authorDavid Morgan <djm_uk@protonmail.com>2024-08-30 12:14:21 +0100
committerDavid Morgan <djm_uk@protonmail.com>2024-08-30 12:14:21 +0100
commit97d6fc0c1e0b371f75f8621cde388811c3309159 (patch)
tree52379284e1338ba6442d90225c3ed505af592de0 /nix-conf
parent921200a6490cc87af4e5e1ad955ef3cce75fa3d3 (diff)
downloaddotfiles-97d6fc0c1e0b371f75f8621cde388811c3309159.tar.gz
Emulate sops-nix for edrahil network configuration
Diffstat (limited to 'nix-conf')
-rw-r--r--nix-conf/.sops.yaml5
-rw-r--r--nix-conf/home/includes/common.nix1
-rw-r--r--nix-conf/machines/edrahil/network-configuration.nix17
-rw-r--r--nix-conf/secrets/edrahil.yaml21
4 files changed, 44 insertions, 0 deletions
diff --git a/nix-conf/.sops.yaml b/nix-conf/.sops.yaml
index 58f5e63..8c4f2d6 100644
--- a/nix-conf/.sops.yaml
+++ b/nix-conf/.sops.yaml
@@ -1,6 +1,11 @@
 keys:
   - &admin_djm age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv
+  - &server_edrahil age1tjfctwnwldmyxnu6qmeufgr9l79vyzmrs7fy58v3d0qj4x4nhqhq2gjmlp
 creation_rules:
+  - path_regex: secrets/edrahil\.(json|yaml)$
+    key_groups:
+    - age:
+      - *server_edrahil
   - path_regex: secrets/[^/]+\.(json|yaml)$
     key_groups:
     - age:
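Review bot: The new creation rule at L29-L32 lists only `*server_edrahil`, and since sops applies the first creation rule whose path_regex matches, the general rule below it no longer covers secrets/edrahil.yaml, so the admin key is not a recipient; the encrypted file in the secrets/edrahil.yaml hunk shows a single age recipient, consistent with that. The value can then be decrypted or re-encrypted only with the host's SSH key (via ssh-to-age on the host), and losing that host key loses access to the secret. If that is the intent, it deserves a comment above the rule, e.g. `# host-only: decryptable with edrahil's ssh_host_ed25519_key via ssh-to-age; admin key deliberately excluded`; otherwise add `- *admin_djm` to the key group and run `sops updatekeys secrets/edrahil.yaml`.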
diff --git a/nix-conf/home/includes/common.nix b/nix-conf/home/includes/common.nix
index 630dc7b..ce320a5 100644
--- a/nix-conf/home/includes/common.nix
+++ b/nix-conf/home/includes/common.nix
@@ -68,6 +68,7 @@ in
     rlwrap
     sd
     sops
+    ssh-to-age
     tealdeer
     tre-command
     ugrep
diff --git a/nix-conf/machines/edrahil/network-configuration.nix b/nix-conf/machines/edrahil/network-configuration.nix
new file mode 100644
index 0000000..7a1b0b0
--- /dev/null
+++ b/nix-conf/machines/edrahil/network-configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+  networking = {
+    interfaces.ens3.ipv6.addresses = [{
+      # Emulate nix-sops. Technically an anti-pattern, but IP addresses aren't real secrets, and this has to be embedded here,
+      # as we cannot set a file path to read it from.
+      # Populate/update with:
+      # doas su -c "SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) `which sops` -d --extract '[\"ipv6_address\"]' secrets/edrahil.yaml > /root/.config/secrets/ipv6_address"
+      address = builtins.readFile "/root/.config/secrets/ipv6_address";
+      prefixLength = 64;
+    }];
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
+  };
+}
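Review bot: `builtins.readFile` on the `address =` line passes the file's bytes, including any trailing newline, straight into the address string, so if the bootstrap command in the comment ever leaves a newline in /root/.config/secrets/ipv6_address the generated interface configuration carries a malformed address; `lib.fileContents` strips exactly one trailing newline and is the safer reader, which means changing the header to `{ lib, ... }:` and the assignment to `address = lib.fileContents "/root/.config/secrets/ipv6_address";`. The comment rightly concedes that the value ends up in the world-readable Nix store; it could also say that evaluation of this host's configuration fails until the file has been populated, and that under pure (flake) evaluation an absolute path outside the source tree may be rejected outright, which is worth confirming against how this host is built. Minor: the comment says "nix-sops" where the commit message and the tool itself use sops-nix.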
diff --git a/nix-conf/secrets/edrahil.yaml b/nix-conf/secrets/edrahil.yaml
new file mode 100644
index 0000000..1b15022
--- /dev/null
+++ b/nix-conf/secrets/edrahil.yaml
@@ -0,0 +1,21 @@
+ipv6_address: ENC[AES256_GCM,data:4oIZakw5l3axCBc4aMTj1kxpUNg=,iv:/wocTWNcxkgOQQF31XJ3/tMuUm9u+oDSwa2IqWkTMnI=,tag:vx8gYah7r3qSt/dbd4U/cA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tjfctwnwldmyxnu6qmeufgr9l79vyzmrs7fy58v3d0qj4x4nhqhq2gjmlp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOExVL2dvUGloajRUM042
+            a2xQMTcrRDdmUWJmdkxMdnZleHYyZGordW5rCjBTQmRWdndYbjNsQnd2QXo5VVRs
+            aytvOVEvZUtBMm9lYlVNTjlaN3JvS00KLS0tIFBJVWlNQzB2ZXA4ZWRKdmRaSjYy
+            L2owQXVwRXRnWmhuVGk5QjVwQjdweEEKxksatVlA9RP4CqRCRAiXjLE4W3iZa1P6
+            pOtqoPB+QtcnJtEo5rOU+Bw7nlHVocy9oshwrgN+vNWoiCoQwAGUSw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-30T08:39:18Z"
+    mac: ENC[AES256_GCM,data:jRAyoYXXG6AKugVUyqv6tDp3orSZn66zn7ypVh5wsmbQictV8jeY6lrN/0AZsKZyTDuOlguG1NYRm8WHdSndZtPyv18LAme4nnAcMkqBGFQ4Uo5kx1zNv/+fi6CzLNYwiok1UbJGtMdASqpSXKgMiuGaBct5OohXzzgvHE7npFY=,iv:PCYwNQpBnhvZNhnwUO4iMuO6/A09XvPrRucQX4Hzx+4=,tag:d8MhigIjNM49fnas7JeaTg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1