added wgautomesh to secret management, handling of the secret happens inside the wgautomesh module

2024-11-13 22:40:30 +01:00 · 2024-11-13 22:40:30 +01:00 · 0743facbde
commit 0743facbde
parent ef09f73a5e
3 changed files with 51 additions and 3 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -2,13 +2,14 @@
    - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
    - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
    - &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
-
+    - &wg-gateway age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
  creation_rules:
    - path_regex: secrets/all/[^/]+\.yaml$
      key_groups:      
      - age:
        - *Lyn
        - *forgenite
+        - *wg-gateway
    #hosts
    - path_regex: secrets/hosts/forgenite.yaml
      key_groups:
@ -19,4 +20,4 @@
      key_groups:
        - age:
          - *Lyn
-          - *forgejo-ci
+          - *forgejo-ci
--- a/modules/services/wgautomesh.nix
+++ b/modules/services/wgautomesh.nix
@ -7,6 +7,11 @@
 }: let
  prefix = "lyn";

+  # decrypt gossip secret
+  # change this to comply with you secret management
+  ${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {};
+  gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;
+
  # function to make a peerlist suitable for wgautomesh
  buildPeerlist = version: hosts: let
    #filter out hosts that have wg.enabled set to false
@ -14,7 +19,7 @@
    #filter out hosts that don't support IP{$version}
    filteredHosts = lib.filterAttrs (_: host: host.${version}.public != "") wgEnabledHosts;
  in
-    lib.mapAttrs (name: host: {
+    lib.mapAttrsToList (name: host: {
      pubkey = host.wg.pubkey;
      #if there is no public IP, make endpoint null so wgautomesh knows it unknown
      endpoint = host.${version}.public;
@ -52,6 +57,7 @@ in {
          else buildPeerlist "v4" meshnetwork.hosts;
        upnp_forward_external_port = wireguardPort;
      };
+      gossipSecretFile = gossip_secret_path;
    };
  };
 }
--- a/secrets/all/meshnetwork.yaml
+++ b/secrets/all/meshnetwork.yaml
@ -0,0 +1,41 @@
+all:
+    meshnetwork:
+        gossip_secret: ENC[AES256_GCM,data:Dl8eq6gtO7sr/eUSYLzP9pipQeP4AWG4//5zG2kfBZG+z9cJx3c0EKcH8Q8=,iv:tBkTBPD2gINdw8K/G0eS8VAvMZield37bef7jv3EmOg=,tag:WGKuN6dYSR3o4DV75txeuQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK1hQNlZINThQaStmVXNN
+            aTdtUXFibFVxQnYvMmllZnN3RVZJYWVSdWs0CitRWnZuUHdPWjRmOTJtbVVxZk9O
+            ZUlraEU5RlNGd05sNmxUMTBCV0daR2cKLS0tIGt1dlVKdzVKRUJlbmNhYk5UakFm
+            Sy9kVUFRT3QweHlpMEV6M1c2WlptRW8KSBnHRZi+anBigok7Xz7yKWZmrS4uz10j
+            nlS+hWl786Ck04X6eLNLtySQpqhmVtHazzEUZmvT1VOqbaoijxQf6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjhCdW5FT2I0NkdCdmpN
+            SjBHczFGd2hVTGIySUdoakxoZXhtNjdhM2dnCmFrbUhpVGFlNVBpbm94OS9zSE80
+            TWRoUmtsdklRVjNtaXNYNzFPNFpLd28KLS0tIHMwMDh0TmNlUlFTWnIwWUZGQ1Bu
+            eVFQc1lyODJIZi93RXJxZzYvSzQ4Z3MKl2OQ3XoJjuXYTYZqgusWzaO0laBeyzc6
+            yy5MCXAmw73f81ng+zm/51UsY/TXzE96Zywm/Tsd+v2BkZSHDPHENg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4d3JnNk9TcXNiRW1zQzFF
+            THdZVmZqeHplQWcrTlllekVBZTlNbDhSZmhJCnVsY0xabDNOVncwdjY2RzRuNnI4
+            djNNcHpCem1sOE90TEdTYmNmZ3lyejQKLS0tIGNmM3FoTWJFd1FyVHFrR08rc1g3
+            S3dUbkV1Zld1NW1iZ3ZZU3RZQnVhTk0KsmZCvYGehH+EHWsFfMspf177MLwV1RrI
+            +KEvBIU+j7ab7Sdm/q17KxCxp5MrHYzp2LxWoF6Su7vTWt4mEg36iA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-13T21:32:40Z"
+    mac: ENC[AES256_GCM,data:s2xkpc3MgU6iL+nw7YsMPj2oJ9sxXfEUYzMLhc13iBT/0eP+Nuu5vRCZAStPXSHdVyXtjjDAlZShKyo9MgLb0tImYy1hqJRwXDBuckIxXd90I9h3oTg/Y78lnKBsPvEpqsVQSgn1gmiOwO48fFEG3rwzdnM1BG4ZRvAoE1oVET0=,iv:9zYxrc/AvbF+D1lNyqAkPtQvPDUsTx3O3yUnIkO1IJY=,tag:oAlkPPakwrVwpahDdxp3GA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1