add more things under the purview of agenix

2024-12-27 00:47:55 -06:00 · 2024-12-27 00:47:55 -06:00 · 5d028f5659
commit 5d028f5659
parent 7212b80c3d bcda626017
10 changed files with 68 additions and 14 deletions
--- a/boxes/copernicus/services/wireguard.nix
+++ b/boxes/copernicus/services/wireguard.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ machines, ... }:

 {
  networking = {
@ -12,7 +12,7 @@
        privateKeyFile = "/home/usr/wg-keys/private";
        peers = [
          { # netbox
-            publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
+            publicKey = machines.wg-pubkey;
            allowedIPs = [ "10.100.0.0/24" ]; # only stuff in the wg-subnet (10.100.0.*)
            endpoint = "149.28.63.115:50000";
            persistentKeepalive = 25;
--- a/boxes/netbox/agenix.nix
+++ b/boxes/netbox/agenix.nix
@ -1,3 +1,24 @@
 {
-  age.secrets.gitea-postgres-password.file = ../../secrets/gitea-postgres-password.age;
+  age.secrets = {
+    gitea-postgres-password = {
+      file = ../../secrets/gitea-postgres-password.age;
+      mode = "0700";
+      owner = "gitea";
+      group = "gitea";
+    };
+
+    mailaccount = {
+      file = ../../secrets/mailaccount.age;
+    };
+
+    netbox-wg-priv = {
+      file = ../../secrets/netbox-wg-priv.age;
+    };
+
+    radicale-passwd = {
+      file = ../../secrets/radicale-passwd.age;
+      owner = "radicale";
+      group = "radicale";
+    };
+  };
 }
--- a/boxes/netbox/mail.nix
+++ b/boxes/netbox/mail.nix
@ -1,4 +1,4 @@
-{ inputs, ...}:
+{ config, inputs, ... }:
 {
  imports = [
    inputs.simple-nixos-mailserver.nixosModule
@ -11,16 +11,13 @@
    loginAccounts = {
      "ryan@beepboop.systems" = {
        # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /hashed/password/file/location
-        hashedPasswordFile = "/etc/ryan-beepboop-systemsuser-pass";
-  
+        hashedPasswordFile = config.age.secrets.mailaccount.path;
+
        aliases = [
            "info@beepboop.systems"
            "postmaster@beepboop.systems"
        ];
      };
-      "machines@beepboop.systems" = {
-        hashedPasswordFile = "/etc/ryan-beepboop-systemsuser-pass";
-      };
    };
    certificateScheme = "acme-nginx";
  };
--- a/boxes/netbox/radicale.nix
+++ b/boxes/netbox/radicale.nix
@ -5,7 +5,7 @@
    settings = {
      auth = {
        type = "htpasswd";
-        htpasswd_filename = "radicale-passwd";
+        htpasswd_filename = config.age.secrets.radicale-passwd.path;
        htpasswd_encryption = "plain";
      };
    };
--- a/boxes/netbox/wireguard.nix
+++ b/boxes/netbox/wireguard.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ config, machines, pkgs, ... }:

 {
  networking = {
@ -22,15 +22,15 @@
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
        '';

-        privateKeyFile = "/home/ryan/wg-keys/private";
+        privateKeyFile = config.age.secrets.netbox-wg-priv.path;

        peers = [
          { # copernicus
-            publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
+            publicKey = machines.copernicus.wg-pubkey;
            allowedIPs = [ "10.100.0.2/32" ];
          }
          { # aristotle
-            publicKey = "Sw2yyMhyS8GOCWm1VuGn3Y7cfx606dXOGK5mux8ckQU=";
+            publicKey = machines.aristotle.wg-pubkey;
            allowedIPs = [ "10.100.0.3/32" ];
          }
        ];
--- a/lib/machines.nix
+++ b/lib/machines.nix
@ -1,11 +1,17 @@
 {
  copernicus = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBGh1FHPneg7PCDkhMs2BCJPTIRVJkRTKpOj1w02ydD usr";
+    wg-pubkey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
  };
  phone = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuVT5W3kzjzsuMIWk1oeGtL8jZGtAhRSx8dK8oBJQcG u0_a291";
  };
  aristotle = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTDyKneaM44I5to883ghEnnPonedCKDbCX+OnrQ9vO5 usr";
+    wg-pubkey = "Sw2yyMhyS8GOCWm1VuGn3Y7cfx606dXOGK5mux8ckQU=";
+  };
+  netbox = {
+    wg-privkey = ../secrets/netbox-wg-priv.age;
+    wg-pubkey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
  };
 }
--- a/secrets/mailaccount.age
+++ b/secrets/mailaccount.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 q1rODg N9raIGsxBIwKzWUGXNpJtxGt+khysyCP5SYf4dGOEFg
+6L4KT8jfwQABmOmUenMFdFI1ss2A9Jop4S5VwqndYK4
+-> ssh-ed25519 NIIFZw bGZd0al85zVh9nmJ/FYyi0Vow1NUcvPsn/KXxnmk6Hw
+fw4HsXms6qBCTRsr0qdx5prd7dotrZI7LMCYvk0y3YU
+-> ssh-ed25519 E0Y+lw PqH2afTaz/TgaeABRHUyaiknaspWKeISmAgpLxdzSFM
+mVN/f4ExuY/8ZgL96QF4IseEJFLx4t2uSvk7lDQ2y/k
+--- pxkjc19JOs7YD5Pu+jNcFiYCeYmLK1CaEx29968SWWU
+5\èäDÙ	ò¼þ¦€|,$ë\}†hô#ÕXmëuÌw=YäÁtÿÙC§¨\‰0`5!€údºl·¢‡ÍŽÄoCœÔÝÔL`z¡Î³¦ðb)»nƒSê9¸i×Ý6
--- a/secrets/netbox-wg-priv.age
+++ b/secrets/netbox-wg-priv.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 q1rODg ZkRkO4kd24pzgGtZW9srOrmIlaWPUA6WaOKW0K6vuRQ
+gQXG/RidDPTtneur2zUl7eKjHYZjovp0akKMJKMF2EY
+-> ssh-ed25519 NIIFZw 6cAsAQ3kCJakKzncxLUq0zhBIfXPtJob0wwcP4X9MWM
+j5JZwjI7Xy3uIuCOveGLTdipjTJHIujtUQXcWtmYMZ0
+-> ssh-ed25519 E0Y+lw 0fViUYxACmTM7RA7997CANGYluwE3kaaTcgDh3GC7go
+AHyUXoxakKxfLYSqVqfzKhmgyy/UpB4jeNSvpljwn+8
+--- 1H0rIdM75PzfEn+35D9z6WBUJ/idTgX+Ipu5IwrvHjQ
+ocŠƒ°Q{Šß$¹ g<C2A0>`T¦‰£LÛ
+)^…üyUîS<C3AE>Õñá7 ¡6GSBÄ€—ý¸·ècÓÇX<C387>Ób
Þu<C39E>´½0ðMçœø¬
--- a/secrets/radicale-passwd.age
+++ b/secrets/radicale-passwd.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,5 +4,16 @@ let

  all = [ server-netbox machines.copernicus.pubkey machines.aristotle.pubkey ];
 in {
+  # gitea
  "gitea-postgres-password.age".publicKeys = all;
+
+  # mailserver
+  "mailaccount.age".publicKeys = all;
+
+  # wireguard
+  "netbox-wg-priv.age".publicKeys = all;
+  "copernicus-wg-priv.age".publicKeys = all;
+
+  # radicale
+  "radicale-passwd.age".publicKeys = all;
 }