author | Freya Murphy <freya@freyacat.org> | 2025-07-02 20:07:50 -0400 |
---|---|---|
committer | Freya Murphy <freya@freyacat.org> | 2025-07-02 20:07:50 -0400 |
commit | b130948ddf03010ef7c2fc9b4b4841e41f5e6b73 (patch) | |
tree | e73fe706908fe79afeaab72157216584d7ad25ce | |
parent | add rosepine themes (diff) | |
add freyanet and sops to thinkpad
-rw-r--r-- | .sops.yaml | 5 | ||||
-rw-r--r-- | home/gpg.nix | 15 | ||||
-rw-r--r-- | hosts/shinji/sops.nix | 6 | ||||
-rw-r--r-- | hosts/thinkpad/default.nix | 2 | ||||
-rw-r--r-- | hosts/thinkpad/secrets.yaml | 29 | ||||
-rw-r--r-- | hosts/thinkpad/sops.nix | 25 | ||||
-rw-r--r-- | hosts/thinkpad/wireguard.nix | 27 |
7 files changed, 96 insertions, 13 deletions
@@ -13,3 +13,8 @@ creation_rules:
 - pgp:
 - *freya
 - *shinji
+ - path_regex: ^hosts/thinkpad/secrets.yaml$
+ key_groups:
+ - pgp:
+ - *freya
+ - *thinkpad
diff --git a/home/gpg.nix b/home/gpg.nix
index 411cc30..d17611a 100644
--- a/home/gpg.nix
+++ b/home/gpg.nix
@@ -9,14 +9,13 @@
 # install keys into gpg keyring
 programs.gpg = {
 enable = true;
- # FIXME: this is broken, fails during home-manager activation :(
- #
- # publicKeys =
- # map (path: {
- # source = path;
- # trust = 5;
- # })
- # self.lib.gpgKeys;
+
+ publicKeys =
+ map (path: {
+ source = path;
+ trust = 5;
+ })
+ self.lib.gpgKeys;
 };
 
 # global gpg agent
diff --git a/hosts/shinji/sops.nix b/hosts/shinji/sops.nix
index fa3272c..a0724e1 100644
--- a/hosts/shinji/sops.nix
+++ b/hosts/shinji/sops.nix
@@ -3,11 +3,7 @@
 pkgs,
 inputs,
 ...
-}: let
- isEd25519 = k: k.type == "ed25519";
- getKeyPath = k: k.path;
- keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
-in {
+}: {
 imports = [
 inputs.sops-nix.nixosModules.sops
 ];
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 4f10489..31b1e6f 100644
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -3,6 +3,8 @@
 {...}: {
 imports = [
 ./hardware.nix
+ ./sops.nix
+ ./wireguard.nix
 ];
 
 # options
diff --git a/hosts/thinkpad/secrets.yaml b/hosts/thinkpad/secrets.yaml
new file mode 100644
index 0000000..33ef635
--- /dev/null
+++ b/hosts/thinkpad/secrets.yaml
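Review bot: The `.` in `path_regex: ^hosts/thinkpad/secrets.yaml$` is an unescaped regex metacharacter, so the rule also matches any single character in that position; the intent reads more precisely as `path_regex: ^hosts/thinkpad/secrets\.yaml$`. The new rule also relies on a `*thinkpad` alias being declared in the keys section above this hunk (outside SOURCE), and the diffstat records only these five added lines for `.sops.yaml`, so the anchor must already exist; if it does not, YAML parsing of the config fails with an undefined-alias error before any encryption happens. Worth confirming that the alias resolves to the fingerprint `D9AF0A4209B7C2DE11A884BFACBC553660D9993D` that the new secrets.yaml is encrypted to.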
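Review bot: `trust = 5;` assigns ultimate owner trust to every key in `self.lib.gpgKeys`; that level is meant for the user's own keys, so if the list also carries other people's public keys they end up treated as the user's own and their certifications are trusted unconditionally, and a lower level (`trust = 4;` for full trust, or leaving it unset) is more appropriate for them. The FIXME about home-manager activation failing is deleted without recording what changed; a short comment above `publicKeys =` such as `# installed at home-manager activation; previously failed there, re-check if switch starts erroring` would keep that history next to the code. The enclosing `programs.gpg` attribute set continues outside the hunk.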
@@ -0,0 +1,29 @@
+freyanetWg: ENC[AES256_GCM,data:Smy7s+aH8+4QsNkIbK4YCT0KKUBY+9xMviTtep6lRl31hLxmym6sntqDQl4=,iv:V2OJt6y9bE/sWC4S+aKSmNpyYiZ0WOPHi1FZ1IOMfjc=,tag:UK5R8iE7wed3iZSAdI+WJQ==,type:str]
+sops:
+ lastmodified: "2025-07-02T23:48:03Z"
+ mac: ENC[AES256_GCM,data:0+UiaZgu6cfQTTRZTl89/sYXL8BV2/XUHsNAuYQsPUY6udWb7j4Nfj1cDMi+O7rnhl3TK61ms6QhdQkkLiMIUVlngzFHi+iWYTQ8WU1V2YneeepVDJuxiQn5PhzSlFDqDvdgPwVRT/HM/KeJ7iUsHKTFBF+MTuKUZTbftCL9ZaM=,iv:3QBubDeW27udjHjJlPXWihNLnFsu0PP5c4CcxCvpzQM=,tag:N0wKnLVVrIhn+aHUJeHWzw==,type:str]
+ pgp:
+ - created_at: "2025-07-02T23:48:03Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DNAX7itQ/dpkSAQdA5m1vsAEbOtx2mD+j92sAXoEYFS7TkokwB/zFnRWVE2Iw
+ aGhhIFroNipYmWbwsrWJ1rcel4NmOCJYkA28Hfs1Ejvl8Hpi6NursNFeObYJMITG
+ 0l4BzejxDHvEH2dkOFOtoKqAOkgVbIZGQCPhBM3p9T3ul5vVO9HTC8ZN+UvGAk+c
+ AwbBUa54h4pa6kx0XsYn3dbHB/AGPakZt1IpTFroK/rzBfrWj4SoiO/gS3H4riYw
+ =/Tcr
+ -----END PGP MESSAGE-----
+ fp: ED1C2FCA9DF4A843D740222A2320AAE969A6A53D
+ - created_at: "2025-07-02T23:48:03Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D0Q846mnV8HYSAQdAchFpGB9bS32W0KTAG+NVsMcVEPKiY4CVg9LZi7faHDkw
+ gZeHWvnIonpC3WHPGeB1z8oUAxkFY/rF6pmT/jCbEZg4D0BEJ+F74gErquyFpOai
+ 0l4BFL74dFWqtZv/a1Rod/tie3vvXm9H8KrsP+IDdoS0Inv4n+5dXsWHYA7VM7Wc
+ lnsXiP7W8mIGmmQQCeH09DPvUQeq36WmvITOlyhZ1z+MirZhpcUHnWBP1wFmAAYa
+ =FTmy
+ -----END PGP MESSAGE-----
+ fp: D9AF0A4209B7C2DE11A884BFACBC553660D9993D
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/hosts/thinkpad/sops.nix b/hosts/thinkpad/sops.nix
new file mode 100644
index 0000000..a7ede54
--- /dev/null
+++ b/hosts/thinkpad/sops.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+
+ gnupg.home = config.homePath + "/.gnupg";
+ gnupg.sshKeyPaths = [];
+
+ secrets = {
+ freyanetWg = {};
+ };
+ };
+}
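Review bot: `gnupg.home = config.homePath + "/.gnupg";` points sops-nix at a per-user keyring, but sops-nix decrypts during system activation as root without the user's agent session, so the PGP private key in that directory has to be usable non-interactively (as I recall a passphrase-protected key cannot be unlocked in that context — confirm); a comment recording that constraint above the line would spare the next reader a failed switch. `config.homePath` is defined neither in this hunk nor by sops-nix, so it must come from another module the host imports (outside SOURCE); if it is missing, evaluation fails with an undefined-attribute error. `gnupg.sshKeyPaths = [];` also deserves a why-comment, e.g. `# host SSH keys are not decryption recipients; secrets.yaml is encrypted to PGP keys only`, since it deliberately disables the default of deriving keys from the host's SSH keys.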
diff --git a/hosts/thinkpad/wireguard.nix b/hosts/thinkpad/wireguard.nix
new file mode 100644
index 0000000..84ba8d1
--- /dev/null
+++ b/hosts/thinkpad/wireguard.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ networking.wg-quick.interfaces = {
+ freyanet = {
+ address = ["10.2.0.10/32" "fd:cafe:dead:bee::10/128" "fe80::10/128"];
+ dns = ["10.3.0.138"];
+ privateKeyFile = config.sops.secrets.freyanetWg.path;
+ autostart = false;
+
+ peers = [
+ {
+ publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
+ allowedIPs = ["10.0.0.0/14" "fd:cafe::/32"];
+ endpoint = "cid.freya.cat:3000";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+} |
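Review bot: `dns = ["10.3.0.138"];` is applied by wg-quick through resolvconf, which, as I recall, the NixOS wg-quick module expects to be available on the host (confirm against the option's description); if the thinkpad relies on systemd-resolved or a static resolv.conf instead, bringing the interface up fails at the DNS step or the setting is silently ineffective, so either enable resolvconf or drop `dns`. `autostart = false;` carries no comment; `# not started at boot, brought up on demand with wg-quick` (or the actual reason) would make the intent explicit. Reading the private key from `config.sops.secrets.freyanetWg.path` rather than inline is the right call here, and the tunnel address `10.2.0.10/32`, resolver `10.3.0.138` and `allowedIPs` `10.0.0.0/14` are mutually consistent, so resolver traffic does route through the tunnel.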