diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index e581f8c..3534c33 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -23,26 +23,26 @@
 {
 name = "site1-grzb";
 publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
- presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret";
+ presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-grzb-psk";
 endpoint = "site1.grzb.de:51826";
 allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
 }
 {
 name = "site2-grzb";
 publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
- presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret";
+ presharedKeyFile = "/run/secrets/wireguard-valkyrie-site2-grzb-psk";
 endpoint = "site2.grzb.de:51826";
 allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
 }
 {
 name = "site1-jsts";
 publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
- presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret";
+ presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-jsts-psk";
 endpoint = "site1.jsts.xyz:51823";
 allowedIPs = [ "10.203.10.4/32" ];
 }
 ];
- privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
+ privateKeyFile = "/run/secrets/wireguard-valkyrie-wg0-privatekey";
 };
 # mail-1 VPN
 wg1 = {
@@ -54,7 +54,7 @@
 {
 name = "mail-1";
 publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
- presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret";
+ presharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-valkyrie-psk";
 allowedIPs = [ "172.18.50.2/32" ];
 }
 ];
@@ -66,7 +66,7 @@
 ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
 ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE
 '';
- privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret";
+ privateKeyFile = "/run/secrets/wireguard-valkyrie-wg1-privatekey";
 };
 };
 };
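Review bot: The new `presharedKeyFile` and `privateKeyFile` values hard-code the `/run/secrets/<name>` location rather than referencing the `sops.secrets` declarations this commit adds in the `@@ -96` hunk; `presharedKeyFile = config.sops.secrets."wireguard-valkyrie-site1-grzb-psk".path;` keeps the path tied to the declaration (so a changed mount point or a per-secret `path` cannot leave the tunnel pointing at a missing file) and turns a misspelled secret name into an evaluation error instead of a runtime failure. The same applies to the other four literals in this hunk and to the `@@ -54` and `@@ -66` hunks. The `wg0` interface definition enclosing these peers begins outside the hunk, and this assumes `config` is among the module's arguments, which the diff does not show.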
@@ -96,5 +96,42 @@
 services.prometheus.exporters.node.enable = false;
+ sops.secrets."wireguard-valkyrie-wg0-privatekey" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg0.service" ];
+ };
+ sops.secrets."wireguard-valkyrie-site1-grzb-psk" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg0.service" ];
+ };
+ sops.secrets."wireguard-valkyrie-site2-grzb-psk" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg0.service" ];
+ };
+ sops.secrets."wireguard-valkyrie-site1-jsts-psk" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg0.service" ];
+ };
+ sops.secrets."wireguard-valkyrie-wg1-privatekey" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg1.service" ];
+ };
+ sops.secrets."wireguard-valkyrie-mail-1-valkyrie-psk" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "wireguard-wg1.service" ];
+ };
+
 system.stateVersion = "24.11";
 }
diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix
deleted file mode 100644
index 3acc555..0000000
--- a/config/hosts/valkyrie/secrets.nix
+++ /dev/null
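Review bot: The six `sops.secrets` declarations differ only in the secret name and the unit to restart, so the mode/owner/group policy is repeated six times and a later tightening (for example to `0400`) needs six edits; a small helper, as below, keeps it in one place and pairs each tunnel with its key material explicitly. Nothing in this hunk tells sops-nix which file holds these entries, so this relies on `sops.defaultSopsFile` (or a per-secret `sopsFile`) being set in a module outside the diff — worth confirming, since otherwise decryption fails at activation. The helper assumes `lib` is among the module arguments, which the hunk does not show.
```nix
  # … unchanged: services.prometheus.exporters.node.enable …

  sops.secrets =
    let
      # One policy for every WireGuard key/PSK: readable by root only,
      # and the owning tunnel is restarted when the secret changes.
      wgSecret = unit: {
        mode = "0440";
        owner = "root";
        group = "root";
        restartUnits = [ unit ];
      };
      forUnit = unit: names: lib.genAttrs names (_: wgSecret unit);
    in
    forUnit "wireguard-wg0.service" [
      "wireguard-valkyrie-wg0-privatekey"
      "wireguard-valkyrie-site1-grzb-psk"
      "wireguard-valkyrie-site2-grzb-psk"
      "wireguard-valkyrie-site1-jsts-psk"
    ]
    // forUnit "wireguard-wg1.service" [
      "wireguard-valkyrie-wg1-privatekey"
      "wireguard-valkyrie-mail-1-valkyrie-psk"
    ];

  # … unchanged: system.stateVersion …
```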
@@ -1,53 +0,0 @@
-{ keyCommandEnv, ... }:
-{
- deployment.keys = {
- "wireguard-valkyrie-wg0-privatekey.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "wireguard-valkyrie-site1-grzb-psk.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "wireguard-valkyrie-site2-grzb-psk.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "wireguard-valkyrie-site1-jsts-psk.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "wireguard-valkyrie-wg1-privatekey.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
- destDir = "/secrets";
- user = "root";
- group = "root";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
- };
-}
diff --git a/config/hosts/valkyrie/secrets.yaml b/config/hosts/valkyrie/secrets.yaml
new file mode 100644
index 0000000..57e5ccb
--- /dev/null
+++ b/config/hosts/valkyrie/secrets.yaml
@@ -0,0 +1,30 @@
+wireguard-valkyrie-wg0-privatekey: ENC[AES256_GCM,data:9swm9dqXWFAcYIHyGjDEyxxr9BTio6RiRKCkdpNp4Y9Sr7W47j84w6kGcH4=,iv:kNOoW38EasmwgdY3P6+Tsd0ufJCL6n9SU9IjMgN5E+U=,tag:vLZqiv+ONLuKpogXM/Lbng==,type:str]
+wireguard-valkyrie-site1-grzb-psk: ENC[AES256_GCM,data:b9OrqPFS0oBO8CegA23T9Vxb68hN5F2td6Z7NuIs8Rkr8dcfTAFnsBRNybY=,iv:B/qO6alDlDohDUMnDadMbqXTWi7q1c3B3sx7wk2MvL4=,tag:/Ene7PsPErH5rU+qaOA9wQ==,type:str]
+wireguard-valkyrie-site2-grzb-psk: ENC[AES256_GCM,data:DTpDyVXnH9Vz+4YnLY3WbVhFEvjVh5t/M6l9N+gQSAVAg+NDZxhveBuR0O8=,iv:idIPxZ6Oxn0sob2lrGt2wsUWR8mlZ+ddRSlcb5uHbcA=,tag:qNXbUtwtY5KnPp1wHniD9g==,type:str]
+wireguard-valkyrie-site1-jsts-psk: ENC[AES256_GCM,data:BJ2U779egMGG1DyuxcGYcX1yZdqybXqmtFJpzOZ5xOeHo98sb+j4O8Q3VVs=,iv:FDqcFdqPTn2CqY+lXSdXowEHAWIugkj+o+p3QNzYNWo=,tag:RXXhL3hgFjFPOSzNvqbpXw==,type:str]
+wireguard-valkyrie-wg1-privatekey: ENC[AES256_GCM,data:5fyjBs7ZH1DomFKFXelVSRF0QvHnLrhztYCy2rghpNkHWEWaf0RJaCZHQ+8=,iv:aoYbWKcPW1LBljYFN5s3Le0LbQOBltTicEbyZCSFQ3o=,tag:MjmOG+79D3szR9tEFIaKCA==,type:str]
+wireguard-valkyrie-mail-1-valkyrie-psk: ENC[AES256_GCM,data:g3IHwa5KBLGBYcl27UtHEn3oa2oFY9cZ4vVodhF3sHUmVPhwfrLulEkqXi0=,iv:yom0odezXCMf9uHVAJWil38R7jSy+D8spJC37EFnq1s=,tag:uCNG66hs3zKntrzBfWVdZg==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdkltL1RSSG1CczZnanRV
+ Zzd4aW1BbUR2S2NpcFZmNXZCQTNGdmQxVW5BCkVDRnZPNEl5MW5lY1ZDRnFBN3Y3
+ bm1MSTVyZnp0M2pCbXhCQ2NjT28zdzgKLS0tIEFuNDhvMGZkaE5UbGQ4WlVvZUZo
+ YzR2Mm9sd3hWQkdvOGJ6MkhSa2J5bEEKWWzpmcva3cXFa53SrrSM+CPaj6tHRnRX
+ UkJELp8VQDgUOCWnWAy6gbmmu9bNYSEyjzufu0eW1GArOs9F/QvQPg==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZ2VNVGxWc3JLeFZDMFF2
+ c3g0V2ZybnFNVkJUZlF4WWFHWWRCNHl5QVJNCk1PcU9yM3ZjakhMazZWSlFSN3pW
+ eEZTaWdqaDZkUE1qZ2MyM1RodkxOeUEKLS0tIGRicURwV1lhck1DTVo2YzhkeXlN
+ QnBnY3ViYUw4NkszVWhaMXhPM1BQdjAKFzJexdsikV4im1B50bKM6FKfN3RQHTqa
+ 9fU5X3xjdH7jpBhGn5HGROvMNjmPrlbz5DaxIJ1hUtUtc8fpYPoNgA==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee
+ lastmodified: "2026-05-24T00:00:10Z"
+ mac: ENC[AES256_GCM,data:Ioke9QIDw2GM36EMiHKVC00WyBbZbqNd+e/hF+ZUiFudH7GAVDfWBM8FaP3Q5uQBpoPvHzVsYIMV+15daVEKvU0zIep2Aqluxclijb9ljuxmn6JpC29tImyMzEMUw18bgqaoHQvCa5qscC01QFzpFN3mASeVlAJCPl8ggOu4gsE=,iv:JEwH0GLrLJd1ptQDJKpUJLCreYJGVeWzONBasIJ4ors=,tag:jo7p7HDBrV5XBPyKtpep+w==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0
diff --git a/config/hosts/valkyrie/services.nix b/config/hosts/valkyrie/services.nix
index dc0fa6d..83ad8ff 100644
--- a/config/hosts/valkyrie/services.nix
+++ b/config/hosts/valkyrie/services.nix
@@ -30,5 +30,7 @@ in
 User = "root";
 Group = "root";
 };
+
+ wantedBy = [ "multi-user.target" ];
 };
 }
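Review bot: The added `wantedBy = [ "multi-user.target" ]` starts this root-run unit at every boot, but the hunk adds no `after`/`requires` ordering; if the service talks to peers over the wg0/wg1 tunnels from configuration.nix, it can race `wireguard-wg0.service`/`wireguard-wg1.service` on boot, and `after = [ "wireguard-wg0.service" "wireguard-wg1.service" ];` alongside the new line would remove that. The unit's name and the rest of its definition, including whatever `serviceConfig` runs with `User = "root"`, start before the hunk, so this is a point to check rather than a confirmed defect. A short comment above the added line stating why the unit now has to run unattended at boot, e.g. `# Enabled at boot: <reason>`, would also help the next reader.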