dn42: sopsify
parent
72060d6d33
commit
36f9213db7
|
@ -327,11 +327,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1640802687,
|
||||
"narHash": "sha256-ITEKxmlg4ectAqSp8mM3M/VCHu973UEcdt8yDb+hzDg=",
|
||||
"lastModified": 1641509208,
|
||||
"narHash": "sha256-W6BJOARYB3bUTBsOT4mBw3sEWNNOzWmlIv/LXlH99y4=",
|
||||
"ref": "master",
|
||||
"rev": "6ae85faf2f864c6a004915cce7d071e827dda314",
|
||||
"revCount": 115,
|
||||
"rev": "c5957e417db3bd82d14c5b3c2198a04e13dc3f7e",
|
||||
"revCount": 117,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
|
||||
},
|
||||
@ -347,7 +347,9 @@
|
|||
./hosts/containers/dn42
|
||||
(_: {
|
||||
nixpkgs.overlays = [ secrets.overlays.dn42 ];
|
||||
sops.defaultSopsFile = "${secrets}/hosts/dn42/secrets.yaml";
|
||||
})
|
||||
sops-nix.nixosModules.sops
|
||||
];
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
@ -38,8 +38,20 @@ in {
|
|||
Exec "collectd" "${routecount}"
|
||||
'';
|
||||
|
||||
# SSH for nixops
|
||||
# SSH for deployment
|
||||
services.openssh.enable = true;
|
||||
sops.secrets = builtins.foldl' (result: name:
|
||||
let
|
||||
conf = neighbors.${name};
|
||||
in result // (
|
||||
if conf ? openvpn
|
||||
then { "neighbors/${name}/openvpn/key" = {}; }
|
||||
else if conf ? wireguard
|
||||
then { "neighbors/${name}/wireguard/privateKey" = {}; }
|
||||
else {}
|
||||
)
|
||||
) {} (builtins.attrNames neighbors);
|
||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
|
@ -69,7 +81,7 @@ in {
|
|||
ping-restart 45
|
||||
verb 1
|
||||
${conf.openvpn}
|
||||
secret ${pkgs.openvpn-keyfile name}
|
||||
secret ${config.sops.secrets."neighbors/${name}/openvpn/key".path}
|
||||
'';
|
||||
up = ''
|
||||
${pkgs.iproute}/bin/ip addr flush dev $1
|
||||
|
@ -88,7 +100,8 @@ in {
|
|||
wireguardNeighbors =
|
||||
lib.filterAttrs (_: conf: conf ? wireguard) neighbors;
|
||||
in builtins.mapAttrs (name: conf: {
|
||||
inherit (conf.wireguard) listenPort privateKey;
|
||||
inherit (conf.wireguard) listenPort;
|
||||
privateKeyFile = config.sops.secrets."neighbors/${name}/wireguard/privateKey".path;
|
||||
ips = [ "${address4}/32" "${address6}/64" ];
|
||||
allowedIPsAsRoutes = false;
|
||||
postSetup = ''
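Review bot: The `sops.secrets` fold in the first hunk of this file declares at most one secret per neighbor, because the `else if conf ? wireguard` branch is unreachable once `conf ? openvpn` holds, while the last hunk's `wireguardNeighbors` is built from every neighbor with a `wireguard` attribute and reads `config.sops.secrets."neighbors/${name}/wireguard/privateKey".path`; a neighbor carrying both transports would therefore fail evaluation on an undeclared secret (the `neighbors` definition is outside this diff, so whether such a neighbor exists cannot be confirmed here). Declaring the two secrets independently with `lib.optionalAttrs` removes that coupling and leaves single-transport neighbors unchanged; `lib` is already in scope, as `lib.filterAttrs` in the last hunk shows. Separately, now that the wireguard block no longer reads `conf.wireguard.privateKey`, any `privateKey` attribute still present in the neighbors definition is dead data that would keep the plaintext key in the world-readable Nix store, so it should be dropped from the source if it is still there. The enclosing `in { … }` attribute set begins and ends outside these hunks.
```nix
  # … unchanged: services.openssh.enable …
  sops.secrets = builtins.foldl' (result: name:
    let
      conf = neighbors.${name};
    in result
      # A neighbor may define both transports: declare one secret per
      # transport so the wireguard block below never references an
      # undeclared secret.
      // lib.optionalAttrs (conf ? openvpn)
        { "neighbors/${name}/openvpn/key" = {}; }
      // lib.optionalAttrs (conf ? wireguard)
        { "neighbors/${name}/wireguard/privateKey" = {}; }
  ) {} (builtins.attrNames neighbors);
  # … unchanged: sops.age.sshKeyPaths …
```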
|
||||