VSinerva/nixos-conf
1
0
Fork 0
Code Activity Actions

Move wg-rpi to sops-nix

Browse source
This commit is contained in:
Vili Sinervä 2025-06-21 16:45:38 +03:00
parent f7cc7cdbc2
commit 9e59881b3c
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
4 changed files with 44 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -6,6 +6,7 @@ keys:
- &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 - &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
- &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x - &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
- &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
- &wg-rpi age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6
creation_rules: creation_rules:
- path_regex: ^secrets/helium/.*\.yaml$ - path_regex: ^secrets/helium/.*\.yaml$
key_groups: key_groups:
@ -43,3 +44,8 @@ creation_rules:
- age: - age:
- *vili-bw - *vili-bw
- *vaultwarden - *vaultwarden
- path_regex: ^secrets/wg-rpi.yaml$
key_groups:
- age:
- *vili-bw
- *wg-rpi

1
flake.nix
View file

@ -74,6 +74,7 @@
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
{ networking.hostName = host; } { networking.hostName = host; }
sops-nix.nixosModules.sops
./hosts/aarch64-linux/${host}/configuration.nix ./hosts/aarch64-linux/${host}/configuration.nix
]; ];
} }

20
hosts/aarch64-linux/wg-rpi/configuration.nix
View file

@ -1,15 +1,22 @@
{ pkgs, ... }: { config, pkgs, ... }:
let let
# SSID = "ENTER_SSID"; # SSID = "ENTER_SSID";
# SSIDpassword = "ENTER_PASSWORD"; # SSIDpassword = "ENTER_PASSWORD";
# interface = "wlan0"; # interface = "wlan0";
wg_interface = "end0"; wg_interface = "end0";
hostname = "wg-rpi"; hostname = "wg-rpi";
ddPassFile = "/root/wg-conf/ddPassFile";
in in
{ {
imports = [ ../../../shared/base.nix ]; imports = [ ../../../shared/base.nix ];
sops.secrets = {
priv-netflix-wg = {
sopsFile = ../../../secrets/wg-rpi.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
dd-pass.sopsFile = ../../../secrets/wg-rpi.yaml;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wireguard-tools wireguard-tools
qrencode qrencode
@ -43,12 +50,7 @@ in
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${wg_interface} -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${wg_interface} -j MASQUERADE
''; '';
# Path to the private key file. privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKeyFile = "/root/wg-conf/private";
peers = [ peers = [
{ {
@ -91,7 +93,7 @@ in
domains = [ "netflix.vsinerva.fi" ]; domains = [ "netflix.vsinerva.fi" ];
server = "www.ovh.com"; server = "www.ovh.com";
username = "vsinerva.fi-dynraspi"; username = "vsinerva.fi-dynraspi";
passwordFile = ddPassFile; passwordFile = config.sops.secrets.dd-pass.path;
}; };
#################### EVERYTHING BELOW THIS SHOULD NOT NEED TO CHANGE #################### #################### EVERYTHING BELOW THIS SHOULD NOT NEED TO CHANGE ####################
system.stateVersion = "24.11"; system.stateVersion = "24.11";

26
secrets/wg-rpi.yaml Normal file
View file

@ -0,0 +1,26 @@
priv-netflix-wg: ENC[AES256_GCM,data:KpC4tto8D0jiCSza5cqFkVtA9Mjl3H8SUoYNuCUVtPwwgbQS4AUOTcWUmHg=,iv:0YOyBhUrYSqFlhdbtP3v/oD8HkZ84anLojL3vCZF9zo=,tag:S6RZFi6RLx01VFzpv3YzNA==,type:str]
dd-pass: ENC[AES256_GCM,data:ZdKTZSxW3CQl2OwMeHfips9+pLnYkS0hbQC2fos1tw==,iv:x7u+TWq7OM2R5oboaTR24Ra1glZdwnIr/Xol08iR824=,tag:y89NNqwEeWBSQuHTCsXwEg==,type:str]
sops:
age:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4aEJIRmt1T1BrY1FNS3RP
SHZWWlB6Z010SkhBZ0UrUUJDWlJBQXZkWDFjCk80UTd5dlRSa3F1aXhSNmlwU1BI
YWs4d2ZSMm53bmdMKzR0WGhobnpTbVEKLS0tIFIwSEdDV0Zha3pETks3UlRtVmtZ
UjFKSFo4ZDVPc2NiWi9RSThhTktlelEK6PJuaJzDyGJwwf7xpXZ29Fmnsn1/URmY
Kwc5BCSW2vZWzh0JEfv0L0/gB7Z57y7rMcYqgYCypSn8oT1zc1fdbQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRLzdqdXZHS2cwTHJwcks3
RHdsc1paaW0xRitIUjgyWDluWjlmaHR0Q1FvCkdxUnNLejk1U3pxWXZyM0VDdnEz
eTFjWFZMbnl3Q2R5SlJYMlJIZ3B6T3cKLS0tIEhCVVZDdEtTR25BUWg1WTlhVUpy
RFpsakNSbDkrR1RNRFRMMEJ1Qm9HeU0Kr6W85PfUsLiuov+DSaVWxJ7hNRVbNZn4
zrFHRuri8F1MRAabOMIxB42MYJbCM64eDfDB/qLRTJ92iWLV6i8enA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-21T13:41:38Z"
mac: ENC[AES256_GCM,data:xfvH9PkS91VkoXejPilQ+f1pzJZbXiNuj9JtavZKFLUZ8wiYVOsk7dIIz5YhXo0YtEcNy9Uff9Rm5dYzS49aTPVyJHXNKndc7L7sZifZ137VeOgOgE85wXRLm+iGyJbjMYqVcwOQKJ/ERQPzg+uC7NMkdqpqczis1WUm0OHhNfo=,iv:8FybEXz+aLoLmKPHvyQPrawAMzF79dgM0JRta01fCJU=,tag:QgM3pKDA23XGQT1Q0lKnlw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2