Update from updated-inputs-2025-04-16-01-03

2025-04-16 03:03:08 +02:00 · 2025-04-16 03:03:08 +02:00 · 943685e6fb
commit 943685e6fb
parent e5afc5ff73 37748d6a80
8 changed files with 129 additions and 5 deletions
--- a/hosts/backup-4/configuration.nix
+++ b/hosts/backup-4/configuration.nix
@ -7,6 +7,7 @@

      ./backup.nix
      ./restic-server.nix
+      ./wg-b-palladium.nix
    ];

  profiles.clerie.mercury-vm.enable = true;
--- a/hosts/backup-4/secrets.json
+++ b/hosts/backup-4/secrets.json
@ -1,5 +1,6 @@
 {
 	"restic-server-magenta-htpasswd": "ENC[AES256_GCM,data:gfvmAd7z+jQwoYDJf/Hv2sR9ISJT+Hw4jrHmvW64PXjoETy+LjdsmqEPuRyq/YhrGA2rqW+YodPlkh/eE4crdTL2eNim+ij/OUubliUwBMyJuxsdGKuDUMc+txqN2x6Q24MnnU88P08SKpsm3jciMhz7JEg62W77jhesWlkzsuJDmg9oTlA9SeYOEac3pIKpekfRyE77GSFVUflwwCA+xvcEg5xyuRosFzBWGGEC3kDNB0licF0X6epz3HtlqhCLd/mkuEkftjpkNOFm9oJYzdwYv5PwVNg7G7JOgsUx9e5I29mwWPfhinX1yEFNwxKeB1FbUhYOKhRhdqWD6THVLkDzU0zP8vrm5FXTaxLHZr5+EpKit8/MJS5UBVvpSTDQ0cLExJyonWP2T+zr6rxKwU/q1jQRvsU6DJ7Bt8+9chrXBNOeyPM9xzWN1Zyyrntm9j5Ufj1YFwyrDT5ve2rOgNHA4KoS28+vsP1fcVO8XlLR24zFx5+/1BPG25qSECTPn6KkcL+yV+WS4oOnu4Oo0GVPEz+4SfyYIEVmaV61KC61pKa/6ACeUd6nABcDbReMqPXU7/bksM4sTDoFSmmiAycnxT4xavbaFdfbYIOXVQwYAIjaR1tAqQ6gYVCQ/LtKhIHCGCg10xRXNV3qkPqOUvJ7JnRcre+pQVDVLg==,iv:tvhvTPzhHoG4yG3C+o9s8yh4DafMpPb67nNxbUZcFxQ=,tag:8P5lYeP2EB5AfKgeeBISLg==,type:str]",
+	"wg-b-palladium": "ENC[AES256_GCM,data:XTenrGQFLDndt/XPaDGRLQthVq1UFKJ2mWK3Z+YfT54YpnWO81cslrMMtPc=,iv:tW8NHOcNj3Q26BJBIz7UPR3bmw3nrb0UkkD+gqngw/w=,tag:XDYkIqj6z2Jvhaoiqeyn0g==,type:str]",
 	"wg-monitoring": "ENC[AES256_GCM,data:lCuE2EgUo3ER9NNg1rD24Z4cZS+VZ4KmDojnfCsb/LyBsfyu6uOJ4IVtxOE=,iv:KHRP1pXYXk8Fi23cjUZVUUadu9yWoJ2ddxj2fMJJYE0=,tag:TiFlekXM7WLLHAPlmYbP8w==,type:str]",
 	"sops": {
 		"kms": null,
@ -12,8 +13,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdFREUEVzb2JFd3hSaG9y\neVA2a2Fodko0OTI4ZGM0NlZxRmNtYmFDY1hVCm9ncXdWYTJlSU1FSG1WdlNBZ3VW\nM2VtRmZiWldzalRsRWJ0UkV1L1hSMkEKLS0tIGVLQU9kQXhZbC9SUW9CS2JnWGlJ\nQ3RoeXVkRXNkUWNaZ0VQOW1hcEJnNjAKHgZ48PERJlfkkh2TyCLl52zUZY674BXW\n4zPtmhZrb4xlExetINrOd4hZtL7S7qn5GnTxhoxvCddeU+JPPsfWoQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-02-16T18:13:41Z",
-		"mac": "ENC[AES256_GCM,data:O+E3UbWbmlbpUPeSS/BFcJpWr2WEXbu0aaj9u3XUwstp4ba6e0xuVdzfbntQwbN378sDNpDMkAuxp1+R/0THBSs+nqXC9q9IgK+hfSBd7q2v4lvdhxRdM1x4wysTDJGtjFNdfz8EzqMz42Y2IWjxSozgPNpjZSIGhwMBA2TS/gU=,iv:1waH/yUGt5jGJbQlYmp5b97NGVyRykgzI2g1xX+Jo/U=,tag:4bxFxkClt3LbqCH552XePw==,type:str]",
+		"lastmodified": "2025-04-15T18:44:05Z",
+		"mac": "ENC[AES256_GCM,data:re/vIg7xa9fEBZM3xa/jZzsAutHHNgDNnHiGjXkR5W0ORYPjlBuSV5NYZTbr7y1rqWbjmPsbo1KjJgt8OF8kn1XxXaUprWYOtHh7NtyhMFUL+mgftRvdLeacZfcnTnOm95GNLR7sG1/qsMHQf+JmUU0fNEX/a/EmDXY2GTYzJ6o=,iv:9RY4yMrGxuVdfWOCL/hlZznHrfeWPEc1V5neZgS4g+Q=,tag:mfVGmPvnJa+XqmBnfIu6DA==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-05-04T12:30:52Z",
@ -22,6 +23,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.9.4"
 	}
 }
--- a/hosts/backup-4/wg-b-palladium.nix
+++ b/hosts/backup-4/wg-b-palladium.nix
@ -0,0 +1,40 @@
+{ config, ... }:
+
+{
+
+  sops = {
+    secrets.wg-b-palladium = {
+      owner = "systemd-network";
+      group = "systemd-network";
+    };
+  };
+
+  systemd.network.netdevs."10-wg-b-palladium" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg-b-palladium";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
+      ListenPort = 51844;
+    };
+    wireguardPeers = [
+      {
+        PublicKey = "YMTOhRAKWfFX1UVBoROPvgcQxTSN4tny35brAocdnwo=";
+        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
+        PersistentKeepalive = 25;
+      }
+    ];
+  };
+
+  systemd.network.networks."10-wg-b-palladium" = {
+    matchConfig.Name = "wg-b-palladium";
+    address = [
+      "fd90:37fd:ddec:d921::1/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
+  };
+
+  networking.firewall.allowedUDPPorts = [ 51844 ];
+
+}
--- a/hosts/gatekeeper/configuration.nix
+++ b/hosts/gatekeeper/configuration.nix
@ -74,7 +74,7 @@
        {
          # palladium
          allowedIPs = [ "2a01:4f8:c0c:15f1::8103/128" "10.20.30.103/32" ];
-          publicKey = "kxn69ynVyPJeShsAlVz5Xnd7U74GmCAw181b0+/qj3k=";
+          publicKey = "AetxArlP6uiPEPnrk9Yx+ofhBOgOY4NLTqcKM/EA9mk=";
        }
        #{
        #  allowedIPs = [ "2a01:4f8:c0c:15f1::8104/128" "10.20.30.104/32" ];
--- a/hosts/palladium/configuration.nix
+++ b/hosts/palladium/configuration.nix
@ -4,6 +4,8 @@
  imports =
    [
      ./hardware-configuration.nix
+
+      ./wg-b-palladium.nix
    ];

  boot.kernelParams = [ "console=ttyS0,115200n8" ];
@ -45,6 +47,18 @@
    KERNEL=="sd?[0-9]", ENV{ID_MODEL}=="ST1000DM003-1SB102", ACTION=="add", RUN+="${pkgs.hdparm}/sbin/hdparm -S 24 /dev/%k"
  '';

+  profiles.clerie.wg-clerie = {
+    enable = true;
+    ipv6s = [ "2a01:4f8:c0c:15f1::8103/128" ];
+    ipv4s = [ "10.20.30.103/32" ];
+  };
+
+  clerie.monitoring = {
+    enable = true;
+    id = "206";
+    pubkey = "2Q8mO4Y09Oi9CCfUUvWpZ8yIQezwtE94tz6ZbA0EDwE=";
+  };
+
  system.stateVersion = "25.05";

 }
--- a/hosts/palladium/secrets.json
+++ b/hosts/palladium/secrets.json
@ -0,0 +1,28 @@
+{
+	"wg-b-palladium": "ENC[AES256_GCM,data:VBDyrDYwICbiND8jfkiIr/3oDtP1X9817WhonFYXNSTPZHziEY7U886/DFc=,iv:syqo77FROChv4WKgiGWCUa2ziH2Ds14CT5vVRxGmEvQ=,tag:X2G3JUrabXYmsKPBltOafw==,type:str]",
+	"wg-clerie": "ENC[AES256_GCM,data:fLGZCRbnDrSWQ+9Q/7l3DUKOgw7blcHpd8svHMZFEKMoTfGeZCc37oKAOKU=,iv:GlPXkeVnzSzAnpdSGIydZP+hhEshJ3X/N1fhwJk5Ol4=,tag:0E9RhBPha0Gun6KUNtvYUg==,type:str]",
+	"wg-monitoring": "ENC[AES256_GCM,data:3RHk/VI8t9ba/qiWqLkwIxaOt+e0yXw7+f1qpIVdr3JE2NzkVvX6aeP3o2Q=,iv:f4VIK1oyaUilCia1EfEiL18a3zk4+7Ol4ihyhzPounw=,tag:XeTI3iL4qIPS+Z+PDJRGrA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1s3f9hxcd89dk3st2r5funjw7cjcq85nuz4gq8w0aplky9v2wqy7qwukagx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpY3p1Mi85WTNxK2U5bFVP\ncmlFRXNlK2dWMUt1eW1abzIrb0liR043VHpnClIvaHZ1VWxRSFR3ajc0MmJyMFAw\nSWdVclB2OGJqUjNXTmI4MktXVTVQbncKLS0tIFpJTTZJRmJGeE1xNFFScE81R29J\nR3MzOGY1cVhmalNEaHdyWjkyaHVRTDAKXyz/+WdHsC2AppYNf3/W1xx2Zcfg4p50\nCAamBntNMUK8zYLdhoSBT54qVYJJuYZ6eD6WOIZrdCK4HKGy0d13uw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-04-15T18:43:12Z",
+		"mac": "ENC[AES256_GCM,data:qcMFYqFrxzM8BNGuSeDZWJI/NVadvzIjGM2WF54cV5ty5O4iqb1Q0qOQBQMBVqYNO5BrQ2JeTXl2foLE1WncFY3JSg2v/Q8m1Kh1vFE2FbwYPh5bLGizI20JpBkqx0dMK8r4gvzaHwx2Cth7IWTGw/qGeO1wb4RWDh2E7xBlKRA=,iv:klutWxyHHhngjya93Sv3Tim69ozRuJdCsosMnn7pcYs=,tag:2w0okYEH8tzjJiODjxOHKw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-04-15T17:32:56Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA5OzEzXewpmPAQ//aQe91iy/RiR2PJqXhrZVyovraUmm4ivCjPSoookMCHhY\n5HGNdyzttnBjzHNqT8OFo43nu1VPlOYllgQXNbwEj7rSQN5CZQTx35Fhkc2q9q1N\ns3uI+o/RfCLiZMvr5S80lFvmw25hpopGoF0i3sHrORbh5ennzGV2Dsn2RfcQx5Ji\n11kO4QBDNs37cqZEBP4N4R5xEWFMrWPqxVrRuGZkzxR0MPLy+zCSjic0OIXWxi5G\nSTO3rPGn06s3gbMmFgAPVBMR/nyT2kPDwQFbvv7SWNqnyZ1z5S5C7eSpcEa+49IZ\ngHo3hRa0O30bvgc+yhQ9TxhyFmlgk+HWRsc7p1c7B+HK+mwxxnoixfHQLpWEwiQz\nfT32rTG/v4MqNokiyMCvUqffGwBy57YQ0Koggm8kv3GYPbCSXFuGgdxBCUufaIkj\n5n6WmMfjESOEq0+wRw1FZPp6hl1vtCpldlYqm7raOWyzncULvPKbD8AHj7g0QgP/\ndmcVV2ca1V3vklb+FsuiUOJDkGnvue+uUjQ2f/t4JqLYy1dHlfPSX3X+WEJ4U/Nw\nZtpPb7XdgbWLbcDUTpEUGMhlnrLhdjt9w8iDKjZ+kN95fFfR9J4jTyUANIHd0sW1\nuLGphdWX62nmldEIJeselBaVhwiv5qQduNCdDssgZaMlmmdvZUHiABYh8rqKByOF\nAgwDvZ9WSAhwutIBD/4kxHpGFsX6wsP5dfJHGbh6dakqXjidwgkfbgq9eWd3nM9B\nYbmUZNz4vjdWGFIg/zitxpV6SRHItPPLkF0HEqecKrwBC41iczkMTXJsCN19zCEG\nGyMFtiTgYrkLZiN3yMViKbv5sOwm+38dQCE3tL6TZl8Rqi2Wm390DQ/dFSJSdJFb\nLZmOEvUkyChFvS+C6aCIsChoPSRnoqpxzrpJLoozS3EKGb5hKa7SN7zuSyNbUJgR\n4DaruQGNbbSKmInsigqJWtlUbJsYxbOxRGojw2waMRHEvWJfIN6NdsFuCBCMqHA7\nsil+siC7BXqef7nD9UcsjVBPyl7UAtvBAvWpfA83vYwtvSCR8tBPZ7EifyOWplfS\ntdJQFDd14ZGs/kO6j9Ck5d49Y6NuPEfa+wjs8vZGBevWGiErf+RlN7yYRLmX9pr1\nR72U0jC5rhA7+X1JZHEx1DdpNfGDj8MUokXf82aTzQPpOJPPUXOnJP9a6oHFW3Uv\nWmfTSjVbw//B9i/KM5XmVNgp3TyNZmszU36d79W23tnNQhSFpLNz4E/yr+vhvoO1\neowV8gi0BYxNGnUeM+QOFxdvoW4pNyTwVGFbqrJ7xY0m2gYiRpjxf1qpAP5pzm4Z\nrc4c+en8/71oI3Pt2D1IOHMA1VoJbemCxQKjXMb45RJxtSMZTX6kUMeWgXFLvIUC\nDAM1GWv08EiACgEP/RRLSlzAyA297eWSKzDehvMeuf3XL6EgwGo3W4VUjFQLy/k7\nzgJyzmClLaWxoUnhJY26ciaUVX5xzlyamzsuOk+S/Ke/UxHctFhT4jiSfpCj7SJU\n5E+fl4Q1vaH9CwolP/TppYRHw2PrBFHw62+/5o5PzOuSnOQ9M1Yen0sEv3aK1FYb\nCH5lDD12eZ8Qn+aTQUc4DfHGYUZckKp/yWSOYA3/O80bIimSYWjq73CclNQMXeXU\nE520z43xKArHcmbSVcJhxH+tkG+BNJ16l5XQaiKK9p9LlkPyouVvSmedXLsKdt4U\njYGywDAWh39UiepzTNc8I26eM4XcbDZjfF2D9EoNttTXWaHQpIyP/DyzJwShpVGF\nj5l1FmiCXvBxUXUJHP+4ONRtnEjMTQB/6IMWQJ5etVku+8eFRAqrn5J9B5w5/qqj\nf+99lXlORQXo9RDSANinCn6l/zORCUmNqgqfjnuVgsFPJFnUycbyzFsPgZXyF83H\nc/bqAYkjqSlMWzNuhOTgHuDJzt/SPhmbJXJmBH/ZKR52lQRlYonon9+hNE6Ti1aP\nBUdxIpMl89Cj8IPyg24cWlRIRGssIR/7e2iim76lH8VY5QT0M3qUye7KOtKOiJv/\n38kIftzORJ4PQwJnSl2TFqjs/mYSHEx0xc3WednF5ZCDicMYTjkePKJRMHuT0l4B\nYc0BSK8isG7x9SUNSxXUrb26d67ABWRmik+K+B9o7HeQRbPQuPV65m+qBxVEueVu\nYTi+79/6X2pmj/54NbN6Lqaj9SPthnhyDUrduulMRQBvxC2n9gVQ/+UnxEMy\n=Sp14\n-----END PGP MESSAGE-----",
+				"fp": "0C982F87B7AFBA0F504F90A2629E741947C87928"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}
--- a/hosts/palladium/wg-b-palladium.nix
+++ b/hosts/palladium/wg-b-palladium.nix
@ -0,0 +1,38 @@
+{ config, ... }:
+
+{
+
+  sops = {
+    secrets.wg-b-palladium = {
+      owner = "systemd-network";
+      group = "systemd-network";
+    };
+  };
+
+  systemd.network.netdevs."10-wg-b-palladium" = {
+    netdevConfig = {
+      Kind = "wireguard";
+      Name = "wg-b-palladium";
+    };
+    wireguardConfig = {
+      PrivateKeyFile = config.sops.secrets.wg-b-palladium.path;
+    };
+    wireguardPeers = [
+      {
+        PublicKey = "VstE42L1SmZCIShH5sOqcpVQOV0Xb9cFgljD0lhvKFQ=";
+        AllowedIPs = [ "fd90:37fd:ddec:d921::/64" ];
+        PersistentKeepalive = 25;
+        Endpoint = "backup-4.net.clerie.de:51844";
+      }
+    ];
+  };
+
+  systemd.network.networks."10-wg-b-palladium" = {
+    matchConfig.Name = "wg-b-palladium";
+    address = [
+      "fd90:37fd:ddec:d921::2/64"
+    ];
+    linkConfig.RequiredForOnline = "no";
+  };
+
+}
--- a/pkgs/clerie-sops/clerie-sops.nix
+++ b/pkgs/clerie-sops/clerie-sops.nix
@ -11,6 +11,8 @@ pkgs.writeShellApplication {
    if GIT_ROOT=$(git rev-parse --show-toplevel); then
      REPO_ROOT="$GIT_ROOT"
    fi
-    exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
+    CONFIG_FILE="$(mktemp)"
+    clerie-sops-config "$REPO_ROOT" > "$CONFIG_FILE"
+    exec sops --config "$CONFIG_FILE" "$@"
  '';
 }