use clan-fact-generators now
Update facts/secrets for service tinc_secret in machine cherry Update facts/secrets for service tinc_private in machine cherry Update facts/secrets for service zerotier in machine test Update facts/secrets for service wireguard in machine test Update facts/secrets for service tinc in machine test Update facts/secrets for service ssh in machine test Update facts/secrets for service openssh in machine test
parent
63aa6f5831
commit
b75c2e9e0a
9 changed files with 45 additions and 16 deletions
|
@ -9,6 +9,8 @@
|
|||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||
|
||||
clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";
|
||||
|
||||
clan-core = {
|
||||
url = "git+https://git.clan.lol/clan/clan-core";
|
||||
#url = "git+file:///home/palo/dev/nixos/clan-core";
|
||||
|
@ -98,6 +100,7 @@
|
|||
outputs =
|
||||
inputs@{ self
|
||||
, clan-core
|
||||
, clan-fact-generators
|
||||
, flake-parts
|
||||
, home-manager
|
||||
, home-manager-utils
|
||||
|
@ -139,7 +142,6 @@
|
|||
"python-2.7.18.7"
|
||||
"python-2.7.18.8"
|
||||
];
|
||||
|
||||
overlays = [
|
||||
(_self: _super: {
|
||||
# todo : remove this, we are on unstable in the future
|
||||
|
@ -163,8 +165,8 @@
|
|||
specialArgs = {
|
||||
inherit private_assets;
|
||||
assets = ./nixos/assets;
|
||||
factsGenerator = clan-fact-generators.lib { inherit pkgs; };
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
clanSetup =
|
||||
|
@ -209,7 +211,7 @@
|
|||
# ssh keys
|
||||
({ config, ... }: {
|
||||
users.users.root.openssh.authorizedKeys.keyFiles = [
|
||||
# master key
|
||||
# master key
|
||||
./nixos/assets/ssh/palo_rsa.pub
|
||||
# backup key
|
||||
"${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub"
|
||||
|
@ -301,6 +303,7 @@
|
|||
specialArgs = meta.specialArgs;
|
||||
|
||||
machines = {
|
||||
|
||||
sternchen = clanSetup {
|
||||
name = "sternchen";
|
||||
#host = "sternchen.secure";
|
||||
|
|
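Review bot: The `clan-fact-generators` input added in the first hunk arrives without a lock-file update — the diffstat's nine files are all accounted for by the visible sections and none of them is `flake.lock` — so the code that generates the tinc key material is pinned only by whatever the GitHub default branch resolves to at the next evaluation. Commit the `flake.lock` entry together with the input, and if that flake declares a `nixpkgs` input add `clan-fact-generators.inputs.nixpkgs.follows = "nixpkgs";` below the url line, as `flake-parts` does two lines above; `lib { inherit pkgs; }` in the fourth hunk suggests the generator's own nixpkgs is otherwise unused. The fifth hunk shows `# master key` twice, which looks like a whitespace-only change that could be dropped from the commit.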
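--- /dev/null
+++ b/machines/cherry/facts/tinc.private.ed25519_key.pub
@@ -0,0 +1 @@
+Ed25519PublicKey = +9pGGFqwrjryr+nBHAZ5kpFlKZHUCNpDazFAlgC36xH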
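--- /dev/null
+++ b/machines/cherry/facts/tinc.private.rsa_key.pub
@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAtEgBjP8UvC7xHy6Q2heK1OY6bzZaGnf788rfwyoijBvGm6jbU2Fo
+vmFqbJjWzmk8b70M7tE+WIwi+X8iLaG62VQ6k+W7LOUEtAPaT3A/qrrh1B35jkLq
+Par6DXad0DjMb5+pdOAdpTdOmA32stP73KIkatd3oVlIUXnktekuwS0Jiv2Y0UJi
+gfczV5//F5Jfz+j1sNicQLGHD6ZTnWdmfLGUlOxipdsd02lpCp7gXexejet6kc0R
+w4qlO/JZwUlyGW9+wsxwl5G750afJ3/jLg8Pq7P2g4KfnveqNi+aEng5owmjw/kW
+d7zSLYfdfo5ObAdI9W9fUh+sq6arzbKyCOBwZZ7z3ozR3gR0VxD259zY1FxCm8Lg
+bQeSDylWbMar/rTsY2UkBjdQAR1Ep3fvListmw3Ar6CfKUhacXBd3QZL+3jV04fh
+REM/vQD38M7sZf/gXF+pHeFHOLO7WEuJikypJielAYXd5NryEiZGocshrb5x9wQW
+q0UaFMkCvqQqmY4Ug02dx0TQdVoz0R7ExwtQ7FmpvaL3caEoTMppCzLhSU4HAkNI
+fdGq7NlZpZ5H/RqmNBkLNveVqI9oVleoV7+ZvRjpJTtmahj99LWl8Jmih9MT9Ztm
+5ISa9+/BuoMVK+yRuEm4sAwMrgJ8ixNQ7acfVyaPq8FpYwy9otk7X5ECAwEAAQ==
+-----END RSA PUBLIC KEY-----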
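--- /dev/null
+++ b/machines/cherry/facts/tinc.secret.ed25519_key.pub
@@ -0,0 +1 @@
+Ed25519PublicKey = FPA3cyMfOFhyNIiPfrqBz6J2iC7dIqwMBGtzwzk4AGP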
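--- /dev/null
+++ b/machines/cherry/facts/tinc.secret.rsa_key.pub
@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAz24q7llZDc5cYTndRfzJe3LY2cVU/An43k8heLMkNfBtjwF1yAuZ
+6VRreDeMa6ZXX3TA1f20VfCKQZMRVdiWncYRg/h6+1efdh6U5REnNeURp1My5zKJ
+n9edZdaWM72aWg0pKOz+iyBTiREVvwcfaqnfnFl0ZjuxsOMJQiqzycAG747sYHqY
+1OiUJ//6q9udI/Q4cQtiK63Qb0lUrYM1OgBN2mh3tQoAZievelutZCIHTzZy7e5q
+SoOXUMF9ppD51zKUCsjaGeGa8svkCbQQRjcaUFnWu3R/ztE+AJqJ91pNMKPDiGpd
+TZ4WxPXpIP7kOKL/dpleahIZNJVyxbWM786aPww1GMkCmDlGrevG+BbxLpM3B7Sq
+u/mpNId3yuXwkGTO0PTr+qQaVK0XS5aqOi43wchZDFhyWsORSjLk0gozYAqxTtRY
+lWjSQjJzo4E6YgVQwSHG+19R833dCoLjD+XZFo0TMMvByzpSBEWzgjMN9khaYJ6+
+IW4m037Dpfyyd4m41l8nt937H2uCdx7yYq6vI5hrNRKOTfz5lAz1QXmA6Pfib4o3
+I6kWgqpnytKYwE2vigTnV5SUcNvLOj5oWQWfsDfpme7QfWhtU1Ho2kQYg6fEmQLM
+SRGc4tqB7e08A6csDBQxXnbnT3v6pSnZgutMGTqEOs9CesJKYDx6sOECAwEAAQ==
+-----END RSA PUBLIC KEY-----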
@ -1,4 +1,4 @@
|
|||
{ lib, config, ... }:
|
||||
{ lib, config, factsGenerator, ... }:
|
||||
with lib;
|
||||
{
|
||||
|
||||
|
@ -24,13 +24,13 @@ with lib;
|
|||
ipv4 = config.tinc.private.ipv4;
|
||||
ipv6 = null;
|
||||
inherit (lib) optionalString concatStringsSep mapAttrsToList;
|
||||
inherit config;
|
||||
inherit config factsGenerator;
|
||||
}))
|
||||
(mkIf config.tinc.secret.enable (import ./secret.nix {
|
||||
ipv4 = config.tinc.secret.ipv4;
|
||||
ipv6 = null;
|
||||
inherit (lib) optionalString concatStringsSep mapAttrsToList;
|
||||
inherit config;
|
||||
inherit config factsGenerator;
|
||||
}))
|
||||
];
|
||||
}
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
, config
|
||||
, optionalString
|
||||
, concatStringsSep
|
||||
, factsGenerator
|
||||
, mapAttrsToList
|
||||
, ...
|
||||
}:
|
||||
|
@ -58,15 +59,11 @@ in
|
|||
{
|
||||
networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
|
||||
|
||||
clanCore.facts.services.tinc_private = {
|
||||
secret."tinc_private.ed25519_key" = { };
|
||||
generator.script = "";
|
||||
};
|
||||
clanCore.facts.services.tinc_private = factsGenerator.tinc { name = "private"; };
|
||||
|
||||
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
|
||||
services.tinc.networks = {
|
||||
${network} = {
|
||||
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc_private.ed25519_key".path;
|
||||
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc.private.ed25519_key.priv".path;
|
||||
interfaceType = "tap";
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
|
|
|
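Review bot: `factsGenerator.tinc { name = "private"; }` in the second hunk spells the network name as a literal although `network` is already in scope (`"tinc.${network}"` two lines above), and the new `ed25519PrivateKeyFile` line repeats it inside `"tinc.private.ed25519_key.priv"`, so a mismatch between the two only shows up at evaluation as a missing fact. Prefer `clanCore.facts.services.tinc_private = factsGenerator.tinc { name = network; };` together with `secret."tinc.${network}.ed25519_key.priv".path`, assuming the generator derives its secret names from `name` as the committed `tinc.private.*.pub` files suggest; the same applies to the `secret.nix` hunk, where `network = "secret"` is defined directly above the new line. The comment `# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"` now documents a manual step the generator replaces and should be reworded or removed. The committed `tinc.private.rsa_key.pub` implies an RSA key is generated as well, yet nothing in this hunk references it; confirm whether `rsaPrivateKeyFile` should be wired or an ed25519-only setup is intended. The module's surrounding let-block and attribute set start and end outside the hunk.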
@ -4,6 +4,7 @@
|
|||
, optionalString
|
||||
, concatStringsSep
|
||||
, mapAttrsToList
|
||||
, factsGenerator
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
|
@ -18,11 +19,11 @@ let
|
|||
network = "secret";
|
||||
in
|
||||
{
|
||||
sops.secrets.tinc_ed25519_key = { };
|
||||
clanCore.facts.services.tinc_secret = factsGenerator.tinc { name = "secret"; };
|
||||
|
||||
services.tinc.networks = {
|
||||
${network} = {
|
||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
|
||||
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.secret.ed25519_key.priv".path;
|
||||
extraConfig = ''
|
||||
LocalDiscovery = yes
|
||||
Port = ${toString port}
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
tinc.private.enable = true;
|
||||
tinc.private.ipv4 = "10.23.42.29";
|
||||
|
||||
#tinc.secret.enable = true;
|
||||
#tinc.secret.ipv4 = "10.123.42.29";
|
||||
tinc.secret.enable = true;
|
||||
tinc.secret.ipv4 = "10.123.42.29";
|
||||
|
||||
}
|
||||
|
|