Add wireguard key for tbcore

2022-04-27 10:32:05 +00:00 · 2022-04-27 10:32:05 +00:00 · 1e5d5f7ab6
commit 1e5d5f7ab6
parent 97970e7fb9
3 changed files with 62 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,15 @@
+keys:
+  - &admin_jalr 66FB54F6081375106EEBF651A222365EB448F934
+  - &admin_jalr_tb FE170812543DF81393EA56BA5042B8317A10617E
+  - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
+creation_rules:
+  - path_regex: machines/hafnium/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *admin_jalr_tb
+      age:
+      - *host_hafnium
+  - path_regex: secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *admin_jalr
--- a/machines/hafnium/configuration.nix
+++ b/machines/hafnium/configuration.nix
@ -79,11 +79,16 @@
    tradebyte.enable = true;
  };

+
+  sops.secrets.wireguard_key_tbcore = {
+    sopsFile = ./secrets.yaml;
+  };
+
  networking.wg-quick.interfaces.tbcore = {
    address = [
      "172.27.27.16/32"
    ];
-    privateKeyFile = "/root/wireguard-keys/tradebyte-core";
+    privateKeyFile = config.sops.secrets.wireguard_key_tbcore.path;
    listenPort = 51930;

    peers = [
--- a/machines/hafnium/secrets.yaml
+++ b/machines/hafnium/secrets.yaml
@ -0,0 +1,41 @@
+wireguard_key_tbcore: ENC[AES256_GCM,data:/VdCVC6xciihm2suOiuNabAWPhWPGSyWSKbLKRpy8EK7aXpyxZPybnANc1E=,iv:/LxrjPLzUkHdyT45RIfbfc4Xa3vsnQNiamnbiMdubpg=,tag:N5nFx1QsH9FGiK9DrMg2hQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlZBSFBKNXJ4QmpDZUpT
+            NE91ek10QkwxSU1XTE81cGxHZXZmL1JncEY0ClZFbVd5dG14L1hqQlRWTDVkZmpx
+            V1EzSG9rMC80WTNIZExXOXU1VjcrMk0KLS0tIElWdkh4MzNyeTNteDJTY3RvanQx
+            ai9YdFdleXNNY2pXQzZMem0vdDdSMjgKvngMU5Y1/Pp+G/a9SyewkN9wr22ZcGP6
+            XHHadzk6NE7BJWqquY+2B0Rh3B1Ow+rC8yJd7FhJlHw+i0Bp/d/ESw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-04-20T21:30:01Z"
+    mac: ENC[AES256_GCM,data:10Zom+LCbbfPsiFi9O+988jbGNmKS432CHTWejO0XRQduumKk/hvMIG6JTSM303H1lwZdQMj1YI5QcHuyAAU76t87ZrRvvaz+P2sazvta5iRywDS0mA27cf6z6n5n+B5vWNXmaKNu9v521oxLCQEIDGsLi8d8RXzpt+JzzxjBZs=,iv:KR1lpU/Egc7Ns2YGhOXj1W+UDgCCm112JPHhzfMyM6Q=,tag:chGl8SLCKP6ugrzR5QNJ4g==,type:str]
+    pgp:
+        - created_at: "2022-04-20T21:27:25Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6jlFWJ+id7kARAArP1hdPwQk2XyKsXYnSj6vxK81GhfZp3tkYEqsU3Jdpwn
+            OR+0SnuoNWk4dN4JE4ooS5DOhS0ZaVsglLPtiLLohGWYY4OrX33JHZN4oEa5GMBK
+            t9b0YNb9owow0MSFN679tmiCMvzXGprT0mdWO3/X/HlKvCcTYPRqul4BVeVR/LyG
+            V94MSaF3BUwFb4p/Q8jcWfsfH5gmMpiFHQsmtci4LjDHvAVCFzI3AjcbRRJUfO5v
+            ampZ+9yUNo8Y6btrQQWvMoGpOp6U7cj6rTk+eZuW16/7WbHMz6WSpolDyy01QjzQ
+            szS5RuACnUTMqG4YWQk90H3Srgq/6CFBVLSTm2h8zdO9UZcgkJRYLTFczbYbyqgN
+            2Vpjf0UwIv5MHvdo1QZJeBEl8TxjI5UZY2/UDOb9OZXktcAxW5U0Wy6pZIfUsJpk
+            GJeAb+P3pLvs62hkNSS+rGoGvLX2u0R/Xvw1btTdLLOeIOPNGF8lau32mBuErIZ9
+            2E44N1qV8uQDkDdvaKpj4ikf/0MURPW4GWXST3K/BwD1Gos2SzVD17kXGGOVdeOP
+            Q19LSo06h2Cq+zNcyKU4C0IdRPvFLKJbyEN3vDYXGnJK7lqGr/UDDcPgYPHVPn1Q
+            gTdmAk2e8lZY6O0OP5tth5cMjJZj5msvjbww9J1PA3VnBuo8+17zCJ/IYwCUlEbS
+            XgEWH0LKnwjG7Ufr8eT0DzeCJoD2U/2h+8/+Q2dc4YqokIPW7VuZhR+HZygVAX65
+            1yT/1z+1Hr6kLr9cDLzjyPRu5rNgZJHc8pxkbrQsT764oclvfbgIcmvko9Fsg4o=
+            =S5XT
+            -----END PGP MESSAGE-----
+          fp: FE170812543DF81393EA56BA5042B8317A10617E
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2