all: cleanup wireguard secrets
parent
450a919922
commit
1f5c569532
5 changed files with 70 additions and 38 deletions
|
@ -1,9 +1,16 @@
|
||||||
{ config, ... }: {
|
{ config, ... }: {
|
||||||
sops.secrets."wireguard/psk/rico0" = {
|
sops.secrets = {
|
||||||
|
"wireguard/rico0/pk" = {
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = config.users.users.root.name;
|
owner = config.users.users.root.name;
|
||||||
group = config.users.users.root.group;
|
group = config.users.users.root.group;
|
||||||
};
|
};
|
||||||
|
"wireguard/rico0/psk" = {
|
||||||
|
mode = "400";
|
||||||
|
owner = config.users.users.root.name;
|
||||||
|
group = config.users.users.root.group;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
|
@ -14,15 +21,14 @@
|
||||||
"10.10.10.10/24"
|
"10.10.10.10/24"
|
||||||
"fd7c:585c:c4ae::10/64"
|
"fd7c:585c:c4ae::10/64"
|
||||||
];
|
];
|
||||||
listenPort = 51822;
|
listenPort = 51830;
|
||||||
privateKeyFile = "/persist/secrets/wireguard/private.key";
|
privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
|
||||||
generatePrivateKeyFile = true;
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
name = "Proxy";
|
name = "Proxy";
|
||||||
endpoint = "165.232.180.97:51821";
|
endpoint = "165.232.180.97:51821";
|
||||||
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||||
presharedKeyFile = config.sops.secrets."wireguard/psk/rico0".path;
|
presharedKeyFile = config.sops.secrets."wireguard/rico0/psk".path;
|
||||||
persistentKeepalive = 20;
|
persistentKeepalive = 20;
|
||||||
allowedIPs = [
|
allowedIPs = [
|
||||||
"10.10.10.0/24"
|
"10.10.10.0/24"
|
||||||
|
|
|
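Review bot: Dropping `generatePrivateKeyFile = true;` and repointing `privateKeyFile` at the sops secret leaves the previously generated key at `/persist/secrets/wireguard/private.key` on disk with nothing referencing it; if these hosts ever booted the old configuration, that file still holds live private-key material on persistent storage and should be removed as part of the rollout, which could be flagged above the new line as `# private key now comes from sops-nix; remove the stale /persist/secrets/wireguard/private.key left by generatePrivateKeyFile`. If the sops-provided key is not the same key the host generated, the Proxy peer's view of this host's public key changes too, which the commit does not mention. The `listenPort` changes (51822 to 51830/51831/51832 on the rico hosts) are a behaviour change that the title "cleanup wireguard secrets" does not cover and would be clearer in the description. The same applies to the rico1, rico2 and skipper sections below; in all four the enclosing `networking.wireguard` interface block starts before the second hunk.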
@ -1,9 +1,16 @@
|
||||||
{ config, ... }: {
|
{ config, ... }: {
|
||||||
sops.secrets."wireguard/psk/rico1" = {
|
sops.secrets = {
|
||||||
|
"wireguard/rico1/pk" = {
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = config.users.users.root.name;
|
owner = config.users.users.root.name;
|
||||||
group = config.users.users.root.group;
|
group = config.users.users.root.group;
|
||||||
};
|
};
|
||||||
|
"wireguard/rico1/psk" = {
|
||||||
|
mode = "400";
|
||||||
|
owner = config.users.users.root.name;
|
||||||
|
group = config.users.users.root.group;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
|
@ -14,15 +21,14 @@
|
||||||
"10.10.10.11/24"
|
"10.10.10.11/24"
|
||||||
"fd7c:585c:c4ae::11/64"
|
"fd7c:585c:c4ae::11/64"
|
||||||
];
|
];
|
||||||
listenPort = 51822;
|
listenPort = 51831;
|
||||||
privateKeyFile = "/persist/secrets/wireguard/private.key";
|
privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
|
||||||
generatePrivateKeyFile = true;
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
name = "Proxy";
|
name = "Proxy";
|
||||||
endpoint = "165.232.180.97:51821";
|
endpoint = "165.232.180.97:51821";
|
||||||
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||||
presharedKeyFile = config.sops.secrets."wireguard/psk/rico1".path;
|
presharedKeyFile = config.sops.secrets."wireguard/rico1/psk".path;
|
||||||
persistentKeepalive = 20;
|
persistentKeepalive = 20;
|
||||||
allowedIPs = [
|
allowedIPs = [
|
||||||
"10.10.10.0/24"
|
"10.10.10.0/24"
|
||||||
|
|
|
@ -1,9 +1,17 @@
|
||||||
{ config, ... }: {
|
{ config, ... }: {
|
||||||
sops.secrets."wireguard/psk/rico2" = {
|
sops.secrets = {
|
||||||
|
"wireguard/rico2/pk" = {
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = config.users.users.root.name;
|
owner = config.users.users.root.name;
|
||||||
group = config.users.users.root.group;
|
group = config.users.users.root.group;
|
||||||
};
|
};
|
||||||
|
"wireguard/rico2/psk" = {
|
||||||
|
mode = "400";
|
||||||
|
owner = config.users.users.root.name;
|
||||||
|
group = config.users.users.root.group;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -13,15 +21,14 @@
|
||||||
"10.10.10.12/24"
|
"10.10.10.12/24"
|
||||||
"fd7c:585c:c4ae::12/64"
|
"fd7c:585c:c4ae::12/64"
|
||||||
];
|
];
|
||||||
listenPort = 51822;
|
listenPort = 51832;
|
||||||
privateKeyFile = "/persist/secrets/wireguard/private.key";
|
privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
|
||||||
generatePrivateKeyFile = true;
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
name = "Proxy";
|
name = "Proxy";
|
||||||
endpoint = "165.232.180.97:51821";
|
endpoint = "165.232.180.97:51821";
|
||||||
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||||
presharedKeyFile = config.sops.secrets."wireguard/psk/rico2".path;
|
presharedKeyFile = config.sops.secrets."wireguard/rico2/psk".path;
|
||||||
persistentKeepalive = 20;
|
persistentKeepalive = 20;
|
||||||
allowedIPs = [
|
allowedIPs = [
|
||||||
"10.10.10.0/24"
|
"10.10.10.0/24"
|
||||||
|
|
|
@ -1,9 +1,16 @@
|
||||||
{ config, ... }: {
|
{ config, ... }: {
|
||||||
sops.secrets."wireguard/psk/skipper" = {
|
sops.secrets = {
|
||||||
|
"wireguard/skipper/pk" = {
|
||||||
mode = "400";
|
mode = "400";
|
||||||
owner = config.users.users.root.name;
|
owner = config.users.users.root.name;
|
||||||
group = config.users.users.root.group;
|
group = config.users.users.root.group;
|
||||||
};
|
};
|
||||||
|
"wireguard/skipper/psk" = {
|
||||||
|
mode = "400";
|
||||||
|
owner = config.users.users.root.name;
|
||||||
|
group = config.users.users.root.group;
|
||||||
|
};
|
||||||
|
};
|
||||||
networking.firewall.trustedInterfaces = [ "wg0" ];
|
networking.firewall.trustedInterfaces = [ "wg0" ];
|
||||||
networking.wireguard = {
|
networking.wireguard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -14,14 +21,13 @@
|
||||||
"fd7c:585c:c4ae::2/64"
|
"fd7c:585c:c4ae::2/64"
|
||||||
];
|
];
|
||||||
listenPort = 51822;
|
listenPort = 51822;
|
||||||
privateKeyFile = "/persist/secrets/wireguard/private.key";
|
privateKeyFile = config.sops.secrets."wireguard/skipper/pk".path;
|
||||||
generatePrivateKeyFile = true;
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
name = "Proxy";
|
name = "Proxy";
|
||||||
endpoint = "165.232.180.97:51821";
|
endpoint = "165.232.180.97:51821";
|
||||||
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
publicKey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||||
presharedKeyFile = config.sops.secrets."wireguard/psk/skipper".path;
|
presharedKeyFile = config.sops.secrets."wireguard/skipper/psk".path;
|
||||||
persistentKeepalive = 20;
|
persistentKeepalive = 20;
|
||||||
allowedIPs = [
|
allowedIPs = [
|
||||||
"10.10.10.0/24"
|
"10.10.10.0/24"
|
||||||
|
|
21
secrets.yaml
21
secrets.yaml
|
@ -2,11 +2,18 @@ passwd:
|
||||||
root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str]
|
root: ENC[AES256_GCM,data:sT8S6EgqlUTOj8wx/FWde1ht/LCfhnnJW8aLNR3IawGcjbWh+JCKnlQ/1FpuGuVF7Qm8qScRcl7FPUZPFpBtj9OJ3984S9DtFJachwSNEJ2TRU+9YdYB1WsXx9ZunMQcTLK9MIyWfIVzqw==,iv:1qfkkj3NMvS50Q84BtqYTiNIMVjdxPh1k52MudEK/5A=,tag:HUwaVYDwjKmnHhEIejnfxg==,type:str]
|
||||||
adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str]
|
adtya: ENC[AES256_GCM,data:xBr14ZVeblPbgO2YT+6DPrENsJElj+UkTJebv3/x0U/u+srx82G2Lloda5zZwVBIEc5f6ZPSS4Oko3dM2PW9KUNO7IjDa+Wsm5MQogSjGT+aNtjlub2PkVts5gp+TtCOd6bUQjnf95VXNQ==,iv:ytKVRBsQWJWwXn6DpCOTDYJOVI3N/KnWtyp/GkSs7UQ=,tag:zbPtMMH6MFE6LpBga5X1GQ==,type:str]
|
||||||
wireguard:
|
wireguard:
|
||||||
psk:
|
skipper:
|
||||||
skipper: ENC[AES256_GCM,data:9C94ZSteiLH/C5Q3QC/amN5QI9bSj5/xO+ClbQesE+DLrnz5ROD9jVwj0/c=,iv:PBJ5Bj169EhxBvxVJELbxGCFeaEHtPNNEsBqBp2XWg4=,tag:VRVqoF1il0/kRvFLv99V6A==,type:str]
|
pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str]
|
||||||
rico0: ENC[AES256_GCM,data:ITH8jg35ut9hBCvf2UQL3IYuGL6pEBMzlMUYxfB0VpoGVbEaZprIA4vXm78=,iv:gDDxXf7GpOil4ujTQx/a9nBfHmUH8rgn9gDhmQ15q8w=,tag:U392BI5N4trOZ+0MynKY4g==,type:str]
|
psk: ENC[AES256_GCM,data:D6S3XPit4SkwsFzOFL7NXXzaxZg5R0oBvTsHVkUDHQxBzfBUA9u1iDRl2Jw=,iv:eqI5twDHGcJDDqPmBelU2XxIi84jV9k+bORgKEpz7EA=,tag:Ljj/7oA7RBEMSd6dXC7FKw==,type:str]
|
||||||
rico1: ENC[AES256_GCM,data:7aH6lvmUXGOxjxhauvJq5kW3lx8VxH2nhtEnJgIlNcrEltW2G+0Rk7X1lQw=,iv:+Z5FvzvSItfY5wY6Y0c4fUZDKEEd1/hX4KFJSerMmzs=,tag:A1hJThrO2job0e68j/JorA==,type:str]
|
rico0:
|
||||||
rico2: ENC[AES256_GCM,data:WGpDzfIbZhBXWI6K7Ra1ntDkQiKLQEnfYVWd8uM58fMSLHxJztt6rjV4msA=,iv:eLMDXe7sWCqFS0mifaJeHCkOyOnXnQ8rOg5bW74os3k=,tag:GBA8eLpkoeY4nqHFc99k0g==,type:str]
|
pk: ENC[AES256_GCM,data:VGhOm7s/wU15h2nhDzrJdImTDv7SvmUNNQhsCJIzFmZh0mKS81au8uDJhVA=,iv:+8sTtCEXyw2fnNXS7kayOb5ldwUPnPzGaJ39UOpXKrQ=,tag:gyejp28gbMbRKaBMYYAoKA==,type:str]
|
||||||
|
psk: ENC[AES256_GCM,data:XlnEVm3nIGIB/e5dVnwtoAXyjYAc5iElP5mPXlqX8zttXUsEjD3ifL9/rwc=,iv:K/8EyZaNCAxSscfVrO84P86pEkdvnP9ibBDs2SWoXx8=,tag:HS8CxiSaHxyukdfk5zWIvg==,type:str]
|
||||||
|
rico1:
|
||||||
|
pk: ENC[AES256_GCM,data:pXAPjrmKYZ2HZtwEhASOIv24BAu1hmA+Gaave4IegqpJyQlpcoPnmUKWnZ8=,iv:FiFq8Uoo0pA7rJCiM5pHss2ElEzIBZ7K73wWfn9oLl8=,tag:PKzhRmqmKwMXQYeKo7nBVw==,type:str]
|
||||||
|
psk: ENC[AES256_GCM,data:yaSQc/NT1Res1LjU19GNFK9poeaY2M7BSSicmV237bQKxBo1hM4corPATM4=,iv:d4mOelgktH6wX6vmXhdjC6PQZ04bmCWkqHBP4IGyKog=,tag:B3xSy4avb8hNNzjq3K3uMg==,type:str]
|
||||||
|
rico2:
|
||||||
|
pk: ENC[AES256_GCM,data:XyiOlPelFLAhW7Dbko+zGnrxvDAcwxLhBPXye+tBEZ4rs/gcoczjqPhfUJo=,iv:DoMIXLUClnosQPg4VhXBdWV41MJ2sN3C3xgZ9jw2qkY=,tag:m0ZfLdWX8u1h1RgIMfVE9w==,type:str]
|
||||||
|
psk: ENC[AES256_GCM,data:vKHqJDkpyj05UnnSU0PTG3byrXs9gwJISRmwgG93jaOUCUKfsJuSDeQCfQw=,iv:/v7sEH03zsVfDxY6oCvnRfNQfNvqXi5Bt5ONM7zFxoI=,tag:WzDTlFU7frYwAGHkUHlxEQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -58,8 +65,8 @@ sops:
|
||||||
Yk9BeXR2dmdoYjJycGhFVFY2eU1BM0kKuYnQ88CjewMQ0JAs+H1/abBaWKldtSPm
|
Yk9BeXR2dmdoYjJycGhFVFY2eU1BM0kKuYnQ88CjewMQ0JAs+H1/abBaWKldtSPm
|
||||||
ZyZ0ibyH0PdTeXwPIyngkl0c2z1ge96ntS1/rH+6NcTdS8z8WvJ0nQ==
|
ZyZ0ibyH0PdTeXwPIyngkl0c2z1ge96ntS1/rH+6NcTdS8z8WvJ0nQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-06-30T12:15:56Z"
|
lastmodified: "2024-07-02T17:20:30Z"
|
||||||
mac: ENC[AES256_GCM,data:+Ir3XD2Pm1GLPXSd+xrWACDxmJjm+ZU1GQF3Jb1PyiKd4K4snvKcRTT8Esbxvef9Ge0hu5+id3d+jd4I6Kr/AXoZJ+UBCwzU9mQPPGhKKXxNufEEqFTxEBlFm9biSASwXLbdskQBoqln9g/qSl4D4AIvAqjrc77khr8SOY8XyZg=,iv:Hu8q8YhxKM/OhQWRCvFMQ3zZuwTOmOtgY3QeFrrnI9c=,tag:vi+K6ZWKlNM4taTDEaGlWQ==,type:str]
|
mac: ENC[AES256_GCM,data:+3elFjThp7PkfI2kAzMfp6k1bPKgSDmGcEFcKk5LJXIoxt0rPZalwHyYu9GTut7LsiQ2Hm2xvGKsIzNFJ2nLsyFCxRu4bXUv3wYvZeohp1pMnL7LfTrKZYCZP1YJX1nWK8vYnlHbqLZgQy7SgZP/rDdajg3OzK2Rrsd1wx39pno=,iv:pBthbHczEhmRt3yKJeVpnl4KHFUvSHw/9yT+U5lL9M4=,tag:Q2CmXp/AAsVqKydKkqr6TA==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
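Review bot: The new per-host `pk` key is ambiguous in a WireGuard context, where "pk" reads as public key at least as often as private key; a name such as `private_key` (mirroring `psk`) would make the sensitivity of these entries obvious to anyone reading the tree without decrypting it. The rename would need to be carried into the `"wireguard/<host>/pk"` secret names and the `privateKeyFile` references in the four Nix modules. These entries also place four hosts' WireGuard private keys in one age-encrypted file, so every recipient of this file can decrypt all of them, whereas keys produced by `generatePrivateKeyFile` never left their host; that is a defensible trade-off but deserves a sentence in the commit description.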