127.0.0.1:8800"
+ ui = true
+ '';
+ };
+ vault-agent = {
+ enable = true;
+ settings = {
+ vault = {
+ address = "https://10.55.0.2:8800";
+ client_cert = "/var/vault/cert.pem";
+ client_key = "/var/vault/key.pem";
+ };
+ auto_auth = {
+ method = [
+ {
+ "cert" = {
+ name = "Marisa";
+ };
+ }
+ ];
+ };
+ template = [
+ {
+ source = pkgs.writeText "gitea.tpl" ''
+ {{ with secret "kv/systems/Marisa" }}{{ .Data.data.gitea }}{{ end }}
+ '';
+ destination = "/var/secrets/gitea.key";
+ }
+ {
+ source = pkgs.writeText "wg.tpl" ''
+ {{ with secret "kv/systems/Marisa/wg" }}{{ .Data.data.private }}{{ end }}
+ '';
+ destination = "/var/secrets/wg.key";
+ }
+ ];
+ };
+ };
 postgresql = {
 enable = true;
 port = 6060;
 enableTCPIP = true;
 authentication = ''
 local gitea all ident map=gitea-map
+ host vault all 10.55.0.2/32 md5
 host all all 192.168.0.110/32 md5
 '';
 identMap = ''
@@ -37,7 +79,7 @@
 port = 6060;
 name = "gitea";
 user = name;
- passwordFile = "/var/secrets/gitea";
+ passwordFile = "/var/secrets/gitea.key";
 type = "postgres";
 };
 settings = {
@@ -57,5 +99,7 @@
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK06ZUa9BKmZ6m+xapBjOAm10OCLzxIm8ais20wQC47m"
 ];
+ security.pki.certificateFiles = [ ../../../cert.pem ];
 }
diff --git a/modules/vault-agent.nix b/modules/vault-agent.nix
new file mode 100644
index 0000000..d27da43
--- /dev/null
+++ b/modules/vault-agent.nix
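Review bot: `extraSettingsPaths = [ /var/vault/vault.hcl ];` uses a Nix path literal rather than a string; when the NixOS vault module interpolates it into the `-config` argument, a path literal is copied into the world-readable Nix store (or may be rejected under pure flake evaluation), and since this file presumably carries the postgresql `connection_url` with the database password — the one thing kept out of the Nix expression — that defeats the purpose. Writing it as `extraSettingsPaths = [ "/var/vault/vault.hcl" ];` keeps it an absolute path read on the target host; worth confirming against the vault module's option type. The new pg_hba line `host vault all 10.55.0.2/32 md5` copies the existing md5 line; `scram-sha-256` is the stronger password method where the installed PostgreSQL supports it. The `vault` and `postgresql` attribute sets continue outside the hunk.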
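Review bot: `security.pki.certificateFiles = [ ../../../cert.pem ];` installs the self-signed Vault listener certificate into the host-wide trust store, which extends trust in that key to every TLS client on Marisa rather than only to vault-agent, and copies the file into the Nix store on every rebuild. The agent is the only consumer visible here; pinning it in the agent instead, `ca_cert = "/var/certs/cert.pem";` next to `client_cert` in the vault-agent `settings.vault` block, keeps trust scoped to the one connection that needs it and lets the global entry go. If the system-wide entry is kept deliberately, a comment saying why would help the next reader.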
@@ -0,0 +1,106 @@
+#Taken from https://github.com/MagicRB/dotfiles/blob/master/nix/nixos-modules/vault-agent.nix
+{ config, lib, pkgs, ... }:
+with lib;
+let
+ cfg = config.services.vault-agent;
+ json = pkgs.formats.json {};
+in
+{
+ options = {
+ services.vault-agent = {
+ enable = mkEnableOption "Vault Agent";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.vault;
+ description = ''
+ The package used for the vault agent
+ '';
+ };
+
+ settings = mkOption {
+ type = json.type;
+ default = {};
+ description = ''
+ Settings for the agent
+ '';
+ };
+
+ secretsDir = mkOption {
+ type = types.nullOr types.path;
+ default = "/var/secrets";
+ description = ''
+ Vault secrets directory;
+ '';
+ };
+
+ userName = mkOption {
+ type = types.str;
+ default = "vault-agent";
+ description = "Username for the service";
+ };
+
+ groupName = mkOption {
+ type = types.str;
+ default = "vault-agent";
+ description = "Vault-Agent Group Name";
+ };
+
+ uid = mkOption {
+ type = types.int;
+ default = 1985;
+ };
+
+ gid = mkOption {
+ type = types.int;
+ default = 1985;
+ };
+
+ };
+ };
+
+ config = mkIf cfg.enable
+ ({
+ users = {
+ users = {
+ "${cfg.userName}" = {
+ group = cfg.groupName;
+ uid = cfg.uid;
+ isSystemUser = true;
+ description = "Vault-Agent User";
+ };
+ };
+ groups = {
+ "${cfg.groupName}" = {
+ gid = cfg.gid;
+ };
+ };
+ };
+ systemd.tmpfiles.rules = mkIf (cfg.secretsDir != null) [
+ "d ${cfg.secretsDir} 6755 vault-agent ${cfg.groupName} 0"
+ ];
+ systemd.services.vault-agent = {
+ description = "Vault Agent";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ path = (with pkgs; [
+ glibc
+ ]);
+ serviceConfig = {
+ User = cfg.userName;
+ Group = cfg.groupName;
+ ExecReload = "${pkgs.busybox}/bin/kill -HUP $MAINPID";
+ ExecStart = "${cfg.package}/bin/vault agent -config=${json.generate "vault.json" cfg.settings}";
+ KillMode = "process";
+ KillSignal = "SIGINT";
+ Restart = "on-failure";
+ TimeoutStopSec = "30s";
+ RestartSec = 2;
+ ConfigurationDirectory = "vault-agent";
+ ConfigurationDirectoryMode = "0600";
+ };
+ };
+ });
+}
+