diff --git a/boxes/copernicus/services/wireguard.nix b/boxes/copernicus/services/wireguard.nix
index 6f4d745..2b16e55 100644
--- a/boxes/copernicus/services/wireguard.nix
+++ b/boxes/copernicus/services/wireguard.nix
@@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ machines, ... }:
 {
 networking = {
@@ -12,7 +12,7 @@
 privateKeyFile = "/home/usr/wg-keys/private";
 peers = [
 { # netbox
- publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
+ publicKey = machines.wg-pubkey;
 allowedIPs = [ "10.100.0.0/24" ]; # only stuff in the wg-subnet (10.100.0.*)
 endpoint = "149.28.63.115:50000";
 persistentKeepalive = 25;
diff --git a/boxes/netbox/agenix.nix b/boxes/netbox/agenix.nix
index a4d0215..73fbfce 100644
--- a/boxes/netbox/agenix.nix
+++ b/boxes/netbox/agenix.nix
@@ -1,3 +1,24 @@
 {
- age.secrets.gitea-postgres-password.file = ../../secrets/gitea-postgres-password.age;
+ age.secrets = {
+ gitea-postgres-password = {
+ file = ../../secrets/gitea-postgres-password.age;
+ mode = "0700";
+ owner = "gitea";
+ group = "gitea";
+ };
+
+ mailaccount = {
+ file = ../../secrets/mailaccount.age;
+ };
+
+ netbox-wg-priv = {
+ file = ../../secrets/netbox-wg-priv.age;
+ };
+
+ radicale-passwd = {
+ file = ../../secrets/radicale-passwd.age;
+ owner = "radicale";
+ group = "radicale";
+ };
+ };
 }
diff --git a/boxes/netbox/mail.nix b/boxes/netbox/mail.nix
index b781924..2413191 100644
--- a/boxes/netbox/mail.nix
+++ b/boxes/netbox/mail.nix
@@ -1,4 +1,4 @@
-{ inputs, ...}:
+{ config, inputs, ... }:
 {
 imports = [
 inputs.simple-nixos-mailserver.nixosModule
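Review bot: `publicKey = machines.wg-pubkey;` does not match the attribute set this commit adds to lib/machines.nix, where the netbox key is defined as `netbox.wg-pubkey` (the netbox side of the tunnel uses the `machines.copernicus.wg-pubkey` form), so evaluation would fail on a missing attribute; change it to `publicKey = machines.netbox.wg-pubkey;`. The module header now drops `lib`, `config` and `pkgs`; the rest of the file is outside the hunk, so confirm nothing below still references them. `privateKeyFile` on this box still reads `/home/usr/wg-keys/private` although secrets/secrets.nix registers a `copernicus-wg-priv.age`; moving it to an agenix-managed path as netbox does in this same commit would keep the two hosts consistent.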
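Review bot: `mode = "0700"` on gitea-postgres-password sets the execute bit on a file that only needs to be read; since the entry is already owned by `gitea`, `mode = "0400";` gives the same access with least privilege and matches what the other three entries get by default. The `mailaccount` and `netbox-wg-priv` entries keep the default root-owned, read-only mode; that suits the WireGuard key (the interface is configured as root), but whether the mailserver module reads `hashedPasswordFile` as root or as the dovecot user is not visible here, so confirm before relying on the default. A one-line comment per entry naming the consumer, e.g. `# read by dovecot via mailserver.loginAccounts`, would record that decision for the next reader.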
@@ -11,16 +11,13 @@
 loginAccounts = {
 "ryan@beepboop.systems" = {
 # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /hashed/password/file/location
- hashedPasswordFile = "/etc/ryan-beepboop-systemsuser-pass";
-
+ hashedPasswordFile = config.age.secrets.mailaccount.path;
+
 aliases = [ "info@beepboop.systems" "postmaster@beepboop.systems" ];
 };
- "machines@beepboop.systems" = {
- hashedPasswordFile = "/etc/ryan-beepboop-systemsuser-pass";
- };
 };
 certificateScheme = "acme-nginx";
 };
diff --git a/boxes/netbox/radicale.nix b/boxes/netbox/radicale.nix
index 25bb425..26e09ad 100644
--- a/boxes/netbox/radicale.nix
+++ b/boxes/netbox/radicale.nix
@@ -5,7 +5,7 @@
 settings = {
 auth = {
 type = "htpasswd";
- htpasswd_filename = "radicale-passwd";
+ htpasswd_filename = config.age.secrets.radicale-passwd.path;
 htpasswd_encryption = "plain";
 };
 };
diff --git a/boxes/netbox/wireguard.nix b/boxes/netbox/wireguard.nix
index 5835923..19df201 100644
--- a/boxes/netbox/wireguard.nix
+++ b/boxes/netbox/wireguard.nix
@@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ config, machines, pkgs, ... }:
 {
 networking = {
@@ -22,15 +22,15 @@
 ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
 '';
- privateKeyFile = "/home/ryan/wg-keys/private";
+ privateKeyFile = config.age.secrets.netbox-wg-priv.path;
 peers = [
 { # copernicus
- publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
+ publicKey = machines.copernicus.wg-pubkey;
 allowedIPs = [ "10.100.0.2/32" ];
 }
 { # aristotle
- publicKey = "Sw2yyMhyS8GOCWm1VuGn3Y7cfx606dXOGK5mux8ckQU=";
+ publicKey = machines.aristotle.wg-pubkey;
 allowedIPs = [ "10.100.0.3/32" ];
 }
 ];
diff --git a/lib/machines.nix b/lib/machines.nix
index 691e8ae..c9f8802 100644
--- a/lib/machines.nix
+++ b/lib/machines.nix
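Review bot: The comment `# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /hashed/password/file/location` is stale now that `hashedPasswordFile` points at an agenix secret: the hash is no longer written to a path on the host but encrypted into secrets/mailaccount.age. Rewrite it along the lines of `# hash with: nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'; store the hash in secrets/mailaccount.age (agenix -e)` so the next password rotation follows the new flow. It is also worth stating in the comment that the secret must contain only the bcrypt hash, since whether the module tolerates anything else in the file is not visible here. The enclosing mailserver attribute set begins above the hunk.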
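Review bot: With `htpasswd_encryption = "plain"` left as is, the htpasswd file that agenix decrypts to `config.age.secrets.radicale-passwd.path` holds the Radicale password in cleartext on the running host; agenix only protects it in the repository. Radicale 3 supports `htpasswd_encryption = "bcrypt"`, so hashing the entry inside the secret and switching that line closes the gap without changing the path handling this hunk introduces (check that the packaged Radicale carries the bcrypt dependency). The module's argument set is above the hunk; confirm it includes `config`, which this line now references. The agenix entry sets owner and group `radicale`, which should match the user the Radicale service runs as — verify against the NixOS module.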
@@ -1,11 +1,17 @@
 {
 copernicus = {
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBGh1FHPneg7PCDkhMs2BCJPTIRVJkRTKpOj1w02ydD usr";
+ wg-pubkey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
 };
 phone = {
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuVT5W3kzjzsuMIWk1oeGtL8jZGtAhRSx8dK8oBJQcG u0_a291";
 };
 aristotle = {
 pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTDyKneaM44I5to883ghEnnPonedCKDbCX+OnrQ9vO5 usr";
+ wg-pubkey = "Sw2yyMhyS8GOCWm1VuGn3Y7cfx606dXOGK5mux8ckQU=";
+ };
+ netbox = {
+ wg-privkey = ../secrets/netbox-wg-priv.age;
+ wg-pubkey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
 };
 }
diff --git a/secrets/mailaccount.age b/secrets/mailaccount.age
new file mode 100644
index 0000000..747d955
--- /dev/null
+++ b/secrets/mailaccount.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 q1rODg N9raIGsxBIwKzWUGXNpJtxGt+khysyCP5SYf4dGOEFg
+6L4KT8jfwQABmOmUenMFdFI1ss2A9Jop4S5VwqndYK4
+-> ssh-ed25519 NIIFZw bGZd0al85zVh9nmJ/FYyi0Vow1NUcvPsn/KXxnmk6Hw
+fw4HsXms6qBCTRsr0qdx5prd7dotrZI7LMCYvk0y3YU
+-> ssh-ed25519 E0Y+lw PqH2afTaz/TgaeABRHUyaiknaspWKeISmAgpLxdzSFM
+mVN/f4ExuY/8ZgL96QF4IseEJFLx4t2uSvk7lDQ2y/k
+--- pxkjc19JOs7YD5Pu+jNcFiYCeYmLK1CaEx29968SWWU
+5\D |,$\}h#Xmuw=YtC\0`5!dl͎oCL`zγb)nS9i6
\ No newline at end of file
diff --git a/secrets/netbox-wg-priv.age b/secrets/netbox-wg-priv.age
new file mode 100644
index 0000000..54330fe
--- /dev/null
+++ b/secrets/netbox-wg-priv.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 q1rODg ZkRkO4kd24pzgGtZW9srOrmIlaWPUA6WaOKW0K6vuRQ
+gQXG/RidDPTtneur2zUl7eKjHYZjovp0akKMJKMF2EY
+-> ssh-ed25519 NIIFZw 6cAsAQ3kCJakKzncxLUq0zhBIfXPtJob0wwcP4X9MWM
+j5JZwjI7Xy3uIuCOveGLTdipjTJHIujtUQXcWtmYMZ0
+-> ssh-ed25519 E0Y+lw 0fViUYxACmTM7RA7997CANGYluwE3kaaTcgDh3GC7go
+AHyUXoxakKxfLYSqVqfzKhmgyy/UpB4jeNSvpljwn+8
+--- 1H0rIdM75PzfEn+35D9z6WBUJ/idTgX+Ipu5IwrvHjQ
+ocQ{$g`T L
+)^yUS7 6GSBcXb u0M
\ No newline at end of file
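Review bot: `wg-privkey = ../secrets/netbox-wg-priv.age;` places a path to a private-key secret in what is otherwise a registry of public keys, and nothing in this commit reads it — boxes/netbox/wireguard.nix uses `config.age.secrets.netbox-wg-priv.path`, and boxes/netbox/agenix.nix already names the .age file. Dropping the attribute keeps this set purely public material and leaves one source of truth for where the secret lives. The new `netbox` entry is also the only host without a `pubkey`; if that is deliberate, a short header comment such as `# <host>.pubkey: SSH host/user key (agenix recipient); <host>.wg-pubkey: WireGuard public key` would make the expected shape of each entry explicit for the consumers in boxes/.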
diff --git a/secrets/radicale-passwd.age b/secrets/radicale-passwd.age
new file mode 100644
index 0000000..fbd9a8c
Binary files /dev/null and b/secrets/radicale-passwd.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 8dda21d..c98e589 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,5 +4,16 @@ let
 all = [ server-netbox machines.copernicus.pubkey machines.aristotle.pubkey ];
 in {
+ # gitea
 "gitea-postgres-password.age".publicKeys = all;
+
+ # mailserver
+ "mailaccount.age".publicKeys = all;
+
+ # wireguard
+ "netbox-wg-priv.age".publicKeys = all;
+ "copernicus-wg-priv.age".publicKeys = all;
+
+ # radicale
+ "radicale-passwd.age".publicKeys = all;
 }
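Review bot: `"copernicus-wg-priv.age".publicKeys = all;` declares a secret this commit does not add (only mailaccount.age, netbox-wg-priv.age and radicale-passwd.age appear), and boxes/copernicus/services/wireguard.nix still reads `/home/usr/wg-keys/private`; either add the .age file plus the matching `age.secrets` entry on copernicus in the same change, or leave the rule out until then so the declarations match the files on disk. Every secret also shares the one recipient list `all`, bound at the top of the hunk to `server-netbox` and the copernicus/aristotle SSH keys — presumably the netbox host key plus two admin keys; that is acceptable while netbox is the only host that decrypts, but a comment such as `# all: netbox host key + admin keys; switch to per-host lists once copernicus decrypts its own secrets` would record the intent before the list grows.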