asmir/nixos_flake_config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: asmir:d7096e405185d72ad6e25b9c0a713a9059367cb8
Branches Tags
asmir:master
asmir:gitea_typst
asmir:magento2
...
compare: asmir:871df5a5144faf8c964ee3921bfd8d6b2d954a68
Branches Tags
asmir:master
asmir:gitea_typst
asmir:magento2

4 Commits
d7096e4051 ... 871df5a514

Author SHA1 Message Date
Asmir A
871df5a514
all: wireguard add preshared keys and update hierarchy 2024-04-20 20:44:36 +02:00
Asmir A
dab24f0302
sops/wireguard: update key hierarchy 2024-04-20 20:40:32 +02:00
Asmir A
370d0089a2
all/sops/wireguard: add common preshared key file 2024-04-20 20:36:36 +02:00
Asmir A
b578f250e1
sops: add common file 2024-04-20 20:36:03 +02:00
5 changed files with 65 additions and 6 deletions
Show Stats Expand all files Collapse all files

12
.sops.yaml Normal file
View File

@ -0,0 +1,12 @@
keys:
- &magpie age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
- &mediabox age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
- &nixy age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
creation_rules:
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *magpie
- *mediabox
- *nixy

41
common/secrets/wg_preshared.yaml Normal file
View File

@ -0,0 +1,41 @@
wg_preshared:
nixy: ENC[AES256_GCM,data:kP+Vt48NMpdBSGjpWzzxt+nqxPNXrofV4kLwgU4o62riB9rxU1CZ4Ddr17k=,iv:xCqR/rbGrJYBkxOpsAg1qxxEGXRD+577JGTNDqshcOQ=,tag:9rAdg6Zw6kVzLxwF1U+pNg==,type:str]
mediabox: ENC[AES256_GCM,data:BL9vCUE6wWtmTNPMCvJNZjiAMUWRmLLHOk73v1Z8EOJWcsZ5G3U+08TxBBg=,iv:XTZnF2kMVurTD+TPL0T7uDDu1gGjOdO7AWHXsZS5yO8=,tag:6RIAsbe0Ue4MX28VxzbPCg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQ3JGNWRMeGhwM1dIOU5T
ZEt4WVhFa2lSaklpM3hmR04wY213TGd6K1FvCnltWFpqNHdrQ2V1V2ZDdTVOYlhP
M0x2TVRJbUtZK2xaOGE5Ri93YmV6R1UKLS0tIDQ3VkNrYjFNTjNrRTNFRmhYaENt
ZkRpMnZ3ZldOdWJ3VGw1T1RnRG15WDQKeZ9VBkcu2j83Hjofy1AAtBBqM9Tk3uFi
F/wgzV7mBXiBB/4w17iJsU5mB6s/JXXnGq11pu9QXC5tu072huCNYQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age19yrl6pr73cv067ksfz0txp3zm2au25jfyjeerw23ml55ps5cyyfqtm3kmt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBheWtsbnArT3BwSVJ4QTJB
ZENTK2ZpS0lLUmJ1d1VaUVVGNnNXMEZ4RFJvCmFueFNiQjk5MkdnTVkvVVk1TkVV
M2Izamo0M1lGaVRPaGFOQUhkNGpmSmsKLS0tIGxtSXVackdsTTN1cTIvSEo4bGg3
a0dVL2FmL05TRllrZjBuOStPNTBHcU0KOaJFNhr0emSiAJFOFsaJ4sdUwjzg5TOW
Mh3JvRJINefiBUsFnFx8d3gn0+jHn+kXw22WMGRcbGgZTxJbFylmeA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5UVJiMENSeFdGWHRVVkt0
UEI4ek9jRFdYYkN5Nlc5Qi85MDhPRTA2bGt3CnZJcThNU1huczJGaEF6WWpzcHdV
dWhIczMzWSt0ZEVXeXdVQlBOZTZsN3cKLS0tIHRBQlhPT1FDcEZWU3JyNEZ0UWxC
eDhXVWo2UHVCaFUrak9aVEU5N0FxRVEKDKBpbHWwTkW3BFAXQ213/glZyTz88OjZ
JHh0phDzFZG0+nzBz3TAi0ZyYnlbOYAuEvQh1uUg9MI1XUCr8GC9Qw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-20T18:39:51Z"
mac: ENC[AES256_GCM,data:VyhkViFZAHM22OxlqzFPRvgJvK/54GhcVS9U3B8HYrZnShxLO5VC2HOVDIvheDflewOv8Wt5wA+kloDv9y/L45Wa/lUPvOser0ruvEYcJBmNiPpxKNoR+/MOIHeUuSMpzBoiCob1LY4qkM8nU4xDU6N1GkPGxbg67UkHcpAfV/U=,iv:P2Xup7rQZibEaGGLpaVsyRPTp4WiJxwO6SuJ7H7eaTc=,tag:y1iTx4PMuTAVvZU72RipIg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

7
magpie/configuration.nix
View File

@ -300,8 +300,8 @@
sopsFile = ./secrets/wg_privkey.yaml; sopsFile = ./secrets/wg_privkey.yaml;
}; };
sops.secrets."wg_preshared" = { sops.secrets."wg_preshared/nixy" = {
sopsFile = ./secrets/wg_preshared.yaml; sopsFile = ../common/secrets/wg_preshared.yaml;
}; };
sops.secrets."borgbase_enc_key" = { sops.secrets."borgbase_enc_key" = {
@ -346,11 +346,12 @@
peers = [ peers = [
{ {
publicKey = builtins.readFile ../nixy/wg_pubkey; publicKey = builtins.readFile ../nixy/wg_pubkey;
presharedKeyFile = config.sops.secrets."wg_preshared".path; presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
allowedIPs = ["10.100.0.6/32"]; allowedIPs = ["10.100.0.6/32"];
} }
{ {
publicKey = builtins.readFile ../mediabox/wg_pubkey; publicKey = builtins.readFile ../mediabox/wg_pubkey;
presharedKeyFile = config.sops.secrets."wg_preshared/mediabox".path;
allowedIPs = ["10.100.0.5/32"]; allowedIPs = ["10.100.0.5/32"];
} }
]; ];

5
mediabox/configuration.nix
View File

@ -26,6 +26,10 @@
sopsFile = ./secrets/wg_privkey.yaml; sopsFile = ./secrets/wg_privkey.yaml;
}; };
sops.secrets."wg_preshared/mediabox" = {
sopsFile = ../common/secrets/wg_privkey.yaml;
};
nix = { nix = {
optimise.automatic = true; optimise.automatic = true;
gc.automatic = true; gc.automatic = true;
@ -101,6 +105,7 @@
peers = [ peers = [
{ {
publicKey = builtins.readFile ../magpie/wg_pubkey; publicKey = builtins.readFile ../magpie/wg_pubkey;
presharedKeyFile = config.sops.secrets."wg_preshared/mediabox".path;
allowedIPs = ["10.100.0.0/24"]; allowedIPs = ["10.100.0.0/24"];
endpoint = "5.75.229.224:51820"; endpoint = "5.75.229.224:51820";
persistentKeepalive = 25; persistentKeepalive = 25;

6
nixy/configuration.nix
View File

@ -24,8 +24,8 @@
sopsFile = ./secrets/wg_privkey.yaml; sopsFile = ./secrets/wg_privkey.yaml;
}; };
sops.secrets."wg_preshared" = { sops.secrets."wg_preshared/nixy" = {
sopsFile = ./secrets/wg_preshared.yaml; sopsFile = ../common/secrets/wg_preshared.yaml;
}; };
sops.secrets."borgbase_enc_key" = { sops.secrets."borgbase_enc_key" = {
@ -133,7 +133,7 @@
peers = [ peers = [
{ {
publicKey = builtins.readFile ../magpie/wg_pubkey; publicKey = builtins.readFile ../magpie/wg_pubkey;
presharedKeyFile = config.sops.secrets."wg_preshared".path; presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
allowedIPs = ["10.100.0.0/24"]; allowedIPs = ["10.100.0.0/24"];
endpoint = "5.75.229.224:51820"; endpoint = "5.75.229.224:51820";
persistentKeepalive = 25; persistentKeepalive = 25;