Commit graph

1600 commits

Author SHA1 Message Date
f5d66318a3 go/access: set principal name, set presence required by host 2022-03-25 01:47:18 +00:00
3a32590571 go/access: init 2022-03-25 01:24:21 +00:00
eb163962a4 nixos/common: add wireguard-tools 2022-03-24 22:22:18 +00:00
4d00448f55 heptapod: 0.29.1 -> 0.30.0 2022-03-24 22:20:56 +00:00
dbaabf1295 vault: deployer should be allowed to read nix-daemon secrets 2022-03-24 22:20:44 +00:00
b8acd6e31b swann: re-enable vault-agent 2022-03-20 19:10:24 +00:00
7592e76a31 tokend: init
tokend is responsible for issuing service-scoped tokens based on the token held
and generated by the Vault Agent.

It can also generate "server-user" scoped tokens, which exist for convenience's
sake: they are not a strong attestation of the user on the machine, and have
limited privileges compared to a Vault token issued using e.g. `vault login
-method=oidc`.
2022-03-20 17:47:52 +00:00
08b68745f0 ops/vault: move policies to token_policies
I want to be able to rescope these policies down in tokend, which means that I
can't have policies attached to the server's *identity*. Instead, we put these
on the approle instead, which allows us to down-scope all of these.
2022-03-20 11:29:10 +00:00
58a907b700 nixos/vault-agent: listen on UDS only
This UDS is going to be private to vault-agent and tokend (which doesn't exist
yet).

As a stopgap, for the moment, secretsmgrd will be granted direct access to
speak to the Vault Agent over the UDS.

tokend will be responsible for provisioning applications with tokens, by
issuing subtokens which have roles corresponding to the user account requesting
access.
2022-03-20 11:14:51 +00:00
d97a1b7437 bvm-radius: reenable roaming2.ja.net 2022-03-20 11:08:34 +00:00
c60a68a354 nix/gitlab-ci: try to restrict deploy steps to only default 2022-03-20 10:26:56 +00:00
4020f310ce ops/vault: destroy existing secrets before provisioning a new one 2022-03-20 10:20:25 +00:00
132cb805b3 ops/vault: use wrapping token to protect secret IDs in transit 2022-03-20 10:14:02 +00:00
829d179d37 nixos/common: make the EnvironmentFile optional to avoid... problems
In general, it's better for us to fail to pass credentials to the Nix daemon
than it is for the Nix daemon to fail to start up entirely.

We will restart the daemon once the secrets have been delivered anyway.
2022-03-20 10:00:17 +00:00
c9ffb4ed3e secretsmgr: actually _enable_ the timer unit 2022-03-18 01:08:35 +00:00
ce698ab382 nixos/secretsmgr: add the timer unit 2022-03-18 01:03:55 +00:00
b719181dfe nixos: migrate to secretsmgr for sshd and ACME 2022-03-17 23:31:55 +00:00
702cd972ab nixos/vault-agent: should care about /var/lib/vault-agent instead 2022-03-17 12:27:10 +00:00
deployer@bvm-nixosmgmt.blade.as205479.net
b4b3484e6c nix/pkgs/plex-pass: update version to 1.25.7.5604-980a13e02 2022-03-17 02:10:56 +00:00
037c6f0fd8 go/secretsmgr: add support for ACME certificate issuance 2022-03-17 01:26:18 +00:00
b0d2782369 nixos/vault-agent: set a longer timeout on HTTP requests to upstream 2022-03-17 01:25:44 +00:00
d2481b1461 vault-acme: sleep in lieu of waiting "properly" for DNS propagation
Once we've seen the TXT record on any nameserver, assume that it'll reach the
rest of them within 60 seconds.

This is an awful hack because some peculiarities of my setup don't work
properly with the upstream lego code.
2022-03-17 01:03:41 +00:00
148e071c21 ops/vault/cfg: add acme-ca 2022-03-16 00:18:47 +00:00
fb7e18260a ops/vault/cfg: where we're going, we don't need secrets.nix 2022-03-16 00:06:46 +00:00
165fc4559c go/secretsmgr: init
Currently this only handles signing SSH certificates, but let's see where we go from here.
2022-03-15 03:07:34 +00:00
0dacea5ff8 3p/gopkgs: add a bunch of dependencies of github.com/hashicorp/vault/api 2022-03-15 03:07:06 +00:00
23df8e3b18 ops/vault/cfg: initial configuration 2022-03-14 23:34:33 +00:00
92998b5d36 ops/vault/cfg: init terranix stuff 2022-03-14 21:29:15 +00:00
b469b24c5a totoro: add live2 alias 2022-03-14 21:28:58 +00:00
f55dc46170 ssh-ca-vault: disable SSH host key signing for now 2022-03-14 21:28:37 +00:00
8c6c7af3f7 ops/vault: add reissue-secret-id utility 2022-03-14 21:28:16 +00:00
262620f177 swann: also put v6 RA routes into the correct route table
(fixes ee)
2022-03-13 20:35:11 +00:00
615c30ed54 swann: reduce write activity on disk 2022-03-13 17:34:23 +00:00
edf6671aff 3p/nixpkgs: add pr164025 2022-03-13 17:33:59 +00:00
b29a330382 ubi_reader: init 2022-03-13 17:32:59 +00:00
c41914e274 nixos/networkd: add support for configuring networkd.conf settings
networkd.conf controls a few interesting options, such as enabling
systemd-networkd's speed meterer and, crucially, allowing you to disable the
behaviour where networkd will delete any routes or policy-based routing rules
that it doesn't recognise.

This also adds support for configuring routing table names and mirroring them
into the iproute2 config.
2022-03-13 04:00:48 +00:00
Default email
aa526eb20f Project import generated by Copybara.
GitOrigin-RevId: fcd48a5a0693f016a5c370460d0c2a8243b882dc
2022-03-10 11:12:11 -08:00
c9bd0696ed heptapod: enable SSH CA 2022-03-13 00:24:57 +00:00
f1fcda810a vault-agent-acme: disable 2022-03-12 23:39:45 +00:00
5283ee4fee swann: migrate fully to using networkd
networkd appears to have gotten very aggressive about clearing routing rules it didn't insert itself
2022-03-12 19:38:54 +00:00
9099ee2a45 swann: only rename physical interfaces 2022-03-12 07:25:48 +00:00
fb2dc81bc0 bvm-radius: ensure acme user 2022-03-11 23:10:01 +00:00
6353ce6603 swann: make systemd-networkd-wait-online wait for _any_ NIC 2022-03-11 22:57:08 +00:00
f15e112da7 ssh-ca-vault: by default enable user matches 2022-03-11 22:31:57 +00:00
ae97fddae2 vault-agent-acme: migrate to using a single token file that writes the other files as a side-effect
This avoids annoying problems like "too many" retries for certificate issuance,
since we only ask for the secret once.
2022-03-11 22:07:31 +00:00
ac0c6eccef ssh-ca-vault: init 2022-03-11 21:48:06 +00:00
86a6191a56 vault-agent-secrets: add wantedBy for all restartable units too 2022-03-11 18:48:54 +00:00
ada466bae0 vault-agent-secrets: put Before in the correct place 2022-03-11 18:48:08 +00:00
a66bd4822a totoro: disable RP filter 2022-03-11 18:45:41 +00:00
fde964db82 hm/client: add VAULT_ADDR env variable 2022-03-11 18:44:52 +00:00