From 2b3eb84bdddbe0f5a4614734c8f7234811c29945 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Tue, 30 Jan 2024 16:17:35 -0800
Subject: [PATCH] feat(reimu): tailscale
---
 systems/reimu/nixos.nix | 3 ++
 systems/reimu/secrets.yaml | 57 ++++++++++++++++++++++++++++++++++++++
 tf/cloudflare_records.tf | 2 ++
 tf/proxmox_vms.tf | 2 +-
 4 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 systems/reimu/secrets.yaml
diff --git a/systems/reimu/nixos.nix b/systems/reimu/nixos.nix
index e4a52c37..3ceb2ada 100644
--- a/systems/reimu/nixos.nix
+++ b/systems/reimu/nixos.nix
@@ -8,6 +8,7 @@
 nixos.sops
 nixos.base
 nixos.reisen-ct
+ nixos.tailscale
 nixos.nfs
 nixos.samba
 ./nfs.nix
@@ -22,5 +23,7 @@
 DHCP = "no";
 };
 
+ sops.defaultSopsFile = ./secrets.yaml;
+
 system.stateVersion = "23.11";
 }
diff --git a/systems/reimu/secrets.yaml b/systems/reimu/secrets.yaml
new file mode 100644
index 00000000..14d9a8d6
--- /dev/null
+++ b/systems/reimu/secrets.yaml
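Review bot: `sops.defaultSopsFile = ./secrets.yaml;` in the second hunk points the host at the new secrets file, but nothing in this file declares a `sops.secrets` entry for the `tailscale-key` key that secrets.yaml carries, nor hands it to Tailscale; presumably the shared `nixos.tailscale` module added in the first hunk does both, but the host file gives no hint of that, so it is worth confirming. A one-line comment next to the assignment would save the next reader the lookup: `# secrets.yaml holds tailscale-key, consumed by the nixos.tailscale module`. The enclosing attribute set starts before the hunk.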
@@ -0,0 +1,57 @@
+tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str]
+sops:
+ shamir_threshold: 1
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZDdoM2Q0YkZhSUpoYlVm
+ ZE1SN1hKNmZjU203V1lVRFlXNVUrV2VneVNFCml1cVVSM1l0REpmaDU3bTdjNGx5
+ ZHpMMHJnZXdpbERFR0grQ3VqMERhRTQKLS0tIGFqaHhCR21VTElQYUxEcjJVMTRR
+ UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X
+ 2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-30T23:58:54Z"
+ mac: ENC[AES256_GCM,data:ih1RwcmiaD4yQnSoxo+uoJFZCEQp5xs1+O976EeLIUxkhcbpJ3//jhch591TyQbCf6IHBkjrmTbsQdEX6607n4KV6RLYW1822Fc34d76QdJMAJOxRD8oYpf9+iUN8VmfkO2PqPFvxub/iOmt38AkV+1cK+8LYaTXPT+yY6fJ2h4=,iv:Yb7MAsyH980A8hAifhzk+jtOoVsAapsH+mD1h7oWjKI=,tag:IcVWkobQWg2zwrXP7kRAyA==,type:str]
+ pgp:
+ - created_at: "2024-01-30T23:58:18Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA82M54yws73UAQ//c1co5nvsAMHPrxuPoFG/3u/xVoS0gffjC/A95a8x6yvj
+ OxyN+PpRCmLd87z0O89hB/WoXaZuzbFgMPRH7krtI/ZQcl7EVBXH8rTTh4WBrRn2
+ KH2qmGVClK4CSuNGZ0/iZXu+5RHyIbNtYJAYSD1fyIeqiw2dbMX2jr5Vw0lV49Cw
+ 9Pxwyn/zWeskdzdwFIle+GW503mlLkUKEVj4RkQ/r1u3v8rAhE3fQyZv5hOKQ8vz
+ NI4VhQg7vfAg3TkKm0pozu7iFGE7+VITfxkokBz79PVZJadSzTAAS3xSyMQvQMWC
+ qL7u6QLzzg+wqQJxcwSOw1Q3jv3GAQ10tkX9r3Dl9kHnuwUgrLu6e3ibF5OflHL3
+ +HNHA4ShC7CMdaf3SrS8kvYeMUGhErCYDiCuJh20mzA/mL9lrxKi1161u0QSbvuo
+ Ijus2I2aqPW0lBJgYNIraLO5HW9LlTDvcJJROi8UWiRXGBZaEU2d/4Lx9rXXAGFe
+ tAQ/SXpRkoM3tQx2vrXSJM4r5WCk4M9s6Idsphr9W0n/EUvvLVfbhpBWUKEXXFRl
+ RpO/qE5FyKzERTnx7/qg/2yOdM3GkUIPat0y6tn4xh5b5k9gYtfvLNf8tNqfKamw
+ 6ILJKYc1u8v4IDxsUiV/h3HkzvzXeegAoXFMOtc9+P2WAC73Ku9JfZRy2m5CqRLS
+ XgH9u7Dm0x585U4pb/hvQOxp2NeyGeYzYyxVjVl3qP5oCIEPb3vrsJK0wrhVvkmP
+ jfDL0ewfdeSUHdhFSusAhGQMKsyQbMGM0KQHSzHZSMPvIu0vrWiEs6iSOW8kAmM=
+ =8V40
+ -----END PGP MESSAGE-----
+ fp: CD8CE78CB0B3BDD4
+ - created_at: "2024-01-30T23:58:18Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA2W9MER3HLb7AQgAl1jD9pnnJ+q+BrJxtHhAP8Re1b1hqik1FyYkvOLD9YKP
+ DnPtvatbo8JAggBdqIDrTQRgwziIGsd/UlqPKIJna4yRE3sTcXt9TqF4wuvbbwr/
+ kag8usnwX0cdIqEf2JWtdxnpiB6AqfIK+ZtvJeA4+busCH6CIbLLe2j9iGKmdeiv
+ 4ikLZDblIln+M92QLP6keCc6JQpAOhd97c3bDTsZNHoqJPth+ae9dIR7Hr4pzbv8
+ atULj4r0s6sx7dliOuB84+1MjI1ltiP9aUe8oCjjbUveSLJv9c0m6YEYHuYB5FCB
+ qrB06KKq6KZYlbzC7YfPjlWJ1j0+Bc97BaKbjPhRd9JeAUxs5+OfB0O6mR+HPStV
+ 1Q4dJTZlULnnCy4evvTPMyxQbS9Yv7vru5zoknAQPoBzpq4/4/NE219a9TjVSuvP
+ crzg7HUjjKCBaun38fccfClGBRVg8LKZoSEzL+YvIA==
+ =aTkP
+ -----END PGP MESSAGE-----
+ fp: 65BD3044771CB6FB
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 77331ae2..1a2719a7 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -31,6 +31,8 @@ module "reimu_system_records" {
 name = "reimu"
 zone_id = cloudflare_zone.gensokyo-zone_zone.id
 zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
+ tailscale_v4 = "100.113.253.48"
+ tailscale_v6 = "fd7a:115c:a1e0::f1b1:fd30"
 local_v6 = "fd0a::be24:11ff:fec4:66a8"
 local_subdomains = [
 "nfs",
diff --git a/tf/proxmox_vms.tf b/tf/proxmox_vms.tf
index 0635fb42..de2a92fc 100644
--- a/tf/proxmox_vms.tf
+++ b/tf/proxmox_vms.tf
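Review bot: The two new `tailscale_v4`/`tailscale_v6` values are bare literals with nothing tying them to the node they describe; a Tailscale node keeps its tailnet addresses only while it stays registered, so if reimu is ever re-joined (for instance after the auth key added in this same commit is rotated or the device is removed from the tailnet) these public DNS records would silently point at an address that may be handed to a different device. The existing `local_v6` line follows the same hard-coded convention, so this matches the module's style, but a short provenance comment would help the next person who debugs a stale record: `# reimu's tailnet addresses; update if the node re-registers with tailscale`. If the Tailscale Terraform provider is in use, reading them from a `tailscale_device` data source instead would remove the drift entirely. The `module "reimu_system_records"` block starts before the hunk.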
@@ -77,7 +77,7 @@ resource "terraform_data" "proxmox_reimu_config" {
 provisioner "remote-exec" {
 inline = [
- "sudo /opt/infra/bin/lxc-config ${proxmox_virtual_environment_container.reimu.vm_id} unprivileged 0 features 'nesting=1,mount=nfs,mknod=1' lxc.mount.entry '/dev/net/tun dev/net/tun none bind,optional,create=file' lxc.mount.entry '/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir'",
+ "sudo /opt/infra/bin/lxc-config ${proxmox_virtual_environment_container.reimu.vm_id} unprivileged 0 features 'nesting=1,mount=nfs,mknod=1' lxc.mount.entry '/dev/net/tun dev/net/tun none bind,optional,create=file' lxc.mount.entry '/mnt/kyuuto-media mnt/kyuuto-media none bind,optional,create=dir' lxc.cgroup2.devices.allow 'c 10:200 rwm'",
 ]
 }
 }
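Review bot: The appended `lxc.cgroup2.devices.allow 'c 10:200 rwm'` is an unexplained magic device number; `10:200` is the misc major/minor of `/dev/net/tun`, which pairs with the existing `/dev/net/tun` bind mount in the same command so the container can actually open the TUN device Tailscale needs. That relationship should be recorded in the config rather than left for the reader to know, e.g. a comment above the string: `# c 10:200 = /dev/net/tun; needed with the bind mount for tailscale's TUN interface`. Since the container already runs with `unprivileged 0`, this widens device access for a privileged container, and because the bind mount uses `create=file` rather than creating the node, `rw` may be sufficient without the `m` (mknod) bit; whether the `mknod=1` feature or lxc-config requires it is not visible here, so worth confirming before tightening. The `terraform_data` resource block starts before the hunk.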