This commit is contained in:
Shelvacu
2025-05-11 01:32:44 -07:00
committed by Shelvacu on prophecy
parent daa891c91c
commit 1863577b1d
7 changed files with 312 additions and 1 deletions


@@ -19,6 +19,8 @@ let
liamKeyAge = sshToAge liamKey;
tripKey = config.vacu.ssh.knownHosts.trip.publicKey;
tripKeyAge = sshToAge tripKey;
propKey = config.vacu.ssh.knownHosts.prophecy.publicKey;
propKeyAge = sshToAge propKey;
singleGroup = keys: [ { age = keys; } ];
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
testAgePublic = vaculib.outputOf {
@@ -39,6 +41,10 @@ let
path_regex = "/secrets/triple-dezert/[^/]+$";
key_groups = singleGroup (userKeysAge ++ [ tripKeyAge ]);
}
{
path_regex = "/secrets/prophecy/[^/]+$";
key_groups = singleGroup (userKeysAge ++ [ propKeyAge ]);
}
{
path_regex = "/secrets/radicle-private.key$";
key_groups = singleGroup (userKeysAge ++ [ (sshToAge config.vacu.ssh.knownHosts.fw.publicKey) ]);


@@ -227,7 +227,7 @@
prophecy = mkNixosConfig {
module = ./prophecy;
system = "x86_64-linux";
inp = [ "impermanence" ];
inp = [ "impermanence" "sops-nix" ];
};
};


@@ -7,6 +7,9 @@
./hardware.nix
./btrfs.nix
./genieacs.nix
./networking.nix
./doof.nix
./sops.nix
({ config, lib, pkgs, ... }: {
options.vacu.initramContents = lib.mkOption {
default =

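--- a/prophecy/doof.nix
+++ b/prophecy/doof.nix
@@ -0,0 +1,82 @@
+{
+lib,
+config,
+...
+}:
+let
+inherit (lib) mkOption types;
+cfg = config.vacu.network;
+doof_if = "wg-doof";
+tunnelName = "doofTun";
+in
+{
+options.vacu.network.doofPubKey = mkOption {
+type = types.str;
+};
+config = {
+vacu.network.ips = {
+doofStatic4 = "205.201.63.13";
+doofStatic6 = "2602:fce8:106:10::1";
+};
+vacu.network.doofPubKey = "nuESyYEJ3YU0hTZZgAd7iHBz1ytWBVM5PjEL1VEoTkU=";
+vacu.packages = [ "wireguard-tools" ];
+sops.secrets.wireguardKey = {
+owner = config.users.users.systemd-network.name;
+};
+systemd.network.config.routeTables.${tunnelName} = 422;
+systemd.network.config.addRouteTablesToIPRoute2 = true;
+systemd.network.netdevs.${doof_if} = {
+netdevConfig = {
+Kind = "wireguard";
+Name = doof_if;
+MTUBytes = 1300;
+};
+wireguardConfig = {
+# FirewallMark = "0xd00f";
+PrivateKeyFile = config.sops.secrets.wireguardKey.path;
+};
+wireguardPeers = lib.singleton {
+PublicKey = cfg.doofPubKey;
+Endpoint = "tun-sea.doof.net:53263";
+AllowedIPs = [ "0.0.0.0/0" "::/0" ];
+PersistentKeepalive = 5;
+};
+};
+systemd.network.networks."15-doof" = {
+matchConfig.Name = doof_if;
+DHCP = "no";
+networkConfig.IPv6AcceptRA = false;
+routes = [
+{
+Gateway = "205.201.63.44"; # tun-sea.doof.net
+GatewayOnLink = true;
+Source = "${cfg.ips.doofStatic4}/32";
+Destination = "0/0";
+}
+{
+Gateway = "2602:fce8:1::ab";
+GatewayOnLink = true;
+Source = "${cfg.ips.doofStatic6}/128";
+Destination = "::/0";
+}
+];
+# routingPolicyRules = [
+# # {
+# # To = cfg.ips.t2dSubnets;
+# # Type = "nop";
+# # }
+# {
+# From = "${cfg.ips.doofStatic4}/32";
+# Table = tunnelName;
+# }
+# ];
+};
+systemd.network.networks.${cfg.lan_bridge_network} = {
+address = [
+"${cfg.ips.doofStatic4}/32"
+"${cfg.ips.doofStatic6}/128"
+];
+};
+};
+}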
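Review bot: `systemd.network.config.routeTables.${tunnelName} = 422` and `addRouteTablesToIPRoute2 = true` declare a policy-routing table that nothing in the file uses, because the `routingPolicyRules` block and `FirewallMark` are both commented out; the tunnel is steered only by the two source-specific default routes in "15-doof". Either drop the table definition or record the intent next to it, e.g. `# Table 422 reserved for policy routing; currently unused, traffic is selected by the Source= routes below`. The `${cfg.ips.doofStatic4}/32` address added to `cfg.lan_bridge_network` here is also listed in prophecy/networking.nix in this same commit, so the merged `address` list carries it twice; one file should own it. Since the peer's AllowedIPs are 0.0.0.0/0 and ::/0, anything the provider forwards down the tunnel reaches the public addresses, so it is worth confirming that the host firewall (not visible here) is meant to apply to wg-doof as well.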

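--- a/prophecy/networking.nix
+++ b/prophecy/networking.nix
@@ -0,0 +1,86 @@
+{ config, lib, ... }:
+let
+cfg = config.vacu.network;
+bridge = cfg.lan_bridge;
+lan_port = "enp7s0";
+lan_route = {
+Gateway = cfg.ips.t2dRouter;
+GatewayOnLink = true;
+};
+in
+{
+options = {
+vacu.network.lan_bridge = lib.mkOption {
+type = lib.types.str;
+default = "br-main";
+readOnly = true;
+};
+vacu.network.lan_bridge_network = lib.mkOption {
+type = lib.types.str;
+default = "01-lan-bridge";
+readOnly = true;
+};
+vacu.network.ips = lib.mkOption {
+type = lib.types.attrsOf lib.types.anything;
+default = {};
+};
+};
+config = {
+vacu.network.ips = {
+t2dLANStatic = "10.78.79.22";
+t2dSubnets = [ "10.78.76.0/22" "205.201.63.12/32" "172.83.159.53/32" ];
+t2dRouter = "10.78.79.1";
+};
+networking.useNetworkd = true;
+systemd.network.enable = true;
+systemd.network.networks."00-lan" = {
+bridge = [ bridge ];
+name = lan_port;
+};
+systemd.network.netdevs.${bridge} = {
+netdevConfig = {
+Name = bridge;
+Kind = "bridge";
+};
+};
+systemd.network.networks.${cfg.lan_bridge_network} = {
+name = bridge;
+DHCP = "no";
+address = [
+"${cfg.ips.t2dLANStatic}/22"
+"${cfg.ips.doofStatic4}/32"
+];
+routes = [
+(lan_route // {
+Source = cfg.ips.t2dLANStatic;
+Destination = "0.0.0.0/0";
+})
+(lan_route // {
+Source = "0.0.0.0/0";
+Destination = cfg.ips.t2dSubnets;
+})
+(lan_route // {
+Source = "${cfg.ips.doofStatic4}/32";
+Destination = cfg.ips.t2dSubnets;
+})
+];
+dns = [ cfg.ips.t2dRouter ];
+};
+systemd.network.networks."10-containers" = {
+linkConfig.Unmanaged = true;
+name = "ve-*";
+};
+networking.nat = {
+enable = true;
+internalInterfaces = [ "ve-+" ];
+externalInterface = bridge;
+enableIPv6 = false;
+};
+};
+}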
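Review bot: The two routes that set `Destination = cfg.ips.t2dSubnets` hand a three-element list to a key that networkd treats as a single prefix; the NixOS systemd.network module most likely renders the list as repeated `Destination=` lines inside one [Route] section, where the last assignment wins, so only 172.83.159.53/32 would actually get a route — worth checking the generated .network unit on the host. Emitting one route per subnet, as below, avoids the ambiguity. Separately, `cfg.ips.doofStatic4` is read at two places here but is only defined in prophecy/doof.nix, so this module fails to evaluate unless that file is imported too; and `vacu.network.ips` typed as `attrsOf anything` checks nothing, while `lib.types.attrsOf (lib.types.either lib.types.str (lib.types.listOf lib.types.str))` would cover the two shapes the file actually stores.
```nix
routes = [
  (lan_route // {
    Source = cfg.ips.t2dLANStatic;
    Destination = "0.0.0.0/0";
  })
] ++ lib.concatMap (subnet: [
  (lan_route // { Source = "0.0.0.0/0"; Destination = subnet; })
  (lan_route // { Source = "${cfg.ips.doofStatic4}/32"; Destination = subnet; })
]) cfg.ips.t2dSubnets;
# … unchanged: dns, "10-containers" network, networking.nat …
```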

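--- a/prophecy/sops.nix
+++ b/prophecy/sops.nix
@@ -0,0 +1,19 @@
+{
+inputs,
+lib,
+config,
+...
+}:
+{
+imports = [ inputs.sops-nix.nixosModules.sops ];
+options.vacu.secretsFolder = lib.mkOption {
+type = lib.types.path;
+default = ../secrets;
+};
+config.sops = {
+defaultSopsFile = config.vacu.secretsFolder + "/prophecy/main.yaml";
+age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+};
+}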
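Review bot: `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` makes every secret's decryptability depend on that host key surviving reboots, and the flake entry for prophecy in this same commit also pulls in impermanence, so the key has to live on persisted storage (or be restored before sops-nix's activation step runs) — confirm that /etc/ssh is in the persisted set, since a fresh key generated after a wipe is not among the recipients of secrets/prophecy/main.yaml and the wireguard key would then fail to decrypt at boot. The `vacu.secretsFolder` option also lacks a `description`; add `description = "Directory holding the sops-encrypted secret files; this host reads <secretsFolder>/prophecy/main.yaml.";`.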

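--- a/secrets/prophecy/main.yaml
+++ b/secrets/prophecy/main.yaml
@@ -0,0 +1,115 @@
+wireguardKey: ENC[AES256_GCM,data:7QSnetieVgG5oAmr7XICZxO2R5hDs4TDXDFh2Ntihurwoap91KVtGYOn5vI=,iv:Jt7P7sNrjjkv5im4JDDxaj8btLAnzCdoHOFJQpr/KTI=,tag:FTmXKSVkWftM/XWeUFvJxw==,type:str]
+sops:
+age:
+- recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTnNyQlJWalRZUndqWWVL
+ajV6THNndTlkODVOQXdMNGhySHBOUmZLakNNCks1d1pXaFE2S1Z4UlhUN2U1a2NC
+MjNUZjVRU0FIcStzS012S0UwU09EdUUKLS0tIHh4Y2MyTHpNQ3VuSk0wS1hOV3Av
+T0RsanNRU0NGZGpmejZkYVYrYUEzY2cKGx4V+4C+wBmLSvYxvq19Dgh5h6aVOYHn
+jrSDaK4MUfT3lREb2IbiELIm8/G50nFAEmuiLt31WwA/03kiujAJVg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSFdndXBjYWxSUnJFbGdk
+TEpGSzluZnMxR3MrckxUVUllSUw2M3pQN1QwCk9kRWk4N2R4NWdvS2tZbkJwRTdp
+RFdtVVREYU0rZ1Y4YVFqcnhsZnJjVUUKLS0tIGpDZkUrU2FUa04zT00vSkFTV1F6
+akxxeXpRbHNGY1MwanNiSi9pRHVjQ1UKQDnGpvedudfN/XUfrCEQfauPwEoHRNnB
+yVrAFd2c2LdPxUO6EChTawm0FuS/MewxNXYuFrpVYIbdtjFw1YSfUg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrd211UmxPQUFDMDVqaTky
+RTFCNWpVZ1dlbnVSSXorT2tpb1poTjBDUlVJCkM0bnZ3NUFsc0g5OWYxaWRJQU84
+U0Q2dHoyUnRQZUQxN2VQSTZEL1lpVnMKLS0tIHd3U2RmU0M2R1V6cExOcGZza09X
+WHJ2U3hoUmJjQ1dCaEJQQ2o0WkNRS0UKepPU1A2YsPCc/dbH8ebkRXWx4fQDwXSF
+PJ//bpFMjP0vWPWg7wiIktLEJuItrbPlUiPKji4h+OrJBnF0WJw/MA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUTdaL2s1dUJpQXAyYUs3
+bndaNG5zK1FMRVJURFozNURlaDhEMElVSW5NCjE0Q3BTeDhQZk5iR3R0WUppWjVv
+Q3dRS3AwL2RJWUtoSDdXQU1DR0VnNVkKLS0tIFEvb0gxN0FoUG5hajlSTXpySk5U
+Nk5TbkdqNTYvRG9EdmdLUjZBNnlJVEkK779Kc0vUCXQoVVjEqo+qdh0wei11+rMD
+4sivsMBNMLp6mxRCYv7QdOI8y9P9cVKgFNoQ+x/RBuKMRenA3jYG+A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1vla9w33lsp03s46p9p6gc2mvr844vthdqhc2hzau2ph6h60gmyqqh9sf57
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4ZzRZQVAyaGRpMnk4cWVU
+N0dzajVLNy9LVlF5MHdMeGlEYVE0YmgwWkI0CnhSVzRDQzRUa09KNzVnUFlJdXBp
+SVI0ZFVxSTUxVTlPZTJCVGd6VDhSZkUKLS0tIHA1V2NtZjRCaHR3ZFlsemxadnpq
+RUI4cXJwTEdPeTluc2ZxTzV6czBndmMK911SZgZn+VIZVnH1fwGK1CFr7WhM/MXm
+b98zbNtKmxr2BuP047djZFdrWljCm7ks4WdNFTOK+WdmhxvDvjwU4w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1jy8mxcndkw6zd6q99tjgz3gsynn78x2lwtrff85u6ud9g9y9z5mspvhufl
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjBpNUxSWFRQTXBiL055
+UldVYkZlZmdLOERTbGpRZkNSZ0ErK1ROa0ZzClJBTmFobjd2WldSdGNuSkM3NmF6
+Y1JnTTI0MEk3dEg5SnE5MHMwTTJtSUkKLS0tIGxOcCszdHptK1p4L2p5Z01TLzBR
+WDd6N2g5enNZcXdDTWFsYzhqeWY2OWcKWyNSq/6OgQYSxrkeaVrQ0Yu2SXcjUT2A
+hgMTg0gwiXBZNqZ7h4+KzGtDpvwdragAsCUsa3Jxuq7hmnoS8ZBOWQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVFVMQjZuVzNoVC9IMTVN
+bGgyY21CT2c5VUUvaHVDV2JNT0RPb1d2TFI4Ckl5WHplczVRcjZZS2lPVGJIWTFn
+L214bTlESnpqalNZV3ZZRE5NSmQrU2cKLS0tICtSVTFFejljWUMyMjVrK1lvV0Vl
+aHdmSjlIdzhVeUdlRjFTQ21veFN5WmMKQ/FcJ/MEZtX31h2U/t5Xd6dNKoJ9aIMf
+1fJPF/Z3yDo+P7QpKkkkpQAVbPZITcMPDZq0FrjRjpgkBWyA5TWKWw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1hmfhmr9jv8ll33az4w2zrdu5zl2p5dx7kx97lhvc9xn68rr9049qx0hvfe
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtajlGb01xclZNcytoV3BM
+NGVYUk9TOGhiY2RwR2krQjI0SjlhMDVKOFdrCmtxNWx3MEVTa3pHWW5IS0lZNG5C
+N2xaWTFXdEY0U2JsY3p6MS8rRE1Wd0kKLS0tIGpCUjRIdFBrdzA4TWw4REVTV2x5
+TUtLbDk0TEZOTTNTMWd1Vjh4a1RhQ2cKGf2//pAFtMWoGvv4HujL+uRmLYNasWQN
+LbvNaCZY5/FupDAuS8VDRUX84OriZ8iJb0hH1aThOJ4n86t3HkAw7Q==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1nemhad8mc2vl3mfvzs3gax7p3u28ltmzx3mu8wx9mcu2700qjyksr8dq0g
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZ2c0VTg3YkcwZFg4cG9N
+QUNKWW13b0xDZDBpbis2ckM0YmI3bk9OVnk0CkpRazZvUHJFZUVwaXV0elZxbVVZ
+V0VXTWg5U2tqUEt2RVBjZEI2ZXFZazgKLS0tIENXNUlwTmNCL2k4OCtBQXlSTWtp
+a0ZCTTA5NFBmUTFObG1NdlExYi83MFUKO8UUPKeFwkcqhMnT6GHKQ4m9C9KUnc4b
+jsDJtBzLZK5TRigUaxYSTGNV7tA5HwmsqHUgaHIw4peli1olijRSPA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodUZ0R2grYUdTYjRsK3VW
+c3hISHhtekdhWmR0dzBNWFhKUm5sd081WVZnCnZaU2RZTzQ2RHVNNjZmZG1hYW9D
+Sld0cDJDbHk1OW9HRUJSY1RFVHlURXMKLS0tIDA0UXo2a3Vsa1oxOE9QNkZobHFE
+cEt5WVN4cmNOblNYSWl4RG5kNVpWU0kKUfSTJKdrHaOFbOU08NT6+yIFYNawCAR9
+QYeH1hxXC6fwNsAnnaaSYnXG8/CIRG6N3IAqIX9P32dM+YQBPFguvA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VUl2UnlmS3RUemdMYkN1
+OUpUVmFObVkzMVRKWEZ2NVpQeUdwR1dDeGxzCklDYXIvNFc4d09aazJlaEM5MDJD
+OWZnSUN6cVZmdEw2Zm9wQjZsRHFLZDgKLS0tIERBdDBSK1RBNUFPSzVtS05sVk1Y
+Q3M2c3duZGhhMHpkN0hkb3VWRC9aMVEKRRos0MJWyal1fNDKKFtylNXdPAqQ9Efy
+WdQEvKwjrFX4kDjLkxc6ILXSzGNwAl6Fl8qNvYX3bXWrJtbWcVvZog==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1aj3fwaeaem7aph9f3m6tfg4dsfs3n4hdfjvgel90n8alymcn0ypsj7x9ad
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WDBzZXpTN25TUHZQSStp
+QWg5SFNMWml4aWVRS1c2dHBHcnRWK2R2SkMwCnoySjhrV1NRcmFSVHJZTTA1YmFK
+RjNYNkRsTjd4ZjByc1owWGFibGNzd1UKLS0tIDlMNm9hdURYU2lLNjQydmdkUHgx
+TnVCSTBGazlMQy9vYURIQVZrendaR3MKqJk5CF3YbOMY09CEuXVxJqsrkb6A/PLn
+lIWLggJpKmuqOpob8YHC9uuftW1siymHOYOzVjOIsup0uK+M3tzkcQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-05-11T08:20:24Z"
+mac: ENC[AES256_GCM,data:O6toC5E/c3bwqC2GogMsGgS8u4DV0sr1d7Kt5JNP8cDd5mqWicgSvtzmDWb6nfs8rtWiV9rzyQaITXto3pGSSm0fPbutfwd1/zv4HVm9V8tkd90P1lal2SEmJxwmXsewMoSmnM+Dttyp8iQrhxS/Vgtl4U5gjahjNqQuMvMqOEY=,iv:aPBrbrhmU6qVgjsRXvZ7hmFb05UAxeRDkXUsPe85ryU=,tag:ulAf/h7sdPJmNGhhN6sY8A==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2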