freifunk: move ospf secret to sops

Astro 2023-06-27 02:48:25 +02:00
parent fe6490b081
commit dae9fcd0ff
2 changed files with 15 additions and 12 deletions


@ -125,6 +125,9 @@ in {
group = "systemd-network";
mode = "0440";
};
secrets."bird/ospf/auth" = {
owner = "bird2";
};
};
# unbreak wg-vpn6 ingress path
@ -330,6 +333,8 @@ in {
# Advertise Freifunk routes to ZW core
services.bird2 = {
enable = true;
# nix-build cannot access /run/secrets/
checkConfig = false;
config = ''
protocol kernel K4 {
ipv4 {
@ -387,8 +392,7 @@ in {
interface "core" {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
}
@ -401,8 +405,7 @@ in {
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.freifunk.ospf.upstreamInstance} {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
}
@ -415,8 +418,7 @@ in {
interface "core" {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
}
@ -435,8 +437,7 @@ in {
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
};
@ -455,8 +456,7 @@ in {
interface "core" instance ${toString zentralwerk.lib.config.site.hosts.${upstream}.ospf.upstreamInstance} {
hello 10;
wait 20;
authentication cryptographic;
password "${pkgs.zentralwerk-ospf-message-digest-key}";
include "${config.sops.secrets."bird/ospf/auth".path}";
};
};
};
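Review bot: `checkConfig = false` in the `services.bird2` hunk turns off build-time validation of the entire BIRD configuration only because the five `include` lines point at /run/secrets, so a typo anywhere in the config now surfaces only when bird2 fails to start on the router. The check could probably stay enabled by giving the build a stub for the included file through the module's `preCheckConfig` hook; the absolute include path would have to be substituted for the check, so confirm this against the module version in use. The `secrets."bird/ospf/auth"` entry sets only `owner`, and adding `restartUnits = [ "bird2.service" ];` there would make a rotated key take effect without a manual restart. The previous key was interpolated from `pkgs.zentralwerk-ospf-message-digest-key` into the generated config, so it presumably landed in the world-readable Nix store; the sops file should carry a freshly rotated key rather than the old value.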


@ -1,6 +1,9 @@
wireguard:
vpn6:
privateKey: ENC[AES256_GCM,data:5xvDSbVz2r1D8MZVMgKxIeXD5oRTfXD1RfBukHaOxBz6QaDiUjK7IfZRFlw=,iv:jXZSguJofezFvOplCrRokH9vUGP67fQPkb3fea9uKYU=,tag:JXCD+ngAtAFRmf7NhP0wCQ==,type:str]
bird:
ospf:
auth: ENC[AES256_GCM,data:a3lfAIOZhm8oD2bcOsb3vfIh47EqRVsyuPp8EbVYqzCbTLDADj2R0D7C9E0a/vxIXa0ibrBHdFliLG8=,iv:91lsSop8QBT/rlmxE11gcU/voKkV8HJ9ESZEco5i2DU=,tag:ytzqbP75vzt0JiHW1mvD6w==,type:str]
sops:
kms: []
gcp_kms: []
@ -25,8 +28,8 @@ sops:
YklwNTFsUVZCU1RwZXlPeUJ6VW5iZ00KQqK0K0sizbBsKoZdfjo2QL3+syc5DQJq
lL77+ChtwzssaX6d0zCwsoES28n1bNDN65n39K3gBmjTiSFSouvmtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-13T19:00:35Z"
mac: ENC[AES256_GCM,data:RhGB+CNoIAGr6W1WxDpquG76FLZ0REF5OZwvD3DyfNxNai8XzqqDEsY6XneQ0Ac992kAcXdxleYDYC6keokvkOgnNmr+Buc4+rnASAReyRN19lIUWNjAB6oZWjqwEY2lrwklJc/yi+2LOuaigVsOLxOiMtpTs+QVtofRlmNpbGU=,iv:IqZGKWXKYTGP6m+9wb6j7sSVrSJZ++F/CcL/r2LaSYQ=,tag:6MLFHzcEayEGKtIxWZoljg==,type:str]
lastmodified: "2023-06-26T23:30:17Z"
mac: ENC[AES256_GCM,data:XmY5EdBpYIcg917fhafs4PyNQZU8qxAiSIf8oe8KUXl4//ZEuS8O4hUd21XExRlBa9hQEP2W6J7FFRkfNZLHF6xtYWVWo0qWWe+twwZ/tt/LEygZspYu5G+AH/uoPRmL5XWXzKhO4p80BUxIZzLT9hvgwSMNIYFnliBecP9R7i4=,iv:5uRHki4OpT+BmxtdOzpbvdBwYDLEB7sX0yvi/R9W0dY=,tag:taeVkVqSoy13dNDSduKbIQ==,type:str]
pgp:
- created_at: "2022-12-26T19:09:40Z"
enc: |