authorFreya Murphy <freya@freyacat.org>2025-06-21 22:33:33 -0400
committerFreya Murphy <freya@freyacat.org>2025-06-21 22:33:33 -0400
commitb8c3752242ba2362a875dba555ff2527043bfe66 (patch)
tree8e6c0758546c262c22e04acc1913b0e1ac8ec5c9 /hosts/shinji
parentrun wl-clip-persist (diff)
move shinji wireguard secrets to only shinji host (refactor hosts)
Diffstat (limited to 'hosts/shinji')
-rw-r--r--hosts/shinji/default.nix88
-rw-r--r--hosts/shinji/secrets.yaml30
-rw-r--r--hosts/shinji/sops.nix30
-rw-r--r--hosts/shinji/wireguard.nix39
4 files changed, 187 insertions, 0 deletions
diff --git a/hosts/shinji/default.nix b/hosts/shinji/default.nix
new file mode 100644
index 0000000..df49157
--- /dev/null
+++ b/hosts/shinji/default.nix
@@ -0,0 +1,88 @@
+# Shinji
+# System configuration for my laptop
+{
+ inputs,
+ options,
+ ...
+}:
+inputs.nixpkgs.lib.nixosSystem rec {
+ system = "x86_64-linux";
+ specialArgs = {inherit inputs;};
+ modules = [
+ options
+ ../../config
+ ../../home
+ ../../programs
+ ../../system
+ {
+ # imports
+ imports = [
+ ./sops.nix
+ ./wireguard.nix
+ ];
+
+ # options
+ hostName = "shinji";
+ monitors = [
+ {
+ name = "eDP-1";
+ scale = 1.25;
+ }
+ ];
+
+ # set power btn to suspend
+ services.logind.extraConfig = ''
+ HandlePowerKey=suspend
+ '';
+
+ # hardware
+ hardware.graphics.enable = true;
+ hardware.bluetooth.enable = true;
+ security.tpm2.enable = false;
+
+ # bootloader
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi = {
+ canTouchEfiVariables = true;
+ efiSysMountPoint = "/boot/efi";
+ };
+
+ # kernel modules
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usb_storage"
+ "sd_mod"
+ ];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
+
+ # firmware
+ hardware.enableRedistributableFirmware = true;
+ hardware.cpu.amd.updateMicrocode = true;
+
+ # luks device
+ boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/ad489bfa-4280-44ea-8ad2-60347b516d60";
+
+ # root
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/b43a7cf6-b9aa-44c2-ad29-da24ffa56901";
+ fsType = "btrfs";
+ };
+
+ # boot
+ fileSystems."/boot/efi" = {
+ device = "/dev/disk/by-uuid/6F93-6A0B";
+ fsType = "vfat";
+ options = ["fmask=0022" "dmask=0022"];
+ };
+
+ # swap
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/57caa02d-8569-43e3-8bf9-09dd6f02b191";}
+ ];
+ }
+ ];
+}
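Review bot: The ESP mount at `fileSystems."/boot/efi"` uses `fmask=0022` and `dmask=0022`, which leaves every file on the vfat partition world-readable. With `boot.loader.systemd-boot.enable = true` that normally includes the boot loader's random-seed file, which bootctl warns about. Changing the line to `options = ["fmask=0077" "dmask=0077"];` keeps the partition readable by root only. Separately, `swapDevices` points at a plain by-uuid partition while only `"root"` appears under `boot.initrd.luks.devices`. If that swap partition is not inside an encrypted container, pages swapped out of memory (decrypted secrets included) reach disk in the clear, so this is worth confirming and recording in a comment next to the entry.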
diff --git a/hosts/shinji/secrets.yaml b/hosts/shinji/secrets.yaml
new file mode 100644
index 0000000..44667df
--- /dev/null
+++ b/hosts/shinji/secrets.yaml
@@ -0,0 +1,30 @@
+freyanetWg: ENC[AES256_GCM,data:mUI3eIwFzanJz9iJCbIBDg3FMKdDMcOQ6u96mk5/zZd8MG5kuOG39wu8xZQ=,iv:Sd6EjuQiNhD0QupGpbRPJF7aIBCJJ3/LNNmUYlBMRNI=,tag:KFKoL0JbSfEQidaEzi049Q==,type:str]
+tinternetWg: ENC[AES256_GCM,data:5ajGIfQp06v4g3AbJFCzXrbxXw7cnoMWwwV8Ti03IDVUxSHlfDiGvB+F2XE=,iv:JOTd7Mc+gnckPAH9ev83y+ZGWwMsZJSQ34VHosNv0p4=,tag:5oAlaF7EgExiNPrZc+KMvw==,type:str]
+sops:
+ lastmodified: "2025-04-11T19:33:22Z"
+ mac: ENC[AES256_GCM,data:eD9BZlEgriyrmFqtb/EBmfQieI3/fh5vat1yPc3cQsBvs+lRlsYKBL367TiJ/giXso5KLqoIXAjeJwW/ogimMLACljgw9b3BbUcyhjvcUCXJS3BLe60oTDxLxY+PDyIM5BfrAVSK+1u8ruiOnIIaxfjc+cRsrQ8m5OZB+IoGAL8=,iv:k0tRFqW/syl+fcbzgaI7R6Pcen9+A2aWRCnAe9ydE+k=,tag:JpTyhYKMjP4a7BfdkGe1Hw==,type:str]
+ pgp:
+ - created_at: "2025-06-22T02:32:57Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D0Q846mnV8HYSAQdAiydHrfiuvIlOIMBqpPWX/05MP5d5gIQjXIyc8tzdsycw
+ ZzzKJKsNh4XZd726Toks0CVF5NZLYLtMyAs8S2huf3gz6cgt3k8MI2qPmaEJMDBQ
+ 0lwBjTp5//gCK0YbO76IxvteL+TgiklwJN03ryMl9Mj8JVVMmiBh25PGuxblbi52
+ pEJMVlxJVUxrHQY+XREZKhNp73JLRovZHFDMpSR5TAZxD6ZmtChElk5ofKVFiw==
+ =suGj
+ -----END PGP MESSAGE-----
+ fp: D9AF0A4209B7C2DE11A884BFACBC553660D9993D
+ - created_at: "2025-06-22T02:32:57Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D/YCJcy0T0DkSAQdA3Vc35wBJSjwWaNbYa2s4wKGsXOnz6ucSk62vnXGxYTUw
+ Y8uSyG6Jf040oEgAixd46s1H30CmT0+Hi6zF7jGweo1yGzEFZ53v+VVusCv2JbI7
+ 0lwB7LnU2M6SAkvhr/SJTEVz9Uu/cx6xJnFeGXWXwY6mPN+InOee7UJW3Ffv2n/t
+ 7PoojznXONSma2Xc8u3Ywk83jMrKqnNLMEATqnCg/1FZHe8Asr6Lan6KD0U81g==
+ =azav
+ -----END PGP MESSAGE-----
+ fp: 2A8A27879715447AEEC59D0C18DCCBE353963394
+ unencrypted_suffix: _unencrypted
+ version: 3.10.1
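Review bot: The sops metadata suggests the two WireGuard private keys were re-wrapped rather than replaced: `lastmodified` is 2025-04-11, while both `pgp` entries carry `created_at` 2025-06-22, about a minute before the commit. If the point of moving the file under hosts/shinji is to narrow who can read these keys, anyone who could decrypt the earlier shared secrets file can presumably still recover the same values from repository history. In that case new WireGuard keypairs should be generated and the peers updated with the new public keys. The previous file is outside this path-limited view, so this is inferred from the timestamps alone. `tinternetWg` is also stored here and declared in sops.nix (`tinternetWg = {};`) although its only consumer in wireguard.nix is commented out, so both entries could be dropped until that interface is enabled.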
diff --git a/hosts/shinji/sops.nix b/hosts/shinji/sops.nix
new file mode 100644
index 0000000..fa3272c
--- /dev/null
+++ b/hosts/shinji/sops.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ pkgs,
+ inputs,
+ ...
+}: let
+ isEd25519 = k: k.type == "ed25519";
+ getKeyPath = k: k.path;
+ keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+in {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+
+ gnupg.home = config.homePath + "/.gnupg";
+ gnupg.sshKeyPaths = [];
+
+ secrets = {
+ freyanetWg = {};
+ tinternetWg = {};
+ };
+ };
+}
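Review bot: The `let` bindings `isEd25519`, `getKeyPath` and `keys` are never referenced in the module body, so they suggest SSH host keys still take part in decryption even though `gnupg.sshKeyPaths = [];` turns that off. Remove them, or add a comment such as `# decryption uses the GnuPG keyring only; SSH host keys are deliberately not imported`. `gnupg.home` is set to `config.homePath + "/.gnupg"`, so the key that unlocks system-level secrets lives in the user's home directory and presumably has to work without a passphrase prompt at activation time. A root-owned keyring directory dedicated to sops would keep that key apart from the desktop session. How `homePath` is defined is outside this diff, so confirm before changing it.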
diff --git a/hosts/shinji/wireguard.nix b/hosts/shinji/wireguard.nix
new file mode 100644
index 0000000..13669b3
--- /dev/null
+++ b/hosts/shinji/wireguard.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ networking.wg-quick.interfaces = {
+ freyanet = {
+ address = ["10.2.0.2/32" "fd:cafe:dead:bee::2/128" "fe80::2/128"];
+ dns = ["10.3.0.138"];
+ privateKeyFile = config.sops.secrets.freyanetWg.path;
+
+ peers = [
+ {
+ publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
+ allowedIPs = ["10.0.0.0/14" "fd:cafe::/32"];
+ endpoint = "cid.freya.cat:3000";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+
+ #tinternet = {
+ # address = [ "69.0.0.2/32" "cafe::2/128" "fe80::2/128" ];
+ # dns = [ "1.1.1.1" ];
+ # privateKeyFile = config.sops.secrets.tinternetWg.path;
+
+ # peers = [{
+ # publicKey = "8Ice49Yc7N75OYJW59ohDbfUjgrkwIuGWKWocJQGgzI=";
+ # allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ # endpoint = "freya.cat:51282";
+ # persistentKeepalive = 25;
+ # }];
+ #};
+ };
+}
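Review bot: The IPv6 literals in the `freyanet` interface are probably not in the unique-local range they resemble: in `fd:cafe:dead:bee::2/128` and `fd:cafe::/32` the first group parses as `00fd`, which lies outside `fc00::/7`. Firewall rules or tooling that treat ULA space as private will therefore not match these addresses. Renumbering needs coordination with the peer, so at minimum add a comment on the `address` and `allowedIPs` lines stating that the prefix is intentional. `dns = ["10.3.0.138"]` typically makes wg-quick route all name lookups to the tunnel resolver while `allowedIPs` is a split tunnel, so a comment should record whether that is intended. The commented-out `tinternet` block would be better deleted than kept as dead configuration, since it still references `config.sops.secrets.tinternetWg.path`.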