Make some more changes to machine setup

Work being done as an attempt to be able to create a small monitoring server
2025-07-09 15:12:11 +02:00 · 2025-07-09 15:12:11 +02:00 · f7d4bef46c
commit f7d4bef46c
parent 89d410cb6c
17 changed files with 449 additions and 289 deletions
--- a/nix/modules/nixos/infrastructure/default.nix
+++ b/nix/modules/nixos/infrastructure/default.nix
@ -1 +0,0 @@
-{ ... }: { }
--- a/nix/modules/nixos/networking/default.nix
+++ b/nix/modules/nixos/networking/default.nix
@ -1 +0,0 @@
-{ ... }: { }
--- a/nix/modules/nixos/networking/fqdn/default.nix
+++ b/nix/modules/nixos/networking/fqdn/default.nix
@ -21,6 +21,8 @@ in
    {
      networking.hostName = lib.mkForce hostname;
      networking.domain = lib.mkForce domain;
+      # Add the name of the server to the ssh host certificate domains, but let other configs enable getting the host certificates.
+      khscodes.services.openssh.hostCertificate.hostNames = [ cfg ];
      boot.kernel.sysctl = {
        "kernel.hostname" = cfg;
      };
--- a/nix/modules/nixos/opentofu-openbao/default.nix
+++ b/nix/modules/nixos/opentofu-openbao/default.nix
@ -1 +0,0 @@
-{ pkgs, ... }: { }
--- a/nix/modules/nixos/security/default.nix
+++ b/nix/modules/nixos/security/default.nix
@ -1 +0,0 @@
-{ ... }: { }
--- a/nix/modules/nixos/services/default.nix
+++ b/nix/modules/nixos/services/default.nix
@ -1,8 +0,0 @@
-{ ... }:
-{ }
-# let
-#   modules = lib.khscodes.dirsInPath ./.;
-# in
-# {
-#   imports = lib.lists.map (d: import d args) modules;
-# }
--- a/nix/modules/nixos/services/openssh/default.nix
+++ b/nix/modules/nixos/services/openssh/default.nix
@ -5,16 +5,55 @@ in
 {
  options.khscodes.services.openssh = {
    enable = lib.mkEnableOption "Enables openssh service for the instance";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-        KbdInteractiveAuthentication = false;
+    hostCertificate = {
+      enable = lib.mkEnableOption "Enables getting host certificates from OpenBAO";
+      secretName = lib.mkOption {
+        type = lib.types.str;
+        description = "Secret where the certificate is stored";
+        example = "ssh-host/sign/ca-kaareskovgaard.net";
+      };
+      hostNames = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = "The list of host names to get certificates for";
+        default = [ ];
      };
    };
  };
+
+  config = lib.mkIf cfg.enable (
+    let
+      certificateNames = lib.lists.unique cfg.hostCertificate.hostNames;
+      hostCertificatEnable = cfg.hostCertificate.enable && cfg.hostCertificate.hostNames != [ ];
+    in
+    {
+      services.openssh = {
+        enable = true;
+        settings = {
+          PasswordAuthentication = false;
+          PermitRootLogin = "no";
+          KbdInteractiveAuthentication = false;
+        };
+        extraConfig = lib.mkIf hostCertificatEnable ''
+          HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+        '';
+      };
+      khscodes.services.vault-agent = lib.mkIf hostCertificatEnable {
+        enable = true;
+        templates = [
+          {
+            contents = ''
+              {{- $public_key := file "/etc/ssh/ssh_host_ed25519_key.pub" -}}
+              {{- $public_key = printf "public_key=%s" $public_key -}}
+              {{- with secret "${cfg.hostCertificate.secretName}" "cert_type=host" $public_key "valid_principals=${lib.strings.concatStringsSep "," certificateNames}" -}}
+              {{ .Data.signed_key }}
+              {{- end -}}
+            '';
+            destination = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
+            perms = "0644";
+            restartUnits = [ "sshd.service" ];
+          }
+        ];
+      };
+    }
+  );
 }
--- a/nix/modules/nixos/services/vault-agent/default.nix
+++ b/nix/modules/nixos/services/vault-agent/default.nix
@ -0,0 +1,187 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.input-output.openbao.agent;
+  secretIdFilePath = "/var/lib/vault-agent/secret-id";
+  roleIdFilePath = "/var/lib/vault-agent/role-id";
+  mkSubmodule =
+    {
+      options,
+      description,
+    }:
+    lib.types.submoduleWith {
+      description = description;
+      shorthandOnlyDefinesConfig = true;
+      modules = lib.toList { inherit options; };
+    };
+  restartUnits =
+    svcs:
+    lib.strings.concatStringsSep "\n" (
+      lib.lists.map (svc: "systemctl restart ${lib.escapeShellArg svc}") svcs
+    );
+  reloadOrRestartUnits =
+    svcs:
+    lib.strings.concatStringsSep "\n" (
+      lib.lists.map (svc: "systemctl reload-or-restart ${lib.escapeShellArg svc}") svcs
+    );
+  mapTemplate =
+    template:
+    let
+      command = lib.getExe (
+        pkgs.writeShellApplication {
+          name = "restart-command";
+          runtimeInputs = [ pkgs.systemd ];
+          text = ''
+            ${restartUnits template.restartUnits}
+            ${reloadOrRestartUnits template.reloadOrRestartUnits}
+            ${template.exec}
+          '';
+          meta = {
+            mainProgram = "restart-command";
+          };
+        }
+      );
+    in
+    {
+      inherit (template) destination perms contents;
+      exec = {
+        command = command;
+      };
+    };
+  settings = {
+    vault = {
+      address = cfg.vault.address;
+    };
+    auto_auth = {
+      method = [
+        {
+          type = "approle";
+          config = {
+            mount_path = "auth/approle";
+            role_id_file_path = roleIdFilePath;
+            secret_id_file_path = secretIdFilePath;
+            remove_secret_id_file_after_reading = false;
+          };
+        }
+      ];
+    };
+
+    template_config = {
+      exit_on_retry_failure = true;
+      static_secret_render_interval = "60m";
+      max_connections_per_host = 10;
+      leases_renewal_threshold = 0.5;
+    };
+    template = lib.mkIf (cfg.templates != [ ]) (lib.lists.map mapTemplate cfg.templates);
+  };
+  unitsDependsOnAgent = lib.lists.unique (
+    lib.lists.flatten (lib.lists.map (t: t.restartUnits ++ t.reloadOrRestartUnits) cfg.templates)
+  );
+in
+{
+  options.khscodes.services.vault-agent = {
+    enable = lib.mkEnableOption "Enables the OpenBAO agent";
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.openbao;
+      defaultText = "pkgs.openbao";
+    };
+    vault.address = lib.mkOption {
+      type = lib.types.str;
+      description = "Address of the Vault/OpenBAO service";
+      default = "https://vault.kaareskovgaard.net";
+    };
+    templates = lib.mkOption {
+      default = [ ];
+      type = lib.types.listOf (mkSubmodule {
+        description = "List of templates to render";
+        options = {
+          contents = lib.mkOption {
+            type = lib.types.str;
+            description = "Contents of the template (.ctmpl)";
+          };
+          destination = lib.mkOption {
+            type = lib.types.str;
+            description = "Destination file for the template";
+          };
+          restartUnits = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            description = "List of systemd units to restart when template changes";
+            default = [ ];
+          };
+          reloadOrRestartUnits = lib.mkOption {
+            type = lib.types.listOf lib.types.str;
+            description = "List of systemd units to reload-or-restart when template changes";
+            default = [ ];
+          };
+          perms = lib.mkOption {
+            type = lib.types.str;
+            description = "Permissions of the generated file, by default will only be readable by root";
+            default = "0600";
+          };
+          exec = lib.mkOption {
+            type = lib.types.lines;
+            default = '''';
+            description = "Command to execute when template renders new data";
+          };
+        };
+      });
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vault-agent.instances.openbao = {
+      inherit settings;
+      enable = true;
+      package = cfg.package;
+      user = "root";
+      group = "root";
+    };
+    systemd.services."vault-agent-openbao" = {
+      before = unitsDependsOnAgent;
+      wantedBy = unitsDependsOnAgent;
+      unitConfig = {
+        ConditionPathExists = [
+          secretIdFilePath
+          roleIdFilePath
+        ];
+      };
+    };
+    environment.systemPackages = [
+      (pkgs.writeShellApplication {
+        name = "vault-agent-load-credentials";
+        meta = {
+          mainProgram = "vault-agent-load-credentials";
+        };
+        runtimeInputs = [
+          pkgs.systemd
+          pkgs.openbao
+        ];
+        text = ''
+          if [[ -z "''${1:-}" || -z "''${2:-}" ]]; then
+            >&2 echo "Usage: vault-agent-load-credentials <role-id> <secret-id-wrapped>"
+            exit 1
+          fi
+          role_id="$1"
+          secret_id_wrapped="$2"
+          secret_id="$(BAO_ADDR=${lib.escapeShellArg cfg.vault.address} bao unwrap -field=secret_id "$secret_id_wrapped")"
+          mkdir -p "$(dirname ${lib.escapeShellArg secretIdFilePath})"
+          mkdir -p "$(dirname ${lib.escapeShellArg roleIdFilePath})"
+          echo -n "$role_id" > ${lib.escapeShellArg roleIdFilePath}
+          echo -n "$secret_id" > ${lib.escapeShellArg secretIdFilePath}
+          chown root:root "$${lib.escapeShellArg secretIdFilePath}"
+          chmod 0600 "$${lib.escapeShellArg secretIdFilePath}"
+          chown root:root "$${lib.escapeShellArg roleIdFilePath}"
+          chmod 0600 "$${lib.escapeShellArg roleIdFilePath}"
+          systemctl restart vault-agent-openbao.service
+          ${restartUnits unitsDependsOnAgent}
+          ${reloadOrRestartUnits unitsDependsOnAgent}
+        '';
+      })
+    ];
+  };
+}
--- a/nix/modules/nixos/users/default.nix
+++ b/nix/modules/nixos/users/default.nix
@ -1 +0,0 @@
-{ ... }: { }
--- a/nix/modules/nixos/virtualisation/default.nix
+++ b/nix/modules/nixos/virtualisation/default.nix
@ -1 +0,0 @@
-{ ... }: { }