commit ba8ae05518be0792a7b78d4f890fde1f9273a19c · ptr.pet/ark

-3

hosts/wolumonde/modules/nginx.nix

···

       58
       58
        
               # "bsky.gaze.systems"

     

       59
       59
        
               "dawn.gaze.systems"

     

       60
       60
        
               "guestbook.gaze.systems"

     

       61
       61
       -
               "webhook.gaze.systems"

     

       62
       61
        
               "dash.gaze.systems"

     

       63
       62
        
               "knot.gaze.systems"

     

       64
       63
        
               "spindle.gaze.systems"

     

       65
       65
       -
               "skeetdeck.gaze.systems"

     

       66
       66
       -
               "likes.gaze.systems"

     

       67
       64
        
               "id.gaze.systems"

     

       68
       65
        
               "vpn.gaze.systems"

     

       69
       66
        
             ];

+10 -1

hosts/wolumonde/modules/openbao.nix hosts/wolumonde/modules/openbao.nix/default.nix

···

       1
       1
       -
       {config, ...}: let

     

       1
       1
       +
       {lib, config, ...}: let

     

       2
       2
        
         port = 5394;

     

       3
       3
        
         domain = "bao.${config.services.headscale.settings.dns.base_domain}";

     

       4
       4
        
         cfg = config.services.openbao.settings;

     

       5
       5
        
         apiAddress = "127.0.0.1:${toString port}";

     

       6
       6
        
       in {

     

       7
       7
       +
         imports = [./spindle-proxy];

     

       8
       8
       +
       

     

       7
       9
        
         services.openbao = {

     

       8
       10
        
           enable = true;

     

       9
       11
        
           settings = {

     
···

       12
       14
        
             listener.default = {

     

       13
       15
        
               type = "tcp";

     

       14
       16
        
               address = apiAddress;

     

       17
       17
       +
               tls_disable = true;

     

       15
       18
        
             };

     

       16
       19
        
       

     

       17
       20
        
             cluster_addr = "http://127.0.0.1:8201";

     
···

       20
       23
        
             storage.file.path = "/var/lib/openbao/data";

     

       21
       24
        
           };

     

       22
       25
        
         };

     

       26
       26
       +
       

     

       27
       27
       +
         systemd.services.openbao.preStart = ''

     

       28
       28
       +
           mkdir -p /var/lib/openbao

     

       29
       29
       +
           rm -rf /var/lib/openbao/policies

     

       30
       30
       +
           cp -r ${./policies} /var/lib/openbao/policies

     

       31
       31
       +
         '';

     

       23
       32
        
       

     

       24
       33
        
         services.headscale.settings.dns.extra_records = [

     

       25
       34
        
           {

+19

hosts/wolumonde/modules/openbao.nix/policies/spindle.hcl

···

       1
       1
       +
       # Full access to spindle KV v2 data

     

       2
       2
       +
       path "spindle/data/*" {

     

       3
       3
       +
         capabilities = ["create", "read", "update", "delete"]

     

       4
       4
       +
       }

     

       5
       5
       +
       

     

       6
       6
       +
       # Access to metadata for listing and management

     

       7
       7
       +
       path "spindle/metadata/*" {

     

       8
       8
       +
         capabilities = ["list", "read", "delete", "update"]

     

       9
       9
       +
       }

     

       10
       10
       +
       

     

       11
       11
       +
       # Allow listing at root level

     

       12
       12
       +
       path "spindle/" {

     

       13
       13
       +
         capabilities = ["list"]

     

       14
       14
       +
       }

     

       15
       15
       +
       

     

       16
       16
       +
       # Required for connection testing and health checks

     

       17
       17
       +
       path "auth/token/lookup-self" {

     

       18
       18
       +
         capabilities = ["read"]

     

       19
       19
       +
       }

+21

hosts/wolumonde/modules/openbao.nix/spindle-proxy/README.md

···

       1
       1
       +
       see https://tangled.sh/@tangled.sh/core/blob/master/docs/spindle/openbao.md

     

       2
       2
       +
       

     

       3
       3
       +
       set BAO_ADDRESS: `$env.BAO_ADDRESS = "http://bao.lan.gaze.systems"`

     

       4
       4
       +
       set BAO_TOKEN: `$env.BAO_TOKEN = "<root key>"`

     

       5
       5
       +
       

     

       6
       6
       +
       create mount: `bao secrets enable -path=spindle -version=2 kv`

     

       7
       7
       +
       

     

       8
       8
       +
       setup policy: `

     

       9
       9
       +
       bao policy write spindle /var/lib/openbao/policies/spindle.hcl

     

       10
       10
       +
       bao auth enable approle

     

       11
       11
       +
       bao write auth/approle/role/spindle \

     

       12
       12
       +
           token_policies="spindle" \

     

       13
       13
       +
           token_ttl=1h \

     

       14
       14
       +
           token_max_ttl=4h \

     

       15
       15
       +
           bind_secret_id=true \

     

       16
       16
       +
           secret_id_ttl=0 \

     

       17
       17
       +
           secret_id_num_uses=0

     

       18
       18
       +
       `

     

       19
       19
       +
       

     

       20
       20
       +
       get role-id: `bao read -field=role_id auth/approle/role/spindle/role-id`

     

       21
       21
       +
       get secret-id: `bao write -f auth/approle/role/spindle/secret-id`

+63

hosts/wolumonde/modules/openbao.nix/spindle-proxy/config.hcl

···

       1
       1
       +
       vault {

     

       2
       2
       +
           address = "%vault_address%"

     

       3
       3
       +
       

     

       4
       4
       +
           # Retry configuration

     

       5
       5
       +
           retry {

     

       6
       6
       +
           num_retries = 5

     

       7
       7
       +
           }

     

       8
       8
       +
       }

     

       9
       9
       +
       

     

       10
       10
       +
       # Auto-Auth using AppRole

     

       11
       11
       +
       auto_auth {

     

       12
       12
       +
           method "approle" {

     

       13
       13
       +
           mount_path = "auth/approle"

     

       14
       14
       +
           config = {

     

       15
       15
       +
               role_id_file_path   = "%role_id%"

     

       16
       16
       +
               secret_id_file_path = "%secret_id%"

     

       17
       17
       +
               remove_secret_id_file_after_reading = false

     

       18
       18
       +
           }

     

       19
       19
       +
           }

     

       20
       20
       +
       

     

       21
       21
       +
           # Write authenticated token to file

     

       22
       22
       +
           sink "file" {

     

       23
       23
       +
           config = {

     

       24
       24
       +
               path = "/var/lib/%name%/token"

     

       25
       25
       +
               mode = 0640

     

       26
       26
       +
           }

     

       27
       27
       +
           }

     

       28
       28
       +
       }

     

       29
       29
       +
       

     

       30
       30
       +
       # API Proxy listener for Spindle

     

       31
       31
       +
       listener "tcp" {

     

       32
       32
       +
           address     = "127.0.0.1:%listener_port%"

     

       33
       33
       +
           tls_disable = true

     

       34
       34
       +
       

     

       35
       35
       +
           # Security headers

     

       36
       36
       +
           require_request_header = false

     

       37
       37
       +
       

     

       38
       38
       +
           # Enable proxy API for management

     

       39
       39
       +
           proxy_api {

     

       40
       40
       +
           enable_quit = true

     

       41
       41
       +
           }

     

       42
       42
       +
       }

     

       43
       43
       +
       

     

       44
       44
       +
       # Enable API proxy with auto-auth token

     

       45
       45
       +
       api_proxy {

     

       46
       46
       +
           use_auto_auth_token = true

     

       47
       47
       +
       }

     

       48
       48
       +
       

     

       49
       49
       +
       cache {

     

       50
       50
       +
       }

     

       51
       51
       +
       

     

       52
       52
       +
       # Logging configuration

     

       53
       53
       +
       log_level = "info"

     

       54
       54
       +
       log_format = "standard"

     

       55
       55
       +
       log_file = "/var/lib/%name%/proxy.log"

     

       56
       56
       +
       log_rotate_duration = "24h"

     

       57
       57
       +
       log_rotate_max_files = 30

     

       58
       58
       +
       

     

       59
       59
       +
       # Process management

     

       60
       60
       +
       pid_file = "/var/lib/%name%/proxy.pid"

     

       61
       61
       +
       

     

       62
       62
       +
       # Disable idle connections for reliability

     

       63
       63
       +
       disable_idle_connections = ["auto-auth", "proxying"]

+93

hosts/wolumonde/modules/openbao.nix/spindle-proxy/default.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         port = 8945;

     

       4
       4
       +
         secrets = config.age.secrets;

     

       5
       5
       +
         cfgFile = pkgs.writeText "openbao-proxy-spindle-config.hcl" (

     

       6
       6
       +
           lib.replaceStrings

     

       7
       7
       +
           [

     

       8
       8
       +
             "%role_id%"

     

       9
       9
       +
             "%secret_id%"

     

       10
       10
       +
             "%vault_address%"

     

       11
       11
       +
             "%listener_port%"

     

       12
       12
       +
             "%name%"

     

       13
       13
       +
           ]

     

       14
       14
       +
           [

     

       15
       15
       +
             secrets.spindleOpenbaoRoleId.path

     

       16
       16
       +
             secrets.spindleOpenbaoSecretId.path

     

       17
       17
       +
             config.services.openbao.settings.api_addr

     

       18
       18
       +
             (toString port)

     

       19
       19
       +
             name

     

       20
       20
       +
           ]

     

       21
       21
       +
           (lib.fileContents ./config.hcl)

     

       22
       22
       +
         );

     

       23
       23
       +
         domain = "spindle.bao.lan.gaze.systems";

     

       24
       24
       +
         name = "openbao-proxy-spindle";

     

       25
       25
       +
       in

     

       26
       26
       +
       {

     

       27
       27
       +
         age.secrets.spindleOpenbaoRoleId = {

     

       28
       28
       +
           file = ../../../../../secrets/spindleOpenbaoRoleId.age;

     

       29
       29
       +
           mode = "600";

     

       30
       30
       +
           owner = name;

     

       31
       31
       +
           group = name;

     

       32
       32
       +
         };

     

       33
       33
       +
         age.secrets.spindleOpenbaoSecretId = {

     

       34
       34
       +
           file = ../../../../../secrets/spindleOpenbaoSecretId.age;

     

       35
       35
       +
           mode = "600";

     

       36
       36
       +
           owner = name;

     

       37
       37
       +
           group = name;

     

       38
       38
       +
         };

     

       39
       39
       +
       

     

       40
       40
       +
         users.users.${name} = {

     

       41
       41
       +
           isSystemUser = true;

     

       42
       42
       +
           group = name;

     

       43
       43
       +
         };

     

       44
       44
       +
         users.groups.${name} = {

     

       45
       45
       +
           members = [name];

     

       46
       46
       +
         };

     

       47
       47
       +
       

     

       48
       48
       +
         systemd.services.${name} = {

     

       49
       49
       +
           description = "OpenBao Proxy with Auto-Auth for tangled spindle";

     

       50
       50
       +
           after = [ "openbao.service" ];

     

       51
       51
       +
           before = [ "spindle.service" ];

     

       52
       52
       +
           requires = [ "openbao.service" ];

     

       53
       53
       +
           wantedBy = [ "multi-user.target" ];

     

       54
       54
       +
           serviceConfig = {

     

       55
       55
       +
             ExecStart = "${pkgs.openbao}/bin/bao proxy -config=${cfgFile}";

     

       56
       56
       +
             Restart = "on-failure";

     

       57
       57
       +
             RestartSec = "5";

     

       58
       58
       +
             LimitNOFILE = "65536";

     

       59
       59
       +
             User = name;

     

       60
       60
       +
             Group = name;

     

       61
       61
       +
             RuntimeDirectory=name;

     

       62
       62
       +
             RuntimeDirectoryMode=0700;

     

       63
       63
       +
             StateDirectory=name;

     

       64
       64
       +
             StateDirectoryMode=0700;

     

       65
       65
       +
             ProcSubset="pid";

     

       66
       66
       +
             ProtectClock=true;

     

       67
       67
       +
             ProtectControlGroups=true;

     

       68
       68
       +
             ProtectHome=true;

     

       69
       69
       +
             ProtectHostname=true;

     

       70
       70
       +
             ProtectKernelLogs=true;

     

       71
       71
       +
             ProtectKernelModules=true;

     

       72
       72
       +
             ProtectKernelTunables=true;

     

       73
       73
       +
             ProtectProc="invisible";

     

       74
       74
       +
             RestrictNamespaces=true;

     

       75
       75
       +
             RestrictRealtime=true;

     

       76
       76
       +
             RestrictAddressFamilies=["AF_INET" "AF_INET6" "AF_UNIX"];

     

       77
       77
       +
             SystemCallArchitectures="native";

     

       78
       78
       +
             SystemCallFilter=["@system-service" "@resources" "~@privileged"];

     

       79
       79
       +
           };

     

       80
       80
       +
         };

     

       81
       81
       +
       

     

       82
       82
       +
         services.headscale.settings.dns.extra_records = [

     

       83
       83
       +
           {

     

       84
       84
       +
             name = domain;

     

       85
       85
       +
             type = "A";

     

       86
       86
       +
             value = "100.64.0.2";

     

       87
       87
       +
           }

     

       88
       88
       +
         ];

     

       89
       89
       +
         services.nginx.virtualHosts.${domain} = {

     

       90
       90
       +
           quic = true;

     

       91
       91
       +
           locations."/".proxyPass = "http://127.0.0.1:${toString port}";

     

       92
       92
       +
         };

     

       93
       93
       +
       }

+2 -2

hosts/wolumonde/modules/tangled.nix

···

       49
       49
        
             owner = "did:plc:dfl62fgb7wtjj3fcbb72naae";

     

       50
       50
        
             secrets = {

     

       51
       51
        
               provider = "openbao";

     

       52
       52
       -
               openbao.proxyAddr = "http://bao.lan.gaze.systems";

     

       52
       52
       +
               openbao.proxyAddr = "http://spindle.bao.lan.gaze.systems";

     

       53
       53
        
             };

     

       54
       54
        
           };

     

       55
       55
        
         };

     
···

       60
       60
        
         users.groups.spindle = { };

     

       61
       61
        
         users.groups.podman.members = [ "spindle" ];

     

       62
       62
        
         systemd.services.spindle = {

     

       63
       63
       -
           after = lib.mkForce [ "network.target" ];

     

       63
       63
       +
           after = lib.mkForce [ "network.target" "openbao-proxy-spindle.service" ];

     

       64
       64
        
           serviceConfig = {

     

       65
       65
        
             User = "spindle";

     

       66
       66
        
             Group = "spindle";

secrets/secrets.nix

···

       70
       70
        
           yusdacra

     

       71
       71
        
           develMobi

     

       72
       72
        
         ];

     

       73
       73
       +
         "spindleOpenbaoRoleId.age".publicKeys = [

     

       74
       74
       +
           yusdacra

     

       75
       75
       +
           wolumonde

     

       76
       76
       +
         ];

     

       77
       77
       +
         "spindleOpenbaoSecretId.age".publicKeys = [

     

       78
       78
       +
           yusdacra

     

       79
       79
       +
           wolumonde

     

       80
       80
       +
         ];

     

       73
       81
        
       }

+17

secrets/spindleOpenbaoRoleId.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-rsa Abmvag

     

       3
       3
       +
       i1WEFfFEf7rvpH8pfM4+Z7mBSJwzAa/xNP5YMp0aVk9AMpFoT/39mwzr0LMtnruk

     

       4
       4
       +
       u8Dz3ILegSyc69L9Ge1rNX6L5mN0qUyjsN1h/cMCh9Cgw4DxYkRB9NYI3xNUQFau

     

       5
       5
       +
       xHVbgJ8DBDwZ3XnM0JYf9c23Kk1oft+PV07JKtyBN6r8JGCpu7N5Ccb/oj4epnS0

     

       6
       6
       +
       0DgoEDLT9DgiZXVo+Q6w++gfSq58ClYaguoHaDCTBdRKHans9BWIqJ7pAOu9hXcl

     

       7
       7
       +
       vyuw/jz0bwKKh474xiCHArw4xN+ji7aFTRG3FkeK52giWoK95+P4z5ieaHJKz2jk

     

       8
       8
       +
       I4HiGjgpfDGJzsgz5yEJFhntlnOWVHChvyZ1QSEKe2OIGAQmfGSbDRBYPS2wrfeL

     

       9
       9
       +
       v8JueFHCG4ABh53+guzmjTMZTRjh8O5d2YEcrrWhGgwssHxUTzNE4KUCVkNV4/OS

     

       10
       10
       +
       6+hvmU1NC8rYBNMRiZtYiu6osmtWndYYFCsJpURfyFoDzCWmvjl6pxNFTtTTukMm

     

       11
       11
       +
       WBgKxC2K4EwQ27k6IExm2epDH5kwdJrPGe8yZIl3zK9Y1Sa+Q3LYp8D5QWUv2uts

     

       12
       12
       +
       lQXTVvJVrg9wn1AfxCnGBApCPIvEiw8PwU/adfa+UMKN/kGMvE6iL0+J2aGTxO4l

     

       13
       13
       +
       zmyLUErh9f8iBIF/90DIqf9FrjBWcbtv3zphmgHZkII

     

       14
       14
       +
       -> ssh-ed25519 KjIL7g GZl/qIbkVajzJn0ZsI0ImzIyGdjm1tMFbEh4LnOALAA

     

       15
       15
       +
       WXYCRfsfYU+nI67+4d6PX/iER2aA7Flt6xWPlvYELDg

     

       16
       16
       +
       --- Y8pLVkJQfP5piXtWJ3AegPsLLj3NDWXpmt3aoiwicgo

     

       17
       17
       +
       E�RR�y��������@����X���t�$ǻ��s���Ǟ���~��|�r�F�~�n��NG

+17

secrets/spindleOpenbaoSecretId.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-rsa Abmvag

     

       3
       3
       +
       G3DtXBNVhNcRiXlpQ7iJ8kZrsu59WF62pnLheEGKj2JGg6m+LLOqLChQg1YOSjB1

     

       4
       4
       +
       zIy3QwpfXB4Rn081lXEXKvs6Jr1FbAkhggeLLtflPEAouxPiJ1HkxtyCNv02L+Pj

     

       5
       5
       +
       uBvi32fMnTw3Kep6LTNBqkAhsvFNf02zsNxm+KfFpwn+kWvUtGdsHeAsWIXO/4lL

     

       6
       6
       +
       FjbPI860FvbfrAp0r7Hv79MRLYTUhki7gX+VZooEngobCImTiq9NR++MpdsMmovC

     

       7
       7
       +
       hst6CESEuTdqhw2SrTteGU10E+5q1jd1z0T+ttHe0GqKmQwuQB4S1KtSx74xiQhV

     

       8
       8
       +
       gg8ZyVAVdSt49s9YLRMdJjFWHXNPC3GKQzlXWZ4xLrpeBc3YrQhp3+7iRhRB92gX

     

       9
       9
       +
       GhWdw/UN9fKPbILi2W+3bSEByGzJ2iBo0BMxK0I7541ZgpQHOOvySLHzElnpRdwD

     

       10
       10
       +
       I3+GuDif1cHusLBVruwUubfr11UwzOLkUgzP504Sf55liMSjnq5DxzkaUERzTg/T

     

       11
       11
       +
       SNmC9misXkxUpwWSYKjSEe5p3x8CsJwmVkrXh+N9GFiYD+Al/9aWPrmw+Kl4CMe6

     

       12
       12
       +
       MJlxCpfVKTdx3ePA7d7POx1RQuBf78nTg5XCyBf2BB2lycKkg05hX+1VzTCYMChZ

     

       13
       13
       +
       zLh1RiSWtRxgIbljwWanPW0AmZaDkRTxdilbFg2sa7U

     

       14
       14
       +
       -> ssh-ed25519 KjIL7g C+NvzMVX+2NdIXoYGPv1yeGRaHnSEQQuG7MS3e5SKlE

     

       15
       15
       +
       L5TFRde0T/sn8teeFuBy3c8fydmiI07NT+pFnIIyYwE

     

       16
       16
       +
       --- fcPjYFQG6lbT2cGzt/oZhO5PahAoiN4yUT12xa4Kc8s

     

       17
       17
       +
       �ZZ�/h��������p�]�AR!�O��`�2��K<���Eo��R����VN
�����G�p��0u