summaryrefslogtreecommitdiff
path: root/os/kay/modules/network
diff options
context:
space:
mode:
Diffstat (limited to 'os/kay/modules/network')
-rw-r--r--os/kay/modules/network/headscale/default.nix (renamed from os/kay/modules/network/headscale.nix)24
-rw-r--r--os/kay/modules/network/headscale/secrets.yaml33
-rw-r--r--os/kay/modules/network/hurricane/default.nix (renamed from os/kay/modules/network/hurricane.nix)6
-rw-r--r--os/kay/modules/network/hurricane/secrets.yaml28
-rw-r--r--os/kay/modules/network/ppp/default.nix (renamed from os/kay/modules/network/default.nix)12
-rw-r--r--os/kay/modules/network/ppp/secrets.yaml28
6 files changed, 113 insertions, 18 deletions
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale/default.nix
index 077aa8b..6f35c5d 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale/default.nix
@@ -97,13 +97,25 @@ in
sops.secrets = {
# server
- "headplane/cookie_secret".owner = config.services.headscale.user;
- "headplane/preauth_key".owner = config.services.headscale.user;
- "namescale/preauth_key" = { };
- "headscale/noise_private_key".owner = config.services.headscale.user;
- "headscale/derp_private_key".owner = config.services.headscale.user;
+ "headplane/cookie_secret" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ "headplane/preauth_key" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ "namescale/preauth_key".sopsFile = ./secrets.yaml;
+ "headscale/noise_private_key" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
+ "headscale/derp_private_key" = {
+ owner = config.services.headscale.user;
+ sopsFile = ./secrets.yaml;
+ };
# client
- "headscale/pre_auth_key" = { };
+ "headscale/pre_auth_key".sopsFile = ./secrets.yaml;
};
networking = {
diff --git a/os/kay/modules/network/headscale/secrets.yaml b/os/kay/modules/network/headscale/secrets.yaml
new file mode 100644
index 0000000..d45ed72
--- /dev/null
+++ b/os/kay/modules/network/headscale/secrets.yaml
@@ -0,0 +1,33 @@
+headplane:
+ cookie_secret: ENC[AES256_GCM,data:lJxNpktCyTn99/6ihN+Igz+u3V5LRvh3QxjIiwZ25bU=,iv:YppMXzI2raebGkgyGnFl7jDWtvQgyc5YRmNesby6iOE=,tag:LRWMzUiXqPA7Q1qakeABhQ==,type:str]
+ preauth_key: ENC[AES256_GCM,data:UthaalTL3pw5YLvDGU/j7FoKWstsize+Z3TQ8EGwEBS2769HaZFGwjArPM5emXEV,iv:3hbdnFUeUMoRyEC9EcoxTpK9YPI0wbPT9dP70X2bsFo=,tag:ety2kbaCU0VsJj8d6rvSSQ==,type:str]
+namescale:
+ preauth_key: ENC[AES256_GCM,data:4gLo5nknO081l4YZ8oa0/PPQNcB/Ef2hv3OgjTb90gHj6jC3pccMKxf0FBKxbQSii7GNQbSd9cYXHkHRBg==,iv:XnwajNYuBtRTyjP+QDzsjgLeq5qUM3O+PmHX4eIPWuY=,tag:Khp+LU0lovF2hF/Ak8Lpqg==,type:str]
+headscale:
+ noise_private_key: ENC[AES256_GCM,data:Hh67ck/aaWmWSPmWpWG8op8kruhVUg32TzBs6TgNZxy/FuB5CUqbWZ9C86yq9awS8fgZDFmqPtSUWQdtNP2AglC2PjVcZVlP,iv:unfxTZ5WV1a01dYZWFYGeQh4ytmruWq7Ytb0xbPERDg=,tag:qK7O4tA/Y38pwyDE4gyN/w==,type:str]
+ derp_private_key: ENC[AES256_GCM,data:H154flCLVnRv8U3hOXyaEtKPQQo4UWAiZnLZxpf99Cmppp6VEt5hXsu+PQYiUERWWjL3Bry5Az2JBBENOk75S2cXXuHzehkY,iv:ALLHs2S1xkNf/tFYCKYFLHOV9AXeCFUjgq65LoKtMqA=,tag:MDRlnksrUwWOD1KO086VgA==,type:str]
+ pre_auth_key: ENC[AES256_GCM,data:lFAVurZSbAIGLX+C/Y9IWHUdBnAK2+r8gfyptYDxxM1vUjfZLysc2Znl8J6hOTt9,iv:KnqejSz5Dso6Qt6AUEHL5WaKFkPjzfKPKcFPrQ08vak=,tag:cj20F8xBlUt+7YIH0898UQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocjExRHZxTlBLQno5d0w1
+ WjFuTnpRZjVDQTR0WnZxc1ZFVHVXZVpHVG1NCmVlbWdMS1RkeWtacE1rTTRaVE9h
+ RE1XRDhoU2JmbTJKR3RCMnMvZWZMWlkKLS0tIFIvVEtWb0F5QmRPRHNuU2xhcWdm
+ ZUpud0gveWlDNWl4andHTm85OWZuQ28KigPDOPCX3Q6LnTZAe8triJUpz0nhmJ+K
+ XD+VuUHhX/52GU7p3selEwn5O//Bc7zeneolniA79F69RDBpK4OYeA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCQmRMaGRBcmJwZVI0RWlT
+ ajl0WHZwTnBLdEcybHRHYzVjTWlkczlYVEVBCmxrQXNiM1dRSlJoRDdtVDZEZjVZ
+ WUVtZjMrbGhjdWFITElWa3VGZHpxYUUKLS0tIGJ5eUovbHE2R1JzcTRwdXBkNVM4
+ NExtOUJrT3pvTmNndUlxekVhbXAxNDAKVYgJ3XNqWyJ5XHYbNnODMUdufFTBG+xE
+ Nkks0GuJCWMyho4jkksF+mWohGJz50DAZCcve38fGcD9Zkhp1gcYgw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:24:25Z"
+ mac: ENC[AES256_GCM,data:wDNxc6cPdUOILZKJ86dYdC+YuOYpC/tkrGQkFSaC84rjhYzYm5rSkwo4NNTqZVamNC5i+8IaFiR+zq8NJM88KUoiFij7FMda6yDdexhgeBLMwCdX6nrjIFavZpJEhwxyHfjuy2mBYO4TU5xGaAgG2Dr6N0eqBNDMJoZzlKmHgo0=,iv:09nC3k+fCCxp+u8qKba3m2mX7K5izUnPcmhGpXjDr7M=,tag:fQFMRFnIIUcmWJGQEfiBzQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/network/hurricane.nix b/os/kay/modules/network/hurricane/default.nix
index e815136..63be43e 100644
--- a/os/kay/modules/network/hurricane.nix
+++ b/os/kay/modules/network/hurricane/default.nix
@@ -57,9 +57,9 @@ in
};
sops.secrets = {
- "hurricane/username" = { };
- "hurricane/update_key" = { };
- "hurricane/tunnel_id" = { };
+ "hurricane/username".sopsFile = ./secrets.yaml;
+ "hurricane/update_key".sopsFile = ./secrets.yaml;
+ "hurricane/tunnel_id".sopsFile = ./secrets.yaml;
};
systemd.services."network-route-${iface}" = {
diff --git a/os/kay/modules/network/hurricane/secrets.yaml b/os/kay/modules/network/hurricane/secrets.yaml
new file mode 100644
index 0000000..bbb0b57
--- /dev/null
+++ b/os/kay/modules/network/hurricane/secrets.yaml
@@ -0,0 +1,28 @@
+hurricane:
+ username: ENC[AES256_GCM,data:qPZB7icdzaYt,iv:EeucYLIWUOTKeWsnbzc5KrNwXj3EGAECoz5wdPrfMiY=,tag:65zQIFgUL8jNejzIGN56zQ==,type:str]
+ update_key: ENC[AES256_GCM,data:q9tzqMMT9nI69KeC9utyiRQuzPuPnwwn4pEU01QF074m+J+FP53RDQ==,iv:8ZZ0Nc/8fIQYxC51Fsz5NwEXytgMYvLoqS2uqLDP5sw=,tag:QyKcz9IgOjcvSiEP8HrROQ==,type:str]
+ tunnel_id: ENC[AES256_GCM,data:at2gf+GP,iv:ilIJ+MUXUugRGZMJjHIs/E7nt/daDBxjmCODcldkCC8=,tag:qB3xE6WP4O4aQgyb+jO5SQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1M250TTZNT0U5TE14T1Ar
+ OGF3MzZKanFWeVJ6NDVyR0ptNWdqVmFQUDMwCmhESnVwTlpSaEJSRDg4dUo3d0Jp
+ M2ZzZmlYZ3BCcWpHcXYwU1NZbXFsejAKLS0tIDd3ZkdmRTczN3V1ZFN0VXhOM0hz
+ NC9IWU80RkdrTUFGTWhjOXpwTTdzK3cKX6P58b/Zf81CkQopzQgXEH38BVJ8dm3c
+ T3il1Di+oV4da29QOdgQPLthpoa8c/6Mfw70XC1pCqJViTYGQSV/ww==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFd3dDTmFiRjkwSTNlY2lQ
+ bWpMTHpCNFhVei9EcUR1RkxteUtXdzRsMUUwCjNqYW5UdTFXdzFWMW1HL1pZL2pz
+ Q2lIbktpUGtVSStoekdrQUJkcDZGSFkKLS0tIFIwZUo1SDd5UUxvaHU5aDg2alFO
+ K1ZsMGtjb0ZJUzdRNllxc3lxRVpPb2MK7jYH9Vd/BQW6M2w4gpZ/7/Fvup2enPct
+ z8b9coCmFfYkQMOopar5Qq+1Tf+sXmt+e9T4XWdRTGer3si8/X+jmA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:19:40Z"
+ mac: ENC[AES256_GCM,data:kHw69RgfHhmMzaIUoPL0DziPOmY+7dBXWVzLO2Yo8fun7egtqPLqjmDT11BSvGO7SBBBJkzTUjoV/8kQuui2mEaNZ9Pu6yaLEuGoWU/yN8rwGyEAvMW/jsyRKI/featE1kUgmWrTrRdHw/oXCDUEABRGk51v67NwQef0nlGhjM8=,iv:GWRU/avtXRSJ3tjgt4tKH5A6srOp/N7jV0kZAC/GX8Q=,tag:2k/1UwWj56mUXMVQBBM5ng==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
diff --git a/os/kay/modules/network/default.nix b/os/kay/modules/network/ppp/default.nix
index 281751a..43059b6 100644
--- a/os/kay/modules/network/default.nix
+++ b/os/kay/modules/network/ppp/default.nix
@@ -9,16 +9,10 @@ let
];
in
{
- imports = [
- ./router.nix
- ./hurricane.nix
- ./headscale.nix
- ];
-
sops.secrets = {
- "ppp/chap-secrets" = { };
- "ppp/pap-secrets" = { };
- "ppp/username" = { };
+ "ppp/chap-secrets".sopsFile = ./secrets.yaml;
+ "ppp/pap-secrets".sopsFile = ./secrets.yaml;
+ "ppp/username".sopsFile = ./secrets.yaml;
};
networking = {
diff --git a/os/kay/modules/network/ppp/secrets.yaml b/os/kay/modules/network/ppp/secrets.yaml
new file mode 100644
index 0000000..3df903a
--- /dev/null
+++ b/os/kay/modules/network/ppp/secrets.yaml
@@ -0,0 +1,28 @@
+ppp:
+ chap-secrets: ENC[AES256_GCM,data:WAQwrIt66iL7rOPR0WQgRxTYHHjrMNXUqf/DoiE=,iv:ZOs3OQ0Lu9zr/6slG/q07jZ94VRx8XaomNFP1isHo9o=,tag:I1dzfINQvU2fiVku8IDK9A==,type:str]
+ pap-secrets: ENC[AES256_GCM,data:QWMpPeJSUd3KJa6c//3Zu3nlsnE4l0FBhEqFggw=,iv:uTziGG8dSaklA3uRn+JqfONde6oL/3q5wXS2TP2e264=,tag:R5+q4k2XAEW+8nYPMLVObg==,type:str]
+ username: ENC[AES256_GCM,data:PBZlPw8SgUfm0apbVf6GVNkn,iv:ivYn9irS7hwdvN8f3kDDGs8gGx+kWtW1YHheKgQMF2w=,tag:VPokCflGM4pDL/+VBfbTsA==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcUt4blkrZzZHMjFjT1o2
+ TDRUZ09DckRNQzhhNmgvZi9tRVQ0WUdIZXhjCmpXQ0craFRkQU5neFdnZTVmbHcx
+ STFSYk51cDVyZ3I2UmFwT1pHQnJKc2sKLS0tIFNhKzNKRzJ4OVBUVm00ZjJ5NHZi
+ RDNTZDVLM05heXh3cXdMZFF4TVhCeFEK0YogisCvzPS1KgQFGjziGFLpiqBtfIAx
+ 90qk4c/8Wmqnt2bW5GBCEl5iUHW7S7etCIZHTZp7WY6Y/y4KEQcFQA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWTkt0SjA1YXd6OGx0N2Ix
+ RmZzVHNOZUZ1V0taeGk4TDFrNi96bi9CTUhzClpDcGVQTFJqZWgzUWxLTmJXd0pT
+ UGhlUTlpS1QxRmFmbTIxYzlLbGxpTWMKLS0tIHIxTHduRXNJdHpkdm1xYWZlbjZ3
+ bWdUcDlLVVljcTVoVEpaTWFIeDlUZGsKMFwWXXb0CsVdb2neSbZlPuKH4p+esW8u
+ fNzL8nrZmqqcRzncXFB0PHU4iNKhwzouHEC+6Ny4V7v5bbOSyb2jAg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T03:17:57Z"
+ mac: ENC[AES256_GCM,data:43K/T2qFlgHh9008KAiRoYDB9K0B+PqDQfy9pRconml37FuSQhFHowpsjGXEh/md78i6xr4B1wQal+G2BLlWNF5BEKFpZ59Bkpe3OUa/I8yTDUIHPjvoSLAMVdsRxpn3qgFUeLhEpYEycB0sYwQY3XS9Vu3cOx1T+5I9jn6K6d4=,iv:OGvhVzYUtncE1LaSDOFVLhDuD+uOKA1bgYUavgqgLf8=,tag:P9gKH394XXWggXgVBCcspg==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0