diff --git a/provision/age-secrets/secrets.nix b/provision/age-secrets/secrets.nix index 2a843958..6e0842af 100644 --- a/provision/age-secrets/secrets.nix +++ b/provision/age-secrets/secrets.nix @@ -10,6 +10,8 @@ in { "git/github_personal.age".publicKeys = users ++ systems; "wireguard/kestrel.age".publicKeys = users ++ systems; + "wireguard/torus.age".publicKeys = systems; + "wireguard/bulwark.age".publicKeys = systems; "git/gitea-runner-1.age".publicKeys = systems; "nextcloud/password.age".publicKeys = systems; } diff --git a/provision/age-secrets/wireguard/bulwark.age b/provision/age-secrets/wireguard/bulwark.age new file mode 100644 index 00000000..32016e3e --- /dev/null +++ b/provision/age-secrets/wireguard/bulwark.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Fz/sQw yxwMTsp4T8/0jQd/epX7CixYs0lU1UsGZovNr5hlWhM +XzKWVFgT131qf2jXfG3VP7n78vf7wySkj4ds6JZNguo +-> ssh-ed25519 47GzQA rbcR3Scal1cbF5jkIvEVp0BnChrgrD6QTRVwAbKRv0o +cUlM7OtA9TpiNOoM7LjMaiQIddHC6+bROBq9B7qGR64 +--- TxdiaR51NWXpRxklcJ2eIDJn/kDS7LqduNbB3Og6N+0 +eZ渀xwNh_Sگtx7'Labqԑ*MPWO+%Gr;75bk \ No newline at end of file diff --git a/provision/age-secrets/wireguard/torus.age b/provision/age-secrets/wireguard/torus.age new file mode 100644 index 00000000..4b3620d0 Binary files /dev/null and b/provision/age-secrets/wireguard/torus.age differ diff --git a/provision/hosts/bulwark/configuration.nix b/provision/hosts/bulwark/configuration.nix index 3f0f8f5f..47fc7b3c 100644 --- a/provision/hosts/bulwark/configuration.nix +++ b/provision/hosts/bulwark/configuration.nix @@ -64,6 +64,9 @@ environment.systemPackages = with pkgs; [ ]; + # host secrets + age.secrets."wireguard/bulwark".file = ../../age-secrets/wireguard/bulwark.age; + # Enable modules modules = { desktop = { diff --git a/provision/hosts/kestrel/configuration.nix b/provision/hosts/kestrel/configuration.nix index e7ebcdec..7e814a35 100644 --- a/provision/hosts/kestrel/configuration.nix +++ b/provision/hosts/kestrel/configuration.nix 
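Review bot: With `publicKeys = systems` on the two added lines, every host key in `systems` can decrypt both new WireGuard private keys, so compromising one host yields the VPN identity of the others — if `systems` is the list of all host keys (its definition in the `let` is above the hunk). Scope each file to the host that consumes it plus the user keys that need to edit it, e.g. `"wireguard/torus.age".publicKeys = users ++ [ torus ];` and `"wireguard/bulwark.age".publicKeys = users ++ [ bulwark ];`, assuming per-host bindings exist alongside `systems`. The same applies to `wireguard/kestrel.age` on the context line above, which is additionally readable by all of `users`, so the three host keys currently have three different trust scopes for no visible reason. Note that `publicKeys` only governs who can decrypt the file in the repository; on-host permissions come from each `age.secrets` declaration.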
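Review bot: The new `age.secrets."wireguard/bulwark".file` declaration sets no `owner`, `group` or `mode`, so the decrypted key gets agenix's defaults (root-owned, read-only, as far as I recall), which is what a WireGuard private key should have but differs from the user-owned secret declared in `modules/system/secrets.nix`; make that deliberate in the comment, e.g. `# host secrets — WireGuard private key, root-only by agenix default; do not widen to the user`. Nothing in this hunk consumes the secret; if a client config on this host still points at a literal path such as the `/run/secrets/wireguard/...` string torus used before this commit, it should use `config.age.secrets."wireguard/bulwark".path` instead so a rename fails at evaluation rather than at interface start. The enclosing attribute set starts and ends outside the hunk.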
@@ -71,6 +71,9 @@ distrobox # Platform for creating and managing Linux distribution images. ]; + # host secrets + age.secrets."wireguard/kestrel".file = ../../age-secrets/wireguard/kestrel.age; + # Enable modules modules = { desktop = { diff --git a/provision/hosts/torus/wireguard-server.nix b/provision/hosts/torus/wireguard-server.nix index acdbef02..8bcb143d 100644 --- a/provision/hosts/torus/wireguard-server.nix +++ b/provision/hosts/torus/wireguard-server.nix @@ -14,6 +14,8 @@ allowedUDPPorts = [ 53 51820 ]; }; + age.secrets."wireguard/torus".file = ../../age-secrets/wireguard/torus.age; + networking.wg-quick.interfaces = { # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { @@ -22,7 +24,7 @@ # The port that WireGuard listens to - recommended that this be changed from default listenPort = 51820; # Path to the server's private key - privateKeyFile = "/run/secrets/wireguard/torus"; + privateKeyFile = "/run/agenix/wireguard/torus"; # This allows the wireguard server to route your traffic to the internet and hence be like a VPN postUp = '' diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix index 53ac28b6..d132268a 100644 --- a/provision/modules/system/secrets.nix +++ b/provision/modules/system/secrets.nix @@ -15,11 +15,5 @@ in { owner = "${user}"; group = "users"; }; - - # wireguard secrets - age.secrets."wireguard/kestrel".file = ../../age-secrets/wireguard/kestrel.age; - #age.secrets."wireguard/bulwark".file = ../../age-secrets/wireguard/bulwark.age; - #age.secrets."wireguard/adjudicator".file = ../../age-secrets/wireguard/adjudicator.age; - #age.secrets."wireguard/torus".file = ../../age-secrets/wireguard/torus.age; }; }
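Review bot: `age.secrets."wireguard/kestrel".file` is moved here from the shared module, but nothing in the hunk references its decrypted path; confirm the kestrel WireGuard client reads `config.age.secrets."wireguard/kestrel".path` rather than a hard-coded `/run/agenix/...` or the old `/run/secrets/...` string, since only the option reference follows `age.secretsDir` and breaks at evaluation time if the secret is renamed. The declaration keeps agenix's default ownership (root, read-only), which is correct for a private key and differs from the user-owned secret in `modules/system/secrets.nix`; a comment such as `# WireGuard private key: root-only (agenix defaults), consumed by the wg client on this host` would record that the omission of `owner` is intentional. The enclosing attribute set starts and ends outside the hunk.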
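Review bot: `privateKeyFile = "/run/agenix/wireguard/torus"` hard-codes agenix's default secrets directory, so it silently diverges if `age.secretsDir` is changed or the secret is renamed, and wg-quick only notices when the interface fails to come up; take the path from the option declared a few lines earlier instead: `privateKeyFile = config.age.secrets."wireguard/torus".path;`. This assumes the module receives `config` in its argument set, which is outside the hunk. The removed `/run/secrets/...` value suggests the key previously came from a different secrets mechanism, so any other literal secret paths in this file deserve the same treatment. The `wg0` attribute set and its `postUp` script continue outside the hunk.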