From 0c91bb90ab0aeae1ecb6688bacacdf16634c3e7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 28 Sep 2023 17:51:37 +0200
Subject: [PATCH 1/3] also encrypt secret for the machine itself

---
 pkgs/clan-cli/clan_cli/secrets/sops_generate.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/clan-cli/clan_cli/secrets/sops_generate.py b/pkgs/clan-cli/clan_cli/secrets/sops_generate.py
index f93c6a8..1f9384f 100644
--- a/pkgs/clan-cli/clan_cli/secrets/sops_generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops_generate.py
@@ -64,6 +64,7 @@ export secrets={shlex.quote(str(secrets_dir))}
 encrypt_secret(
 sops_secrets_folder() / f"{machine_name}-{secret['name']}",
 secret_file.read_text(),
+ add_machines=[machine_name],
 )
 for fact in secret_options["facts"].values():
 fact_file = facts_dir / fact["name"]

From be6592c82c0e150d987ec2c30c269cbab98ec550 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 28 Sep 2023 17:57:44 +0200
Subject: [PATCH 2/3] also generate zerotier secret for vm

---
 pkgs/clan-cli/tests/test_secrets_generate.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index 142bea1..d5c9885 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -40,3 +40,6 @@ def test_upload_secret(
 cli.run(["secrets", "generate", "vm1"])
 assert age_key.lstat().st_mtime_ns == age_key_mtime
 assert identity_secret.lstat().st_mtime_ns == secret1_mtime
+
+ machine_path = sops_secrets_folder().joinpath("vm1-zerotier-identity-secret").joinpath("machines").joinpath("vm1")
+ assert machine_path.exists()

From 739d3b3578d2f869cafbe878ce2ae052bed4207b Mon Sep 17 00:00:00 2001
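Review bot: `add_machines=[machine_name]` encrypts the freshly generated secret to whatever key is currently registered for that machine name, but nothing in the hunk verifies that such a machine key exists or that it is the key of the host that will later decrypt this secret; if the lookup lives inside encrypt_secret (not visible here), a missing machine key presumably raises mid-loop after the plaintext has already been written to secret_file, so a check for the machine key before the generation loop, or an error that names the machine, would fail earlier and more clearly. A why-comment on the new line would also help the next reader, e.g. `# encrypt to the machine's own key as well, so the host can decrypt it at deploy time`. The enclosing function starts before the hunk and continues after it.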
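Review bot: The new `assert machine_path.exists()` only proves that a `machines/vm1` entry was created under the secret directory, not that the ciphertext is decryptable by vm1's key, so a regression that creates the entry but fails to add the age recipient would still pass; if the fixture has access to vm1's private age key, decrypting the secret and comparing it with the generated identity file would pin the behaviour the previous patch intends. The subject line says the patch also generates the zerotier secret, yet the hunk adds only this assertion, so the subject should probably read "test that the zerotier secret is encrypted for the vm". The enclosing test function starts before the hunk.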
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 28 Sep 2023 17:58:27 +0200
Subject: [PATCH 3/3] zerotier: document mdns ports; drop duplicate udp firewall rules

the nixos module already opens the zerotier port
---
 nixosModules/clanCore/zerotier/default.nix | 7 ++++---
 pkgs/clan-cli/tests/test_secrets_generate.py | 7 ++++++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/nixosModules/clanCore/zerotier/default.nix b/nixosModules/clanCore/zerotier/default.nix
index 5de095d..113fed6 100644
--- a/nixosModules/clanCore/zerotier/default.nix
+++ b/nixosModules/clanCore/zerotier/default.nix
@@ -79,9 +79,10 @@ in
 KeepConfiguration = "static";
 };
 };
- networking.firewall.allowedUDPPorts = [ 9993 ];
- networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ];
- networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ];
+ networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ]; # mdns
+ networking.firewall.interfaces."zt+".allowedUDPPorts = [ 5353 ]; # mdns
+ networking.networkmanager.unmanaged = [ "interface-name:zt*" ];
+
 services.zerotierone = {
 enable = true;
 joinNetworks = [ cfg.networkId ];

diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index d5c9885..44b6aa9 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -41,5 +41,10 @@ def test_upload_secret(
 assert age_key.lstat().st_mtime_ns == age_key_mtime
 assert identity_secret.lstat().st_mtime_ns == secret1_mtime
 
- machine_path = sops_secrets_folder().joinpath("vm1-zerotier-identity-secret").joinpath("machines").joinpath("vm1")
+ machine_path = (
+ sops_secrets_folder()
+ .joinpath("vm1-zerotier-identity-secret")
+ .joinpath("machines")
+ .joinpath("vm1")
+ )
 assert machine_path.exists()
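Review bot: `networking.firewall.interfaces."zt+".allowedTCPPorts = [ 5353 ]; # mdns` keeps a TCP rule that multicast DNS does not need — mDNS as specified in RFC 6762 runs over UDP/5353 — so unless a responder on these hosts actually listens on TCP 5353, the TCP line is exposure without function and should be dropped in the same least-privilege spirit as the duplicate 9993 rule, leaving only the UDP rule. The added `networking.networkmanager.unmanaged = [ "interface-name:zt*" ];` changes behaviour for hosts running NetworkManager and is not mentioned in the subject or body, so it should be split into its own commit or the message extended to explain why NetworkManager must leave zt* interfaces alone. The `# mdns` comment would carry more weight as `# mDNS (UDP 5353) between zerotier peers only; which service answers it is the consumer's responsibility` or similar, naming the actual consumer if one is known. The dropped `allowedUDPPorts = [ 9993 ]` relies on the upstream zerotierone module opening its listen port, as the body states; a one-line comment next to `services.zerotierone` recording that dependency would stop the next reader from re-adding it.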