From 5dbd3988a12af6bed3ce3d284c4d9208bc9196ef Mon Sep 17 00:00:00 2001
From: Grisha Shipunov
Date: Fri, 13 Jun 2025 00:58:20 +0200
Subject: [PATCH] setup 0xa-proxy
---
 .sops.yaml | 7 +++++++
 hosts/stream/default.nix | 17 +++++++++--------
 hosts/stream/secrets.yaml | 38 ++++++++++++++++++++++++++++++++++++++
 modules/wg/proxy.nix | 8 ++++++++
 4 files changed, 62 insertions(+), 8 deletions(-)
 create mode 100644 hosts/stream/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index dd882ca..649c351 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -11,6 +11,7 @@ keys:
   - &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
   - &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
   - &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
+  - &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
 creation_rules:
   - path_regex: hosts/toaster/[^/]+\.yaml$
     key_groups:
@@ -66,3 +67,9 @@ creation_rules:
           - *admin_oxa
         age:
           - *conduwuit
+  - path_regex: hosts/stream/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+          - *admin_oxa
+        age:
+          - *stream
diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix
index 8a382f7..68be56f 100644
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@@ -5,14 +5,15 @@ in {
   imports = [ ];
-  # sops.defaultSopsFile = ./secrets.yaml;
-  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  #
-  # sops.secrets = {
-  #   "wg/0xa-proxy" = {
-  #     owner = config.users.users.systemd-network.name;
-  #   };
-  # };
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets = {
+    "wg/0xa-proxy" = {
+      owner = config.users.users.systemd-network.name;
+    };
+  };
   microvm = {
     hypervisor = "qemu";
diff --git a/hosts/stream/secrets.yaml b/hosts/stream/secrets.yaml
new file mode 100644
index 0000000..a75b120
--- /dev/null
+++ b/hosts/stream/secrets.yaml
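Review bot: In hosts/stream/default.nix, `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` ties decryption of secrets.yaml to the host's SSH key, and the context lines show this host is a microvm (`hypervisor = "qemu";`); unless /etc/ssh lives on persistent storage that key is regenerated on rebuild, the `&stream` age recipient added in .sops.yaml stops matching, and the unit silently loses access to `wg/0xa-proxy`. I would record that dependency next to the setting: `# age identity is derived from the persisted SSH host key; if it is rotated, update the stream recipient in .sops.yaml and run sops updatekeys`. Making the secret owned by `systemd-network` is the right shape only if the WireGuard netdev is created by systemd-networkd, which nothing in this hunk shows. The enclosing attribute set starts before the hunk.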
@@ -0,0 +1,38 @@
+wg:
+  0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
+sops:
+  age:
+    - recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
+        QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
+        S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
+        K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
+        WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-06-12T22:54:11Z"
+  mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
+  pgp:
+    - created_at: "2025-06-12T22:51:49Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
+        th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
+        HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
+        vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
+        WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
+        uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
+        DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
+        bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
+        lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
+        A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
+        GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
+        XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
+        ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
+        =fEVm
+        -----END PGP MESSAGE-----
+      fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
+  unencrypted_suffix: _unencrypted
+  version: 3.10.2
diff --git a/modules/wg/proxy.nix b/modules/wg/proxy.nix
index 3b92b8d..7427829 100644
--- a/modules/wg/proxy.nix
+++ b/modules/wg/proxy.nix
@@ -71,6 +71,14 @@
       publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
       privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
     };
+    "stream" = {
+      address = [
+        "10.89.88.17/24"
+        "fd31:185d:722f::17/48"
+      ];
+      publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
+      privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
+    };
   };
 }
 ];
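Review bot: The new `"stream"` entry in modules/wg/proxy.nix repeats `privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;` verbatim from the entry above it, so every host entry in this set carries the same secret path and a later rename of the secret has to be made in each one; supplying that value once where the set is consumed would leave only `address` and `publicKey` per host. The IPv6 address is written as `"fd31:185d:722f::17/48"` next to an IPv4 `"10.89.88.17/24"`; a /48 on an interface address puts the whole ULA block on-link, which is worth checking against the prefixes the other entries use, as those lines are outside the hunk. The entry also silently relies on the selecting host declaring `sops.secrets."wg/0xa-proxy"` (which hosts/stream/default.nix does in this commit); a comment on the set such as `# privateKeyFile names a secret that each host listed here must declare under sops.secrets` would make that coupling explicit. The enclosing attribute set and the surrounding module start before the hunk.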