fi/nix-infra
1
2
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Migrate valkyrie to sops-nix

Browse source
This commit is contained in:
Fiona Grzebien 2026-05-24 02:00:19 +02:00
commit d845904ecd
Signed by: fi
SSH key fingerprint: SHA256:HQgl5VGC4+Yw3ds/0I/DqTge63SPBXvXwhNG/gRW26U
4 changed files with 75 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

49
config/hosts/valkyrie/configuration.nix
View file

@ -23,26 +23,26 @@
{ {
name = "site1-grzb"; name = "site1-grzb";
publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-grzb-psk";
endpoint = "site1.grzb.de:51826"; endpoint = "site1.grzb.de:51826";
allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ];
} }
{ {
name = "site2-grzb"; name = "site2-grzb";
publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; presharedKeyFile = "/run/secrets/wireguard-valkyrie-site2-grzb-psk";
endpoint = "site2.grzb.de:51826"; endpoint = "site2.grzb.de:51826";
allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ];
} }
{ {
name = "site1-jsts"; name = "site1-jsts";
publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE=";
presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; presharedKeyFile = "/run/secrets/wireguard-valkyrie-site1-jsts-psk";
endpoint = "site1.jsts.xyz:51823"; endpoint = "site1.jsts.xyz:51823";
allowedIPs = [ "10.203.10.4/32" ]; allowedIPs = [ "10.203.10.4/32" ];
} }
]; ];
privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; privateKeyFile = "/run/secrets/wireguard-valkyrie-wg0-privatekey";
}; };
# mail-1 VPN # mail-1 VPN
wg1 = { wg1 = {
@ -54,7 +54,7 @@
{ {
name = "mail-1"; name = "mail-1";
publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; presharedKeyFile = "/run/secrets/wireguard-valkyrie-mail-1-valkyrie-psk";
allowedIPs = [ "172.18.50.2/32" ]; allowedIPs = [ "172.18.50.2/32" ];
} }
]; ];
@ -66,7 +66,7 @@
${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens3 -j MASQUERADE
''; '';
privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; privateKeyFile = "/run/secrets/wireguard-valkyrie-wg1-privatekey";
}; };
}; };
}; };
@ -96,5 +96,42 @@
services.prometheus.exporters.node.enable = false; services.prometheus.exporters.node.enable = false;
sops.secrets."wireguard-valkyrie-wg0-privatekey" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-valkyrie-site1-grzb-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-valkyrie-site2-grzb-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-valkyrie-site1-jsts-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg0.service" ];
};
sops.secrets."wireguard-valkyrie-wg1-privatekey" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg1.service" ];
};
sops.secrets."wireguard-valkyrie-mail-1-valkyrie-psk" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "wireguard-wg1.service" ];
};
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

53
config/hosts/valkyrie/secrets.nix
View file

@ -1,53 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"wireguard-valkyrie-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-valkyrie-site1-grzb-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-valkyrie-site2-grzb-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-valkyrie-site1-jsts-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-valkyrie-wg1-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
"wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

30
config/hosts/valkyrie/secrets.yaml Normal file
View file

@ -0,0 +1,30 @@
wireguard-valkyrie-wg0-privatekey: ENC[AES256_GCM,data:9swm9dqXWFAcYIHyGjDEyxxr9BTio6RiRKCkdpNp4Y9Sr7W47j84w6kGcH4=,iv:kNOoW38EasmwgdY3P6+Tsd0ufJCL6n9SU9IjMgN5E+U=,tag:vLZqiv+ONLuKpogXM/Lbng==,type:str]
wireguard-valkyrie-site1-grzb-psk: ENC[AES256_GCM,data:b9OrqPFS0oBO8CegA23T9Vxb68hN5F2td6Z7NuIs8Rkr8dcfTAFnsBRNybY=,iv:B/qO6alDlDohDUMnDadMbqXTWi7q1c3B3sx7wk2MvL4=,tag:/Ene7PsPErH5rU+qaOA9wQ==,type:str]
wireguard-valkyrie-site2-grzb-psk: ENC[AES256_GCM,data:DTpDyVXnH9Vz+4YnLY3WbVhFEvjVh5t/M6l9N+gQSAVAg+NDZxhveBuR0O8=,iv:idIPxZ6Oxn0sob2lrGt2wsUWR8mlZ+ddRSlcb5uHbcA=,tag:qNXbUtwtY5KnPp1wHniD9g==,type:str]
wireguard-valkyrie-site1-jsts-psk: ENC[AES256_GCM,data:BJ2U779egMGG1DyuxcGYcX1yZdqybXqmtFJpzOZ5xOeHo98sb+j4O8Q3VVs=,iv:FDqcFdqPTn2CqY+lXSdXowEHAWIugkj+o+p3QNzYNWo=,tag:RXXhL3hgFjFPOSzNvqbpXw==,type:str]
wireguard-valkyrie-wg1-privatekey: ENC[AES256_GCM,data:5fyjBs7ZH1DomFKFXelVSRF0QvHnLrhztYCy2rghpNkHWEWaf0RJaCZHQ+8=,iv:aoYbWKcPW1LBljYFN5s3Le0LbQOBltTicEbyZCSFQ3o=,tag:MjmOG+79D3szR9tEFIaKCA==,type:str]
wireguard-valkyrie-mail-1-valkyrie-psk: ENC[AES256_GCM,data:g3IHwa5KBLGBYcl27UtHEn3oa2oFY9cZ4vVodhF3sHUmVPhwfrLulEkqXi0=,iv:yom0odezXCMf9uHVAJWil38R7jSy+D8spJC37EFnq1s=,tag:uCNG66hs3zKntrzBfWVdZg==,type:str]
sops:
age:
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdkltL1RSSG1CczZnanRV
Zzd4aW1BbUR2S2NpcFZmNXZCQTNGdmQxVW5BCkVDRnZPNEl5MW5lY1ZDRnFBN3Y3
bm1MSTVyZnp0M2pCbXhCQ2NjT28zdzgKLS0tIEFuNDhvMGZkaE5UbGQ4WlVvZUZo
YzR2Mm9sd3hWQkdvOGJ6MkhSa2J5bEEKWWzpmcva3cXFa53SrrSM+CPaj6tHRnRX
UkJELp8VQDgUOCWnWAy6gbmmu9bNYSEyjzufu0eW1GArOs9F/QvQPg==
-----END AGE ENCRYPTED FILE-----
recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7
- enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZ2VNVGxWc3JLeFZDMFF2
c3g0V2ZybnFNVkJUZlF4WWFHWWRCNHl5QVJNCk1PcU9yM3ZjakhMazZWSlFSN3pW
eEZTaWdqaDZkUE1qZ2MyM1RodkxOeUEKLS0tIGRicURwV1lhck1DTVo2YzhkeXlN
QnBnY3ViYUw4NkszVWhaMXhPM1BQdjAKFzJexdsikV4im1B50bKM6FKfN3RQHTqa
9fU5X3xjdH7jpBhGn5HGROvMNjmPrlbz5DaxIJ1hUtUtc8fpYPoNgA==
-----END AGE ENCRYPTED FILE-----
recipient: age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee
lastmodified: "2026-05-24T00:00:10Z"
mac: ENC[AES256_GCM,data:Ioke9QIDw2GM36EMiHKVC00WyBbZbqNd+e/hF+ZUiFudH7GAVDfWBM8FaP3Q5uQBpoPvHzVsYIMV+15daVEKvU0zIep2Aqluxclijb9ljuxmn6JpC29tImyMzEMUw18bgqaoHQvCa5qscC01QFzpFN3mASeVlAJCPl8ggOu4gsE=,iv:JEwH0GLrLJd1ptQDJKpUJLCreYJGVeWzONBasIJ4ors=,tag:jo7p7HDBrV5XBPyKtpep+w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.13.0

2
config/hosts/valkyrie/services.nix
View file

@ -30,5 +30,7 @@ in
User = "root"; User = "root";
Group = "root"; Group = "root";
}; };
wantedBy = [ "multi-user.target" ];
}; };
} }