From e656c395f370738aee6f9703b68ee458cfff7fc2 Mon Sep 17 00:00:00 2001
From: stupidcomputer
Date: Tue, 31 Dec 2024 12:14:17 -0600
Subject: [PATCH] add copernicus wg-privkey to age secrets

---
 boxes/copernicus/agenix.nix | 11 +++++++++++
 boxes/copernicus/default.nix | 1 +
 boxes/copernicus/services/wireguard.nix | 4 ++--
 boxes/netbox/agenix.nix | 3 ++-
 lib/machines.nix | 1 +
 secrets/copernicus-wg-priv.age | 7 +++++++
 secrets/secrets.nix | 2 +-
 7 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 boxes/copernicus/agenix.nix
 create mode 100644 secrets/copernicus-wg-priv.age

diff --git a/boxes/copernicus/agenix.nix b/boxes/copernicus/agenix.nix
new file mode 100644
index 0000000..7673700
--- /dev/null
+++ b/boxes/copernicus/agenix.nix
@@ -0,0 +1,11 @@
+{ machines, ... }:
+{
+  age = {
+    secrets = {
+      copernicus-wg-priv = {
+        file = machines.copernicus.wg-privkey;
+      };
+    };
+    identityPaths = [ "/home/usr/.ssh/id_ed25519" ];
+  };
+}
diff --git a/boxes/copernicus/default.nix b/boxes/copernicus/default.nix
index 7319a03..579f8ef 100644
--- a/boxes/copernicus/default.nix
+++ b/boxes/copernicus/default.nix
@@ -4,6 +4,7 @@
   imports = [
     ./hardware-configuration.nix
     ./nvidia.nix
+    ./agenix.nix
     ./services
     ../../config/copernicus.nix
     ../../lib/bootstrap.nix
diff --git a/boxes/copernicus/services/wireguard.nix b/boxes/copernicus/services/wireguard.nix
index a9c97cf..60a5c99 100644
--- a/boxes/copernicus/services/wireguard.nix
+++ b/boxes/copernicus/services/wireguard.nix
@@ -1,4 +1,4 @@
-{ machines, ... }:
+{ config, machines, ... }:
 {
   networking = {
@@ -9,7 +9,7 @@
       ips = [ "10.100.0.2/24" ];
       listenPort = 50000;
-      privateKeyFile = "/home/usr/wg-keys/private";
+      privateKeyFile = config.age.secrets.copernicus-wg-priv.path;
       peers = [
         { # netbox
           publicKey = machines.netbox.wg-pubkey;
diff --git a/boxes/netbox/agenix.nix b/boxes/netbox/agenix.nix
index aa0491a..40f5d0f 100644
--- a/boxes/netbox/agenix.nix
+++ b/boxes/netbox/agenix.nix
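Review bot: `identityPaths = [ "/home/usr/.ssh/id_ed25519" ]` in the new boxes/copernicus/agenix.nix makes decryption of every secret on copernicus depend on one user's personal SSH key living under /home, which may be absent, on a separate mount, or unreadable at the point during activation when agenix decrypts. By default agenix uses the system SSH host keys, which are root-owned and present at boot; if the user key is deliberate because `machines.copernicus.pubkey` is that user's key rather than the host key, a comment stating that would stop the next reader from "fixing" it (`# decrypt with usr's key: machines.copernicus.pubkey is this key, not the host key`). The secret also relies on agenix's defaults for owner and mode (root, 0400 as far as I recall); that suits a root-read `privateKeyFile`, but spelling out `mode = "0400";` documents the intent.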
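Review bot: Switching `privateKeyFile` to `config.age.secrets.copernicus-wg-priv.path` in services/wireguard.nix does not remove the plaintext copy at `/home/usr/wg-keys/private`, so after this change the same key still exists unencrypted in a user home directory. Either delete that file as part of the migration or, preferably, generate a fresh WireGuard keypair for the encrypted secret and update `wg-pubkey` in lib/machines.nix and the peer's `publicKey` to match. The enclosing interface definition starts and ends outside the hunk.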
@@ -1,3 +1,4 @@
+{ machines, ... }:
 {
   age.secrets = {
     gitea-postgres-password = {
@@ -12,7 +13,7 @@
     };
     netbox-wg-priv = {
-      file = ../../secrets/netbox-wg-priv.age;
+      file = machines.netbox.wg-privkey;
     };
     radicale-passwd = {
diff --git a/lib/machines.nix b/lib/machines.nix
index 7cd50b4..cd379b2 100644
--- a/lib/machines.nix
+++ b/lib/machines.nix
@@ -6,6 +6,7 @@
   };
   copernicus = {
     pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBGh1FHPneg7PCDkhMs2BCJPTIRVJkRTKpOj1w02ydD usr";
+    wg-privkey = ../secrets/copernicus-wg-priv.age;
     wg-pubkey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
     ip-addrs = {
       localnet = "192.168.1.201";
diff --git a/secrets/copernicus-wg-priv.age b/secrets/copernicus-wg-priv.age
new file mode 100644
index 0000000..d631741
--- /dev/null
+++ b/secrets/copernicus-wg-priv.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 NIIFZw YHF+5qXQXLGyPhIbvC0sE/6lyZp7iTRZuLbwBRtDfn8
+fOQwQb77gbEiChooxgbyIEznDypgWOH+/QZ2+nwjlNw
+-> ssh-ed25519 E0Y+lw QwZ+JNHFmF/O7e0I+B5579dMG/R5iJss2JQeW0c170I
+YznmSpxQunboeWIR4L7WyuUOPviyU7gtkxiCvH67jnE
+--- ZKBmup5lFUVa1OAIDWHiPp4ocuxpkshqbqhw7D5kOMo
+faFy$$t=8]rdHaE &Ɓ^@lSĨk碟>{e)
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 53970f8..1d2f200 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -12,7 +12,7 @@ in {
   # wireguard
   "netbox-wg-priv.age".publicKeys = all;
-  "copernicus-wg-priv.age".publicKeys = all;
+  "copernicus-wg-priv.age".publicKeys = with machines; [ copernicus.pubkey aristotle.pubkey ];
   # radicale
   "radicale-passwd.age".publicKeys = all;
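Review bot: `file = machines.netbox.wg-privkey;` in boxes/netbox/agenix.nix presumes that attribute already exists, yet the lib/machines.nix hunk in this commit adds only `copernicus.wg-privkey` (the diffstat shows a single insertion in that file), so unless netbox's entry was given a `wg-privkey` earlier, evaluating the netbox configuration will fail on a missing attribute. Worth confirming against the full lib/machines.nix before merging. The enclosing `age.secrets` set starts and ends outside the hunk.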
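Review bot: In lib/machines.nix the new `wg-privkey` holds a path to the age-encrypted file while its sibling `wg-pubkey` holds a literal key string, so the two attributes have different kinds despite parallel names. A one-line comment such as `# path to the age-encrypted private key; decrypted on the host by agenix, never a key string` would keep readers from treating it as key material or from assuming the shared machines set exposes secrets to every host.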
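Review bot: This hunk narrows `copernicus-wg-priv.age` to two recipients but leaves `"netbox-wg-priv.age".publicKeys = all;` on the line above it, so every machine key in the set can still decrypt netbox's WireGuard private key. Applying the same least-privilege set there, `"netbox-wg-priv.age".publicKeys = with machines; [ netbox.pubkey aristotle.pubkey ];`, would make the two WireGuard secrets consistent (the file then needs re-encrypting with `agenix -r`). The recipient list uses `copernicus.pubkey`, which must stay in step with the identity path set in boxes/copernicus/agenix.nix; if that identity is ever moved to the host key, this entry changes with it. `with machines;` assumes `machines` is bound in the `let` above `in {`, which the hunk context suggests but does not show.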