From 1e5d5f7ab6e85a5f17c928b022e9817501d3e4d6 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Wed, 27 Apr 2022 10:32:05 +0000
Subject: [PATCH] Add wireguard key for tbcore
---
.sops.yaml | 15 +++++++++++
machines/hafnium/configuration.nix | 7 ++++-
machines/hafnium/secrets.yaml | 41 ++++++++++++++++++++++++++++++
3 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 .sops.yaml
create mode 100644 machines/hafnium/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f994f14
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+keys:
+ - &admin_jalr 66FB54F6081375106EEBF651A222365EB448F934
+ - &admin_jalr_tb FE170812543DF81393EA56BA5042B8317A10617E
+ - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et
+creation_rules:
+ - path_regex: machines/hafnium/secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_jalr_tb
+ age:
+ - *host_hafnium
+ - path_regex: secrets\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_jalr
diff --git a/machines/hafnium/configuration.nix b/machines/hafnium/configuration.nix
index 9462275..be141db 100644
--- a/machines/hafnium/configuration.nix
+++ b/machines/hafnium/configuration.nix
@@ -79,11 +79,16 @@ tradebyte.enable = true; }; + + sops.secrets.wireguard_key_tbcore = { + sopsFile = ./secrets.yaml; + }; + networking.wg-quick.interfaces.tbcore = { address = [ "172.27.27.16/32" ]; - privateKeyFile = "/root/wireguard-keys/tradebyte-core"; + privateKeyFile = config.sops.secrets.wireguard_key_tbcore.path; listenPort = 51930; peers = [
diff --git a/machines/hafnium/secrets.yaml b/machines/hafnium/secrets.yaml
new file mode 100644
index 0000000..1a48ced
--- /dev/null
+++ b/machines/hafnium/secrets.yaml
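Review bot: The two `creation_rules` in `.sops.yaml` depend on their order, and nothing in the file says so. sops applies the first rule whose `path_regex` matches, and `machines/hafnium/secrets.yaml` also matches the catch-all `secrets\.yaml$`, so a reordering would encrypt hafnium's secrets to `admin_jalr` only and drop the `host_hafnium` age recipient. I would add a comment above the first rule, for example `# order matters: sops uses the first matching rule; keep per-machine rules above the catch-all`. The catch-all also lists no host recipient, so a new machine's `secrets.yaml` added without its own rule would presumably not be decryptable on that machine; a one-line comment on that rule would make the expectation explicit.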
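Review bot: In `machines/hafnium/configuration.nix`, `privateKeyFile` no longer points at `/root/wireguard-keys/tradebyte-core`, but nothing in this change removes that file, so the plaintext private key presumably stays on the host's disk after the switch. If the sops secret holds the same key, the old copy should be deleted once the new path is deployed, and if that file was ever picked up by backups or disk images, rotating the WireGuard key is the cleaner option. A comment next to the new line would record this, e.g. `# key is provisioned by sops-nix; remove the old /root/wireguard-keys/tradebyte-core after deploy`. The secret is declared with only `sopsFile`, so its owner and mode are whatever sops-nix defaults to; stating them explicitly would make the root-only intent visible. The enclosing attribute set starts and ends outside the hunk.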
@@ -0,0 +1,41 @@ +wireguard_key_tbcore: ENC[AES256_GCM,data:/VdCVC6xciihm2suOiuNabAWPhWPGSyWSKbLKRpy8EK7aXpyxZPybnANc1E=,iv:/LxrjPLzUkHdyT45RIfbfc4Xa3vsnQNiamnbiMdubpg=,tag:N5nFx1QsH9FGiK9DrMg2hQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlZBSFBKNXJ4QmpDZUpT + NE91ek10QkwxSU1XTE81cGxHZXZmL1JncEY0ClZFbVd5dG14L1hqQlRWTDVkZmpx + V1EzSG9rMC80WTNIZExXOXU1VjcrMk0KLS0tIElWdkh4MzNyeTNteDJTY3RvanQx + ai9YdFdleXNNY2pXQzZMem0vdDdSMjgKvngMU5Y1/Pp+G/a9SyewkN9wr22ZcGP6 + XHHadzk6NE7BJWqquY+2B0Rh3B1Ow+rC8yJd7FhJlHw+i0Bp/d/ESw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-04-20T21:30:01Z" + mac: ENC[AES256_GCM,data:10Zom+LCbbfPsiFi9O+988jbGNmKS432CHTWejO0XRQduumKk/hvMIG6JTSM303H1lwZdQMj1YI5QcHuyAAU76t87ZrRvvaz+P2sazvta5iRywDS0mA27cf6z6n5n+B5vWNXmaKNu9v521oxLCQEIDGsLi8d8RXzpt+JzzxjBZs=,iv:KR1lpU/Egc7Ns2YGhOXj1W+UDgCCm112JPHhzfMyM6Q=,tag:chGl8SLCKP6ugrzR5QNJ4g==,type:str] + pgp: + - created_at: "2022-04-20T21:27:25Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA6jlFWJ+id7kARAArP1hdPwQk2XyKsXYnSj6vxK81GhfZp3tkYEqsU3Jdpwn + OR+0SnuoNWk4dN4JE4ooS5DOhS0ZaVsglLPtiLLohGWYY4OrX33JHZN4oEa5GMBK + t9b0YNb9owow0MSFN679tmiCMvzXGprT0mdWO3/X/HlKvCcTYPRqul4BVeVR/LyG + V94MSaF3BUwFb4p/Q8jcWfsfH5gmMpiFHQsmtci4LjDHvAVCFzI3AjcbRRJUfO5v + ampZ+9yUNo8Y6btrQQWvMoGpOp6U7cj6rTk+eZuW16/7WbHMz6WSpolDyy01QjzQ + szS5RuACnUTMqG4YWQk90H3Srgq/6CFBVLSTm2h8zdO9UZcgkJRYLTFczbYbyqgN + 2Vpjf0UwIv5MHvdo1QZJeBEl8TxjI5UZY2/UDOb9OZXktcAxW5U0Wy6pZIfUsJpk + GJeAb+P3pLvs62hkNSS+rGoGvLX2u0R/Xvw1btTdLLOeIOPNGF8lau32mBuErIZ9 + 2E44N1qV8uQDkDdvaKpj4ikf/0MURPW4GWXST3K/BwD1Gos2SzVD17kXGGOVdeOP + Q19LSo06h2Cq+zNcyKU4C0IdRPvFLKJbyEN3vDYXGnJK7lqGr/UDDcPgYPHVPn1Q + gTdmAk2e8lZY6O0OP5tth5cMjJZj5msvjbww9J1PA3VnBuo8+17zCJ/IYwCUlEbS + XgEWH0LKnwjG7Ufr8eT0DzeCJoD2U/2h+8/+Q2dc4YqokIPW7VuZhR+HZygVAX65 + 
1yT/1z+1Hr6kLr9cDLzjyPRu5rNgZJHc8pxkbrQsT764oclvfbgIcmvko9Fsg4o= + =S5XT + -----END PGP MESSAGE----- + fp: FE170812543DF81393EA56BA5042B8317A10617E + unencrypted_suffix: _unencrypted + version: 3.7.2