authorsinanmohd <sinan@sinanmohd.com>2025-12-27 09:01:13 +0530
committersinanmohd <sinan@sinanmohd.com>2025-12-27 09:08:01 +0530
commit5b32b947de3ac1adb4317e9c92094d67561d1230 (patch)
treee0edc6f33674cd93c251e71d389d09923f4acf19 /os/kay/modules/network/ppp
parent04381c13682a9a7f1e29595bf3edf2abdc55c3b3 (diff)
chore(os/kay): refactor sops
Diffstat (limited to 'os/kay/modules/network/ppp')
-rw-r--r--os/kay/modules/network/ppp/default.nix74
-rw-r--r--os/kay/modules/network/ppp/secrets.yaml28
2 files changed, 102 insertions, 0 deletions
diff --git a/os/kay/modules/network/ppp/default.nix b/os/kay/modules/network/ppp/default.nix
new file mode 100644
index 0000000..43059b6
--- /dev/null
+++ b/os/kay/modules/network/ppp/default.nix
@@ -0,0 +1,74 @@
+{ config, pkgs, ... }:
+
+let
+ inetVlan = 1003;
+ wanInterface = "enp3s0";
+ nameServer = [
+ "1.0.0.1"
+ "1.1.1.1"
+ ];
+in
+{
+ sops.secrets = {
+ "ppp/chap-secrets".sopsFile = ./secrets.yaml;
+ "ppp/pap-secrets".sopsFile = ./secrets.yaml;
+ "ppp/username".sopsFile = ./secrets.yaml;
+ };
+
+ networking = {
+ tempAddresses = "disabled";
+ vlans.wan = {
+ id = inetVlan;
+ interface = wanInterface;
+ };
+ };
+
+ services = {
+ dnsmasq = {
+ enable = true;
+ settings = {
+ server = nameServer;
+ bind-interfaces = true;
+ };
+ };
+
+ pppd = {
+ enable = true;
+
+ config = ''
+ plugin pppoe.so
+ debug
+
+ nic-wan
+ defaultroute
+ ipv6 ::1337,
+ noauth
+
+ persist
+ lcp-echo-adaptive
+ lcp-echo-interval 1
+ lcp-echo-failure 5
+ '';
+
+ script."01-ipv6-ra" = {
+ type = "ip-up";
+ runtimeInputs = [ pkgs.procps ];
+
+ text = ''
+ sysctl net.ipv6.conf.ppp0.accept_ra=2
+ '';
+ };
+
+ peers.keralavision = {
+ enable = true;
+ autostart = true;
+ configFile = config.sops.secrets."ppp/username".path;
+ };
+
+ secret = {
+ chap = config.sops.secrets."ppp/chap-secrets".path;
+ pap = config.sops.secrets."ppp/pap-secrets".path;
+ };
+ };
+ };
+}
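Review bot: The `dnsmasq` block under `services` sets `bind-interfaces = true` but no `interface`, `listen-address` or `except-interface`, and `bind-interfaces` only changes how the sockets are bound, not which interfaces are served. Unless another module or the firewall restricts it (neither is visible in this hunk), the resolver would also answer queries arriving on `ppp0` and the `wan` VLAN. Adding `except-interface = [ "ppp0" "wan" ];` to `settings` keeps it off the uplink. Separately, `debug` in the pppd `config` makes pppd log the negotiation packets, which likely writes the account name stored in sops as `ppp/username` to the journal. Drop the option once the link is stable, or mark it with a comment such as `# debug: temporary, logs PPP negotiation including the peer name`.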
diff --git a/os/kay/modules/network/ppp/secrets.yaml b/os/kay/modules/network/ppp/secrets.yaml
new file mode 100644
index 0000000..3df903a
--- /dev/null
+++ b/os/kay/modules/network/ppp/secrets.yaml
@@ -0,0 +1,28 @@
+ppp:
+ chap-secrets: ENC[AES256_GCM,data:WAQwrIt66iL7rOPR0WQgRxTYHHjrMNXUqf/DoiE=,iv:ZOs3OQ0Lu9zr/6slG/q07jZ94VRx8XaomNFP1isHo9o=,tag:I1dzfINQvU2fiVku8IDK9A==,type:str]
+ pap-secrets: ENC[AES256_GCM,data:QWMpPeJSUd3KJa6c//3Zu3nlsnE4l0FBhEqFggw=,iv:uTziGG8dSaklA3uRn+JqfONde6oL/3q5wXS2TP2e264=,tag:R5+q4k2XAEW+8nYPMLVObg==,type:str]
+ username: ENC[AES256_GCM,data:PBZlPw8SgUfm0apbVf6GVNkn,iv:ivYn9irS7hwdvN8f3kDDGs8gGx+kWtW1YHheKgQMF2w=,tag:VPokCflGM4pDL/+VBfbTsA==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcUt4blkrZzZHMjFjT1o2
+ TDRUZ09DckRNQzhhNmgvZi9tRVQ0WUdIZXhjCmpXQ0craFRkQU5neFdnZTVmbHcx
+ STFSYk51cDVyZ3I2UmFwT1pHQnJKc2sKLS0tIFNhKzNKRzJ4OVBUVm00ZjJ5NHZi
+ RDNTZDVLM05heXh3cXdMZFF4TVhCeFEK0YogisCvzPS1KgQFGjziGFLpiqBtfIAx
+ 90qk4c/8Wmqnt2bW5GBCEl5iUHW7S7etCIZHTZp7WY6Y/y4KEQcFQA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTkt0SjA1YXd6OGx0N2Ix
+ RmZzVHNOZUZ1V0taeGk4TDFrNi96bi9CTUhzClpDcGVQTFJqZWgzUWxLTmJXd0pT
+ UGhlUTlpS1QxRmFmbTIxYzlLbGxpTWMKLS0tIHIxTHduRXNJdHpkdm1xYWZlbjZ3
+ bWdUcDlLVVljcTVoVEpaTWFIeDlUZGsKMFwWXXb0CsVdb2neSbZlPuKH4p+esW8u
+ fNzL8nrZmqqcRzncXFB0PHU4iNKhwzouHEC+6Ny4V7v5bbOSyb2jAg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:17:57Z"
+ mac: ENC[AES256_GCM,data:43K/T2qFlgHh9008KAiRoYDB9K0B+PqDQfy9pRconml37FuSQhFHowpsjGXEh/md78i6xr4B1wQal+G2BLlWNF5BEKFpZ59Bkpe3OUa/I8yTDUIHPjvoSLAMVdsRxpn3qgFUeLhEpYEycB0sYwQY3XS9Vu3cOx1T+5I9jn6K6d4=,iv:OGvhVzYUtncE1LaSDOFVLhDuD+uOKA1bgYUavgqgLf8=,tag:P9gKH394XXWggXgVBCcspg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0