dn42: sopsify
parent
72060d6d33
commit
36f9213db7
|
@ -327,11 +327,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1640802687,
|
"lastModified": 1641509208,
|
||||||
"narHash": "sha256-ITEKxmlg4ectAqSp8mM3M/VCHu973UEcdt8yDb+hzDg=",
|
"narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
|
||||||
"ref": "master",
|
"ref": "master",
|
||||||
"rev": "6ae85faf2f864c6a004915cce7d071e827dda314",
|
"rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
|
||||||
"revCount": 115,
|
"revCount": 117,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -347,7 +347,9 @@
|
||||||
./hosts/containers/dn42
|
./hosts/containers/dn42
|
||||||
(_: {
|
(_: {
|
||||||
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
||||||
|
sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
|
||||||
})
|
})
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
};
|
};
|
||||||
|
|
|
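Review bot: `sops-nix.nixosModules.sops` is added to the module list, but whether `sops-nix` is declared as a flake input and passed into this scope is outside the hunk; if it is not, evaluation fails with an undefined variable rather than a missing-module error, so that is the first thing to check. It is also worth a comment on the `sops.defaultSopsFile` line that `"${secrets}/hosts/dn42/secrets.yaml"` copies the file into the world-readable Nix store, which is only acceptable because it is sops ciphertext decrypted at activation on the host, e.g. `# sops-encrypted; only ciphertext reaches the store, decryption happens on the host`. The enclosing nixosConfigurations attrset starts before the hunk.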
@ -38,8 +38,20 @@ in {
|
||||||
Exec "collectd" "${routecount}"
|
Exec "collectd" "${routecount}"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# SSH for nixops
|
# SSH for deployment
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
sops.secrets = builtins.foldl' (result: name:
|
||||||
|
let
|
||||||
|
conf = neighbors.${name};
|
||||||
|
in result // (
|
||||||
|
if conf ? openvpn
|
||||||
|
then { "neighbors/${name}/openvpn/key" = {}; }
|
||||||
|
else if conf ? wireguard
|
||||||
|
then { "neighbors/${name}/wireguard/privateKey" = {}; }
|
||||||
|
else {}
|
||||||
|
)
|
||||||
|
) {} (builtins.attrNames neighbors);
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.conf.all.forwarding" = true;
|
"net.ipv4.conf.all.forwarding" = true;
|
||||||
|
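Review bot: The `if conf ? openvpn … else if conf ? wireguard` chain in the new `sops.secrets` fold declares at most one secret per neighbor, but the wireguard hunk further down reads `config.sops.secrets."neighbors/${name}/wireguard/privateKey".path` for every neighbor selected by `lib.filterAttrs (_: conf: conf ? wireguard)`, regardless of whether openvpn is also set. A neighbor configured with both transports would therefore fail evaluation with a missing attribute on the wireguard secret; the two conditions should be independent, e.g. via `lib.optionalAttrs` (`lib` is already in scope). If no neighbor carries both keys today this is latent, but nothing in the hunk enforces that. The enclosing module attrset (`in { … }`) starts before the hunk.
```nix
sops.secrets = builtins.foldl' (result: name:
  let
    conf = neighbors.${name};
  in result
    # one secret per configured transport; a neighbor may define both
    // lib.optionalAttrs (conf ? openvpn) { "neighbors/${name}/openvpn/key" = {}; }
    // lib.optionalAttrs (conf ? wireguard) { "neighbors/${name}/wireguard/privateKey" = {}; }
) {} (builtins.attrNames neighbors);
```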
@ -69,7 +81,7 @@ in {
|
||||||
ping-restart 45
|
ping-restart 45
|
||||||
verb 1
|
verb 1
|
||||||
${conf.openvpn}
|
${conf.openvpn}
|
||||||
secret ${pkgs.openvpn-keyfile name}
|
secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path}
|
||||||
'';
|
'';
|
||||||
up = ''
|
up = ''
|
||||||
${pkgs.iproute}/bin/ip addr flush dev $1
|
${pkgs.iproute}/bin/ip addr flush dev $1
|
||||||
|
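Review bot: The `secret` directive now points at a sops-managed file, which sops-nix creates root-owned and read-only for root unless the secret declaration sets `owner`/`mode`, and the hunk keeps `ping-restart 45`, so OpenVPN will re-open that file on every inactivity restart. That only works if the process still runs as root at that point; if `${conf.openvpn}` (contents not visible here) drops privileges with `user`/`group`, the restart fails to re-read the key unless `persist-key` is present, or the secret is declared with a matching owner. A short comment on the `secret` line stating which of the two the config relies on would help the next reader, e.g. `# key file is root-only; keep persist-key if conf.openvpn drops privileges`.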
@ -88,7 +100,8 @@ in {
|
||||||
wireguardNeighbors =
|
wireguardNeighbors =
|
||||||
lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
||||||
in builtins.mapAttrs (name: conf: {
|
in builtins.mapAttrs (name: conf: {
|
||||||
inherit (conf.wireguard) listenPort privateKey;
|
inherit (conf.wireguard) listenPort;
|
||||||
|
privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
|
||||||
ips = [ "${address4}/32" "${address6}/64" ];
|
ips = [ "${address4}/32" "${address6}/64" ];
|
||||||
allowedIPsAsRoutes = false;
|
allowedIPsAsRoutes = false;
|
||||||
postSetup = ''
|
postSetup = ''
|
||||||
|
|