wg-home: derive wireguard key from ssh privkey
This commit is contained in:
parent
7c18d77046
commit
7c2ab92302
|
@ -67,9 +67,6 @@
|
||||||
sops.secrets."wg_ovpnd_ukr_privkey" = {
|
sops.secrets."wg_ovpnd_ukr_privkey" = {
|
||||||
sopsFile = ../../secrets/universal.yaml;
|
sopsFile = ../../secrets/universal.yaml;
|
||||||
};
|
};
|
||||||
sops.secrets."wg_home_privkey" = {
|
|
||||||
sopsFile = ../../secrets/universal.yaml;
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.secrets."snippets" = {
|
sops.secrets."snippets" = {
|
||||||
sopsFile = ../../secrets/universal/snippets.bin;
|
sopsFile = ../../secrets/universal/snippets.bin;
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
./derived-secrets.nix
|
||||||
./hardware
|
./hardware
|
||||||
./hosts.nix
|
./hosts.nix
|
||||||
./roles
|
./roles
|
||||||
|
|
47
hosts/modules/derived-secrets.nix
Normal file
47
hosts/modules/derived-secrets.nix
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (builtins) toString;
|
||||||
|
inherit (lib) mapAttrs mkOption types;
|
||||||
|
cfg = config.sane.derived-secrets;
|
||||||
|
secret = types.submodule {
|
||||||
|
options = {
|
||||||
|
len = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
};
|
||||||
|
encoding = mkOption {
|
||||||
|
type = types.enum [ "base64" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
sane.derived-secrets = mkOption {
|
||||||
|
type = types.attrsOf secret;
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
fs path => secret options.
|
||||||
|
for each entry, we create an item at the given path whose value is deterministic,
|
||||||
|
but also pseudo-random and not predictable by anyone without root access to the machine.
|
||||||
|
as PRNG source we use the host ssh key, and derived secrets are salted based on the destination path.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
sane.fs = mapAttrs (path: c: {
|
||||||
|
generated.script.script = ''
|
||||||
|
echo "$1" | cat /dev/stdin /etc/ssh/host_keys/ssh_host_ed25519_key \
|
||||||
|
| sha512sum \
|
||||||
|
| cut -c 1-${toString (c.len * 2)} \
|
||||||
|
| tr a-z A-Z \
|
||||||
|
| basenc -d --base16 \
|
||||||
|
| basenc --${c.encoding} \
|
||||||
|
> "$1"
|
||||||
|
'';
|
||||||
|
generated.script.scriptArgs = [ path ];
|
||||||
|
generated.acl.mode = "0600";
|
||||||
|
}) cfg;
|
||||||
|
};
|
||||||
|
}
|
|
@ -52,7 +52,7 @@ in
|
||||||
sane.hosts.by-name."lappy" = {
|
sane.hosts.by-name."lappy" = {
|
||||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
||||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
||||||
wg-home.pubkey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
wg-home.pubkey = "FTUWGw2p4/cEcrrIE86PWVnqctbv8OYpw8Gt3+dC/lk=";
|
||||||
};
|
};
|
||||||
|
|
||||||
sane.hosts.by-name."moby" = {
|
sane.hosts.by-name."moby" = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) mkIf mkMerge mkOption optionalAttrs types;
|
inherit (lib) mkIf mkMerge mkOption optionalAttrs types;
|
||||||
|
@ -17,6 +17,12 @@ in
|
||||||
|
|
||||||
config = mkIf cfg.enable (mkMerge [
|
config = mkIf cfg.enable (mkMerge [
|
||||||
{
|
{
|
||||||
|
# generate a (deterministic) wireguard private key
|
||||||
|
sane.derived-secrets."/run/wg-home.priv" = {
|
||||||
|
len = 32;
|
||||||
|
encoding = "base64";
|
||||||
|
};
|
||||||
|
|
||||||
# wireguard VPN which allows everything on my domain to speak to each other even when
|
# wireguard VPN which allows everything on my domain to speak to each other even when
|
||||||
# not behind a shared LAN.
|
# not behind a shared LAN.
|
||||||
# this config defines both the endpoint (server) and client configs
|
# this config defines both the endpoint (server) and client configs
|
||||||
|
@ -25,12 +31,17 @@ in
|
||||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||||
networking.wireguard.interfaces.wg-home = {
|
networking.wireguard.interfaces.wg-home = {
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
|
privateKeyFile = "/run/wg-home.priv";
|
||||||
|
preSetup =
|
||||||
|
let
|
||||||
|
gen-key = config.sane.fs."/run/wg-home.priv".unit;
|
||||||
|
in
|
||||||
|
"${pkgs.systemd}/bin/systemctl start '${gen-key}'";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "client") {
|
networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "client") {
|
||||||
privateKeyFile = config.sops.secrets.wg_home_privkey.path;
|
|
||||||
# client IP (TODO: make host-specific)
|
# client IP (TODO: make host-specific)
|
||||||
ips = [ "10.0.10.20/24" ];
|
ips = [ "10.0.10.20/24" ];
|
||||||
|
|
||||||
|
@ -54,7 +65,6 @@ in
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "server") {
|
networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "server") {
|
||||||
privateKeyFile = config.sops.secrets.wg_home_server_privkey.path;
|
|
||||||
ips = [
|
ips = [
|
||||||
"10.0.10.5/24"
|
"10.0.10.5/24"
|
||||||
];
|
];
|
||||||
|
|
|
@ -9,7 +9,6 @@ wg_ovpnd_us_privkey: ENC[AES256_GCM,data:5YkQ4r7HNWiRr/5pa1XfexxtJAz6kDjX+hNiZch
|
||||||
wg_ovpnd_us-atl_privkey: ENC[AES256_GCM,data:NMguzx35VvOAo37U9pGD5bYa/ghWeSK5tVh2XRNsfKjMPhMa44lm3pTscdU=,iv:f9hBhMksL0VGT8k2RsztU9AjR2AIIL+Z2Ls24UOPeNA=,tag:C46xDGb2d32mmHWl7WQb2g==,type:str]
|
wg_ovpnd_us-atl_privkey: ENC[AES256_GCM,data:NMguzx35VvOAo37U9pGD5bYa/ghWeSK5tVh2XRNsfKjMPhMa44lm3pTscdU=,iv:f9hBhMksL0VGT8k2RsztU9AjR2AIIL+Z2Ls24UOPeNA=,tag:C46xDGb2d32mmHWl7WQb2g==,type:str]
|
||||||
wg_ovpnd_us-mi_privkey: ENC[AES256_GCM,data:uEC3UOOqn1l7KwGmOxKvXccPR9Gu8/BNTlpXxXlNWf19/pIX1CLPORUWme0=,iv:cnPGghGBAsIsR86F1hPZawLWlY/pLCNF/1cg6gjrIKE=,tag:LqMbpGklQH0GX7dNNV3/8Q==,type:str]
|
wg_ovpnd_us-mi_privkey: ENC[AES256_GCM,data:uEC3UOOqn1l7KwGmOxKvXccPR9Gu8/BNTlpXxXlNWf19/pIX1CLPORUWme0=,iv:cnPGghGBAsIsR86F1hPZawLWlY/pLCNF/1cg6gjrIKE=,tag:LqMbpGklQH0GX7dNNV3/8Q==,type:str]
|
||||||
wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
|
wg_ovpnd_ukr_privkey: ENC[AES256_GCM,data:5zfhsZnBk0Kb9Nb/3igsV/fN0ZDjwTAGTKyMLMly/l7MlJe6MEmd5Lv+JT8=,iv:Mov9eUP8WfvzfZ6NljgLolJ49GSqR7eSV+k0dgE1+1I=,tag:O9UtGX2qt+qEvabcsA0vIA==,type:str]
|
||||||
wg_home_privkey: ENC[AES256_GCM,data:c8wabBMlip3QlJ6P0ZMU/Y1Sp5V9NjVRB0sQGr9BGm1LFoSs9pkS+Su+SD8=,iv:hnIjd15g+zWqPnXu4puLrKSn2N4zVrXp32xnb315VQk=,tag:hFKSV6qb5ns9CvvuXBWLLg==,type:str]
|
|
||||||
#ENC[AES256_GCM,data:qlF8rpSMUv6Z/YrOTp7WYs0lcpmSIi/r+gCuiw==,iv:cneNp/0av/ttQvnW4JVX9mj3261QFAzkLIzEMwiKwE8=,tag:FFsPUQBsSeImtymawY4eSg==,type:comment]
|
#ENC[AES256_GCM,data:qlF8rpSMUv6Z/YrOTp7WYs0lcpmSIi/r+gCuiw==,iv:cneNp/0av/ttQvnW4JVX9mj3261QFAzkLIzEMwiKwE8=,tag:FFsPUQBsSeImtymawY4eSg==,type:comment]
|
||||||
router_passwd: ENC[AES256_GCM,data:Tya3Pd75Yu4=,iv:lqi7SavFnymL+uOQXDEzGxgikB6/ckNOBifjhyjXn1Q=,tag:HG3kf6e2g53uNUGI9FXyqQ==,type:str]
|
router_passwd: ENC[AES256_GCM,data:Tya3Pd75Yu4=,iv:lqi7SavFnymL+uOQXDEzGxgikB6/ckNOBifjhyjXn1Q=,tag:HG3kf6e2g53uNUGI9FXyqQ==,type:str]
|
||||||
jackett_apikey: ENC[AES256_GCM,data:2oGczau3f/w/5iCx3aft0V/t0tO5zsr5Xi/HQ1koTTo=,iv:33VPT8GYCPPJ2RUBP6yuLep9YX/VMW9Kt3MyQPmZuO0=,tag:TUIbutJKV5e3Kc9INk5VUA==,type:str]
|
jackett_apikey: ENC[AES256_GCM,data:2oGczau3f/w/5iCx3aft0V/t0tO5zsr5Xi/HQ1koTTo=,iv:33VPT8GYCPPJ2RUBP6yuLep9YX/VMW9Kt3MyQPmZuO0=,tag:TUIbutJKV5e3Kc9INk5VUA==,type:str]
|
||||||
|
@ -91,8 +90,8 @@ sops:
|
||||||
YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
|
YmhsY0FaSW5oWVNJMlhUSDRCeWQ4KzAKaQp321XYtAZ98f4QMl5PxivAYm6VMF43
|
||||||
wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
|
wCThiQgvYAP59jvVDTZngvfWAD5PyWVVvMNbjHGvAzK5WnsTPmxlsg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-01-19T09:45:50Z"
|
lastmodified: "2023-01-20T06:57:29Z"
|
||||||
mac: ENC[AES256_GCM,data:v+gQu9PFcLXxatllrlMX67ZaIr4MIn7v0YuQEfw2ZnIgcxlukW/wInCf8aOt+172Yme1e/YVf4X8KePUNQlFwPdfw4S+NDUSC92Kuu3/ZD3tYk46VGNPGfhiz9APeCej6oBebo4RBrIhFq5HUJe5pm2W5So/YAldUnCmfgSNyBs=,iv:plMcyLC3fj7KpOBbYcSDmY7vZpV/klHre12jbTKUhVw=,tag:yiJR3HmVYApF9CXruGGq4g==,type:str]
|
mac: ENC[AES256_GCM,data:J/yLlcmlX6st/d6c8eL/6DKZiHAELb0/zj+5qOjoE2uAgTTFnojaP4ssrmt7BaLQF1MQNnvkchvuwRv+dAVTXkuYPuDWS3YriAKQIXUx9sHIEoY6Aqa37eBwUNUBuxoR6FvfOGtXrIZuS0f7hZr+ddBZgCSBBE54yeH68Va1tZk=,iv:Y/T8qykrqRVQ8eMkNH2DZa6XoGd5nL18h/2SJucVAD8=,tag:OwZfOyLc29c1bJJIA9IW3Q==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|
Loading…
Reference in New Issue
Block a user