diff --git a/home/private_dot_ssh/config b/home/private_dot_ssh/config
index 5346f648..c171514b 100644
--- a/home/private_dot_ssh/config
+++ b/home/private_dot_ssh/config
@@ -1,3 +1,3 @@
 Host github.com
 AddKeysToAgent yes
- IdentityFile /run/secrets/github/private
+ IdentityFile /run/secrets/github/starr-dusT
diff --git a/home/private_dot_wireguard/adjudicator.conf.tmpl b/home/private_dot_wireguard/adjudicator.conf.tmpl
deleted file mode 100644
index bc558541..00000000
--- a/home/private_dot_wireguard/adjudicator.conf.tmpl
+++ /dev/null
@@ -1,11 +0,0 @@
-[Interface]
-# your own IP on the wireguard network
-Address = 192.168.3.2/24
-PrivateKey = {{ (secret "Wireguard - Adjudicator Secret" "NOTES") }}
-
-[Peer]
-PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
-# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
-AllowedIPs = 0.0.0.0/0, ::/0
-# ip and port of the peer
-Endpoint = 66.218.43.87:51820
diff --git a/home/private_dot_wireguard/adjudicator.pub b/home/private_dot_wireguard/adjudicator.pub
deleted file mode 100644
index 5813cede..00000000
--- a/home/private_dot_wireguard/adjudicator.pub
+++ /dev/null
@@ -1 +0,0 @@
-r2/IeYCO1T+l248387wUBoNnc2DK9O8pHcIr/NQqezM=
diff --git a/home/private_dot_wireguard/adjudicator.tmpl b/home/private_dot_wireguard/adjudicator.tmpl
deleted file mode 100644
index 068aff98..00000000
--- a/home/private_dot_wireguard/adjudicator.tmpl
+++ /dev/null
@@ -1 +0,0 @@
-{{ (secret "Wireguard - Adjudicator Secret" "NOTES") }}
diff --git a/home/private_dot_wireguard/bulwark.conf.tmpl b/home/private_dot_wireguard/bulwark.conf.tmpl
deleted file mode 100644
index 58a300a5..00000000
--- a/home/private_dot_wireguard/bulwark.conf.tmpl
+++ /dev/null
@@ -1,11 +0,0 @@
-[Interface]
-# your own IP on the wireguard network
-Address = 192.168.3.4/24
-PrivateKey = {{ (secret "Wireguard - Bulwark Secret" "NOTES") }}
-
-[Peer]
-PublicKey = bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=
-# restrict this to the wireguard subnet if you don't want to route everything to the tunnel
-AllowedIPs = 0.0.0.0/0, ::/0
-# ip and port of the peer
-Endpoint = 66.218.43.87:51820
diff --git a/home/private_dot_wireguard/bulwark.pub b/home/private_dot_wireguard/bulwark.pub
deleted file mode 100644
index 18151923..00000000
--- a/home/private_dot_wireguard/bulwark.pub
+++ /dev/null
@@ -1 +0,0 @@
-CDoy/XI8FRQV/ySHigLWG2tpWVw8hgEZXRQCEE3qYHQ=
diff --git a/home/private_dot_wireguard/bulwark.tmpl b/home/private_dot_wireguard/bulwark.tmpl
deleted file mode 100644
index 6aaf4465..00000000
--- a/home/private_dot_wireguard/bulwark.tmpl
+++ /dev/null
@@ -1 +0,0 @@
-{{ (secret "Wireguard - Bulwark Secret" "NOTES") }}
diff --git a/home/private_dot_wireguard/kestrel.pub b/home/private_dot_wireguard/kestrel.pub
deleted file mode 100644
index d4d0402e..00000000
--- a/home/private_dot_wireguard/kestrel.pub
+++ /dev/null
@@ -1 +0,0 @@
-hPso657fppLYvBU31Rtqqg792JEoPv7r82JgLoF8S2Y=
diff --git a/home/private_dot_wireguard/kestrel.tmpl b/home/private_dot_wireguard/kestrel.tmpl
deleted file mode 100644
index 400eef8b..00000000
--- a/home/private_dot_wireguard/kestrel.tmpl
+++ /dev/null
@@ -1 +0,0 @@
-{{ (secret "Wireguard - Kestrel Secret" "NOTES") }}
diff --git a/provision/hosts/kestrel/configuration.nix b/provision/hosts/kestrel/configuration.nix
index e6305ca2..8dd72ca0 100644
--- a/provision/hosts/kestrel/configuration.nix
+++ b/provision/hosts/kestrel/configuration.nix
@@ -102,7 +102,7 @@
 terminal.enable = true;
 wireguard-client = {
 enable = true;
- privateKeyFile = "/home/${user}/.wireguard/kestrel";
+ privateKeyFile = "/run/secrets/wireguard/kestrel";
 address = [ "192.168.3.3/24" ];
 publicKey = "bd7bbZOngl/FTdBlnbIhgCLNf6yx5X8WjiRB7E1NEQQ=";
 endpoint = "66.218.43.87";
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
index 9413dbc9..6ca4e913 100644
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@@ -10,8 +10,13 @@ in {
 defaultSopsFormat = "yaml";
 age.keyFile = "/home/${user}/.config/sops/age/keys.txt";
 
- # Github private key
- secrets."github/private" = { owner = "${user}"; };
+ # Github secrets
+ secrets."github/starr-dusT" = { owner = "${user}"; };
+
+ # Wireguard secrets
+ secrets."wireguard/kestrel" = { owner = "${user}"; };
+ secrets."wireguard/bulwark" = { owner = "${user}"; };
+ secrets."wireguard/adjudicator" = { owner = "${user}"; };
 };
 };
 }
diff --git a/provision/secrets/secrets.yaml b/provision/secrets/secrets.yaml
index c2d8909f..601ec367 100644
--- a/provision/secrets/secrets.yaml
+++ b/provision/secrets/secrets.yaml
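Review bot: `privateKeyFile = "/run/secrets/wireguard/kestrel";` hard-codes the sops-nix output path as a plain string, so a later rename of the `wireguard/kestrel` secret in secrets.nix still evaluates cleanly and only surfaces when the tunnel starts against a missing key file; `privateKeyFile = config.sops.secrets."wireguard/kestrel".path;` ties the two together at evaluation time (assuming `config` is a module argument here, which is outside the hunk). The removed path `/home/${user}/.wireguard/kestrel` was the chezmoi target of the deleted `kestrel.tmpl`, and deleting a source template does not remove the already-deployed file from managed hosts, so the plaintext key remains in the home directory until it is listed in `.chezmoiremove` or cleaned up by hand. The `wireguard-client` attribute set and the enclosing module close outside the hunk.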
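Review bot: The three `secrets."wireguard/*"` declarations live in a shared system module (`provision/modules/system/secrets.nix`), so every host that imports it — kestrel included — decrypts the private keys of bulwark and adjudicator into `/run/secrets/wireguard/` alongside its own, provided that host's age key is a recipient of secrets.yaml. Each peer's key belongs in that host's own configuration (or behind a hostname condition) so a host only ever holds its own WireGuard identity. `owner = "${user}"` also grants the interactive user read access to keys that, if `wireguard-client` sets up a system-level tunnel, only root needs; that module is not in this diff, so confirm before dropping the owner. Kestrel is the only consumer of these paths visible in this commit — bulwark and adjudicator lost their chezmoi templates, but no host configuration switching them to `/run/secrets/wireguard/...` is shown. The enclosing `sops` block opens above the hunk.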
@@ -1,5 +1,9 @@
 github:
- private: ENC[AES256_GCM,data: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,iv:8WSRbanE8hM1O039BjsXsxnAUKFrvPxyZhFEYpJ7kSk=,tag:34VH6H600ow+B0CV8hQNTA==,type:str]
+ starr-dusT: ENC[AES256_GCM,data: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,iv:ZP/u6lV+GE7MpwQDrmNrfoHCBvA5B8+5pd6NNVUNt18=,tag:fKnHXbCibkP/3is8/gboiA==,type:str]
+wireguard:
+ kestrel: ENC[AES256_GCM,data:RLDesKMUtpurv+C2YkxMcbBdiP6cHHUGRCYkgO5Qf6FZLxl4vKRyhTdDzWc=,iv:V/9bpCMTT9YQ8QCNYdpfrhu0lc4Yt5Eu0DJMc0uZkNA=,tag:kFnN7GwT4UKqUyvOdlbXxg==,type:str]
+ bulwark: ENC[AES256_GCM,data:wMMZ1zJ2nPvkAFA5SgcSyl1z+9blDqf/6pVp8olmGaXJsbWc+/gBtDKzTog=,iv:2lZdsFYZhiTumRmYN/q2606gpyS7lCjf4cgeaCIjoxo=,tag:o81+t3pRwfomEys1veQecA==,type:str]
+ adjudicator: ENC[AES256_GCM,data:sK2e6miw5UDLV0RQa/pSoI3boKn39/z+jEI0OSGQjhv6PXqIx4HiEtZJptM=,iv:2XjVv5gxL+E0fCzi1/3I1bbxLBOAYzmtu5S4VlZwyxU=,tag:8cahB2CJ4YDN/LSGqWUPnQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -15,8 +19,8 @@ sops:
 ajM3YlJYU21PaHRyaGlUNy84RHN2SE0KAvMFdqnfV0TzfNcBdY7OvRLZrBb9uXSI
 3y50yFhYnyXtWKLQFTwjN6S5dLaZgqhaGhEQyNCQxb5RGZJDR6g7Yw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-11-20T06:27:54Z"
- mac: ENC[AES256_GCM,data:U15biwKX1mCmnqqutKTOigSzdF5MyS6WrfpMvAW1n5fx0CGMZY07FWRK52ACHNP/eF5Zayq+BfzIAtkyMVfF37J8q5PO6o/G1F6OvldXagvMY4UbqUIb64kHr1aCeQAp+Yd4tGxmsyprkRDLZsJb0Q9Dj8PX30ZiWKUyoWfSlkE=,iv:GRjli6tHFUXAHoc+K4IRP9iAOWEwUlKHQHcdeNyWV3Y=,tag:kntSZLX/te2o6SCmJxhK9g==,type:str]
+ lastmodified: "2023-11-20T07:18:51Z"
+ mac: ENC[AES256_GCM,data:c2jgENQOU6PpskH67qBlH73/9ETExMIClbBTH5yBHUus6UeghWlQ5JZ7FGv1RtQiJ+sqXIsyyjt8vaGzcqMtMuUPtJP7I/YEz/IylSVuDQu5bi2E5tsuRh0U5bSfL1AP6vzrJ7E36FOGX+vqVtDjzgDcwqR1NzWj91mq+5o0KSY=,iv:5xUPWZC4pHdfdhS+YHkX9EOzJseIkFlfYcyri+jY3mI=,tag:2wTru+9n7E/88ma9zaNocw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3