wg-home: port away from derived-secrets

and now i can kill derived secrets?
2024-09-28 11:34:48 +00:00
parent d7c26b736c
commit 9bd80447f6
5 changed files with 123 additions and 15 deletions
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -59,13 +59,7 @@ in
  };

  config = lib.mkIf cfg.enable {
-    # generate a (deterministic) wireguard private key
-    sane.derived-secrets."/run/wg-home.priv" = {
-      len = 32;
-      encoding = "base64";
-      acl.mode = "0640";
-      acl.group = "systemd-network";
-    };
+    sops.secrets."wg-home.priv".owner = "systemd-network";

    # wireguard VPN which allows everything on my domain to speak to each other even when
    # not behind a shared LAN.
@@ -82,13 +76,7 @@ in

    networking.wireguard.interfaces.wg-home = lib.mkIf (!cfg.routeThroughServo) ({
      listenPort = 51820;
-      privateKeyFile = "/run/wg-home.priv";
-      # TODO: make this `wants` and `after`, instead of manually starting it
-      preSetup =
-        let
-          gen-key = config.sane.fs."/run/wg-home.priv".unit;
-        in
-          "${pkgs.systemd}/bin/systemctl start '${gen-key}'";
+      privateKeyFile = "/run/secrets/wg-home.priv";

      ips = [
        "${cfg.ip}/24"
@@ -123,7 +111,7 @@ in
      dns = [
        config.sane.hosts.by-name."servo".wg-home.ip
      ];
-      privateKeyFile = "/run/wg-home.priv";
+      privateKeyFile = "/run/secrets/wg-home.priv";
    };
  };
 }
--- a/secrets/desko/wg-home.priv.bin
+++ b/secrets/desko/wg-home.priv.bin
@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:dnJ0lv///AAeQlCWTitk1wld9vAxoDmopMRDOG8ioBMzKZvM8Xlo5xL76ec1,iv:GSOcpgdSJFpQYJXDQ9ZWSvYmcdtDgOAiaWnSd83IjjE=,tag:0mzqnFlugc+HPCM97/9mOQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQmtsZDFyaTgrb2Zyb1Zs\nN2ZxWmx2RllUYVNoTVQwN3BJTVNHR2F1Y3p3CmU4S1dJbExKRU52TWhwTGlZai9Y\nS0tIQlRnY3ZUTW9iYnJvalgwL1QrM0UKLS0tIDRHczRsQ0NYdmgzd050SWxqalB4\nVE5LZmN1d1ZYM01EYWg1TllVVjBUUWsKwAiRFZY1GmvteFq520a2k7IKb+ZWQveP\nuIvl28ZmTWYUws6g6ugwo8Kk6qLjDlRS7VkDMNkLDUvvPL/PyMSJwg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQlYwUEszUmhPY3c4bCt5\ncHZoa216UGJFUUhiaUtCellMV3ErVzJQc1RnClYyUExyV1ZobUdNeHVWZjhscVRU\na3QwU2cvVEtQUDNsQnpZNWdUQjJEUWMKLS0tIDBuQ1FXRVpMVUdTRWQwcHZEUnJU\nTk9TMlJkQTRiYlZKbnMrK0NnTU0vQXcKEoDInPl6oevKt9xhWEHzM5DaliMAiZXd\nhcRbjmKS3DfLQ5QzHLqlXvO/AU7cqVdbA9dLhZT+suK3tqtWmcamKQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1vnw7lnfpdpjn62l3u5nyv5xt2c965k96p98kc43mcnyzpetrts9q54mc9v",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHMTh5UzcxUk90d3psM2k3\nb00rKzErVC9BRTN4dmZWTkUwc1VkSHBJN0QwCjBMVUE2UjdBZ2FYQ1poRkVDOWdK\nbGRrQ3h2ekxiS2dQZzdsQUliOW93alkKLS0tIEdzeWpkellzWWc0ZSs0MzNJUVNN\nbEs3MWpyMnlkRUcyd244dTc4VmswbVUKP/aDo5IhTR9O/tVfxpSPNjexsWE4JKPs\nEQlrFabvlQiDCCoZhb0ugeDd30yy7gl6iYdc3AZTaqSNRaKJEER/IQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-28T11:21:34Z",
+		"mac": "ENC[AES256_GCM,data:qIcldwKRVJAtJBgp6ZeeVV67AxTScxyAmv+klbTDz6Ax09+eAB3i2uY6sooDIvwd0rRXR0CSu6pKCX3A/0nUbVDxenXkEXgUYE58wDCGZ2oJDFwCymNKIFZYW3vtG4oPS7QIEvi/XoR2473nBEzRdAicq0VV1jbACTNulEN1GUc=,iv:thx5ZCmTo9UdKXHHctGUQLHTZYU8E/Ckd4rKMxy+CJ8=,tag:vAnHo3hVIcDsEw4BieOGRw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/secrets/lappy/wg-home.priv.bin
+++ b/secrets/lappy/wg-home.priv.bin
@@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:wg9QLva+50qwa8x5nPPasSFoNfm2N0C1yhJPbB4nSZEgoStAEmXQocEvfMaY,iv:mLCWBa9cNeu5eJk8zHj/GFEeTlNJG830m1sUtA5ssh0=,tag:CMKB+K9wKRHo1W7iQY00tQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UENabGRCd0UwS0J3cUF1\naVRJZkxxci8vTmtuMFA1VWVSNDQ0UzFWSW1jCjRHd243dUZmaVZFd1dmUDhqNi9K\nalF1cUlybTZOUVd0VGZhZGJ4U2tVQXMKLS0tIEY4Ty84VkU1WkxyeHVncDVBS3Jn\nUldaWS9kY24vVWtPMmpFTjZiOVVpRmcKQjUALlsooXnjj++EWtI3fuoWUzYySGtd\nMVjNTSOm3KnMkhiR3FbXtgqoCfcoNw3nydQMAUMt/ssfkxKLPQM0Bw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZMlhFMklxSk5zTVpKTWhq\nNVhrS0szUUd0SnJMaWs5Rm9uVldxSkcyUHpnCitObzhQL3lxcFcybytWa25QUk55\nSktkWVdyQUp1NFBISDlIMlpzS3NIdVUKLS0tIDQ1aU1pZS9PdGZQVFdvTW1rVC96\nNkVQcjRxNzJORFBGeG0zY25Db0IxYkEKd2ux5OaCtgtphvgqioV6aP5yBjY0GuAU\nBNKtdKwcOQbp8zhPTTXYMqTkCo2sAd+pmAukuGDxEEJuS/KCzaes9Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1w7mectcjku6x3sd8plm8wkn2qfrhv9n6zhzlf329e2r2uycgke8qkf9dyn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZWZkOXpzYm1sTFA2bHVs\naU5EbWJHOTk4T0xnRzNEUFA1TFlMK3kvUWhBCjl5QXdJbkk3bzU0NjZBZ2xrdEVm\nMm14d1JCM08wUnRIN0xhaHEyTGQzZE0KLS0tIDBRT2JZL3lLZXc0ODdVYThKYW9L\nK3hQRmtKS0wxbWNVOHBhenUwU01pOEEKkseVWgbQAconi8mIUjUxW2P3RINEfkAX\n47zP0CJ+mvdJv0iO3+96IoiJ+Jz+OsKxDjCnKRP/WB5jM2UVdbqlzA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-28T11:21:49Z",
+		"mac": "ENC[AES256_GCM,data:RGzvyARFK/S1ot1s6FakC3IGevvT/7mlpfqB3k/n0320uPM3mp9LSaBSHrTuFUD7ATxtBa3F465/X2+NCgVXMR95v3mhPKDB7uDoO6PRtHyuIGKJ3tPznOzKYJYMsFyujCjLqv+/8T1Ot1nEFGLRdJ7MokqSZdniWc8xGEZigzo=,iv:5YNYhd9x8+NVmbBQu2ldBq4eBWhAA3tMWOVM8Th1nW0=,tag:LpdHZP1NCojFXM3EM3l33Q==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/secrets/moby/wg-home.priv.bin
+++ b/secrets/moby/wg-home.priv.bin
@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:zfFv/ANpk8SopPa/FfvtgzPcl+0MeGh6V0otJXS0ay9eJOo3RtC7De4ouLaI,iv:+0wR3E0ZP7OuTA4tuNU7Wv+EEZJkAMWd2m3rGdDXvKQ=,tag:eckDhUzQa0h2Eo5VGm4W0Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YnpTYlhqRUJGQmk4THhQ\nL1BVTVNVdmFlQkFKT1BkSXJOS3J5dUNSaEVBCnhud0g1bm81SFdTT3EwcnFSVWh5\nMFR6N1dKS3RJdEFOZ2ZXWDBlNzZCOW8KLS0tIHh5Ymg5VzRmaHVXRUJRekxNWGdK\ndGg3dzZNT05TZVYzM0J1c1VtMHF5MjQKSvndrOxYZtuZYBfReg2nUaxs8siOcNAz\nqQvWfzO5uN+4Fobrq0qgMquA5nqE2j1UUUnFSOzcYCRoktFK1pTVmg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWmdmS2NiRk9tT1FIdFFE\nUXNscUlLSVYzeWwrQkgzbE5pMUhxODcwdnpZCmFhMEI3WXZRUkVWdVV1TGFzdHh2\ndWtycVFZVnRuQXptdGpkdUVWNThpSW8KLS0tIGlQUWJEWFg4OTBxU05jamtmVmhx\ndTNnaHhkUmRFdkdBUXBQc2JYWTVuWnMKYN4toN4g68o0G7nsewE1pz1lKycTxYLt\n5xOWoRs7YkUxS4qDQnCzbH5VyFzmmiQhWWb5edoKVDo2It/T2MdFvA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1zsrsvd7j6l62fjxpfd2qnhqlk8wk4p8r0dtxpe4sdgnh2474095qdu7xj9",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWTltL3Z0eWl4aDFMK2ha\nRkFGTGo2N3JMbGlGaXhmOUhqWjU0Y3BNN2xJCnU3a1ZHMStHNXYrajhOUjBpajRi\nMG5UUDVYKzYzN3J5WXZabGg2amJzc2cKLS0tIFFkamZ5REVPcm93RXlFMEQvUEll\nbWE0bzdHSm9zS2xtM2dHc0s4OFJjNlEKTzEvxRKoFkWonGf5UdD/ptptoz0CwxJa\nPgrv5LWHc9avInwOfmLP0KxFLStsGZEEpy7B8FnQ7rNIba61T3nQ/w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vq5ktwgeaysucvw9t67drqmg5zd5c5k3le34yqxckkfj7wqdqgsd4ejmt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OFlMa1BTQ1JqOVI3RW9B\nZ2V6M3VRb0N2aTVqcHhsYnpJcmVsS3VKbG4wCkpicE1xTGRJWVJMODJnUmlhVDA4\naTZaaVRsQ1FyUk5GTjA1ZDltVHJjZ1kKLS0tIGMremhLRGZ6bmJUcUlKZkJyclB4\nM3owemVld0dHRFhpTWdialZTZE43eEUKbj92S8464pbx6Dijgl3u/x8xDYmwTW3/\n/EqT/BSQ6BDZu0Eshi32jczhmdtVdst3CQSov7PHANDiN4enMDn2HA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-28T11:22:28Z",
+		"mac": "ENC[AES256_GCM,data:I5XHMfFUT8vNGn3fFRZCTmJdyUtapt6/jj56t//DvKrm9FRImhSZ2Q9g1KySgL1rKWLWJdlQlWDtpKCkCGgwEOGY80n/kfEq0e/tjZ/SyswmoYbrFevMzfA9imfLG9Yt9BvCW6dyFTFUOxevgHeSUSa+McIQaSIeczExCfbpTIk=,iv:qSe93b+zEs9FXzddOqKPLETY+vkf2g79Wt4rbRN+bAs=,tag:51Vk+VkCJLCMOqj2AHr2DA==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}
--- a/secrets/servo/wg-home.priv.bin
+++ b/secrets/servo/wg-home.priv.bin
@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:DrDf+Tp6WI6IrvSwjP9OZt8cadYWuzo6UiiWrtEFk9aadJ4Iat0G7Qfs/voK,iv:i3ibMiD1jHSsItAOs/u2Je3Ph9iMV/IBsfLfA89Ufec=,tag:FwlIKWkUhXRe6sZyk5TBAQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSzJRVzJlbkRTUHRJNUFl\nd1lYNzJ6ZXlmaXcwMU5jN1BJcFdlSGM2MkhFClNEWVZ1UTNZU1pjN1dEdHREZWxB\nSXUwZU9LbW12MzE3Z3dUUnJucFlNZmsKLS0tIDFKaUtHSXVPR0ljMFlZM1lTTGlP\nc1Bmdk1lbGVqRGwxRUNpS0l5SUdmRUkKFJAv4Rvhim9fjAZAXtMxHEDBRe953LdO\nKb2cVT5JaXRcHudZtCUnGWtE5ddiecaBhGcDCep7ZpK5CzZO2GwcpQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwRjl1RUVWdzdNSzNndG10\nNkhPZVk0RXlxMkJnNWJHaUNqMVk3YmQ1UVU4Cnk4MWV0NU1CZ0FVTit4R2IyQndJ\nTmtBWnlFQzE3ckJPSTdQVHBDWEQ0UTAKLS0tIGNlSVJoUDZuMkFlYlRDQ1g1VFhX\nMVhtKzA2YVd5dlplWm1XUFI1U0dNem8Kwuq8P73HtB8xNqF2U2uMHTJNP2HiAJfs\nLc2gJgEqSYfKqLkq++x4V5KXs2/T0Dsfc44+59++/KUlETmDAxQECw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnLzkxeWNMU0kxNUFrdzdy\nMzREU2k2MWs1TSt2OFRERGNRdkJoZnRTamlZClU0QkgrTk5qY01DdE5xNk56QzE3\nZHRubjJzKytXY3V6OW44Q20vMEdYa1UKLS0tIHVFVExwcTRHcXRjQVJQQkt1alNS\nSUszYUJOYTg1bHA3aHJVVnZQM1pjRzgKQLoOJ8EB4TTZkybMNwagGx6xnT8XtvIm\nTg6AzXxwIMY7aNdreL0VaR/h/z/EK8nK1cKqeY5g0f9dzstV7d9lKw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQkV6UGZ1cUpsZmZNOVYx\na2pvVUFZTGhETlNGRnlNdlVvWFRLRnVGb2lJCjJhSldpQ1hVT013SDBVUnBNaFBo\nOUY0UjYrV1JWL3BXeldDMzNCSVNYTzgKLS0tIHZJcUpFNjk5YUJKT3JxL2FEVEJw\nbHpCbUZMZ2hWNEtJVmI3b2lleVg2TWcKOLQQf7SsJ7kBgr9DWMDkY+X7/xubpCET\noWPlET1GF9+mLjpCFYPUrfrk92PJHh6gjYkvnob84BuF5tXC4+zdng==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-09-28T12:15:45Z",
+		"mac": "ENC[AES256_GCM,data:gPCEcMGYxlZOxOC5nwDN0t8h7ZK3O4cJZRhfYkffhZhr2vcMIZN70wA6VIzkjxcJtiSNPTaD40SbwIXjOhCzy9Q8pZFDFxmHLgg6SzOpPdSsB3SnxzCtGGksZ8bwQ2SFnaVPM9JKSzYDhmUziboObl5bpc34X+vOapKI/mAbO8Y=,iv:DMUzwk8QrkvDLzize0YmvMsCEeyLh/BgVeQd/7T+7iI=,tag:FzPF50ITKctqy/5ZurpRpQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.0"
+	}
+}