Move helium to sops-nix
This commit is contained in:
parent
924f738618
commit
ec685a2e86
8 changed files with 161 additions and 41 deletions
14
.sops.yaml
Normal file
14
.sops.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
keys:
|
||||
- &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
- &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||
creation_rules:
|
||||
- path_regex: ^secrets/helium/.*\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *vili-bw
|
||||
- *helium
|
||||
- path_regex: ^secrets/users/vili.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *vili-bw
|
||||
- *helium
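Review bot: The `.sops.yaml` anchors carry no explanation of what each key is, and the two rules are where every future host and user secret will be wired in, so a reader cannot tell why the `helium` host key is a recipient of `secrets/users/vili.yaml` and not only of its own `secrets/helium/` tree. I'd put a comment above `keys:` such as `# vili-bw: admin age key, kept outside the repo; helium: age recipient for the helium host (presumably derived from its SSH host key with ssh-to-age — confirm)` and above the second rule `# user secrets are decrypted on-host with neededForUsers, so every host defining the user must be a recipient here`. Keeping the host rule scoped to `^secrets/helium/.*\.yaml$` is the right least-privilege shape; when more hosts arrive, add a rule and anchor per host rather than widening to `^secrets/.*`. Note that if helium is ever reinstalled and its host key changes, both rules need the new recipient and every file they cover must be re-keyed (`sops updatekeys`), since the old host key is the only thing the files are bound to besides `vili-bw`.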
|
|
@ -1,15 +1,22 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
custom.home_wg_suffix = "2";
|
||||
system.autoUpgrade.allowReboot = lib.mkForce false;
|
||||
|
||||
sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml;
|
||||
|
||||
networking = {
|
||||
wg-quick.interfaces = {
|
||||
wg1 = {
|
||||
autostart = false;
|
||||
address = [ "10.100.0.7/24" ];
|
||||
dns = [ "1.1.1.1" ];
|
||||
privateKeyFile = "/persist/secrets/wireguard/priv-netflix";
|
||||
privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
|
||||
listenPort = 51820;
|
||||
|
||||
peers = [
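Review bot: The new `sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml;` sets only the file; unlike the home-wg secrets in this same commit it declares no `restartUnits`, so a rotated key in `netflix-wg.yaml` will not reach an already-running `wg1` until the unit is restarted by hand. Given `autostart = false` that may be deliberate — check whether `restartUnits = [ "wg-quick-wg1.service" ]` would start the inactive unit on change before adding it — but either way a one-line comment stating the choice belongs next to the declaration. Separately, the change only stops reading `/persist/secrets/wireguard/priv-netflix`; it does not remove the plaintext key from `/persist`, so once the switch is verified that file (and the other `/persist/secrets/...` paths this commit retires) should be shredded or the key rotated, otherwise the move to sops changes nothing on-host. The `wg1` interface set continues past the end of this hunk.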
|
||||
|
|
|
@ -6,47 +6,64 @@
|
|||
description = "IPv6 GUA Suffix for Home WireGuard config";
|
||||
};
|
||||
|
||||
config = {
|
||||
networking = {
|
||||
networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
|
||||
config =
|
||||
let
|
||||
host = config.networking.hostName;
|
||||
in
|
||||
{
|
||||
sops = {
|
||||
secrets = {
|
||||
priv-home-wg = {
|
||||
sopsFile = ../../secrets/${host}/home-wg.yaml;
|
||||
restartUnits = [ "wg-quick-wg0.service" ];
|
||||
};
|
||||
psk-home-wg = {
|
||||
sopsFile = ../../secrets/${host}/home-wg.yaml;
|
||||
restartUnits = [ "wg-quick-wg0.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
wg-quick.interfaces = {
|
||||
wg0 = {
|
||||
autostart = true;
|
||||
address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
|
||||
dns = [
|
||||
"${config.custom.gua_pref}ff::1"
|
||||
"vsinerva.fi"
|
||||
];
|
||||
privateKeyFile = "/persist/secrets/wireguard/priv-home";
|
||||
listenPort = 51820;
|
||||
networking = {
|
||||
networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
|
||||
presharedKeyFile = "/persist/secrets/wireguard/psk-home";
|
||||
allowedIPs = [ "::/0" ];
|
||||
endpoint = "home.vsinerva.fi:51820";
|
||||
}
|
||||
];
|
||||
wg-quick.interfaces = {
|
||||
wg0 = {
|
||||
autostart = true;
|
||||
address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
|
||||
dns = [
|
||||
"${config.custom.gua_pref}ff::1"
|
||||
"vsinerva.fi"
|
||||
];
|
||||
privateKeyFile = config.sops.secrets.priv-home-wg.path;
|
||||
listenPort = 51820;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
|
||||
presharedKeyFile = config.sops.secrets.psk-home-wg.path;
|
||||
allowedIPs = [ "::/0" ];
|
||||
endpoint = "home.vsinerva.fi:51820";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.clatd = {
|
||||
enable = true;
|
||||
settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
"wg-quick-wg0" = {
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
};
|
||||
clatd = {
|
||||
wants = [ "wg-quick-wg0.service" ];
|
||||
after = [ "wg-quick-wg0.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.clatd = {
|
||||
enable = true;
|
||||
settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
"wg-quick-wg0" = {
|
||||
wants = [ "network-online.target" ];
|
||||
after = [ "network-online.target" ];
|
||||
};
|
||||
clatd = {
|
||||
wants = [ "wg-quick-wg0.service" ];
|
||||
after = [ "wg-quick-wg0.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
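Review bot: `sopsFile = ../../secrets/${host}/home-wg.yaml` at the top of the new `config` block makes a per-host secrets file part of this shared module's contract, but nothing in the module says so, and a host without the file will fail evaluation with an opaque missing-path error. I'd add above `sops = {`: `# Every host importing this module needs secrets/<hostName>/home-wg.yaml containing priv-home-wg and psk-home-wg, encrypted to that host's recipient in .sops.yaml`. The `restartUnits` entries restart `wg-quick-wg0.service` on key change; `clatd` is only `wants`/`after` it and is not restarted alongside, which is presumably fine for clatd but worth confirming once a rotation has actually happened. The option declarations and the outer attribute set of this module start before this hunk.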
|
||||
|
|
26
secrets/helium/home-wg.yaml
Normal file
26
secrets/helium/home-wg.yaml
Normal file
|
@ -0,0 +1,26 @@
|
|||
priv-home-wg: ENC[AES256_GCM,data:9fvRJbHEIAZmX44BBIbReEkVxmXZE5ZYpabLOD5i7FTFpo0FN/fr3PNxxgI=,iv:pyDX/RvEN0GdOpbj2KZMCfTxPwMgqp9yKk9gqf4hVso=,tag:YYC6EvKoRFfB6/DvnuT0Tg==,type:str]
|
||||
psk-home-wg: ENC[AES256_GCM,data:dSZAaddACyaWE9xfjIsofGRnd/IaXRI9UODeHwGDVMfBTR+npf4qHkoZpps=,iv:KC2HTmIx95p/BYu9mVjSI6R+AnnjVrTNS7DGhVpgoE8=,tag:KNkSim/dPepmh+vajwqrbA==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUU84czVBVmVFTFNyTWJJ
|
||||
Rjh6YXc2bnMrZ3RrcHBiMWdHeDJDa0VBd1NZCkhqM0FxQjRZL1lTSkF6a0s4bTNO
|
||||
SWY5THFpeTN2TUdrUjVhUUJ2WEloNDQKLS0tIGlqUFZQckhNbHpHWjBzM2NodGpH
|
||||
WCtnL2NhRUordFJpWFBtTGRWZ2x3ZWcKBJmUSDtqXwrgUbPVWG1iK5aJRAcVou4V
|
||||
RQDfUAwCEDFfakdUIlb7MNJQkOFZKLzZHurJJdrjfX6pQI66BmlQEQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMkY3Yi8yZHh1TmR0RGtD
|
||||
QVBQVVYzWW52Q0VMN2VyVzhRVW9ROTdlZEQ4CkxnMHJzaDJBeXRkSnFpb2EyWllK
|
||||
Mm0zelRGcCt5alJIdzQydThRNzR2TXMKLS0tIEcrV1ZnYjNqNHRhdGZaVXJTV0N5
|
||||
TUlqVjg3ZERFeklKM3RwNk13cWFGbW8Khn6IR562bAOAMDbtpoHKBsK2vGetZw1O
|
||||
ujE/yYzysSvBAETGPYxP/y32FvMtbkhHb+k8uCDDPUkkrzNY8qk8EA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-21T10:55:19Z"
|
||||
mac: ENC[AES256_GCM,data:14dAcqlAETnosllGiHa8fbjHiVuBHs9RWJTu1PKP5vQw+s6K5bxFtn6SbimA+yeraAfVGBnKnfh9L+WAAXZdKRjhu+CDogV3iOOi0dRFAVLs6P0IPYs+yZ5w22dMfeiw5kX39Gx8mjQwy19Rkomx3kaxMRx0YgkGu0CwkESJfrk=,iv:TbBjVsDJ+SLdcgGK7i6W9gK7dvQNYPLf4gRDumoMp1U=,tag:/SoN9YO5uOhzUwAWXol40Q==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
25
secrets/helium/netflix-wg.yaml
Normal file
25
secrets/helium/netflix-wg.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
priv-netflix-wg: ENC[AES256_GCM,data:CA+ZAr4IMq78/VLbE48iNigbQ7l0JwyIT27fZSQ8g2I9VsWsJLQaOXKPdmA=,iv:Gegk1cE2KuiNkJ0rkAR28+cww5ecQCmR3h+ghgfS2+0=,tag:+MG/+q7+vXLAYP7bjRdAmQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3hhVWdWK2cvaVRjU0FF
|
||||
OFRTcTVZZE5Jc21wYXhHeDFuOGZNK0JsMm5jCklyUCtlQm0zU3BQRlFUN0pDUWtT
|
||||
RTlRVCtBVnZzdnlnSGtmQlNURTVCaGcKLS0tIHBxSk04b2l5VDQ2ZEY2aVphMUVQ
|
||||
aW9LYzhlOHJNR1pZdmNPOGZyamNOOTgKmdKtZolBC1nvBr+NZvtdTJhipxFtMPsv
|
||||
UM+uMFMJRx5tPFSDaL1r/Fp5+OV9WIZ5RN4ga9K9TDbhnGUssJkgMg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvK0NCWHRXN0NlOWNxeFN3
|
||||
YzFGbTRWQVoxcTd0TEtQQVgwK2NRWXRUcXpRClVDeU9wd2wyN3RsTnR4RElKSFcz
|
||||
WkVOTHNycURtM2h2R3B0MDdpWHhvNlEKLS0tIHhHS1VPS3lEWUx5SC9pRjJHUmQ1
|
||||
R1Vvay9kREd5RUZHb0w5ckd2Q2VHZW8KX2R8oU47VDWCFuKe/J52flfKcDURIAYB
|
||||
RKe0uufUnCgB7cx6D/+hnykkOjMPtqrcrAHnyrgnptHw0XtXTrNWBg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-21T12:22:52Z"
|
||||
mac: ENC[AES256_GCM,data:uvTD+QQdpndni/bjI25VWdvFowL/FPJg/wdZw1fK29C2JEQ16EKF9ajh0Dkii8M4+Nnn3RxPO5s7QPnoMmwLQEMQIvfmApJFE8j9qSb5EBCy+Ysig8gkdqMEUQAyhIpauy2MJCIzl8Hj8yfEsnffNq4nclM2VlJCeowHW4QbTgs=,iv:IceQcN6/Z40tphLY+ngAebDgdsf96/SO6oOYR3K1/zk=,tag:2t34lfOI1+MuP9EfWoqcoA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
25
secrets/users/vili.yaml
Normal file
25
secrets/users/vili.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
vili-password: ENC[AES256_GCM,data:SG0UVgXOrbLJZ8dj1NeuBL0QulIeZRfoD5o/QF57avce7nxlU1RLnQfZe9fsW9IqnfiAQkYNcQ3B/m36VBy87DJosRVT0dcizg==,iv:536A1+NVuvg18uh+7oEEUYJ8PM+g62boNCKCUpg0GJo=,tag:J9YL+fdK4gE7g58nSgBRcw==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdTR2Z0tSN3VXdTQ5SDNL
|
||||
WnRMcm9DTi83SWRwQXBFK3VZY3IrcUFpWXdvCkhSckQ0b0ZHVlZnZlhHSGlLNjg0
|
||||
MnA4QjBVdkx1cXBYMG9iN1JVQUk3ZjQKLS0tIGFoUDJ6NWJublZkeFkrVTVkQUM4
|
||||
bHNVT2pYYUtXenYzYkc3QnhKaDc4ZDQKTX7BT0uMjyP3Vj/mZUW/lDwKItTXx3mo
|
||||
0qkDJ/TmKdYLj/gRkb5YwsXCpcsB5ovOTI9/mbJeMwBzMM5NTKJ+mg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdGpmNWI1bmFsWlBTSmVW
|
||||
RzlQVktaQnEvc1R3YWl4TDZqV2FHVlgyVVc4CmJZZ3dUWmJ1K2RrSVR4YTg5cEZO
|
||||
UUFyOHkrcDNxUEZ6L3Noak1EU1lhQmsKLS0tIFFDTjRoeWhFK2w2QkRDNGZtOXpH
|
||||
dTlrZEl0RFA1TUl5WTdEUjNFRkYyMHcKm+EHlkTkRsUd3vtENFIgIwt5Zqt22Er4
|
||||
PHLrTG8ev41ws0jtQPLsSSz7FfXW2rTJjs5TEsly1KJJGwlNJI9gxw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2025-06-21T12:17:55Z"
|
||||
mac: ENC[AES256_GCM,data:iHPaSftY2MFHgg+426dlTtTPWbL3AO84ND1CHViJ81bUm9CYTKlLGU23ocKVJRzPy85BhOGh2R4uURP1dvQ3BiFWGK3B2t8xtg1vTz5jSgQkvWr5RRiDLOvHWb4cT4O5cI8MHkLtYAl1ungdZj+uCIIw9unzDD+HpjlOlCaf8C0=,iv:HFZfxCBQEB0G7oalRkNFykeJ3+9xssUJN5oB/j1Z3xI=,tag:PabtyU0ZvSRWlmz7y35uMA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.10.2
|
|
@ -27,6 +27,7 @@
|
|||
termshark
|
||||
|
||||
age
|
||||
ssh-to-age
|
||||
sops
|
||||
minisign
|
||||
pwgen
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
sops.secrets.vili-password = {
|
||||
sopsFile = ../../secrets/users/vili.yaml;
|
||||
neededForUsers = true;
|
||||
};
|
||||
|
||||
users.users.vili = {
|
||||
isNormalUser = true;
|
||||
home = "/home/vili";
|
||||
|
@ -11,7 +16,7 @@
|
|||
"audio"
|
||||
];
|
||||
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
hashedPasswordFile = "/persist/secrets/hashed-passwords/vili";
|
||||
hashedPasswordFile = config.sops.secrets.vili-password.path;
|
||||
};
|
||||
|
||||
users.groups.vili.gid = 1000;
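Review bot: `sops.secrets.vili-password` is consumed through `hashedPasswordFile`, so its plaintext must be a crypt(3)-style hash (as `mkpasswd` produces), not the password itself; the name suggests otherwise and the encrypted file cannot show which it is. Either rename the key to `vili-password-hash` or add `# value is the hashed password (mkpasswd output), as required by hashedPasswordFile` next to the declaration. Because `neededForUsers = true` decrypts this secret early in activation, before users are created, the host's age or SSH key must already be readable at that stage; with the rest of this commit retiring `/persist/...` paths, confirm that `sops.age.sshKeyPaths` (or `keyFile`) points at the persisted key location rather than an `/etc` bind mount that may not exist yet — that setting is not visible in this diff. As with the other migrated paths, the old `/persist/secrets/hashed-passwords/vili` plaintext is not removed by this change.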
|
||||
|
|