From 1666065809ae9644a926d6e7c51ba070e118e67b Mon Sep 17 00:00:00 2001 From: Skyler Grey Date: Sun, 28 Jul 2024 08:54:30 +0000 Subject: [PATCH] feat(axol): Add headscale module Headscale is an open server for tailscale. Clicks, another group I work on nix stuff with, has a module which makes it extremely easy to set up a headscale server. I've spent a while over the past week making it safe to import, and it's finally ready for Auxolotl to have! We want to use headscale for internal communication between servers, so it's OK to avoid setting up OIDC ... similarly, the only people who are on the headscale should be relatively-well trusted. The expectation is that to start with, this will be people who want to run buildbot workers --- flake.lock | 483 +++++++++++++++++- flake.nix | 19 +- .../auxolotl/security/secrets/default.nix | 4 +- ...vices.headscale.database_password_path.age | 11 + ...958b9dc8070761e8e3a0425d8e4dcbbe86325d.age | 7 + systems/x86_64-linux/axol/default.nix | 17 + 6 files changed, 525 insertions(+), 16 deletions(-) create mode 100644 secrets/generated/axol/clicks.services.headscale.database_password_path.age create mode 100644 secrets/rekeyed/axol/c8d99c55c1546d3c2295c1e91c6db9e6-6d7837d2fe4c729d0aee7dabf3958b9dc8070761e8e3a0425d8e4dcbbe86325d.age diff --git a/flake.lock b/flake.lock index dd47834..38145ea 100644 --- a/flake.lock +++ b/flake.lock 
@@ -44,6 +44,97 @@ "type": "github" } }, + "agenix-rekey_2": { + "inputs": { + "devshell": "devshell_2", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "clicks", + "nixpkgs" + ], + "pre-commit-hooks": "pre-commit-hooks_2" + }, + "locked": { + "lastModified": 1722597419, + "narHash": "sha256-YbMzll0Dh2ln/TryDP+S3IGm8nRHkzcSQIubI4ZEOAw=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "126b4a5133eb361cbf5bf90e44c71b6f830845ec", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, + "agenix_2": { + "inputs": { + "darwin": "darwin_2", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_3", + "systems": "systems_5" + }, + "locked": { + "lastModified": 1722339003, + "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "aux--docs-site": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": [ + "clicks", + "nixpkgs" + ], + "snowfall-lib": [ + "clicks", + "snowfall-lib" + ], + "wiki": [ + "clicks", + "aux--wiki" + ] + }, + "locked": { + "lastModified": 1716650000, + "narHash": "sha256-JmR6GR0gzSvtz4BdcfickEqU2m9jBIzzP0XDWA1llZA=", + "ref": "refs/heads/main", + "rev": "c403a8151b87654a0cb24ad28fb23edc3f78906e", + "revCount": 14, + "type": "git", + "url": "https://git.auxolotl.org/auxolotl/docs-site" + }, + "original": { + "type": "git", + "url": "https://git.auxolotl.org/auxolotl/docs-site" + } + }, + "aux--wiki": { + "flake": false, + "locked": { + "lastModified": 1722641105, + "narHash": "sha256-jdDGNg/qcsFmacZQX2RoEILoRLeMRWtA7OEre1ZRDxc=", + "ref": "refs/heads/main", + "rev": "9269687c6d49976d904516120dcf84bbe659900c", + "revCount": 210, + "type": "git", + "url": "https://git.auxolotl.org/auxolotl/wiki" + }, + "original": { + "type": "git", + "url": 
"https://git.auxolotl.org/auxolotl/wiki" + } + }, "auxolotl-website": { "inputs": { "nixpkgs": [ @@ -85,6 +176,42 @@ "url": "https://git.auxolotl.org/auxolotl/buildbot-nix.git" } }, + "clicks": { + "inputs": { + "agenix": "agenix_2", + "agenix-rekey": "agenix-rekey_2", + "aux--docs-site": "aux--docs-site", + "aux--wiki": "aux--wiki", + "deploy-rs": [ + "deploy-rs" + ], + "flake-utils": "flake-utils_5", + "home-manager": "home-manager_3", + "impermanence": "impermanence", + "nixpkgs": [ + "nixpkgs" + ], + "snowfall-lib": [ + "snowfall-lib" + ], + "unstable": [ + "unstable" + ] + }, + "locked": { + "lastModified": 1723155917, + "narHash": "sha256-wCGcBVZs6VuE/8K0tniJk+heyeZpdpNUxBDGFk1sPvo=", + "ref": "refs/heads/main", + "rev": "4123759130ad663a3409048bbc93f3c47ae7af35", + "revCount": 51, + "type": "git", + "url": "https://git.clicks.codes/Infra/NixFiles.git" + }, + "original": { + "type": "git", + "url": "https://git.clicks.codes/Infra/NixFiles.git" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -107,9 +234,32 @@ "type": "github" } }, + "darwin_2": { + "inputs": { + "nixpkgs": [ + "clicks", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "deploy-rs": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "nixpkgs" ], 
@@ -151,6 +301,29 @@ "type": "github" } }, + "devshell_2": { + "inputs": { + "nixpkgs": [ + "clicks", + "agenix-rekey", + "nixpkgs" + ], + "systems": "systems_6" + }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -184,6 +357,22 @@ } }, "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1696426674, @@ -199,7 +388,7 @@ "type": "github" } }, - "flake-compat_4": { + "flake-compat_5": { "flake": false, "locked": { "lastModified": 1650374568, @@ -274,7 +463,7 @@ }, "flake-utils-plus_2": { "inputs": { - "flake-utils": "flake-utils_3" + "flake-utils": "flake-utils_6" }, "locked": { "lastModified": 1715533576, 
@@ -311,7 +500,61 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_8" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_9" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "inputs": { + "systems": "systems_11" }, "locked": { "lastModified": 1694529238, @@ -349,6 +592,29 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "clicks", + "agenix-rekey", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -370,6 +636,64 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "clicks", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "clicks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722630065, + "narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "afc892db74d65042031a093adb6010c4c3378422", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1719091691, + "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1703013332, @@ -402,6 +726,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1721838734, 
@@ -419,6 +759,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1721743106, "narHash": "sha256-adRZhFpBTnHiK3XIELA3IBaApz70HwCYfv7xNrHjebA=", @@ -462,14 +818,45 @@ "type": "github" } }, + "pre-commit-hooks_2": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": [ + "clicks", + "agenix-rekey", + "flake-utils" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "clicks", + "agenix-rekey", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1694364351, + "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "agenix-rekey": "agenix-rekey", "auxolotl-website": "auxolotl-website", "buildbot-nix": "buildbot-nix", + "clicks": "clicks", "deploy-rs": "deploy-rs", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "snowfall-lib": "snowfall-lib_2", "unstable": "unstable" } 
@@ -499,23 +886,22 @@ }, "snowfall-lib_2": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "flake-utils-plus": "flake-utils-plus_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1717625599, - "narHash": "sha256-qX9VJizFEoiRWDEiVs5+2w4FclQNQVVPvGPESsZ1F8k=", + "lastModified": 1719005984, + "narHash": "sha256-mpFl3Jv4fKnn+5znYXG6SsBjfXHJdRG5FEqNSPx0GLA=", "owner": "snowfallorg", "repo": "lib", - "rev": "5a10d2e37b6c6223763fa7c00b974875e49f93cc", + "rev": "c6238c83de101729c5de3a29586ba166a9a65622", "type": "github" }, "original": { "owner": "snowfallorg", - "ref": "dev", "repo": "lib", "type": "github" } @@ -535,6 +921,36 @@ "type": "github" } }, + "systems_10": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_11": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "systems_2": { "locked": { "lastModified": 1681028828, 
@@ -610,6 +1026,51 @@ "type": "github" } }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_9": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ @@ -649,7 +1110,7 @@ }, "utils": { "inputs": { - "systems": "systems_5" + "systems": "systems_10" }, "locked": { "lastModified": 1701680307, diff --git a/flake.nix b/flake.nix index 0723e81..17f6522 100644 --- a/flake.nix +++ b/flake.nix @@ -9,7 +9,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable"; snowfall-lib = { - url = "github:snowfallorg/lib/dev"; + url = "github:snowfallorg/lib"; inputs.nixpkgs.follows = "nixpkgs"; }; 
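Review bot: The `snowfall-lib` url change from `github:snowfallorg/lib/dev` to `github:snowfallorg/lib` switches the tracked branch of a core input, which has nothing to do with the headscale module and is not mentioned in the commit message. The lock hunk for `snowfall-lib_2` shows the rev moving and `"ref": "dev"` disappearing, so this is a real change for every host, not a cosmetic one. It would be clearer as its own commit, or at least named in the description with the reason (presumably because the new `clicks` input follows `snowfall-lib` and expects the default branch — worth confirming).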
@@ -28,6 +28,16 @@ buildbot-nix.url = "git+https://git.auxolotl.org/auxolotl/buildbot-nix.git"; # Do not override nixpkgs in buildbot-nix (see https://github.com/nix-community/buildbot-nix) + clicks = { + url = "git+https://git.clicks.codes/Infra/NixFiles.git"; + inputs = { + deploy-rs.follows = "deploy-rs"; + nixpkgs.follows = "nixpkgs"; + snowfall-lib.follows = "snowfall-lib"; + unstable.follows = "unstable"; + }; + }; + deploy-rs = { url = "github:serokell/deploy-rs"; inputs.nixpkgs.follows = "nixpkgs"; @@ -56,7 +66,7 @@ inputs.agenix-rekey.nixosModules.default inputs.buildbot-nix.nixosModules.buildbot-master inputs.buildbot-nix.nixosModules.buildbot-worker - ]; + ] ++ (lib.attrsets.attrValues inputs.clicks.nixosModules); deploy = lib.mkDeploy { inherit (inputs) self; @@ -67,7 +77,10 @@ }; agenix-rekey = inputs.agenix-rekey.configure { - userFlake = inputs.self; + userFlake = inputs.self // { outPath = lib.pipe "" [ + lib.snowfall.fs.get-snowfall-file + (lib.strings.removeSuffix "/") + ]; }; nodes = inputs.self.nixosConfigurations; }; diff --git a/modules/nixos/auxolotl/security/secrets/default.nix b/modules/nixos/auxolotl/security/secrets/default.nix index ecea233..0f44b5c 100644 --- a/modules/nixos/auxolotl/security/secrets/default.nix +++ b/modules/nixos/auxolotl/security/secrets/default.nix @@ -12,7 +12,7 @@ "${inputs.self}/secrets/keys/minion/iyubikey.pub" ]; storageMode = "local"; - generatedSecretsDir = "${inputs.self}/secrets/generated/${config.networking.hostName}"; - localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}"; + generatedSecretsDir = lib.snowfall.fs.get-snowfall-file "secrets/generated/${config.networking.hostName}"; + localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}"; }; } 
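Review bot: The new `clicks` input makes `nixpkgs`, `deploy-rs`, `snowfall-lib` and `unstable` follow this flake's copies but leaves clicks' own `agenix` and `agenix-rekey` inputs unpinned, so flake.lock now carries second copies (`agenix_2`, `agenix-rekey_2`, each pulling their own nixpkgs). If the clicks modules reference their own agenix-rekey, that copy can diverge from the `inputs.agenix-rekey.nixosModules.default` this flake already imports; consider adding `agenix.follows = "agenix";` and `agenix-rekey.follows = "agenix-rekey";` to the `inputs` block. The input itself is locked by rev and narHash in flake.lock, which is the right way to pin a third-party repository.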
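Review bot: `] ++ (lib.attrsets.attrValues inputs.clicks.nixosModules)` imports every NixOS module exported by the third-party clicks flake into every system, while the commit only needs the headscale one. Every module in that repository, and any added in a future lock bump, is then evaluated on all hosts, so an option that defaults to enabled or a module with unconditional config would silently change machines that never asked for it. Importing just the headscale module, e.g. `inputs.clicks.nixosModules.<headscale-module-attr>` (the attribute name is not visible here), keeps the trust surface to what is actually used; if the clicks modules depend on each other, a short comment saying so would justify the blanket import. The enclosing module list starts before this hunk.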
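Review bot: The `outPath` override on `userFlake` has no comment explaining why `inputs.self` alone is no longer enough, and `lib.pipe "" [ lib.snowfall.fs.get-snowfall-file (lib.strings.removeSuffix "/") ]` is not self-explanatory. It appears to be paired with the secrets-module hunk in this commit, which moves `generatedSecretsDir` and `localStorageDir` onto `lib.snowfall.fs.get-snowfall-file`, so that both sides resolve the repository root the same way — worth confirming. A comment such as `# Point agenix-rekey at the snowfall source root so its CLI and the secrets module resolve secrets/{generated,rekeyed} to the same directory` would save the next reader the archaeology, since if the two ever drift apart rekeyed secrets could be written to a path the host configuration never reads.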
diff --git a/secrets/generated/axol/clicks.services.headscale.database_password_path.age b/secrets/generated/axol/clicks.services.headscale.database_password_path.age new file mode 100644 index 0000000..1ad2d9b --- /dev/null +++ b/secrets/generated/axol/clicks.services.headscale.database_password_path.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 xE4ypg AotC1OcKc0ti5K6mtsUMYAqbatTWQDKp/2FrnOlzkjdO +0rQChKMRXxIcSYDstypsXuielQrocv4BA5A1sl13OI4 +-> piv-p256 Hpt/+Q ApUzYGw2STuEvWzD9ApOVYZt6chkddNNUqMdFrHVLfob +fuEK2OPd+RZ6NyTGDkT9XDqKoRM3PKIH+7uXT2vloeQ +-> piv-p256 zfskmQ A6tQg5bZLRhR6P7Ch1OYGB+8epuYWVgY8NHVt2/duCX4 +UZ/siP1+Ee5fOucjCuy9OdJdYr2+HA4UElUJKfR/Z+w +-> :98mk-F1-grease . NZ)[K^Y dH +lNVgE+LU+g +--- jnqRYlJ+O2Gyyq3F+Bg6wbeWnr+BrvnyS7yZJSBVdMA +¾2<ž½úG²öw;Á•–¨É2}æAmw˜Y6ºa©5TÖÉd ssh-ed25519 JMblKQ K3PuGxokm5IVyWvKINebQ78IludSXmPQ6TszMlJ+y2Y +gSIZJVDNkGEwKqMoqnVWQnZlCtquX8OiY+zokAE3qCs +-> y`qQqQ*-grease K- +uoC/ +--- psxc2ttdWjZPh1yijDIrFPs4Mc7naugmqC58dH2UKD4 +4¥S0íRî)x´¬Úb’Ú‘ð¤hì˜W±Záö•·?‚U|ì÷é!qéK¶Œ±ÙŽsö³Û Ÿßù·^‰]‡ºå)ïªð1§Á®A‚˜>Ù \ No newline at end of file diff --git a/systems/x86_64-linux/axol/default.nix b/systems/x86_64-linux/axol/default.nix index 383666c..b777f12 100644 --- a/systems/x86_64-linux/axol/default.nix +++ b/systems/x86_64-linux/axol/default.nix @@ -6,13 +6,17 @@ # 137.184.177.239 { pkgs, + lib, modulesPath, + config, ... }: { imports = [ (modulesPath + "/virtualisation/digital-ocean-config.nix") ]; + age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+vSEiWVIn53Jyhs0QmVa7d7qkoArCWVbP1yKv46FDX"; + boot.loader.grub.enable = true; virtualisation.digitalOcean.rebuildFromUserData = false; 
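Review bot: `age.rekey.hostPubkey` is added without a comment saying what it is or how to verify it; since this is the recipient key axol's rekeyed secrets are encrypted to, a stale or mistyped value means the host cannot decrypt any of them. Suggest `# Public half of axol's host SSH key; rekeyed secrets are encrypted to it, so it must match the host's ssh_host_ed25519_key.pub` above the line. Separately, `lib` is added to the module arguments but is not used in either hunk of this file (`config` is, by the headscale hunk below); if it is not used elsewhere in the file it should be dropped.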
@@ -47,5 +51,18 @@ }; }; + clicks.services.headscale = { + enable = true; + domain = "vpn.auxolotl.org"; + database_password_path = config.age.secrets."clicks.services.headscale.database_password_path".path; + }; + + age.secrets."clicks.services.headscale.database_password_path" = { + generator.script = "alnum"; + group = "headscale"; + mode = "0440"; # Needed to allow headscale group to read + unstableName = true; # Clicks option to base the name on a hash of the contents ... helps with autorestarting services + }; + system.stateVersion = "23.11"; }
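Review bot: The access model the commit message describes (no OIDC because only trusted internal nodes, initially buildbot workers, will join) is not recorded anywhere in this config, so the next reader of `clicks.services.headscale` sees a presumably internet-facing `vpn.auxolotl.org` with no note on who is expected to enrol. Add that reasoning above `clicks.services.headscale = {`, e.g. `# Internal server-to-server mesh only: no OIDC, nodes are enrolled by a trusted admin. Revisit before admitting less-trusted users.` The secret wiring itself is good — the DB password is generated rather than committed, exposed to the `headscale` group at `0440`, and the `mode`/`unstableName` comments explain the non-obvious choices. If the clicks module exposes an ACL/policy option, setting it explicitly here (even to the default) would make the trusted-nodes-only assumption enforceable rather than merely intended; hedged, since the module's options are not visible in this diff.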