diff --git a/.sops.yaml b/.sops.yaml
index 81d000a..6b4f967 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -31,6 +31,15 @@ creation_rules:
 - *mail-01
 pgp:
 - *lander
+ - path_regex: hosts/servers/common.yaml$
+ key_groups:
+ - age:
+ - *db-01
+ - *hosting-01
+ - *hosting-02
+ - *mail-01
+ pgp:
+ - *lander
 - path_regex: hosts/db-01/secrets.yam?l$
 key_groups:
 - age:
diff --git a/hosts/servers/common.nix b/hosts/servers/common.nix
index a4cec32..26590f1 100644
--- a/hosts/servers/common.nix
+++ b/hosts/servers/common.nix
@@ -1,4 +1,5 @@
 {
+ config,
 lib,
 modulesPath,
 pkgs,
@@ -50,6 +51,21 @@
 '';
 };
 
+ sops.secrets.tailscale-authkey = {
+ owner = "root";
+ group = "root";
+ sopsFile = ./common.yaml;
+ };
+
+ services.tailscale = {
+ enable = true;
+ openFirewall = false;
+ extraUpFlags = [
+ "--login-server=https://headscale.escapeangle.com"
+ ];
+ authKeyFile = config.sops.secrets.tailscale-authkey.path;
+ };
+
 programs.zsh.enable = true;
 environment.pathsToLink = [ "/share/zsh" ];
 environment.shells = [ pkgs.zsh ];
diff --git a/hosts/servers/common.yaml b/hosts/servers/common.yaml
new file mode 100644
index 0000000..9c57980
--- /dev/null
+++ b/hosts/servers/common.yaml
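Review bot: The new rule's `path_regex: hosts/servers/common.yaml$` is anchored only at the end and leaves the dot unescaped, so it also matches any deeper path ending in those characters (for instance `other/hosts/servers/common-yaml`), and unlike the neighbouring `secrets.yam?l$` rule it does not accept a `.yml` spelling. Consider `path_regex: ^hosts/servers/common\.yaml$` to pin exactly one file, or keep the `yam?l$` form the other rules use if both spellings are wanted. Since sops applies the first creation rule that matches, placing this rule ahead of the `hosts/db-01/...` rule is correct as long as no later, more specific regex is meant to win.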
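Review bot: `authKeyFile` hands every host that imports common.nix the same pre-auth key (the .sops.yaml hunk encrypts common.yaml to db-01, hosting-01, hosting-02 and mail-01), but nothing in the hunk records whether that key is reusable, when it expires or what it pre-authorises, so a reader cannot tell how the copy held by a compromised server would be revoked. Add a comment above `sops.secrets.tailscale-authkey = {` such as `# Headscale pre-auth key shared by all servers (presumably reusable, since one key enrols many hosts); rotate by issuing a new key and re-encrypting common.yaml.`. If Headscale can mint a key per host, a per-host secret in each host's own sops file would confine a leak to that one machine. `owner` and `group` are spelled out while `mode` is left at the sops-nix default; stating `mode = "0400";` alongside them would make the root-only, read-only layout explicit rather than inherited.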
@@ -0,0 +1,55 @@
+tailscale-authkey: ENC[AES256_GCM,data:5gGzPfdHWB8dYJ0/pyy1ZLXgpTy0Vb3J+RDcRnSPBp9aS11iZJHBp+drNmrKGIzM,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:XSTe6iLDWwPQG7ohCTjHIQ==,type:str]
+sops:
+ age:
+ - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TUNKT0JtZEs3M0hEUjVt
+ WWJRUkFNSm9pVjRlVkk3RzVPeVZkNytUYVJRCnhzd0syd25HLzBTTFRBN3pXQUVW
+ VXJxakRZdzdGL3U0aFNrVEdTRVNBZUkKLS0tIDFrOC8ySVVYV3pLbDlDakpRZHhh
+ SzlLWGwrYjVNcGFLVGNTTmhleXNZMEEKabv69KbHpVEGpknnuEO+1OgdWCtvdkP6
+ fP55S4jIHjkONG1upwIxHj3YJO55nI5kA4XAx+5AOSntwN1iAXRciA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTGFJTE5oU2tUcU1XcTVy
+ ZDBiSTQ5bGppOGRjUEV4WG9lc2xFN1RIQTNzCmZuelNkUjhyZWtqSTNZWHhIRjhT
+ UEpyeE9wdC9wSVZLckVzMVdQSXlhOTAKLS0tIGRBeXlWNHRyQkFpS2l2WlJHTnBI
+ WVRHWmE0QU1qK0NpT1QyL1ZZWXpmc3cK4UKRpOatiXqt2DvJmMlB2D+En4ufBXhe
+ vdxhnMZgMlMhN0F+KkOEt8JD1jrbOQ0fn1KdDcsjqO4MBJJK1smB9Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hvrssz7k9akz66evj4kja53zvdtrss8k2ljxsh5myh2mru62sggqznlzrt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZGNYQW9pbEVQdTl3WEo2
+ ZWtHOHZzRmRMNkZHS1FjN1UrN0VGc0swc0JZClN3ckNrcXZoWTBpRGpGa0NSMkVY
+ K2ZVSmhuaHlQWUtqakRNTGVacDhScUkKLS0tIDl3czNRYUpra3Y2enlkMkRxUzlN
+ cDdhVlUyZGhsdHMzZ0E5andLVHVoNkkKocZp5EicX0pu1xaX+wYFfLqMoXxn5KiL
+ DsNPjAG//EslXpYq2UxXnWYaUKBq8fUr4moMG8omaoZ6KWgG8u1PeQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdkpsYUlwVlFJVjBRQjJn
+ TWhpZlluTEYwV0I2cDVUYytUZisrL0lWWTBnCnc3THNqT1BzeGkraDUyV0dMWGFr
+ NEo0aEtkUGVxVmttc09RMXJjblRNQUUKLS0tIENIN0hFbVFsbnIwRnYxdmVqVHlN
+ ZWFpdkxVVFpOUzRnUUFYYkIvcG0xa00Ktrrn8R69OF8wwsz9RuvKAiVtS+thbbNp
+ 5DnmezbVOr6g3bNLnRQ/GDfesHqvCWTQ+Lv2t8tnXXbjXrNWcxOTgw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-09-09T21:18:09Z"
+ mac: ENC[AES256_GCM,data:+GzVY/9R89YOL1dm0q1q3VSdsBa8krphFk8vOup+0XRn2BaLjwCIvOXQMBycVuRgMUHf77p1ETgpoj9quTDwJK8JDcP8pT6gfa/1mLuFz1I34cVk5f7Vx2BnX2Oh0LN+PXiMggbuySiNk3huOhgnrVCwwukT6PfvOXlYY5DVPPg=,iv:mp07YVgO0Xpp/XtOvD70hF+4ZGQJbn5EXxwPh2fXPMQ=,tag:dVwF6Y73DFeaNlYWLrqJWw==,type:str]
+ pgp:
+ - created_at: "2025-09-09T21:20:01Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DARdpY4woM6wSAQdAqzNqNtPjbYWAx9XIB+bdZjhIIfCTOm1hUrpCu7emwgMw
+ WKfVFLeKJg+d/3PrR5hBoEfsj/IFUXiXDNrlpfr+VQCwd0XLMAM0WvFeod2gPe+1
+ 0l4BXxWsyWzDdukiLzqtHelEvaJk8UU3LfhqsmdmQoApbx0AkLGUAQLgiHWtDkj6
+ w+QeYq0CJbO5kCLO+kNCVSNoWDyGOokKqcMxglyaIjlkjodf/Xw56HAeF1BuxPmV
+ =BwAM
+ -----END PGP MESSAGE-----
+ fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2