authorMark Nipper <nipsy@bitgnome.net>2024-10-12 18:00:07 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-10-12 18:00:07 -0700
commita157ad4de2f8c51d49cce0a790bd081779056fa4 (patch)
treeb1f0221c98c2016521be25822b4e65557e89cd3f
parent3b639e5ccd56bfdd4936c2aef22f1b8ad0ec2999 (diff)
Add SOPS and wireless configuration for arrakis
-rw-r--r--.sops.yaml6
-rw-r--r--flake.nix2
-rw-r--r--hosts/arrakis/default.nix23
-rw-r--r--hosts/secrets/arrakis.yaml30
4 files changed, 53 insertions, 8 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 449e292..b1838e2 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -14,6 +14,7 @@
# sops updatekeys file.yaml
keys:
+ - &arrakis age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de
- &darkstar age1z6g6etwcer433v97lwjrruetdh9fswkgjh9w702wzdc2ydvy5q8ssrfy9r
- &ginaz age1900zc5caephklavvjxp0g4qqvyqlzg3sux69y9p092g3d3qck3kqz62reh
- &nipsy age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
@@ -23,6 +24,11 @@ creation_rules:
key_groups:
- age:
- *nipsy
+ - path_regex: ^hosts/secrets/arrakis.yaml$
+ key_groups:
+ - age:
+ - *arrakis
+ - *nipsy
- path_regex: ^hosts/secrets/darkstar.yaml$
key_groups:
- age:
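Review bot: The `.` in the added `path_regex` is unescaped, so it matches any character in that position rather than only the literal dot in `arrakis.yaml`. Writing it as `- path_regex: ^hosts/secrets/arrakis\.yaml$` pins the rule, and its recipient list, to that one file. The darkstar rule in the context lines has the same form and would benefit from the same escape. The rule this hunk ends on continues outside the hunk.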
diff --git a/flake.nix b/flake.nix
index cf4189a..28781de 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,7 +41,7 @@
home-manager.users.root = import ./home/root/arrakis.nix;
home-manager.users.nipsy = import ./home/nipsy/arrakis.nix;
}
- #sops-nix.nixosModules.sops
+ sops-nix.nixosModules.sops
];
};
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 3ae89c6..9be2392 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -49,19 +49,28 @@
hostId = "2ae4c89f";
hostName = "arrakis";
nftables.enable = true;
+ wireless = {
+ enable = true;
+ networks = {
+ "Crystal Palace" = {
+ pskRaw = "ext:psk_crystal_palace";
+ };
+ };
+ secretsFile = "/run/secrets/wpa_supplicant";
+ };
};
services.openssh.settings.X11Forwarding = true;
services.xserver.videoDrivers = [ "nvidia" ];
- #sops = {
- # age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- # defaultSopsFile = ../secrets/arrakis.yaml;
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../secrets/arrakis.yaml;
- # secrets = {
- # "nftables/ssh" = {};
- # };
- #};
+ secrets = {
+ "wpa_supplicant" = {};
+ };
+ };
system.stateVersion = "23.11";
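Review bot: `secretsFile = "/run/secrets/wpa_supplicant";` hard-codes the path that sops-nix derives for the `"wpa_supplicant"` secret declared lower in this hunk, so renaming the secret or moving the secrets directory would leave wpa_supplicant pointing at a missing file. Referencing the option keeps the two in step: `secretsFile = config.sops.secrets."wpa_supplicant".path;` (this assumes `config` is among the module arguments, which are outside the hunk). A comment above `pskRaw` would also help, e.g. `# ext: value is looked up in secretsFile, which must hold a psk_crystal_palace=<value> line`, because the encrypted file does not show which key name it contains.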
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml
new file mode 100644
index 0000000..54b24f5
--- /dev/null
+++ b/hosts/secrets/arrakis.yaml
@@ -0,0 +1,30 @@
+wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1mkqxkwse7hrnxtcgqe0wdzhhrxk55syx2wpcngemecz0d7hugsnqupw3de
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UjB1Tk9rajRIVFJWc2Zo
+ SHZoaFN1ZTltaTBHOHZKZTNGQzk1UnBMSTFnCisrbDZHQTBETldnYmF5aGl0bE14
+ aisxZEJYMzdYS0VoSmphT0FOeDZUb1EKLS0tIFp5L1Jjbnd3NXVwcmQ4RThtWDgv
+ ZXdGdkxHeXN2YkhyNHF4SFFWNS9NbzQKXG65eqAP0pCfXshk2gUFAfyOplcvTb6F
+ 0sboWmSBPwWi0ARKQHvOO0/Qu4AETRgUQHu/SJH0yc59mr9Nmhzwqg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1a9gp70y8576pkvklz2arz6h9ecnrjeue2vvh9mvvk92z4ymqrg4qdqm9va
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBieDFPVE11OXRSOCs0Y3Q3
+ QVBveUZNMTFmcHZWUSsxNXdLdG1KVmdYQlNnCnNlZndCekV5RmJLK0V6aDczYktG
+ TS9uWklmOFhyZy9Db0Z4ZnJEZ1liUHcKLS0tIDk1R3RuRVR3UUk0RU5yK1M1WDB2
+ ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL
+ MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-13T00:57:02Z"
+ mac: ENC[AES256_GCM,data:5TPECBIcH0HaWiidl8SKYo7ztWowRmCHKWLWS/fGY0DCf60wVMe6U+ybyWguBhHyCjchS0lpOW73Yy+VRYgUZ6amtKdM5w/iD9OEwdW6QoFbveU88Dx+pgp4OLjYHI4nJeWAs1XkGUttEd9imd57UgAn5mlnQjozhHkKD2Xjz4I=,iv:iwAVxJ92lqT6zexMRDUs4BaonuIQbDjZyRy5Fm0/E0Y=,tag:T8tUILp8u/7j5zcSFlVpYg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1