From a028f337f371ecdd37799a0f9717ea86232c9f79 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+julm-nix@sourcephile.fr>
Date: Thu, 9 Jun 2022 23:46:52 +0200
Subject: [PATCH] wireguard: use LoadCrendentialEncrypted=

---
 .gitattributes | 7 -------
 flake.nix | 5 ++++-
 hosts/oignon.nix | 1 +
 nixos/profiles/wireguard/wg-intra.nix | 5 +++--
 private/.gitattributes | 10 ++++++++++
 .../oignon/wireguard/wg-intra/privateKey.secret | Bin 0 -> 213 bytes
 private/root/oignon/credential.secret | Bin 0 -> 4134 bytes
 private/root/oignon/decrypt.sh | Bin 0 -> 278 bytes
 private/root/oignon/encrypt.sh | Bin 0 -> 328 bytes
 9 files changed, 18 insertions(+), 10 deletions(-)
 delete mode 100644 .gitattributes
 create mode 100644 private/.gitattributes
 create mode 100644 private/credentials/oignon/wireguard/wg-intra/privateKey.secret
 create mode 100644 private/root/oignon/credential.secret
 create mode 100755 private/root/oignon/decrypt.sh
 create mode 100755 private/root/oignon/encrypt.sh

diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index 4039ea8..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,7 +0,0 @@
-private/world/julm/** filter=git-crypt-julm diff=git-crypt-julm
-private/world/sevy/** filter=git-crypt-sevy diff=git-crypt-sevy
-
-private/root/oignon/** filter=git-crypt-julm diff=git-crypt-julm
-private/root/patate/** filter=git-crypt-sevy diff=git-crypt-sevy
-
-private/shared/** filter=git-crypt-shared diff=git-crypt-shared
diff --git a/flake.nix b/flake.nix
index a5f1831..90c9c03 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,7 +39,10 @@ outputs = inputs: let
 system = "x86_64-linux";
 specialArgs = {
 inherit hostName inputs;
- private = "/root/private"; # Kept out of /nix/store
+ # Encrypted using git-crypt, hence kept out of /nix/store
+ private = "/root/private";
+ # Encrypted using systemd-creds, hence can go into the /nix/store
+ credentials = private/credentials + "/${hostName}";
 };
 pkgs = import nixpkgsPath {
 inherit system;
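Review bot: In the added `credentials = private/credentials + "/${hostName}";` line, `private/credentials` is a Nix path literal resolved relative to flake.nix, not a use of the `private = "/root/private"` string defined on the line above, and a reader can easily misread it as `/root/private/credentials`, which the adjacent comment says is deliberately kept out of the store. Writing it as `credentials = ./private/credentials + "/${hostName}";` evaluates to the same path and removes the ambiguity. Since the resulting directory is copied into the world-readable /nix/store, the comment should also state what that relies on, e.g. `# Ciphertext only: decryptable solely with this host's systemd-creds key, so a store copy is acceptable`. The enclosing `let` of `outputs` continues outside the hunk.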
diff --git a/hosts/oignon.nix b/hosts/oignon.nix
index e3f0738..af2b6a7 100644
--- a/hosts/oignon.nix
+++ b/hosts/oignon.nix
@@ -53,6 +53,7 @@ users.users.julm = {
 nix = {
 extraOptions = ''
+ #secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem
 secret-key-files = ${private}/${hostName}/nix/binary-cache/priv.pem
 '';
 settings = {
diff --git a/nixos/profiles/wireguard/wg-intra.nix b/nixos/profiles/wireguard/wg-intra.nix
index 47fe251..f34e225 100644
--- a/nixos/profiles/wireguard/wg-intra.nix
+++ b/nixos/profiles/wireguard/wg-intra.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, hostName, private, ... }:
+{ pkgs, lib, config, hostName, credentials, ... }:
 let
 iface = "wg-intra";
 peers = import wg-intra/peers.nix;
@@ -10,6 +10,7 @@ options.networking.wireguard.${iface}.peers =
 enable = lib.mkEnableOption "this peer";
 });
 config = {
+systemd.services."wireguard-${iface}".serviceConfig.LoadCredentialEncrypted = "privateKey:${credentials}/wireguard/${iface}/privateKey.secret";
 networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
 (removeAttrs peers.${hostName} ["ipv4" "persistentKeepalive" "peer"])
 {
@@ -26,7 +27,7 @@ networking.wireguard.interfaces.${iface} = lib.recursiveUpdate
 (removeAttrs (lib.filterAttrs (peerName: _: config.networking.wireguard.${iface}.peers.${peerName}.enable) peers) [hostName]);
- privateKeyFile = lib.mkDefault "${private}/${hostName}/wireguard/${iface}/privateKey";
+ privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";
 # Set the MTU to a minimum
 # (IPv4 requires at least 68 but it's 1280 for IPv6).
diff --git a/private/.gitattributes b/private/.gitattributes
new file mode 100644
index 0000000..ae48278
--- /dev/null
+++ b/private/.gitattributes
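Review bot: The added `#secret-key-files = /run/credentials/nix-daemon.service/secret-key-files.pem` in `extraOptions` is commented-out configuration with no indication of whether it is a planned migration of the binary-cache signing key to a systemd credential or an abandoned attempt, so the next reader cannot tell which. Replace it with a tracked note such as `# TODO: move secret-key-files to LoadCredentialEncrypted= on nix-daemon.service, as done for wg-intra` or drop it, rather than leaving dead configuration in a string that is emitted into nix.conf as a comment. The `nix = { ... }` attribute set continues outside the hunk.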
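Review bot: `privateKeyFile = "$CREDENTIALS_DIRECTORY/privateKey";` only works if the NixOS wireguard module passes the option to a shell unquoted, inside the same `wireguard-${iface}` unit that the hunk above attaches `LoadCredentialEncrypted=` to; `$CREDENTIALS_DIRECTORY` is set per unit, so any module-generated helper unit, or a quoted or escaped use of the option, would see the literal string instead of the decrypted key. This dependency should be confirmed against the module in the nixpkgs revision pinned by the flake and recorded next to the line, e.g. `# Expanded by the shell of wireguard-${iface}; requires the LoadCredentialEncrypted= setting above`. Separately, the removed line used `lib.mkDefault`, so a host could override the key location; the replacement is an unconditional assignment and will produce a definition conflict for any host that still sets `privateKeyFile`, so keep `privateKeyFile = lib.mkDefault "$CREDENTIALS_DIRECTORY/privateKey";` unless every host has been moved to the credential. The enclosing `config = { ... }` block starts and ends outside these hunks.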
@@ -0,0 +1,10 @@
+credentials/oignon/** filter=git-crypt-julm diff=git-crypt-julm
+credentials/patate/** filter=git-crypt-sevy diff=git-crypt-sevy
+
+root/oignon/** filter=git-crypt-julm diff=git-crypt-julm
+root/patate/** filter=git-crypt-sevy diff=git-crypt-sevy
+
+shared/** filter=git-crypt-shared diff=git-crypt-shared
+
+world/julm/** filter=git-crypt-julm diff=git-crypt-julm
+world/sevy/** filter=git-crypt-sevy diff=git-crypt-sevy
diff --git a/private/credentials/oignon/wireguard/wg-intra/privateKey.secret b/private/credentials/oignon/wireguard/wg-intra/privateKey.secret
new file mode 100644
index 0000000000000000000000000000000000000000..299e0c5a84cf65779a1cc770efa6250598e1c762
GIT binary patch
literal 213
zcmV;`04o0gM@dveQdv+`0KZ*FMA$d2N~l2h>2^%x?Lz=;{i3gSz6jDqoenz<x!=YF zPhF^J>6=*^81oaYeHlv7Fm`c#IJ!Q?d|2U-8LsgM@jQbp?-g8|OF4jf6xKOq4PuQ~ z5TnKmUlpXZa)lm^pYYE;m@@;>l3{Nqy#&Imw_HbXgA%V^R>`etX4X_GNmnMI`8^0Z zrVv;?IZvUT_ar5uEYCRSUkJz8SmgI+@FBh)C{ODTQ-SzFU9k(kR@i^r7c`pPlYssF Pag-hQ;#~i3C)#11+u&m=

literal 0
HcmV?d00001
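Review bot: `credentials/oignon/**` and `root/oignon/**` are both bound to `git-crypt-julm`, and this commit adds `private/root/oignon/credential.secret` next to the systemd-creds ciphertext in `private/credentials/oignon/`; if that file is the host's systemd credential key (its name matches the one systemd-creds uses, which cannot be verified from a binary diff), then the ciphertext and the key that decrypts it travel together behind a single git-crypt key, so the systemd-creds layer adds nothing against a compromise of that key and the store copy of the ciphertext is only as protected as the repository. If carrying the host key in the repo is an accepted trade-off for re-provisioning, record it in this file, e.g. `# root/<host>/credential.secret is the systemd-creds host key: anyone holding git-crypt-<owner> can also decrypt credentials/<host>/**`; otherwise keep that key on the host only, or TPM2-bind the credentials, so the two layers stay independent. A third option is a dedicated git-crypt key for `root/<host>/**` so that the ciphertext and the host key are never unlocked by the same secret.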
diff --git a/private/root/oignon/credential.secret b/private/root/oignon/credential.secret new file mode 100644 index 0000000000000000000000000000000000000000..50ca27860d7243b7dbd94d459d77ab93e8fcf770 GIT binary patch literal 4134 zcmV+>5ZUhlM@dveQdv+`01K49!I9dbt034PVPAC)wA0amaUCuX!c~;pgYjPUy-`8? zA3(pOR5Mc~?Gcee4BTphot>ZD#wO7wZf!7vPX8EkO`P`UHU!6`$Yiu}eC$nlIoiQO zMmD9{o6Rw%+3g|O?O*LW^XM{X2q*hNjwIN6$k8{DEMwxp1UNTza-iM`ajA90E^-^> zhMO%BqQiUh%$<1KN3&1iW8c2;Mceq#oshStn&jr2s-Orkq*J7~yXKwY_zl4C1^Zf* zC@Ouco(Fdq?WHjuQrh(_lLAdr=MjrWE?82A1AGbsXIOHZ(IJ15HkPqY_{)8w#=p7C z%N2tal+BDi#MVbOVn{4Mls=dW&{o`v0b1KVoymXLIXPm2(MzoA*RCX?^AFgcsofv) za(xQF>}LBuV9-2UD5t*Lf31ZNr@+|b=7~&KRf0DcT^220YS6n7zY@8;65szR5sZ8W ze7I(z)x7KhFY;-puP!g4$~5m^KRizjvX$!EPv1NB1O8HQ>1OsZoSeFC+?4eG5}e;7 zy?by#?%;NR^`!4sOsRRs4Dd*i8SntT7q;d={%n}%9f1Zy+f*Z%b`3SuDZ$dCv7I!@ zs8&l*d>b}up$Z4`n;-tVBy6^@IKMxr*WH>V7icBLlK|Bo$mwg^LUmk=K!3?HPaqWa zGuYc-hs8j8n8g%>vY6CpN~Cjta4v}_TedHer(j-y2sBgvDRm)hCr!H+L#FOq!M-Xc z%R)~|;!%b@66S5<plvB9cI#Y<VTqK{am#ZI%TARmUcLk2NElTZomFB+#|Li?Y=<jz zMZ4sQya*|#{1OA86^JXMLuFDuseOcA$Vuh-ZpP=kgF`zyluc2ui3|f<WdyV45RCz) zDBCirw@g6+*m1d2nV5ev_6+MN?{vfraZ2jF?mjsf?V$;ii{YiDdLOna>mW<vv|ZdM zGWhU!oVaOm*RFEfK8W=Gd+G6MxS0TQGAPMa$5r1mi0wJ%8ItkH&0<?v$~&~0p<@Uy z()9<jXZ^odJO>Uo%nw!)m$$Hal`_rgwajdUbw`~dZdaL}_39k4QyHUl3+9^h1y%Ja zUH?D{2^fmZS=dTV#jQaG&=K(wq)G5bkVn`^wG@-FtPbU{&^2I{Y+#q@!VG(}cX5KH zwZmCyl!A~)#(SDSqrbv-|9~sgBWV?P-VFH&t5l0pzX}~pj6c9uuR_D4ZV4y)Zc&o% z;Ox{9lpsn7$*5nmko3W09znKfSv0;D0m5#TG)!#DXV{mFSVT&pp#63{Ca;-zw+xVm zm!k3xi>S^(*HglmKli6ttCu!dGn<ZBd`EPA_<`zh3@ww5Tr(cR3n~d_E%8DTqLF*c z?qlRcqU{-m-iONoL7)Stk;Xn96<vD4+q$mQBs@4)N%)ZRvk&G{&p?@oAjz3ZmR22w z&4u1e-5;H`NqV_M9FAbmu*aql{WLxqs`jGY^Dti6ig9O*m^iG-s-2QEZ-)T=E|GFL z7!O*#B;Hq?9VR8mc2n-v{VJP0wv$~t%^tL>kT$J()AK<69cH+5U3p!I+Q_`h>nY?6 zzwbKU3@%C{U};&kRqne&CE!ygrt3JmM-zDlxFf|gNhE-0wcybT=VOuC|E}t=k2n#g zLs}0VO|XY2`$C{mFdnY_a<||_u0}K<xNxolM)9|r;#gFnh*te$AcDc&$!PS%vvM_u zn!4jPh)by96YE3TV?KC9g?3cHR7IzAH_vxQ(0&WDxVCoBS!@69No1rHTgGOSIKVD} 
zF1?Y9zc+dqh477bQ?%6VRy#zPISb?Wxv&+C38S(U92nT?HM?j)TX)y)b^PnqqCnDI zC+|e~{i(RdfPo4&DX&41HYqPLuirgQ7ltG0US6YCU#S73C+ErCFN0I(JOxSLz_J&$ zI>C4p@+zp#HpFdqXU_2{L&j5iv|GL?iKzN$pfkUgS=}mMy@_*P?S}yIuVv=GLJ*&k zCAXjjL8RTS5|K0qW!Cdl)N0Aoc&SbNC7a{X>1@M-?dynMj9l3LNd`^WJQ$M0(K;;| z_=E;2|M7}CNzeB$HeoK5`Iz#mCu?lPY5qYt1`H))(jD-v=elXLmz8f^9A5J7{pe+h zzS}Io?b44A`Mrhb-5|yWJ6l_RP*!WsP%pY+Xm3tyiw+UEcHCqHWn`I3MA5%1G%a8h zI<PYS_Dql=E9vc_woq^|Tr(BDD&)P^Z}C~VEo)nKRs6LV83|5xl<In;zS8gDX5vG) zgC}ei(#+rC)0<BeZ-V8xljNKwYh9%?x#B;LN_SC=OAqFNM}}G(V^N)2rQ1CuH-H9y zD%+f-c4`4LYWJmdA&R_NaNv)O>J5Ok8oNz{dZ%yhtwzc5m**o7TkV`YOGY#KnvJh} zL&F~x<J1XR-n>If9hPJ_6`^DiGmu3r?>n)WykARqp=ZVq0D?d+9e3Iw!sqpws%B+7 zCd3fLSa#2@I0W79YuroTi?$^T{>Fz-cp&H9c&*P&Yh~R`QeFP&Sat5`BZl%J7Vz-@ zbpwT3TS@T)aJpHJzZ&p5Xz`Mvyx(utn1J-76vPrg_;OPPV~LWyuxa#kXm@LDZJSfj zdTt5*+{@GY|Id`;wwB0{m}6p}DZ42+)^YR^<sl1{;jbShFC8&YONO6WZvN#;B5RWZ zKS@GzRKHR4XPA18ucm+jj9zi+CbitH3|hR6_qBUAE>pUFvj#gv;z=!qnrWk`uTjyn z61*D7KVQ?SFgi$M;5}ZXcq27qM{Sg-4>LY$q?@D~%yqraScjE4wPAEwssW}JtmwZc zq{$9#jv`UB&OAWTQqGNjcBogv=6~BbaDyy(EBI%$F#sG*p~KsSbcWUA1s*KD%|W8J zNQVLSw215m_0jX+My$|kklX+g*ou#Yweb*G@&c4c0S7vk(*qle0A0aIml2I8J*$_J zmB((px%^=;Q@lHmRSYz{3ep)H%pUd{AwI<Km4A4~^HGBVKMa<n8$KqqW=vdLUlkJZ zT(jXvWdywbYQ|yn?`c<KqOwGSPg%9*a2<ffef}vVy-(iqx3ko8o34zrQEuIl?(&|Y z@uQY!SN+oIua+{3>GZukU!kZ+V2APPF~BCt`+lI|qilyt|8j7%*Qj);9Z$+~wE@5l znA9I0dZO6x7t5E*^F^cu(kV-;(`H7~OJS#YdK`*1t7kO0cd+|3l}K#>N>FKoIZ_53 zIx^PN3if#i4`AJmes%k=SdUgGSL5a4Su9T&Xf|34An$NbkD{2msKAR`fCZ@>JR~Gq zoF_!LUFYK6a`#kB6!EXQ-7)^15`xgfh91983^*FHI(6zRO>_?WUtcX0tRvn=Ov`iF zNEJDw3718mQ5<N8<{W)`dIuz27WkoKRlHmyoJdf=x8MfzqK@QKwS3bx2rX{&+%@*G z_9OC@dwLEK(Zownp_sY1W`0$~7vC=vg$Iy}ad!|w_m6!V!_;8x%5hPoT77$BLvCzG zKoiHdf~GzU3fCCu^Ia(mr#Opmi?8<YIev%h%;3g<zM0b%@_$E#YD#<Vo|Rg_gk3{z zyrdqH_K7jW00sdrvr&8ruf;~o9d(06*q8c;UJ9vOSEd9{1={d7Uz>x#ozMckCV}wF z`9S_1>vL7B^(l{0wAJ++mPonp|qB!aF{rXsnuQ!#U;e9==Vu&B3&a1iGn)KxJrI zQr!83GJAD)-b!s&n2rKcs*nZws*3uW`pP{e543a|W-wFo=p9bdk%~e5DQ_D7>X)rH 
zk%%ewrwIEkH#}k%Qj91_1Y%o&9j4#pSjj4`IP0$66G~R2s2qehN-{BYgw%RYIq4C^ zUV^2p!LaaBt?+&sl<He|beSLd{TU~aS!y6ygWqB#;{&mhDk<VQ*i`8>UM99l8)Ij( zp`y-(F*T6?*Mq*QqY$#TQK_f^8Se8L?4{Fgb)#Z;KH)rH7k}#4ZS7B?zwW8N4zj0$ z6+7~K7PHQLPD~Yrp>&(%Q`j^2q}oTZ1&jH;TnS_Su-5R;!czMRWup^^fgyRyD~l<4 z1n5gxH%Tjd4aK^)SIR}lu~}IM%ySkSkCM1Q<rQ8fohUY@ZLe}7U?y4mzIc-=z&1D; zq}psU8Ek53oUYJ{z51Cdf!MOC>nHDH@$#DpE<Y-tt1+3P7w!QrTl&FoWi6w!09z?$ zQhL~s5&o=iFs~532R*G9jXSya+f*fo{WHPpGFK$xerayc9dh`7_g_=9-VC$c^l&Bk z4-dP8z)Q}hz;cDnawS+64W<RV7$tS&3KUI$e0B?J{fh0aGV-?lHQ&)nM@`M+ySqBy zpju5VM0tRI$l7aa*vl+_cJh}oumAu_GnYCeEh!J{<iBS3#?cwnhp`;j)f0ox;4J)1 zPUE#T)>wgjaAPk6{YIUV55ukkdJac79~LxG3t2i0smu@m<W3y$t|?2#jP{N-jd;AK zc~F8kJ_wOR;Q0b`H90QfT)VPN7B=wH^ia-yf}!L6aE|Do0a=29%IY^S0+pdBqXMAl zVzc?vDh1C3rH)TaGXv{oN)HaKtSX6@{E$_9+b2-rV_DVShLi{OBkTb8z_rr<lQB6( zR1Mlfh)rx*CFT6E$Cb%U3&8V#<?-?dB9KvdFBv|qu0~J8=D~JYO&d_U9!I(q`I{A* z3K;HJ7Ty$zoZz9T57Yl#Nb$?2{f9AsnIoLSn6!@410eGOTg=vK{dS6-2A$5+P=lI` zO$9_ReV_qKo-vm3eydK;WY3$zgMDS|bo+Ff;n87>aIZdOm1I@lx6Hdc|HcYw5)>dt z=!&x+yXPwev$QVrgRuT+%UTmI>j1+r({VPxGXSwOfPphNQ>G-F`*l#vXt0H~HN4Z< zqMon-b2k$vhgz9??B1<wDctdnb-xh#PvS<aV|u)rt!#lExXjipiz&?uUOu~<;kJP{ zYeI|%solF74-Z9n!qKC7FI;Z+ftB6uC;YYPTmT=cI+K0#bf+37a-}zXXc>yznEIIz zX$qs8KxSuJ^0B%A<s=g6Ep*A>gT6Xyj-WjNKiY*Gv`K6K3Mw9XWpf%;eN~9xkE{PN zbowg)m~afylW8<bV<Ido_@3+Pc{0F0(K{T0fO*K|yqR<&9@#IU+2u%R8zXfv@&V5! z29YGIQ+SHdl~_v+&mL`HchXq5XV|^I#dTnNB6p+7bwR5(3}634al{rJu~#n_<hIhz ziB``=+c~z{mMs*?6%7^HV6zM`t-}+cZ{(ZuRc~5I1Se7rF_9IwmhkEj0X}F~7nTX* zY`H=~Luh>Cr_ULSFA_`_GFBBL-T?-*66UnVznNFV+maY8)On$+h-xkNE?11xp_Nua z*KmTy*b_1~v(!O@QyZ3Jt6hi>zA-H>nQ}e80AOD-^*YYtdk6C&DlftmLb214IuJPy ka3*iEoQeGR^gD1U^Yp+m|JR*Ttjy#1btQ_nY`96`ap1cC+W-In literal 0 HcmV?d00001 
diff --git a/private/root/oignon/decrypt.sh b/private/root/oignon/decrypt.sh new file mode 100755 index 0000000000000000000000000000000000000000..adc677f18713f17bbfda63541e3eb22e655f0ed6 GIT binary patch literal 278 zcmV+x0qOn#M@dveQdv+`0Q0OZZMM|K<>J44=yBQz>$;{$wlJQZ;p69}3WmDlMoYAe zXeAqhDA8DAe6s|*q7SYI(zoyr$M#7T2uDH*n{|)$_QVHv24M7hCj`+d|AgMXFB={T zB#of+d8&Aybl(E=zzIjX0(yBRr+gPI88AUur%*n<z}Id~Ds$N_SPzR6kR;dv{^8G( z5Y%-^w!sea$2aY!MnCGtgC4{_M5y*h8W!T)JS{8ZqPOi9Z?F}y>{3N+99L*0jHswd z(p7yfQA-9J^EB^5{eBN_vKOEG{blh=FimP;si_+xIK<SD!cYEkL-y#W6RJ#;+S%DN ccd*NjWScQC$ADbp$jU1G?3{7taumTngDAC#%K!iX literal 0 HcmV?d00001 diff --git a/private/root/oignon/encrypt.sh b/private/root/oignon/encrypt.sh new file mode 100755 index 0000000000000000000000000000000000000000..d2236d2d3956aec9ea473a3627f24f9c365bf15d GIT binary patch literal 328 zcmV-O0k{4DM@dveQdv+`02!L?T@Db>`XZ9}3qNmZFOl9`MKKvXv$#MK(fw+TUjqfS z(Mx6G!rO*5qF1|BHuJqb1T~@bH?{8+qIiA_0W(_e^<Q&@^;A&}j;^qc;OXiW*S3)O z4nT4(e);M7NYkHD(H-U)zSEpNBC_yE@>t(B`}>Gc#32#s%MZV$Fhm5FEbH*w*CSGJ zt>%>|#)BH9mlIp=<4cGMM{34wH4k!+FkjQN+#XmRAtP!tZVD@^)m`iC>x>Qh<Mjt5 zOqmoa^;ojOjN2z*Hn|%2$8p2p8>FuJv5U%0vn#7jYO*d!o9YK=7zHWPDJwz!dD<ea zzhQ@mL!(MH`a^}V1&-NvsN>f~OP)pphB*8E!Gi+Y*GqXPlZtGxbs+;;OaNVOdyBcO aV^9#ujmPseiSBL(ZI4G{Z!W{3tDKR6+Mlfe literal 0 HcmV?d00001 -- 2.47.2