add more things under the purview of agenix

2024-12-27 00:47:55 -06:00 · 2024-12-27 00:47:55 -06:00 · 5d028f5659
commit 5d028f5659
parent 7212b80c3d bcda626017
10 changed files with 68 additions and 14 deletions
--- a/boxes/copernicus/services/wireguard.nix
+++ b/boxes/copernicus/services/wireguard.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ machines, ... }:
 {
  networking = {
@ -12,7 +12,7 @@
        privateKeyFile = "/home/usr/wg-keys/private";
        peers = [
          { # netbox
-            publicKey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
+            publicKey = machines.wg-pubkey;
            allowedIPs = [ "10.100.0.0/24" ]; # only stuff in the wg-subnet (10.100.0.*)
            endpoint = "149.28.63.115:50000";
            persistentKeepalive = 25;
--- a/boxes/netbox/agenix.nix
+++ b/boxes/netbox/agenix.nix
@ -1,3 +1,24 @@
 {
-  age.secrets.gitea-postgres-password.file = ../../secrets/gitea-postgres-password.age;
+  age.secrets = {
    gitea-postgres-password = {
      file = ../../secrets/gitea-postgres-password.age;
      mode = "0700";
      owner = "gitea";
      group = "gitea";
    };
    mailaccount = {
      file = ../../secrets/mailaccount.age;
    };
    netbox-wg-priv = {
      file = ../../secrets/netbox-wg-priv.age;
    };
    radicale-passwd = {
      file = ../../secrets/radicale-passwd.age;
      owner = "radicale";
      group = "radicale";
    };
  };
 }
--- a/boxes/netbox/mail.nix
+++ b/boxes/netbox/mail.nix
@ -1,4 +1,4 @@
-{ inputs, ...}:
+{ config, inputs, ... }:
 {
  imports = [
    inputs.simple-nixos-mailserver.nixosModule
@ -11,16 +11,13 @@
    loginAccounts = {
      "ryan@beepboop.systems" = {
        # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /hashed/password/file/location
-        hashedPasswordFile = "/etc/ryan-beepboop-systemsuser-pass";
+        hashedPasswordFile = config.age.secrets.mailaccount.path;
-  
+
        aliases = [
            "info@beepboop.systems"
            "postmaster@beepboop.systems"
        ];
      };
      "machines@beepboop.systems" = {
        hashedPasswordFile = "/etc/ryan-beepboop-systemsuser-pass";
      };
    };
    certificateScheme = "acme-nginx";
  };
--- a/boxes/netbox/radicale.nix
+++ b/boxes/netbox/radicale.nix
@ -5,7 +5,7 @@
    settings = {
      auth = {
        type = "htpasswd";
-        htpasswd_filename = "radicale-passwd";
+        htpasswd_filename = config.age.secrets.radicale-passwd.path;
        htpasswd_encryption = "plain";
      };
    };
--- a/boxes/netbox/wireguard.nix
+++ b/boxes/netbox/wireguard.nix
@ -1,4 +1,4 @@
-{ lib, config, pkgs, ... }:
+{ config, machines, pkgs, ... }:
 {
  networking = {
@ -22,15 +22,15 @@
          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
        '';
-        privateKeyFile = "/home/ryan/wg-keys/private";
+        privateKeyFile = config.age.secrets.netbox-wg-priv.path;
        peers = [
          { # copernicus
-            publicKey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
+            publicKey = machines.copernicus.wg-pubkey;
            allowedIPs = [ "10.100.0.2/32" ];
          }
          { # aristotle
-            publicKey = "Sw2yyMhyS8GOCWm1VuGn3Y7cfx606dXOGK5mux8ckQU=";
+            publicKey = machines.aristotle.wg-pubkey;
            allowedIPs = [ "10.100.0.3/32" ];
          }
        ];
--- a/lib/machines.nix
+++ b/lib/machines.nix
@ -1,11 +1,17 @@
 {
  copernicus = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBGh1FHPneg7PCDkhMs2BCJPTIRVJkRTKpOj1w02ydD usr";
    wg-pubkey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
  };
  phone = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILuVT5W3kzjzsuMIWk1oeGtL8jZGtAhRSx8dK8oBJQcG u0_a291";
  };
  aristotle = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTDyKneaM44I5to883ghEnnPonedCKDbCX+OnrQ9vO5 usr";
    wg-pubkey = "Sw2yyMhyS8GOCWm1VuGn3Y7cfx606dXOGK5mux8ckQU=";
  };
  netbox = {
    wg-privkey = ../secrets/netbox-wg-priv.age;
    wg-pubkey = "0fOqAfsYO4HvshMPnlkKL7Z1RChq98hjDr0Q8o7OJFE=";
  };
 }
--- a/secrets/mailaccount.age
+++ b/secrets/mailaccount.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 q1rODg N9raIGsxBIwKzWUGXNpJtxGt+khysyCP5SYf4dGOEFg
 6L4KT8jfwQABmOmUenMFdFI1ss2A9Jop4S5VwqndYK4
 -> ssh-ed25519 NIIFZw bGZd0al85zVh9nmJ/FYyi0Vow1NUcvPsn/KXxnmk6Hw
 fw4HsXms6qBCTRsr0qdx5prd7dotrZI7LMCYvk0y3YU
 -> ssh-ed25519 E0Y+lw PqH2afTaz/TgaeABRHUyaiknaspWKeISmAgpLxdzSFM
 mVN/f4ExuY/8ZgL96QF4IseEJFLx4t2uSvk7lDQ2y/k
 --- pxkjc19JOs7YD5Pu+jNcFiYCeYmLK1CaEx29968SWWU
 5\èäDÙ	ò¼þ¦€|,$ë\}†hô#ÕXmëuÌw=YäÁtÿÙC§¨\‰0`5!€údºl·¢‡ÍŽÄoCœÔÝÔL`z¡Î³¦ðb)»nƒSê9¸i×Ý6
--- a/secrets/netbox-wg-priv.age
+++ b/secrets/netbox-wg-priv.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 q1rODg ZkRkO4kd24pzgGtZW9srOrmIlaWPUA6WaOKW0K6vuRQ
 gQXG/RidDPTtneur2zUl7eKjHYZjovp0akKMJKMF2EY
 -> ssh-ed25519 NIIFZw 6cAsAQ3kCJakKzncxLUq0zhBIfXPtJob0wwcP4X9MWM
 j5JZwjI7Xy3uIuCOveGLTdipjTJHIujtUQXcWtmYMZ0
 -> ssh-ed25519 E0Y+lw 0fViUYxACmTM7RA7997CANGYluwE3kaaTcgDh3GC7go
 AHyUXoxakKxfLYSqVqfzKhmgyy/UpB4jeNSvpljwn+8
 --- 1H0rIdM75PzfEn+35D9z6WBUJ/idTgX+Ipu5IwrvHjQ
 ocŠƒ°Q{Šß$¹ g<C2A0>`T¦‰£LÛ
 )^…üyUîS<C3AE>Õñá7 ¡6GSBÄ€—ý¸·ècÓÇX<C387>Ób
Þu<C39E>´½0ðMçœø¬
--- a/secrets/radicale-passwd.age
+++ b/secrets/radicale-passwd.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -4,5 +4,16 @@ let
  all = [ server-netbox machines.copernicus.pubkey machines.aristotle.pubkey ];
 in {
  # gitea
  "gitea-postgres-password.age".publicKeys = all;
  # mailserver
  "mailaccount.age".publicKeys = all;
  # wireguard
  "netbox-wg-priv.age".publicKeys = all;
  "copernicus-wg-priv.age".publicKeys = all;
  # radicale
  "radicale-passwd.age".publicKeys = all;
 }