Commit graph

721 commits

Author SHA1 Message Date
4b6b4842d1 update dns 2022-03-29 21:30:09 +01:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
b8acd6e31b swann: re-enable vault-agent 2022-03-20 19:10:24 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437 bvm-radius: reenable roaming2.ja.net 2022-03-20 11:08:34 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00
829d179d37 nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e secretsmgr: actually _enable_ the timer unit 2022-03-18 01:08:35 +00:00
ce698ab382 nixos/secretsmgr: add the timer unit 2022-03-18 01:03:55 +00:00
b719181dfe nixos: migrate to secretsmgr for sshd and ACME 2022-03-17 23:31:55 +00:00
702cd972ab nixos/vault-agent: should care about /var/lib/vault-agent instead 2022-03-17 12:27:10 +00:00
b0d2782369 nixos/vault-agent: set a longer timeout on HTTP requests to upstream 2022-03-17 01:25:44 +00:00
b469b24c5a totoro: add live2 alias 2022-03-14 21:28:58 +00:00
f55dc46170 ssh-ca-vault: disable SSH host key signing for now 2022-03-14 21:28:37 +00:00
262620f177 swann: also put v6 RA routes into the correct route table
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54 swann: reduce write activity on disk 2022-03-13 17:34:23 +00:00
f1fcda810a vault-agent-acme: disable 2022-03-12 23:39:45 +00:00
5283ee4fee swann: migrate fully to using networkd
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself
2022-03-12 19:38:54 +00:00
9099ee2a45 swann: only rename physical interfaces 2022-03-12 07:25:48 +00:00
fb2dc81bc0 bvm-radius: ensure acme user 2022-03-11 23:10:01 +00:00
6353ce6603 swann: make systemd-networkd-wait-online wait for _any_ NIC 2022-03-11 22:57:08 +00:00
f15e112da7 ssh-ca-vault: by default enable user matches 2022-03-11 22:31:57 +00:00
ae97fddae2 vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef ssh-ca-vault: init 2022-03-11 21:48:06 +00:00
86a6191a56 vault-agent-secrets: add wantedBy for all restartable units too 2022-03-11 18:48:54 +00:00
ada466bae0 vault-agent-secrets: put Before in the correct place 2022-03-11 18:48:08 +00:00
a66bd4822a totoro: disable RP filter 2022-03-11 18:45:41 +00:00
fde964db82 hm/client: add VAULT_ADDR env variable 2022-03-11 18:44:52 +00:00
0187120a24 ops/nixos: move nix cache tokens into vault 2022-03-11 16:46:50 +00:00
4100b021aa etheroute-lon01: add google service account token 2022-03-11 16:20:34 +00:00
dd746bec32 etheroute-lon01: use FQDN for Pomerium DNS 2022-03-11 16:20:24 +00:00
34fa21a171 treewide: fix eval fallout from nixpkgs bump 2022-03-11 14:56:55 +00:00
c98f3312a7 etheroute-lon01: migrate to vault-agent-secrets 2022-03-11 14:40:55 +00:00
6e6e714cf1 ops/nixos: init vault-agent-secrets module 2022-03-11 14:40:08 +00:00
f9546ed62a ts3spotifybot: remove for now 2022-03-11 10:02:22 +00:00
e50f682237 totoro: remove cloudflare credentials from raritan-sslrenew 2022-03-11 03:46:31 +00:00
4be2eaeb6d nixos/lib/common: remove security.acme 2022-03-11 03:28:32 +00:00
0c458988de ops/nixos: misc cleanups 2022-03-11 03:27:58 +00:00
daccfa5717 ops/nixos: migrate everything to vault-agent-acme 2022-03-07 00:52:03 +00:00
0c7f785107 vault-agent-acme: tidy up 2022-03-06 23:01:51 +00:00
8be4fe603e vault-agent-acme: init 2022-03-06 22:26:49 +00:00
a3eb1e4519 totoro: enable samba 2022-03-05 11:56:22 +00:00
f0e645fccb swann: add lukegb01.ring.nlnog.net to smokeping prober 2022-03-03 18:44:56 +00:00
dfb663e659 blade-router: mark cloudflare as pending 2022-03-03 17:38:19 +00:00
c357d5ed8f blade-router: add cloudflare2 2022-03-03 17:37:41 +00:00
610d5ccf40 hm/porcorosso-wsl: add nixpkgs to NIX_PATH 2022-03-03 16:25:34 +00:00
080577e0f3 swann: fix tailscale outbound
Tailscale adds a policy-based routing rule at priority 5200-ish, which is
before all the rules that we add. This avoids any Tailscale traffic going
out... over Tailscale, which would be bad.

Anyway, this breaks us because our main table is empty, so there's nowhere
for the Tailscale traffic to actually go. Oops.

Instead, use policy-based routing to send things over our WG tunnel, or over
any of our upstream connections depending on what's available.
2022-03-02 00:32:31 +00:00
d79faeb3e0 porcorosso-wsl: add keychain 2022-02-27 19:44:48 +00:00