Marisa:added vault

2021-06-07 09:37:50 +05:30
parent e5910e3477
commit b9b297ae0f
5 changed files with 189 additions and 11 deletions
--- a/hosts/servers/marisa/networking.nix
+++ b/hosts/servers/marisa/networking.nix
@@ -3,7 +3,7 @@
  networking = {
    hostName = "Marisa";
    firewall = {
-      allowedTCPPorts = [ 22 80 8000 6060 5001 ];
+      allowedTCPPorts = [ 22 80 6060 5001 8800 ];
      allowedUDPPorts = [ 17840 ];
    };
    wireless = {
@@ -20,17 +20,15 @@
      };
    };
    wireguard.interfaces.wg0 = {
-      ips = [ "100.0.0.2/24" ];
+      ips = [ "10.55.0.2/24" ];
      listenPort = 17840;
-#       postSetup = "${pkgs.iproute}/bin/ip route add weirdnatto.in via 192.168.0.1";
-#       postShutdown = "${pkgs.iproute}/bin/ip route del weirdnatto.in via 192.168.0.1";
-      privateKeyFile = "/var/secrets/wg";
+      privateKeyFile = "/var/secrets/wg.key";
      peers = [
        {
          #Oracle VM1
          publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
-          allowedIPs = [ "100.0.0.0/24" ];
-          endpoint = "140.238.230.155:17840";
+          allowedIPs = [ "10.55.0.0/24" ];
+          endpoint = "weirdnatto.in:17840";
          persistentKeepalive = 25;
        }
      ];
--- a/hosts/servers/marisa/services.nix
+++ b/hosts/servers/marisa/services.nix
@@ -9,17 +9,59 @@
      enable = true;
      enableImap = true;
    };
- /*   vault = {
+    vault = {
+      package = pkgs.vault-bin;
      enable = true;
-      address = "127.0.0.1:8000";
+      tlsCertFile = "/var/certs/cert.pem";
+      tlsKeyFile = "/var/certs/key.pem";
+      address = "0.0.0.0:8800";
+      extraSettingsPaths = [ /var/vault/vault.hcl ];
      storageBackend = "postgresql";
-    };*/
+      extraConfig = ''
+        api_addr = "https://127.0.0.1:8800"
+        ui = true
+      '';
+    };
+    vault-agent = {
+      enable = true;
+      settings = {
+        vault = {
+          address = "https://10.55.0.2:8800";
+          client_cert = "/var/vault/cert.pem";
+          client_key = "/var/vault/key.pem";
+        };
+        auto_auth = {
+          method = [
+            {
+              "cert" = {
+                name = "Marisa";
+              };
+            }
+          ];
+        };
+        template = [
+          {
+            source = pkgs.writeText "gitea.tpl" ''
+              {{ with secret "kv/systems/Marisa" }}{{ .Data.data.gitea }}{{ end }}
+            '';
+            destination = "/var/secrets/gitea.key";
+          }
+          {
+            source = pkgs.writeText "wg.tpl" ''
+              {{ with secret "kv/systems/Marisa/wg" }}{{ .Data.data.private }}{{ end }}
+            '';
+            destination = "/var/secrets/wg.key";
+          }
+        ];
+      };
+    };
    postgresql = {
      enable = true;
      port = 6060;
      enableTCPIP = true;
      authentication = ''
        local gitea all ident map=gitea-map
+        host vault all 10.55.0.2/32 md5
        host all all 192.168.0.110/32 md5
        '';
      identMap = ''
@@ -37,7 +79,7 @@
        port = 6060;
        name = "gitea";
        user = name;
-        passwordFile = "/var/secrets/gitea";
+        passwordFile = "/var/secrets/gitea.key";
        type = "postgres";
      };
      settings = {
@@ -57,5 +99,7 @@
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK06ZUa9BKmZ6m+xapBjOAm10OCLzxIm8ais20wQC47m"
  ];
+  security.pki.certificateFiles = [ ../../../cert.pem ];
 }