rotate secrets, retire microwave, comission toaster

This commit is contained in:
Grigory Shipunov 2023-01-10 00:12:15 +01:00
parent f690251f13
commit 1a5575bab8
Signed by: 0xa
GPG key ID: 91FA5E5BF9AA901C
7 changed files with 286 additions and 229 deletions


@ -62,211 +62,5 @@
IPv6AcceptRA = true;
};
};
# Wireguard
# Dump-dvb
netdevs."30-wg-dumpdvb" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-dumpdvb";
Description = "dvb.solutions enterprise network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
Endpoint = "academicstrokes.com:51820";
AllowedIPs = [ "10.13.37.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."30-wg-dumpdvb" = {
matchConfig.Name = "wg-dumpdvb";
networkConfig = {
Address = "10.13.37.3/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
];
};
# oxalab
netdevs."10-wg-oxalab" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-oxalab";
Description = "lab of oxa";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
Endpoint = "95.216.166.21:51820";
AllowedIPs = [ "10.66.66.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-oxalab" = {
matchConfig.Name = "wg-oxalab";
networkConfig = {
Address = "10.66.66.10/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
];
};
# zentralwerk
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/wg-zw-seckey".path;
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
];
};
routes = [
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 9999;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 9999;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 9999;
};
}
];
};
# VPN
netdevs."10-wg-mullvad" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-mullvad";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/mlwd-nl-seckey".path;
FirewallMark = 34952; # 0x8888
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
Endpoint = "92.60.40.209:51820";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
};
}
];
};
networks."10-wg-mullvad" = {
matchConfig.Name = "wg-mullvad";
address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
networkConfig = {
DNS = "10.64.0.1";
DNSDefaultRoute = true;
Domains = [ "~." ];
};
routes = map
(gate: {
routeConfig = {
Gateway = gate;
Table = 1000;
};
}) [
"0.0.0.0"
"::"
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
};
}
{
routingPolicyRuleConfig = {
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
};
}
] ++ map
(net: {
# only route global addresses over VPN
routingPolicyRuleConfig = {
Priority = 80;
To = net;
};
}) [
# Public
"92.60.40.209/32"
# "10.0.0.0/8"
"10.13.37.0/24"
"10.66.66.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
};
}


@ -2,19 +2,4 @@
{
sops.defaultSopsFile = ../../secrets/microwave/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/wg-zw-seckey" = {
owner = config.users.users.systemd-network.name;
};
"wg/wg-dvb-seckey" = {
owner = config.users.users.systemd-network.name;
};
"wg/mlwd-nl-seckey" = {
owner = config.users.users.systemd-network.name;
};
"wg/oxalab-seckey" = {
owner = config.users.users.systemd-network.name;
};
};
}


@ -1,8 +1,10 @@
{ ... }: {
imports = [
./hardware-configuration.nix
./zfs.nix
./network-vpns.nix
./network.nix
./secrets.nix
./zfs.nix
];
nixpkgs.config.allowUnfree = true;
@ -10,6 +12,7 @@
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.enableAllFirmware = true;
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
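Review bot: `./zfs.nix` appears twice in the imports list of the first hunk, once after `./hardware-configuration.nix` and again after `./secrets.nix`; the NixOS module system keys modules by path, so the duplicate is probably harmless, but it reads like a leftover from reordering and one of the two lines should go. Keeping the list alphabetical — `./hardware-configuration.nix`, `./network-vpns.nix`, `./network.nix`, `./secrets.nix`, `./zfs.nix` — would match the rest of the list. In the second hunk, `hardware.enableAllFirmware = true;` appears to be the added line; it pulls in every firmware package including unfree ones, so if only redistributable firmware is needed on this host, `hardware.enableRedistributableFirmware` is the narrower choice.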


@ -0,0 +1,210 @@
{ config, ... }: {
systemd.network = {
# Wireguard
# Dump-dvb
netdevs."30-wg-dumpdvb" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-dumpdvb";
Description = "dvb.solutions enterprise network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/dvb".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
Endpoint = "academicstrokes.com:51820";
AllowedIPs = [ "10.13.37.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."30-wg-dumpdvb" = {
matchConfig.Name = "wg-dumpdvb";
networkConfig = {
Address = "10.13.37.3/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
];
};
# oxalab
netdevs."10-wg-oxalab" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-oxalab";
Description = "lab of oxa";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxalab".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
Endpoint = "95.216.166.21:51820";
AllowedIPs = [ "10.66.66.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-oxalab" = {
matchConfig.Name = "wg-oxalab";
networkConfig = {
Address = "10.66.66.10/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
];
};
# zentralwerk
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
];
};
routes = [
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 9999;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 9999;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 9999;
};
}
];
};
# VPN
netdevs."10-wg-mullvad" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-mullvad";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
FirewallMark = 34952; # 0x8888
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "uUYbYGKoA6UBh1hfkAz5tAWFv4SmteYC9kWh7/K6Ah0=";
Endpoint = "92.60.40.209:51820";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
};
}
];
};
networks."10-wg-mullvad" = {
matchConfig.Name = "wg-mullvad";
address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
networkConfig = {
DNS = "10.64.0.1";
DNSDefaultRoute = true;
Domains = [ "~." ];
};
routes = map
(gate: {
routeConfig = {
Gateway = gate;
Table = 1000;
};
}) [
"0.0.0.0"
"::"
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
};
}
{
routingPolicyRuleConfig = {
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
};
}
] ++ map
(net: {
# only route global addresses over VPN
routingPolicyRuleConfig = {
Priority = 80;
To = net;
};
}) [
# Public
"92.60.40.209/32"
# "10.0.0.0/8"
"10.13.37.0/24"
"10.66.66.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
};
}
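Review bot: The policy-rule exemption list near the end of the file contains `"182.168.0.0/16"` (and the same value in the comment above it), which is a public range, while the neighbouring entries and the `# only route global addresses over VPN` comment indicate the RFC 1918 range `"192.168.0.0/16"` was meant; as written, traffic to that public /16 is steered to the main table and bypasses the Mullvad tunnel, and 192.168.x.x destinations without a specific main-table route go into the tunnel instead. In the zentralwerk network the route `Destination = "172.20.90.0/24";` does not match the peer's `AllowedIPs`, which lists `172.22.90.0/24`; with `RouteTable = "off"` no route is generated automatically, so the allowed /24 is unreachable and the /24 actually routed lies outside the peer's allowed set, presumably a typo for `"172.22.90.0/24"`. The oxalab route `Destination = "10.66.66.1/24";` carries host bits where the other routes use the network address, so `"10.66.66.0/24"` is presumably intended. All three are carried over verbatim from the deleted microwave config rather than introduced here.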

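--- /dev/null
+++ b/hosts/toaster/secrets.nix
@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+sops.secrets = {
+"wg/zw" = {
+owner = config.users.users.systemd-network.name;
+};
+"wg/dvb" = {
+owner = config.users.users.systemd-network.name;
+};
+"wg/mullvad" = {
+owner = config.users.users.systemd-network.name;
+};
+"wg/oxalab" = {
+owner = config.users.users.systemd-network.name;
+};
+};
+}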


@ -1,8 +1,3 @@
wg:
wg-zw-seckey: ENC[AES256_GCM,data:fkt4UEVgmmFw6UFUEs6T5/CePKo1Z/hc8pu+Bj6fWT/p/1eE14Y3TgxfMks=,iv:SN97FG5Lquhc7k9R1Aavu7hE1zoY4FAnacvapdLkBkk=,tag:l82y7vwieanfYRRjfqKJoA==,type:str]
wg-dvb-seckey: ENC[AES256_GCM,data:a1OuEOnSwCqwfL6+TYhyU1lkRcDeW2wAJetytc8ry8kJicPGMkqSHJvRdBs=,iv:oS1olgSuhR3J0LW8OSDSYMSHxxhBehdEP0VnQIKqOAM=,tag:CXkL5lOF91KluH3yGWwzTA==,type:str]
mlwd-nl-seckey: ENC[AES256_GCM,data:LfndvssZdlIerJQZRsLzlTdY9ThjmRcMvUKQgWu06vVEFZgI4KGi5b++9Jg=,iv:EoV7e0fE8RCw0K+nGx3dYGCZV0GSVtxPzi5vQ+5+Tuk=,tag:AZ78jsfL0OgUPYOiO6xn0Q==,type:str]
oxalab-seckey: ENC[AES256_GCM,data:eWdcDboE4L7/8k87kipaZXdFbo8tp+/RS5KCkfnE4OYCOtNg5WJlrJTsE3o=,iv:tjfVIiFbNa8p0NhL2No1UogHkppIdWNaXW5Qjny725s=,tag:em0g5BERF+lOR6VSW8Wh8A==,type:str]
mail:
oxapentane.com: ENC[AES256_GCM,data:9P7r1WGaGekZkCbI3iVK1cQiVXN46LilZaY=,iv:juCWeCTXjKuoC0y0l08d98i5rLlmOeRXL4H/GsouAWs=,tag:DflQZMy2WBqee/pM2njF2Q==,type:str]
shipunov.xyz: ENC[AES256_GCM,data:Lr60OLtghGxyTxs9clz6ZY8RLno3dQGLHi5w3QYXFQ==,iv:Yr+soB0e8+MQQfCuznmJRaAn9SgoDkT9B8UdGzVOcMY=,tag:8yg3GQMnllgufilNyXrdUg==,type:str]
@ -23,8 +18,8 @@ sops:
cHBBdERxM1MxaER5YWZqWTJTZnprVzgKT7C9aMo4BAS+Tewx5u+yEILRUna1P5Wu
iRQeH/SqCigoA2d3ekl7/VWcmSJPtb7FMLwX+9LEgIILo8KBYhseGA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-08T01:17:14Z"
mac: ENC[AES256_GCM,data:Be9tCRDHKH2iUEyAGRP9+/UeYCgXSJYd/+tARYsLb6F+msNuwQ5l9vP7X+HkFXIhOCS+6Ko8emORHFfZ2k4rvO0jT9Zw4QkN3+uR3cfSwYlL52tWfRamOXeYv8QVwdBNokHVSr7AzEStePHF31Z3pHtM2cujYTkklOMda8+mXMU=,iv:WgtucIHCLM+hY8eKh02yqssmR2o8nbQ7nM1wDLKRQDk=,tag:d1OfmwQ9MbrlxstaQE7Knw==,type:str]
lastmodified: "2023-01-09T22:52:39Z"
mac: ENC[AES256_GCM,data:UdsQLNagpdJYzNzKRVCBXeiBQVUc+kMxwzyJExfQcPHM+jM/azUtSYnT7yk9RMMA2BOcpwx/pwv9D1eyd1xxMIFvJg7yuFL7iq4DOFcjwzUqgHIvSIBc0SARfLxFu5avRPs1S81jEvCfb44OqmHush97ZtzNpKqvNRQL3C7yj2k=,iv:0q75pCrhRauFR7cJ6vooRYlX+UCm8KVuPwAoNdKUNUQ=,tag:YqfszSJlsHg7XUXREOnmCg==,type:str]
pgp:
- created_at: "2022-07-15T02:04:05Z"
enc: |-
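Review bot: Deleting the four `wg/*-seckey` entries from this file does not by itself retire the corresponding key pairs: the ciphertext stays in git history and remains decryptable by every age and pgp recipient of this file, so the rotation is only complete once the old public keys are removed on the remote peers of each tunnel and the microwave host no longer holds the decryption key. The fresh key material for toaster lives in its own file with a new `lastmodified` and `mac`, which is the right shape; it would be worth stating in the commit message which peers were updated, since that step is not visible in the repository.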


@ -0,0 +1,50 @@
wg:
mullvad: ENC[AES256_GCM,data:9wgZKgcVGBIkNrfeurwDOCWLE6t2z7bN5KaUAeiRAcGRKO5uAkVCp0kpWZc=,iv:c1XM8GXEeAuDM47pTA5Pa6lPCI0fwau1uZdSaDcBykI=,tag:pSjmhHw7mt7hGTLpXFPsHQ==,type:str]
zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str]
oxalab: ENC[AES256_GCM,data:YRN3fSzukqgDK3Bf5O7I8U3QmJAINCsjSseOZfzM/4xGXfGbBNeH3UmD0PI=,iv:U3kXH1HdT4OWcFZ+40a5W+jQ1hdS4UYYXxxyy+SqHEU=,tag:w65VyfylSKnM7c50BRCVgQ==,type:str]
dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str]
mail:
oxapentane.com: ENC[AES256_GCM,data:HW1xcclr5CiUFVF8As79ZZH1c14sl4T0l18=,iv:leAVYaQkMuJewkCZc3fTUUNzZ9BDjV5CuT84bzvhrrs=,tag:Mm8OB8gLbmUwKSLugTR6GA==,type:str]
shipunov.xyz: ENC[AES256_GCM,data:cg+P+FrZ2icjfhwDGKGyUH9DejSZHpNs2bcSBPyz8g==,iv:XZFaSXnGmTL9j2sEyt5Q7+pe6rr+WA/0UGq/2Gl5DTI=,tag:oq+5EuJWJKwK3h0/e6Uozw==,type:str]
dvb.solutions: ENC[AES256_GCM,data:GSjPIPA5TGMWfhdRzTsiHPfXFVGLVSpJvJG+I++i,iv:EBlk00wqADCuYTzuVcuX9kSn6TVBfN12UlcXyps6TtE=,tag:G7rKTngN4v2FtuhQEMdUQQ==,type:str]
tlm.solutions: ENC[AES256_GCM,data:ncTMh/jw+YmcmcVU/c1I36vV1CwtmtYwfyDUx9w9,iv:vPnmdvDnEJ9FF4rDkSfPnLWebleSgI/yG7qOgJfq5ic=,tag:z4w4LOGf2v0TBSxrHULBsw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVmx5T0ROT1ZPZ2JmUHhn
bWZ3UlZvQTR1Y0VOSXJsSy9makswR1VTSDBZCjZmOVZQdkF3b0tkWmo2aGcrOWZs
ZDBwRVFSK3BTdVlpWUpNVW5qWWFVZjQKLS0tIFJOdWxOSGR2SXdlWXBDTkMvUDlG
T3F6NXpBbEFxemVzM0lxbEdKMlVzYlEK9YPSglPYmsk3fH7qduK/FVFIWnHaQ6O1
ZJsgmz/5H7TPbSoy6mfyROQY+b7amJDSAAqhLazKYI22yP3Gnkmmbg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-09T22:57:18Z"
mac: ENC[AES256_GCM,data:KqIkYp/fAMxfISULoDfOsRH3eA9M4XcPwXW8HoMqlipLr0zWekpyp+AUekglQctF6brjr8yanAdrFEGBV930zAKehgDfu1w2O1uUE47cBHqdcaQNW180CaS21cSnPiOBEHeBqw1OCTGqdmT1mu+v6Ss13kgtdQJei0CuRw5Aw8w=,iv:iO0+xmFO4sBn63zFw+6NP22s8q00P2WjzPjr7yLcY20=,tag:THfICAIPGrZPIEYVAxvN8w==,type:str]
pgp:
- created_at: "2023-01-09T22:45:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7AQ//SREB1bVNjocJIdu1OsRi/98r/Sq66jvfvv9qN4iarhX6
nULcylhQgxMAEaY2af1aWfzH8aVOQFfFWQaFLNCs44TkSa9MCPxPrqRI4qCPl9os
V6l9IVOhmv/HIDlHvTOfsFYZjE9LOtA5y3VrQqLBG4zjpTczcQxlrHgeSZyDrS9i
eqTiVVwdiZurFUMoety63S82u62YjtEwgHbFYdKnodEPygZvU5LFftmTRdDRNCII
i6tJRe70HTg2gNBxQEwh/DTcyQBaUkermhDaok0ABW6BFfrwzaxaUXexqFAqk7XK
fpWNGUX4w8ExtZ6XH/6vlu17yhej4VP9EuHzlZTPPjBPRcdPXETo3QShB+tH4hvw
aPgOfJaneVM+MpwgVW66qWmQt7NpaHLRo2tjvZnvuVXlg/AnuphaXpfafRja2DEj
hMH+FAIiQr5tFLf9ur8VltdeOsjWj7NbfWYEGm9UW0eHC5r/NuEZiQVt7BKWPU70
DcZdN9f3Scs9mpNuD/CGhf4Oj4L0tkgt/x2mirkSQcB0lui8s1/joCCV/7cZ30jB
/FHATHlo6RW1S8uGVcb1dkfsv4ki+4bvh1ZxZRuQg9rNlPWyHEIG6VJSMmgC7e9Y
P1NS/WF35BybvXFR3UVJca9qciRvPzcRo/4sEJtuPbwXpAqHR4OavHJhmb4ZDYfS
UQE6svFmutqwRPC2WSk0Knxh5o/bUYrliT6FU01xwkkIo5SgahDe0XJeXS3poQEs
htM7FZ7w0PjcRa66cul5j5FjDI4R7ZcFupv6RF84ImP5hw==
=3z9H
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.3