From f4c514baa688cd1f507c947cc0d4db01ff1225c1 Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Thu, 15 Aug 2024 18:37:13 +0200
Subject: [PATCH] Set up tinc for framework
---
 .sops.yaml | 7 +++++++
 flake.lock | 7 ++++---
 flake.nix | 2 +-
 modules/common/linux/default.nix | 14 +++++++++++++-
 modules/common/linux/sops.nix | 18 +++++++++++++++++
 modules/my-tinc/hosts/default.nix | 5 +++++
 nki-framework/configuration.nix | 14 ++++++++++++++
 nki-framework/secrets.yaml | 30 +++++++++++++++++++++++++++++
 nki-home/configuration.nix | 3 ++-
 nki-home/{secrets => }/secrets.yaml | 0
 nki-home/secrets/default.nix | 6 ------
 11 files changed, 94 insertions(+), 12 deletions(-)
 create mode 100644 modules/common/linux/sops.nix
 create mode 100644 nki-framework/secrets.yaml
 rename nki-home/{secrets => }/secrets.yaml (100%)
 delete mode 100644 nki-home/secrets/default.nix
diff --git a/.sops.yaml b/.sops.yaml
index eda386d..66e4321 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys:
 - &nkagami_main age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5
 - &nkagami_do age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36
 - &nki_yoga age1vhjhmxura35apu5zdwg5ur5r40xay45ld9szh07dy0ph9chgsu7shfm4h9
+ - &nki_framework age188tgu3psvywk6shq85mk2q0jdjwd0tcswzwlwu5pa5n3pndx75dq090z59
 creation_rules:
 - path_regex: kagami-air-m1/secrets\.yaml$
 key_groups:
@@ -17,6 +18,7 @@ creation_rules:
 - *nki_pc
 - *nkagami_main
 - *nkagami_do
+ - *nki_framework
 - path_regex: nki-home/secrets/secrets\.yaml$
 key_groups:
 - age:
@@ -28,3 +30,8 @@ creation_rules:
 - age:
 - *nki_yoga
 - age1axvjllyv2gutngwmp3pvp4xtq2gqneldaq2c4nrzmaye0uwmk9lqsealdv # The machine itself
+ - path_regex: nki-framework/secrets\.yaml$
+ key_groups:
+ - age:
+ - *nki_framework
+ - age1vgh6kvee8lvxylm7z86fpl3xzjyjs4u3zdfkyf064rjvxk9fpumsew7n27 # The machine itself
diff --git a/flake.lock b/flake.lock
index 104d65d..ab61a50 100644
--- a/flake.lock
+++ b/flake.lock
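Review bot: The creation rule `- path_regex: nki-home/secrets/secrets\.yaml$` is left untouched as a context line in the second hunk, but this same patch renames that file to `nki-home/secrets.yaml` and points `common.linux.sops.file = ./secrets.yaml;` at the new location in nki-home/configuration.nix, so after the rename no creation rule matches the home host's secrets file. Decryption is unaffected because the recipients are stored in the file's own `sops` metadata, but `sops updatekeys` and any re-creation of the file will no longer find the intended recipient set. The regex should move with the file: `- path_regex: nki-home/secrets\.yaml$`.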
@@ -237,15 +237,16 @@
 "locked": {
 "lastModified": 1723470164,
 "narHash": "sha256-ZWcDD4HTmFtEJgEA2Ydg2mA+yu0FVcfEHbCGVXDatfw=",
- "ref": "refs/heads/dtth-fork",
+ "ref": "dtth-fork",
 "rev": "c72bd47bbd18523b951b3fa73c789629504d0eb3",
 "revCount": 2721,
 "type": "git",
- "url": "ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork"
+ "url": "ssh://gitea@git.dtth.ch/nki/phanpy"
 },
 "original": {
+ "ref": "dtth-fork",
 "type": "git",
- "url": "ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork"
+ "url": "ssh://gitea@git.dtth.ch/nki/phanpy"
 }
 },
 "fenix": {
diff --git a/flake.nix b/flake.nix
index 5e49204..8730782 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,7 +43,7 @@
 url = github:natsukagami/mpd-mpris;
 inputs.nixpkgs.follows = "nixpkgs";
 };
- dtth-phanpy.url = "git+ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork";
+ dtth-phanpy.url = "git+ssh://gitea@git.dtth.ch/nki/phanpy?ref=dtth-fork";
 conduit.url = "gitlab:famedly/conduit/v0.8.0";
 nix-gaming.url = github:fufexan/nix-gaming;
diff --git a/modules/common/linux/default.nix b/modules/common/linux/default.nix
index d943e1d..3cfc6c1 100644
--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@@ -115,7 +115,19 @@ let
 };
 in
 {
- imports = with modules; [ adb ios graphics wlr logitech kwallet virtualisation accounts rt-audio ];
+ imports = with modules; [
+ ./sops.nix
+
+ adb
+ ios
+ graphics
+ wlr
+ logitech
+ kwallet
+ virtualisation
+ accounts
+ rt-audio
+ ];
 options.common.linux = {
 enable = mkOption {
diff --git a/modules/common/linux/sops.nix b/modules/common/linux/sops.nix
new file mode 100644
index 0000000..587d3a6
--- /dev/null
+++ b/modules/common/linux/sops.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+with { inherit (lib) types mkOption mkEnableOption; };
+let
+ cfg = config.common.linux.sops;
+in
+{
+ options.common.linux.sops = {
+ enable = mkEnableOption "Enable sops configuration";
+ file = mkOption {
+ type = types.path;
+ description = "Path to the default sops file";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ sops.defaultSopsFile = cfg.file;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
+}
diff --git a/modules/my-tinc/hosts/default.nix b/modules/my-tinc/hosts/default.nix
index 0459cd6..abae21d 100644
--- a/modules/my-tinc/hosts/default.nix
+++ b/modules/my-tinc/hosts/default.nix
@@ -27,4 +27,9 @@
 subnetAddr = "11.0.0.5";
 ed25519PublicKey = "n+gIZjuuTPxi0OBqw2oOcmXd3loOHG+GQHBMXNlgyqI";
 };
+
+ framework = {
+ subnetAddr = "11.0.0.6";
+ ed25519PublicKey = "YL7NA6Ydv/3FBfSzOPvyHlGweAViPvsG3b0Zh8L0NzF";
+ };
 }
diff --git a/nki-framework/configuration.nix b/nki-framework/configuration.nix
index d2a0adc..ea7ada1 100644
--- a/nki-framework/configuration.nix
+++ b/nki-framework/configuration.nix
@@ -17,6 +17,10 @@
 ./wireless.nix
 ];
+ # Sops
+ common.linux.sops.enable = true;
+ common.linux.sops.file = ./secrets.yaml;
+
 # services.xserver.enable = true;
 # services.xserver.displayManager.sddm.enable = true;
 # services.xserver.displayManager.sddm.wayland.enable = true;
@@ -77,6 +81,16 @@
 security.pam.services.swaylock.fprintAuth = true;
 security.pam.services.login.fprintAuth = true;
+ # tinc network
+ sops.secrets."tinc-private-key" = { };
+ services.my-tinc = {
+ enable = true;
+ hostName = "framework";
+ ed25519PrivateKey = config.sops.secrets."tinc-private-key".path;
+ bindPort = 6565;
+ };
+
+ # Secrets
 # sops.defaultSopsFile = ./secrets.yaml;
 # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
diff --git a/nki-framework/secrets.yaml b/nki-framework/secrets.yaml
new file mode 100644
index 0000000..f14c729
--- /dev/null
+++ b/nki-framework/secrets.yaml
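Review bot: `enable = mkEnableOption "Enable sops configuration";` renders in the option docs as "Whether to enable Enable sops configuration." because `mkEnableOption` already prefixes "Whether to enable"; pass the noun phrase only, `enable = mkEnableOption "sops secret management";`. The age identity path `/etc/ssh/ssh_host_ed25519_key` is fixed inside the module while `file` is already exposed as an option; giving the key path an option with that default keeps a host whose recipient is derived from a different host key from having to set `sops.age.sshKeyPaths` outside the module. Note also that the `sops.*` definitions under `lib.mkIf cfg.enable` are still evaluated as option definitions when `enable` is false, so every host importing `modules/common/linux` must also import the sops-nix module or evaluation fails on an undeclared option — presumably already true for the home host, which set `sops.defaultSopsFile` before this patch, but worth confirming for hosts the diffstat does not touch.
```nix
  options.common.linux.sops = {
    enable = mkEnableOption "sops secret management";
    # … unchanged: file option …
    sshKeyPath = mkOption {
      type = types.path;
      default = "/etc/ssh/ssh_host_ed25519_key";
      description = "SSH host key from which the age identity is derived";
    };
  };
  config = lib.mkIf cfg.enable {
    sops.defaultSopsFile = cfg.file;
    sops.age.sshKeyPaths = [ cfg.sshKeyPath ];
  };
```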
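Review bot: The second hunk of nki-framework/configuration.nix adds a `# Secrets` heading over the commented-out `# sops.defaultSopsFile = ./secrets.yaml;` and `# sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` lines, while the first hunk moves exactly that configuration into `common.linux.sops.enable` and `common.linux.sops.file`; the two stale comment lines should be deleted rather than labelled, as the identical pair is deleted from nki-home/secrets/default.nix in this patch. `sops.secrets."tinc-private-key" = { };` relies on sops-nix's default owner and mode for the decrypted file, which is only right if the my-tinc service reads `ed25519PrivateKey` as root; the my-tinc module is outside this patch, so that should be confirmed there or the secret given an explicit `owner`. Both hunks sit inside the module's attribute set, which opens and closes outside them.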
@@ -0,0 +1,30 @@ +tinc-private-key: ENC[AES256_GCM,data:cKtOFrF5FRSHWxe/QxH5O9GAba1WcWeCwW1IOzmbgdtFufRoWbCtYeaLP+WQhQ70z6xobiY9DN8Jrh7mDptKSsfKrrx2SH5JrdpsoINhLMbetXq7E29+q6CkS8NlLgE/KyV8eFjQySNsYiA/+Efq9xj9e1wOmHBDsND/jgiJDkA1qsEIFZg/vuv8LdoRY3TV/oKJ4pao9+70G4H+8Ef1sMZHGNe9qJ94Wa71nNX2fTSjKH5YBbRijMAePWr/IeCpZ9Phs7RqjBs=,iv:l0iB136X7nLVblQjFi7K4f42JKSxdsiLIRy5GPzK1nc=,tag:HAgkvWkl0Rx62ejGZckdKA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age188tgu3psvywk6shq85mk2q0jdjwd0tcswzwlwu5pa5n3pndx75dq090z59 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmL2Z1RzBWaTI1TDl6WDNa + NTNVdEhTSFU5enNlTGVNWTI5anBZb1BtaVhjCm1BRnJDSXl1cWdBRUs1VnREVjBU + QWZxdkgzdm9JL0k5WmhDL1RCNTltdm8KLS0tIFhvQTlKMDZiVklTRWd4TzVmc2ll + bmpjcWdBV1doZml2NjlzQzdQczJ3alEKBMRP3POxtPIqBWnrvxY/++5jtVE70Uxa + EVfhsUO76A/hzyxfzpLEy1QGFE+DB/zlU0CK7HkNGPD2TrBHbzkPJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vgh6kvee8lvxylm7z86fpl3xzjyjs4u3zdfkyf064rjvxk9fpumsew7n27 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MUxQU0dZOGRaekF4MWdo + T0krcERtRTJndFR1RHZmL0t6MjBxMW5PSENNCkR6SUhxQ0FoaEhuaWpiUzJ0MnJE + RXRERzVhL0lRVW1iRUlac0c5OHZsckEKLS0tIC9VM1dNZTNzdkFnMWk2YUwvcDNB + TDZnVjBaVzZBem5lZDB1MW4xQ0RmZ28K6d7mF+f3ZyilXlSIQGT2pBrTWuYLccE1 + rYIJjHjFft/2wPX2gAW9VTiwfMT3lKJhJRqNdoie5phV5BZhkb3D9w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-15T16:27:40Z" + mac: ENC[AES256_GCM,data:T1dTmWEY1c5QFzROnzFc1/dnfXN96B/OisPObZiwXQLHeh29AWjfqpd6eoYdAZW1Iipih7Nn1VUMxkf5xDuWziDrJhun2PaU3UOg/U6VrRIScnySV/VTQGyaJLJZuJmvgvyAV+G8KqxC4Biv7k0PBSZn6uvTg36D4f+IfItReE8=,iv:dgiDux8AxbWFtTd2jzd+XJ0eBMALcI8moDUDlgdnBiE=,tag:cYzL71xT8DBMn9j4pPUBpA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nki-home/configuration.nix b/nki-home/configuration.nix index 3c37eeb..7dfa293 100644 --- a/nki-home/configuration.nix 
+++ b/nki-home/configuration.nix @@ -27,10 +27,11 @@ with lib; # Plasma! services.desktopManager.plasma6.enable = true; - ## Encryption # Kernel modules needed for mounting USB VFAT devices in initrd stage common.linux.luksDevices.root = "/dev/disk/by-uuid/7c6e40a8-900b-4f85-9712-2b872caf1892"; + common.linux.sops.enable = true; + common.linux.sops.file = ./secrets.yaml; # Networking common.linux.networking = diff --git a/nki-home/secrets/secrets.yaml b/nki-home/secrets.yaml similarity index 100% rename from nki-home/secrets/secrets.yaml rename to nki-home/secrets.yaml diff --git a/nki-home/secrets/default.nix b/nki-home/secrets/default.nix deleted file mode 100644 index cb76173..0000000 --- a/nki-home/secrets/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, pkgs, ... }: - -{ - sops.defaultSopsFile = ./secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; -}
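Review bot: The added `common.linux.sops.enable = true;` and `common.linux.sops.file = ./secrets.yaml;` lines sit directly under `# Kernel modules needed for mounting USB VFAT devices in initrd stage`, a comment that describes the `common.linux.luksDevices.root` line, so the sops lines now read as part of the LUKS/initrd setup. A separating comment above them, `# Sops` as used in nki-framework/configuration.nix in this same patch, would keep the two sections distinct. The `./secrets.yaml` path agrees with the rename recorded later in this patch.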