diff --git a/flake.nix b/flake.nix index 0cadda2..35b0862 100644 --- a/flake.nix +++ b/flake.nix @@ -174,8 +174,23 @@ system = "x86_64-linux"; specialArgs = inputs; modules = [ + ./modules/dump-dvb ./hosts/watch-me-senpai + ./modules/watch-me-senpai/secrets.nix microvm.nixosModules.microvm + sops-nix.nixosModules.sops + dump-dvb.nixosModules.default + { + nixpkgs.overlays = [ + dump-dvb.overlays.default + (final: prev: { + inherit documentation-src; + options-docs = (pkgs.nixosOptionsDoc { + options = self.nixosConfigurations.data-hoarder.options.dump-dvb; + }).optionsCommonMark; + }) + ]; + } ]; }; }; @@ -184,4 +199,4 @@ sops-binaries."x86_64-linux" = sops-nix.packages."x86_64-linux".sops-install-secrets; }; }; - } +} diff --git a/hosts/watch-me-senpai/configuration.nix b/hosts/watch-me-senpai/configuration.nix index a538bc9..2019751 100644 --- a/hosts/watch-me-senpai/configuration.nix +++ b/hosts/watch-me-senpai/configuration.nix @@ -1,6 +1,6 @@ { self, ... }: let - mac_addr = "02:db:db:db:db:db"; + mac_addr = "03:db:db:db:db:db"; in { microvm = { hypervisor = "cloud-hypervisor"; diff --git a/hosts/watch-me-senpai/wireguard_server.nix b/hosts/watch-me-senpai/wireguard_server.nix index c8f5de9..95d7c3c 100644 --- a/hosts/watch-me-senpai/wireguard_server.nix +++ b/hosts/watch-me-senpai/wireguard_server.nix @@ -1,6 +1,7 @@ { config, ... }: let port = 51820; + mac_addr = "03:db:db:db:db:db"; in { boot.kernel.sysctl."net.ipv4.ip_forward" = 1; @@ -30,7 +31,7 @@ in addr4 = "10.13.37.6"; prefix4 = 24; privateKeyFile = config.sops.secrets.wg-seckey.path; - publicKey = "zaMM8Fa/PK0Fq4pYl0KAyOYkOjHBrZ4RVgfqqFIzq3I="; + publicKey = "aNd+oXT3Im3cA0EqK+xL+MRjIx4l7qcXZk+Pe2vmRS8="; }; }; diff --git a/modules/watch-me-senpai/secrets.nix b/modules/watch-me-senpai/secrets.nix new file mode 100644 index 0000000..a71c1ef --- /dev/null +++ b/modules/watch-me-senpai/secrets.nix 
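Review bot: In flake.nix (first hunk), the inline overlay added to the watch-me-senpai module list builds `options-docs` from `self.nixosConfigurations.data-hoarder.options.dump-dvb`, which ties evaluation of this microVM to another host's configuration. It looks carried over from that host rather than something a WireGuard guest needs. If the VM does not serve the options documentation, keep only `dump-dvb.overlays.default` in `nixpkgs.overlays`. The same least-privilege question applies to importing `./modules/dump-dvb` and `dump-dvb.nixosModules.default` wholesale on a VPN endpoint; if they are needed only so that `config.dump-dvb.*.user` resolves, say so in a comment. `pkgs` and `documentation-src` are bound outside the hunk, so their scope cannot be checked from here.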
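Review bot: In hosts/watch-me-senpai/configuration.nix the new `mac_addr = "03:db:db:db:db:db";` has the lowest bit of the first octet set, which marks a group (multicast) address, not a unicast one. Network stacks and bridges generally reject or mishandle a multicast address used as an interface's own MAC, whereas the old `02:` prefix was a valid locally administered unicast address. If the change was meant to avoid a clash with another guest, keep the first octet even with the locally-administered bit set, for example `mac_addr = "06:db:db:db:db:db";` (a constructed value; check it is free on the bridge). The same literal is added again in the first hunk of hosts/watch-me-senpai/wireguard_server.nix, so it now lives in two `let` bindings that can drift; define it once and pass it in. Where `mac_addr` is consumed lies outside both hunks.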
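Review bot: In hosts/watch-me-senpai/wireguard_server.nix (second hunk) the replaced `publicKey` literal has to be the public half of the `wg-seckey` secret that `privateKeyFile` points at, and nothing on the page ties the two together. A mismatch would only surface as peers failing to handshake. Add a comment on that line such as `# public half of sops secret wg-seckey; re-derive with wg pubkey whenever the secret is rotated`. Peers that pinned the previous key need the new value before this is deployed. The enclosing attribute set starts outside the hunk.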
@@ -0,0 +1,34 @@
+{ config, ... }:
+let
+ clicky-bunty-user = config.dump-dvb.clickyBuntyServer.user;
+ data-accumulator-user = config.dump-dvb.dataAccumulator.user;
+ trekkie-user = config.dump-dvb.trekkie.user;
+in
+{
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ users.groups = {
+ postgres-dvbdump = {
+ name = "postgres-dvbdump";
+ members = [ clicky-bunty-user data-accumulator-user trekkie-user "postgres" ];
+ };
+
+ password-salt = {
+ name = "password-salt";
+ members = [ clicky-bunty-user trekkie-user "postgres" ];
+ };
+
+ #TODO: remove this the two databases got merged
+ postgres-telegrams = {
+ name = "postgres-telegrams";
+ members = [ clicky-bunty-user data-accumulator-user "postgres" ];
+ };
+
+ };
+
+ sops.secrets = {
+ wg-seckey = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+}
diff --git a/secrets/watch-me-senpai/secrets.yaml b/secrets/watch-me-senpai/secrets.yaml
new file mode 100644
index 0000000..d17eddc
--- /dev/null
+++ b/secrets/watch-me-senpai/secrets.yaml
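Review bot: In modules/watch-me-senpai/secrets.nix the three `users.groups` entries (`postgres-dvbdump`, `password-salt`, `postgres-telegrams`) are not referenced by any secret declared in this file; the only secret is `wg-seckey`, owned by systemd-network. They look copied from the database host and give the dump-dvb service users and `postgres` shared group memberships this VM has no visible use for, so drop them unless a module outside this diff relies on them. `sops.secrets.wg-seckey` also sets no `sopsFile`; unless `sops.defaultSopsFile` is set elsewhere, add `sopsFile = ../../secrets/watch-me-senpai/secrets.yaml;`. Decryption depends on `/etc/ssh/ssh_host_ed25519_key`, so that key has to persist across microVM rebuilds and match the age recipient in the secrets file; a comment saying where the key is persisted would help.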
@@ -0,0 +1,91 @@ +wg-seckey: ENC[AES256_GCM,data:kG99JwoEz2ZKzsqSl2/gCZ+u/UGi7Rf1z0Iv6hDr1yMJ3F8v49axmmHsnJk=,iv:iFreGQyC3+5i/oxIlHQVoHHPgidgcdOBJ6HSCApy/mU=,tag:YVUQdNtRJ2lUqMr6b5Re8g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18q907v2706qxmjewqan7xng2su3z6zyz9a2q444jew22apd46y7q8wjjku + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDYndZRDlqZGVQclpEVkZL + Y1lrK1BwZXgwemt5NFRHQmY1bXNEc2dNOWtjCldUMk5EQkIwV1VkMFpaL1R4a0ZL + WmRoNnliOU1Qc1dqUG54Rk1tWWtuUXcKLS0tIGEzOUVCakV5cXRTOGw5N2JvWmpk + SlB0aktyeEo2VjY0bW93TXg2YXJ1bzQKkm1eCnbcSyVHAIbQ1cIcU5RabUYSgsUp + VXq8j515D7MhdngnTW5uvk7og+Qe4iIgRXGsTLgelP5JEiHcOs/WPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-07T22:24:25Z" + mac: ENC[AES256_GCM,data:hybiH3hiMmN+YOcx7ydFuIpxsjbUk69t2tSoEsguRubLMgsQLaaxCwwIDkHk63ktDs/fobVqFOtdv7rEYfdxnkWrk4RmtWVdKALQRabKiJ1j9qwoqDsS2cdUF7mZzGQkHQcnOVQkRdmTtpFBJf9OUYJxORizHp3RHpn+Djj2cH4=,iv:8rhZcNP0yw9jCxtcp3VRpBTGOTOpBgtdfXF7KDZX30I=,tag:pIK4BZcY0OouxLGPPR37Zw==,type:str] + pgp: + - created_at: "2022-12-07T22:24:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7AQ//fMom3jJ6gUONSojJ5yMdKiFtJPHqU/abK5raH20zi4hS + /NBi+xYWz6bapX0gFIFFwsM5nEquoRWv+yVKbyro/PC2t050EntPgQfi/kdOY9EW + wCVYyBWm2GvYIV4jtrdPEW2bbITJhriJMSm8L56TpOyQhM/AJm6hK67JlbyQPFMU + 0Mx9HehnFFYlb4wm+be/sg8zcCZOhtH8mDY0qcFn96LDx6W24I+v37Ejj2Yr9Ul6 + w7J9FInYaCMh4g+sCc07nSQvQ9kaeXOt6nQJbzVPhW4H7SCBMC9MIVe8vCiIotkQ + 9a5ZjZSA70IlGaXR1xGn+RvLA2DpIKcUQ3JYjcLafRgZaTouF6FWW4QnzjtcLbhP + HwL7R+AZ1plxt+yFUhn6SYjLwheu+ACVtMnMA6msqdHYsi1vReNkoUljYeJgL0AW + VPOtzmWrnv1NxaK6XarwIOtJ164aIjOA9lkE/qaFV6haZ8bekH7YvLQdPchjS+br + UYZ7dXWLyUU1JKDCKBBntTtOZhyIOjs/u+NErd9Sk+X6Db5wtGFKGT2u8w1KrSM5 + 7nGEg9D4KCzfwGJ2ohm8Z74DhUH3bSdTjpOnoeEcXT/SMq6B2+CbiAlL1LBCWvWR + dZ/blfvQ65PbR0sg1Fo6qbp0yqAT67lvbk3kBdXW9GnwU8AP6r4fodt2pY7aGn3S + UQGzugfZM6GTmfVdkUJZzn/62pts4lvLYWt1SlCLmq/zGuMUvwGBtA6H9WZBh6Pt + 
wvZtMIaFsOTWJj3aKPfVLELv9S+y6+Qv+ZbsOvXc6cbtjA== + =Ftcl + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + - created_at: "2022-12-07T22:24:12Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA/YLzOYaRIJJAQ/7B+o+Rqi1f/qoDRy1mLwKAzu70v20sZe719RXssu0qH6U + C8OTaipGNZQSR7ykifEUJvBLd0gwDpNDylL6IJkP/lbRgRc978y/mM3ixjQwj6wZ + x4W6akq16RyPRFTbEGtWg+c+jMxkRU86xWxHrkulEQ4f8N7sXVEvhqQ+OghQuSw8 + rxS5JgXbQg28a3DEt328DqSoaJg/SLdBg1MFsVJoJZ4c4qAlg+s1zP20oQNlZaWE + fC1sYJJnz8RFCPgwNu68anVgmW5UHjkq5KN0CIXbOifz+u3XDlHxoagd4kwTk5Ci + FdXsyCeBeW228UmVcXswB7s7yHUNU4XVmevwqjX9kzvgQs75+6BoMCa8XnRF4TrH + +MMZTaljkqIBVEKfqO9erhUrKR6Jsp4p6zn9wsQUmfy6VDI0kQpPXcnbq2hndDcQ + m3RRzAfF5N0QUECKytECEoON10KE4qG+UbeKjOyrVi8xBZKt75A2yyNPCVlX0vOO + o/xQ0ltpVHWwaGxpU0LYd+KblLuipeWnx5UwNApEwS0fWKyvkfWJdG5Vph+l1ao/ + Jda/MHpuCYqqNa+Cq/EOZugQXGr49pUwU3ldjGwAzQcv1d58lmwSqy/f8WUW/21c + dvYfSlXLycVk7NekNvAfpfkr1e+DGXf9jvVVf0YLuekr43YNDNCPp8l6iKn/z5jS + XgGZmvUC9x8gWD94OF6XdRItD0wwoLTUT/75tb/5YynnjDvDhKFRy2xAF/KnhCLB + YeKCmBEMeikPuS3K15QiXwytfrugQlCb2tPwHKdm4mSjyNE26AFl9LU4vqaMRao= + =eTR4 + -----END PGP MESSAGE----- + fp: 91EBE87016391323642A6803B966009D57E69CC6 + - created_at: "2022-12-07T22:24:12Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQf+Ls+um2eBmqTNnrkSUv+1keEH9jSkjie+Gky2netGSJpb + oxAoycep5HQHqNmWdsMDInJ+r/jufnLV23xufOokhJQcpXYiJm0LYSYqRhSkGAD0 + NXOO1sEjEmETU5+jdKjJGa97hwOZ3Y0vgHKCKGivpVbyguR5tquaEt7NEoRCObY3 + 4ZkqFyAQCLtFF9YJ52jAgfMuAjINGdMVNWFgWD84rXOnC51B35E4/Plf3TtR9/lM + yb3kYxOAwhGH5xQ6cWrMgi43pzTTMw9xE7Tl3bOQjiOYtSuNh4dxoZvU45CI/pLQ + NH73Is2IKiolhkMpcb5rszMbrF91jiZcWol8a3VIbtJeAWsieJtKYlFkptupqYfP + xR7BhTBWH73cE/wmoaiMoY8s9NoGm4CLdRhw5A4jcdjztNmGwRhvkIfrWWa+VWhi + Yxt5G1u95z3hvQV9VpaBv6Y+rCnIPK5yuYUJpukFHw== + =8sFN + -----END PGP MESSAGE----- + fp: 069836A578F7939612DB4934F77D0F7E247A1EE4 + - created_at: "2022-12-07T22:24:12Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA1N/l9+zlMQzAQgAjS4wueWqzWR66ow1ERnS8JwD0FEW6dj/18QWqvE+1ods + 
WD28+6WEqb/SEb5ZO4yBNJYrncuR9brHFfUfNa2CxWn39uBoHixcTL1uQ3iAPZ86 + xQhzmInrdHfkIsjtMNuIbGq9mMAsRhtOkEkmvjUWTwZkoUXNSKRrzfzaiAMs5Neh + W+NFwz6mCZOYkiZpk2YGY4Ej0Xd5aVwvcZ4JTG1MgSfmNOJCF1A9eaPpvxfcAbky + x7kfUjDUCzYDU3F1sVFjitI7Qu/BKx1dwxuiDIgS2Or7BjxUMigpR4xC34YivAjZ + VG512GN0A6a+rsiVWVAV+JP5tKvBYu6yQ/vJrxCJu9JeAQ7GtA9oknDH3ope0lrQ + kSYWU2ab1ydfNjJxb36JWKatn2rozVPbbGxceEecE3VIhqSCY/tRZ7EuIhdVrp5j + jAI26G6r+vxUikMUjsizbIAuVm79nBnv7GbRtRmSsg== + =55m4 + -----END PGP MESSAGE----- + fp: ED06986DFAAE6A61B751DC2F537F97DFB394C433 + unencrypted_suffix: _unencrypted + version: 3.7.3
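Review bot: In secrets/watch-me-senpai/secrets.yaml the last two `pgp` entries (fp `069836A578F7939612DB4934F77D0F7E247A1EE4` and `ED06986DFAAE6A61B751DC2F537F97DFB394C433`) both open with the same packet header `hQEMA1N/l9+zlMQz`. That header decodes to key ID 537F97DFB394C433, the tail of the second fingerprint, so they appear to be one key listed twice, once by primary and once by subkey fingerprint. That is harmless cryptographically but makes the recipient list harder to audit; remove the duplicate from the repository's sops creation rules and re-run `sops updatekeys`. Also confirm that every PGP holder and the age recipient listed here is meant to be able to read this VM's WireGuard private key.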