added wgautomesh to secret management, handling of the secret happens inside the wgautomesh module
This commit is contained in:
parent
ef09f73a5e
commit
0743facbde
3 changed files with 51 additions and 3 deletions
@ -2,13 +2,14 @@
- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
- &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
- &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
- &wg-gateway age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
creation_rules:
creation_rules:
- path_regex: secrets/all/[^/]+\.yaml$
- path_regex: secrets/all/[^/]+\.yaml$
key_groups:
key_groups:
- age:
- age:
- *Lyn
- *Lyn
- *forgenite
- *forgenite
- *wg-gateway
#hosts
#hosts
- path_regex: secrets/hosts/forgenite.yaml
- path_regex: secrets/hosts/forgenite.yaml
key_groups:
key_groups:
@ -19,4 +20,4 @@
key_groups:
key_groups:
- age:
- age:
- *Lyn
- *Lyn
- *forgejo-ci
- *forgejo-ci
@ -7,6 +7,11 @@
}: let
}: let
prefix = "lyn";
prefix = "lyn";
# decrypt gossip secret
# change this to comply with you secret management
${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {};
gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;
# function to make a peerlist suitable for wgautomesh
# function to make a peerlist suitable for wgautomesh
buildPeerlist = version: hosts: let
buildPeerlist = version: hosts: let
#filter out hosts that have wg.enabled set to false
#filter out hosts that have wg.enabled set to false
@ -14,7 +19,7 @@
#filter out hosts that don't support IP{$version}
#filter out hosts that don't support IP{$version}
filteredHosts = lib.filterAttrs (_: host: host.${version}.public != "") wgEnabledHosts;
filteredHosts = lib.filterAttrs (_: host: host.${version}.public != "") wgEnabledHosts;
in
in
lib.mapAttrs (name: host: {
lib.mapAttrsToList (name: host: {
pubkey = host.wg.pubkey;
pubkey = host.wg.pubkey;
#if there is no public IP, make endpoint null so wgautomesh knows it unknown
#if there is no public IP, make endpoint null so wgautomesh knows it unknown
endpoint = host.${version}.public;
endpoint = host.${version}.public;
@ -52,6 +57,7 @@ in {
else buildPeerlist "v4" meshnetwork.hosts;
else buildPeerlist "v4" meshnetwork.hosts;
upnp_forward_external_port = wireguardPort;
upnp_forward_external_port = wireguardPort;
};
};
gossipSecretFile = gossip_secret_path;
};
};
};
};
}
}
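Review bot: The added line `${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {};` in the first hunk of this file sits inside the `let` block, where it is only a local binding rather than NixOS configuration, and a dynamic `${…}` attribute name is, to my knowledge, rejected in `let`, so it appears to neither declare the sops secret nor evaluate. The following binding `gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;` therefore relies on the secret being declared somewhere outside this diff. The declaration belongs in the returned config set next to `gossipSecretFile = gossip_secret_path;` in the last hunk, as `sops.secrets."all/meshnetwork/gossip_secret" = {};`, leaving only `gossip_secret_path` in the `let`. If the wgautomesh unit does not run as root and does not receive the file through a systemd credential, the secret's `owner`/`mode` also need to permit the service to read it, since sops-nix defaults to root-only permissions. The comment should read `# change this to comply with your secret management`; the `let` block and the returned set both begin and end outside the hunks.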
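--- /dev/null
+++ b/secrets/all/meshnetwork.yaml
@@ -0,0 +1,41 @@
+all:
+meshnetwork:
+gossip_secret: ENC[AES256_GCM,data:Dl8eq6gtO7sr/eUSYLzP9pipQeP4AWG4//5zG2kfBZG+z9cJx3c0EKcH8Q8=,iv:tBkTBPD2gINdw8K/G0eS8VAvMZield37bef7jv3EmOg=,tag:WGKuN6dYSR3o4DV75txeuQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK1hQNlZINThQaStmVXNN
+aTdtUXFibFVxQnYvMmllZnN3RVZJYWVSdWs0CitRWnZuUHdPWjRmOTJtbVVxZk9O
+ZUlraEU5RlNGd05sNmxUMTBCV0daR2cKLS0tIGt1dlVKdzVKRUJlbmNhYk5UakFm
+Sy9kVUFRT3QweHlpMEV6M1c2WlptRW8KSBnHRZi+anBigok7Xz7yKWZmrS4uz10j
+nlS+hWl786Ck04X6eLNLtySQpqhmVtHazzEUZmvT1VOqbaoijxQf6A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjhCdW5FT2I0NkdCdmpN
+SjBHczFGd2hVTGIySUdoakxoZXhtNjdhM2dnCmFrbUhpVGFlNVBpbm94OS9zSE80
+TWRoUmtsdklRVjNtaXNYNzFPNFpLd28KLS0tIHMwMDh0TmNlUlFTWnIwWUZGQ1Bu
+eVFQc1lyODJIZi93RXJxZzYvSzQ4Z3MKl2OQ3XoJjuXYTYZqgusWzaO0laBeyzc6
+yy5MCXAmw73f81ng+zm/51UsY/TXzE96Zywm/Tsd+v2BkZSHDPHENg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4d3JnNk9TcXNiRW1zQzFF
+THdZVmZqeHplQWcrTlllekVBZTlNbDhSZmhJCnVsY0xabDNOVncwdjY2RzRuNnI4
+djNNcHpCem1sOE90TEdTYmNmZ3lyejQKLS0tIGNmM3FoTWJFd1FyVHFrR08rc1g3
+S3dUbkV1Zld1NW1iZ3ZZU3RZQnVhTk0KsmZCvYGehH+EHWsFfMspf177MLwV1RrI
++KEvBIU+j7ab7Sdm/q17KxCxp5MrHYzp2LxWoF6Su7vTWt4mEg36iA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-13T21:32:40Z"
+mac: ENC[AES256_GCM,data:s2xkpc3MgU6iL+nw7YsMPj2oJ9sxXfEUYzMLhc13iBT/0eP+Nuu5vRCZAStPXSHdVyXtjjDAlZShKyo9MgLb0tImYy1hqJRwXDBuckIxXd90I9h3oTg/Y78lnKBsPvEpqsVQSgn1gmiOwO48fFEG3rwzdnM1BG4ZRvAoE1oVET0=,iv:9zYxrc/AvbF+D1lNyqAkPtQvPDUsTx3O3yUnIkO1IJY=,tag:oAlkPPakwrVwpahDdxp3GA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.1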