Added wgautomesh to secret management; handling of the secret happens inside the wgautomesh module.

This commit is contained in:
Lyn 2024-11-13 22:40:30 +01:00
parent ef09f73a5e
commit 0743facbde
3 changed files with 51 additions and 3 deletions


@ -2,13 +2,14 @@
- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
- &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
- &wg-gateway age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
creation_rules:
- path_regex: secrets/all/[^/]+\.yaml$
key_groups:
- age:
- *Lyn
- *forgenite
- *wg-gateway
#hosts
- path_regex: secrets/hosts/forgenite.yaml
key_groups:
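Review bot: Adding `*wg-gateway` to the key group of the `secrets/all/[^/]+\.yaml$` rule lets that host's age key decrypt every secret matching the rule, not only the new mesh gossip secret; if the gateway only needs the gossip secret, a separate `path_regex` rule matching just that file, with its own `key_groups`, keeps the other `all/` secrets on the narrower recipient set. Files already under `secrets/all/` stay encrypted to the old recipient set until they are re-keyed, so whether the broader grant is intended is worth stating in a comment next to the recipient, e.g. `# wg-gateway: mesh gossip secret (re-key with sops updatekeys to extend)`. The old/new side of the lines in this section is not shown, so which line is the addition is inferred from the context.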


@ -7,6 +7,11 @@
}: let
prefix = "lyn";
# decrypt gossip secret
# change this to comply with you secret management
${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {};
gossip_secret_path = config.sops.secrets."all/meshnetwork/gossip_secret".path;
# function to make a peerlist suitable for wgautomesh
buildPeerlist = version: hosts: let
#filter out hosts that have wg.enabled set to false
@ -14,7 +19,7 @@
#filter out hosts that don't support IP{$version}
filteredHosts = lib.filterAttrs (_: host: host.${version}.public != "") wgEnabledHosts;
in
lib.mapAttrs (name: host: {
lib.mapAttrsToList (name: host: {
pubkey = host.wg.pubkey;
#if there is no public IP, make endpoint null so wgautomesh knows it unknown
endpoint = host.${version}.public;
@ -52,6 +57,7 @@ in {
else buildPeerlist "v4" meshnetwork.hosts;
upnp_forward_external_port = wireguardPort;
};
gossipSecretFile = gossip_secret_path;
};
};
}
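Review bot: The line `${prefix}.sops.secrets."all/meshnetwork/gossip_secret" = {};` appears to sit inside the `let` that opens at `}: let`, where it is only a local binding and does not register the secret with sops (Nix also rejects dynamic attribute names in `let`), so `config.sops.secrets."all/meshnetwork/gossip_secret".path` on the next line would resolve only if the secret is declared elsewhere. The declaration presumably belongs in the module's result set after `in {`, e.g. `sops.secrets."all/meshnetwork/gossip_secret" = {};` under whatever namespace `${prefix}` is meant to select, alongside the `gossipSecretFile = gossip_secret_path;` assignment in the last hunk. The secret is declared with default options, so if the wgautomesh service does not run as root the file's `owner`/`mode` need to be set for it to be readable — confirm against the service's user. The comment `# change this to comply with you secret management` should read `your`.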


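--- /dev/null
+++ b/<PATH-NOT-SHOWN>
@@ -0,0 +1,41 @@
+all:
+meshnetwork:
+gossip_secret: ENC[AES256_GCM,data:Dl8eq6gtO7sr/eUSYLzP9pipQeP4AWG4//5zG2kfBZG+z9cJx3c0EKcH8Q8=,iv:tBkTBPD2gINdw8K/G0eS8VAvMZield37bef7jv3EmOg=,tag:WGKuN6dYSR3o4DV75txeuQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByK1hQNlZINThQaStmVXNN
+aTdtUXFibFVxQnYvMmllZnN3RVZJYWVSdWs0CitRWnZuUHdPWjRmOTJtbVVxZk9O
+ZUlraEU5RlNGd05sNmxUMTBCV0daR2cKLS0tIGt1dlVKdzVKRUJlbmNhYk5UakFm
+Sy9kVUFRT3QweHlpMEV6M1c2WlptRW8KSBnHRZi+anBigok7Xz7yKWZmrS4uz10j
+nlS+hWl786Ck04X6eLNLtySQpqhmVtHazzEUZmvT1VOqbaoijxQf6A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTjhCdW5FT2I0NkdCdmpN
+SjBHczFGd2hVTGIySUdoakxoZXhtNjdhM2dnCmFrbUhpVGFlNVBpbm94OS9zSE80
+TWRoUmtsdklRVjNtaXNYNzFPNFpLd28KLS0tIHMwMDh0TmNlUlFTWnIwWUZGQ1Bu
+eVFQc1lyODJIZi93RXJxZzYvSzQ4Z3MKl2OQ3XoJjuXYTYZqgusWzaO0laBeyzc6
+yy5MCXAmw73f81ng+zm/51UsY/TXzE96Zywm/Tsd+v2BkZSHDPHENg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1xm5ewmhxsdn34c6h9v3hzs0ka0qvmywnkgw94j7r2cxpqh2c8v4q7h6qhd
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4d3JnNk9TcXNiRW1zQzFF
+THdZVmZqeHplQWcrTlllekVBZTlNbDhSZmhJCnVsY0xabDNOVncwdjY2RzRuNnI4
+djNNcHpCem1sOE90TEdTYmNmZ3lyejQKLS0tIGNmM3FoTWJFd1FyVHFrR08rc1g3
+S3dUbkV1Zld1NW1iZ3ZZU3RZQnVhTk0KsmZCvYGehH+EHWsFfMspf177MLwV1RrI
++KEvBIU+j7ab7Sdm/q17KxCxp5MrHYzp2LxWoF6Su7vTWt4mEg36iA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-11-13T21:32:40Z"
+mac: ENC[AES256_GCM,data:s2xkpc3MgU6iL+nw7YsMPj2oJ9sxXfEUYzMLhc13iBT/0eP+Nuu5vRCZAStPXSHdVyXtjjDAlZShKyo9MgLb0tImYy1hqJRwXDBuckIxXd90I9h3oTg/Y78lnKBsPvEpqsVQSgn1gmiOwO48fFEG3rwzdnM1BG4ZRvAoE1oVET0=,iv:9zYxrc/AvbF+D1lNyqAkPtQvPDUsTx3O3yUnIkO1IJY=,tag:oAlkPPakwrVwpahDdxp3GA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.1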