use clan-fact-generators now

Update facts/secrets for service tinc_secret in machine cherry

Update facts/secrets for service tinc_private in machine cherry

Update facts/secrets for service zerotier in machine test

Update facts/secrets for service wireguard in machine test

Update facts/secrets for service tinc in machine test

Update facts/secrets for service ssh in machine test

Update facts/secrets for service openssh in machine test
Ingolf Wagner 2024-06-01 14:48:25 +02:00
parent 63aa6f5831
commit b75c2e9e0a
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
9 changed files with 45 additions and 16 deletions


@ -9,6 +9,8 @@
flake-parts.url = "github:hercules-ci/flake-parts";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";
clan-core = {
url = "git+https://git.clan.lol/clan/clan-core";
#url = "git+file:///home/palo/dev/nixos/clan-core";
@ -98,6 +100,7 @@
outputs =
inputs@{ self
, clan-core
, clan-fact-generators
, flake-parts
, home-manager
, home-manager-utils
@ -139,7 +142,6 @@
"python-2.7.18.7"
"python-2.7.18.8"
];
overlays = [
(_self: _super: {
# todo : remove this, we are on unstable in the future
@ -163,8 +165,8 @@
specialArgs = {
inherit private_assets;
assets = ./nixos/assets;
factsGenerator = clan-fact-generators.lib { inherit pkgs; };
};
};
clanSetup =
@ -209,7 +211,7 @@
# ssh keys
({ config, ... }: {
users.users.root.openssh.authorizedKeys.keyFiles = [
# master key
# master key
./nixos/assets/ssh/palo_rsa.pub
# backup key
"${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub"
@ -301,6 +303,7 @@
specialArgs = meta.specialArgs;
machines = {
sternchen = clanSetup {
name = "sternchen";
#host = "sternchen.secure";
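Review bot: The new input `clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";` carries no `follows` for nixpkgs, unlike `flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";` two lines above it, so if that flake declares its own nixpkgs input a second nixpkgs tree will be fetched and evaluated; `clan-fact-generators.inputs.nixpkgs.follows = "nixpkgs";` keeps it on the pinned tree (confirm the upstream flake actually declares a nixpkgs input first). The diffstat lists nine changed files and none of the nine sections on this page is a flake.lock, so the revision of the new input is presumably not recorded in this commit; the lock entry is what fixes what actually gets evaluated and should be committed together with the input. The `specialArgs` hunk that adds `factsGenerator = clan-fact-generators.lib { inherit pkgs; };` starts and ends outside the visible lines.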


@ -0,0 +1 @@
Ed25519PublicKey = +9pGGFqwrjryr+nBHAZ5kpFlKZHUCNpDazFAlgC36xH


@ -0,0 +1,13 @@
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----


@ -0,0 +1 @@
Ed25519PublicKey = FPA3cyMfOFhyNIiPfrqBz6J2iC7dIqwMBGtzwzk4AGP


@ -0,0 +1,13 @@
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----


@ -1,4 +1,4 @@
{ lib, config, ... }:
{ lib, config, factsGenerator, ... }:
with lib;
{
@ -24,13 +24,13 @@ with lib;
ipv4 = config.tinc.private.ipv4;
ipv6 = null;
inherit (lib) optionalString concatStringsSep mapAttrsToList;
inherit config;
inherit config factsGenerator;
}))
(mkIf config.tinc.secret.enable (import ./secret.nix {
ipv4 = config.tinc.secret.ipv4;
ipv6 = null;
inherit (lib) optionalString concatStringsSep mapAttrsToList;
inherit config;
inherit config factsGenerator;
}))
];
}


@ -3,6 +3,7 @@
, config
, optionalString
, concatStringsSep
, factsGenerator
, mapAttrsToList
, ...
}:
@ -58,15 +59,11 @@ in
{
networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
clanCore.facts.services.tinc_private = {
secret."tinc_private.ed25519_key" = { };
generator.script = "";
};
clanCore.facts.services.tinc_private = factsGenerator.tinc { name = "private"; };
# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
services.tinc.networks = {
${network} = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc_private.ed25519_key".path;
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc.private.ed25519_key.priv".path;
interfaceType = "tap";
extraConfig = ''
LocalDiscovery = yes
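Review bot: The comment `# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"` now sits directly under `clanCore.facts.services.tinc_private = factsGenerator.tinc { name = "private"; };`, which replaces the former empty `generator.script = ""` with the library's generator, so the manual key-generation instruction is stale and should be removed or reworded to say the ed25519 key is produced by the facts generator. The secret name `"tinc.private.ed25519_key.priv"` read at `ed25519PrivateKeyFile` is chosen by the external library rather than by this file; a one-line comment such as `# secret name is defined by factsGenerator.tinc, keep in sync with that library` above the lookup tells the next reader where to look when it changes (a mismatch fails at evaluation with a missing attribute, so it will not be silent). The enclosing attribute set starts before this hunk and continues past it.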


@ -4,6 +4,7 @@
, optionalString
, concatStringsSep
, mapAttrsToList
, factsGenerator
, ...
}:
let
@ -18,11 +19,11 @@ let
network = "secret";
in
{
sops.secrets.tinc_ed25519_key = { };
clanCore.facts.services.tinc_secret = factsGenerator.tinc { name = "secret"; };
services.tinc.networks = {
${network} = {
ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.secret.ed25519_key.priv".path;
extraConfig = ''
LocalDiscovery = yes
Port = ${toString port}
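Review bot: `sops.secrets.tinc_ed25519_key = { };` is dropped in favour of `clanCore.facts.services.tinc_secret = factsGenerator.tinc { name = "secret"; };`, but nothing in this commit removes the key material from whatever sops file defined `tinc_ed25519_key`; if that entry still exists it keeps a no-longer-used private key in the secrets store and decryptable by the machine, so it should be deleted in the same change (none of the nine sections here is a sops file). Switching the `secret` network from the sops-managed key to a freshly generated fact changes this node's tinc identity, so every peer that pinned the old public key in its hosts file needs the new one; the public-key files added in this commit look like that update, but verify each peer of the `secret` network is covered before deploying. The `services.tinc.networks` block continues past the hunk.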


@ -4,7 +4,7 @@
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.29";
#tinc.secret.enable = true;
#tinc.secret.ipv4 = "10.123.42.29";
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.29";
}