diff --git a/flake.lock b/flake.lock index a517395..4d0b791 100644 --- a/flake.lock +++ b/flake.lock @@ -18,13 +18,31 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "hardware": { "locked": { - "lastModified": 1699159446, - "narHash": "sha256-cL63IjsbPl2otS7R4kdXbVOJOXYMpGw5KGZoWgdCuCM=", + "lastModified": 1699701045, + "narHash": "sha256-mDzUXK7jNO/utInWpSWEX1NgEEunVIpJg+LyPsDTfy0=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "627bc9b88256379578885a7028c9e791c29fb581", + "rev": "b689465d0c5d88e158e7d76094fca08cc0223aad", "type": "github" }, "original": { @@ -41,11 +59,11 @@ ] }, "locked": { - "lastModified": 1695108154, - "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", + "lastModified": 1699748081, + "narHash": "sha256-MOmMapBydd7MTjhX4eeQZzKlCABWw8W6iSHSG4OeFKE=", "owner": "nix-community", "repo": "home-manager", - "rev": "07682fff75d41f18327a871088d20af2710d4744", + "rev": "04bac349d585c9df38d78e0285b780a140dc74a4", "type": "github" }, "original": { @@ -73,11 +91,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1699291058, - "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=", + "lastModified": 1699596684, + "narHash": "sha256-XSXP8zjBZJBVvpNb2WmY0eW8O2ce+sVyj1T0/iBRIvg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "41de143fda10e33be0f47eab2bfe08a50f234267", + "rev": "da4024d0ead5d7820f6bd15147d3fe2a0c0cec73", "type": "github" }, "original": { 
@@ -87,12 +105,49 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1699099776, + "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "psql-k8s-sa": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1699970230, + "narHash": "sha256-zwzYopJxSpdVBdx+0nOiM8ABfYTC4l/RAYwLQVafTgg=", + "owner": "arnarg", + "repo": "psql-k8s-sa-auth", + "rev": "fb19f2710d9967eb8763067daae951eb11b2bc86", + "type": "github" + }, + "original": { + "owner": "arnarg", + "ref": "main", + "repo": "psql-k8s-sa-auth", + "type": "github" + } + }, "root": { "inputs": { "hardware": "hardware", "home": "home", "impermanence": "impermanence", "nixpkgs": "nixpkgs", + "psql-k8s-sa": "psql-k8s-sa", "unstable": "unstable", "utils": "utils" } @@ -112,6 +167,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "unstable": { "locked": { "lastModified": 1699099776, @@ -130,7 +200,7 @@ }, "utils": { "inputs": { - "flake-utils": "flake-utils" + "flake-utils": "flake-utils_2" }, "locked": { "lastModified": 1696281284, diff --git a/flake.nix b/flake.nix index 978f5ba..30808c9 100644 --- a/flake.nix +++ b/flake.nix 
@@ -10,6 +10,7 @@
 utils.url = "github:gytis-ivaskevicius/flake-utils-plus/v1.4.0";
 hardware.url = "github:nixos/nixos-hardware/master";
 impermanence.url = "github:nix-community/impermanence/master";
+ psql-k8s-sa.url = "github:arnarg/psql-k8s-sa-auth/main";
 home = {
 url = "github:nix-community/home-manager/release-23.05";
@@ -26,6 +27,7 @@
 home,
 unstable,
 impermanence,
+ psql-k8s-sa,
 ...
 }:
 utils.lib.mkFlake {
@@ -38,6 +40,7 @@
 ############
 sharedOverlays = [
 self.overlay
+ psql-k8s-sa.overlays.default
 (p: _: {
 home-manager = home.packages.${p.system}.home-manager;
 tailscale = unstable.legacyPackages.${p.system}.tailscale;
diff --git a/machines/terra/configuration.nix b/machines/terra/configuration.nix
index e3b3e87..d3605e9 100644
--- a/machines/terra/configuration.nix
+++ b/machines/terra/configuration.nix
@@ -159,6 +159,8 @@
 kube-apiserver-arg = [
 # Set admission control config
 "admission-control-config-file=${admissionControlConfig}"
+ # Allow anonymous auth
+ "anonymous-auth=true"
 ];
 });
 in "--config ${serverConfig}";
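Review bot: `psql-k8s-sa.url = "github:arnarg/psql-k8s-sa-auth/main"` in the first flake.nix hunk tracks a moving branch of a third-party repository, and per the configuration.nix hunk in this same diff its overlay presumably supplies `pkgs.pam_k8s_sa`, a PAM module that is loaded into the PostgreSQL server process. flake.lock pins the exact rev today, but every `nix flake update` will take whatever `main` holds at that moment, so a tag or commit in the URL (if the project publishes one) keeps future bumps deliberate. At minimum a comment next to the input, such as `# third-party PAM module loaded by postgresql; review upstream changes before bumping the lock`, documents the trust boundary. The `inputs` set and the overlay list both continue outside their hunks.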
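Review bot: `"anonymous-auth=true"` in the configuration.nix hunk enables unauthenticated requests to the kube-apiserver for the whole cluster, while the comment `# Allow anonymous auth` gives no reason; presumably it is needed so the PAM module can fetch the OIDC discovery document and JWKS from `discovery_url` without presenting a token. Anonymous requests are evaluated as `system:anonymous` in group `system:unauthenticated`, so what they can read is bounded by RBAC, and it is worth confirming that only the discovery endpoints are bound to that group (Kubernetes ships the `system:service-account-issuer-discovery` ClusterRole for exactly this). I would expand the comment to `# Allow anonymous auth: the psql-k8s-sa PAM module fetches OIDC discovery/JWKS from discovery_url without credentials; anonymous access remains limited by RBAC (system:unauthenticated)`. The `let` binding that produces `serverConfig` starts outside the hunk.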
@@ -180,6 +182,37 @@
 services.postgresql.enableTCPIP = true;
 services.postgresql.authentication = ''
 host sameuser +ext 192.168.0.0/24 scram-sha-256
+ host all +k8s_sa 192.168.0.0/24 pam pamservice=psql-k8s-sa
+ '';
+
+ # Nixpkgs' postgresql isn't built with PAM support.
+ # Here I enable that.
+ # See: https://github.com/NixOS/nixpkgs/pull/267393
+ services.postgresql.package = pkgs.postgresql.overrideAttrs (final: prev: {
+ buildInputs = prev.buildInputs ++ [pkgs.linux-pam];
+ configureFlags = prev.configureFlags ++ ["--with-pam"];
+ });
+
+ # Configure PAM module k8s-sa-auth
+ environment.etc."rancher/k3s/ca.crt".text = ''
+ -----BEGIN CERTIFICATE-----
+ MIIBdjCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
+ dmVyLWNhQDE2OTg5MjU5NjUwHhcNMjMxMTAyMTE1MjQ1WhcNMzMxMDMwMTE1MjQ1
+ WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2OTg5MjU5NjUwWTATBgcqhkjO
+ PQIBBggqhkjOPQMBBwNCAAQrAs7S23Vz4zrkIX+aE+sp+u+fThVGN6rDCOxVfsdf
+ V2ROZHTeURMGuDtg7uTkjtK8g7rl361dbuSBsDpdS7F2o0IwQDAOBgNVHQ8BAf8E
+ BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUHW2vATCQpZShfxOrWcKz
+ OvBd6AQwCgYIKoZIzj0EAwIDRwAwRAIhAKar0ufLAd0cspHEu1R2HgEFc2/WuacD
+ utPMTsi9boiZAh9E/tUltRzSwnzcD4ElJECdmmuhJfUpBYpqXtVNE307
+ -----END CERTIFICATE-----
+ '';
+ security.pam.services."psql-k8s-sa".text = ''
+ account required ${pkgs.pam_k8s_sa}/lib/security/pam_k8s_sa.so
+ auth required ${pkgs.pam_k8s_sa}/lib/security/pam_k8s_sa.so \
+ discovery_url=https://127.0.0.1:6443 \
+ issuer=https://kubernetes.default.svc.cluster.local \
+ ca_file=/etc/rancher/k3s/ca.crt \
+ audience=k3s
 '';
 #######################
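Review bot: The new `host all +k8s_sa 192.168.0.0/24 pam pamservice=psql-k8s-sa` line accepts the PAM credential over plain TCP: PostgreSQL's `pam` method, like `password`, asks the client for a cleartext password, and here that "password" is a Kubernetes service-account JWT, so the bearer token crosses the LAN unencrypted. Change it to `hostssl all +k8s_sa 192.168.0.0/24 pam pamservice=psql-k8s-sa` so the token is only ever sent inside TLS (which also needs `ssl = on` and a server certificate in the PostgreSQL configuration); the existing `scram-sha-256` line does not have this problem because SCRAM never transmits the secret itself. `all` additionally gives the `k8s_sa` group a path to every database, so listing the databases the in-cluster clients actually need would narrow what a leaked token can reach. The NixOS module attribute set these options belong to continues outside the hunk.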