From 46d43562ad86ebcb59d38d9d50573ad45b3ba851 Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Sat, 11 Jan 2025 02:34:54 +0100
Subject: [PATCH] add wg 0xa-mgmt secrets
---
 hosts/cloud/default.nix | 1 +
 hosts/cloud/secrets.nix | 11 ++++++++++
 hosts/minime/default.nix | 1 +
 hosts/minime/secrets.nix | 11 ++++++++++
 hosts/toaster/secrets.nix | 2 +-
 secrets/cloud/secrets.yaml | 42 ++++++++++++++++++++++++++++++++++++
 secrets/minime/secrets.yaml | 42 ++++++++++++++++++++++++++++++++++++
 secrets/toaster/secrets.yaml | 6 +++---
 8 files changed, 112 insertions(+), 4 deletions(-)
 create mode 100644 hosts/cloud/secrets.nix
 create mode 100644 hosts/minime/secrets.nix
 create mode 100644 secrets/cloud/secrets.yaml
 create mode 100644 secrets/minime/secrets.yaml
diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix
index adac89e..1cb37c6 100644
--- a/hosts/cloud/default.nix
+++ b/hosts/cloud/default.nix
@@ -3,5 +3,6 @@
 ./configuration.nix
 ./hardware-configuration.nix
 ./networking.nix
+ ./secrets.nix
 ];
 }
diff --git a/hosts/cloud/secrets.nix b/hosts/cloud/secrets.nix
new file mode 100644
index 0000000..d9d5b51
--- /dev/null
+++ b/hosts/cloud/secrets.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ sops.defaultSopsFile = ../../secrets/cloud/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/0xa-mgmt" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+}
diff --git a/hosts/minime/default.nix b/hosts/minime/default.nix
index 8d6fb09..44cca38 100644
--- a/hosts/minime/default.nix
+++ b/hosts/minime/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./configuration.nix
 ./hardware-configuration.nix
+ ./secrets.nix
 ./zfs.nix
 ];
 }
diff --git a/hosts/minime/secrets.nix b/hosts/minime/secrets.nix
new file mode 100644
index 0000000..3bf2649
--- /dev/null
+++ b/hosts/minime/secrets.nix
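Review bot: hosts/cloud/secrets.nix is repeated verbatim in hosts/minime/secrets.nix later in this patch, differing only in `sops.defaultSopsFile`, and hosts/toaster/secrets.nix carries the same `"wg/0xa-mgmt"` owner stanza, so the access policy for this key is now maintained in three places. A shared module that sets `sops.age.sshKeyPaths` and the `"wg/0xa-mgmt"` owner, with each host supplying only its own `sops.defaultSopsFile`, would keep the three from drifting apart. The stanza would also benefit from a comment such as `# WireGuard private key for 0xa-mgmt, read by systemd-networkd` (inferred from the `wg/` prefix and the owner; the consumer is not in this diff) and from writing `mode = "0400";` explicitly rather than relying on the sops-nix default.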
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ sops.defaultSopsFile = ../../secrets/minime/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/0xa-mgmt" = {
+ owner = config.users.users.systemd-network.name;
+ };
+ };
+}
diff --git a/hosts/toaster/secrets.nix b/hosts/toaster/secrets.nix
index 4cf23d7..f60c734 100644
--- a/hosts/toaster/secrets.nix
+++ b/hosts/toaster/secrets.nix
@@ -13,7 +13,7 @@
 "wg/mullvad" = {
 owner = config.users.users.systemd-network.name;
 };
- "wg/oxalab" = {
+ "wg/0xa-mgmt" = {
 owner = config.users.users.systemd-network.name;
 };
 };
diff --git a/secrets/cloud/secrets.yaml b/secrets/cloud/secrets.yaml
new file mode 100644
index 0000000..6c197d9
--- /dev/null
+++ b/secrets/cloud/secrets.yaml
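Review bot: Renaming `"wg/oxalab"` to `"wg/0xa-mgmt"` in hosts/toaster/secrets.nix changes both the attribute name and the path of the decrypted file, yet the diffstat lists no other file under hosts/toaster, so anything that still refers to the old name is not updated by this commit. A reference through `config.sops.secrets."wg/oxalab".path` would fail at evaluation, but a path written out as a string would only fail when the interface is brought up, so it is worth confirming every consumer was switched. The replaced ciphertext in secrets/toaster/secrets.yaml cannot show whether the key itself was rotated or only renamed; the commit message should say which. The enclosing `sops.secrets` set begins above this hunk.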
@@ -0,0 +1,42 @@ +wg: + 0xa-mgmt: ENC[AES256_GCM,data:Xbeo+c8F+0JcTEE/LICWH4tEiqyGwCJ7JJZhkWxNFgKC9hVD6t3sPDWcJ2U=,iv:B0cbrPHdr+eA6FebKL/UrJpE06yOi+nUeyZ7x+Y65go=,tag:yTgVkzSKVhYyNPauVdNZxg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1j3xpuuqaph5z885er90mftfsu6g3hw4q469k37a3veqktwntzdpqgue4z5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPTStCSnBiakNsbHFmaEFU + dEJYVjdMZ0NlSkcvQWNha2VPLzdjYmxETG13CitSUis4U0h2eWNnRGJBWlJkZkVm + OUJLdWI3K0txNFJHSER1NjZDdFQ4L0EKLS0tIEtmMytkeFRmeWtKd0RCaEprREVy + aC9tSTVrY0RFcys0LzZONXhhczNjckEK+3E6zeUkyikrZUD8WFkwWgldVfOez51y + EgDsxxynkRx7nX8ASne7pdP6e26hooVsrS2oWW45JXpuKkn0ELv7Xg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-11T01:27:03Z" + mac: ENC[AES256_GCM,data:Uhi21S5zPjX4+qUR/2hgWj+07TsKKFhNh4fcFBL+EObZAxh02Wry1ktGnXafEhp8xVSgOGxon6DMvM7iZxQXe7NPv2aC2UeOjOzPTOTqHUe810xY6R/NhVOqOTqg8IhgvLiSihUXtBLU2Mynx/mfFfXNsLCWLmGiwg9pZHub9YU=,iv:ztZ8q/woGI9ZYsPc8c0QgpFda0AC9R8vHOtxc2i7Hmk=,tag:1f7AHxKKuPTuhiM5cfjClQ==,type:str] + pgp: + - created_at: "2025-01-11T01:25:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7zUOKwzpAE7AQ/9Ew7Ubwz4AQ4S/a3fD6jscD3bDFgTM7UbaIyIb9iNf4MI + j1IJtNVEVbLf7gg/CVeRZaD1OzRB8LYWkkVwco7JPsSygtRA4ntVBUTpZfpCKD5R + Z2CvamM1Lzkap4Yk1oYWAbOtKp/8mZsjlKv9+Xaf/XuHXg06ZumThtQBxGBVOMSX + v+ClGxUY7nYSOf+jrqcfyq/zCCyD19AmMw/DfpqJ9w4x6mQ2T4yiQz+FugXDVqHI + LCaiyCvg96Jk/5zega0ePtXOKFaBPgSi+0sWuvoLIbCTbLJKGOliWfyQhMLit/XB + BjV7McHIgNpwQ9E+TX20GEVCukQDmL8LiB5DVPaOxiFzT7ZVWUU60BrM04RBZA5f + DYm9a9njaZ76L67VGyS1WiHmfKMIYWQanLattsMpBs3kH6YoRVLDEN44LXVHq3gJ + gcQj6piT+GyKdrmCP0J5KznvK7UGUF1L/blEZMl4x47K2La+ehlBT7V1AAMf0Pjp + VlstcqFVJAaYl/Y/+jiHvgTgazSuWQWlhjfjMn/gbvEKfnVf154AHGbM6xsytTya + hgBgrU+Dtow0IIgcHEofDuAYgQG33w/WQwOG3aeCIG3gRr5nt8rfEd8kYxaRgsLN + PzCIB2h7Nz4BVoPxIYqajA4D0XYRtZt0/akqXk+sbEwdY92Qrt9nJ5pBUMTpYSHS + XAGflfE1sdOQvDiKsftF+3V1MBzrm3qhoz9XIP/X0x1CktgJHK41lz7nEzXWu5Fg + 
G+OhkAN27nNOgyaHq5AGVkE+XpsXqUNzV/gH/cmyqd2MJ2KCzb5+MqGPNsv6 + =x2MX + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/secrets/minime/secrets.yaml b/secrets/minime/secrets.yaml new file mode 100644 index 0000000..93275ec --- /dev/null +++ b/secrets/minime/secrets.yaml 
@@ -0,0 +1,42 @@ +wg: + 0xa-mgmt: ENC[AES256_GCM,data:ki7/S+BA3vXtv9FcHcfLvcLW7Gm8/88RiIeHUryrJHdRo3MeGAa/sFGSPp8=,iv:bsfjP2Le69u4MMA3ZzWJL0chmg9OD0hjSLRgdse1aJo=,tag:l6NNLzdpaKeX1/R52phaGw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1chq5k0t38882rtyljez8cwmvtcstu4tafzvveuhjrujvsqk72f9s9guc06 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKUTdwRzk4anJPTTMvOFk3 + MXBTQTdLTTVXcklPL1VHeERrTTZTQUVNeTB3ClFWWmt1dy84VUhaSWlOcnBDZ1VU + STNKbVZTRVcrWC94WWtrV0ppL2ZDSVkKLS0tIDRxT0twSHUxN1dvcUJPb1F2aXBv + Y1hHaWlQVzdnbjlHeEgxTjdMNkpSM2sK41qX3+ggD5PSm4lR8kka3roYmiLco/55 + HIHxHZhw1K+FaHGy2DxeGmXi8gnVSA5oyihqvAn7PDPi/L3sB0dLuQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-11T01:29:33Z" + mac: ENC[AES256_GCM,data:h7PY7X5uIykwnnocTU/cUQrZB0cRUgjY0cG6XeQelwZXPcPUDalptT0uim/E9xs9cUV2OepMYu+Wf1+YoRNHjsl5GZ6SgY8KxlJM6P37VY5h0L5a6HXTIJnr1Z5KeMZgh0c8kXBQNsn0YTWGI0OcFlpLlWsDNtJlupqlVbK82qo=,iv:P8TDZOJnVNK7ETD1pbJMrtGnDfSH52o9/dUVRIV/Yzc=,tag:lGD0h7am7rumn3PvRoWhdA==,type:str] + pgp: + - created_at: "2025-01-11T01:27:13Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7zUOKwzpAE7AQ/8CuvFPV+eO0SG3zNZLsy/DNeqLDnMRJen/qOwXspjCSzI + mwl3Npdp1d9sX1MJYUvMZDby/EArrIs2MSkk9iAKLPTHf14ZxJfYTYbhRUn/SNuK + JJBj/hEL4GoOFNkEjUC53ywSpplP6TO+q7k48kYzPXuCA2EMBz2MHRbeiTdztRJv + r1dhpwNGwvcAWNLbEeqOgceYpQ6F3ou+FDI8W7873LMoUAXinN6I3f7XKP8ew/N4 + 8OOgvhfZOQqAaTqAaaz3ILQzrMTUzPM7cvYbtYL87OKYeezxgOmZhBmg6d62q4fD + lTc28GpMx0Xxycir8CImpcHL43J8b3WuYehk934tInaWH68TxvRAgvS9ZuMa1KhX + cVFFCwZAxnJZF0gbcE9OZCgI2VSH8u7Iys8mPwsEvUJtbDN4Qb+TpBaD+xxg6xBk + HGqxDeT9Lybzsn2wTxjUUfiwFZyDeYRlcU+UyGJzLQcPNvSaHWcwWKfRtBE4VNE0 + 8jwopfWE7pVYvABXC8hGLhYKT8OwIPzRWuXoDhw61XiMDnkN71afZLbpExi77lE6 + 39Wizb3KhRLbPdwPquwS2QLNIY/3gjGW1Ml4Hy0WC6S4MeCo9gOsdLJ+j7GeEA9Z + wtiy5LPHhYZuw81gzmDWsBvLAsPEWLHBdHsSZucaOPozMeS2VCglL6EH6liECkXS + XgGPtg8IY+YtmkX9maGKOz+GUsEVaQV7RhQfPxJSZrEyRb2SwEKHmuBROQFXgNdd + 
obcZeQQWizccZZO00ojD8K38MFf4m9WKePcNoV5iMvDzq2xISgFe8LW2osTf2BI= + =QTzx + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/secrets/toaster/secrets.yaml b/secrets/toaster/secrets.yaml index 01670ae..34ad250 100644 --- a/secrets/toaster/secrets.yaml +++ b/secrets/toaster/secrets.yaml @@ -1,7 +1,7 @@ wg: mullvad: ENC[AES256_GCM,data:P9acMXooRll8i81RIBVb0OxFdzx2WsGgVKqX+BoV7cvPGWJK5FRIF8KAcqg=,iv:kq+3guPx2+reDqmfHuhWEvUsKNynG+t7LYRNp5kFLoQ=,tag:Aj0P7IrrTdRK59aBMjPx5Q==,type:str] zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str] - oxalab: ENC[AES256_GCM,data:YRN3fSzukqgDK3Bf5O7I8U3QmJAINCsjSseOZfzM/4xGXfGbBNeH3UmD0PI=,iv:U3kXH1HdT4OWcFZ+40a5W+jQ1hdS4UYYXxxyy+SqHEU=,tag:w65VyfylSKnM7c50BRCVgQ==,type:str] + 0xa-mgmt: ENC[AES256_GCM,data:THKgWJs4bxNYwnl1FQzXSC0xIuv1r0jSByQgwoKau34sddgTzztRHbSztGs=,iv:wn08l8hlSORlyD8XpF6pk6F3HTsT345xp8XxkJVUKcY=,tag:oP+5+cunkQ5KVf6PB5Rirw==,type:str] dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str] mail: oxapentane.com: ENC[AES256_GCM,data:HW1xcclr5CiUFVF8As79ZZH1c14sl4T0l18=,iv:leAVYaQkMuJewkCZc3fTUUNzZ9BDjV5CuT84bzvhrrs=,tag:Mm8OB8gLbmUwKSLugTR6GA==,type:str] 
@@ -23,8 +23,8 @@ sops: bDRBWjJJSDl3bDkxenR1S2NMZW91dW8Kzhc/6HeEJfLGDaKdRSbpaMdR7XaBxdQI jnAySJCGsXxCPebRtCIdDnoLjdqdzEggEhRh27JOpeOiEukLmakPMA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-03T16:03:33Z" - mac: ENC[AES256_GCM,data:+Dxu5qh09OJ9KDnzl4IkX4ZjB0wkn6o2tzV+OsvKwOH1p51ezWxf7LIpjLumk9tbNm+0gRD/ZPlufxIA+jHydWxBty/JvnjZjYaaaBh2LeUpqM24PnRn9jReSVki5yRGoonXxZ7OjUpgX26wKSff7iQh2DjMVGdL6E4OhBJL6iM=,iv:kUDVXycpcyfiPgMe9u1KCrxIvUEEtIZr/z6h5rdCY4c=,tag:xTsdPaxtlIVUrHjcU2uerg==,type:str] + lastmodified: "2025-01-11T01:25:11Z" + mac: ENC[AES256_GCM,data:Y11oSAhVwjYkuONxlWFKRTswaCMsj6/61HQgEZ9tKOxHK0mfx6CiJGqNKud7XDAebmqB3uIYNJ8zYKvM2D0+vLBp5Kk+bQX0tNXf1HXVJPYzE1GA+Wg5ZKYM5HZ339XiEEBZEbTU+ptMw2YO9mhDxYA6UnPPQ2IHNPgB/yrgfxM=,iv:iHERfH1sf35DgFYr6FkwxRxnF+qppWOqw1XJ/rJi3DU=,tag:L09jwVXKzSnACp2TSpEV2w==,type:str] pgp: - created_at: "2025-01-02T22:57:16Z" enc: |-