add(newt): add newt to aquarius
This commit is contained in:
parent
93870202d6
commit
f381478fe1
GPG key ID:
B27C3DE2FD94AFC3
6 changed files with 68 additions and 43 deletions
|
|
@ -29,7 +29,7 @@ creation_rules:
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *primary
|
- *primary
|
||||||
- path_regex: secrets/aquarius-wg.yaml
|
- path_regex: secrets/aquarius-newt.env
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *primary
|
- *primary
|
||||||
|
|
|
||||||
30
modules/nixos/services/newt/default.nix
Normal file
30
modules/nixos/services/newt/default.nix
Normal file
|
|
@ -0,0 +1,30 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
namespace,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib;
|
||||||
|
with lib.${namespace};
|
||||||
|
let
|
||||||
|
cfg = config.${namespace}.services.newt;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.${namespace}.services.newt = {
|
||||||
|
enable = mkEnableOption "Newt";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.newt = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/run/secrets/aquarius-newt.env";
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."aquarius-newt.env" = {
|
||||||
|
format = "dotenv";
|
||||||
|
sopsFile = ../../../../secrets/aquarius-newt.env;
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
}
|
||||||
9
secrets/aquarius-newt.env
Normal file
9
secrets/aquarius-newt.env
Normal file
|
|
@ -0,0 +1,9 @@
|
||||||
|
NEWT_ID=ENC[AES256_GCM,data:wLn8WaasJl+ybcxK0Zvi,iv:UMUjGIS/L0euTjq5leFJWhtFjXpw6b+nibP0+kB/nSc=,tag:ObgBQYHpqYXIpOpU7pdrVg==,type:str]
|
||||||
|
NEWT_SECRET=ENC[AES256_GCM,data:idg8gcFzBX3vxQJqOlDfpeuEPhJId3tA+d6baCvdhwReGadPMnrNJPLK/OAZx15t,iv:WPwPBDLj67d7OFJ3XWdR3yv6ZkizBGzVm0jjTjWcUXw=,tag:CoE8lLMKvNxNhm1v3UHPQw==,type:str]
|
||||||
|
PANGOLIN_ENDPOINT=ENC[AES256_GCM,data:N3SeIG9IEAkb9XGhIb+DrwyPEGS///Pjgh6pZw==,iv:rZWw+R9MtREx9ZgNwniUkjZ1EK/qzNtvnotJDSsZpWg=,tag:3d7a/+0hPTOHjBUV9toOpA==,type:str]
|
||||||
|
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUFVXT2tvTU5mZDJ1SHlS\nN1o4OVBxZXZ0N2pONDFvUUxOMS83MzI4VXowCmlHQUZvRms4LzFwYzBYdWJsUHR6\nWnBlUDdDcEN5S09DSkJ6QVpyOTMrOGMKLS0tIGF3aVVNVVYvRERvQkY3UUVnd2tj\nME1yYjU1elRZTzFZYklJbkRNR2psczAKhpFPCJxz5bwLqGx82jAkzYa+7xUqwzuv\nbZluxUfSbZFUDn5rZNJMNZW4xAQ6+8OXaSRcs3mqucuXNIkJnzh3WQ==\n-----END AGE ENCRYPTED FILE-----\n
|
||||||
|
sops_age__list_0__map_recipient=age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
|
||||||
|
sops_lastmodified=2025-12-26T19:37:13Z
|
||||||
|
sops_mac=ENC[AES256_GCM,data:rD5AmdlYw/Mauk26cokq2xwUv3i3ZbNEjeCBazkWUGmhWx4YFliDzWFnlwLoj5l96SIzReXx866KFAXaIMczU6VXJXomP/NIe6Ed4bTvkVlnJoXtI01ltmpPlUiPIDH5xCRK3UGQcYYuQbhPdnJtz8N41xegZ/U15BH66GHG7J8=,iv:cN5xXvfajCZpKyPUWGTrzZDzYtpsvLM/gxdOHv7U0Xg=,tag:vhaxlm7fsvOyhK35ihcWXw==,type:str]
|
||||||
|
sops_unencrypted_suffix=_unencrypted
|
||||||
|
sops_version=3.11.0
|
||||||
|
|
@ -1,6 +1,5 @@
|
||||||
privateKey: ENC[AES256_GCM,data:WtmzHDKRbqbJJ3VXKqqKnqKTcvVDV+yFgFfeKxLv+UErOiEBgqtDhKEs0Io=,iv:admaUfhhKLlu58wKpRvgyGSqOsiY82ix2xJgT0GL8Xs=,tag:eP9Ka0jo2BYxZX0w7eKGqA==,type:str]
|
privateKey: ENC[AES256_GCM,data:9fcuUdAOxNNqXZbhhMve0lA53aeDUfeV39AkqN0v3EpuONRpyekoTFf3W04=,iv:QPUE6/YyHwHmdYdOZyWnXdibQBaukDu/fMlrah76Yok=,tag:0iItXvMxqB0j24ksY4GrJA==,type:str]
|
||||||
publicKey: ENC[AES256_GCM,data://Kq875vV3gpE3tbMRVt/q7m5LqPRXOka8fzoA2oZzglfE1xtS/kAMPMR44=,iv:5fLk4lBTHwIcGiAM325ykceViCBwRHFLnxZkcqm3Ao4=,tag:g6R0ZSRa2m9JNB2UH3JIJg==,type:str]
|
publicKey: ENC[AES256_GCM,data:WGsDyRPEyN555s0VlNw5++zOMgpBV+jCtsbQ+0npwDcWdsTueW7OMQMLEtA=,iv:B1Suqh6u1MutuQbYgimFBxlI7j7qkimGRGklx6KsbnU=,tag:2TYj44b2qqQjMJAIELZIKg==,type:str]
|
||||||
presharedKey: ENC[AES256_GCM,data:EpOJCMzi1XHDbbqdEB+SoC/6LxkHwxZ2DxQINBnGhjXl6JhNYswqTWQuFVU=,iv:GFcxLghV+SQMaJ5J4bQOBPGDQatkSwPLtx57wlWaB+8=,tag:2ofR6eSplwLwe/vYyGyrLg==,type:str]
|
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
|
- recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
|
||||||
|
|
@ -12,7 +11,7 @@ sops:
|
||||||
ekZnYTVDS1habTBpSUtOaURWTFBxRU0KblHpvcdwLANZdxUmT4hDQqooPXDiRvH1
|
ekZnYTVDS1habTBpSUtOaURWTFBxRU0KblHpvcdwLANZdxUmT4hDQqooPXDiRvH1
|
||||||
f8qVPOVveoOBzmoN9HN08TFbQcwZ6YM0IQggxdtMyhZk/qyhy+CqNw==
|
f8qVPOVveoOBzmoN9HN08TFbQcwZ6YM0IQggxdtMyhZk/qyhy+CqNw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2025-08-02T12:06:55Z"
|
lastmodified: "2025-12-16T15:06:00Z"
|
||||||
mac: ENC[AES256_GCM,data:T9trFCzxJm3eINbuJIDN04feEHViZz6yiaA59yf9+WyJrLB467DagDc4Qv90vdRJXzakwZSYvprDtglrVReT+Wg2GLdVtNIZmPEaLrfpfBgVaBCEZch48dOh+Ytgc09f95ecyXJV/2xNLBtW8YUs3JZsIAcJQTOOrLLhhPjj96A=,iv:wrwIeLhEsN6LFpO/6RF+DE343xdFhshd4TSeF+le+m8=,tag:rNXmYSJsStd5HeDCgtKSRQ==,type:str]
|
mac: ENC[AES256_GCM,data:2kmKA3KlJ35uUSwgehX7TmsAZPo9ylKKFMJdh3+VUPt376wSWvXtBh8kys3tjcN3Q9Uh+S/wik/p0hDYLx8W0pIMIJKEkejzdJsivo4eDr72cZG4nfSwEq2q5dkEs6sPNItHbot3Jf5JhxSBpSRkUa0/4ttA2Vcs1S+13YWONQ0=,iv:xLJOf0VRjddN+aQu44nfoIe3VphCZwPKTwE4VFH0ZzY=,tag:q4fcu428QAWuzg56akoU3Q==,type:str]
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.10.2
|
version: 3.11.0
|
||||||
|
|
|
||||||
|
|
@ -62,6 +62,7 @@ with lib.${namespace};
|
||||||
services = {
|
services = {
|
||||||
ssh = enabled;
|
ssh = enabled;
|
||||||
technitium-dns-server = enabled;
|
technitium-dns-server = enabled;
|
||||||
|
newt = enabled;
|
||||||
};
|
};
|
||||||
|
|
||||||
system.sops = enabled;
|
system.sops = enabled;
|
||||||
|
|
|
||||||
|
|
@ -1,51 +1,37 @@
|
||||||
{
|
{
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "aquarius";
|
hostName = "aquarius";
|
||||||
|
|
||||||
networkmanager.enable = false;
|
networkmanager.enable = false;
|
||||||
dhcpcd.enable = true;
|
dhcpcd.enable = false;
|
||||||
|
|
||||||
interfaces.end0.useDHCP = true;
|
firewall.enable = true;
|
||||||
|
|
||||||
firewall = {
|
|
||||||
enable = true;
|
|
||||||
allowedUDPPorts = [ 51820 ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
wireguard = {
|
systemd.network.enable = true;
|
||||||
enable = true;
|
services.resolved.enable = true;
|
||||||
interfaces."wg0" = {
|
|
||||||
ips = [
|
systemd.network.networks."99-ignore-wg" = {
|
||||||
"192.168.100.10/24"
|
matchConfig.Name = "wg*";
|
||||||
"fd00:100::10/64"
|
networkConfig = {
|
||||||
];
|
ConfigureWithoutCarrier = true;
|
||||||
listenPort = 51820;
|
|
||||||
mtu = 1400;
|
|
||||||
privateKeyFile = "/run/secrets/privateKey";
|
|
||||||
peers = [
|
|
||||||
{
|
|
||||||
publicKey = "ylsjhpKiq3B6Kv4q2uiHXUJpyxY2b1DOAlGc/FWdflQ=";
|
|
||||||
presharedKeyFile = "/run/secrets/presharedKey";
|
|
||||||
allowedIPs = [
|
|
||||||
"192.168.100.1/32"
|
|
||||||
"fd00:100::1/128"
|
|
||||||
];
|
|
||||||
endpoint = "neuruppin.boehm.sh:51820";
|
|
||||||
persistentKeepalive = 25;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
linkConfig = {
|
||||||
|
Unmanaged = "yes";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets = {
|
systemd.network.networks."10-end0" = {
|
||||||
privateKey = {
|
matchConfig.Name = "end0";
|
||||||
sopsFile = ../../../secrets/aquarius-wg.yaml;
|
networkConfig.DHCP = "yes";
|
||||||
key = "privateKey";
|
|
||||||
|
dhcpV4Config = {
|
||||||
|
UseDNS = true;
|
||||||
|
UseRoutes = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
presharedKey = {
|
dhcpV6Config = {
|
||||||
sopsFile = ../../../secrets/aquarius-wg.yaml;
|
UseDNS = true;
|
||||||
key = "presharedKey";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue