dn42: sopsify

2022-01-06 23:30:33 +01:00 · 2022-01-06 23:30:33 +01:00 · 36f9213db7
parent 72060d6d33
commit 36f9213db7
3 changed files with 22 additions and 7 deletions
--- a/flake.lock
+++ b/flake.lock
@ -327,11 +327,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1640802687,
-        "narHash": "sha256-ITEKxmlg4ectAqSp8mM3M/VCHu973UEcdt8yDb+hzDg=",
+        "lastModified": 1641509208,
+        "narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
        "ref": "master",
-        "rev": "6ae85faf2f864c6a004915cce7d071e827dda314",
-        "revCount": 115,
+        "rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
+        "revCount": 117,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -347,7 +347,9 @@
            ./hosts/containers/dn42
            (_: {
              nixpkgs.overlays = [ secrets.overlays.dn42 ];
+              sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
            })
+            sops-nix.nixosModules.sops
          ];
          system = "x86_64-linux";
        };
--- a/hosts/containers/dn42/default.nix
+++ b/hosts/containers/dn42/default.nix
@ -38,8 +38,20 @@ in {
      Exec "collectd" "${routecount}"
    '';

-  # SSH for nixops
+  # SSH for deployment
  services.openssh.enable = true;
+  sops.secrets = builtins.foldl' (result: name:
+    let
+      conf = neighbors.${name};
+    in result // (
+      if conf ? openvpn
+      then { "neighbors/${name}/openvpn/key" = {}; }
+      else if conf ? wireguard
+      then { "neighbors/${name}/wireguard/privateKey" = {}; }
+      else {}
+    )
+  ) {} (builtins.attrNames neighbors);
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
@ -69,7 +81,7 @@ in {
        ping-restart 45
        verb 1
        ${conf.openvpn}
-        secret ${pkgs.openvpn-keyfile name}
+        secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path}
      '';
      up = ''
        ${pkgs.iproute}/bin/ip addr flush dev $1
@ -88,7 +100,8 @@ in {
      wireguardNeighbors =
        lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
    in builtins.mapAttrs (name: conf: {
-      inherit (conf.wireguard) listenPort privateKey;
+      inherit (conf.wireguard) listenPort;
+      privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
      ips = [ "${address4}/32" "${address6}/64" ];
      allowedIPsAsRoutes = false;
      postSetup = ''