From 6cc02abdb81a02d73d8a529b71e0e944ea305d98 Mon Sep 17 00:00:00 2001
From: Astro
Date: Thu, 13 Jan 2022 23:40:43 +0100
Subject: [PATCH] yggdrasil: properly add a static key
---
 config/net/c3d2.nix | 4 +-
 config/secrets-production.nix.gpg | 114 ++++++++++++-----------
 config/secrets.nix | 7 ++
 nix/lib/config/options.nix | 12 ++-
 nix/nixos-module/container/yggdrasil.nix | 11 ++-
 5 files changed, 86 insertions(+), 62 deletions(-)
diff --git a/config/net/c3d2.nix b/config/net/c3d2.nix
index 69f75ca..4f491d8 100644
--- a/config/net/c3d2.nix
+++ b/config/net/c3d2.nix
@@ -81,11 +81,11 @@
 c3d2-gw2 = "2a00:8180:2c00:223::c3d2:3";
 c3d2-gw3 = "2a00:8180:2c00:223::c3d2:4";
 };
-hosts6.yggdrasil.c3d2-gw3 = "303:feb7:b244:77c3::1";
+hosts6.yggdrasil.c3d2-gw3 = "30c:c3d2:b946:76d0::1";
 subnets6 = {
 dn42 = "fd23:42:c3d2:523::/64";
 up4 = "2a00:8180:2c00:223::/64";
-yggdrasil = "303:feb7:b244:77c3::/64";
+yggdrasil = "30c:c3d2:b946:76d0::/64";
 };
 };
diff --git a/config/secrets-production.nix.gpg b/config/secrets-production.nix.gpg
index c6b4941..f4cad42 100644
--- a/config/secrets-production.nix.gpg
+++ b/config/secrets-production.nix.gpg
@@ -1,58 +1,62 @@ -----BEGIN PGP MESSAGE----- -hQEMA2PKcvDMvlKLAQf/Z5k1mYsMgxZQiA86eHoYBuMIK93QIQW8dH5eYk0P7Wj6 -RM0AZqvmkaD3iIeTtjURUaHL3RCoeaOdFfAaTb+kkL8sby0jtD+2SdyNGVgwxgXG -MH1f3U0WpdmfCCtvnkNxjIx783BgBH0Eb84FO2BbGJZ9t8udDd1atmyqu25n7h6W -0oVR3jV3+zxbZbfjPTvBIGMjdn5diIYK37qgrW9xOQcdM8CtnocXJifNxo++Ge86 -HM8TDWu2qN0FRAWib+O2KM/uKBErw3kr3LTdMIhReivirdGLSRWqsR0uCGuyjaCY -3a0gI+ZBfauzTajIPmW+OGjMhjwwIXo3VW1OqceszdLrAeGluxzglWRHe0VCWga9 -K6bIoaJ+VoVVCKU0WvObSJXjRXcQ6u7jJBTdndyz/6qzPHLH+qSfJQHr6IDpVNEv -mupghJnejgm4UYPtqy5bVsg5P7F2crvh/wRW9W0qAC2u6Ts47VY78xcBF5VO9t5T -T/j5RQvCTz3msFcbPhXFBL+OpzYC0/AKnD8CyhCEx7QYROIT/OnHBwUbfBQpeYmg -KB5+aAN3sTtbxI7BlUZoanVgeNjkj5JpvYtjj5Xe6biMNF5lJayYXtg7YKlkoJAP -VAE0Uso/mFw3UFBL6TYkSx7aOHyaOkgkw530uK1sGoatOgPyy5ZxSTxdE+Rorggi -l5qevJUfOO4aV7A1cedmw8GqooxjSRrnfrQOMpTAEklUgJqk2GT7N5aNMHvKyxu7 -ey1P6LGHs3U1B9l8pZfpiz5amR3xI6XhJ3WN+G+rqA6hcE1QbtAg2eGu8XTqkty8 -do/TT5qtHpTCLVlUByIoNmM2DkZulXFkwFqgEqKTI8zyuPMuO7994vzqBQV7s4ea -NrYvBqvhGQVsBox/OAp8v2Kqtqb/rVpJqjOffj8W3EYgLF/I23Z7ycXS0Gnz2lSE -9lWWCC9TBO7X70GRx1QxU8WctXxuOhRUzWSeUJHAhnGFfQ2hLLY0ZM1QhYXAhKpo -6DN3i9+8zSr+sOoXrFWc/vf0CkkK3HB7J8dNHjrfhkST9wbEXjfKYhCMT73tMT8r -7pF7NHLnw2+iM2M1muez6PB9TBaHmeI5X8hm+LJf7L9dQf1DOI9c8UVlGm0Qcz6z -TtNlAkClXOeGeSABC2K+Kkt0uDuOJhRmKdNErLN5rAxirzRo4TMVSmQ8oRdrh8ZV -AeZstpmt7glsccyXGi51AH9YYl6orTR9rSjxJPHff5QxpXpUBfQPta0nAJNUtyXf -bfDqY75Z79Q6ROEQpvMbZWFOGHvCqjKTMeUSL9tos4kX7hDYz9QV/xYjGgUJIpXy -SgsTCgiCTJbXr9rRsIFnEXa4xrxFcO1YAhLsAkE+VsR5bKZT9l6IQlWHIbPoudWU -acb5Fa6Aft+EmPD0vlnMIPEuenDg1HJU/Ehx54GDUkJIiK505GNSatraWgt5gUuR -PIJtDgaHyaAEAVWJQtb4GPlM0jmTl2jFpmCruZ98UnPZdTrgiPRGv6JVGj3ysZsj -ivssxMfXii3CzxxTFI0ZJ38VV9O3vF6ygysFrw/wYlGrPes1NoX8x73zVKQpV6E7 -Ip/gh0rgofgUmdJP6CT0fz7aEyVUarhWj9Vv5dRHnTvh817DEPhOylRTR8K0gtJV -oEZ0H9bsG0WeSA2VMFyocSC5HkTGCnjUJzbQkUDnzswQ2S36SrArp0Wo+p65Iy6Q -VHCVZD49HazQG3uuhsHgBY2VMvuS3XaZHWbHviceU4HzvSRykq5j0BIM+bCpFB8X -YMhIjMBy8Z4B+UuiBEAz7zjduXwkZ2liSL0ZgXdtNmSY5CVtP2c3piY1J0ZFgYIR 
-kQUI1rByBeDNP1Ic3aPwq1/mMsFfLRle9goZ/swCGu+/7smYQ3CDfJeavjJcPIVf -YJoP0PYZbqv2/C+Yve9KKsgYQSAfj3XordOpz/kB0hLtrMER07LTEhcGdeCbzGWc -Tx2fQXYHMpR+2dtgaiCQSsPIshlfcJkZY5F+Vt8LFhYKwFgXLUR/EJplgoFmcOSc -Ckfjmk2Mvgo/BffrcaoeyQGcVY5t96+pDPnRCZpNgfCHhcqkYVhZeATBLm85Tywt -6FMnxbNCjl4LsvR9zP5RvO4LbRLY+d8QxloVlS8CkX6MbSHLr3varL6M0ldGSJ1G -rqXYwhf0PDBVGUJKdZMLfvE7kqf9CaxHM5wR9V6lld2U5PEKKulS/6rCi2FewVhW -nydfZiUhopQhSDjjY5/xZQ33hkoZwkMaQFgLQgp1bEJLwC/c1pNrkw3uTBY5Z0VG -vKwgiQ+i4VuF1OHZkv17VUBoyhFnC0/Q4PmeXQ8EV9FJ1uDmSEK25j9gqJLEm65z -saePYZRvHlPd4VoMs6IEy6g/4SidFd5078tm2smG3aeaup97u+Ss2ndh54l1O96i -Zx3HfSjDvQ2XMSHkB2+ucu3dv9krchvJyV3zAxLPvZZvtpGQv/C5wY3h+tzR9dAR -U4794sqwm/slPyzSc2CKfe2r7KEWKQiONFJqoLdnPJ36BKM2uzpBhCdxD++wvpFL -+qVWToMy32CyZMn9VP5X4zSyHEM2b1IZdyPnwqwZD8gqYid78MOkbr22hBnsLePW -nizQL7/k6V1pp1cPcSwrbss1r27thclXh4RtkJxFdJj3WUyh0XP5y3YBhiXmBG/+ -P/TnvIC4L7JzBjZEAe33qIq9C1L8vxAPGCc4t/PifgP/pZkmmYt/3wPQ1gW+jjwx -eCuVq1L35q13FUj4XDHmJo64OyA1JalSN+FsogfyAzPSeKKNzkbTdH7F9+hLco3O -wfbrX0u9dmxn9LtEUlndBV4JkycjJtg+IhEcLcuhhyQMY4Z+znyO/Tq44ZBFNl7h -TZmtUtbvE/Sw8eWZUEytGE3J4OeCMOuNNRJT161IYBkUjmUxYqeYXumQIkiFmgcU -dnCvbkcNgDdJiI1/qlV0hEmvILlOV2Le84O1dybTTzhn4AjFJuMPGa1+VwlsprDe -H6B/BQcq52/AlB6Px+blI3Zam8Xs1799PpHJ1SxZMp7blINp9myc+6sHp51mzfI2 -wENoS2Ri+SLxp3t0F15Us7DATaPDau/QLYRxDJIIr7IyoagjOFD1lBM2v2GJZW73 -nevLGnxmYi+bW7yw5FYVgDsR75szHMD3eJyCaRuoHY2th44XbwZGNP57Kb3v7URi -CLFEiFgug4CJCLX3YZDPYm6ZXCNcGayNIFZRDUoCo4fdBkXWoFkPI+XfTtDIbzYt -3P2UlMT7ucA9NM/1tl6uAFXlVT0ou1sNbs6pp534VlXmrkVoBivmqacL8004PU3Z -e2VEnTWA4fSiHyGu024Y6CbxDWOsT/RqdqdilHsi1i79/5xpaPNQlmmhKC9XiHnt -C6FTA+tGzLKoDc+mtrlz1UDRyuGDeNcldgDD2HURarFWZHOHoR4LPfulryw8ZQRu -=pc7u +hQEMA2PKcvDMvlKLAQf/VrM3oRXn8dHbFyxWAps/OAhk83HD4RCIlSQUcEHYHi9i +hMr44NqNVms4/E02bWMKlkUZmeEaVo92QmTUYyDF8hZUgZ59Kh0gQoXbSukA+8Kn +lJ0HWg3HuAr/XqCDm3AWBzHAhuL8rYg8tKxwbvKNjk5uKd3VhpyEHYapBKmPgP5D +yeP+OoMwHxm9ltCrNKehWJavGpI0NolcLqoaOVrltwwlLCC6cWxH0SWnM1NUigJ5 +3FfakgI2uD4wsfUB2DsIfP5rraCmC/K7PFSRxJ8z4LRDAG1WNxK7CA9oYFSqEIo7 
+axMDZvRfFViqs1grXruTQzI2GAodvMt4Sqw9TXGi4tLrAU8a+GvXDcoIYHe2MmUP +dxN/tq8nJUE+PEq6RtdIcuOv1yhkgXHAfzcf7gWIugREglGywfX0Ops9+Mp8UQnz +kRbPI4m7zkzIozsq0Q7CSrKVAwT/CC+gpMFtOx+uZOPC02p4za6yL5GMgPBKHmr8 +qbMujryv30Ua48SeVRhgI+ScnUxXBau6VGWOPX4U7v6Y5jtJkea9lFHurNpByAaf +4y12GFlePqbcVrGdcfCL15fDkhfi5ba1nlpi+dILJYegttis5iNMyueKb2jDzFjk +vpY9PG0Npxa9YCq1IPawTEwU4/sFh00psM9jdXBNne33FNyYcpy+gF0+fCU6Y0o6 +qXB2V1iSaVLxW1te5UQV2rn0QAKwpbE+c7IL2oEizktBzNEDB94ls0hdzo8j1Umd +wCk6x7UGU0iJCZtg/a6THmDEoa7ib7U4qeBB8XoJYW6VA113ROc+VFbdl1aDyA3o +jCB5zQR0/RI+xrvc9Vn57bmlrOsTVkG0kf17a3MWVfYobpHCg2OBTLlaGEfvdcZ1 +EwMGTJhnakJIkbKJdO1b2ljp6NaJMxJdQLVHjyFB6JjDRosZPeW4qO5jRgShMaVL +4ZZb3XORms679ItX19DanCEP2ouo8MP9Fbt3y6C/s0YqOOAOOa5o4Wb04098Upod +7TH70faAtzgcx9nZ4aoPsXWgbvoEGWyJZvoRxF/6X887z+cLYtY+6K709TSsYc+F +3TGt8gpt+kzfwuGv9QUQ/tDAdvR3LPQ4zKJ4COJ89ybuop4+GlrQC2v/FvE58LJ+ +q1yS/kim+/FsvmwAM+7vYj/wn6hXAWn2rleWTcFgmu4MwIyxfwjUcTXRrUptvnRS +juY71sqQMe/44QB2KZNDvNX6efj2ay0Uvx6MXBN2Wfkn0lFrlspcgP1eDdQZDgDU +HyemCXAYmylUYXVNgwENksKpaV5vbSZSuN0QHzzcpNR/ur3Jne9uPe2AqzXanep9 +ozQoz7YCOlXxqqWzI2dV0JqszoLQA0OarFlGAmR1eA2tfxnUayMjHl85LEk2PGI6 +IMyKIyB28tkue1ualu/deq+3CHBdJmWLUeC7DSSUH8NLzChcnJDZA+Vyiic4Ovdr +N+hTeUQM6BHIGNtgX7LtH+2phdA4Mc9Vl2b7AtDghZmz5IcBA90G8PVkhSBY0I/j +ssphtIroQwfC9Z8vQmmQkwAv/VgHIstp8UM51K1c24ckCFduu2Vo6SOaDUwV2efF +x/F4RPHr/A2TzdAZj3cIe5S4Gkc9D/5p8PJ2w2MuP+fKWTE9Z3IM7BlbO6VlLbxq +VZTIzjtivJKaD7B0hpyWcjqI6GU3o3FvMyOLCFTJvrXpWfCAErsHf1I8vtPI2T7I +eBYl85LNOiqPTDkjqQHFe/BahPzNS8c1tdfdCmY1ILRdYCN2DM9RVZmbyypyt49z +K3IHMi3G4RizGXQ+tdfmsqO/n7TInY9p3td2RcYcUT1AfQOkiMV9jBrBuylPcsvh +q7AlmlIEPikhlXCxFIkt/zQPy6qyka2GS1n5yl0MyqE40e5pSZkkvBN1dt6+Kvxw +EIUyxRPlFjoQXtDgtAA8vEgl5feNkD1QviM+72dvPOo4lszHLHxdI87hqYCysRCA +XGaCa/qExxuG0Hl+6X7iI9adGlFz9iiQrVYjZoGOXC2z7Vkd8Dr4LY2xSyVHZDaQ +W4h7PJ5OPGKhwUY9V8ZDgSdiwLa0Bgoc+fSf/mDZhzOjV34tDh8G4gU3GaZGjG4Z +8J2Hj1H4At4McETx+Tg5aqJfFM71EG8no5PNBaKXQ5lInMR5dFh+OUVizGmLDQmi +a2aK6SzvwEegijKQWMyHTvPEzJAg/mghM2s1EN4kg12VvO9LEMC7F65YWkpGktg3 
+Zch0J4b5z+QMMDOC/gAkYfalRvraV6rDRzhbrLsQe870zqvdyArurHbmpBpvE1Sv +sDgcYKWwZ4w8gcxaju4qk9NNkFkPaZP/Cz346HWUDWPr8SbZGZ3O7WNm0JvFy9oS +HwOm32yc8RT2dfzRIj4faGMrGUsXG5dULoyrYfatxDM3ohMt8BvvqJ8i2EVHpZI2 +ZElpBo7qM08+9VpwBpBseBxjE3uAkqBAaBBwRfecJvQuFjgQowk8uOmhGvvPQ+v3 +lcTIErizNHDyKhbwMvzURNELa6TqThaeHQi3X9djiSvl+uUgu1nGnCZwK/ApYa0a +Z0BvM7sap63DTdete3iWo/OKKTL+yU6QpmV69wUNmVn867E+naX7GeqgMS2PcwdI +kFmWFzKf4m4BpodfJ8II0M3tE3nWYwGRKy72DjrP1TittRyhTIRMKh0N4jnYlh+g +TeTodvcZL5xL2lwLvxBbULtz0wRVcloB1BPla2LiBlclpdKvKmgRk36gvq3E5N6/ +CJ+BQ94QjLa1EcEBjYtK557nyFW2s3Km8tD1+FAO+uj2X9BLq9Qyax/FMteiSwF5 +rPEfy9OhZH2v2jkYCfc9scFA69PkskfJQ6ZfnJT4mYMmn1UEN3L+Q2b66hdaeIbo +SmH7Es9xofBN+2MYOYPTg5ptyYUAlLVdnJrgAnKIylPr3iedBLJ2mYK6aDoj3PWT +7klVaCJfxNxb7siiwKJjTvs7Y/7eI1mN5dsPW0OWCWONzR+XGu4wwT+CcZURB086 +yD4DyFOpZb42RN8NBTwyiKOYVsd/7jUKXat0HQswRy7hDW3qs5aIkLJCaX1vd9an +56b1Fwu9FMhIzEdLPPrJQMLA3xYDh4NiOwO0oy370Pdoy1aPa6lMA7QrQrZXfpsz +eFpgRSEkzJFlDRTSYsdczx3Kdpe8L9Ha3KJ3m261mQIUucnIFQlES1tfv2au87x6 +48dZRT8EyAoTQiCH8e7sRpZUYllgM71peyQNWSnqoNERp9PL3eRTWzfa9xn9IglD +CyuSAuRgivvSanVqNOX3xFQ1doAT4mfJ2HyA1IZOPXOxSGiueyAAOeUbQOsl7xHv +7L7UdvHpVta2Rn1I8kuPrvAGiFkM5ROyMF6bBqkwu+cZ+oNdP8xwZ6ovxOBNeAwV +Fx/ZEJZpnU2BAjkZrHA/OLJ7sgFo+Pqo0BpnDaZVO0xtVLYHUMBTqt4uGaHJ/qIJ +3KPJDjHq1CRyLFwQ+HKT3QYu9IsvJ33PQGwFcqP8pyuhXX0z3QaLUs9tZ93jW4d3 +70XDQ0udMjazKHQnpLpqleVqvG6vDI5KcXRn8GzMyDHsSObak+pKNIm01TjYmDEj +cDk7a+5d5DNA4ELExj0Py/C3D8JtcQzycnZv6EwGsyLsDTtQhSkGHcvfK6u0SfvD +aWg= +=2R32 -----END PGP MESSAGE----- diff --git a/config/secrets.nix b/config/secrets.nix index bc17539..c318298 100644 --- a/config/secrets.nix +++ b/config/secrets.nix 
@@ -77,6 +77,13 @@
 publicKey = "encrypted";
 };
 
+yggdrasil.services.yggdrasil.keys = ''
+{
+"PublicKey": "0000000000000000000000000000000000000000000000000000000000000000",
+"PrivateKey": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+}
+'';
+
 ap1.wifi."platform/qca953x_wmac".ssids."uebergangsnetz".psk = "encrypted";
 ap10.wifi."platform/qca953x_wmac".ssids = {
 "Ebs 2000".psk = "encrypted";
diff --git a/nix/lib/config/options.nix b/nix/lib/config/options.nix
index 7e23cb8..918be04 100644
--- a/nix/lib/config/options.nix
+++ b/nix/lib/config/options.nix
@@ -401,9 +401,15 @@ let
 type = types.bool;
 default = false;
 };
-services.yggdrasil.enable = mkOption {
-type = types.bool;
-default = false;
+services.yggdrasil = {
+enable = mkOption {
+type = types.bool;
+default = false;
+};
+keys = mkOption {
+type = types.str;
+default = "";
+};
 };
 links = mkOption {
 description = "Which port is connected to what other device? Keys are either network names or known hostnames.";
diff --git a/nix/nixos-module/container/yggdrasil.nix b/nix/nixos-module/container/yggdrasil.nix
index 3c4f6c7..44324e8 100644
--- a/nix/nixos-module/container/yggdrasil.nix
+++ b/nix/nixos-module/container/yggdrasil.nix
@@ -1,6 +1,9 @@
 { pkgs, lib, config, hostName, ... }:
 
-lib.mkIf config.site.hosts.${hostName}.services.yggdrasil.enable {
+let
+hostConf = config.site.hosts.${hostName};
+cfg = hostConf.services.yggdrasil;
+in lib.mkIf cfg.enable {
 networking.firewall.enable = false;
 
 boot.postBootCommands = ''
@@ -20,6 +23,11 @@ lib.mkIf config.site.hosts.${hostName}.services.yggdrasil.enable {
 '';
 };
 
+systemd.tmpfiles.rules = [
+"d /var/lib/yggdrasil 0700 root root -"
+"L+ /var/lib/yggdrasil/keys.json - - - - ${builtins.toFile "keys.json" cfg.keys}"
+];
+
 services.yggdrasil = {
 enable = true;
 persistentKeys = true;
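Review bot: The placeholder pair added under `yggdrasil.services.yggdrasil.keys` is syntactically valid hex of the expected length, so a host built against this non-production secrets file would start yggdrasil with a publicly known all-0xff private key and an identity anyone can reproduce, instead of failing. Every other secret in this file uses the opaque marker `"encrypted"` precisely so that a build without the real secrets file cannot produce a working but insecure config; use the same here, `yggdrasil.services.yggdrasil.keys = "encrypted";`, so a misconfigured deploy breaks at yggdrasil start rather than joining the mesh under a throwaway identity. Whether yggdrasil rejects a PublicKey that does not match the PrivateKey is not visible in this patch and is worth confirming rather than relied on.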
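Review bot: The new `keys` option has no `description`, and what it carries is the node's private key, which the consuming module writes into a Nix store path; the option should say so where users set it. Suggest `description = "Contents of yggdrasil's keys.json (PublicKey/PrivateKey). The value lands in the world-readable Nix store; take it from the encrypted secrets file only.";`. Consider `type = types.nullOr types.str; default = null;` too, so that a host with yggdrasil enabled but no key is an evaluation error instead of silently producing an empty keys file. The enclosing option set begins before this hunk.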
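Review bot: `builtins.toFile "keys.json" cfg.keys` in the new tmpfiles rule puts the yggdrasil private key into /nix/store, where every file is world-readable and, if the system closure is pushed to a binary cache or copied to a build host, travels with it; the `0700` mode on /var/lib/yggdrasil gives no protection because keys.json is only an `L+` symlink to that store path. The key should be delivered to /var/lib/yggdrasil/keys.json with mode 0600 through whatever secret-deployment channel this repo uses for its other secrets (or via the upstream module's `configFile` pointing at a non-store path, if available), never through a store file. Separately, `L+` recreates the link on every boot, so any key yggdrasil writes itself under `persistentKeys = true` is overwritten by the store copy, and with the option's default `""` the file is empty; how yggdrasil behaves in both cases is not visible here and should be checked. The enclosing attribute set continues outside the hunk.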
@@ -44,5 +52,4 @@ lib.mkIf config.site.hosts.${hostName}.services.yggdrasil.enable {
 };
 };
 };
-
 }