diff --git a/.sops.yaml b/.sops.yaml index 4880a05..32352ee 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,13 +1,29 @@ keys: - &london_system age1rr2u4kk5jc0zk5mmgcfzlddzz82u9ldqwnd2mkcspnps7pzegsms7fys7u - &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7 + - &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5 + - &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C creation_rules: + # London - path_regex: configurations/london/secrets/secrets.yaml$ key_groups: - age: - *london_system + pgp: + - *pgp_dala + - path_regex: configurations/london/secrets/users/dala.yaml$ key_groups: - age: - *london_dala + pgp: + - *pgp_dala + + # Camelot + - path_regex: configurations/camelot/secrets/secrets.yaml$ + key_groups: + - age: + - *camelot_system + pgp: + - *pgp_dala diff --git a/configurations/camelot/default.nix b/configurations/camelot/default.nix index 26d4310..b9a63d5 100644 --- a/configurations/camelot/default.nix +++ b/configurations/camelot/default.nix @@ -28,6 +28,7 @@ imports = [ ./jellyfin.nix + ./wireguard.nix ]; swapDeviceUUID = "a7c628ab-c5cb-4094-89d0-19b153fbead4"; @@ -43,6 +44,18 @@ hwAccelerationGPU = "intel"; + /* System secrets */ + sops = { + gnupg.sshKeyPaths = [ ]; + age = { + sshKeyPaths = [ ]; + keyFile = "/var/lib/sops-nix/key.txt"; + }; + defaultSopsFile = ./secrets/secrets.yaml; + secrets.wg0_private = { }; + secrets.wg1_private = { }; + }; + machineUsers = { dala = { description = "Dala"; diff --git a/configurations/camelot/jellyfin.nix b/configurations/camelot/jellyfin.nix index 1bddc3a..a505a62 100644 --- a/configurations/camelot/jellyfin.nix +++ b/configurations/camelot/jellyfin.nix @@ -1,4 +1,4 @@ -{ pkgs, extraInfo, ... }: +{ extraInfo, ... }: { services.jellyfin.enable = true; services.nginx.virtualHosts.${extraInfo.jellyfinURI} = { 
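Review bot: Each creation rule now lists `*pgp_dala` inside the same key_group as the host's age key, and sops lets any single key of a group decrypt the data key, so this one PGP key alone can read the secrets of london, dala and camelot; nothing in the file records that this is intended. If the goal were to require both keys, that needs separate key_groups with `shamir_threshold` rather than two keys in one group. A comment on the anchor would make the trust boundary explicit, e.g. `# pgp_dala is in every key_group below; any one key of a group decrypts, so this key alone reads all host secrets`.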
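Review bot: The sops block added in the second default.nix hunk depends entirely on `/var/lib/sops-nix/key.txt` (both `sshKeyPaths` lists are emptied), yet nothing in the commit provisions that file, so the first activation on a fresh host will fail at decryption unless the identity is placed out of band; a comment above `keyFile` should say so, e.g. `# age identity created on the host out-of-band; its public half is camelot_system in .sops.yaml and the file must exist before first activation`. The two `secrets.*_private = { }` entries fall back to sops-nix's defaults (root-owned, not group/world readable as I recall), which fits a WireGuard privateKeyFile read by the root-run setup unit, though a short comment naming wireguard.nix as the consumer would help the next reader. The enclosing attribute set starts and ends outside the hunk.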
@@ -32,4 +32,9 @@
 enable = true;
 web.enable = true;
 };
+
+ systemd.services.deluged.bindsTo = [ "wireguard-wg1.service" ];
+ systemd.services.deluged.requires = [ "network-online.target" ];
+ systemd.services.deluged.serviceConfig.NetworkNamespacePath = "/var/run/netns/wg1ns";
+ systemd.services.deluged.serviceConfig.PrivateNetwork = true;
 }
diff --git a/configurations/camelot/secrets/secrets.yaml b/configurations/camelot/secrets/secrets.yaml
new file mode 100644
index 0000000..af1feeb
--- /dev/null
+++ b/configurations/camelot/secrets/secrets.yaml
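Review bot: `bindsTo` and `requires` do not order units, so deluged can be started in parallel with wireguard-wg1.service, before that unit's preSetup (in the new wireguard.nix) has created `/var/run/netns/wg1ns`; NetworkNamespacePath needs the file to exist when the process is forked, so startup will race and fail intermittently. Add `systemd.services.deluged.after = [ "wireguard-wg1.service" "network-online.target" ];` next to the bindsTo line. Also, systemd.exec(5) states that PrivateNetwork= has no effect once NetworkNamespacePath= is set, so the last added line provides no second layer of isolation; the namespace is the only thing keeping deluged's traffic on wg1, which is sound as long as the ordering above holds and the path is present. The enclosing attribute set starts outside the hunk.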
@@ -0,0 +1,34 @@
+wg0_private: ENC[AES256_GCM,data:nuHHAwi+l9BQ8oJupm+i47EbfFc62QZXDeATeE+23RAEq/grJ/bN6sTn/o4=,iv:hZQAvvcCe2DOTvM1mABB26PsEqw8jpQUNhGbBaK/l0I=,tag:9VMaJys4IzelbBdCDuiy0Q==,type:str]
+wg1_private: ENC[AES256_GCM,data:Ly3C3TQB2Aul40m/wk+mr5C2zviMhiNFfqTHknjJ4v4V09XA0XeyHtHo0ro=,iv:ph3vEIuI3F3B3eHLtu8Kfwv9Z7DdC2c+qphDn+Vn+CM=,tag:ntISjElZZB0PHtwC0mi+AA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa1NFWmk3TUdLMTF2RHVX
+ K2EvSDlNSFdDZ0dOMlNHOFErOGlBUGxrSjJNClV2NS9ZQVVxWTAycWJFeE9oc3Ux
+ NUxDS010azIxV1ZWR2dkdEtWUU1uTGMKLS0tIHA0cWg0ekNPSVdzVlFRMkZqb1VB
+ b00xT3ZHWTJBNFlUbTUrRjlVV0FoM1UKtfWg4R4Y28r2w8MYp1B1yhFEOBT8rEkz
+ P5qEP0p1i/zXlglaxxXTiQSuloG1Fwi2l5VGrhm6Hse07u3fEmS2VQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-12-10T17:25:27Z"
+ mac: ENC[AES256_GCM,data:JRk9QRRq0+UxenGSm2qwLZ+dJmCPG7QROCfmyByaOpdxOIi6CQQV03vHUPx50mTj4VeeAYAa/2LVWiot37kkQ/W8XzPJowG9f6iLcqriusU4BorAVEHwv0q4Pa9Wf8f+CbqALCwxdUAK9ehXl6TGzbiaqiENWXI4reMIovDKdnI=,iv:OWni9uRrAUFKeJAWMVbN6P4MFumoR13r75GZS7f+gE8=,tag:hAytWM5OvGa0Tg1vv+vqpA==,type:str]
+ pgp:
+ - created_at: "2023-12-10T17:24:42Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D0ZiEKlLM+TsSAQdAh6/VJpfjaEo02UPMjcuLmQpZoCbmJfCULS0c0e5rQRIw
+ N2jwiFXYCzT50cMS8QpVJqAyb/unMYFas+pJqXUB83hg/eBZ9BeCKcTz/jkH42xa
+ 1GYBCQIQbx5GjfFH7IuGyi9XtFE93UmwLVGLcD2J2uM7iDRR+cuFfiPXHHvP4eNA
+ Q3eRDwZWQQznDfcBfzMo6bF2IvmVBGC8cPzFNYjkVJGX0gP564DWJm4+ByZthhwW
+ UfQcyCKBYEI=
+ =zjUa
+ -----END PGP MESSAGE-----
+ fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/configurations/camelot/wireguard.nix b/configurations/camelot/wireguard.nix
new file mode 100644
index 0000000..6445769
--- /dev/null
+++ b/configurations/camelot/wireguard.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, extraInfo, ... }:
+{
+ networking.firewall.allowedUDPPorts = [
+ 51821
+ ];
+
+ /* Wireguard */
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.6/24" ];
+
+ listenPort = 51820;
+ privateKeyFile = config.sops.secrets.wg0_private.path;
+
+ peers = [
+ # Rock Pro 64
+ {
+ publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4=";
+ endpoint = "${extraInfo.wireguard.rockProEndpoint}:51820";
+ allowedIPs = [ "10.100.0.1" ];
+ persistentKeepalive = 25;
+ }
+
+ # london
+ {
+ publicKey = "AvW61c9iSO0NiMrXpPsdeWigTO3JTCadqY5Wq5xLPH8=";
+ allowedIPs = [ "10.100.0.4" ];
+ }
+
+ # fuyuki
+ {
+ publicKey = "maCF41/gOh5p0BBgOh0x9S/ourGSM7qrFfEgmB+XGHY=";
+ allowedIPs = [ "10.100.0.3" ];
+ }
+
+ # Mobile
+ {
+ publicKey = "JoW+Iwysip46WWKJINneXWWG2YszzKEKlI3dW4SIjg0=";
+ allowedIPs = [ "10.100.0.5" ];
+ }
+ ];
+ };
+
+ networking.wireguard.interfaces.wg1 = {
+ ips = [ "10.100.1.1" ];
+ listenPort = 51821;
+ privateKeyFile = config.sops.secrets.wg1_private.path;
+ interfaceNamespace = "wg1ns";
+
+ preSetup = ''
+ ip netns add wg1ns
+ '';
+
+
+ postShutdown = ''
+ ip netns del wg1ns
+ '';
+
+ peers = [
+ {
+ publicKey = "T0BlFaNi01Cu7sZkoJH4CtKLagTgoK1NZ6Qdt0pL7kQ=";
+ endpoint = "${extraInfo.wireguard.VPSEndpoint}:51821";
+ allowedIPs = [ "0.0.0.0/0" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+}
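Review bot: The firewall opens only 51821, yet the three wg0 peers declared without an `endpoint` (london, fuyuki, Mobile) can only ever reach camelot by initiating to its listenPort 51820, which stays closed unless it is opened elsewhere in the host config; if those peers are meant to handshake directly, `51820` belongs in `allowedUDPPorts`. Conversely wg1 always dials `VPSEndpoint` with persistentKeepalive, so inbound 51821 is not needed for that tunnel and could be dropped to avoid an exposed listener (the interface is created in the host namespace before being moved to wg1ns, so presumably its UDP socket and thus the host firewall still apply — confirm). `ip netns add wg1ns` in preSetup is not idempotent: if the namespace survives an unclean stop, the setup unit fails and, through the bindsTo added in jellyfin.nix, deluged cannot start; `ip netns list | grep -qx wg1ns || ip netns add wg1ns` makes restarts robust. `pkgs` in the argument list is unused, the same clean-up the jellyfin.nix hunk of this commit performs.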