Set up tinc for framework

2024-08-15 18:37:13 +02:00 · 2024-08-15 18:37:13 +02:00 · f4c514baa6
parent 58a49a71a8
commit f4c514baa6
11 changed files with 94 additions and 12 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -5,6 +5,7 @@ keys:
  - &nkagami_main age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5
  - &nkagami_do age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36
  - &nki_yoga age1vhjhmxura35apu5zdwg5ur5r40xay45ld9szh07dy0ph9chgsu7shfm4h9
+  - &nki_framework age188tgu3psvywk6shq85mk2q0jdjwd0tcswzwlwu5pa5n3pndx75dq090z59
 creation_rules:
  - path_regex: kagami-air-m1/secrets\.yaml$
    key_groups:
@ -17,6 +18,7 @@ creation_rules:
        - *nki_pc
        - *nkagami_main
        - *nkagami_do
+        - *nki_framework
  - path_regex: nki-home/secrets/secrets\.yaml$
    key_groups:
    - age:
@ -28,3 +30,8 @@ creation_rules:
    - age:
        - *nki_yoga
        - age1axvjllyv2gutngwmp3pvp4xtq2gqneldaq2c4nrzmaye0uwmk9lqsealdv # The machine itself
+  - path_regex: nki-framework/secrets\.yaml$
+    key_groups:
+    - age:
+        - *nki_framework
+        - age1vgh6kvee8lvxylm7z86fpl3xzjyjs4u3zdfkyf064rjvxk9fpumsew7n27 # The machine itself
--- a/flake.lock
+++ b/flake.lock
@ -237,15 +237,16 @@
      "locked": {
        "lastModified": 1723470164,
        "narHash": "sha256-ZWcDD4HTmFtEJgEA2Ydg2mA+yu0FVcfEHbCGVXDatfw=",
-        "ref": "refs/heads/dtth-fork",
+        "ref": "dtth-fork",
        "rev": "c72bd47bbd18523b951b3fa73c789629504d0eb3",
        "revCount": 2721,
        "type": "git",
-        "url": "ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork"
+        "url": "ssh://gitea@git.dtth.ch/nki/phanpy"
      },
      "original": {
+        "ref": "dtth-fork",
        "type": "git",
-        "url": "ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork"
+        "url": "ssh://gitea@git.dtth.ch/nki/phanpy"
      }
    },
    "fenix": {
--- a/flake.nix
+++ b/flake.nix
@ -43,7 +43,7 @@
      url = github:natsukagami/mpd-mpris;
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    dtth-phanpy.url = "git+ssh://gitea@git.dtth.ch/nki/phanpy?branch=dtth-fork";
+    dtth-phanpy.url = "git+ssh://gitea@git.dtth.ch/nki/phanpy?ref=dtth-fork";
    conduit.url = "gitlab:famedly/conduit/v0.8.0";
    nix-gaming.url = github:fufexan/nix-gaming;

--- a/modules/common/linux/default.nix
+++ b/modules/common/linux/default.nix
@ -115,7 +115,19 @@ let
  };
 in
 {
-  imports = with modules; [ adb ios graphics wlr logitech kwallet virtualisation accounts rt-audio ];
+  imports = with modules; [
+    ./sops.nix
+
+    adb
+    ios
+    graphics
+    wlr
+    logitech
+    kwallet
+    virtualisation
+    accounts
+    rt-audio
+  ];

  options.common.linux = {
    enable = mkOption {
--- a/modules/common/linux/sops.nix
+++ b/modules/common/linux/sops.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+with { inherit (lib) types mkOption mkEnableOption; };
+let
+  cfg = config.common.linux.sops;
+in
+{
+  options.common.linux.sops = {
+    enable = mkEnableOption "Enable sops configuration";
+    file = mkOption {
+      type = types.path;
+      description = "Path to the default sops file";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    sops.defaultSopsFile = cfg.file;
+    sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  };
+}
--- a/modules/my-tinc/hosts/default.nix
+++ b/modules/my-tinc/hosts/default.nix
@ -27,4 +27,9 @@
    subnetAddr = "11.0.0.5";
    ed25519PublicKey = "n+gIZjuuTPxi0OBqw2oOcmXd3loOHG+GQHBMXNlgyqI";
  };
+
+  framework = {
+    subnetAddr = "11.0.0.6";
+    ed25519PublicKey = "YL7NA6Ydv/3FBfSzOPvyHlGweAViPvsG3b0Zh8L0NzF";
+  };
 }
--- a/nki-framework/configuration.nix
+++ b/nki-framework/configuration.nix
@ -17,6 +17,10 @@
      ./wireless.nix
    ];

+  # Sops
+  common.linux.sops.enable = true;
+  common.linux.sops.file = ./secrets.yaml;
+
  # services.xserver.enable = true;
  # services.xserver.displayManager.sddm.enable = true;
  # services.xserver.displayManager.sddm.wayland.enable = true;
@ -77,6 +81,16 @@
  security.pam.services.swaylock.fprintAuth = true;
  security.pam.services.login.fprintAuth = true;

+  # tinc network
+  sops.secrets."tinc-private-key" = { };
+  services.my-tinc = {
+    enable = true;
+    hostName = "framework";
+    ed25519PrivateKey = config.sops.secrets."tinc-private-key".path;
+    bindPort = 6565;
+  };
+
+
  # Secrets
  # sops.defaultSopsFile = ./secrets.yaml;
  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
--- a/nki-framework/secrets.yaml
+++ b/nki-framework/secrets.yaml
@ -0,0 +1,30 @@
+tinc-private-key: ENC[AES256_GCM,data:cKtOFrF5FRSHWxe/QxH5O9GAba1WcWeCwW1IOzmbgdtFufRoWbCtYeaLP+WQhQ70z6xobiY9DN8Jrh7mDptKSsfKrrx2SH5JrdpsoINhLMbetXq7E29+q6CkS8NlLgE/KyV8eFjQySNsYiA/+Efq9xj9e1wOmHBDsND/jgiJDkA1qsEIFZg/vuv8LdoRY3TV/oKJ4pao9+70G4H+8Ef1sMZHGNe9qJ94Wa71nNX2fTSjKH5YBbRijMAePWr/IeCpZ9Phs7RqjBs=,iv:l0iB136X7nLVblQjFi7K4f42JKSxdsiLIRy5GPzK1nc=,tag:HAgkvWkl0Rx62ejGZckdKA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age188tgu3psvywk6shq85mk2q0jdjwd0tcswzwlwu5pa5n3pndx75dq090z59
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmL2Z1RzBWaTI1TDl6WDNa
+            NTNVdEhTSFU5enNlTGVNWTI5anBZb1BtaVhjCm1BRnJDSXl1cWdBRUs1VnREVjBU
+            QWZxdkgzdm9JL0k5WmhDL1RCNTltdm8KLS0tIFhvQTlKMDZiVklTRWd4TzVmc2ll
+            bmpjcWdBV1doZml2NjlzQzdQczJ3alEKBMRP3POxtPIqBWnrvxY/++5jtVE70Uxa
+            EVfhsUO76A/hzyxfzpLEy1QGFE+DB/zlU0CK7HkNGPD2TrBHbzkPJA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vgh6kvee8lvxylm7z86fpl3xzjyjs4u3zdfkyf064rjvxk9fpumsew7n27
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MUxQU0dZOGRaekF4MWdo
+            T0krcERtRTJndFR1RHZmL0t6MjBxMW5PSENNCkR6SUhxQ0FoaEhuaWpiUzJ0MnJE
+            RXRERzVhL0lRVW1iRUlac0c5OHZsckEKLS0tIC9VM1dNZTNzdkFnMWk2YUwvcDNB
+            TDZnVjBaVzZBem5lZDB1MW4xQ0RmZ28K6d7mF+f3ZyilXlSIQGT2pBrTWuYLccE1
+            rYIJjHjFft/2wPX2gAW9VTiwfMT3lKJhJRqNdoie5phV5BZhkb3D9w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-15T16:27:40Z"
+    mac: ENC[AES256_GCM,data:T1dTmWEY1c5QFzROnzFc1/dnfXN96B/OisPObZiwXQLHeh29AWjfqpd6eoYdAZW1Iipih7Nn1VUMxkf5xDuWziDrJhun2PaU3UOg/U6VrRIScnySV/VTQGyaJLJZuJmvgvyAV+G8KqxC4Biv7k0PBSZn6uvTg36D4f+IfItReE8=,iv:dgiDux8AxbWFtTd2jzd+XJ0eBMALcI8moDUDlgdnBiE=,tag:cYzL71xT8DBMn9j4pPUBpA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/nki-home/configuration.nix
+++ b/nki-home/configuration.nix
@ -27,10 +27,11 @@ with lib;
  # Plasma!
  services.desktopManager.plasma6.enable = true;

-
  ## Encryption
  # Kernel modules needed for mounting USB VFAT devices in initrd stage
  common.linux.luksDevices.root = "/dev/disk/by-uuid/7c6e40a8-900b-4f85-9712-2b872caf1892";
+  common.linux.sops.enable = true;
+  common.linux.sops.file = ./secrets.yaml;

  # Networking
  common.linux.networking =
--- a/nki-home/secrets/secrets.yaml
+++ b/nki-home/secrets/secrets.yaml
--- a/nki-home/secrets/default.nix
+++ b/nki-home/secrets/default.nix
@ -1,6 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  sops.defaultSopsFile = ./secrets.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-}