From b75c2e9e0a5707ae33204d8c1e826a62cf92a0a8 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sat, 1 Jun 2024 14:48:25 +0200
Subject: [PATCH] use clan-fact-generators now
Update facts/secrets for service tinc_secret in machine cherry
Update facts/secrets for service tinc_private in machine cherry
Update facts/secrets for service zerotier in machine test
Update facts/secrets for service wireguard in machine test
Update facts/secrets for service tinc in machine test
Update facts/secrets for service ssh in machine test
Update facts/secrets for service openssh in machine test
---
 flake.nix | 9 ++++++---
 machines/cherry/facts/tinc.private.ed25519_key.pub | 1 +
 machines/cherry/facts/tinc.private.rsa_key.pub | 13 +++++++++++++
 machines/cherry/facts/tinc.secret.ed25519_key.pub | 1 +
 machines/cherry/facts/tinc.secret.rsa_key.pub | 13 +++++++++++++
 nixos/components/network/tinc/default.nix | 6 +++---
 nixos/components/network/tinc/private.nix | 9 +++------
 nixos/components/network/tinc/secret.nix | 5 +++--
 nixos/machines/cherry/tinc.nix | 4 ++--
 9 files changed, 45 insertions(+), 16 deletions(-)
 create mode 100644 machines/cherry/facts/tinc.private.ed25519_key.pub
 create mode 100644 machines/cherry/facts/tinc.private.rsa_key.pub
 create mode 100644 machines/cherry/facts/tinc.secret.ed25519_key.pub
 create mode 100644 machines/cherry/facts/tinc.secret.rsa_key.pub
diff --git a/flake.nix b/flake.nix
index b63e10c..69e45d4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,6 +9,8 @@
 flake-parts.url = "github:hercules-ci/flake-parts";
 flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+ clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";
+
 clan-core = {
 url = "git+https://git.clan.lol/clan/clan-core";
 #url = "git+file:///home/palo/dev/nixos/clan-core";
@@ -98,6 +100,7 @@
 outputs = inputs@{ self
 , clan-core
+ , clan-fact-generators
 , flake-parts
 , home-manager
 , home-manager-utils
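Review bot: `clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";` carries neither a `ref` nor a `rev`, and the diffstat above lists no `flake.lock` change, so the revision of the code that will generate every machine's tinc private keys is not fixed by this commit; the lock entry belongs in the same change, and if tracking a moving branch is not intended the URL can pin it, e.g. `clan-fact-generators.url = "github:mrvandalo/clan-fact-generators?rev=<REV-PLACEHOLDER>";`. The new input also does not declare `inputs.nixpkgs.follows = "nixpkgs"` the way `flake-parts` does two lines above it; if that flake has its own nixpkgs input, a second nixpkgs lands in the lock, which is presumably unintended. The enclosing `inputs` attrset starts and ends outside the hunk.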
@@ -139,7 +142,6 @@
 "python-2.7.18.7"
 "python-2.7.18.8"
 ];
-
 overlays = [
 (_self: _super: {
 # todo : remove this, we are on unstable in the future
@@ -163,8 +165,8 @@
 specialArgs = {
 inherit private_assets;
 assets = ./nixos/assets;
+ factsGenerator = clan-fact-generators.lib { inherit pkgs; };
 };
-
 };
 clanSetup =
@@ -209,7 +211,7 @@
 # ssh keys
 ({ config, ... }: {
 users.users.root.openssh.authorizedKeys.keyFiles = [
- # master key
+ # master key
 ./nixos/assets/ssh/palo_rsa.pub
 # backup key
 "${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub"
@@ -301,6 +303,7 @@
 specialArgs = meta.specialArgs;
 machines = {
+
 sternchen = clanSetup {
 name = "sternchen";
 #host = "sternchen.secure";
diff --git a/machines/cherry/facts/tinc.private.ed25519_key.pub b/machines/cherry/facts/tinc.private.ed25519_key.pub
new file mode 100644
index 0000000..74f1566
--- /dev/null
+++ b/machines/cherry/facts/tinc.private.ed25519_key.pub
@@ -0,0 +1 @@
+Ed25519PublicKey = +9pGGFqwrjryr+nBHAZ5kpFlKZHUCNpDazFAlgC36xH
diff --git a/machines/cherry/facts/tinc.private.rsa_key.pub b/machines/cherry/facts/tinc.private.rsa_key.pub
new file mode 100644
index 0000000..41f2b37
--- /dev/null
+++ b/machines/cherry/facts/tinc.private.rsa_key.pub
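Review bot: `factsGenerator = clan-fact-generators.lib { inherit pkgs; };` in the `@@ -163,8 +165,8 @@` hunk is added as a specialArg with no note on who consumes it, while the modules that now name `factsGenerator` in their argument set (`tinc/default.nix`, `private.nix` and `secret.nix` in this patch) can only be evaluated where it is supplied; a comment such as `# facts-generator library; required by nixos/components/network/tinc/*` next to it would make that coupling visible. Which `pkgs` this binds, and hence where the key-generation scripts will run, is not visible in the hunk, so it is worth confirming it is the intended package set. The enclosing `specialArgs` attrset starts outside the hunk.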
@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAtEgBjP8UvC7xHy6Q2heK1OY6bzZaGnf788rfwyoijBvGm6jbU2Fo
vmFqbJjWzmk8b70M7tE+WIwi+X8iLaG62VQ6k+W7LOUEtAPaT3A/qrrh1B35jkLq
Par6DXad0DjMb5+pdOAdpTdOmA32stP73KIkatd3oVlIUXnktekuwS0Jiv2Y0UJi
gfczV5//F5Jfz+j1sNicQLGHD6ZTnWdmfLGUlOxipdsd02lpCp7gXexejet6kc0R
w4qlO/JZwUlyGW9+wsxwl5G750afJ3/jLg8Pq7P2g4KfnveqNi+aEng5owmjw/kW
d7zSLYfdfo5ObAdI9W9fUh+sq6arzbKyCOBwZZ7z3ozR3gR0VxD259zY1FxCm8Lg
bQeSDylWbMar/rTsY2UkBjdQAR1Ep3fvListmw3Ar6CfKUhacXBd3QZL+3jV04fh
REM/vQD38M7sZf/gXF+pHeFHOLO7WEuJikypJielAYXd5NryEiZGocshrb5x9wQW
q0UaFMkCvqQqmY4Ug02dx0TQdVoz0R7ExwtQ7FmpvaL3caEoTMppCzLhSU4HAkNI
fdGq7NlZpZ5H/RqmNBkLNveVqI9oVleoV7+ZvRjpJTtmahj99LWl8Jmih9MT9Ztm
5ISa9+/BuoMVK+yRuEm4sAwMrgJ8ixNQ7acfVyaPq8FpYwy9otk7X5ECAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/machines/cherry/facts/tinc.secret.ed25519_key.pub b/machines/cherry/facts/tinc.secret.ed25519_key.pub
new file mode 100644
index 0000000..629e9de
--- /dev/null
+++ b/machines/cherry/facts/tinc.secret.ed25519_key.pub
@@ -0,0 +1 @@
+Ed25519PublicKey = FPA3cyMfOFhyNIiPfrqBz6J2iC7dIqwMBGtzwzk4AGP
diff --git a/machines/cherry/facts/tinc.secret.rsa_key.pub b/machines/cherry/facts/tinc.secret.rsa_key.pub
new file mode 100644
index 0000000..f40ca66
--- /dev/null
+++ b/machines/cherry/facts/tinc.secret.rsa_key.pub
@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAz24q7llZDc5cYTndRfzJe3LY2cVU/An43k8heLMkNfBtjwF1yAuZ
6VRreDeMa6ZXX3TA1f20VfCKQZMRVdiWncYRg/h6+1efdh6U5REnNeURp1My5zKJ
n9edZdaWM72aWg0pKOz+iyBTiREVvwcfaqnfnFl0ZjuxsOMJQiqzycAG747sYHqY
1OiUJ//6q9udI/Q4cQtiK63Qb0lUrYM1OgBN2mh3tQoAZievelutZCIHTzZy7e5q
SoOXUMF9ppD51zKUCsjaGeGa8svkCbQQRjcaUFnWu3R/ztE+AJqJ91pNMKPDiGpd
TZ4WxPXpIP7kOKL/dpleahIZNJVyxbWM786aPww1GMkCmDlGrevG+BbxLpM3B7Sq
u/mpNId3yuXwkGTO0PTr+qQaVK0XS5aqOi43wchZDFhyWsORSjLk0gozYAqxTtRY
lWjSQjJzo4E6YgVQwSHG+19R833dCoLjD+XZFo0TMMvByzpSBEWzgjMN9khaYJ6+
IW4m037Dpfyyd4m41l8nt937H2uCdx7yYq6vI5hrNRKOTfz5lAz1QXmA6Pfib4o3
I6kWgqpnytKYwE2vigTnV5SUcNvLOj5oWQWfsDfpme7QfWhtU1Ho2kQYg6fEmQLM
SRGc4tqB7e08A6csDBQxXnbnT3v6pSnZgutMGTqEOs9CesJKYDx6sOECAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/nixos/components/network/tinc/default.nix b/nixos/components/network/tinc/default.nix
index d6d232c..abe5aba 100644
--- a/nixos/components/network/tinc/default.nix
+++ b/nixos/components/network/tinc/default.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, factsGenerator, ... }:
 with lib;
 {
@@ -24,13 +24,13 @@ with lib;
 ipv4 = config.tinc.private.ipv4;
 ipv6 = null;
 inherit (lib) optionalString concatStringsSep mapAttrsToList;
- inherit config;
+ inherit config factsGenerator;
 }))
 (mkIf config.tinc.secret.enable (import ./secret.nix {
 ipv4 = config.tinc.secret.ipv4;
 ipv6 = null;
 inherit (lib) optionalString concatStringsSep mapAttrsToList;
- inherit config;
+ inherit config factsGenerator;
 }))
 ];
 }
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index 8823d47..891f381 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -3,6 +3,7 @@
 , config
 , optionalString
 , concatStringsSep
+, factsGenerator
 , mapAttrsToList
 , ...
 }:
@@ -58,15 +59,11 @@ in {
 networking.firewall.trustedInterfaces = [ "tinc.${network}" ];
- clanCore.facts.services.tinc_private = {
- secret."tinc_private.ed25519_key" = { };
- generator.script = "";
- };
+ clanCore.facts.services.tinc_private = factsGenerator.tinc { name = "private"; };
- # nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
 services.tinc.networks = {
 ${network} = {
- ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc_private.ed25519_key".path;
+ ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_private.secret."tinc.private.ed25519_key.priv".path;
 interfaceType = "tap";
 extraConfig = ''
 LocalDiscovery = yes
diff --git a/nixos/components/network/tinc/secret.nix b/nixos/components/network/tinc/secret.nix
index e04fcd2..0f2336f 100644
--- a/nixos/components/network/tinc/secret.nix
+++ b/nixos/components/network/tinc/secret.nix
@@ -4,6 +4,7 @@
 , optionalString
 , concatStringsSep
 , mapAttrsToList
+, factsGenerator
 , ...
 }:
 let
@@ -18,11 +19,11 @@ let
 network = "secret";
 in {
- sops.secrets.tinc_ed25519_key = { };
+ clanCore.facts.services.tinc_secret = factsGenerator.tinc { name = "secret"; };
 services.tinc.networks = {
 ${network} = {
- ed25519PrivateKeyFile = config.sops.secrets.tinc_ed25519_key.path;
+ ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.secret.ed25519_key.priv".path;
 extraConfig = ''
 LocalDiscovery = yes
 Port = ${toString port}
diff --git a/nixos/machines/cherry/tinc.nix b/nixos/machines/cherry/tinc.nix
index a0af53d..a2754ce 100644
--- a/nixos/machines/cherry/tinc.nix
+++ b/nixos/machines/cherry/tinc.nix
@@ -4,7 +4,7 @@
 tinc.private.enable = true;
 tinc.private.ipv4 = "10.23.42.29";
- #tinc.secret.enable = true;
- #tinc.secret.ipv4 = "10.123.42.29";
+ tinc.secret.enable = true;
+ tinc.secret.ipv4 = "10.123.42.29";
 }
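Review bot: The secret name `"tinc.private.ed25519_key.priv"` on the new `ed25519PrivateKeyFile` line of private.nix is a literal that must match whatever `factsGenerator.tinc { name = "private"; }` registers, and the same pattern is repeated in secret.nix as `"tinc.secret.ed25519_key.priv"`; since `network` is already bound in both files (`"tinc.${network}"` here, `network = "secret"` there), `secret."tinc.${network}.ed25519_key.priv".path` would keep the name in one place, assuming `network` is `"private"` in this file as its use suggests. Dropping `# nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"` removes the only note on how the key material is produced; a replacement such as `# keys come from factsGenerator.tinc (clan-fact-generators input); regenerate them with the clan facts tooling` keeps that discoverable. The new `tinc.private.rsa_key.pub` fact is committed but no `rsaPrivateKeyFile` is set, so an RSA key is generated and published without being used by the network — fine if no legacy peers exist, otherwise presumably an omission. The enclosing `in { … }` body starts and ends outside the hunk.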
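Review bot: Replacing `config.sops.secrets.tinc_ed25519_key.path` with the generated `"tinc.secret.ed25519_key.priv"` fact in secret.nix changes which key cherry presents on the `secret` network: the sops-managed key is no longer referenced and a freshly generated one, whose public half is the new `tinc.secret.ed25519_key.pub` file, takes its place, so a peer still holding cherry's old public key in its hosts entry will not authenticate it until it picks up the new fact. How peers' hosts entries are built is not visible here, so it is worth confirming they are derived from these facts rather than from a copy of the old key. The now-unreferenced `tinc_ed25519_key` entry in the sops store should be removed in the same change so a retired private key is not left lying around. `network = "secret"` is two lines above the new line, so `secret."tinc.${network}.ed25519_key.priv".path` would avoid restating the network name in the key path.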