Move helium to sops-nix
This commit is contained in:
parent
924f738618
commit
ec685a2e86
8 changed files with 161 additions and 41 deletions
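--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,14 @@
+keys:
+  - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+  - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+creation_rules:
+  - path_regex: ^secrets/helium/.*\.yaml$
+    key_groups:
+      - age:
+          - *vili-bw
+          - *helium
+  - path_regex: ^secrets/users/vili.yaml$
+    key_groups:
+      - age:
+          - *vili-bw
+          - *helium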
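Review bot: Both creation rules encrypt to the identical recipient set, so `secrets/users/vili.yaml` is decryptable by helium's host key as well as the admin key; that is required for the `neededForUsers` secret on helium, but the users rule will silently widen to every host later appended to it, handing each host the password hash. A comment naming the keys and the intent would protect the next edit, e.g. `# vili-bw: admin key; helium: host key (presumably derived with ssh-to-age)` above `keys:` and `# every host listed here can decrypt the user password hash` above the users rule. Also remember that `.sops.yaml` only governs new encryptions — after any recipient change the existing files need `sops updatekeys`.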
@ -1,15 +1,22 @@
|
||||||
{ pkgs, lib, ... }:
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
{
|
{
|
||||||
custom.home_wg_suffix = "2";
|
custom.home_wg_suffix = "2";
|
||||||
system.autoUpgrade.allowReboot = lib.mkForce false;
|
system.autoUpgrade.allowReboot = lib.mkForce false;
|
||||||
|
|
||||||
|
sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml;
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
wg-quick.interfaces = {
|
wg-quick.interfaces = {
|
||||||
wg1 = {
|
wg1 = {
|
||||||
autostart = false;
|
autostart = false;
|
||||||
address = [ "10.100.0.7/24" ];
|
address = [ "10.100.0.7/24" ];
|
||||||
dns = [ "1.1.1.1" ];
|
dns = [ "1.1.1.1" ];
|
||||||
privateKeyFile = "/persist/secrets/wireguard/priv-netflix";
|
privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
|
|
|
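Review bot: `sops.secrets.priv-netflix-wg` sets only `sopsFile`, so a re-encrypted key is written to the sops path but an already-running `wg-quick-wg1.service` keeps using the old one; the home-wg secrets in the shared module set `restartUnits`, and this one should match with `sops.secrets.priv-netflix-wg.restartUnits = [ "wg-quick-wg1.service" ];`. Since `autostart = false` the unit is only started by hand, so the omission may be deliberate — if so, a one-line comment saying so would stop someone "fixing" it later. The previously referenced plaintext `/persist/secrets/wireguard/priv-netflix` is not removed by this commit; delete it once the sops path is confirmed to decrypt, or rotate the keypair if that location is covered by snapshots or backups. The `wg1` attribute set continues past the end of the hunk.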
@ -6,47 +6,64 @@
|
||||||
description = "IPv6 GUA Suffix for Home WireGuard config";
|
description = "IPv6 GUA Suffix for Home WireGuard config";
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config =
|
||||||
networking = {
|
let
|
||||||
networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
|
host = config.networking.hostName;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops = {
|
||||||
|
secrets = {
|
||||||
|
priv-home-wg = {
|
||||||
|
sopsFile = ../../secrets/${host}/home-wg.yaml;
|
||||||
|
restartUnits = [ "wg-quick-wg0.service" ];
|
||||||
|
};
|
||||||
|
psk-home-wg = {
|
||||||
|
sopsFile = ../../secrets/${host}/home-wg.yaml;
|
||||||
|
restartUnits = [ "wg-quick-wg0.service" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
wg-quick.interfaces = {
|
networking = {
|
||||||
wg0 = {
|
networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
|
||||||
autostart = true;
|
|
||||||
address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
|
|
||||||
dns = [
|
|
||||||
"${config.custom.gua_pref}ff::1"
|
|
||||||
"vsinerva.fi"
|
|
||||||
];
|
|
||||||
privateKeyFile = "/persist/secrets/wireguard/priv-home";
|
|
||||||
listenPort = 51820;
|
|
||||||
|
|
||||||
peers = [
|
wg-quick.interfaces = {
|
||||||
{
|
wg0 = {
|
||||||
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
|
autostart = true;
|
||||||
presharedKeyFile = "/persist/secrets/wireguard/psk-home";
|
address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
|
||||||
allowedIPs = [ "::/0" ];
|
dns = [
|
||||||
endpoint = "home.vsinerva.fi:51820";
|
"${config.custom.gua_pref}ff::1"
|
||||||
}
|
"vsinerva.fi"
|
||||||
];
|
];
|
||||||
|
privateKeyFile = config.sops.secrets.priv-home-wg.path;
|
||||||
|
listenPort = 51820;
|
||||||
|
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
|
||||||
|
presharedKeyFile = config.sops.secrets.psk-home-wg.path;
|
||||||
|
allowedIPs = [ "::/0" ];
|
||||||
|
endpoint = "home.vsinerva.fi:51820";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.clatd = {
|
||||||
|
enable = true;
|
||||||
|
settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services = {
|
||||||
|
"wg-quick-wg0" = {
|
||||||
|
wants = [ "network-online.target" ];
|
||||||
|
after = [ "network-online.target" ];
|
||||||
|
};
|
||||||
|
clatd = {
|
||||||
|
wants = [ "wg-quick-wg0.service" ];
|
||||||
|
after = [ "wg-quick-wg0.service" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.clatd = {
|
|
||||||
enable = true;
|
|
||||||
settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services = {
|
|
||||||
"wg-quick-wg0" = {
|
|
||||||
wants = [ "network-online.target" ];
|
|
||||||
after = [ "network-online.target" ];
|
|
||||||
};
|
|
||||||
clatd = {
|
|
||||||
wants = [ "wg-quick-wg0.service" ];
|
|
||||||
after = [ "wg-quick-wg0.service" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
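Review bot: `sopsFile = ../../secrets/${host}/home-wg.yaml;` is evaluated for every host that imports this module, and only `secrets/helium/home-wg.yaml` is added here, so any other host's evaluation will abort on a missing path instead of explaining what is needed. Either document the contract with a comment above the `sops` block — `# every host importing this module must ship secrets/<hostName>/home-wg.yaml and a matching .sops.yaml rule` — or gate it on `builtins.pathExists` / an `assertions` entry with a readable message. The two identical `sopsFile` lines could be a single `let` binding next to `host`, which would also keep the two secrets from drifting apart. The old plaintext files under `/persist/secrets/wireguard/` are no longer referenced but are not removed by this commit. The module's option declarations start before this hunk.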
26
secrets/helium/home-wg.yaml
Normal file
26
secrets/helium/home-wg.yaml
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
priv-home-wg: ENC[AES256_GCM,data:9fvRJbHEIAZmX44BBIbReEkVxmXZE5ZYpabLOD5i7FTFpo0FN/fr3PNxxgI=,iv:pyDX/RvEN0GdOpbj2KZMCfTxPwMgqp9yKk9gqf4hVso=,tag:YYC6EvKoRFfB6/DvnuT0Tg==,type:str]
|
||||||
|
psk-home-wg: ENC[AES256_GCM,data:dSZAaddACyaWE9xfjIsofGRnd/IaXRI9UODeHwGDVMfBTR+npf4qHkoZpps=,iv:KC2HTmIx95p/BYu9mVjSI6R+AnnjVrTNS7DGhVpgoE8=,tag:KNkSim/dPepmh+vajwqrbA==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUU84czVBVmVFTFNyTWJJ
|
||||||
|
Rjh6YXc2bnMrZ3RrcHBiMWdHeDJDa0VBd1NZCkhqM0FxQjRZL1lTSkF6a0s4bTNO
|
||||||
|
SWY5THFpeTN2TUdrUjVhUUJ2WEloNDQKLS0tIGlqUFZQckhNbHpHWjBzM2NodGpH
|
||||||
|
WCtnL2NhRUordFJpWFBtTGRWZ2x3ZWcKBJmUSDtqXwrgUbPVWG1iK5aJRAcVou4V
|
||||||
|
RQDfUAwCEDFfakdUIlb7MNJQkOFZKLzZHurJJdrjfX6pQI66BmlQEQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMkY3Yi8yZHh1TmR0RGtD
|
||||||
|
QVBQVVYzWW52Q0VMN2VyVzhRVW9ROTdlZEQ4CkxnMHJzaDJBeXRkSnFpb2EyWllK
|
||||||
|
Mm0zelRGcCt5alJIdzQydThRNzR2TXMKLS0tIEcrV1ZnYjNqNHRhdGZaVXJTV0N5
|
||||||
|
TUlqVjg3ZERFeklKM3RwNk13cWFGbW8Khn6IR562bAOAMDbtpoHKBsK2vGetZw1O
|
||||||
|
ujE/yYzysSvBAETGPYxP/y32FvMtbkhHb+k8uCDDPUkkrzNY8qk8EA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2025-06-21T10:55:19Z"
|
||||||
|
mac: ENC[AES256_GCM,data:14dAcqlAETnosllGiHa8fbjHiVuBHs9RWJTu1PKP5vQw+s6K5bxFtn6SbimA+yeraAfVGBnKnfh9L+WAAXZdKRjhu+CDogV3iOOi0dRFAVLs6P0IPYs+yZ5w22dMfeiw5kX39Gx8mjQwy19Rkomx3kaxMRx0YgkGu0CwkESJfrk=,iv:TbBjVsDJ+SLdcgGK7i6W9gK7dvQNYPLf4gRDumoMp1U=,tag:/SoN9YO5uOhzUwAWXol40Q==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.10.2
|
25
secrets/helium/netflix-wg.yaml
Normal file
25
secrets/helium/netflix-wg.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
priv-netflix-wg: ENC[AES256_GCM,data:CA+ZAr4IMq78/VLbE48iNigbQ7l0JwyIT27fZSQ8g2I9VsWsJLQaOXKPdmA=,iv:Gegk1cE2KuiNkJ0rkAR28+cww5ecQCmR3h+ghgfS2+0=,tag:+MG/+q7+vXLAYP7bjRdAmQ==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3hhVWdWK2cvaVRjU0FF
|
||||||
|
OFRTcTVZZE5Jc21wYXhHeDFuOGZNK0JsMm5jCklyUCtlQm0zU3BQRlFUN0pDUWtT
|
||||||
|
RTlRVCtBVnZzdnlnSGtmQlNURTVCaGcKLS0tIHBxSk04b2l5VDQ2ZEY2aVphMUVQ
|
||||||
|
aW9LYzhlOHJNR1pZdmNPOGZyamNOOTgKmdKtZolBC1nvBr+NZvtdTJhipxFtMPsv
|
||||||
|
UM+uMFMJRx5tPFSDaL1r/Fp5+OV9WIZ5RN4ga9K9TDbhnGUssJkgMg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvK0NCWHRXN0NlOWNxeFN3
|
||||||
|
YzFGbTRWQVoxcTd0TEtQQVgwK2NRWXRUcXpRClVDeU9wd2wyN3RsTnR4RElKSFcz
|
||||||
|
WkVOTHNycURtM2h2R3B0MDdpWHhvNlEKLS0tIHhHS1VPS3lEWUx5SC9pRjJHUmQ1
|
||||||
|
R1Vvay9kREd5RUZHb0w5ckd2Q2VHZW8KX2R8oU47VDWCFuKe/J52flfKcDURIAYB
|
||||||
|
RKe0uufUnCgB7cx6D/+hnykkOjMPtqrcrAHnyrgnptHw0XtXTrNWBg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2025-06-21T12:22:52Z"
|
||||||
|
mac: ENC[AES256_GCM,data:uvTD+QQdpndni/bjI25VWdvFowL/FPJg/wdZw1fK29C2JEQ16EKF9ajh0Dkii8M4+Nnn3RxPO5s7QPnoMmwLQEMQIvfmApJFE8j9qSb5EBCy+Ysig8gkdqMEUQAyhIpauy2MJCIzl8Hj8yfEsnffNq4nclM2VlJCeowHW4QbTgs=,iv:IceQcN6/Z40tphLY+ngAebDgdsf96/SO6oOYR3K1/zk=,tag:2t34lfOI1+MuP9EfWoqcoA==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.10.2
|
25
secrets/users/vili.yaml
Normal file
25
secrets/users/vili.yaml
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
vili-password: ENC[AES256_GCM,data:SG0UVgXOrbLJZ8dj1NeuBL0QulIeZRfoD5o/QF57avce7nxlU1RLnQfZe9fsW9IqnfiAQkYNcQ3B/m36VBy87DJosRVT0dcizg==,iv:536A1+NVuvg18uh+7oEEUYJ8PM+g62boNCKCUpg0GJo=,tag:J9YL+fdK4gE7g58nSgBRcw==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdTR2Z0tSN3VXdTQ5SDNL
|
||||||
|
WnRMcm9DTi83SWRwQXBFK3VZY3IrcUFpWXdvCkhSckQ0b0ZHVlZnZlhHSGlLNjg0
|
||||||
|
MnA4QjBVdkx1cXBYMG9iN1JVQUk3ZjQKLS0tIGFoUDJ6NWJublZkeFkrVTVkQUM4
|
||||||
|
bHNVT2pYYUtXenYzYkc3QnhKaDc4ZDQKTX7BT0uMjyP3Vj/mZUW/lDwKItTXx3mo
|
||||||
|
0qkDJ/TmKdYLj/gRkb5YwsXCpcsB5ovOTI9/mbJeMwBzMM5NTKJ+mg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdGpmNWI1bmFsWlBTSmVW
|
||||||
|
RzlQVktaQnEvc1R3YWl4TDZqV2FHVlgyVVc4CmJZZ3dUWmJ1K2RrSVR4YTg5cEZO
|
||||||
|
UUFyOHkrcDNxUEZ6L3Noak1EU1lhQmsKLS0tIFFDTjRoeWhFK2w2QkRDNGZtOXpH
|
||||||
|
dTlrZEl0RFA1TUl5WTdEUjNFRkYyMHcKm+EHlkTkRsUd3vtENFIgIwt5Zqt22Er4
|
||||||
|
PHLrTG8ev41ws0jtQPLsSSz7FfXW2rTJjs5TEsly1KJJGwlNJI9gxw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2025-06-21T12:17:55Z"
|
||||||
|
mac: ENC[AES256_GCM,data:iHPaSftY2MFHgg+426dlTtTPWbL3AO84ND1CHViJ81bUm9CYTKlLGU23ocKVJRzPy85BhOGh2R4uURP1dvQ3BiFWGK3B2t8xtg1vTz5jSgQkvWr5RRiDLOvHWb4cT4O5cI8MHkLtYAl1ungdZj+uCIIw9unzDD+HpjlOlCaf8C0=,iv:HFZfxCBQEB0G7oalRkNFykeJ3+9xssUJN5oB/j1Z3xI=,tag:PabtyU0ZvSRWlmz7y35uMA==,type:str]
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.10.2
|
|
@ -27,6 +27,7 @@
|
||||||
termshark
|
termshark
|
||||||
|
|
||||||
age
|
age
|
||||||
|
ssh-to-age
|
||||||
sops
|
sops
|
||||||
minisign
|
minisign
|
||||||
pwgen
|
pwgen
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
|
sops.secrets.vili-password = {
|
||||||
|
sopsFile = ../../secrets/users/vili.yaml;
|
||||||
|
neededForUsers = true;
|
||||||
|
};
|
||||||
|
|
||||||
users.users.vili = {
|
users.users.vili = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
home = "/home/vili";
|
home = "/home/vili";
|
||||||
|
@ -11,7 +16,7 @@
|
||||||
"audio"
|
"audio"
|
||||||
];
|
];
|
||||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
|
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||||
hashedPasswordFile = "/persist/secrets/hashed-passwords/vili";
|
hashedPasswordFile = config.sops.secrets.vili-password.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.vili.gid = 1000;
|
users.groups.vili.gid = 1000;
|
||||||
|
|
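Review bot: `neededForUsers = true` makes sops-nix decrypt `vili-password` in an early activation step, before users are created, so the key it decrypts with must already be readable at that point; on a host with an impermanent root (the `/persist` paths elsewhere suggest one) that means the host key must live on persistent storage and be pointed to via `sops.age.sshKeyPaths` or `sops.age.keyFile`, otherwise user creation fails at boot. A comment on that line, `# decrypted before user creation; the host's sops key must be available this early`, would record the constraint. The former `/persist/secrets/hashed-passwords/vili` file is left in place by this commit and can be removed once the sops-backed login is confirmed to work.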