From 1f5c5695323a0d44b29f6d9daa9051661054b20e Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Tue, 2 Jul 2024 23:20:11 +0530
Subject: [PATCH] all: cleanup wireguard secrets
---
 hosts/rico0/wireguard.nix | 22 ++++++++++++++--------
 hosts/rico1/wireguard.nix | 22 ++++++++++++++--------
 hosts/rico2/wireguard.nix | 23 +++++++++++++++--------
 hosts/skipper/network/wireguard.nix | 20 +++++++++++++-------
 secrets.yaml | 21 ++++++++++++++-------
 5 files changed, 70 insertions(+), 38 deletions(-)
diff --git a/hosts/rico0/wireguard.nix b/hosts/rico0/wireguard.nix
index 8156ff0..73a2c15 100644
--- a/hosts/rico0/wireguard.nix
+++ b/hosts/rico0/wireguard.nix
@@ -1,8 +1,15 @@
 { config, ... }: {
- sops.secrets."wireguard/psk/rico0" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
+ sops.secrets = {
+ "wireguard/rico0/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ "wireguard/rico0/psk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 };
 networking.firewall.trustedInterfaces = [ "wg0" ];
@@ -14,15 +21,14 @@
 "10.10.10.10/24"
 "fd7c:585c:c4ae::10/64"
 ];
- listenPort = 51822;
- privateKeyFile = "/persist/secrets/wireguard/private.key";
- generatePrivateKeyFile = true;
+ listenPort = 51830;
+ privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
 peers = [
 {
 name = "Proxy";
 endpoint = "165.232.180.97:51821";
 publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
- presharedKeyFile = config.sops.secrets."wireguard/psk/rico0".path;
+ presharedKeyFile = config.sops.secrets."wireguard/rico0/psk".path;
 persistentKeepalive = 20;
 allowedIPs = [
 "10.10.10.0/24"
diff --git a/hosts/rico1/wireguard.nix b/hosts/rico1/wireguard.nix
index 759434f..cc1a913 100644
--- a/hosts/rico1/wireguard.nix
+++ b/hosts/rico1/wireguard.nix
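Review bot: The `sops.secrets` block added in this hunk is repeated with only the host name changed in hosts/rico1, hosts/rico2 and hosts/skipper in the same commit, so the four definitions will drift the next time ownership or mode is adjusted. If the secret names match each host's `networking.hostName` (not visible here), a shared module using `"wireguard/${config.networking.hostName}/pk"` and `".../psk"` would express the intent once. `mode = "400"` with root ownership is the right shape for a key read only by the root-run WireGuard service; a short comment saying so, e.g. `# read by networking.wireguard.interfaces.wg0 below; root-only on purpose`, would stop a later reader from loosening it.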
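Review bot: Dropping `generatePrivateKeyFile = true` in favour of `privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path` changes where this host's WireGuard identity comes from: the key is no longer generated on the host and held only in `/persist/secrets/wireguard/private.key`, it is now provisioned from the repository's sops-encrypted secrets.yaml, and the commit message ("cleanup") should state that. Nothing in the commit removes the old key file from `/persist`, and the diff cannot show whether the `pk` secret holds the same key or a freshly generated one; if it is new, the Proxy peer's entry for this host needs the matching public key, and the stale on-disk key should be deleted since it is no longer referenced. The `listenPort` change from `51822` to `51830` (`51831`/`51832` on rico1/rico2, unchanged on skipper) is unrelated to secrets and unmentioned; if an `allowedUDPPorts` entry for the old port exists elsewhere it needs the same update. The same points apply to the corresponding hunks in hosts/rico1, hosts/rico2 and hosts/skipper; the enclosing `networking.wireguard.interfaces.wg0` block starts and ends outside this hunk.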
@@ -1,8 +1,15 @@
 { config, ... }: {
- sops.secrets."wireguard/psk/rico1" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
+ sops.secrets = {
+ "wireguard/rico1/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ "wireguard/rico1/psk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 };
 networking.firewall.trustedInterfaces = [ "wg0" ];
@@ -14,15 +21,14 @@
 "10.10.10.11/24"
 "fd7c:585c:c4ae::11/64"
 ];
- listenPort = 51822;
- privateKeyFile = "/persist/secrets/wireguard/private.key";
- generatePrivateKeyFile = true;
+ listenPort = 51831;
+ privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
 peers = [
 {
 name = "Proxy";
 endpoint = "165.232.180.97:51821";
 publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
- presharedKeyFile = config.sops.secrets."wireguard/psk/rico1".path;
+ presharedKeyFile = config.sops.secrets."wireguard/rico1/psk".path;
 persistentKeepalive = 20;
 allowedIPs = [
 "10.10.10.0/24"
diff --git a/hosts/rico2/wireguard.nix b/hosts/rico2/wireguard.nix
index b59587d..b65f71f 100644
--- a/hosts/rico2/wireguard.nix
+++ b/hosts/rico2/wireguard.nix
@@ -1,9 +1,17 @@
 { config, ... }:
 {
- sops.secrets."wireguard/psk/rico2" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
+ sops.secrets = {
+ "wireguard/rico2/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ "wireguard/rico2/psk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 };
+ networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
 enable = true;
@@ -13,15 +21,14 @@
 "10.10.10.12/24"
 "fd7c:585c:c4ae::12/64"
 ];
- listenPort = 51822;
- privateKeyFile = "/persist/secrets/wireguard/private.key";
- generatePrivateKeyFile = true;
+ listenPort = 51832;
+ privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
 peers = [
 {
 name = "Proxy";
 endpoint = "165.232.180.97:51821";
 publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
- presharedKeyFile = config.sops.secrets."wireguard/psk/rico2".path;
+ presharedKeyFile = config.sops.secrets."wireguard/rico2/psk".path;
 persistentKeepalive = 20;
 allowedIPs = [
 "10.10.10.0/24"
diff --git a/hosts/skipper/network/wireguard.nix b/hosts/skipper/network/wireguard.nix
index fd05840..1e36c60 100644
--- a/hosts/skipper/network/wireguard.nix
+++ b/hosts/skipper/network/wireguard.nix
@@ -1,8 +1,15 @@
 { config, ... }: {
- sops.secrets."wireguard/psk/skipper" = {
- mode = "400";
- owner = config.users.users.root.name;
- group = config.users.users.root.group;
+ sops.secrets = {
+ "wireguard/skipper/pk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ "wireguard/skipper/psk" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
 };
 networking.firewall.trustedInterfaces = [ "wg0" ];
 networking.wireguard = {
@@ -14,14 +21,13 @@
 "fd7c:585c:c4ae::2/64"
 ];
 listenPort = 51822;
- privateKeyFile = "/persist/secrets/wireguard/private.key";
- generatePrivateKeyFile = true;
+ privateKeyFile = config.sops.secrets."wireguard/skipper/pk".path;
 peers = [
 {
 name = "Proxy";
 endpoint = "165.232.180.97:51821";
 publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
- presharedKeyFile = config.sops.secrets."wireguard/psk/skipper".path;
+ presharedKeyFile = config.sops.secrets."wireguard/skipper/psk".path;
 persistentKeepalive = 20;
 allowedIPs = [
 "10.10.10.0/24"
diff --git a/secrets.yaml b/secrets.yaml
index d64bd08..fa9f444 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -2,11 +2,18 @@ passwd:
 root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str]
 adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str]
 wireguard:
- psk:
- skipper: ENC[AES256_GCM,data:9C94ZSteiLH/C5Q3QC/amN5QI9bSj5/xO+ClbQesE+DLrnz5ROD9jVwj0/c=,iv:PBJ5Bj169EhxBvxVJELbxGCFeaEHtPNNEsBqBp2XWg4=,tag:VRVqoF1il0/kRvFLv99V6A==,type:str]
- rico0: ENC[AES256_GCM,data:ITH8jg35ut9hBCvf2UQL3IYuGL6pEBMzlMUYxfB0VpoGVbEaZprIA4vXm78=,iv:gDDxXf7GpOil4ujTQx/a9nBfHmUH8rgn9gDhmQ15q8w=,tag:U392BI5N4trOZ+0MynKY4g==,type:str]
- rico1: ENC[AES256_GCM,data:7aH6lvmUXGOxjxhauvJq5kW3lx8VxH2nhtEnJgIlNcrEltW2G+0Rk7X1lQw=,iv:+Z5FvzvSItfY5wY6Y0c4fUZDKEEd1/hX4KFJSerMmzs=,tag:A1hJThrO2job0e68j/JorA==,type:str]
- rico2: ENC[AES256_GCM,data:WGpDzfIbZhBXWI6K7Ra1ntDkQiKLQEnfYVWd8uM58fMSLHxJztt6rjV4msA=,iv:eLMDXe7sWCqFS0mifaJeHCkOyOnXnQ8rOg5bW74os3k=,tag:GBA8eLpkoeY4nqHFc99k0g==,type:str]
+ skipper:
+ pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str]
+ psk: ENC[AES256_GCM,data:D6S3XPit4SkwsFzOFL7NXXzaxZg5R0oBvTsHVkUDHQxBzfBUA9u1iDRl2Jw=,iv:eqI5twDHGcJDDqPmBelU2XxIi84jV9k+bORgKEpz7EA=,tag:Ljj/7oA7RBEMSd6dXC7FKw==,type:str]
+ rico0:
+ pk: ENC[AES256_GCM,data:VGhOm7s/wU15h2nhDzrJdImTDv7SvmUNNQhsCJIzFmZh0mKS81au8uDJhVA=,iv:+8sTtCEXyw2fnNXS7kayOb5ldwUPnPzGaJ39UOpXKrQ=,tag:gyejp28gbMbRKaBMYYAoKA==,type:str]
+ psk: ENC[AES256_GCM,data:XlnEVm3nIGIB/e5dVnwtoAXyjYAc5iElP5mPXlqX8zttXUsEjD3ifL9/rwc=,iv:K/8EyZaNCAxSscfVrO84P86pEkdvnP9ibBDs2SWoXx8=,tag:HS8CxiSaHxyukdfk5zWIvg==,type:str]
+ rico1:
+ pk: ENC[AES256_GCM,data:pXAPjrmKYZ2HZtwEhASOIv24BAu1hmA+Gaave4IegqpJyQlpcoPnmUKWnZ8=,iv:FiFq8Uoo0pA7rJCiM5pHss2ElEzIBZ7K73wWfn9oLl8=,tag:PKzhRmqmKwMXQYeKo7nBVw==,type:str]
+ psk: ENC[AES256_GCM,data:yaSQc/NT1Res1LjU19GNFK9poeaY2M7BSSicmV237bQKxBo1hM4corPATM4=,iv:d4mOelgktH6wX6vmXhdjC6PQZ04bmCWkqHBP4IGyKog=,tag:B3xSy4avb8hNNzjq3K3uMg==,type:str]
+ rico2:
+ pk: ENC[AES256_GCM,data:XyiOlPelFLAhW7Dbko+zGnrxvDAcwxLhBPXye+tBEZ4rs/gcoczjqPhfUJo=,iv:DoMIXLUClnosQPg4VhXBdWV41MJ2sN3C3xgZ9jw2qkY=,tag:m0ZfLdWX8u1h1RgIMfVE9w==,type:str]
+ psk: ENC[AES256_GCM,data:vKHqJDkpyj05UnnSU0PTG3byrXs9gwJISRmwgG93jaOUCUKfsJuSDeQCfQw=,iv:/v7sEH03zsVfDxY6oCvnRfNQfNvqXi5Bt5ONM7zFxoI=,tag:WzDTlFU7frYwAGHkUHlxEQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -58,8 +65,8 @@ sops:
 Yk9BeXR2dmdoYjJycGhFVFY2eU1BM0kKuYnQ88CjewMQ0JAs+H1/abBaWKldtSPm
 ZyZ0ibyH0PdTeXwPIyngkl0c2z1ge96ntS1/rH+6NcTdS8z8WvJ0nQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-30T12:15:56Z"
- mac: ENC[AES256_GCM,data:+Ir3XD2Pm1GLPXSd+xrWACDxmJjm+ZU1GQF3Jb1PyiKd4K4snvKcRTT8Esbxvef9Ge0hu5+id3d+jd4I6Kr/AXoZJ+UBCwzU9mQPPGhKKXxNufEEqFTxEBlFm9biSASwXLbdskQBoqln9g/qSl4D4AIvAqjrc77khr8SOY8XyZg=,iv:Hu8q8YhxKM/OhQWRCvFMQ3zZuwTOmOtgY3QeFrrnI9c=,tag:vi+K6ZWKlNM4taTDEaGlWQ==,type:str]
+ lastmodified: "2024-07-02T17:20:30Z"
+ mac: ENC[AES256_GCM,data:+3elFjThp7PkfI2kAzMfp6k1bPKgSDmGcEFcKk5LJXIoxt0rPZalwHyYu9GTut7LsiQ2Hm2xvGKsIzNFJ2nLsyFCxRu4bXUv3wYvZeohp1pMnL7LfTrKZYCZP1YJX1nWK8vYnlHbqLZgQy7SgZP/rDdajg3OzK2Rrsd1wx39pno=,iv:pBthbHczEhmRt3yKJeVpnl4KHFUvSHw/9yT+U5lL9M4=,tag:Q2CmXp/AAsVqKydKkqr6TA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
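Review bot: With the `pk` entries added under `skipper`, `rico0`, `rico1` and `rico2`, this one file now carries the WireGuard private keys of all four hosts, so every age recipient of secrets.yaml (the recipient block in the `sops:` metadata is only partly visible in the next hunk) can decrypt every host's key rather than just its own, whereas the previously host-generated keys never left their host. If per-host age keys are among the recipients, consider a per-host secrets file so that each host's key decrypts only its own `pk`, or at least confirm the recipient set is limited to the intended admin keys. Because sops binds each ciphertext to its key path, moving `psk.<host>` to `<host>.psk` re-encrypts the value by itself, so this diff cannot show whether the pre-shared keys were also rotated; the commit message should say which.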