
Author SHA1 Message Date
Shelvacu
135354ea65 wip 2024-09-18 11:17:59 -07:00
5 changed files with 177 additions and 1 deletions


@@ -34,6 +34,21 @@ creation_rules:
- *j
- *k
- *liam
- path_regex: ^secrets/triple-dezert/
key_groups:
- age:
- *a
- *b
- *c
- *d
- *e
- *f
- *g
- *h
- *i
- *j
- *k
- *trip
- path_regex: ^tests/test_secrets/
key_groups:
- age:
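Review bot: The new `^secrets/triple-dezert/` rule lets every shared anchor from `*a` through `*k` decrypt this host's secrets in addition to `*trip`, so twelve keys can recover the WireGuard private key added in the same commit. What those anchors stand for is not visible here; if any of them is another machine's key rather than an operator key, a compromise of that machine exposes triple-dezert's secrets too. I would trim the list to the keys that need to edit this host's secrets and add a comment above the rule such as `# a-k: operator keys; trip: triple-dezert host key`, adjusted to what the anchors really are. Removing a recipient later does not revoke access to ciphertext already in history, so the secret itself would have to be rotated.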


@@ -118,7 +118,7 @@
modules = [ ./triple-dezert ];
specialArgs = {
inputs = defaultInputs // {
inherit (inputs) most-winningest;
inherit (inputs) most-winningest sops;
};
};
};
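Review bot: The input inherited here is named `sops`, while the new triple-dezert/sops.nix imports `inputs.sops-nix.nixosModules.sops`; unless `defaultInputs` already carries an attribute called `sops-nix`, one of the two names will fail to evaluate. The flake's inputs block is outside this hunk, so which name is right cannot be confirmed from here. Pick the name the flake declares and use it in both places, e.g. `inherit (inputs) most-winningest sops-nix;` if the input is `sops-nix`.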


@@ -0,0 +1,120 @@
wireguard_key: ENC[AES256_GCM,data:Ioqe0/obRUgMNJsM/R92HB+OMsyRbQxvzjI7we6X4gOw7B+QlsP3ofAd4HI=,iv:tcw8FSYKh3yIKDivM7TRD832KiFFbr2NA9UrUjo74D4=,tag:st6P6iYXxg4aPO7a2g9gIQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y4zp4ddq6xyffd8fgmn2jkl78qfh4m94gcls2cu6vvjnwwznx5uqywjekm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZGlscG0ySERXNU44cWFu
a2NYL1NGMjlNeUVpbTZkWWVFRk5aMUVGTGxVCm50ditHM3JHUnBzTWxvVnRvblhq
YjhQQWZOeXIwUUxEeVlhVlJyM1I3c0UKLS0tIEVHcDFTa0c0YUd2OEcxSG5Pd3V3
Sm45MXdxbDlnME00OU14NWROQkIzbkUKa047XyOqiwi/x8pf2zOk1j3jBCxGdU2e
vL1csTIcipPN1RVdoauCzQd5KPTsRXUarD44eHVIz1VS8WZZuXoOfw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1g9sh8u6s344569d3cg8h30g9h7thld5pexcwzc4549jc84jvceqqjt9cfh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReXh1SW1SUVJBaGowTjhp
NnE1NHZzeE1KUGFJSWs5a085NW9MT0JZYUVBCktxMWlHeEN1SDJISEFqM1prSEdY
cTFSMFVVNDRQMGd2TkhMcWoySDJ6OWsKLS0tIGl4eXdFR1dBVWMyeWVsVHlaWlZU
OG95ZUV0M0g2YlBpY2pnT3FRczhtUFEKaOMBpksiSZx4QD8WbwuHEvPV4QkOKriG
MIMxbs6C5aAmvS9PwbBwpYCntI+tnuZyvKU+rFzxs4yQO8Al+hf/XA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5s3txyj403rfecdhq5q2z3cnavy6m543gzyhkl2nu5t8fz0zctqtvm2tj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UkFQSXROaGpONGNYbCtD
NzBVcjY0SHVQS0FUaWFZYUFSR1luRWpaY3gwCmI0N3FpbGNReGRQTVMzMmtOTGdS
MFFLbnhwWUdueHFUUVBDbVREL3JYZ0UKLS0tIG4zK3dHejBWeDljckp6ZlVVeXpp
TjZIZTllaEJDQ3hGcTFoMm1LYzh1bG8KLs2VVtIaM6iLON8HYpR+YUKFZe2MKYZH
z4pIVN1LGu5pQ3woN341FD7U4ewhMFkDy/LveQ6Q99VjnyTmeHEhlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1dzdf4rgep3ctk3dnrmrqtdgrchaa8nszfc4dp29gqwsst3z6jyrq57vfsj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUXVZQjdEZWxzemdmTTVF
cVhvYzJFbWkvdERLdjJBblpWUHJXdmpzS1RzCkdlNXpxYm1DWTUxZVVHcmtmT2Zx
cUZlSXoyOWMzSnhzOStmbHA4YlJBcGMKLS0tIDhqSG0rUWRKMzJISjlWSzRoVDQ3
NjJwbUlaK0JoMi9kU0FyM3NGUEVzazQKXzxR+hFpk8zQD7OMvf6ub7OG4BXsLRXJ
aHXwbu0DcEvBm66CDDkmvAJVrZ+dntyWt9CRD7WRgJ1C36qq8l2eMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age197a33mlf5294amjx59hycctu6wm4l3cu3w7n9rv3fs9340ql64rqjzpr7s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyaDdBZytQc1ZHU2drVmdQ
c25kbmhEajlQOVB0dEZHK3FFV2lIL1E4R0VvCjdoK2NaNlE4aVZPOFNQbWxxNjBv
b3diWFJ3c0g0cnN0aWFPODlHVExiejgKLS0tIEwvMlR0aG94QWRsazEwTm9xdFM2
ZDExY3UwRzcrNCtybFJUbW5Ga3JkcmMK2U2GtnIfUHTpqW2nikOVqCMjynLiRyv+
qFu5i7gpf/O5pzEOoTOO6ezFwY4WbnUJydbjAEFQ8Zymr1cWaR5g5Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sqj8z3feqm2dk3gj8mxpfn5dpqnsmus862e8ayd0d4cdresqffdswcf9ru
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUE8yRzNCbnhGQ2FXTWJS
M2M0cDl5R2NxT1ZKNXMwaHlDdUorbmRtWGdzCmdocnh2a29LczZ5czhUTHJpYlVE
NkFOUE50SGZMZXFjRXZueEk3bnpzNXcKLS0tIDBvZkNyWHdMNzVkbzZRK212VW1M
WkFXaGZEOGdsbjN4UnNUYVZ0MTdNN0EKPMY1BU1RpECDLvGY0TJKtTdXuRX8HTtW
i+VTbWFsw92itL5Sjy3dAYBECpopQWQRNFz9WYH8LpfUOO9jhAGNyQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rz75dqzfd6gulwh270ukmt5amcau6j8dpxgzx8fm6u8sjkyx9usq69y4s2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArd1hwM2FQUUZkMDZIcS9G
UGVESCs5UzhYaTFXMkxaWTdYdGFEMnZVZFNzCm1ubXF2Ulpkek0zVytkRU9KOGZF
Qzc1M0lpN0ZyVE5tZWZHOTRhYk8yZjAKLS0tIFFMMWU0MzFSNVBxbS9JL2RlS0xm
Y01DWlBqVW9UbGI0bnR3Z0dnOHpDM28KzmIZ130SqrzrDHt/T7EuRcrhDudxkaWg
uOquZK6CmGhI0ZvLWwpCvANj6drTL7c+aVcATxOsrOp1FNi4c5jzoA==
-----END AGE ENCRYPTED FILE-----
- recipient: age148huz6rc3q9xx5t873ncx75sja2sazlescwspxl7lsmxsqkz0apsy8cldp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncjBwUUl6blJTTXBNRHpo
U1VKYlV5OS9SWkN2UlpQUGdFZWU5OG5KT1ZrCnpkeXA2WnlrSm0zQUJJVFRuNXY5
SFFiMnp3alJxOCtRQTdpM0JGb0s2cGsKLS0tIDFHVFhXb211ZXVHNUgrYkJQTTdY
elZzWGVLamN5dVVBQmhURGdVdWhxQ2MKbeFLihAg/OfeAiEgtCL+FBBGrzwNIijS
oNAjQiMN+g2+5P1Z6J9KN+zU3tVPeHk2vSTceZQA2kbRdOOZUYsunA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ck6lhd8thjcrdcnkn2epc8npztg0sfswahunjkwcf57rr0xaevys8fh0x6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQk8xVnVxaVNPTXdWOGl4
N2hLdFpNMDlPQUF1bXU0eXFBRDFKVEZ3bERRCkNWektSK3kzOGdIQjF3K0xUc08x
MHRkUUx1U0hBUmhoSUprUWNsd3BNUHMKLS0tIE9scFhHcWtNM0I1M05jVEh4OE92
R1BYdGRqemNLRHhsK1NtM3JIempuUzQKWwGrRKR3rtynmqqYgvQiyg3YZhpppfmS
7e5YYCGTcrKgexXF1NYpsHqx3Fu4g1l2a1axmBKEmSkadxh/q+yeiQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age13j6l33g0ghk4vezn0qwfal2qmcgqwkv89ejwezpe3n47mw8yxyuslj6y7d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUEpaUnloOHEwaXoxMGpy
Z0s2YUlRQUMrQ0FYREFzL2hqbWZiSFpPMUFFCk1pT2ZKczNCRjRnelpFKy9GTGgv
MFZIdTFtbjVQdEc2QnRKZkhWMmI4TDgKLS0tIGlTWU9CM1E2aXoxOUFDSWtmQTF0
RTFQZ3VWejFKcFZwcHo2NDh0Zlh6NTgKCVV5rjpJYzO/l3Ys0N765CIUaUMwqlv2
7DGu9Wrn+Hlgeu3hxggau1tOBBYWIMywjn/aEM/dK6mrZGgkiddoOg==
-----END AGE ENCRYPTED FILE-----
- recipient: age13x0f3glnz4jvqty2v92cxrrnjcna6ed4qegrhulw9jjy08zuy3aqzvrfc6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBya1c5ay80d1ZhRVZHc0Mw
K25oWjFrNGVhSFFKdEJ0VW8vaEEvUG1rbW00CmUrL1FsYUdBa2lEd2liakREaE1X
YkcrNC9OdkJEM2VLU3ZNNmdkQmlsYkEKLS0tIDNlbXJsNnhEZEw4bWticE1JTlZO
MEhjMTRyN1BnODN2UGNnN3lhdzROSFUK7XPx0X7GDM5IHFjQ0L8gxKBRoSouwPND
rgrz/a3Wm0dJhZ/dmGVM0SK0E2etAif/odNZdzydQphU9jfOd8DQ2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age10lv32k2guszr5y69sez3z5xj92wzmdxvfejd6hm8xr0pmclw2cvq0hk6pe
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UHpKN2dMTUNBL3BVZlRC
cUM2ZkMzK1drbTdZbUJwN3I3Vk5CdGxUQ2pJCkVCZ2hqLzN0OFBGSWIzcXMwbGdW
OVRibnpiSkFWcWtyNlBGSnYrOW90Nk0KLS0tIDFObnRuV1NwYWVTL2xqakVISExW
M3poNGc3TU1lQVBkWXVkUXpWMnpCZ2cKdtJQTIXfjb7KS4Twsv3+ecZdMl0uw8Bo
IlzM681gtSJzv9ONW5dyjUb/MxqhOkaMTnh7fV0bnCOo9Q7YBNg6Gw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-12T00:54:14Z"
mac: ENC[AES256_GCM,data:oUKTbXa8vaQKWiySoNNRp5wbSJXRYXzrwoWSc8u9Hg8fmala6YIYj1+rb/YkS+DFzsT8/C6XqD1XYMpFgiJJLtZ4aa3LbuHqKw/pESqgKhsssT/wvnV7svgmlUXJhTtKY1wWcF5nE++nOLDMmyaIzfCkBPnX1OmbSZiveEDBDgI=,iv:S6UAXB0bNEcZv1Sb76oWQCcRMnDt5MRsFFG9/zZWf7g=,tag:2tdlnyF1SsPyQAcuD9McEg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@@ -3,6 +3,7 @@
let
bridge = config.vacu.network.lan_bridge;
lan_port = "eno1";
doof-wg = config.vacu.network.doof-wg;
in
{
options = {
@@ -11,6 +12,10 @@ in
default = "br-main";
readOnly = true;
};
vacu.network.doof-wg = lib.mkOption {
default = "doof-wg";
readOnly = true;
};
};
config = {
networking.useNetworkd = true;
@@ -30,6 +35,22 @@ in
};
};
systemd.network.netdevs.${doof-wg} = {
netdevConfig = {
Name = doof-wg;
Kind = "wireguard";
};
extraConfig = ''
[WireGuard]
PrivateKeyFile = ${config.sops.secrets.wireguard_key.path}
[WireGuardPeer]
PublicKey = shel/wMBU/Ut2rhAZymW/AYG3ycGfaEN6R2LsEpkqDU=
AllowedIPs = 0.0.0.0/0
Endpoint = tun-sea.doof.net:53263
'';
};
systemd.network.networks."01-lan-bridge".extraConfig = ''
DHCP = no
Address = 172.83.159.53/32
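Review bot: The WireGuard section in the third hunk is written as raw `extraConfig` text, which the NixOS networkd module appends without checking key names; the structured `wireguardConfig` and `wireguardPeers` options of `systemd.network.netdevs.<name>` cover the same settings and are validated at evaluation time, e.g. `wireguardConfig.PrivateKeyFile = config.sops.secrets.wireguard_key.path;`. `AllowedIPs = 0.0.0.0/0` also means the peer may send packets with any IPv4 source address into this host, so filtering on the `doof-wg` interface has to come from the firewall; a short comment next to it saying this is intended would help. No `.network` unit for `doof-wg` appears in the visible hunks, and the `01-lan-bridge` block continues past the end of the hunk.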

20
triple-dezert/sops.nix Normal file

@@ -0,0 +1,20 @@
{
inputs,
lib,
config,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
options.vacu.secretsFolder = lib.mkOption {
type = lib.types.path;
default = ../secrets;
};
config = {
sops.defaultSopsFile = config.vacu.secretsFolder + "/${config.vacu.hostName}/main.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.wireguard_key = {};
};
}
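Review bot: `sops.secrets.wireguard_key = {};` leaves the decrypted file with sops-nix's default ownership (root, mode 0400), but the netdev added in this commit hands its path to systemd-networkd as `PrivateKeyFile`, and networkd normally runs as the `systemd-network` user, so it will probably be unable to read the key. Setting `sops.secrets.wireguard_key.owner = "systemd-network";` keeps the file unreadable to everyone else while letting networkd load it. The `vacu.secretsFolder` option would also benefit from a `description`, and `sops.age.sshKeyPaths` from a comment noting that the host SSH key is the decryption key for these secrets, so regenerating it means re-encrypting them.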