fi/nix-infra
1
2
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Migrate lifeline to sops-nix

Browse source
This commit is contained in:
Fiona Grzebien 2026-05-17 03:25:55 +02:00
commit 8784537a38
Signed by: fi
SSH key fingerprint: SHA256:HQgl5VGC4+Yw3ds/0I/DqTge63SPBXvXwhNG/gRW26U
3 changed files with 42 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

18
config/hosts/lifeline/configuration.nix
View file

@ -26,7 +26,7 @@
{
name = "mail-2";
publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk";
allowedIPs = [ "172.18.50.2/32" ];
}
];
@ -38,7 +38,7 @@
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE
'';
privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey";
};
};
nat = {
@ -62,5 +62,19 @@
services.prometheus.exporters.node.enable = false;
sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-lifeline-wg0-privatekey" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
system.stateVersion = "23.05";
}

21
config/hosts/lifeline/secrets.nix
View file

@ -1,21 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-lifeline-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-lifeline-mail-2-lifeline-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

26
config/hosts/lifeline/secrets.yaml Normal file
View file

@ -0,0 +1,26 @@
wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str]
wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz
YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM
bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz
ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa
Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp
WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG
MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr
SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C
XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw==
-----END AGE ENCRYPTED FILE-----
recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua
lastmodified: "2026-05-17T01:24:39Z"
mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0