From 15cf859638080f5d3db663414646312f1d78f64c Mon Sep 17 00:00:00 2001 From: materus Date: Thu, 21 Mar 2024 19:30:54 +0100 Subject: [PATCH] waffentrager: add secrets --- .../host/waffentrager/configuration.nix | 1 + .../host/waffentrager/secrets/default.nix | 27 ++++++++++++++ .../waffentrager/secrets/private/default.nix | Bin 0 -> 507 bytes .../host/waffentrager/secrets/secrets.yaml | 35 ++++++++++++++++++ 4 files changed, 63 insertions(+) create mode 100644 configurations/host/waffentrager/secrets/default.nix create mode 100644 configurations/host/waffentrager/secrets/private/default.nix create mode 100644 configurations/host/waffentrager/secrets/secrets.yaml diff --git a/configurations/host/waffentrager/configuration.nix b/configurations/host/waffentrager/configuration.nix index 4ce7b9e..1423faf 100644 --- a/configurations/host/waffentrager/configuration.nix +++ b/configurations/host/waffentrager/configuration.nix @@ -26,6 +26,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPEDY+H8Hc/RSLE064AAh8IojvqxPd8BE5gec2aOfYMh materus@podkos.pl" ]; + hashedPasswordFile = config.sops.secrets."users/materus".path; }; nix = { diff --git a/configurations/host/waffentrager/secrets/default.nix b/configurations/host/waffentrager/secrets/default.nix new file mode 100644 index 0000000..a0dba32 --- /dev/null +++ b/configurations/host/waffentrager/secrets/default.nix 
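Review bot: The only change to configuration.nix is this `hashedPasswordFile` line, and nothing in the commit shows `./secrets` being imported into the host configuration, so `config.sops.secrets."users/materus"` is defined only if the new `secrets/default.nix` is picked up elsewhere (presumably by a directory-wide import the materusCfg framework provides) — worth confirming, since a missing import fails at evaluation time. The enclosing user attribute set starts and ends outside the hunk. A short comment would tie the two files together for the next maintainer: `# Password hash comes from sops-nix (secrets/default.nix, neededForUsers = true), so it is available before the user is created.`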
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, materusCfg, ... }:
+{
+ imports =
+ [
+
+ ] ++ (if (materusCfg.materusFlake.decrypted) then [ ./private ] else [ ]);
+
+ sops.age.generateKey = false;
+ sops.gnupg.home = null;
+ sops.gnupg.sshKeyPaths = [ ];
+ sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml";
+
+ services.openssh.hostKeys = [
+ {
+ bits = 4096;
+ path = "/materus/root/ssh_host_rsa_key";
+ type = "rsa";
+ }
+ {
+ path = "/materus/root/ssh_host_ed25519_key";
+ type = "ed25519";
+ }
+ ];
+ sops.secrets.wireguard = { };
+ sops.secrets."users/materus" = { neededForUsers = true; };
+
+}
diff --git a/configurations/host/waffentrager/secrets/private/default.nix b/configurations/host/waffentrager/secrets/private/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..2b36e7a27b1499b48ea3461ba41c15c7fe603779
GIT binary patch
literal 507
zcmVs#8MrKAHWH9YfiornwEP7}j?`%_}g1AU@ zA4gx{OsGj)Y?d1P6I5;}$8Fp`*9Pch44Ikk(=GY(ofTf?6!wrSfzde?jfmXcES-EZ zHFH%A+VmbY4c^O!GU4b2iwLrmfK2o`OcAL*iuIHtv*KhoZhHnCE+skaF zL^S8Y@Am;|GUuMekiZ-{NL&0&jP!wnb(Uz++5r&^MaZo3XF)K)bl2}`>!5kxQ8tPp zZ&2o-AUg?Ha1SGi0lpfyS%1c^sQS0ew~xaMoXfQY?hV_;Jr$tSPH-^@GF9|#KdBnA zCD0DP%R%{lr)iupcPM5AyrO?q{tb0|_iUW|KEP#^E(*I3&I`K7hu^lcmWGs;(2GKL z?pNV6DpnHo_zsAQKh3aU7kb xIh2DuoX}#98QxD^n4x^zd3EB@oaHL%nE^?m>V
literal 0
HcmV?d00001
diff --git a/configurations/host/waffentrager/secrets/secrets.yaml b/configurations/host/waffentrager/secrets/secrets.yaml
new file mode 100644
index 0000000..8bf7f0f
--- /dev/null
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
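Review bot: Nothing in this module names the key that decrypts secrets.yaml — `sops.age.generateKey = false`, no `sops.age.keyFile`, and gnupg is disabled — so decryption rests on sops-nix's default of deriving the age identity from the ed25519 entry in `services.openssh.hostKeys`, i.e. `/materus/root/ssh_host_ed25519_key`. Because `users/materus` is marked `neededForUsers`, that key is read early in activation, before users are created; if `/materus` is a separate filesystem it presumably needs `neededForBoot = true`, which this commit does not show, so that is worth confirming. A comment above the `sops.*` lines would make the dependency explicit: `# No explicit age key: sops-nix derives it from the ed25519 host key in services.openssh.hostKeys below; the key must be readable at early activation.` The `./private` import is conditional on `materusCfg.materusFlake.decrypted` while both `sops.secrets` declarations are unconditional, which looks intentional but deserves a one-line comment saying so.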
@@ -0,0 +1,35 @@
+wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLorAoftGb8jTg=,iv:rNbE0tfJKTjo0pPwfw3oKxOZmSO9PGgW/xDo9zi8lCU=,tag:ZT4mfXaToiR6SjzOwSz4HA==,type:str]
+users:
+ materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1j34lqh0z6ak2c94n564wgyjeykn9srma34f5e5e7xvf498fwk3rqxvwx0l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvejRrcGVwZHNkTVB5dkYr
+ RnhVVjNEblFVd0xXSStqdjFhWVVNS3ljUTNZCnBFVmRRVVVENGhJUVg2L1lSM1NO
+ dkQydVhOaFVxd0p0aFhVcmp6eXdGeVEKLS0tIFIvRDlvZDdsbm1USEZUZ3FYMmla
+ eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
+ ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-21T18:19:14Z"
+ mac: ENC[AES256_GCM,data:W+DPXTyAZCMawijkbvNNe6UItS4ZVHY4qZ7hDOGkaMlziu9+e1awkvgmqg7H7gM0DgoAz17UE4uVIGB9Y/fnSc80Rk9sPZoNP8wnTwqzujmCyYIroi570aNQuNc6riTgaNcrSEefkzoATRUJvjbv63m+Sp5Vbl1kXepD3qaDDAU=,iv:HLOBwzemB8kqAE2DLoWeIIUUmp9i913bTG0onNdHAWY=,tag:cW0gP2TlUPY42NkWiWqICg==,type:str]
+ pgp:
+ - created_at: "2024-03-21T18:15:00Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D5fSX77p80GYSAQdAWetrf0jhs/b9qcQc4b21+PJUPdSjk372BjokfwJ2oXQw
+ 4LaIaNB3LRmY4FF3UOqk28NwkwBw6n0AzYKC/k1G4ntaNBMI9eDtFJ1c1+KkxSl2
+ 1GYBCQIQMCKcu2aBEMiIGOyG08vcRW2T23DUAfTQqQdRKD/SgSTqAZLSICVJ91xU
+ TBsdiPBKO2cRDfPc7DlVLbPNe/SUqVUX9N4GTGPUocXc1s6lvgx3NBP5cGoSNx+A
+ xCmXl373IDc=
+ =uSyc
+ -----END PGP MESSAGE-----
+ fp: 28D140BCA60B4FD1
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
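Review bot: The pgp entry's `fp: 28D140BCA60B4FD1` is a 64-bit long key ID rather than the full 40-hex-digit fingerprint; sops accepts either, but the full fingerprint identifies the intended key unambiguously, so the recipient list is better expressed with it and the file re-encrypted via `sops updatekeys`. Only ciphertext, the age recipient and this key identifier are committed here, which is the intended shape of a sops file. Since the host module disables gnupg and keeps no age key file, the pgp recipient presumably exists only so an operator can edit the file, while the age recipient is the host's own identity — a note to that effect in the repository's sops creation rules (`.sops.yaml`, if present; not part of this commit) would help the next maintainer.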