diff --git a/.sops.yaml b/.sops.yaml index 6a98abc..6adc041 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,13 +2,14 @@ - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38 - &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj - + - &wg-gateway age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd creation_rules: - path_regex: secrets/all/[^/]+\.yaml$ key_groups: - age: - *Lyn - *forgenite + - *wg-gateway #hosts - path_regex: secrets/hosts/forgenite.yaml key_groups: @@ -19,4 +20,4 @@ key_groups: - age: - *Lyn - - *forgejo-ci + - *forgejo-ci \ No newline at end of file diff --git a/modules/services/wgautomesh.nix b/modules/services/wgautomesh.nix index a078c2b..1c13fb6 100644 --- a/modules/services/wgautomesh.nix +++ b/modules/services/wgautomesh.nix @@ -7,6 +7,11 @@ }: let prefix = "lyn"; + # decrypt gossip secret + # change this to comply with you secret management + ${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {}; + gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path; + # function to make a peerlist suitable for wgautomesh buildPeerlist = version: hosts: let #filter out hosts that have wg.enabled set to false @@ -14,7 +19,7 @@ #filter out hosts that don't support IP{$version} filteredHosts = lib.filterAttrs (_: host: host.${version}.public != "") wgEnabledHosts; in - lib.mapAttrs (name: host: { + lib.mapAttrsToList (name: host: { pubkey = host.wg.pubkey; #if there is no public IP, make endpoint null so wgautomesh knows it unknown endpoint = host.${version}.public; @@ -52,6 +57,7 @@ in { else buildPeerlist "v4" meshnetwork.hosts; upnp_forward_external_port = wireguardPort; }; + gossipSecretFile = gossip_secret_path; }; }; } diff --git a/secrets/all/meshnetwork.yaml b/secrets/all/meshnetwork.yaml new file mode 100644 index 0000000..59d008c --- /dev/null +++ b/secrets/all/meshnetwork.yaml 
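Review bot: Adding `- *wg-gateway` under the `secrets/all/[^/]+\.yaml$` rule lets the wg-gateway key decrypt every file under secrets/all/, not only the new meshnetwork.yaml, which is broader than the gossip secret requires. If that host needs only this one file, a narrower rule placed before the catch-all, e.g. `- path_regex: secrets/all/meshnetwork\.yaml$` with Lyn, forgenite and wg-gateway in its age group, keeps the remaining all/ secrets limited to the current two recipients, since sops applies the first creation rule whose path_regex matches. Changing a creation rule also does not re-encrypt files that already exist, so any other file under secrets/all/ would still need `sops updatekeys` before the new recipient could read it.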
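Review bot: `${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {};` sits inside the `let` block, where it is a let binding rather than module configuration: Nix does not allow dynamic attribute names such as `${prefix}` in `let`, and even a static binding there would never be seen by the module system, so the `config.sops.secrets."all/meshnetwork/gossip_secret".path` lookup on the following line only resolves if the secret is declared somewhere else. The declaration should move into the attrset returned after `in {`, next to the `gossipSecretFile = gossip_secret_path;` line added in the last hunk of this file, with only the path lookup left in `let`; this assumes `${prefix}.sops.secrets` is a repo-local option that forwards to `sops.secrets`, otherwise the lookup should use the same option namespace. The decrypted file is written by sops-nix as root-owned with a restrictive mode unless `owner` or `mode` is set, so whichever user wgautomesh runs as must be able to read it, or the module must hand it over via a systemd credential — worth confirming. The comment `# change this to comply with you secret management` should read `your`. The `let` block continues past the end of this hunk.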
@@ -0,0 +1,41 @@
+all:
+ meshnetwork:
+ gossip_secret: ENC[AES256_GCM,data:Dl8eq6gtO7sr/eUSYLzP9pipQeP4AWG4//5zG2kfBZG+z9cJx3c0EKcH8Q8=,iv:tBkTBPD2gINdw8K/G0eS8VAvMZield37bef7jv3EmOg=,tag:WGKuN6dYSR3o4DV75txeuQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK1hQNlZINThQaStmVXNN
+ aTdtUXFibFVxQnYvMmllZnN3RVZJYWVSdWs0CitRWnZuUHdPWjRmOTJtbVVxZk9O
+ ZUlraEU5RlNGd05sNmxUMTBCV0daR2cKLS0tIGt1dlVKdzVKRUJlbmNhYk5UakFm
+ Sy9kVUFRT3QweHlpMEV6M1c2WlptRW8KSBnHRZi+anBigok7Xz7yKWZmrS4uz10j
+ nlS+hWl786Ck04X6eLNLtySQpqhmVtHazzEUZmvT1VOqbaoijxQf6A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjhCdW5FT2I0NkdCdmpN
+ SjBHczFGd2hVTGIySUdoakxoZXhtNjdhM2dnCmFrbUhpVGFlNVBpbm94OS9zSE80
+ TWRoUmtsdklRVjNtaXNYNzFPNFpLd28KLS0tIHMwMDh0TmNlUlFTWnIwWUZGQ1Bu
+ eVFQc1lyODJIZi93RXJxZzYvSzQ4Z3MKl2OQ3XoJjuXYTYZqgusWzaO0laBeyzc6
+ yy5MCXAmw73f81ng+zm/51UsY/TXzE96Zywm/Tsd+v2BkZSHDPHENg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4d3JnNk9TcXNiRW1zQzFF
+ THdZVmZqeHplQWcrTlllekVBZTlNbDhSZmhJCnVsY0xabDNOVncwdjY2RzRuNnI4
+ djNNcHpCem1sOE90TEdTYmNmZ3lyejQKLS0tIGNmM3FoTWJFd1FyVHFrR08rc1g3
+ S3dUbkV1Zld1NW1iZ3ZZU3RZQnVhTk0KsmZCvYGehH+EHWsFfMspf177MLwV1RrI
+ +KEvBIU+j7ab7Sdm/q17KxCxp5MrHYzp2LxWoF6Su7vTWt4mEg36iA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-13T21:32:40Z"
+ mac: 
ENC[AES256_GCM,data:s2xkpc3MgU6iL+nw7YsMPj2oJ9sxXfEUYzMLhc13iBT/0eP+Nuu5vRCZAStPXSHdVyXtjjDAlZShKyo9MgLb0tImYy1hqJRwXDBuckIxXd90I9h3oTg/Y78lnKBsPvEpqsVQSgn1gmiOwO48fFEG3rwzdnM1BG4ZRvAoE1oVET0=,iv:9zYxrc/AvbF+D1lNyqAkPtQvPDUsTx3O3yUnIkO1IJY=,tag:oAlkPPakwrVwpahDdxp3GA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1