Marisa:added vault

2021-06-07 09:37:50 +05:30
parent e5910e3477
commit b9b297ae0f
5 changed files with 189 additions and 11 deletions

cert.pem Normal file

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -70,6 +70,7 @@
Marisa = nixpkgs.lib.nixosSystem { Marisa = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
./modules/vault-agent.nix
./hosts/servers/marisa.nix ./hosts/servers/marisa.nix
inputs.mailserver.nixosModules.mailserver inputs.mailserver.nixosModules.mailserver
{ {


@@ -3,7 +3,7 @@
networking = { networking = {
hostName = "Marisa"; hostName = "Marisa";
firewall = { firewall = {
allowedTCPPorts = [ 22 80 8000 6060 5001 ]; allowedTCPPorts = [ 22 80 6060 5001 8800 ];
allowedUDPPorts = [ 17840 ]; allowedUDPPorts = [ 17840 ];
}; };
wireless = { wireless = {
@@ -20,17 +20,15 @@
}; };
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = {
ips = [ "100.0.0.2/24" ]; ips = [ "10.55.0.2/24" ];
listenPort = 17840; listenPort = 17840;
# postSetup = "${pkgs.iproute}/bin/ip route add weirdnatto.in via 192.168.0.1"; privateKeyFile = "/var/secrets/wg.key";
# postShutdown = "${pkgs.iproute}/bin/ip route del weirdnatto.in via 192.168.0.1";
privateKeyFile = "/var/secrets/wg";
peers = [ peers = [
{ {
#Oracle VM1 #Oracle VM1
publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM="; publicKey = "z0Y2VNEWcyVQVSqRHiwmiJ5/0MgSPM+HZfEcwIccSxM=";
allowedIPs = [ "100.0.0.0/24" ]; allowedIPs = [ "10.55.0.0/24" ];
endpoint = "140.238.230.155:17840"; endpoint = "weirdnatto.in:17840";
persistentKeepalive = 25; persistentKeepalive = 25;
} }
]; ];
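Review bot: `allowedTCPPorts = [ 22 80 6060 5001 8800 ];` opens the new Vault port on every interface, while the only Vault client introduced by this commit reaches it over the WireGuard address 10.55.0.2; `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8800 ];` would expose it on the tunnel only. The same list already publishes postgres (6060) globally, which this hunk leaves in place but is worth revisiting now that a `host vault all 10.55.0.2/32 md5` rule is being added for it. `privateKeyFile = "/var/secrets/wg.key"` now points at a file rendered by vault-agent at runtime, and as far as this hunk shows nothing orders the wg0 setup after vault-agent.service, so the interface can be brought up before the key exists. The enclosing networking block starts before the first hunk.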


@@ -9,17 +9,59 @@
enable = true; enable = true;
enableImap = true; enableImap = true;
}; };
/* vault = { vault = {
package = pkgs.vault-bin;
enable = true; enable = true;
address = "127.0.0.1:8000"; tlsCertFile = "/var/certs/cert.pem";
tlsKeyFile = "/var/certs/key.pem";
address = "0.0.0.0:8800";
extraSettingsPaths = [ /var/vault/vault.hcl ];
storageBackend = "postgresql"; storageBackend = "postgresql";
};*/ extraConfig = ''
api_addr = "https://127.0.0.1:8800"
ui = true
'';
};
vault-agent = {
enable = true;
settings = {
vault = {
address = "https://10.55.0.2:8800";
client_cert = "/var/vault/cert.pem";
client_key = "/var/vault/key.pem";
};
auto_auth = {
method = [
{
"cert" = {
name = "Marisa";
};
}
];
};
template = [
{
source = pkgs.writeText "gitea.tpl" ''
{{ with secret "kv/systems/Marisa" }}{{ .Data.data.gitea }}{{ end }}
'';
destination = "/var/secrets/gitea.key";
}
{
source = pkgs.writeText "wg.tpl" ''
{{ with secret "kv/systems/Marisa/wg" }}{{ .Data.data.private }}{{ end }}
'';
destination = "/var/secrets/wg.key";
}
];
};
};
postgresql = { postgresql = {
enable = true; enable = true;
port = 6060; port = 6060;
enableTCPIP = true; enableTCPIP = true;
authentication = '' authentication = ''
local gitea all ident map=gitea-map local gitea all ident map=gitea-map
host vault all 10.55.0.2/32 md5
host all all 192.168.0.110/32 md5 host all all 192.168.0.110/32 md5
''; '';
identMap = '' identMap = ''
@@ -37,7 +79,7 @@
port = 6060; port = 6060;
name = "gitea"; name = "gitea";
user = name; user = name;
passwordFile = "/var/secrets/gitea"; passwordFile = "/var/secrets/gitea.key";
type = "postgres"; type = "postgres";
}; };
settings = { settings = {
@@ -57,5 +99,7 @@
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHingN2Aho+KGgEvBMjtoez+W1svl9uVoa4vG0d646j"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPX1HDzWpoaOcU8GDEGuDzXgxkCpyeqxRR6gLs/8JgHw"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK06ZUa9BKmZ6m+xapBjOAm10OCLzxIm8ais20wQC47m"
]; ];
security.pki.certificateFiles = [ ../../../cert.pem ];
} }
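Review bot: The agent's `address = "https://10.55.0.2:8800";` is Marisa's own wg0 address (assigned elsewhere in this commit), but the wg0 private key is itself produced by the agent's wg.tpl template at /var/secrets/wg.key, so on a fresh host the agent appears to wait for an interface that cannot come up until the agent has run. Pointing the agent at `https://127.0.0.1:8800` (which api_addr already uses) breaks that cycle, provided cert.pem is valid for that address. The same ordering concern applies to gitea's `passwordFile = "/var/secrets/gitea.key"`: nothing here orders gitea after the template has been written, so `systemd.services.gitea.after = [ "vault-agent.service" ];` together with `requires` is worth adding. Separately, `address = "0.0.0.0:8800"` with `ui = true` binds the API and UI on every interface although the only client here is local, and `security.pki.certificateFiles = [ ../../../cert.pem ];` trusts that certificate system-wide when `ca_cert` in the agent's vault block would scope the trust to the agent alone. The enclosing services attribute set starts before the first hunk.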

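--- /dev/null
+++ b/modules/vault-agent.nix
@@ -0,0 +1,106 @@
+#Taken from https://github.com/MagicRB/dotfiles/blob/master/nix/nixos-modules/vault-agent.nix
+{ config, lib, pkgs, ... }:
+with lib;
+let
+cfg = config.services.vault-agent;
+json = pkgs.formats.json {};
+in
+{
+options = {
+services.vault-agent = {
+enable = mkEnableOption "Vault Agent";
+package = mkOption {
+type = types.package;
+default = pkgs.vault;
+description = ''
+The package used for the vault agent
+'';
+};
+settings = mkOption {
+type = json.type;
+default = {};
+description = ''
+Settings for the agent
+'';
+};
+secretsDir = mkOption {
+type = types.nullOr types.path;
+default = "/var/secrets";
+description = ''
+Vault secrets directory;
+'';
+};
+userName = mkOption {
+type = types.str;
+default = "vault-agent";
+description = "Username for the service";
+};
+groupName = mkOption {
+type = types.str;
+default = "vault-agent";
+description = "Vault-Agent Group Name";
+};
+uid = mkOption {
+type = types.int;
+default = 1985;
+};
+gid = mkOption {
+type = types.int;
+default = 1985;
+};
+};
+};
+config = mkIf cfg.enable
+({
+users = {
+users = {
+"${cfg.userName}" = {
+group = cfg.groupName;
+uid = cfg.uid;
+isSystemUser = true;
+description = "Vault-Agent User";
+};
+};
+groups = {
+"${cfg.groupName}" = {
+gid = cfg.gid;
+};
+};
+};
+systemd.tmpfiles.rules = mkIf (cfg.secretsDir != null) [
+"d ${cfg.secretsDir} 6755 vault-agent ${cfg.groupName} 0"
+];
+systemd.services.vault-agent = {
+description = "Vault Agent";
+wantedBy = [ "multi-user.target" ];
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+path = (with pkgs; [
+glibc
+]);
+serviceConfig = {
+User = cfg.userName;
+Group = cfg.groupName;
+ExecReload = "${pkgs.busybox}/bin/kill -HUP $MAINPID";
+ExecStart = "${cfg.package}/bin/vault agent -config=${json.generate "vault.json" cfg.settings}";
+KillMode = "process";
+KillSignal = "SIGINT";
+Restart = "on-failure";
+TimeoutStopSec = "30s";
+RestartSec = 2;
+ConfigurationDirectory = "vault-agent";
+ConfigurationDirectoryMode = "0600";
+};
+};
+});
+}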
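Review bot: The tmpfiles rule `"d ${cfg.secretsDir} 6755 vault-agent ${cfg.groupName} 0"` creates the secrets directory with the setuid/setgid bits and world read/traverse access, and hard-codes the owner instead of using cfg.userName; `"d ${cfg.secretsDir} 0750 ${cfg.userName} ${cfg.groupName} -"` keeps the rendered secret files reachable only by the agent and its group (consumers such as gitea then need to be in that group, or the templates need per-file `perms`). `ConfigurationDirectoryMode = "0600"` is a directory mode without the execute bit, so the directory cannot be entered; `"0700"` looks like the intended value. `json.generate "vault.json" cfg.settings` writes the complete settings into the world-readable Nix store, which is fine for the file paths used by this commit but means the settings option description should say that tokens or key material must never be placed in `settings`; the uid and gid options also lack a description.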