08b68745f0
ops/vault: move policies to token_policies
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700
nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).
As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.
tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437
bvm-radius: reenable roaming2.ja.net
2022-03-20 11:08:34 +00:00
c60a68a354
nix/gitlab-ci: try to restrict deploy steps to only default
2022-03-20 10:26:56 +00:00
4020f310ce
ops/vault: destroy existing secrets before provisioning a new one
2022-03-20 10:20:25 +00:00
132cb805b3
ops/vault: use wrapping token to protect secret IDs in transit
2022-03-20 10:14:02 +00:00
829d179d37
nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.
We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e
secretsmgr: actually _enable_ the timer unit
2022-03-18 01:08:35 +00:00
ce698ab382
nixos/secretsmgr: add the timer unit
2022-03-18 01:03:55 +00:00
b719181dfe
nixos: migrate to secretsmgr for sshd and ACME
2022-03-17 23:31:55 +00:00
702cd972ab
nixos/vault-agent: should care about /var/lib/vault-agent instead
2022-03-17 12:27:10 +00:00
deployer@bvm-nixosmgmt.blade.as205479.net
b4b3484e6c
nix/pkgs/plex-pass: update version to 1.25.7.5604-980a13e02
2022-03-17 02:10:56 +00:00
037c6f0fd8
go/secretsmgr: add support for ACME certificate issuance
2022-03-17 01:26:18 +00:00
b0d2782369
nixos/vault-agent: set a longer timeout on HTTP requests to upstream
2022-03-17 01:25:44 +00:00
d2481b1461
vault-acme: sleep in lieu of waiting "properly" for DNS propagation
Once we've seen the TXT record on any nameserver, assume that it'll reach the
rest of them within 60 seconds.
This is an awful hack because some peculiarities of my setup don't work
properly with the upstream lego code.
2022-03-17 01:03:41 +00:00
148e071c21
ops/vault/cfg: add acme-ca
2022-03-16 00:18:47 +00:00
fb7e18260a
ops/vault/cfg: where we're going, we don't need secrets.nix
2022-03-16 00:06:46 +00:00
165fc4559c
go/secretsmgr: init
Currently this only handles signing SSH certificates, but let's see where we go from here.
2022-03-15 03:07:34 +00:00
0dacea5ff8
3p/gopkgs: add a bunch of dependencies of github.com/hashicorp/vault/api
2022-03-15 03:07:06 +00:00
23df8e3b18
ops/vault/cfg: initial configuration
2022-03-14 23:34:33 +00:00
92998b5d36
ops/vault/cfg: init terranix stuff
2022-03-14 21:29:15 +00:00
b469b24c5a
totoro: add live2 alias
2022-03-14 21:28:58 +00:00
f55dc46170
ssh-ca-vault: disable SSH host key signing for now
2022-03-14 21:28:37 +00:00
8c6c7af3f7
ops/vault: add reissue-secret-id utility
2022-03-14 21:28:16 +00:00
262620f177
swann: also put v6 RA routes into the correct route table
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54
swann: reduce write activity on disk
2022-03-13 17:34:23 +00:00
edf6671aff
3p/nixpkgs: add pr164025
2022-03-13 17:33:59 +00:00
b29a330382
ubi_reader: init
2022-03-13 17:32:59 +00:00
c41914e274
nixos/networkd: add support for configuring networkd.conf settings
networkd.conf controls a few interesting options, such as enabling
systemd-networkd's speed meter and, crucially, allowing you to disable the
behaviour where networkd will delete any routes or policy-based routing rules
that it doesn't recognise.
This also adds support for configuring routing table names and mirroring them
into the iproute2 config.
2022-03-13 04:00:48 +00:00
Default email
aa526eb20f
Project import generated by Copybara.
GitOrigin-RevId: fcd48a5a0693f016a5c370460d0c2a8243b882dc
2022-03-10 11:12:11 -08:00
c9bd0696ed
heptapod: enable SSH CA
2022-03-13 00:24:57 +00:00
f1fcda810a
vault-agent-acme: disable
2022-03-12 23:39:45 +00:00
5283ee4fee
swann: migrate fully to using networkd
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself.
2022-03-12 19:38:54 +00:00
9099ee2a45
swann: only rename physical interfaces
2022-03-12 07:25:48 +00:00
fb2dc81bc0
bvm-radius: ensure acme user
2022-03-11 23:10:01 +00:00
6353ce6603
swann: make systemd-networkd-wait-online wait for _any_ NIC
2022-03-11 22:57:08 +00:00
f15e112da7
ssh-ca-vault: by default enable user matches
2022-03-11 22:31:57 +00:00
ae97fddae2
vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef
ssh-ca-vault: init
2022-03-11 21:48:06 +00:00
86a6191a56
vault-agent-secrets: add wantedBy for all restartable units too
2022-03-11 18:48:54 +00:00
ada466bae0
vault-agent-secrets: put Before in the correct place
2022-03-11 18:48:08 +00:00
a66bd4822a
totoro: disable RP filter
2022-03-11 18:45:41 +00:00
fde964db82
hm/client: add VAULT_ADDR env variable
2022-03-11 18:44:52 +00:00
0187120a24
ops/nixos: move nix cache tokens into vault
2022-03-11 16:46:50 +00:00
4100b021aa
etheroute-lon01: add google service account token
2022-03-11 16:20:34 +00:00
dd746bec32
etheroute-lon01: use FQDN for Pomerium DNS
2022-03-11 16:20:24 +00:00
72a647b80f
baserow: disable moto tests which are broken for some reason
2022-03-11 15:53:04 +00:00
3cb0fa9787
3p/nixpkgs: add pr163678 to fix mercurial
2022-03-11 15:46:15 +00:00
e8b2667c01
heptapod-runner: make a separate drv and stop maintaining it as a patchset on top of gitlab-runner
2022-03-11 15:15:30 +00:00
34fa21a171
treewide: fix eval fallout from nixpkgs bump
2022-03-11 14:56:55 +00:00