add freyanet and sops to thinkpad

7 files changed, 96 insertions, 13 deletions

diff --git a/.sops.yaml b/.sops.yaml
index 3a664b3..7c57903 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,3 +13,8 @@ creation_rules:
       - pgp:
         - *freya
         - *shinji
+  - path_regex: ^hosts/thinkpad/secrets.yaml$
+    key_groups:
+      - pgp:
+        - *freya
+        - *thinkpad
diff --git a/home/gpg.nix b/home/gpg.nix
index 411cc30..d17611a 100644
--- a/home/gpg.nix
+++ b/home/gpg.nix
@@ -9,14 +9,13 @@
     # install keys into gpg keyring
     programs.gpg = {
       enable = true;
-      # FIXME: this is broken, fails during home-manager activation :(
-      #
-      # publicKeys =
-      #   map (path: {
-      #     source = path;
-      #     trust = 5;
-      #   })
-      #   self.lib.gpgKeys;
+
+      publicKeys =
+        map (path: {
+          source = path;
+          trust = 5;
+        })
+        self.lib.gpgKeys;
     };
 
     # global gpg agent
diff --git a/hosts/shinji/sops.nix b/hosts/shinji/sops.nix
index fa3272c..a0724e1 100644
--- a/hosts/shinji/sops.nix
+++ b/hosts/shinji/sops.nix
@@ -3,11 +3,7 @@
   pkgs,
   inputs,
   ...
-}: let
-  isEd25519 = k: k.type == "ed25519";
-  getKeyPath = k: k.path;
-  keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
-in {
+}: {
   imports = [
     inputs.sops-nix.nixosModules.sops
   ];
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 4f10489..31b1e6f 100644
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -3,6 +3,8 @@
 {...}: {
   imports = [
     ./hardware.nix
+    ./sops.nix
+    ./wireguard.nix
   ];
 
   # options
diff --git a/hosts/thinkpad/secrets.yaml b/hosts/thinkpad/secrets.yaml
new file mode 100644
index 0000000..33ef635
--- /dev/null
+++ b/hosts/thinkpad/secrets.yaml
@@ -0,0 +1,29 @@
+freyanetWg: ENC[AES256_GCM,data:Smy7s+aH8+4QsNkIbK4YCT0KKUBY+9xMviTtep6lRl31hLxmym6sntqDQl4=,iv:V2OJt6y9bE/sWC4S+aKSmNpyYiZ0WOPHi1FZ1IOMfjc=,tag:UK5R8iE7wed3iZSAdI+WJQ==,type:str]
+sops:
+    lastmodified: "2025-07-02T23:48:03Z"
+    mac: ENC[AES256_GCM,data:0+UiaZgu6cfQTTRZTl89/sYXL8BV2/XUHsNAuYQsPUY6udWb7j4Nfj1cDMi+O7rnhl3TK61ms6QhdQkkLiMIUVlngzFHi+iWYTQ8WU1V2YneeepVDJuxiQn5PhzSlFDqDvdgPwVRT/HM/KeJ7iUsHKTFBF+MTuKUZTbftCL9ZaM=,iv:3QBubDeW27udjHjJlPXWihNLnFsu0PP5c4CcxCvpzQM=,tag:N0wKnLVVrIhn+aHUJeHWzw==,type:str]
+    pgp:
+        - created_at: "2025-07-02T23:48:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DNAX7itQ/dpkSAQdA5m1vsAEbOtx2mD+j92sAXoEYFS7TkokwB/zFnRWVE2Iw
+            aGhhIFroNipYmWbwsrWJ1rcel4NmOCJYkA28Hfs1Ejvl8Hpi6NursNFeObYJMITG
+            0l4BzejxDHvEH2dkOFOtoKqAOkgVbIZGQCPhBM3p9T3ul5vVO9HTC8ZN+UvGAk+c
+            AwbBUa54h4pa6kx0XsYn3dbHB/AGPakZt1IpTFroK/rzBfrWj4SoiO/gS3H4riYw
+            =/Tcr
+            -----END PGP MESSAGE-----
+          fp: ED1C2FCA9DF4A843D740222A2320AAE969A6A53D
+        - created_at: "2025-07-02T23:48:03Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D0Q846mnV8HYSAQdAchFpGB9bS32W0KTAG+NVsMcVEPKiY4CVg9LZi7faHDkw
+            gZeHWvnIonpC3WHPGeB1z8oUAxkFY/rF6pmT/jCbEZg4D0BEJ+F74gErquyFpOai
+            0l4BFL74dFWqtZv/a1Rod/tie3vvXm9H8KrsP+IDdoS0Inv4n+5dXsWHYA7VM7Wc
+            lnsXiP7W8mIGmmQQCeH09DPvUQeq36WmvITOlyhZ1z+MirZhpcUHnWBP1wFmAAYa
+            =FTmy
+            -----END PGP MESSAGE-----
+          fp: D9AF0A4209B7C2DE11A884BFACBC553660D9993D
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/hosts/thinkpad/sops.nix b/hosts/thinkpad/sops.nix
new file mode 100644
index 0000000..a7ede54
--- /dev/null
+++ b/hosts/thinkpad/sops.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  environment.systemPackages = with pkgs; [
+    sops
+  ];
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+
+    gnupg.home = config.homePath + "/.gnupg";
+    gnupg.sshKeyPaths = [];
+
+    secrets = {
+      freyanetWg = {};
+    };
+  };
+}
diff --git a/hosts/thinkpad/wireguard.nix b/hosts/thinkpad/wireguard.nix
new file mode 100644
index 0000000..84ba8d1
--- /dev/null
+++ b/hosts/thinkpad/wireguard.nix
@@ -0,0 +1,27 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs; [
+    wireguard-tools
+  ];
+
+  networking.wg-quick.interfaces = {
+    freyanet = {
+      address = ["10.2.0.10/32" "fd:cafe:dead:bee::10/128" "fe80::10/128"];
+      dns = ["10.3.0.138"];
+      privateKeyFile = config.sops.secrets.freyanetWg.path;
+      autostart = false;
+
+      peers = [
+        {
+          publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
+          allowedIPs = ["10.0.0.0/14" "fd:cafe::/32"];
+          endpoint = "cid.freya.cat:3000";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}