diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..7d14a18
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+ - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+ - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+creation_rules:
+ - path_regex: ^secrets/helium/.*\.yaml$
+ key_groups:
+ - age:
+ - *vili-bw
+ - *helium
+ - path_regex: ^secrets/users/vili.yaml$
+ key_groups:
+ - age:
+ - *vili-bw
+ - *helium
diff --git a/hosts/helium/configuration.nix b/hosts/helium/configuration.nix
index 164a14a..0e9e7e6 100644
--- a/hosts/helium/configuration.nix
+++ b/hosts/helium/configuration.nix
@@ -1,15 +1,22 @@
-{ pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 {
 custom.home_wg_suffix = "2";
 system.autoUpgrade.allowReboot = lib.mkForce false;
 
+ sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml;
+
 networking = {
 wg-quick.interfaces = {
 wg1 = {
 autostart = false;
 address = [ "10.100.0.7/24" ];
 dns = [ "1.1.1.1" ];
- privateKeyFile = "/persist/secrets/wireguard/priv-netflix";
+ privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
 listenPort = 51820;
 
 peers = [
diff --git a/personal/networking/home-wg.nix b/personal/networking/home-wg.nix
index f89e539..be1e13b 100644
--- a/personal/networking/home-wg.nix
+++ b/personal/networking/home-wg.nix
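Review bot: The second `path_regex`, `^secrets/users/vili.yaml$`, leaves the dot before `yaml` unescaped while the helium rule writes `\.yaml`; it still matches because `.` matches any character, but for consistency and to rule out a stray match use `path_regex: ^secrets/users/vili\.yaml$`. Both rules encrypt to the same two recipients, `&vili-bw` and `&helium`, yet `secrets/users/vili.yaml` is consumed from shared/users/vili.nix, which by its path looks host-independent; any other host importing that module would need its own age recipient added to this rule and the file re-encrypted (`sops updatekeys`), otherwise sops-nix activation fails at decryption on that host. A short comment next to each anchor recording where the recipient came from (personal key versus, presumably, a host SSH key converted with the `ssh-to-age` tool added in shared/base.nix) would make later key rotation less error-prone, since the file as written gives no hint which key is which.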
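Review bot: `sops.secrets.priv-netflix-wg` is declared with only `sopsFile`, so unlike the wg0 secrets in personal/networking/home-wg.nix it has no `restartUnits`; a re-encrypted key will not reach a running `wg-quick-wg1.service` until someone restarts it by hand. With `autostart = false` that may be acceptable, but for parity write `sops.secrets.priv-netflix-wg = { sopsFile = ../../secrets/helium/netflix-wg.yaml; restartUnits = [ "wg-quick-wg1.service" ]; };`. The hunk stops referencing the plaintext `/persist/secrets/wireguard/priv-netflix`, but nothing in the series removes that file, so once the sops path is verified working the old copy should be deleted (or the key rotated), as it is now an unmanaged plaintext duplicate of the private key; the same applies to the other `/persist/secrets/...` paths retired in this commit. The `networking` attrset continues past the end of the hunk.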
@@ -6,47 +6,64 @@
 description = "IPv6 GUA Suffix for Home WireGuard config";
 };
 
- config = {
- networking = {
- networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
+ config =
+ let
+ host = config.networking.hostName;
+ in
+ {
+ sops = {
+ secrets = {
+ priv-home-wg = {
+ sopsFile = ../../secrets/${host}/home-wg.yaml;
+ restartUnits = [ "wg-quick-wg0.service" ];
+ };
+ psk-home-wg = {
+ sopsFile = ../../secrets/${host}/home-wg.yaml;
+ restartUnits = [ "wg-quick-wg0.service" ];
+ };
+ };
+ };
 
- wg-quick.interfaces = {
- wg0 = {
- autostart = true;
- address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
- dns = [
- "${config.custom.gua_pref}ff::1"
- "vsinerva.fi"
- ];
- privateKeyFile = "/persist/secrets/wireguard/priv-home";
- listenPort = 51820;
+ networking = {
+ networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
 
- peers = [
- {
- publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
- presharedKeyFile = "/persist/secrets/wireguard/psk-home";
- allowedIPs = [ "::/0" ];
- endpoint = "home.vsinerva.fi:51820";
- }
- ];
+ wg-quick.interfaces = {
+ wg0 = {
+ autostart = true;
+ address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
+ dns = [
+ "${config.custom.gua_pref}ff::1"
+ "vsinerva.fi"
+ ];
+ privateKeyFile = config.sops.secrets.priv-home-wg.path;
+ listenPort = 51820;
+
+ peers = [
+ {
+ publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
+ presharedKeyFile = config.sops.secrets.psk-home-wg.path;
+ allowedIPs = [ "::/0" ];
+ endpoint = "home.vsinerva.fi:51820";
+ }
+ ];
+ };
+ };
+ };
+
+ services.clatd = {
+ enable = true;
+ settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
+ };
+
+ systemd.services = {
+ "wg-quick-wg0" = {
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ };
+ clatd = {
+ wants = [ "wg-quick-wg0.service" ];
+ after = [ "wg-quick-wg0.service" ];
 };
 };
 };
-
- services.clatd = {
- enable = true;
- settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
- };
-
- systemd.services = {
- "wg-quick-wg0" = {
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- };
- clatd = {
- wants = [ "wg-quick-wg0.service" ];
- after = [ "wg-quick-wg0.service" ];
- };
- };
- };
 }
diff --git a/secrets/helium/home-wg.yaml b/secrets/helium/home-wg.yaml
new file mode 100644
index 0000000..7738b1d
--- /dev/null
+++ b/secrets/helium/home-wg.yaml
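Review bot: The two `sops.secrets` entries added to the new `config` body repeat the same `sopsFile` and `restartUnits` pair verbatim, so a future edit to one is likely to miss the other; bind it once in the `let` that already defines `host`, `wgSecret = { sopsFile = ../../secrets/${host}/home-wg.yaml; restartUnits = [ "wg-quick-wg0.service" ]; };`, and then `priv-home-wg = wgSecret; psk-home-wg = wgSecret;`. Deriving `sopsFile` from `config.networking.hostName` means every host importing this module must have `secrets/<hostname>/home-wg.yaml` committed and a matching `.sops.yaml` creation rule, or evaluation fails on the missing path; a comment above `host = config.networking.hostName;` stating that requirement would help when the next host is added. `clatd` is ordered after `wg-quick-wg0.service` but is not listed in either `restartUnits`, so a key change bounces wg0 underneath a running clatd — presumably fine, but worth confirming.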
@@ -0,0 +1,26 @@ +priv-home-wg: ENC[AES256_GCM,data:9fvRJbHEIAZmX44BBIbReEkVxmXZE5ZYpabLOD5i7FTFpo0FN/fr3PNxxgI=,iv:pyDX/RvEN0GdOpbj2KZMCfTxPwMgqp9yKk9gqf4hVso=,tag:YYC6EvKoRFfB6/DvnuT0Tg==,type:str] +psk-home-wg: ENC[AES256_GCM,data:dSZAaddACyaWE9xfjIsofGRnd/IaXRI9UODeHwGDVMfBTR+npf4qHkoZpps=,iv:KC2HTmIx95p/BYu9mVjSI6R+AnnjVrTNS7DGhVpgoE8=,tag:KNkSim/dPepmh+vajwqrbA==,type:str] +sops: + age: + - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUU84czVBVmVFTFNyTWJJ + Rjh6YXc2bnMrZ3RrcHBiMWdHeDJDa0VBd1NZCkhqM0FxQjRZL1lTSkF6a0s4bTNO + SWY5THFpeTN2TUdrUjVhUUJ2WEloNDQKLS0tIGlqUFZQckhNbHpHWjBzM2NodGpH + WCtnL2NhRUordFJpWFBtTGRWZ2x3ZWcKBJmUSDtqXwrgUbPVWG1iK5aJRAcVou4V + RQDfUAwCEDFfakdUIlb7MNJQkOFZKLzZHurJJdrjfX6pQI66BmlQEQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMkY3Yi8yZHh1TmR0RGtD + QVBQVVYzWW52Q0VMN2VyVzhRVW9ROTdlZEQ4CkxnMHJzaDJBeXRkSnFpb2EyWllK + Mm0zelRGcCt5alJIdzQydThRNzR2TXMKLS0tIEcrV1ZnYjNqNHRhdGZaVXJTV0N5 + TUlqVjg3ZERFeklKM3RwNk13cWFGbW8Khn6IR562bAOAMDbtpoHKBsK2vGetZw1O + ujE/yYzysSvBAETGPYxP/y32FvMtbkhHb+k8uCDDPUkkrzNY8qk8EA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-21T10:55:19Z" + mac: ENC[AES256_GCM,data:14dAcqlAETnosllGiHa8fbjHiVuBHs9RWJTu1PKP5vQw+s6K5bxFtn6SbimA+yeraAfVGBnKnfh9L+WAAXZdKRjhu+CDogV3iOOi0dRFAVLs6P0IPYs+yZ5w22dMfeiw5kX39Gx8mjQwy19Rkomx3kaxMRx0YgkGu0CwkESJfrk=,iv:TbBjVsDJ+SLdcgGK7i6W9gK7dvQNYPLf4gRDumoMp1U=,tag:/SoN9YO5uOhzUwAWXol40Q==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/secrets/helium/netflix-wg.yaml b/secrets/helium/netflix-wg.yaml new file mode 100644 index 0000000..91d4d67 --- /dev/null +++ b/secrets/helium/netflix-wg.yaml 
@@ -0,0 +1,25 @@ +priv-netflix-wg: ENC[AES256_GCM,data:CA+ZAr4IMq78/VLbE48iNigbQ7l0JwyIT27fZSQ8g2I9VsWsJLQaOXKPdmA=,iv:Gegk1cE2KuiNkJ0rkAR28+cww5ecQCmR3h+ghgfS2+0=,tag:+MG/+q7+vXLAYP7bjRdAmQ==,type:str] +sops: + age: + - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3hhVWdWK2cvaVRjU0FF + OFRTcTVZZE5Jc21wYXhHeDFuOGZNK0JsMm5jCklyUCtlQm0zU3BQRlFUN0pDUWtT + RTlRVCtBVnZzdnlnSGtmQlNURTVCaGcKLS0tIHBxSk04b2l5VDQ2ZEY2aVphMUVQ + aW9LYzhlOHJNR1pZdmNPOGZyamNOOTgKmdKtZolBC1nvBr+NZvtdTJhipxFtMPsv + UM+uMFMJRx5tPFSDaL1r/Fp5+OV9WIZ5RN4ga9K9TDbhnGUssJkgMg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvK0NCWHRXN0NlOWNxeFN3 + YzFGbTRWQVoxcTd0TEtQQVgwK2NRWXRUcXpRClVDeU9wd2wyN3RsTnR4RElKSFcz + WkVOTHNycURtM2h2R3B0MDdpWHhvNlEKLS0tIHhHS1VPS3lEWUx5SC9pRjJHUmQ1 + R1Vvay9kREd5RUZHb0w5ckd2Q2VHZW8KX2R8oU47VDWCFuKe/J52flfKcDURIAYB + RKe0uufUnCgB7cx6D/+hnykkOjMPtqrcrAHnyrgnptHw0XtXTrNWBg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-21T12:22:52Z" + mac: ENC[AES256_GCM,data:uvTD+QQdpndni/bjI25VWdvFowL/FPJg/wdZw1fK29C2JEQ16EKF9ajh0Dkii8M4+Nnn3RxPO5s7QPnoMmwLQEMQIvfmApJFE8j9qSb5EBCy+Ysig8gkdqMEUQAyhIpauy2MJCIzl8Hj8yfEsnffNq4nclM2VlJCeowHW4QbTgs=,iv:IceQcN6/Z40tphLY+ngAebDgdsf96/SO6oOYR3K1/zk=,tag:2t34lfOI1+MuP9EfWoqcoA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/secrets/users/vili.yaml b/secrets/users/vili.yaml new file mode 100644 index 0000000..90690f9 --- /dev/null +++ b/secrets/users/vili.yaml 
@@ -0,0 +1,25 @@ +vili-password: ENC[AES256_GCM,data:SG0UVgXOrbLJZ8dj1NeuBL0QulIeZRfoD5o/QF57avce7nxlU1RLnQfZe9fsW9IqnfiAQkYNcQ3B/m36VBy87DJosRVT0dcizg==,iv:536A1+NVuvg18uh+7oEEUYJ8PM+g62boNCKCUpg0GJo=,tag:J9YL+fdK4gE7g58nSgBRcw==,type:str] +sops: + age: + - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdTR2Z0tSN3VXdTQ5SDNL + WnRMcm9DTi83SWRwQXBFK3VZY3IrcUFpWXdvCkhSckQ0b0ZHVlZnZlhHSGlLNjg0 + MnA4QjBVdkx1cXBYMG9iN1JVQUk3ZjQKLS0tIGFoUDJ6NWJublZkeFkrVTVkQUM4 + bHNVT2pYYUtXenYzYkc3QnhKaDc4ZDQKTX7BT0uMjyP3Vj/mZUW/lDwKItTXx3mo + 0qkDJ/TmKdYLj/gRkb5YwsXCpcsB5ovOTI9/mbJeMwBzMM5NTKJ+mg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdGpmNWI1bmFsWlBTSmVW + RzlQVktaQnEvc1R3YWl4TDZqV2FHVlgyVVc4CmJZZ3dUWmJ1K2RrSVR4YTg5cEZO + UUFyOHkrcDNxUEZ6L3Noak1EU1lhQmsKLS0tIFFDTjRoeWhFK2w2QkRDNGZtOXpH + dTlrZEl0RFA1TUl5WTdEUjNFRkYyMHcKm+EHlkTkRsUd3vtENFIgIwt5Zqt22Er4 + PHLrTG8ev41ws0jtQPLsSSz7FfXW2rTJjs5TEsly1KJJGwlNJI9gxw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-21T12:17:55Z" + mac: ENC[AES256_GCM,data:iHPaSftY2MFHgg+426dlTtTPWbL3AO84ND1CHViJ81bUm9CYTKlLGU23ocKVJRzPy85BhOGh2R4uURP1dvQ3BiFWGK3B2t8xtg1vTz5jSgQkvWr5RRiDLOvHWb4cT4O5cI8MHkLtYAl1ungdZj+uCIIw9unzDD+HpjlOlCaf8C0=,iv:HFZfxCBQEB0G7oalRkNFykeJ3+9xssUJN5oB/j1Z3xI=,tag:PabtyU0ZvSRWlmz7y35uMA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/shared/base.nix b/shared/base.nix index 6ba8fd6..f612cc0 100644 --- a/shared/base.nix +++ b/shared/base.nix @@ -27,6 +27,7 @@ termshark age + ssh-to-age sops minisign pwgen diff --git a/shared/users/vili.nix b/shared/users/vili.nix index f1a12ff..bfb5629 100644 --- a/shared/users/vili.nix +++ b/shared/users/vili.nix 
@@ -1,5 +1,10 @@
 { config, ... }:
 {
+ sops.secrets.vili-password = {
+ sopsFile = ../../secrets/users/vili.yaml;
+ neededForUsers = true;
+ };
+
 users.users.vili = {
 isNormalUser = true;
 home = "/home/vili";
@@ -11,7 +16,7 @@
 "audio"
 ];
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
- hashedPasswordFile = "/persist/secrets/hashed-passwords/vili";
+ hashedPasswordFile = config.sops.secrets.vili-password.path;
 };
 users.groups.vili.gid = 1000;
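Review bot: `neededForUsers = true` is the right flag for a secret consumed through `hashedPasswordFile`, but the hunk gives no reason why this secret needs it while the WireGuard secrets in this series do not; a comment such as `# read during user creation, before the regular sops-nix secrets are installed` on that line would save the next reader a trip to the sops-nix documentation. The `users.users.vili` attrset opened in this hunk closes in the second hunk, where `hashedPasswordFile` now points at `config.sops.secrets.vili-password.path`; because that path lives in the early-secrets location sops-nix uses for `neededForUsers` rather than under `/run/secrets`, it is worth verifying on a fresh boot that user creation succeeds before treating the migration as done. The plaintext `/persist/secrets/hashed-passwords/vili` left behind by the removed line is a password hash rather than a raw key, but it is still an unmanaged copy and should be removed once the sops path is confirmed working.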