all: cleanup wireguard secrets

This commit is contained in:
Adithya 2024-07-02 23:20:11 +05:30
parent 450a919922
commit 1f5c569532
Signed by: adtya
GPG key ID: B8857BFBA2C47B9C
5 changed files with 70 additions and 38 deletions

View file

@ -1,9 +1,16 @@
{ config, ... }: { { config, ... }: {
sops.secrets."wireguard/psk/rico0" = { sops.secrets = {
"wireguard/rico0/pk" = {
mode = "400"; mode = "400";
owner = config.users.users.root.name; owner = config.users.users.root.name;
group = config.users.users.root.group; group = config.users.users.root.group;
}; };
"wireguard/rico0/psk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking.firewall.trustedInterfaces = [ "wg0" ]; networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = { networking.wireguard = {
@ -14,15 +21,14 @@
"10.10.10.10/24" "10.10.10.10/24"
"fd7c:585c:c4ae::10/64" "fd7c:585c:c4ae::10/64"
]; ];
listenPort = 51822; listenPort = 51830;
privateKeyFile = "/persist/secrets/wireguard/private.key"; privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
generatePrivateKeyFile = true;
peers = [ peers = [
{ {
name = "Proxy"; name = "Proxy";
endpoint = "165.232.180.97:51821"; endpoint = "165.232.180.97:51821";
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4="; publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
presharedKeyFile = config.sops.secrets."wireguard/psk/rico0".path; presharedKeyFile = config.sops.secrets."wireguard/rico0/psk".path;
persistentKeepalive = 20; persistentKeepalive = 20;
allowedIPs = [ allowedIPs = [
"10.10.10.0/24" "10.10.10.0/24"

View file

@ -1,9 +1,16 @@
{ config, ... }: { { config, ... }: {
sops.secrets."wireguard/psk/rico1" = { sops.secrets = {
"wireguard/rico1/pk" = {
mode = "400"; mode = "400";
owner = config.users.users.root.name; owner = config.users.users.root.name;
group = config.users.users.root.group; group = config.users.users.root.group;
}; };
"wireguard/rico1/psk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking.firewall.trustedInterfaces = [ "wg0" ]; networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = { networking.wireguard = {
@ -14,15 +21,14 @@
"10.10.10.11/24" "10.10.10.11/24"
"fd7c:585c:c4ae::11/64" "fd7c:585c:c4ae::11/64"
]; ];
listenPort = 51822; listenPort = 51831;
privateKeyFile = "/persist/secrets/wireguard/private.key"; privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
generatePrivateKeyFile = true;
peers = [ peers = [
{ {
name = "Proxy"; name = "Proxy";
endpoint = "165.232.180.97:51821"; endpoint = "165.232.180.97:51821";
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4="; publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
presharedKeyFile = config.sops.secrets."wireguard/psk/rico1".path; presharedKeyFile = config.sops.secrets."wireguard/rico1/psk".path;
persistentKeepalive = 20; persistentKeepalive = 20;
allowedIPs = [ allowedIPs = [
"10.10.10.0/24" "10.10.10.0/24"

View file

@ -1,9 +1,17 @@
{ config, ... }: { { config, ... }: {
sops.secrets."wireguard/psk/rico2" = { sops.secrets = {
"wireguard/rico2/pk" = {
mode = "400"; mode = "400";
owner = config.users.users.root.name; owner = config.users.users.root.name;
group = config.users.users.root.group; group = config.users.users.root.group;
}; };
"wireguard/rico2/psk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking.firewall.trustedInterfaces = [ "wg0" ]; networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
@ -13,15 +21,14 @@
"10.10.10.12/24" "10.10.10.12/24"
"fd7c:585c:c4ae::12/64" "fd7c:585c:c4ae::12/64"
]; ];
listenPort = 51822; listenPort = 51832;
privateKeyFile = "/persist/secrets/wireguard/private.key"; privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
generatePrivateKeyFile = true;
peers = [ peers = [
{ {
name = "Proxy"; name = "Proxy";
endpoint = "165.232.180.97:51821"; endpoint = "165.232.180.97:51821";
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4="; publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
presharedKeyFile = config.sops.secrets."wireguard/psk/rico2".path; presharedKeyFile = config.sops.secrets."wireguard/rico2/psk".path;
persistentKeepalive = 20; persistentKeepalive = 20;
allowedIPs = [ allowedIPs = [
"10.10.10.0/24" "10.10.10.0/24"

View file

@ -1,9 +1,16 @@
{ config, ... }: { { config, ... }: {
sops.secrets."wireguard/psk/skipper" = { sops.secrets = {
"wireguard/skipper/pk" = {
mode = "400"; mode = "400";
owner = config.users.users.root.name; owner = config.users.users.root.name;
group = config.users.users.root.group; group = config.users.users.root.group;
}; };
"wireguard/skipper/psk" = {
mode = "400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
};
};
networking.firewall.trustedInterfaces = [ "wg0" ]; networking.firewall.trustedInterfaces = [ "wg0" ];
networking.wireguard = { networking.wireguard = {
enable = true; enable = true;
@ -14,14 +21,13 @@
"fd7c:585c:c4ae::2/64" "fd7c:585c:c4ae::2/64"
]; ];
listenPort = 51822; listenPort = 51822;
privateKeyFile = "/persist/secrets/wireguard/private.key"; privateKeyFile = config.sops.secrets."wireguard/skipper/pk".path;
generatePrivateKeyFile = true;
peers = [ peers = [
{ {
name = "Proxy"; name = "Proxy";
endpoint = "165.232.180.97:51821"; endpoint = "165.232.180.97:51821";
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4="; publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
presharedKeyFile = config.sops.secrets."wireguard/psk/skipper".path; presharedKeyFile = config.sops.secrets."wireguard/skipper/psk".path;
persistentKeepalive = 20; persistentKeepalive = 20;
allowedIPs = [ allowedIPs = [
"10.10.10.0/24" "10.10.10.0/24"

View file

@ -2,11 +2,18 @@ passwd:
root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str] root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str]
adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str] adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str]
wireguard: wireguard:
psk: skipper:
skipper: ENC[AES256_GCM,data:9C94ZSteiLH/C5Q3QC/amN5QI9bSj5/xO+ClbQesE+DLrnz5ROD9jVwj0/c=,iv:PBJ5Bj169EhxBvxVJELbxGCFeaEHtPNNEsBqBp2XWg4=,tag:VRVqoF1il0/kRvFLv99V6A==,type:str] pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str]
rico0: ENC[AES256_GCM,data:ITH8jg35ut9hBCvf2UQL3IYuGL6pEBMzlMUYxfB0VpoGVbEaZprIA4vXm78=,iv:gDDxXf7GpOil4ujTQx/a9nBfHmUH8rgn9gDhmQ15q8w=,tag:U392BI5N4trOZ+0MynKY4g==,type:str] psk: ENC[AES256_GCM,data:D6S3XPit4SkwsFzOFL7NXXzaxZg5R0oBvTsHVkUDHQxBzfBUA9u1iDRl2Jw=,iv:eqI5twDHGcJDDqPmBelU2XxIi84jV9k+bORgKEpz7EA=,tag:Ljj/7oA7RBEMSd6dXC7FKw==,type:str]
rico1: ENC[AES256_GCM,data:7aH6lvmUXGOxjxhauvJq5kW3lx8VxH2nhtEnJgIlNcrEltW2G+0Rk7X1lQw=,iv:+Z5FvzvSItfY5wY6Y0c4fUZDKEEd1/hX4KFJSerMmzs=,tag:A1hJThrO2job0e68j/JorA==,type:str] rico0:
rico2: ENC[AES256_GCM,data:WGpDzfIbZhBXWI6K7Ra1ntDkQiKLQEnfYVWd8uM58fMSLHxJztt6rjV4msA=,iv:eLMDXe7sWCqFS0mifaJeHCkOyOnXnQ8rOg5bW74os3k=,tag:GBA8eLpkoeY4nqHFc99k0g==,type:str] pk: ENC[AES256_GCM,data:VGhOm7s/wU15h2nhDzrJdImTDv7SvmUNNQhsCJIzFmZh0mKS81au8uDJhVA=,iv:+8sTtCEXyw2fnNXS7kayOb5ldwUPnPzGaJ39UOpXKrQ=,tag:gyejp28gbMbRKaBMYYAoKA==,type:str]
psk: ENC[AES256_GCM,data:XlnEVm3nIGIB/e5dVnwtoAXyjYAc5iElP5mPXlqX8zttXUsEjD3ifL9/rwc=,iv:K/8EyZaNCAxSscfVrO84P86pEkdvnP9ibBDs2SWoXx8=,tag:HS8CxiSaHxyukdfk5zWIvg==,type:str]
rico1:
pk: ENC[AES256_GCM,data:pXAPjrmKYZ2HZtwEhASOIv24BAu1hmA+Gaave4IegqpJyQlpcoPnmUKWnZ8=,iv:FiFq8Uoo0pA7rJCiM5pHss2ElEzIBZ7K73wWfn9oLl8=,tag:PKzhRmqmKwMXQYeKo7nBVw==,type:str]
psk: ENC[AES256_GCM,data:yaSQc/NT1Res1LjU19GNFK9poeaY2M7BSSicmV237bQKxBo1hM4corPATM4=,iv:d4mOelgktH6wX6vmXhdjC6PQZ04bmCWkqHBP4IGyKog=,tag:B3xSy4avb8hNNzjq3K3uMg==,type:str]
rico2:
pk: ENC[AES256_GCM,data:XyiOlPelFLAhW7Dbko+zGnrxvDAcwxLhBPXye+tBEZ4rs/gcoczjqPhfUJo=,iv:DoMIXLUClnosQPg4VhXBdWV41MJ2sN3C3xgZ9jw2qkY=,tag:m0ZfLdWX8u1h1RgIMfVE9w==,type:str]
psk: ENC[AES256_GCM,data:vKHqJDkpyj05UnnSU0PTG3byrXs9gwJISRmwgG93jaOUCUKfsJuSDeQCfQw=,iv:/v7sEH03zsVfDxY6oCvnRfNQfNvqXi5Bt5ONM7zFxoI=,tag:WzDTlFU7frYwAGHkUHlxEQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -58,8 +65,8 @@ sops:
Yk9BeXR2dmdoYjJycGhFVFY2eU1BM0kKuYnQ88CjewMQ0JAs+H1/abBaWKldtSPm Yk9BeXR2dmdoYjJycGhFVFY2eU1BM0kKuYnQ88CjewMQ0JAs+H1/abBaWKldtSPm
ZyZ0ibyH0PdTeXwPIyngkl0c2z1ge96ntS1/rH+6NcTdS8z8WvJ0nQ== ZyZ0ibyH0PdTeXwPIyngkl0c2z1ge96ntS1/rH+6NcTdS8z8WvJ0nQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-30T12:15:56Z" lastmodified: "2024-07-02T17:20:30Z"
mac: ENC[AES256_GCM,data:+Ir3XD2Pm1GLPXSd+xrWACDxmJjm+ZU1GQF3Jb1PyiKd4K4snvKcRTT8Esbxvef9Ge0hu5+id3d+jd4I6Kr/AXoZJ+UBCwzU9mQPPGhKKXxNufEEqFTxEBlFm9biSASwXLbdskQBoqln9g/qSl4D4AIvAqjrc77khr8SOY8XyZg=,iv:Hu8q8YhxKM/OhQWRCvFMQ3zZuwTOmOtgY3QeFrrnI9c=,tag:vi+K6ZWKlNM4taTDEaGlWQ==,type:str] mac: ENC[AES256_GCM,data:+3elFjThp7PkfI2kAzMfp6k1bPKgSDmGcEFcKk5LJXIoxt0rPZalwHyYu9GTut7LsiQ2Hm2xvGKsIzNFJ2nLsyFCxRu4bXUv3wYvZeohp1pMnL7LfTrKZYCZP1YJX1nWK8vYnlHbqLZgQy7SgZP/rDdajg3OzK2Rrsd1wx39pno=,iv:pBthbHczEhmRt3yKJeVpnl4KHFUvSHw/9yT+U5lL9M4=,tag:Q2CmXp/AAsVqKydKkqr6TA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1