change torus wireguard to sops-nix

2025-02-19 19:27:31 -08:00 · 2023-11-19 23:43:26 -08:00 · 2023-11-19 23:43:26 -08:00 · 4b5a21c946
commit 4b5a21c946
parent 602eaf2138
4 changed files with 6 additions and 3 deletions
--- a/provision/hosts/torus/configuration.nix
+++ b/provision/hosts/torus/configuration.nix
@ -150,6 +150,7 @@
    system = {
      terminal.enable = true;
      ssh.enable = true;
+      secrets.enable = true;
    };
  };
  # Did you read the comment?
--- a/provision/hosts/torus/wireguard-server.nix
+++ b/provision/hosts/torus/wireguard-server.nix
@ -22,7 +22,7 @@
      # The port that WireGuard listens to - recommended that this be changed from default
      listenPort = 51820;
      # Path to the server's private key
-      privateKeyFile = "/engi/apps/wireguard/private";
+      privateKeyFile = "/run/secrets/wireguard/torus";
  
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
      postUp = ''
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@ -17,6 +17,7 @@ in {
      secrets."wireguard/kestrel" = { owner = "${user}"; };
      secrets."wireguard/bulwark" = { owner = "${user}"; };
      secrets."wireguard/adjudicator" = { owner = "${user}"; };
+      secrets."wireguard/torus" = { owner = "${user}"; };
    };
  };
 }
--- a/provision/secrets/secrets.yaml
+++ b/provision/secrets/secrets.yaml
@ -4,6 +4,7 @@ wireguard:
    kestrel: ENC[AES256_GCM,data:RLDesKMUtpurv+C2YkxMcbBdiP6cHHUGRCYkgO5Qf6FZLxl4vKRyhTdDzWc=,iv:V/9bpCMTT9YQ8QCNYdpfrhu0lc4Yt5Eu0DJMc0uZkNA=,tag:kFnN7GwT4UKqUyvOdlbXxg==,type:str]
    bulwark: ENC[AES256_GCM,data:wMMZ1zJ2nPvkAFA5SgcSyl1z+9blDqf/6pVp8olmGaXJsbWc+/gBtDKzTog=,iv:2lZdsFYZhiTumRmYN/q2606gpyS7lCjf4cgeaCIjoxo=,tag:o81+t3pRwfomEys1veQecA==,type:str]
    adjudicator: ENC[AES256_GCM,data:sK2e6miw5UDLV0RQa/pSoI3boKn39/z+jEI0OSGQjhv6PXqIx4HiEtZJptM=,iv:2XjVv5gxL+E0fCzi1/3I1bbxLBOAYzmtu5S4VlZwyxU=,tag:8cahB2CJ4YDN/LSGqWUPnQ==,type:str]
+    torus: ENC[AES256_GCM,data:BPID5S71fSlwwu5HaYr25n1N7dznKCWx4CZ3VqppsC7Sc5envnGDm2nnqHU=,iv:8sYeuwxd4typ2n5xq0laQEwc1vc3cFbBx9B38q92/Z4=,tag:t7f8z/Jq3/fTNQasOOpgsA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -19,8 +20,8 @@ sops:
            ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI
            3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-20T07:18:51Z"
-    mac: ENC[AES256_GCM,data:c2jgENQOU6PpskH67qBlH73/9ETExMIClbBTH5yBHUus6UeghWlQ5JZ7FGv1RtQiJ+sqXIsyyjt8vaGzcqMtMuUPtJP7I/YEz/IylSVuDQu5bi2E5tsuRh0U5bSfL1AP6vzrJ7E36FOGX+vqVtDjzgDcwqR1NzWj91mq+5o0KSY=,iv:5xUPWZC4pHdfdhS+YHkX9EOzJseIkFlfYcyri+jY3mI=,tag:2wTru+9n7E/88ma9zaNocw==,type:str]
+    lastmodified: "2023-11-20T07:39:39Z"
+    mac: ENC[AES256_GCM,data:jucZ9Ofxk1yDLPHHi2M3bX7zvZAYjnigizEKqWi7/Ubn9xOdj6M8XSv0QQhhFpRvggLQf7be4ATATS8P+/9liFy+j9fK+4Zv1ryuYYKTNZyTwbTZfNPR1FholuVDcwSsgR+TmdVHkD4ypOPpTlSFllJbuk1R4ebI48WOJix6ao0=,iv:SbTXmFr9Un1YEpVxi3uMTZmPePZsQR3uWQP40LX+qSc=,tag:to3wH9YnOerEIZ37aAo+lA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3