From 71710a3aa0cd52e04d399550444375040083ebdf Mon Sep 17 00:00:00 2001
From: materus <materus@podkos.pl>
Date: Sat, 13 Jun 2026 23:14:06 +0200
Subject: [PATCH] oldie: init secrets, connect to wireguard

---
 nix-config/host/oldie/configuration.nix    |  38 +++++++++++++++++++++
 nix-config/host/oldie/default.nix          |   2 ++
 nix-config/host/oldie/private/default.nix  | Bin 0 -> 618 bytes
 nix-config/host/oldie/private/secrets.yaml | Bin 0 -> 1768 bytes
 nix-config/shared/private/variables.nix    | Bin 905 -> 897 bytes
 5 files changed, 40 insertions(+)
 create mode 100644 nix-config/host/oldie/private/default.nix
 create mode 100644 nix-config/host/oldie/private/secrets.yaml

diff --git a/nix-config/host/oldie/configuration.nix b/nix-config/host/oldie/configuration.nix
index 8ceb445..8a16a24 100644
--- a/nix-config/host/oldie/configuration.nix
+++ b/nix-config/host/oldie/configuration.nix
@@ -7,6 +7,7 @@
   lib,
   pkgs,
   materusArgs,
+  mkk,
   ...
 }:
 
@@ -325,6 +326,43 @@
   hardware.uinput.enable = true;
   hardware.steam-hardware.enable = true;
 
+
+  sops.templates."networkmanager.env".content = ''
+    WIREGUARD_PRIVATEKEY="${config.sops.placeholder.wg-key}"
+  '';
+  networking.networkmanager.ensureProfiles.environmentFiles = [
+    config.sops.templates."networkmanager.env".path
+  ];
+  networking.networkmanager.ensureProfiles.profiles = {
+    wg0 = {
+      connection = {
+        id = "PodKos";
+        type = "wireguard";
+        interface-name = "wg-podkos";
+      };
+      wireguard = {
+        private-key = "$WIREGUARD_PRIVATEKEY";
+      };
+      "wireguard-peer.${mkk.wireguard.peers.valkyrie.pubKey}" = {
+        endpoint = "${mkk.network.valkyrie.ip}:${mkk.wireguard.peers.valkyrie.port}";
+        allowed-ips = "${mkk.wireguard.ip-masks.main};${mkk.wireguard.ip-masks.guest};${mkk.wireguard.ip-masks.asia};${mkk.wireguard.peers.valkyrie.ip}/32;";
+        persistent-keepalive = "20";
+      };
+      ipv4 = {
+        address1 = "${mkk.wireguard.peers.oldie.ip}/32";
+        dns = "${mkk.wireguard.peers.valkyrie.ip};";
+        method = "manual";
+        never-default = "true";
+      };
+      ipv6 = {
+        addr-gen-mode = "stable-privacy";
+        method = "disabled";
+      };
+      proxy = { };
+    };
+  };
+
+
   # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
   system.stateVersion = "26.05"; # Did you read the comment?
 
diff --git a/nix-config/host/oldie/default.nix b/nix-config/host/oldie/default.nix
index 0167962..56b837a 100644
--- a/nix-config/host/oldie/default.nix
+++ b/nix-config/host/oldie/default.nix
@@ -2,5 +2,7 @@
 {
   imports = [
     ./configuration.nix
+
+    ./private
   ];
 }
diff --git a/nix-config/host/oldie/private/default.nix b/nix-config/host/oldie/private/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..db8891490c51c145fbd107f49936e797881eab2e
GIT binary patch
literal 618
zcmZQ@_Y83kiVO&0*miIhubOe73riR8ihr|vo^*fwa@df;c-Mlv%b1u?exDj&A)5RD
z{GXlDzdrvn{LIC9%W(hKu)MPAep6nn+<5VNj{FJBscA1}PjOHRba*jWd5eLG&>OoY
z8aa+jw>C^mi~M!d*;82kRBsT=0<+Yso4#J(W}{gX>hm|<c}8*Hm&{pny_|o((7CaH
z(YJrq`p52^Z;jKvzGa1MiP6sYO>31qW>0VA-}*nr?%ugP(YP@73*q7Qnpa~#S#o}w
zw50aMpMM<x?ud(QNj`pN{$3`(7tdTGSwvI};<tO9dVR=I;Z>xF-qO@hvOTsj`pZ9E
zk^bQAuKKz2m7ow)&Cj39>kn7(#-<&g5?b)a@Sa~2_lmZ6y?Z8pE4&uCyRXe`^&ffX
zC6hf~h<!f1a7xPx<7QjobFU01c37CEY)t*B&988sXNA35(OJs}7I(L2$ohE{x2pFY
zu@rW*lzSA&^t<ZGfvAQVQ`$M6i)o~PpB>a^Yf|U>QSj{YghjV^iHVE+Jk7izLV(?M
ztHyCb&C-&ov;O{Bt04B+?l<qLHID8k9~px-J}W-`aof8S(@*Y5Ta<Ox@5f|qYsc$}
zLbJjxoJIE@UhS7Y#mZXQ;q)u{UwbuDUzx^qc}@^+=URNAfwe%+B-NvNTk+Pst@re^
z4YE1&JNHg3t*Ey9<-W<+WZA|?hU+VX>gFV_jz6~b%8{iL7XN-2zwm_Dg}&^gD(tpT
z4(wQT<>{uL&Vw7cPuKG=l63G4y1Q*nl)3D~pIuG7?*nHmnVRhB*(9R-Pvkm_Lj)(I
itoqyfh7hY=mg<(u$5y5W9cs$rtQOxBQd4=tq!R!~`7h4^

literal 0
HcmV?d00001

diff --git a/nix-config/host/oldie/private/secrets.yaml b/nix-config/host/oldie/private/secrets.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3aa042c8644cddd2f107903408a74a7cdaa48df2
GIT binary patch
literal 1768
zcmZQ@_Y83kiVO&0IIzu0G4WQhdcjO9zp4COk5oHKJEzqiOaCWWwjpJaWA^^blcKfa
z%=Q|bY|ReH^IdUlQS>?vmS-6g)Xw~!zue;L{%v7xuFsaUE(!batv&HcuUhWD*8z7{
z2w4fn>9K~Sr~LPJad-VBKd0*Wq(r^42AMWx(Zp!eMxh>=n@4B6=?2H2ell~1++WX_
zYag%qF+7=Z^Vq$FrKvU*b6pP<YtQ~KzW>XF<98IVI!(MGJ>RGANc6E~QXC%HDLT{A
zCU0YpEZFJ3$uC}Z&)q$r)IOW8%e0Kie{Fd})@1fMR<A|gjsMdv9bTC*?dEh3JKM*1
zzdz-x&{7lC7M^txr!~T*@5I;dpS{NKSH4bZ$>fZw+FPCm?Rj?o!p`P}wgOMoCq_xe
z8s_~gRdp>m`O&^=;Z8oAWnUg!WJ&O@*Zg>7Mf>hlwun^zH&5ad7kIv|5sf(9ARzwP
z-|(ys<NqHk`sQx`y-1yJwp+)ARg>?lXD8Wtoj&(?9Y-gFq3GJ<N3S|6KX|q}-_xCI
z(y0X}b>~gpcl=LCn1cARb$+idO*EUT{`_`H#kAC)C%j)XmYHWKciyhvVc*B%K6%HB
z_Ydrrd6(X?D17)fYz4=rq%Yfd9FMoG?+{#@_p|!^EWUl=`hRW~`2R|t%H6hY`fWpN
z7x&KdA9vp@EB?P=pTPBoscD+dzk~WYU+<K7yf0P9-u-&oiTTzSZ`(W6yz*cTz4@0*
z{Zg6U+he=gZf#VJIP(9i<(i1wj>*X<3=)?w`JuH#Hc?w_CtKgQuNg<*E{_v<sIp%3
zSMcg>9BmId{HLE>TdAScnH{_>*2}Y?BSZA;KI@&E9wcn2)qgQ7De&Uj+?;9aN)}cw
zD-hdqq;XdObM}#g6Mk%yNSyZSzJ6WZuW2r;OJrB~pPTY|*^3MIDYH*DXV+wOo)rk{
z{$L_^=Xzg4r<uIdxnI#|fAnT?uzWsoLBro&=I_TfA)#SyI!{$QbtdfJr{<=nJwyKe
ziMb5v--{}D-@D0fduk5b-nqt^Zx7DqZ%p{E{U-Xl-MOH(kK>BY<+vQ@f3n5=<NFDh
zr%XF~UU6Q>Tn{Cq;*O7NH&ou)P$|;4l-qX2_sT_gE<J1D`1J3w=cf;Md(%%HXkolj
zWN~1Ly_AFYF^~OAek!&c4NwleceW^c!Q`A|i6>#ZJU{u~{;gfCy)ZYW>gDhI6P7$Q
z>3Vg_WL4D3HB&lPNnhrD$rYwJ@z58&L&~d;y_{E&<y;WEhW*-?oT{aD`k|G|ry{~;
zPo1teg-fuFtKwqa`sbCaWyLF0mTj81rKzbXUg4X#!8v1dIq7&k&Fnn~B*iT6MtF%#
zUT0byBz&oBi*DwwY}pe>-MUsTJ9~<~jpve7?7Anr{S7_^2TFaezAy2OQ{{z7p#^WN
zL(-e#MO7^Sil?nC42pQVQ{fNKUDk`oXP2j3?mC&vuv2oyVvbF#f*mvrN;DGOmODJ{
z`VzJC(2r-IkG(&*v8=s7YmJZJmYW4RnU9j9gY>V++1}g|RB&p;%yh3S#`_YQenrMC
zwT~@hZ25VeLqev(UyNms{Klo1&K#9}qrtJTVx_Q`!SU|Z+3uIt>}Xdjy~Xr*X7$4;
znbL&+yonjD>lTV`%y}%9lc{v4Vp`<grxpt?JDg5Z?LW|#=bfbKZ}!1;Hru{#@i{It
zdh;@$sR?Rq<#>8K*72G86xEPfm%DCQyiN*y{PKiLY+{l+cO&!bDU4I<yB7SjWIxZ7
zEx&N@>Y8nx^P>V@otDk7xYoL4!nd8WHh$KAlcIIDiImA%)y~S(y&Am7<H4)v5w&|l
z3a@2;ke@j5qY^u#i{BT?isL(T+S(&`gsU-4z0&`t>DNrhlShBPpTFF8)-T8Pr6wPH
z+_e|Yn}7VXz18|_wti)CSG#V>xKzZ}u&tbUSmq$d$El+04AQzx-CWK-D135UOPgci
z=jbD8`=Vx8t!j;Aiu<D+E>sk>?OauMRDI~buUG8i?>xF7XSI`MVw2X}{LsK%Vw3O0
zeyKVoTcI&6yk*zlS~aWf{>irGEDL8CSO@OhJSod8M9SAwt<U`5_YJOkCr@m8w^v}v
zzfIOY#@~`^pKrE{vsixDQun^EbM@xWk36l8Zw$;^sQTbY;G@}_Upa~zuCsKVuGIAY
zsXudxxp~VxcM%)qT@LI%q9^q&7CtfN4k-Ov?Q9t1^0}{U!CH0Bm~9%L@^od^y}B#P
zWm;HjuQhFz)(lp^T<z9rQ_cpSTy|W1nuXCVN%sBX>t>tZO#kI}&R|RD@`M~CtBTdE
zMQ_B4yWM7cHcz_mwA!C{XJzc>)DExD!beWMO|<uA&u2*VRJo;i{=@Z!qP_k{8+oTr
ylHBjRZ}$9|JUV8*yeS*yQ+DarZJOj?x#y9|nV_xPbq}=^bGsd0d;M4C=`H~M9c$zO

literal 0
HcmV?d00001

diff --git a/nix-config/shared/private/variables.nix b/nix-config/shared/private/variables.nix
index 00584c25f4e472299b8be4fe1c57d1c47e485556..4a519392abcf7d92a58a5194e7c6a6dc52dbafe0 100644
GIT binary patch
literal 897
zcmZQ@_Y83kiVO&0_*K35);#l{E8Az;CU7pd-BDv~efYSKEVl#Ciwav^t;VqR=U(2~
z*uU>&YwQ0P)314d-5M0KDLOK8x@DX0%a<vy!*UmY-I8(6=~M9DPaAf|oR5t<ZDP+N
zb5V2V71P3w&ws1ZAIudwm7r3nu+7EMfamYx7vj64<xkFx-ZuYSiOTL|>&iu8vGeQC
z2_NxGimWrO;H`LZrM~`|@Z9VAB_Y=)sh^#7;KQq?$zCs)i>pa*tnodTP^NnArnAjC
zn`{4F7i2DsV_LFy<{x*jBeDwT8n0iCkO*LYS-rxI{a-+fva!2ccjANx>F2)&d9#UL
zPn^Lj=uj2E#W-8CnBQ!Hk(JHTa)UQZO&Yc>x}YBaApXGIXs1T8yj>q(sjqB*eCg}H
zSsx|}@0)%us7y04PsZ-?EZ6`2D-YI{yx-OlAadS*?#77F)9Ul@U7OFpTTD5EIjQJx
z=<>D&4<;^OytH?zTj{;i9A|c=NW9>^9hc>qHm_&(;$t@VR#`oc{P^PevsbUae75V6
zRopnMpSfhugx5M}gajL1^o}NWhIV?1Yfa2v8OHPZ(lf(wuf`SE!sNr6St5FNR~EIs
z7Jv4B-bB9{Rjs>Y-YpME)XkpL>=*7n>8WJNYP&6(2G7_<{HLw^v@JYvf$-rX+1=~P
z8H}&5YLH5MG{xh$QjKj5+l}=Td$jkQe77$!{Y?05-5I-2TWd3&_GnR0aMI?z@L#}V
zUKP*8veQrXEd?G&DQ~jvt9vq`T%`79?>lzu=XIOkr$1qvc<A+xx(Qh;rXP2Wn7sYg
z*Qns`T#0%oEoX)_UK2Svs|B{Vl@2n_u8T5lsSDFxA6z1>zU<K15*ED+F`Fk@Hl?(m
zSSik#Xl$+~zn6{6OP@>oUUn11Gbe>J=V$OMX3gN(R>9q1GozxPe`fyGs(w{v>m6y=
z7s}l}c3oqm+|(e|oavnIlPbG<-WD#KWP7X7yQJ#ra>jiJ17uexu66NfyYqk3*JEzI
zFOBE={B3*?Jt=DU$83{xZ~rZ4Y0)_sAZ;=Cd)jQZ6I%jPz5T_+B>vCN3jATVzTkF%
zSb9NlpZ33coxK8{vyWz0a~=2kKPzDAs*fMGDnB&+zJ~qM-|TuHPpJxV`{k|@5-XUj
zoYMqW+aCL<%P9OQD6}Y-qm;{T%Krkh&zJL~MKf;NAGkC}_w^Z7hku?f*1ZJ*_w%?G
OUH+s{Dz~QOvnK#mU$VLY

literal 905
zcmZQ@_Y83kiVO&0c*d+2w`AUjj46?gKi*njlc_5?aQ^Y<wih2oD~#QZ&(CS$i}ao*
z<#xMBKD6?7=k}TZGge*dJ7HFSW4-07cXzKYxwUCl@~u5DYVV6)yIA@5)4Xe<MN?ar
zZfU;N*m5UfL5cCC=&qAdC$iog%e(&GrM+gF^0Dt%9u=?5nX#|EMK<aF5zbH<t2+rV
zPM)3P{W9mH&jj%|OIM}ul1lhKFE#f%SE<pQ%j?+RtLT<*7dYR3K(645yDN*_b?r>?
zIV-pA&lO(d@Kxhit**4uU1x0u#+2=CZ7YjrKkz-~So4voOl<qyt~V!_+M7>xDY1y<
za{tA-*(Ee=lUmldsfF7G`&Lf5`PiXL@NL_Q<l9qX_WP`zS~Vxu`$U6I(pjkuPsAi1
zZ;lH-*06JVcFFXo0-ek67quyE-xViW>~Eeh)!T;Q3&VkookuQRRqha-BD!_gUFMbz
zH?Dn(Qu2|y_t%IcWx`}1?`ILqS<eLKuQ4lK?X;?mEq_|hWSwGNxiEFbXY=I*+<2#7
z++J_LM9;?Hg>c@@fT^qF7O;K)<nztic^#YDo#gpCJssjEmgV+~Wvmr%9Iz<)TQEhZ
z)@qJf!c@lu_BC_wa>XjDwwAwq6?3KW5`Xc%-TPnEbm$s1FBZ#K`zWg7;DwH7dmC?D
zRAqE|rannIL_%!Rb-u?HhUeT%N+&F>WLf%wTl2@~Z#?Bo9=Y%7I{wgbo?QClw5vg%
z-}?Nxd`6wE;JAn#U*KB)gA+f$-YEMr{T5S%yARu@%h$uUmouauWIAvl=q8tExQ`*f
z){b&nM}d?5dun)pTv=ae6CsgtzF@oP_H~N0I(9#3jI-Mi73#N3dW-A41SXGT4;8K_
zU8yeIawGMk!bdspw=2{G-nKqcs+@g6AhT8C&>E>+?OG|r$MNbG_qK?J3(9;gx~;us
zX)5Ojg(Z7<(r0+7hbd|O&8a%PO>76_(a*t4H+=ha`;*HG2gN1d0&3($I*+;C%{q6i
zbY1?d;@XE?+Dio9-nd-xBaqY1w{w-RP301`-x8N3_16jPG<~@s{^YqS2ijjO(O$7@
zQ`20b-tPBS-}QF4Xs}&ewR?#j-xG_DI6jXg@juJVr{^8swYE`@-}c+ZoT>VJ{ZkfX
zpM6yQz%pCqNPy(Z#w{=VE`6P?z}w<rd~NSBuC|5FRk=z#YBWT0z4rzB3hzsfJM@mt
Z$R=s7lR<>SuP+TDGoE<v>)myw1^`g;zoh^G