diff --git a/.sops.yaml b/.sops.yaml
index 836a896..eda386d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 - &nki_pc age1tt0peqg8zdfh74m5sdgwsczcqh036nhgmwvkqnvywll88uvmm9xs433rhm
 - &nkagami_main age1n8tnmmgredzltzwkspag7aufhrn6034ny8ysjeulhkwdnf7vqqaqec4mg5
 - &nkagami_do age1z2h24mjt80fryqupajkh3kg5r4sjgw65uqy489xeqxhqj8u2a9fsm3ff36
+ - &nki_yoga age1vhjhmxura35apu5zdwg5ur5r40xay45ld9szh07dy0ph9chgsu7shfm4h9
 creation_rules:
 - path_regex: kagami-air-m1/secrets\.yaml$
 key_groups:
@@ -22,3 +23,8 @@ creation_rules:
 - *nki_pc
 - *nkagami_main
 - *nkagami_do
+ - path_regex: nki-yoga-g8/secrets\.yaml$
+ key_groups:
+ - age:
+ - *nki_yoga
+ - age1axvjllyv2gutngwmp3pvp4xtq2gqneldaq2c4nrzmaye0uwmk9lqsealdv # The machine itself
diff --git a/modules/my-tinc/default.nix b/modules/my-tinc/default.nix
index f3e2682..d4c3e1a 100644
--- a/modules/my-tinc/default.nix
+++ b/modules/my-tinc/default.nix
@@ -34,11 +34,6 @@ in
 default = 655;
 description = "The port to listen on";
 };
-
- meshIp = mkOption {
- type = types.str;
- description = "The mesh ip to be assigned by hostname";
- };
 };
 config = mkIf cfg.enable (builtins.seq
@@ -51,7 +46,6 @@ in
 myMeshIp = myHost.subnetAddr;
 in
 {
- services.my-tinc.meshIp = myMeshIp;
 # Scripts that set up the tinc services
 environment.etc = {
 "tinc/${networkName}/tinc-up".source = pkgs.writeScript "tinc-up-${networkName}" ''
diff --git a/modules/my-tinc/hosts/default.nix b/modules/my-tinc/hosts/default.nix
index 73d966b..0459cd6 100644
--- a/modules/my-tinc/hosts/default.nix
+++ b/modules/my-tinc/hosts/default.nix
@@ -22,4 +22,9 @@
 subnetAddr = "11.0.0.4";
 ed25519PublicKey = "6MN5LVE4juavv8qJW2dTN4t/haKCADWquAQj/ADF7iN";
 };
+
+ yoga = {
+ subnetAddr = "11.0.0.5";
+ ed25519PublicKey = "n+gIZjuuTPxi0OBqw2oOcmXd3loOHG+GQHBMXNlgyqI";
+ };
 }
diff --git a/nki-yoga-g8/configuration.nix b/nki-yoga-g8/configuration.nix
index 5f31ae5..e8e2026 100644
--- a/nki-yoga-g8/configuration.nix
+++ b/nki-yoga-g8/configuration.nix
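Review bot: The bare recipient on the last added line of the second .sops.yaml hunk is documented only as "The machine itself", which does not say where it comes from or how to regenerate it. Since nki-yoga-g8/configuration.nix points sops.age.sshKeyPaths at /etc/ssh/ssh_host_ed25519_key, this is presumably the ssh-to-age conversion of that host key; a comment such as `# nki-yoga-g8 host key (ssh-to-age of /etc/ssh/ssh_host_ed25519_key); re-derive and re-encrypt secrets.yaml if the host key is rotated` would make the rotation dependency explicit. Giving it an anchor like the other recipients (`&nki_yoga_host`) would also keep the keys list as the single place where recipients are named.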
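Review bot: Removing the `meshIp` option in the first modules/my-tinc/default.nix hunk changes the module's public interface: any other module that evaluates `config.services.my-tinc.meshIp` will now fail at evaluation time with an undefined-option error, and nothing in the commit says that no such reader exists, so that is worth confirming before merging. The second hunk deletes the only visible use of `myMeshIp` but keeps the `myMeshIp = myHost.subnetAddr;` binding; if the tinc-up script further down does not still reference it, the binding is dead and should go too. Both the `options` set and the `config` body extend outside these hunks.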
@@ -15,6 +15,18 @@
 ../modules/services/edns
 ];
+ # Secrets
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ ## tinc
+ sops.secrets."tinc-private-key" = { };
+ services.my-tinc = {
+ enable = true;
+ hostName = "yoga";
+ ed25519PrivateKey = config.sops.secrets."tinc-private-key".path;
+ };
+
 services.xserver.desktopManager.plasma6.enable = true;
 # Power Management
diff --git a/nki-yoga-g8/secrets.yaml b/nki-yoga-g8/secrets.yaml
new file mode 100644
index 0000000..40f588c
--- /dev/null
+++ b/nki-yoga-g8/secrets.yaml
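Review bot: `sops.secrets."tinc-private-key" = { };` leaves owner, group and mode at the sops-nix defaults (root-owned, read-only for the owner), while its path is handed to `services.my-tinc.ed25519PrivateKey`; if the tinc daemon defined in modules/my-tinc runs as a dedicated user, the decrypted file will be unreadable at runtime and the mesh will silently fail to come up. If that is the case, set `owner`/`group` (or `mode`) on the secret to match the service user, and consider `restartUnits = [ "<tinc unit name>" ];` so a re-encrypted key is picked up without a manual restart. The attribute set this hunk extends starts before the hunk.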
@@ -0,0 +1,30 @@ +tinc-private-key: ENC[AES256_GCM,data:lzmisexQPfRlIMGqbmb+uqGtOPceQ3CJGlVOeOC6nbP/IDwkufSWtxugYmUwi9IJKwO0mldijiKWuG3p9005H++8567hhPy/bU7fA4vyVC+3UVGW6l0mE+yKQXTyI7kzxkXMCK5a4Q4rUJj544vU6pt75/mytfg+Cox2woGZAHZvJ/pRuHDe2t3R6w3EYYTu6x1w5azGnFvCOVdR6XPsGJA2p3oRnEpz64L7KD2QOdtm0YsfMnorH9FbvkZgNr927VbRnBRJ1QM=,iv:4K4w6ruQxtRGjmFnWszlXZKp36TuTTnrB0sDEE/tmrM=,tag:NBP897Sw84bvZTvo/+fVfA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vhjhmxura35apu5zdwg5ur5r40xay45ld9szh07dy0ph9chgsu7shfm4h9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBseVN3ODV1YkZnNms0Y09l + dUFBK1EyOTEydWg5KzAwcjZVSG8yYlRDWlhRCklLS2ZJNlBvSlEyOGF2ZFg2UGVW + UC9LN0hxdmtGN3JlOWJaTU5hbGwvc2MKLS0tIGM1NGZxd1NoTXNacEJqMVlsbTdi + MytuNUNydmJYWFYyQk9DaHVuVk85cjAKScucMPO8pyMlSxFw09NqzqVmDYVEh5xT + 4fSTAsMwIiuOyV7jvHYORxKWNMLr5t6fnj8+OFq5qUc//jNWf9pVuA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1axvjllyv2gutngwmp3pvp4xtq2gqneldaq2c4nrzmaye0uwmk9lqsealdv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYNXp6MWZGb2dGdW1ML2xq + ZWMvSVdWalQ5Z2NzTWd3Z1AweXlXZnRwUWtRCkY1VFhPS0NtbFZKU0VCMlAvSmhG + N2NmdWxTUEpMb05Ld3p6MzhhRkdBc3cKLS0tIGQ0TmFxdk1GV205azRzZ0hUWitj + eitNc1E2SzY5bkUxNWtNczRsWWJaU2MKUIu9GT7zu0MvvnXxiQfLW9pQcxFKOwPm + VRU2k3XQkYjSDZX29DxrOzaPS/L3OYNyBYMyOW8GyMa2V12lMH6lPQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-23T16:24:43Z" + mac: ENC[AES256_GCM,data:YTPZCX2Nkws0EJB/+PJVCYlKN0BoWqDRIH5QfhB7ayQ42tkUlz60Bt1ksbEMNtz2RS4sJSp4dlihTBLO4gRHbeMZf40f+j42Td4Dj0etqOkaspR5q5mE1XR8ml7QRzALEq5SHRi13szfO4BHaaFsSHTyFgKxA4uDzZ4JnBoxjAQ=,iv:KuO4rhO9vH+HqcgqTvOYBayitFzLhm4CQRTyzIplKnM=,tag:G/qgcxZoc89etzkUnkw02Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1