router: add ppp-secrets

2022-07-23 16:46:03 +02:00 · 2022-07-23 16:46:03 +02:00 · 7f6c224c23
commit 7f6c224c23
parent d2474d943f
5 changed files with 66 additions and 12 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,10 +1,18 @@
 keys:
  - &admin_clerie DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
  - &admin_n0emis 6E10217E3187069E057DF5ABE0262A773B824745
+  - &host_router age1ghrvqrw92y355qw2m48jxvlu34pxf9c68nkus9lspfm05nes63gqmh5av5
  - &host_nerd age1x69924s94z4k7s50utyuqrwshpt8p8yzwaxny2gle7yeyg4w3spqml95mu
  - &host_yate age10pxa70g3ekxdrk788l52s93a6ftavdw3r8x6d23gmsluudmwq3asmu6ah9
  - &host_yate_dialup age14zsha5c5238v6hzchdfkjgjjwzc2qc79tl0ngmqrdquck5f945zs35vps4
 creation_rules:
+  - path_regex: hosts/router/.*
+    key_groups:
+    - pgp:
+      - *admin_clerie
+      - *admin_n0emis
+      age:
+      - *host_router
  - path_regex: hosts/nerd/.*
    key_groups:
    - pgp:
--- a/hosts/router/101-net-uplink-a.nix
+++ b/hosts/router/101-net-uplink-a.nix
@ -6,15 +6,10 @@
    interface = "ens18";
  };

-  networking.vlans."net-uplink-a.7" = {
-    id = 7;
-    interface = "net-uplink-a";
-  };
-
  services.pppd = {
    peers.uplink-a = {
      config = ''
-        plugin rp-pppoe.so net-uplink-a.7
+        plugin rp-pppoe.so net-uplink-a
        user "002742928961551138009163#0001@t-online.de"
        ifname ppp-uplink-a
        persist
--- a/hosts/router/102-net-uplink-b.nix
+++ b/hosts/router/102-net-uplink-b.nix
@ -6,15 +6,10 @@
    interface = "ens18";
  };

-  networking.vlans."net-uplink-b.7" = {
-    id = 7;
-    interface = "net-uplink-b";
-  };
-
  services.pppd = {
    peers.uplink-b = {
      config = ''
-        plugin rp-pppoe.so net-uplink-b.7
+        plugin rp-pppoe.so net-uplink-b
        user "002269158219551138009162#0001@t-online.de"
        ifname ppp-uplink-b
        persist
--- a/hosts/router/ppp.nix
+++ b/hosts/router/ppp.nix
@ -1,6 +1,10 @@
 { config, pkgs, ... }:

 {
+  sops.secrets.ppp_secrets = {
+    path = "/etc/ppp/pap-secrets";
+    mode = "0440";
+  };
  # Setting default routes based on interfaces in different tables
  environment.etc."ppp/ip-up" = {
    text = ''
--- a/hosts/router/secrets.yaml
+++ b/hosts/router/secrets.yaml
@ -0,0 +1,52 @@
+ppp_secrets: ENC[AES256_GCM,data:FQQdo1xFu+pW4wshQBVEBFqyhyTpprVZ9QAeasht1p82x5cODiGqnRNxNohnVVVxJmOtcuwIh1vN6dSEN8ju1XyuUn7suURnZ4og4Fk5yqHMFlBptAdViYLONV6dngGskIGug60Kyy8ysgBJSoq3LKy0plivSQ==,iv:RM+aYOP7zVO62h28EQHgvIEw96d7BNK5W0ut2TCfe4g=,tag:ZDAazjUtll+mEDWK8vlyGQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ghrvqrw92y355qw2m48jxvlu34pxf9c68nkus9lspfm05nes63gqmh5av5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibE1jbGFjZUdBZjNZY0h4
+            RkdCTElUS0xtMzQ5WHNScDR0dnBZRzBHanlVCi8vTE52Y0V2QW1SbUR0OFNwc0Rt
+            UVU5bWxKc0U3OEloOXFnYldvUjVOSW8KLS0tIDcyeHFWR2d3Q3V0U013QzdvODJi
+            WmdZQ2h3Qi9LWXhBbTNxSlkxaFlBSDgKPSe9TF+kKct2YYL0mmGYK5pAfGpeobUI
+            SsQPevDyZG8qTiBDnzw9uFfCJO9XSwaWms2hfEtNNFMFmgdBdbBrMQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-23T14:37:21Z"
+    mac: ENC[AES256_GCM,data:TRGnDcBjfuKa/VyiWJiYB9FVtztUeJAHwSrZHmK3+9Y9Ae6Q+JNUiep+tUY2c5yhTyD8IJ/0IZ/ad+lKi+W5gfPOnmpSGEhqckc8CwM2dAHN5+jFIdu8RYGIxwpevn38ZjNmRFII/FGc08JMtiGTIvDL6WPe0+KdKxnMCn1ps3k=,iv:FFh5Vw8vAl2vwcMGTM/gCKmief8J9C4RlLr4g4aNs2s=,tag:iEdFCwQDWbfDeRKs3nrFOQ==,type:str]
+    pgp:
+        - created_at: "2022-07-23T14:30:56Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6BIUohpxMXcAQ/9Hl6jRICaP6tNYoAc2STPLgv0s0KL24ef5VtwZb56pAkL
+            p8Rd76UhFSaw5VgEaDpJV/FEtOL7Pc6BO6LkqUZcdINVj53IIBazt2zf6GEcFcL7
+            vu+CahApzlotMC9X3IMoo4zmii9DXoJ+xekqA/WWc0cB6w8IS7xcTjYVid/4JlPh
+            L80gC/+o7fDeDYaNAQKvDq6vhvqkeC6KxogdKlVV6BKragS8GRfhJuTQrT7DLH5+
+            QJhKf0BNVNBvbR+KbDSvih8o9Duv55OTrnN2UiOefHJe/nRK2zy7CPeLmkGG6Ifa
+            spRdq2kyJ/E9wzfsmnTtfP6YSGb0y5MLzG9Y5QhwZjzLfR9MOvZMtBJVTG/4wXqL
+            sJGF2FstSmPaFdFdDnbHOt4vnamHnO1VtYkSuHJZKHPW7gCJvelspHCevl14C2Hs
+            VZCYfWck3wwXtVDyoV/7s3QFyoXdtq5sqksJ3LHZmXR1czB6WpZ2ITdwWTR5IxO1
+            QBBeYjnlec4bHVz9wDx46lNvzK+oUam4tWuB1puderzSFkTcM9VTGhrwqJ2gGiD0
+            nWMjsNW0PtwfmKTO33BPIqwcqxRBlzPoDG2XBVk/+Vp1gwlGJ+VhhRoShMxi72S3
+            CHEHxJLybMGzhJFFe4GwEf1qicj52OiuwrBoYAZKDzwH0rApjLQZwQVGzzDPwhHS
+            XgG70cfHZA9iUVTQ3RH5YLWqYMTj8vsCtAczZoMADdDboZZ3XoKJZzP9mneus2a+
+            5wHBf12QzICj2bdawGeUtwmJ7AdKVOz9orpScPvv0q7wuHt2VTUr/EHwjZuX+ZU=
+            =tuD3
+            -----END PGP MESSAGE-----
+          fp: DD2D88B9FCB74C81E6F63AAD5B5D448C88684BC3
+        - created_at: "2022-07-23T14:30:56Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hE4D6iFd6webPCUSAQdAVZFfxX2qwqqOTdVKP3Gwgr9hGjsMw9LjuOke+MQIzU0g
+            V4ZfuxxGV5jur+KQgzyinpS7OsGlE6+VTHdKzvk0zI3SXgHZlR2Scbu1GayIBd1D
+            Gjw2TzhA5Oglwi0sp19JJscY0YEAiKEN35EefAhIY6ZDPg/rRogY3nMSNcrjMNgW
+            yHe/WT5QsAP97rqDls7dnXmN2nfQtw151T9f1/+hC28=
+            =l5ht
+            -----END PGP MESSAGE-----
+          fp: 6E10217E3187069E057DF5ABE0262A773B824745
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1