wireguard secrets

2024-04-27 22:54:20 -04:00 · 2024-04-27 22:54:20 -04:00 · a5e2c0e496
commit a5e2c0e496
parent b469af3d5b
2 changed files with 43 additions and 2 deletions
--- a/secrets/zeus/wireguard.yaml
+++ b/secrets/zeus/wireguard.yaml
@ -0,0 +1,31 @@
+private_key: ENC[AES256_GCM,data:HuO60p+jAmsdMbUUF6pcgdsOVW9uU+W1cLn4dvqb9MopCgdukZtRoTwMTFU=,iv:Z1YkYxZBCstfI7aQEhZhT4eGlbjqwQ2VN01Y5HUbO7E=,tag:FXi/mTAiOoYcdXrgKDvt/g==,type:str]
+preshared_key: ENC[AES256_GCM,data:iFEFO7SMNrLqqpRQF57XSe9+59YdFdTXvP3QKxHkRrOzMRzJqGhi3wrjbAI=,iv:S4OA4GLK8wBkHwtq2Rqo76wxsJd5GJnJMjpPk/zRTAQ=,tag:vZaOaVTOAkuN8HgabOKkyA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycG1rZmpXZTExVEtEZVMz
+            NVBqTkNyQ2Noa1hjMFBDVGxOczRadnVaRWhBCmNFSTVoVlcvbDVXTHRpaFlQVE4y
+            UGZHb1lVWEF2N29hMW5QM1V0UVNteHcKLS0tIG1HM2JRdnVabERGODltS3EyM0U3
+            ei9xcG8wY0FnRzJZUEdqeXAzdWtCM0EKHYGaKJRDJ4OlPlCnGlZBTybpYmUQJ6Kg
+            aZlmeezY8JqpFH3zsXfyWuMZ6j6rs63UXVL7vZ3fEloUXHV7F57gVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RFdoTzlTNU9yem1QTWtj
+            UTYxcWcxYXlGeks3TEw5bWtOczdub1lDRjJFCmdiWi9ZMkF3Vk15Y1VrMTBvM3du
+            ZDRpKytaMTRGZ1g3ZHhhNTlxWkYrS3cKLS0tIGhxSUcyWmRCMVp3Q1daZGt1Tk51
+            d3pqdWU4NXVTMGZ5dTkvNnZyYjdvck0Khp1IPBPKelQ41FPqi/uuPFqN7T0bic8+
+            AKld/MUNWxLIZpbqDeXyfJAJVAbgKdk1lrIYpgshOZNV6u/SHAcmzA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-28T02:47:34Z"
+    mac: ENC[AES256_GCM,data:Zq4M8qr5PPOk+uPx/f3C24D4uTL82C1Cs7c5y66aAgnydR1ro9Pu5//Jj4fSOY59aKgeOGmx0DqV3k+1E6FttNy/8qpzJFCCDlgqB/BPqzJElFQ9FlgdCqoMehu9ETys1SgAhWi8aEZZAYbGKFQ/MX6LCAP2zx8NZ/wkbtUEU3E=,iv:k5RnwFwiEAugD/DTpOSCmSzpZCRzdkpTmOS3PTz44/c=,tag:T7HJFVr6VwzHCWIUD/uwXA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/systems/zeus/configuration.nix
+++ b/systems/zeus/configuration.nix
@ -17,6 +17,16 @@

  networking.hostName = "zeus"; # Define your hostname.
  networking.hostId = "9e95b576";
+  sops.secrets = {
+    private_key = {
+      sopsFile = ../../secrets/zeus/wireguard.yaml;
+      owner = "systemd-network";
+    };
+    preshared_key = {
+      sopsFile = ../../secrets/zeus/wireguard.yaml;
+      owner = "systemd-network";
+    };
+  };
  systemd.network.netdevs = {
    bond0 = {
      netdevConfig = {
@ -43,14 +53,14 @@
        Kind = "wireguard";
      };
      wireguardConfig = {
-        PrivateKeyFile = "/etc/nixos/wireguard.priv";
+        PrivateKeyFile = config.sops.secrets.private_key.path;
        ListenPort = 51821;
      };
      wireguardPeers = [{
        wireguardPeerConfig = {
          PublicKey = "ZT+n0XONAZ6dkiIJR+2bmTT9y7WTxDNdnZo5S7b8vxE=";
          AllowedIPs = [ "10.98.0.0/31" ];
-          PresharedKeyFile = "/etc/nixos/wireguard.psk";
+          PresharedKeyFile = config.sops.secrets.preshared_key.path;
          PersistentKeepalive = 25;
          Endpoint = "remote.kow.is:51821";
        };