From a113294ec1dcbf045771864ac79f7e801c00d40f Mon Sep 17 00:00:00 2001
From: Lauren Lagarde
Date: Sat, 23 Aug 2025 01:15:41 -0500
Subject: [PATCH] Stronghold WIP
---
 systems/fortress/.sops.yaml | 6 ---
 systems/fortress/configuration.nix | 2 +-
 systems/stronghold/.sops.yaml | 10 ++++
 systems/stronghold/configuration.nix | 68 ++++++++++++-----------
 systems/stronghold/secrets.yaml | 81 ++++++++++++++++++++++++++++
 systems/stronghold/wireguard.nix | 56 +++++++++++++++++++
 6 files changed, 186 insertions(+), 37 deletions(-)
 create mode 100644 systems/stronghold/.sops.yaml
 create mode 100644 systems/stronghold/secrets.yaml
 create mode 100644 systems/stronghold/wireguard.nix
diff --git a/systems/fortress/.sops.yaml b/systems/fortress/.sops.yaml
index a7fa975..8103afe 100644
--- a/systems/fortress/.sops.yaml
+++ b/systems/fortress/.sops.yaml
@@ -1,9 +1,3 @@
-# Get new (host) keys with:
-# nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age'
-# nix-shell -p ssh-to-age --run 'ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub'
-# Get new (user) keys with:
-# mkdir -p ~/.config/sops/age && nix-shell -p ssh-to-age --run 'ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt'
-# nix-shell -p ssh-to-age --run 'ssh-to-age -i ~/.ssh/id_ed25519.pub'
 keys:
 - &system_fortress age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu
 - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
diff --git a/systems/fortress/configuration.nix b/systems/fortress/configuration.nix
index c69fd75..5f1ab1c 100644
--- a/systems/fortress/configuration.nix
+++ b/systems/fortress/configuration.nix
@@ -155,7 +155,7 @@
 sops.secrets."dotspace/fortress/keys/tinc/rsa_key.priv" = { sopsFile = ./secrets.yaml; };
 sops.secrets."dotspace/fortress/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
- systemd.network.networks."90-tinc" = {
+ systemd.network.networks."90-tinc-dotspace" = {
 matchConfig.Name = "tinc.dotspace";
 address = [ "10.86.84.1/32" ];
 routes = [ { Destination = "10.86.84.0/24"; } ];
diff --git a/systems/stronghold/.sops.yaml b/systems/stronghold/.sops.yaml
new file mode 100644
index 0000000..da7781a
--- /dev/null
+++ b/systems/stronghold/.sops.yaml
@@ -0,0 +1,10 @@
+keys:
+ - &system_ll_latitude age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz
+ - &yubikey_lauren_primary 5F78261B65C565041662A3B7FF8FC3C735BD4A51
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - pgp:
+ - *yubikey_lauren_primary
+ age:
+ - *system_ll_latitude
diff --git a/systems/stronghold/configuration.nix b/systems/stronghold/configuration.nix
index c85cf79..94a2862 100644
--- a/systems/stronghold/configuration.nix
+++ b/systems/stronghold/configuration.nix
@@ -15,7 +15,6 @@
 # Core Tweaks
 ../../nixos/tweaks/zram.nix
 ../../nixos/tweaks/enable_flakes.nix
- ../../nixos/tweaks/disable_nixos_user.nix
 ../../nixos/tweaks/systemd-resolved_nonsense.nix
 # Dotspace
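Review bot: The creation rule for `secrets.yaml` lists only the `system_ll_latitude` age key and the YubiKey PGP key, so no age key for the stronghold host itself is declared, yet `configuration.nix` and `wireguard.nix` in this same patch expect sops-nix on stronghold to decrypt that file at activation. The `secrets.yaml` hunk is encrypted to five age recipients (including `age1fraz…`, which fortress's `.sops.yaml` labels `system_fortress`), so the file and this rule already disagree, and a `sops updatekeys` would re-encrypt to just the two listed keys and drop whatever host key currently makes decryption work. Add the host key explicitly, e.g. `- &system_stronghold <STRONGHOLD_HOST_AGE_KEY>` under `keys:` and `- *system_stronghold` under `age:`, then rerun updatekeys so the recipient set matches the rule, and decide deliberately whether fortress's key should be able to read stronghold's private keys at all.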
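Review bot: Dropping `../../nixos/tweaks/disable_nixos_user.nix` from `imports` silently reverses whatever that tweak hardens — by its name, presumably removal of the default `nixos` account — and nothing in the commit says why. If the removal is intentional, a one-line comment such as `# disable_nixos_user dropped: <reason>` next to the remaining tweaks keeps the intent visible; if it is a leftover from the WIP, the import should come back. The `imports` list this hunk edits starts before the hunk.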
@@ -28,17 +27,31 @@
 # Docker Host Stuff
 ../../nixos/tweaks/disable_firewall.nix
 ../../nixos/features/virtualization/docker.nix
- ../../nixos/features/virtualization/dockge.nix
- # UEFI SSH ZFS
- #../../nixos/tweaks/zfs.nix
- #../../nixos/features/initrd-ssh.nix
- #../../nixos/features/virtualization/libvirt-guest-uefi.nix
+ ../../secrets/dotspace.nix
- #../../nixos/disko/libvirt/uefi-zfs-base.nix
- #../../nixos/disko/libvirt/zfs-encrypted.nix
+ # Local Config
+ #./gatus.nix
+ #./haproxy.nix
+ ./wireguard.nix
 ];
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Services
+
+ services.smartd.enable = lib.mkForce false;
+
+ virtualisation.oci-containers.backend = "docker";
+ virtualisation.oci-containers.containers = {
+ dozzle = {
+ image = "amir20/dozzle:latest";
+ ports = [ "10.86.84.3:9999:8080" ];
+ volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+ };
+ };
+
 ##############################################################################
 ##############################################################################
 ##############################################################################
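Review bot: The dozzle container is handed `/var/run/docker.sock` read-write, which is root-equivalent control of the host from inside the container; note that adding `:ro` to the bind mount would not change that, since Docker API calls are socket I/O rather than filesystem writes, so if this exposure matters the mitigation is a socket proxy that forwards only the read-only endpoints dozzle needs. `image = "amir20/dozzle:latest"` makes the deployment track whatever upstream publishes next; pinning a version tag or digest keeps the configuration reproducible and reviewable. The `imports` list this hunk edits starts before the hunk.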
@@ -46,35 +59,30 @@
 # To generate keys:
 # sudo mkdir -p /root/wireguard && wg genkey | sudo tee /root/wireguard/dotspace.priv | wg pubkey
- networking.wireguard.enable = true;
- networking.wireguard.interfaces."wg.dotspace" = {
- ips = [ "10.13.13.2" ];
- listenPort = 51820;
- privateKeyFile = "/root/wireguard/dotspace.priv";
- };
+ networking.useNetworkd = true;
 systemd.network = {
- networks = {
- "90-tinc-dotspace" = {
- matchConfig.Name = "tinc.dotspace";
- address = [ "10.86.84.3/32" ];
- routes = [ { Destination = "10.86.84.0/24"; } ];
- };
- };
+ enable = true;
+
+ # TODO: Interfaces
+ };
+
+ ##############################################################################
+ # Tinc
+
+ sops.secrets."dotspace/stronghold/keys/tinc/ed25519_key.priv" = { sopsFile = ./secrets.yaml; };
+
+ systemd.network.networks."90-tinc-dotspace" = {
+ matchConfig.Name = "tinc.dotspace";
+ address = [ "10.86.84.2/32" ]; # TODO: 2?
+ routes = [ { Destination = "10.86.84.0/24"; } ];
 };
- # To Generate Keys:
- # sudo tinc -b -n dotspace generate-ed25519-keys; cat /etc/tinc/dotspace/hosts/$(hostname) | grep "^Ed"
 services.tinc.networks.dotspace = {
 name = "stronghold";
- ed25519PrivateKeyFile = "/etc/tinc/dotspace/ed25519_key.priv";
+ ed25519PrivateKeyFile = "/run/secrets/dotspace/stronghold/keys/tinc/ed25519_key.priv";
 chroot = false;
- settings.ConnectTo = [ "fortress" "citadel" ];
+ settings.ConnectTo = [ "fortress" ];
 };
-
- ##############################################################################
- ##############################################################################
- ##############################################################################
- # Services
 }
diff --git a/systems/stronghold/secrets.yaml b/systems/stronghold/secrets.yaml
new file mode 100644
index 0000000..16922ec
--- /dev/null
+++ b/systems/stronghold/secrets.yaml
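Review bot: `address = [ "10.86.84.2/32" ]` (with its own `# TODO: 2?`) moves stronghold's tinc address from .3 to .2, but the dozzle container added in the previous hunk still binds `10.86.84.3:9999`, so Docker will fail to publish that port once the interface no longer carries .3. Settle the address first (fortress holds .1 in the earlier hunk) and then use one value in both places, e.g. `ports = [ "10.86.84.2:9999:8080" ];` or a shared `let` binding. The `# To generate keys:` comment kept at the top of the hunk still describes the removed `/root/wireguard` workflow and no longer matches the sops-managed key paths introduced here, so it should be updated or dropped along with the tinc key-generation comment this hunk removes.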
@@ -0,0 +1,81 @@ +dotspace: + stronghold: + keys: + wireguard: + private.key: ENC[AES256_GCM,data:8Ay1/jxFay9NuJyyab3bq0RH9S+nBLEtUW82SN8wNWYVdV+wdKhVHQdmOks=,iv:A0hnQJL1mc6MNhite33L1zk4QZFPwPfB9GtXEIT+CXM=,tag:oaHrFPAdTgig9pCqEpVPBg==,type:str] + lauren-phone.psk: ENC[AES256_GCM,data:fZCG7LobFo1vI84jn8gdLoLEXwFHsF3z6hHa5pOqkxHYyOf/ljWpcgYMXNE=,iv:9W4Y8Z9voYEC8SrHWhtkBY0jflfcqTfIYi2HS4VIEV0=,tag:+3vTGZgIppAV+INBdPA90A==,type:str] + tinc: + ed25519_key.pub: ENC[AES256_GCM,data:a2GF7wUoQmIzhBSrOHEcs8oTm81QzsZayorlAiPPt3piOl1gmi4iac1qvK9lV/6wK3Oq4NRrvoIWKtZyvGw=,iv:RcAjzpZIpjmtqQYK+c4W90NyJJgnngR2quLWI7R2fXU=,tag:ABwOJXqJ33GTUQ5hBAI0oA==,type:str] + ed25519_key.priv: ENC[AES256_GCM,data:EDAKMQFfq5vAsDZUtU2aqUuio71r3EUx7Gn+hBptKEFQWYRhSazSj5MD7IImgbqbbyfA3dWrnt2UT/JO/X6sp73qsOw2sk9mJ9RmW5OrutHRYe3z5DFyku+JyFEKLxHnuelogIS0ebvUxz6vJhj28jpSTjUExqAndGHx2wJcu6Tj+peB3bXSOUjlY6K8sCNYJGJDGdoHMhSA0q5q3TDdSmhex3P6izA++A8vmWqNOvZFyNGBwYrxHb77eibcuqY9ybE6tUPdMA==,iv:vmm5yjzueV8BDEGNRlXZZlykfacMxqigdUHUV+5GL24=,tag:rzmdFrYFm9i6q52iSKf2Tg==,type:str] +sops: + age: + - recipient: age1up8uth9hwtd9gup3v32l8dypdarj77s2lysm8js8w8mwa80rk4ds76ke6d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NU5aN0w1czVkc2VoaW5m + VUp4VmVKbVFpb0JUeTlEcjNBQjVLMW52Vm1zCng3ZktjczVIZlBUZ2E0d2JkckZR + bzUyQnNEeTRpdExTYm56dmFJYkZPQ28KLS0tIElicWxZbzNUNlRkRDgzSlJWU2Ew + WWJIN1d6ckdjbWh4U1Z1SGlQNWpjR2sKz2/MwI8rq5Wf7wBVcV0BMMuYAQNpMrAc + Ns/Md9FKDjxEsRo5NrJS0bNWedLuWhedzgyvaZ3aCGLJju5BfqSp0g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fraz2lnnqtcxnu6tnjy4f7y9tuc0fnqekzmdynnhtt0h8a230v5qddpxdu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbDNRaVBrdFJCRktpZmRm + V2JFMnJZYkZnQTlLU0RUMWo4eHJqY1IxVFNNCldRK1BwSUpnbzhCWXY0NmtQaFNF + NUNGSFQ4aVJ2V05lMTJLUittUzdSaGcKLS0tIFM5d0JzN3d3VDY3a09EU2xDdGlk + RTd5MDB0c090OURSMms5VS9KczBUWkUKUxj8bT1gx+y4BJNogGENhS0eL6aOxvFj + 31mxJkEhLzjB3W/miDgVIR/MbrH+WD5jQ5mdHb8g/hRw5KOBMr758w== 
+ -----END AGE ENCRYPTED FILE----- + - recipient: age14j6ns297c49wx5d8jddctfmek0kvn8rvw3y03nw3pankc03dlpuqhvvy7c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGN3N4Y29lNFVhOTI0bUxj + eXJxamVtakNGS01EMWtWbnp1UHRPbUhHeDJZClMzZWJSNXhhRjhYQmFKTkZjY3VD + UDk1SDRIbmNXZGt2SExuM29ZYzN5aUEKLS0tIGxzME9PMnVBeU9acEpLNTdxUDZk + QlF0Y0RyV2pRYlNQU0EyRHlwQm5kMDgKdQ/c0vekhFGnjMq1uwBHwpIMOInWgxpC + vbONLm8pEwVYn77lfJDD6IgAILyUFy9fvSBmTGW4QP6agW1rYLqoew== + -----END AGE ENCRYPTED FILE----- + - recipient: age1kmt2khucyvscmwvrjnt0v90zggttuap9utx7rw54g9amhtrkzdlq94fe4j + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMDR1bTU5U0VYNUhEbFI2 + QlZjdkxvZkRZczFjZTRyWjVOUjh3SVFVdEJ3CjhQT1k2M09LSU9WdlpVR3RXczl1 + TDlKMU90a0NPT0pWUFZFbE1ieGdBRGMKLS0tIHBUTWgrNTNwS2g2ZVdmR3dYdG05 + R0dCeStsTXlBc2xSQ2lma2EwVGJ1aVkKvF2UTTn19Lvd7nzTAsLUTh+PvurCSZpR + jHcCC/53HThnsBHClaKzKSnY1OyJsrptQjSGAsM/8MJMhUdij5+pqA== + -----END AGE ENCRYPTED FILE----- + - recipient: age19v2gpucsykaqu3hsvskl67ss8mpqstp59vn687am6px9nmg585ksvlhctz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZXd1dnBVTmRoVkhxNXlT + M3Nsb2tWVHlyNnh2UElRRlZqeXJsWU44ZkhZCmZIdjZHY3ZRa3VqRVY3R29DRWF2 + K3QxZmZlNTBzTlgrZGxZekcyU3J3QXMKLS0tIEdrdTdBaFlXbHlaTGc3Q0ExN1Z3 + Mmo0UnZiNDhvLzVNRVVjZ2VDWENxeXcKk7iiXOU59DOZC3pP2l7KqlCrPR7ARiVO + Uz6VONBvL+IKj8zoIqzozjrh7Q0WMtUIyChhhgEG+vDSC9beWEZvpg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-06T23:31:48Z" + mac: ENC[AES256_GCM,data:rSF7ScSmJKZgmEi4avv0Dt1qhjlCFwBFMH5TCevvm2nWFwivtLWLzygaIJOM70J80XDV+9QuFgdALbUUS5yxL5RWj3QYYlsXA35RwFZa1Juh7NNqew26sQSV3K/06T7FmfBsNutXCMkFszqlphaSgnNNNtB+BG/ZzRGBqxzoHT0=,iv:WQrmpK3kx/e/gm7EHbiAjEjdmsA+BsojGiI7A+RNU8U=,tag:s8zCc+DeDq45p1NkrTf1ZQ==,type:str] + pgp: + - created_at: "2025-08-06T23:11:55Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA9BR1U1EkAnnAQ//a2tDEcDDtpnhcMH7TcFX3klc7spWbU+06WpZcdYh44TH + 
fYUQ1EwuVnI0wISiJRysW1uS+7nRxQGLoMheYprCVuGDRXTqz2HObXREyCejf1Wy + EYDn2Y1dNChnOFIWfMzhWSZMzKQt9eCtfVdE/IBIFOPRZK8bDhp88hobClkVQ/oM + p7Yfe7nGzN/wTzDVSWRo/pnbAVOGDGlMSr87zTPj7Uq0H8ZphlpgdFrnWzLxf2yu + tllXLeSdzJ0LFEENp0uPSaLv3psj/WVSzFRA8rrHXPBJtsxp4yDylDHU0yvVOVyx + AWs2B/K+BttNMhmBBQVYY02vzvLH/xd9ZLFfezvIPL3dxR0v7wH/aJYPGHL6iifB + WG5aZkWsDGW1v4TPKQ1T/RtGAwx5CVYQnAE8ai9oQxbfxDHUvklkqGFMnOecW3ef + E9ff7OB9cp1GcXhlywt01i+GtPvOqYmTKG0lM04zvqO/x/4ktALonesgHTbvF6ub + +1csR8v5xWcAlS3mahkhXLnHp43OMwA/kwLRM0yc9dUrIv8nzLUVHR6oJ1nG13yX + PL2ajz0/htih2t5l087pvGNNugAxeN7gGOl8Igv4HbAr2IphrVG9FfzDxMqPXoB2 + LLEHTlmhknceJUr2rOI6PJjOC7M9D5gs0uMAVuY4//mahi0erLe4gBMknG+b9B3S + XgEBQhHgCiFEuqXB+SLbujwNUNuPtQG43e6n73PZ9ept5NOyXLHyZ3QkHSgNA5GX + KbYzFip4Khh0dNBOfwYP/z+o2xAfoMC0MvDAZjjdTDuu7w9HD6zV/mg99/9wLcs= + =eDvZ + -----END PGP MESSAGE----- + fp: 5F78261B65C565041662A3B7FF8FC3C735BD4A51 + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/systems/stronghold/wireguard.nix b/systems/stronghold/wireguard.nix new file mode 100644 index 0000000..b9ad02e --- /dev/null +++ b/systems/stronghold/wireguard.nix 
@@ -0,0 +1,56 @@
+{ ... }: let
+ port = 51280;
+ hostname = "stronghold";
+ subnet_prefix = "10.13.14";
+ public_key = "fDauNyRJSNlmPGm9KHprF2qCwPbgCmEyZsXSQvZ2mRE=";
+
+ peers = [
+ { name = "lauren-phone"; id = 3; }
+ ];
+in {
+ sops.secrets = {
+ "dotspace/${hostname}/keys/wireguard/private.key" = {
+ mode = "0640";
+ group = "systemd-network";
+ sopsFile = ./secrets.yaml;
+ };
+
+ # TODO: Parameterize
+ "dotspace/${hostname}/keys/wireguard/lauren-phone.psk" = {
+ mode = "0640";
+ group = "systemd-network";
+ sopsFile = ./secrets.yaml;
+ };
+ };
+
+ systemd.network.networks."90-wg.${hostname}" = {
+ matchConfig.Name = "wg.${hostname}";
+ address = [ "${subnet_prefix}.1/24" ];
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ IPv4Forwarding = true;
+ };
+ };
+
+ systemd.network.netdevs."50-wg.${hostname}" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg.${hostname}";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/run/secrets/dotspace/${hostname}/keys/wireguard/private.key";
+ ListenPort = port;
+ RouteTable = "main";
+ };
+
+ # TODO: Parameterize
+ wireguardPeers = [
+ {
+ PresharedKeyFile = "/run/secrets/dotspace/${hostname}/keys/wireguard/lauren-phone.psk";
+ PublicKey = public_key;
+ AllowedIPs = [ "${subnet_prefix}.2/32" ];
+ }
+ ];
+ };
+}
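Review bot: `port = 51280;` looks like a transposition of 51820, the WireGuard default and the `listenPort` the removed `networking.wireguard` block in `configuration.nix` used; if the phone peer (and any port-forward in front of this host) still targets 51820, handshakes will never reach this interface, so either correct it to `port = 51820;` or add a comment stating that the non-default port is deliberate. The `peers` list declares `id = 3` for lauren-phone but is never referenced: `AllowedIPs` is hard-coded to `"${subnet_prefix}.2/32"` and `public_key` is a bare top-level constant, so two descriptions of the same peer can drift apart; until the `# TODO: Parameterize` lands, either drop the unused list or derive the address from it, e.g. `AllowedIPs = [ "${subnet_prefix}.${toString (builtins.head peers).id}/32" ];`. A comment on `public_key` saying it is the phone's key rather than this host's would also help, since the name reads like the local key.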