Move helium to sops-nix

Vili Sinervä 2025-06-21 14:03:46 +03:00
parent 924f738618
commit ec685a2e86
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
8 changed files with 161 additions and 41 deletions

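--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+- &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+creation_rules:
+- path_regex: ^secrets/helium/.*\.yaml$
+key_groups:
+- age:
+- *vili-bw
+- *helium
+- path_regex: ^secrets/users/vili.yaml$
+key_groups:
+- age:
+- *vili-bw
+- *helium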
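Review bot: The second creation rule's `path_regex: ^secrets/users/vili.yaml$` leaves the dot unescaped, so it also matches any single character in that position; harmless today, but `^secrets/users/vili\.yaml$` states what is meant and matches the escaped form used in the helium rule. Both rules currently carry the same key group (vili-bw plus helium), which presumably is intended to diverge as hosts are added — the helium rule staying host-specific while the users rule gains every host that creates the user; a one-line comment above `creation_rules` saying so would keep a later edit from merging them.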


@ -1,15 +1,22 @@
{ pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{ {
custom.home_wg_suffix = "2"; custom.home_wg_suffix = "2";
system.autoUpgrade.allowReboot = lib.mkForce false; system.autoUpgrade.allowReboot = lib.mkForce false;
sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml;
networking = { networking = {
wg-quick.interfaces = { wg-quick.interfaces = {
wg1 = { wg1 = {
autostart = false; autostart = false;
address = [ "10.100.0.7/24" ]; address = [ "10.100.0.7/24" ];
dns = [ "1.1.1.1" ]; dns = [ "1.1.1.1" ];
privateKeyFile = "/persist/secrets/wireguard/priv-netflix"; privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
listenPort = 51820; listenPort = 51820;
peers = [ peers = [
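Review bot: `sops.secrets.priv-netflix-wg` sets only `sopsFile`, whereas the home WireGuard module in this same commit pairs each secret with `restartUnits`; as declared here a rotated key is written to the new path but wg-quick-wg1 keeps using the old one until it is restarted. If that is not deliberate (wg1 has `autostart = false`, so it may be), `sops.secrets.priv-netflix-wg = { sopsFile = ../../secrets/helium/netflix-wg.yaml; restartUnits = [ "wg-quick-wg1.service" ]; };`. Separately, the plaintext file this hunk stops referencing, `/persist/secrets/wireguard/priv-netflix`, and the `/persist/secrets/...` paths dropped in the home WireGuard module and users/vili.nix sections stay on the host's persistent storage after this change; nothing here removes them, so the old key and password-hash files should be deleted once the sops-managed paths are confirmed working. The wg1 interface definition continues past the end of the hunk.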


@ -6,47 +6,64 @@
description = "IPv6 GUA Suffix for Home WireGuard config"; description = "IPv6 GUA Suffix for Home WireGuard config";
}; };
config = { config =
networking = { let
networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1; host = config.networking.hostName;
in
{
sops = {
secrets = {
priv-home-wg = {
sopsFile = ../../secrets/${host}/home-wg.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
psk-home-wg = {
sopsFile = ../../secrets/${host}/home-wg.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
};
};
wg-quick.interfaces = { networking = {
wg0 = { networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
autostart = true;
address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
dns = [
"${config.custom.gua_pref}ff::1"
"vsinerva.fi"
];
privateKeyFile = "/persist/secrets/wireguard/priv-home";
listenPort = 51820;
peers = [ wg-quick.interfaces = {
{ wg0 = {
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34="; autostart = true;
presharedKeyFile = "/persist/secrets/wireguard/psk-home"; address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
allowedIPs = [ "::/0" ]; dns = [
endpoint = "home.vsinerva.fi:51820"; "${config.custom.gua_pref}ff::1"
} "vsinerva.fi"
]; ];
privateKeyFile = config.sops.secrets.priv-home-wg.path;
listenPort = 51820;
peers = [
{
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
presharedKeyFile = config.sops.secrets.psk-home-wg.path;
allowedIPs = [ "::/0" ];
endpoint = "home.vsinerva.fi:51820";
}
];
};
};
};
services.clatd = {
enable = true;
settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
};
systemd.services = {
"wg-quick-wg0" = {
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
};
clatd = {
wants = [ "wg-quick-wg0.service" ];
after = [ "wg-quick-wg0.service" ];
}; };
}; };
}; };
services.clatd = {
enable = true;
settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
};
systemd.services = {
"wg-quick-wg0" = {
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
};
clatd = {
wants = [ "wg-quick-wg0.service" ];
after = [ "wg-quick-wg0.service" ];
};
};
};
} }
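Review bot: Both `sopsFile` values are now built from `config.networking.hostName`, so every host importing this module must provide `secrets/<hostName>/home-wg.yaml` holding `priv-home-wg` and `psk-home-wg`, yet the `.sops.yaml` in this commit only adds a creation rule for `secrets/helium/`; a host added without its file would presumably fail at evaluation with a missing-path error rather than a message naming the requirement. A comment above the `let` binding would make that contract visible, e.g. `# Requires secrets/<hostName>/home-wg.yaml (priv-home-wg, psk-home-wg) and a matching .sops.yaml creation rule for every host that imports this module.`. The option declarations and the start of `config =` sit before the hunk; its last line closes the module.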


@ -0,0 +1,26 @@
priv-home-wg: ENC[AES256_GCM,data:9fvRJbHEIAZmX44BBIbReEkVxmXZE5ZYpabLOD5i7FTFpo0FN/fr3PNxxgI=,iv:pyDX/RvEN0GdOpbj2KZMCfTxPwMgqp9yKk9gqf4hVso=,tag:YYC6EvKoRFfB6/DvnuT0Tg==,type:str]
psk-home-wg: ENC[AES256_GCM,data:dSZAaddACyaWE9xfjIsofGRnd/IaXRI9UODeHwGDVMfBTR+npf4qHkoZpps=,iv:KC2HTmIx95p/BYu9mVjSI6R+AnnjVrTNS7DGhVpgoE8=,tag:KNkSim/dPepmh+vajwqrbA==,type:str]
sops:
age:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUU84czVBVmVFTFNyTWJJ
Rjh6YXc2bnMrZ3RrcHBiMWdHeDJDa0VBd1NZCkhqM0FxQjRZL1lTSkF6a0s4bTNO
SWY5THFpeTN2TUdrUjVhUUJ2WEloNDQKLS0tIGlqUFZQckhNbHpHWjBzM2NodGpH
WCtnL2NhRUordFJpWFBtTGRWZ2x3ZWcKBJmUSDtqXwrgUbPVWG1iK5aJRAcVou4V
RQDfUAwCEDFfakdUIlb7MNJQkOFZKLzZHurJJdrjfX6pQI66BmlQEQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMkY3Yi8yZHh1TmR0RGtD
QVBQVVYzWW52Q0VMN2VyVzhRVW9ROTdlZEQ4CkxnMHJzaDJBeXRkSnFpb2EyWllK
Mm0zelRGcCt5alJIdzQydThRNzR2TXMKLS0tIEcrV1ZnYjNqNHRhdGZaVXJTV0N5
TUlqVjg3ZERFeklKM3RwNk13cWFGbW8Khn6IR562bAOAMDbtpoHKBsK2vGetZw1O
ujE/yYzysSvBAETGPYxP/y32FvMtbkhHb+k8uCDDPUkkrzNY8qk8EA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-21T10:55:19Z"
mac: ENC[AES256_GCM,data:14dAcqlAETnosllGiHa8fbjHiVuBHs9RWJTu1PKP5vQw+s6K5bxFtn6SbimA+yeraAfVGBnKnfh9L+WAAXZdKRjhu+CDogV3iOOi0dRFAVLs6P0IPYs+yZ5w22dMfeiw5kX39Gx8mjQwy19Rkomx3kaxMRx0YgkGu0CwkESJfrk=,iv:TbBjVsDJ+SLdcgGK7i6W9gK7dvQNYPLf4gRDumoMp1U=,tag:/SoN9YO5uOhzUwAWXol40Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2


@ -0,0 +1,25 @@
priv-netflix-wg: ENC[AES256_GCM,data:CA+ZAr4IMq78/VLbE48iNigbQ7l0JwyIT27fZSQ8g2I9VsWsJLQaOXKPdmA=,iv:Gegk1cE2KuiNkJ0rkAR28+cww5ecQCmR3h+ghgfS2+0=,tag:+MG/+q7+vXLAYP7bjRdAmQ==,type:str]
sops:
age:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3hhVWdWK2cvaVRjU0FF
OFRTcTVZZE5Jc21wYXhHeDFuOGZNK0JsMm5jCklyUCtlQm0zU3BQRlFUN0pDUWtT
RTlRVCtBVnZzdnlnSGtmQlNURTVCaGcKLS0tIHBxSk04b2l5VDQ2ZEY2aVphMUVQ
aW9LYzhlOHJNR1pZdmNPOGZyamNOOTgKmdKtZolBC1nvBr+NZvtdTJhipxFtMPsv
UM+uMFMJRx5tPFSDaL1r/Fp5+OV9WIZ5RN4ga9K9TDbhnGUssJkgMg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvK0NCWHRXN0NlOWNxeFN3
YzFGbTRWQVoxcTd0TEtQQVgwK2NRWXRUcXpRClVDeU9wd2wyN3RsTnR4RElKSFcz
WkVOTHNycURtM2h2R3B0MDdpWHhvNlEKLS0tIHhHS1VPS3lEWUx5SC9pRjJHUmQ1
R1Vvay9kREd5RUZHb0w5ckd2Q2VHZW8KX2R8oU47VDWCFuKe/J52flfKcDURIAYB
RKe0uufUnCgB7cx6D/+hnykkOjMPtqrcrAHnyrgnptHw0XtXTrNWBg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-21T12:22:52Z"
mac: ENC[AES256_GCM,data:uvTD+QQdpndni/bjI25VWdvFowL/FPJg/wdZw1fK29C2JEQ16EKF9ajh0Dkii8M4+Nnn3RxPO5s7QPnoMmwLQEMQIvfmApJFE8j9qSb5EBCy+Ysig8gkdqMEUQAyhIpauy2MJCIzl8Hj8yfEsnffNq4nclM2VlJCeowHW4QbTgs=,iv:IceQcN6/Z40tphLY+ngAebDgdsf96/SO6oOYR3K1/zk=,tag:2t34lfOI1+MuP9EfWoqcoA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

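--- /dev/null
+++ b/secrets/users/vili.yaml
@@ -0,0 +1,25 @@
+vili-password: ENC[AES256_GCM,data:SG0UVgXOrbLJZ8dj1NeuBL0QulIeZRfoD5o/QF57avce7nxlU1RLnQfZe9fsW9IqnfiAQkYNcQ3B/m36VBy87DJosRVT0dcizg==,iv:536A1+NVuvg18uh+7oEEUYJ8PM+g62boNCKCUpg0GJo=,tag:J9YL+fdK4gE7g58nSgBRcw==,type:str]
+sops:
+age:
+- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdTR2Z0tSN3VXdTQ5SDNL
+WnRMcm9DTi83SWRwQXBFK3VZY3IrcUFpWXdvCkhSckQ0b0ZHVlZnZlhHSGlLNjg0
+MnA4QjBVdkx1cXBYMG9iN1JVQUk3ZjQKLS0tIGFoUDJ6NWJublZkeFkrVTVkQUM4
+bHNVT2pYYUtXenYzYkc3QnhKaDc4ZDQKTX7BT0uMjyP3Vj/mZUW/lDwKItTXx3mo
+0qkDJ/TmKdYLj/gRkb5YwsXCpcsB5ovOTI9/mbJeMwBzMM5NTKJ+mg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdGpmNWI1bmFsWlBTSmVW
+RzlQVktaQnEvc1R3YWl4TDZqV2FHVlgyVVc4CmJZZ3dUWmJ1K2RrSVR4YTg5cEZO
+UUFyOHkrcDNxUEZ6L3Noak1EU1lhQmsKLS0tIFFDTjRoeWhFK2w2QkRDNGZtOXpH
+dTlrZEl0RFA1TUl5WTdEUjNFRkYyMHcKm+EHlkTkRsUd3vtENFIgIwt5Zqt22Er4
+PHLrTG8ev41ws0jtQPLsSSz7FfXW2rTJjs5TEsly1KJJGwlNJI9gxw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-06-21T12:17:55Z"
+mac: ENC[AES256_GCM,data:iHPaSftY2MFHgg+426dlTtTPWbL3AO84ND1CHViJ81bUm9CYTKlLGU23ocKVJRzPy85BhOGh2R4uURP1dvQ3BiFWGK3B2t8xtg1vTz5jSgQkvWr5RRiDLOvHWb4cT4O5cI8MHkLtYAl1ungdZj+uCIIw9unzDD+HpjlOlCaf8C0=,iv:HFZfxCBQEB0G7oalRkNFykeJ3+9xssUJN5oB/j1Z3xI=,tag:PabtyU0ZvSRWlmz7y35uMA==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2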


@ -27,6 +27,7 @@
termshark termshark
age age
ssh-to-age
sops sops
minisign minisign
pwgen pwgen


@ -1,5 +1,10 @@
{ config, ... }: { config, ... }:
{ {
sops.secrets.vili-password = {
sopsFile = ../../secrets/users/vili.yaml;
neededForUsers = true;
};
users.users.vili = { users.users.vili = {
isNormalUser = true; isNormalUser = true;
home = "/home/vili"; home = "/home/vili";
@ -11,7 +16,7 @@
"audio" "audio"
]; ];
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
hashedPasswordFile = "/persist/secrets/hashed-passwords/vili"; hashedPasswordFile = config.sops.secrets.vili-password.path;
}; };
users.groups.vili.gid = 1000; users.groups.vili.gid = 1000;
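Review bot: `neededForUsers = true` on `vili-password` means sops-nix decrypts this secret in the early users stage of activation, before `users.users.vili` exists, so the host's decryption key must already be readable at that point; the `/persist/...` paths replaced across this commit suggest an impermanence layout, where that key has to sit on persistent storage and be reachable that early — nothing in these hunks configures the key source, so this is worth confirming on first boot after the switch. A comment on the secret would record the constraint, e.g. `# neededForUsers: decrypted before user creation, so the host's sops decryption key must be available in early activation`. The `users.users.vili` set begins in the first hunk and its closing brace is in the second, with lines between them outside the view.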