diff --git a/modules/my-tinc/hosts.nix b/modules/my-tinc/hosts.nix
index de412a7..9261a1c 100644
--- a/modules/my-tinc/hosts.nix
+++ b/modules/my-tinc/hosts.nix
@@ -14,10 +14,10 @@ in
 config = mkIf cfg.enable {
 # All hosts we know of
 services.tinc.networks.my-tinc.hostSettings = mapAttrs (name: host: {
- addresses = [ { inherit (host) address; } ];
+ addresses = [ { address = host.address; } ];
 subnets = [ { address = host.subnetAddr; } ];
- rsaPublicKey = mkIf (host ? "rsaPublicKey") (builtins.readFile host.rsaPublicKey);
- ed25519PublicKey = mkIf (host ? "ed25519PublicKey") (builtins.readFile host.ed25519PublicKey);
+ rsaPublicKey = if (host ? "rsaPublicKey") then (builtins.readFile host.rsaPublicKey) else null;
+ settings.Ed25519PublicKey = mkIf (host ? "ed25519PublicKey") (builtins.readFile host.ed25519PublicKey);
 }) hosts;
 };
 }
diff --git a/modules/my-tinc/hosts/default.nix b/modules/my-tinc/hosts/default.nix
index 97fbd9d..571f011 100644
--- a/modules/my-tinc/hosts/default.nix
+++ b/modules/my-tinc/hosts/default.nix
@@ -1,10 +1,8 @@
 {
 # TODO: Edit the list of hosts here.
- hosts = {
- nki-cloud = {
- subnetAddr = "10.0.0.10";
- address = "nki.personal";
- rsaPublicKey = ./nki-cloud.pub;
- };
+ nki-cloud = {
+ subnetAddr = "10.0.0.10";
+ address = "nki.personal";
+ rsaPublicKey = ./nki-cloud.pub;
 };
 }
diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix
index 817a6dd..dde007c 100644
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }: {
+{ pkgs, config, ... }: {
 imports = [
 ./hardware-configuration.nix
 ./networking.nix # generated at runtime by nixos-infect
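Review bot: The two public-key lines now use different conditional forms — `rsaPublicKey` switches to `if … then … else null` while `settings.Ed25519PublicKey` keeps `mkIf` — and nothing records why, so the next maintainer will read it as an oversight. If the explicit `null` is needed because the underlying tinc option is `nullOr` and an unset `mkIf` did not behave, a comment such as `# explicit null: the tinc option is nullOr, mkIf would leave it unset` would capture that; otherwise both lines should use the same form. A comment next to `builtins.readFile` that the file contents end up in the world-readable Nix store, so only public key material belongs under `hosts/`, would also be worth having, since the private key is (correctly) passed by path from the host configuration instead. The `let … in` that binds `hosts` and `cfg` starts outside the hunk.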
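Review bot: Dropping the `hosts = { … }` wrapper changes this file to a bare attrset of hosts, but the only description of its shape is the `# TODO` line; the consumer in hosts.nix reads `host.address`, `host.subnetAddr` and optionally `host.rsaPublicKey` / `host.ed25519PublicKey`, and whatever imports this file is not in the diff. A comment at the top such as `# name -> { subnetAddr, address, rsaPublicKey ? path, ed25519PublicKey ? path }` would document that contract where hosts are added. Presumably the `hosts` binding in hosts.nix was adjusted to the new shape; it is outside the visible hunks.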
@@ -20,4 +20,14 @@ system.autoUpgrade.enable = true; system.autoUpgrade.allowReboot = true; + + # Secret management + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.age.sshKeyPaths = [ "/root/.ssh/id_ed25519" ]; + + # tinc + services.my-tinc.enable = true; + services.my-tinc.hostName = "nki-cloud"; + sops.secrets.tinc-private-key = {}; + services.my-tinc.rsaPrivateKey = config.sops.secrets.tinc-private-key.path; } diff --git a/nki-personal-do/flake.lock b/nki-personal-do/flake.lock index f0e68ff..35fab50 100644 --- a/nki-personal-do/flake.lock +++ b/nki-personal-do/flake.lock @@ -68,10 +68,45 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1625223284, + "narHash": "sha256-jjLcDSU1rRiJb+n3uez23XAa7kbnPcGZTa6jIKh1GMQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "357d2c8f6087685fe35cb1889a005a4dd4cce7b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "deploy-rs": "deploy-rs", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1633273832, + "narHash": "sha256-oOjpMVYpkIUpiML61PeqTk+sg4juRvF7P6jroI/YvTw=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2e86e1698d53e5bd71d9de5f8b7e8f2f5458633c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } }, "utils": { diff --git a/nki-personal-do/flake.nix b/nki-personal-do/flake.nix index dfc92c8..bf7020e 100644 --- a/nki-personal-do/flake.nix +++ b/nki-personal-do/flake.nix 
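Review bot: `sops.secrets.tinc-private-key = {};` leaves owner, group and mode of the decrypted key entirely to sops-nix's defaults, and `services.my-tinc.rsaPrivateKey` then hands that path to the tinc service; if the daemon reads the key only after dropping to its own user, a root-only default makes it unreadable, and if the defaults are ever loosened the key is exposed. Pin them so the intent survives upstream default changes, e.g. `sops.secrets.tinc-private-key = { owner = "root"; mode = "0400"; };` with whichever owner the daemon actually needs. `sops.age.sshKeyPaths = [ "/root/.ssh/id_ed25519" ]` ties decryption to the host SSH key, so rotating that key or reinstalling the host breaks decryption at activation; a comment noting that the new key must be added to the sops recipients first would help. The `config` argument added in the earlier hunk exists only to resolve `config.sops.secrets.tinc-private-key.path` here.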
@@ -3,13 +3,15 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/21.05";
 deploy-rs.url = "github:Serokell/deploy-rs";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = { self, nixpkgs, deploy-rs } : {
+ outputs = { self, nixpkgs, deploy-rs, sops-nix } : {
 # DigitalOcean node
 nixosConfigurations."nki-personal" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 ../modules/my-tinc
+ sops-nix.nixosModules.sops
 ./configuration.nix
 ];
 };
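Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without an `inputs.nixpkgs.follows`, so the lock in this commit records a separate `nixpkgs_3` (from `nixpkgs-unstable`) for sops-nix alongside the `21.05` nixpkgs used here — a second nixpkgs to fetch, evaluate and audit. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` next to the url keeps a single pinned nixpkgs in the closure; the lock needs regenerating afterwards. The reference itself is unpinned in flake.nix, which is normal because flake.lock carries the revision, but a short comment that `nix flake update` moves it would help readers.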