add copernicus wg-privkey to age secrets

2024-12-31 12:14:17 -06:00 · 2024-12-31 12:14:17 -06:00 · e656c395f3
commit e656c395f3
parent 053ce2b76b
7 changed files with 25 additions and 4 deletions
--- a/boxes/copernicus/agenix.nix
+++ b/boxes/copernicus/agenix.nix
@ -0,0 +1,11 @@
+{ machines, ... }:
+{
+  age = {
+    secrets = {
+      copernicus-wg-priv = {
+        file = machines.copernicus.wg-privkey;
+      };
+    };
+    identityPaths = [ "/home/usr/.ssh/id_ed25519" ];
+  };
+}
--- a/boxes/copernicus/default.nix
+++ b/boxes/copernicus/default.nix
@ -4,6 +4,7 @@
  imports = [
    ./hardware-configuration.nix
    ./nvidia.nix
+    ./agenix.nix
    ./services
    ../../config/copernicus.nix
    ../../lib/bootstrap.nix
--- a/boxes/copernicus/services/wireguard.nix
+++ b/boxes/copernicus/services/wireguard.nix
@ -1,4 +1,4 @@
-{ machines, ... }:
+{ config, machines, ... }:

 {
  networking = {
@ -9,7 +9,7 @@
        ips = [ "10.100.0.2/24" ];
        listenPort = 50000;

-        privateKeyFile = "/home/usr/wg-keys/private";
+        privateKeyFile = config.age.secrets.copernicus-wg-priv.path;
        peers = [
          { # netbox
            publicKey = machines.netbox.wg-pubkey;
--- a/boxes/netbox/agenix.nix
+++ b/boxes/netbox/agenix.nix
@ -1,3 +1,4 @@
+{ machines, ... }:
 {
  age.secrets = {
    gitea-postgres-password = {
@ -12,7 +13,7 @@
    };

    netbox-wg-priv = {
-      file = ../../secrets/netbox-wg-priv.age;
+      file = machines.netbox.wg-privkey;
    };

    radicale-passwd = {
--- a/lib/machines.nix
+++ b/lib/machines.nix
@ -6,6 +6,7 @@
  };
  copernicus = {
    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILBGh1FHPneg7PCDkhMs2BCJPTIRVJkRTKpOj1w02ydD usr";
+    wg-privkey = ../secrets/copernicus-wg-priv.age;
    wg-pubkey = "JlH1X4KRT+B8Uau+qTLtBqyapkbGClIj1db7znU77kc=";
    ip-addrs = {
      localnet = "192.168.1.201";
--- a/secrets/copernicus-wg-priv.age
+++ b/secrets/copernicus-wg-priv.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 NIIFZw YHF+5qXQXLGyPhIbvC0sE/6lyZp7iTRZuLbwBRtDfn8
+fOQwQb77gbEiChooxgbyIEznDypgWOH+/QZ2+nwjlNw
+-> ssh-ed25519 E0Y+lw QwZ+JNHFmF/O7e0I+B5579dMG/R5iJss2JQeW0c170I
+YznmSpxQunboeWIR4L7WyuUOPviyU7gtkxiCvH67jnE
+--- ZKBmup5lFUVa1OAIDWHiPp4ocuxpkshqbqhw7D5kOMo
+<EFBFBD>ÎýíÀfaFyº$¹žÕ$t¬³ò=8†‡]rdî‰ÔðúHþÐë˜aE	&çÆ<C3A7>Á^@ lSÄ¨‡€Š¯kç¢Ÿ>šî{eôŒûöõý)•
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,7 +12,7 @@ in {

  # wireguard
  "netbox-wg-priv.age".publicKeys = all;
-  "copernicus-wg-priv.age".publicKeys = all;
+  "copernicus-wg-priv.age".publicKeys = with machines; [ copernicus.pubkey aristotle.pubkey ];

  # radicale
  "radicale-passwd.age".publicKeys = all;