From a5e2c0e496916af920cabc6fc30aad354bbb515f Mon Sep 17 00:00:00 2001
From: Chris Dombroski
Date: Sat, 27 Apr 2024 22:54:20 -0400
Subject: [PATCH] wireguard secrets
---
 secrets/zeus/wireguard.yaml | 31 +++++++++++++++++++++++++++++++
 systems/zeus/configuration.nix | 14 ++++++++++++--
 2 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 secrets/zeus/wireguard.yaml
diff --git a/secrets/zeus/wireguard.yaml b/secrets/zeus/wireguard.yaml
new file mode 100644
index 0000000..fd4c9ac
--- /dev/null
+++ b/secrets/zeus/wireguard.yaml
@@ -0,0 +1,31 @@
+private_key: ENC[AES256_GCM,data:HuO60p+jAmsdMbUUF6pcgdsOVW9uU+W1cLn4dvqb9MopCgdukZtRoTwMTFU=,iv:Z1YkYxZBCstfI7aQEhZhT4eGlbjqwQ2VN01Y5HUbO7E=,tag:FXi/mTAiOoYcdXrgKDvt/g==,type:str]
+preshared_key: ENC[AES256_GCM,data:iFEFO7SMNrLqqpRQF57XSe9+59YdFdTXvP3QKxHkRrOzMRzJqGhi3wrjbAI=,iv:S4OA4GLK8wBkHwtq2Rqo76wxsJd5GJnJMjpPk/zRTAQ=,tag:vZaOaVTOAkuN8HgabOKkyA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycG1rZmpXZTExVEtEZVMz
+ NVBqTkNyQ2Noa1hjMFBDVGxOczRadnVaRWhBCmNFSTVoVlcvbDVXTHRpaFlQVE4y
+ UGZHb1lVWEF2N29hMW5QM1V0UVNteHcKLS0tIG1HM2JRdnVabERGODltS3EyM0U3
+ ei9xcG8wY0FnRzJZUEdqeXAzdWtCM0EKHYGaKJRDJ4OlPlCnGlZBTybpYmUQJ6Kg
+ aZlmeezY8JqpFH3zsXfyWuMZ6j6rs63UXVL7vZ3fEloUXHV7F57gVQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RFdoTzlTNU9yem1QTWtj
+ UTYxcWcxYXlGeks3TEw5bWtOczdub1lDRjJFCmdiWi9ZMkF3Vk15Y1VrMTBvM3du
+ ZDRpKytaMTRGZ1g3ZHhhNTlxWkYrS3cKLS0tIGhxSUcyWmRCMVp3Q1daZGt1Tk51
+ d3pqdWU4NXVTMGZ5dTkvNnZyYjdvck0Khp1IPBPKelQ41FPqi/uuPFqN7T0bic8+
+ AKld/MUNWxLIZpbqDeXyfJAJVAbgKdk1lrIYpgshOZNV6u/SHAcmzA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-28T02:47:34Z"
+ mac: ENC[AES256_GCM,data:Zq4M8qr5PPOk+uPx/f3C24D4uTL82C1Cs7c5y66aAgnydR1ro9Pu5//Jj4fSOY59aKgeOGmx0DqV3k+1E6FttNy/8qpzJFCCDlgqB/BPqzJElFQ9FlgdCqoMehu9ETys1SgAhWi8aEZZAYbGKFQ/MX6LCAP2zx8NZ/wkbtUEU3E=,iv:k5RnwFwiEAugD/DTpOSCmSzpZCRzdkpTmOS3PTz44/c=,tag:T7HJFVr6VwzHCWIUD/uwXA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/systems/zeus/configuration.nix b/systems/zeus/configuration.nix
index 5259c90..fc41f47 100644
--- a/systems/zeus/configuration.nix
+++ b/systems/zeus/configuration.nix
@@ -17,6 +17,16 @@
  networking.hostName = "zeus"; # Define your hostname.
  networking.hostId = "9e95b576";
+ sops.secrets = {
+ private_key = {
+ sopsFile = ../../secrets/zeus/wireguard.yaml;
+ owner = "systemd-network";
+ };
+ preshared_key = {
+ sopsFile = ../../secrets/zeus/wireguard.yaml;
+ owner = "systemd-network";
+ };
+ };
  systemd.network.netdevs = {
  bond0 = {
  netdevConfig = {
@@ -43,14 +53,14 @@
  Kind = "wireguard";
  };
  wireguardConfig = {
- PrivateKeyFile = "/etc/nixos/wireguard.priv";
+ PrivateKeyFile = config.sops.secrets.private_key.path;
  ListenPort = 51821;
  };
  wireguardPeers = [{
  wireguardPeerConfig = {
  PublicKey = "ZT+n0XONAZ6dkiIJR+2bmTT9y7WTxDNdnZo5S7b8vxE=";
  AllowedIPs = [ "10.98.0.0/31" ];
- PresharedKeyFile = "/etc/nixos/wireguard.psk";
+ PresharedKeyFile = config.sops.secrets.preshared_key.path;
  PersistentKeepalive = 25;
  Endpoint = "remote.kow.is:51821";
  };
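Review bot: The new `sops.secrets.private_key` and `sops.secrets.preshared_key` entries declare `sopsFile` and `owner` but no `restartUnits`, so as far as sops-nix's activation model goes a later rotation of the values in `secrets/zeus/wireguard.yaml` would be written to the secret paths without systemd-networkd ever re-reading them until a reboot or manual restart; add `restartUnits = [ "systemd-networkd.service" ];` to both entries. The change also only repoints `PrivateKeyFile` and `PresharedKeyFile` away from `/etc/nixos/wireguard.priv` and `/etc/nixos/wireguard.psk` — nothing here removes those plaintext files, and if the encrypted values are the same material that previously sat unencrypted in `/etc/nixos` (not verifiable from this diff), rotating the WireGuard private key and the PSK on both ends is the safer follow-up rather than just re-encrypting them. The names `private_key` and `preshared_key` are host-global in sops-nix (by default they become `/run/secrets/private_key` and `/run/secrets/preshared_key`), so any other secret with a key by that name would collide; `sops.secrets.wireguard_private_key = { key = "private_key"; ... }` namespaces the path while leaving the YAML untouched. The module header that would bring `config` into scope for `config.sops.secrets.*.path` lies outside both hunks, so whether it is already an argument of this file cannot be confirmed here.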