Spaenny/nix-config
Spaenny/nix-config
1
0
Fork 0
Code Activity

add(newt): add newt to aquarius

Browse source
This commit is contained in:
Philipp 2026-02-21 15:50:30 +01:00
parent 93870202d6
commit f381478fe1
Signed by: Philipp
GPG key ID: B27C3DE2FD94AFC3
6 changed files with 68 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -29,7 +29,7 @@ creation_rules:
key_groups:
- age:
- *primary
- path_regex: secrets/aquarius-wg.yaml
- path_regex: secrets/aquarius-newt.env
key_groups:
- age:
- *primary

30
modules/nixos/services/newt/default.nix Normal file
View file

@ -0,0 +1,30 @@
{
lib,
pkgs,
config,
namespace,
...
}:
with lib;
with lib.${namespace};
let
cfg = config.${namespace}.services.newt;
in
{
options.${namespace}.services.newt = {
enable = mkEnableOption "Newt";
};
config = mkIf cfg.enable {
services.newt = {
enable = true;
environmentFile = "/run/secrets/aquarius-newt.env";
};
sops.secrets."aquarius-newt.env" = {
format = "dotenv";
sopsFile = ../../../../secrets/aquarius-newt.env;
};
};
}

9
secrets/aquarius-newt.env Normal file
View file

@ -0,0 +1,9 @@
NEWT_ID=ENC[AES256_GCM,data:wLn8WaasJl+ybcxK0Zvi,iv:UMUjGIS/L0euTjq5leFJWhtFjXpw6b+nibP0+kB/nSc=,tag:ObgBQYHpqYXIpOpU7pdrVg==,type:str]
NEWT_SECRET=ENC[AES256_GCM,data:idg8gcFzBX3vxQJqOlDfpeuEPhJId3tA+d6baCvdhwReGadPMnrNJPLK/OAZx15t,iv:WPwPBDLj67d7OFJ3XWdR3yv6ZkizBGzVm0jjTjWcUXw=,tag:CoE8lLMKvNxNhm1v3UHPQw==,type:str]
PANGOLIN_ENDPOINT=ENC[AES256_GCM,data:N3SeIG9IEAkb9XGhIb+DrwyPEGS///Pjgh6pZw==,iv:rZWw+R9MtREx9ZgNwniUkjZ1EK/qzNtvnotJDSsZpWg=,tag:3d7a/+0hPTOHjBUV9toOpA==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUFVXT2tvTU5mZDJ1SHlS\nN1o4OVBxZXZ0N2pONDFvUUxOMS83MzI4VXowCmlHQUZvRms4LzFwYzBYdWJsUHR6\nWnBlUDdDcEN5S09DSkJ6QVpyOTMrOGMKLS0tIGF3aVVNVVYvRERvQkY3UUVnd2tj\nME1yYjU1elRZTzFZYklJbkRNR2psczAKhpFPCJxz5bwLqGx82jAkzYa+7xUqwzuv\nbZluxUfSbZFUDn5rZNJMNZW4xAQ6+8OXaSRcs3mqucuXNIkJnzh3WQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
sops_lastmodified=2025-12-26T19:37:13Z
sops_mac=ENC[AES256_GCM,data:rD5AmdlYw/Mauk26cokq2xwUv3i3ZbNEjeCBazkWUGmhWx4YFliDzWFnlwLoj5l96SIzReXx866KFAXaIMczU6VXJXomP/NIe6Ed4bTvkVlnJoXtI01ltmpPlUiPIDH5xCRK3UGQcYYuQbhPdnJtz8N41xegZ/U15BH66GHG7J8=,iv:cN5xXvfajCZpKyPUWGTrzZDzYtpsvLM/gxdOHv7U0Xg=,tag:vhaxlm7fsvOyhK35ihcWXw==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.11.0

11
secrets/aquarius-wg.yaml
View file

@ -1,6 +1,5 @@
privateKey: ENC[AES256_GCM,data:WtmzHDKRbqbJJ3VXKqqKnqKTcvVDV+yFgFfeKxLv+UErOiEBgqtDhKEs0Io=,iv:admaUfhhKLlu58wKpRvgyGSqOsiY82ix2xJgT0GL8Xs=,tag:eP9Ka0jo2BYxZX0w7eKGqA==,type:str]
publicKey: ENC[AES256_GCM,data://Kq875vV3gpE3tbMRVt/q7m5LqPRXOka8fzoA2oZzglfE1xtS/kAMPMR44=,iv:5fLk4lBTHwIcGiAM325ykceViCBwRHFLnxZkcqm3Ao4=,tag:g6R0ZSRa2m9JNB2UH3JIJg==,type:str]
presharedKey: ENC[AES256_GCM,data:EpOJCMzi1XHDbbqdEB+SoC/6LxkHwxZ2DxQINBnGhjXl6JhNYswqTWQuFVU=,iv:GFcxLghV+SQMaJ5J4bQOBPGDQatkSwPLtx57wlWaB+8=,tag:2ofR6eSplwLwe/vYyGyrLg==,type:str]
privateKey: ENC[AES256_GCM,data:9fcuUdAOxNNqXZbhhMve0lA53aeDUfeV39AkqN0v3EpuONRpyekoTFf3W04=,iv:QPUE6/YyHwHmdYdOZyWnXdibQBaukDu/fMlrah76Yok=,tag:0iItXvMxqB0j24ksY4GrJA==,type:str]
publicKey: ENC[AES256_GCM,data:WGsDyRPEyN555s0VlNw5++zOMgpBV+jCtsbQ+0npwDcWdsTueW7OMQMLEtA=,iv:B1Suqh6u1MutuQbYgimFBxlI7j7qkimGRGklx6KsbnU=,tag:2TYj44b2qqQjMJAIELZIKg==,type:str]
sops:
age:
- recipient: age132m0pg4utk3cjve2lgcjffvz7cevl0fq5krufu9sgud7wu2wgurqk49kgl
@ -12,7 +11,7 @@ sops:
ekZnYTVDS1habTBpSUtOaURWTFBxRU0KblHpvcdwLANZdxUmT4hDQqooPXDiRvH1
f8qVPOVveoOBzmoN9HN08TFbQcwZ6YM0IQggxdtMyhZk/qyhy+CqNw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-02T12:06:55Z"
mac: ENC[AES256_GCM,data:T9trFCzxJm3eINbuJIDN04feEHViZz6yiaA59yf9+WyJrLB467DagDc4Qv90vdRJXzakwZSYvprDtglrVReT+Wg2GLdVtNIZmPEaLrfpfBgVaBCEZch48dOh+Ytgc09f95ecyXJV/2xNLBtW8YUs3JZsIAcJQTOOrLLhhPjj96A=,iv:wrwIeLhEsN6LFpO/6RF+DE343xdFhshd4TSeF+le+m8=,tag:rNXmYSJsStd5HeDCgtKSRQ==,type:str]
lastmodified: "2025-12-16T15:06:00Z"
mac: ENC[AES256_GCM,data:2kmKA3KlJ35uUSwgehX7TmsAZPo9ylKKFMJdh3+VUPt376wSWvXtBh8kys3tjcN3Q9Uh+S/wik/p0hDYLx8W0pIMIJKEkejzdJsivo4eDr72cZG4nfSwEq2q5dkEs6sPNItHbot3Jf5JhxSBpSRkUa0/4ttA2Vcs1S+13YWONQ0=,iv:xLJOf0VRjddN+aQu44nfoIe3VphCZwPKTwE4VFH0ZzY=,tag:q4fcu428QAWuzg56akoU3Q==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0

1
systems/aarch64-linux/aquarius/default.nix
View file

@ -62,6 +62,7 @@ with lib.${namespace};
services = {
ssh = enabled;
technitium-dns-server = enabled;
newt = enabled;
};
system.sops = enabled;

56
systems/aarch64-linux/aquarius/networking.nix
View file

@ -1,51 +1,37 @@
{
networking = {
hostName = "aquarius";
networkmanager.enable = false;
dhcpcd.enable = true;
dhcpcd.enable = false;
interfaces.end0.useDHCP = true;
firewall = {
enable = true;
allowedUDPPorts = [ 51820 ];
firewall.enable = true;
};
wireguard = {
enable = true;
interfaces."wg0" = {
ips = [
"192.168.100.10/24"
"fd00:100::10/64"
];
listenPort = 51820;
mtu = 1400;
privateKeyFile = "/run/secrets/privateKey";
peers = [
{
publicKey = "ylsjhpKiq3B6Kv4q2uiHXUJpyxY2b1DOAlGc/FWdflQ=";
presharedKeyFile = "/run/secrets/presharedKey";
allowedIPs = [
"192.168.100.1/32"
"fd00:100::1/128"
];
endpoint = "neuruppin.boehm.sh:51820";
persistentKeepalive = 25;
}
];
systemd.network.enable = true;
services.resolved.enable = true;
systemd.network.networks."99-ignore-wg" = {
matchConfig.Name = "wg*";
networkConfig = {
ConfigureWithoutCarrier = true;
};
linkConfig = {
Unmanaged = "yes";
};
};
sops.secrets = {
privateKey = {
sopsFile = ../../../secrets/aquarius-wg.yaml;
key = "privateKey";
systemd.network.networks."10-end0" = {
matchConfig.Name = "end0";
networkConfig.DHCP = "yes";
dhcpV4Config = {
UseDNS = true;
UseRoutes = true;
};
presharedKey = {
sopsFile = ../../../secrets/aquarius-wg.yaml;
key = "presharedKey";
dhcpV6Config = {
UseDNS = true;
};
};