diff --git a/.sops.yaml b/.sops.yaml
index 9d48334..bccc2bd 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,8 @@
 keys:
   - &lander 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
   - &wodan age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
+  - &db-01 age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn
+  - &hosting-01 age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
   - &mail-01 age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza
 
 creation_rules:
@@ -16,6 +18,14 @@ creation_rules:
           - *wodan
         pgp:
           - *lander
+  - path_regex: hosts/common/servers/secrets.yam?l$
+    key_groups:
+      - age:
+          - *db-01
+          - *hosting-01
+          - *mail-01
+        pgp:
+          - *lander
   - path_regex: hosts/mail-01/secrets.yam?l$
     key_groups:
       - age:
diff --git a/hosts/common/servers/default.nix b/hosts/common/servers/default.nix
index 7811bce..f5c94f1 100644
--- a/hosts/common/servers/default.nix
+++ b/hosts/common/servers/default.nix
@@ -1,4 +1,9 @@
-{ inputs, pkgs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
 {
   imports = [
     inputs.disko.nixosModules.disko
@@ -25,6 +30,21 @@
     ];
   };
 
+  sops.secrets.tailscale-authkey = {
+    owner = "root";
+    group = "root";
+    sopsFile = ./secrets.yaml;
+  };
+
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    extraUpFlags = [
+      "--login-server=https://headscale.escapeangle.com"
+    ];
+    authKeyFile = config.sops.secrets.tailscale-authkey.path;
+  };
+
   nix = {
     settings = {
       trusted-users = [ "lander" ];
diff --git a/hosts/common/servers/secrets.yaml b/hosts/common/servers/secrets.yaml
new file mode 100644
index 0000000..6bccbee
--- /dev/null
+++ b/hosts/common/servers/secrets.yaml
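Review bot: The new `path_regex` `hosts/common/servers/secrets.yam?l$` is anchored only at the end, and sops applies creation_rules with a regex search against the path relative to `.sops.yaml`, so the rule would also match that suffix under any other directory prefix; anchor and escape it as `path_regex: ^hosts/common/servers/secrets\.yam?l$`. The neighbouring `hosts/mail-01/` rule visible in the hunk has the same unanchored form, so tightening both keeps the file consistent. Rules are first-match, so placing this one before the `mail-01` rule is harmless as the two paths cannot collide, but it is worth recording that `mail-01`'s age key now decrypts two files: `# shared by every host importing hosts/common/servers; mail-01 also has its own file below`.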
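Review bot: `authKeyFile` hands every server that imports this module the same Headscale pre-auth key (the secret lives in `hosts/common/servers/secrets.yaml`, encrypted to db-01, hosting-01 and mail-01), so root on any one of them can register further nodes into the tailnet if that key is reusable and unexpired — which cannot be seen from this hunk. Prefer a per-host `tailscale-authkey` in each `hosts/<host>/secrets.yaml` (the repo already carries a `hosts/mail-01/secrets.yaml` rule), or else create the key single-use or short-lived on the Headscale side and say so next to the secret: `# Headscale pre-auth key shared by all servers; must be created single-use/short-expiry`. `owner`/`group` of `root` with sops-nix's default 0400 mode looks appropriate here, since tailscaled is expected to run as root. `openFirewall = true` opens tailscaled's UDP port on all interfaces; that is normal for direct peer connectivity but deserves a one-line comment so it is not mistaken for exposing the tailnet-only services themselves.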
@@ -0,0 +1,46 @@ +tailscale-authkey: ENC[AES256_GCM,data:qXgDw5Ua+J7XinLap+sco/9lVM/NMaj4Tpy6hlUJ+tcRoiSFVV1dQB1w20tt8/Rg,iv:bvKua+uX8jbfPAD5LwcEX+lDmCQpKImK7bfw9kKeDt4=,tag:J3hI/0BP99yjw6juYX/JSw==,type:str] +sops: + age: + - recipient: age1a5zz4cyda0aqh0hgf8svpyh9ktwy6z5x3gnnu5ysvpvek9rn03csx7dyqn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFVVNJRFc4S2NOVTdVZGFu + VjVPSXlJcytGTUdSZ2RhZ0UraElweVVVTUZZClF6SWs2NkdnVUdDVmFPUXhDeGE3 + RFJaV1c5QVQ4NEFjWVowU21hL2IyRFUKLS0tIE5rZVQzY1FSYmRWT1JaNDgzZXB1 + bHlYRWF1TWVkTTZ2SzdXbENPc1U2VmcKTPJ3SeHHoA5FOvOUMiWJdcKYGr9aXriZ + DuW/ijGrVV5zELOgXc/vAOSrsE9ZYW83QDXB80NRvOUnRNGyaax5Sg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSHZNazl3WVJIL2N6dUx6 + cUVZZCtpZWVnVklkU0FnL2REYkZuc0JPREgwCnFIZ2lyMW1HdjZLNDRpRTczMmJC + eDJLSkw2S0dyWXBSNlpPOTRJU0ZNQ28KLS0tIHErZENXUkJnektyazdFS2FNQ1JU + ZFhhRm92SFpCc042U1p2VkE1a0dOZDAKFZuxY5YkAeINQRX/kcxAxIQMSEa7FATx + 8v8eFMZLCpHH3wS2+CgtAzxxDX4bIMsPhwDa4C1bvtWkGmUg/2R86Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZnhqOGtXS1RMY3BaRjdz + M2ViM3c2QzhCbTMvejdaOU9sRHd6M0ZzRHdRCnVmd0xiSUNqOHBaZGFkcmpaRU95 + cW5oMHNycjZJN0RCc25tanJSQ1Q0TmMKLS0tIG9KeTdjdTJ2Vk43Um5BWmZVYlJ0 + SnBFVkJBMk5DdDR0YlpjbHFDVlFDTHMKtjJMgkybidVzSvSCjrdUVgAXjLzhWBv/ + x7nYJp7O5PqKZRcWdmpDp6bNG4+ENrtnMBXw1AwR2iWvlZC9YOtmdw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-02T21:02:01Z" + mac: 
ENC[AES256_GCM,data:oxLmFXvuLNbdiLFC8BCh8jb1gMctbdJeS88xuv27etLgn0P38KI2G4OFg7T03s/QK26lWvwt/0FSGc6o51p6FZ2KJLL8FtB96x2Q1QaJqNIUmU5WWnaJhQfRxiE+IDJgS4DkFYs8FMQhMorr1X8iVhQhoxpB5qKs7kVARAyF1FU=,iv:qhxdpeZCzEMoKJw5oVI6S1Y2OqpHRo67oI1guC1iRdM=,tag:F/YhPTth3NNtCZ/RVlQF1g==,type:str] + pgp: + - created_at: "2025-07-02T21:01:46Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DARdpY4woM6wSAQdAVK+ifhksSiXmYzGNYQcv2dZbhYrgQQSsqmIKMfyYuk4w + SEEGAA7mcqg9j4Cd2ozLnsX/3p5q41cdRapC0r4Tx/pW5dhE53g+K1OWkKNoq/1f + 0l4BG9rFb0AiidaQU/A2WcOZ7Idgy4CuimDCVW1j6Th6k3QHkVDdCv4oQRTVc48P + 48VQ2A1jp0gyRQHFbjE1dwUSSvLrFaJu3O7kGz7WuCwAZH25HonUx9ParK18nB+j + =jICO + -----END PGP MESSAGE----- + fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + unencrypted_suffix: _unencrypted + version: 3.10.2