gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(tf): more tailscale tags

Browse source
This commit is contained in:
arcnmx 2024-09-05 13:51:29 -07:00
parent 08cd0e2203
commit 70e3c0cab4
7 changed files with 214 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

148
nixos/secrets/tailscale.yaml Normal file
View file

@ -0,0 +1,148 @@
tailscale-key-reisen: ENC[AES256_GCM,data:+1bVMPZuIY3JvjkoW6MPetYHwEwQvnEGLuq/Z8sz8hEo2/FUnyC6cuNTONwOSslUYAQH2pzMmvlukgZjPw==,iv:uFC2ye9+VivOI0zvGpnSLut00slDhrSWesNQigY0QYw=,tag:tahk1HX2YaqY6BFOlrKohg==,type:str]
tailscale-key-gensokyo: ENC[AES256_GCM,data:x5H+5/7Q/3jnZMSyQYxbBRX1dsKnH6bfrXA/7iAH29dYhM+GJnzZGbJGSmWYxyVTBkxAEjZ52R4Jzh1MF1I=,iv:YitklVniLloLnKi74xz/zGHRO1/361zFSFOug076tE4=,tag:UcTW8mzHomxgDv6Nl23XBw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdkpHMlpmMUhJUTJwQ04v
ME9uMm5iUnZKRWg4bVh6MlpqQUdYUkZud2dNCmQ1bjlXTEcyYWJuRHNvQkNCc0du
TjY1SlpvT2NMemZLaWdiam9UN2o4RmcKLS0tIHlhcCtHZXRvOEVlaEpNUUZpZ0ZU
bysxOVlTNVFadEVKc2cranZvNFMxM2MKWniIRvlyJYE6gSs/Yl2Q86UMm7MDFZ7k
Q+W8fmAwBLhtBwB/yl1UQks/qBY3YheVVEGb7SEfyYeqS/q2nJGjSQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MFVoUHNodldFcVcxTFVi
Z005Mi9hOVA4bDVDcG5GK1VRbERzMFI5LzJRCkg3RDV2ckEyMStXUTk2MDJLck94
VG03OGllY0FOMzY0dE5IRE85Ym1yWlUKLS0tIE1KaHFiQ2pMNlBaN2FRdDNHWjc3
RVhXUlMyd0hoYTNndEtBWWxIaWsvNmMK2JUdF/eRGEmeU8nbc1xP7czUjTSAybJ/
PiIkyTbkXotczhc+syCv+m+jLXxhW1YgomNJykNCWnd3hHN7LMss0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bFovNG9OQzR1ZENPRnpX
REk0bjMyQ0pDZ3RkcHduRHhJVUxqVDFMTjAwClovMEpudzg5S3YxNzhpRk5vV0lQ
UkVET1pZbktRUU5zREtCTSttOHN6VVkKLS0tIDQ2UmZSWEtwc2VCaE5PVmh4czEw
dTB2ZktuK2RQVTRnbU55M2NKeXRUVFkK0+RnjTNJRqfjENUgZt60Lg29CP0DUp8o
GalbJhyiUL0FsO8ejP9AO7wWjCStd3Mr5YZTKC3EO3uAD76sjlL48g==
-----END AGE ENCRYPTED FILE-----
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWmNiOTRaQS96TU5oekhk
MXEvaWp4QzVWU1VsTlJhT2xKVGswODV6TXdZClpYek90N05rVlZycldWTGNGMTM0
c0NGWVY5S3ozeXBFSzFlNmI2eTVWc3cKLS0tIHBVQVhtL3k2R0xwUlVHYytDdkg4
YVU4T0NGaGdvNnVZcTNYOSt4dE5ZMncKWroS+oJ7H4dIvtkrGvWYh52gqJSLabuH
VlRK5EkWbSetPnalTw4pFQsKwzETQhBuEYID+xDxwh14f5jtw8E/oQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUHFFc3VtVWoxSVJSSVBh
Y2JlV2pVS1Jja00wOS9zcEpzNkJ3d0FYc3lJCjI3ajE2V3Voam1UdHRxZlQyYlA5
Mk0vc1lhNWtUZ2JjQ2o1UkY3b0QvbFkKLS0tIE42NHlqcEpFL09IYmkwcmJDem9p
NTV3SjdMQTY5QjB0aVdQQ2duQmNsVHcK1CItf2pHQL8EDQgb0ypc4WZup7MSOQuJ
VHbH79XWiO5/MyignAMNll5Jar7AEmqg3V7IctYYHpoPAQyeSMUnzw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVGZYZklGbjBpMDlnTUpq
UE1rNk1PeEx0UlhDRmtGeUoydHhyaU1GN2xNCkZqR2F2KysrdnRiaElpdzRxakY0
aU81andSL293VE5PcFdzNk9JRmZPZHcKLS0tIGZaeG94VTlvN0kvOUpaK1FBUzVC
R3R0ejBCOWUrSzdDT0FPekkrWjdGTGcKWbIvjJ/3hM7SQMpgo0iJqq+sjD6z8vTJ
+ZMiE1Mn5cpO3Ys8Dg7ysjMUrZ6jPBhgeteZJjcf2v8aW9JMK/Otmg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1xg6zm9t25wjakljm54m38pjdr9q53jysdcl82r5xwkrn0cgyuvvsuh63eh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZGVhVVEzeWhpU2F2ZFht
a25XbnIxK0hvWDllZDNmOXpkZk0wZXIwalgwClVPZFpmYmM5VmUvWXUzbW9MQUlK
TEkrdmZWS3h2RGtBZ2p1R2pRbTR0bmcKLS0tIGJuaWU0b2VDL0s1YUdBeWowMGd0
ZS8vakpqTk9ZbUpyeDk3ZGY4TFlGS1UKNkMGeKg4xZy1Aa9wWAm0rLr17+DMAOv7
l5Cns2IhN/iou98EyYH75DPUzFmDiMMR6VninT8kq29zHH1U4ZSbrg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRzh1NG1QVnlibjdNcUQv
enk4ZXlNbWVNZ1habjhsUWgwV201aVJFaWxRCmF1L1JrOElVZEdYU1JKYk80LzFx
NTFSSzlOQlc5TnpGaEQxQ2oxZW5uZmsKLS0tIGoyL0pWU2g3SVRVWmZPY3NBWmN2
VERMRTlhMnRBODIrSXVZTXpTWjUrc0UKU/iSLvsUZ2+Tsu2q6PHhxI6qOQVJPRc9
nqnAGAC24nQ5rinlTR+AaRraCmsp2pwWbx6gEyXQzpQFaVpu+blkJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fjcafp0j45sz03zq5srnxyq2mujndmn25vceg3wj2cgzymqm73ssmhdgku
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbE5NaDVhLzFpRHhwdkov
RmxEYjJ5QVZFc2g2MDhGRFZtVTVhWC9XUUE0CnlGZUZ3ZG52VU90MSs5NXVsandm
ZW9xSTdFM1RzZHhiRFl0SWtiTFFtRmMKLS0tIDIwd2hKeU81SExaM29PZ1BzamRC
T3FDdHpHZlJYVVdWVkVibnlla2FHZGMK0gDUbMxZLD3kdnIZtUTL5RU7Q/oyz+Dw
b6l+yOVeW4BgxiOR3sn8qf1tK908D5/0m7hynOpmEjEYpOfa1PdZDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ehdj6hghtr8sf5s5c03rru4y3a02nwrt694e36tjnd6g7eq4l43qfradn6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjV4UGNnOElCK01Sejc3
OXV5MlVWdnhxRDE2RTJXWG9XOURhRzN4eURVClJxeGxuRTJ2N2ZISEsvSEVOeVhy
Z21ZN3NIVWxPV2lUOUkvVVFsbUtqWXMKLS0tIGFmcXg3UmYwTGpVNVVQK3R1Tyt2
bjdwa1l6ZmNCTUl5M2MwaEFId0FXR0EKtFkV1iv/J/ltpJypCEOEs12CA4LxeEa5
FJfzZm68EkxmOhMJx8OaTpT5V669vG3TIbpxIQyHq7QwgN2V7RZLKg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tkkau8vk5h9dh3kemash4eghn7lk84j0hhpmvvf7j6phgcsm9vmsphv0py
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eDkrTmpJZFlDM3dZZi90
RS8raXB3OVAyTndrejJ4L3lPY3gyd2ZVVVc4ClZaa1dqcXVJMmtQMDhlbUp6dXcv
QTJRNVpuSjZTOElEMzRZVFpKS0RuKzQKLS0tIG1RTWw0Z2ZwRTFuUXkvaVMxZWVw
MzRORVZxVEk2OGxsZnpIZ3NZd2xURm8Ko3goG8Us6/vPzlwqvjGyA2nZyt9TMYn9
15j2zGPcTiOMEI7ez3SulAMC36RdyQAUKJkFoeCFvlncx+8L7qHLHg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-05T20:54:01Z"
mac: ENC[AES256_GCM,data:nSmR/TD/I0XZNDZv7Iv8PQqVtm0kSWaW+jIvlPbc+rbHJFRboiU6+G6nEsjEQ+DHIa4u3Pj4DWc9m11kkSACMzOnPY7FEur1g4rDlypHE5nFmDuaCnonz8RsPL2M0nYK9ihEWKl3m5G7w/UEV76x3nVGg4h/pxeI2Hivc+2iFrU=,iv:oZIexRyzxEkYAvUqcpESGh2IZpvksacsbAZhkt+YxHU=,tag:2uX9zSWyd8tm9PVDPebC+Q==,type:str]
pgp:
- created_at: "2024-09-05T20:14:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UARAAxUkw1znvQa/y7Ro/vcMUM86+q8BPUNNO24MpHscQwp25
VO1xP3qfZYq5HYSEHppAVucYN/54q5yp6JM7Ts4JFlKivHWrBKUlxlla7yxMv3Rr
WQLNDu6eZzSOuxuJaAvoEMXcEArsA8liJgaUHT2MKXgU+pUojt1CtEeSZ+GShCpa
rops69gmTEUX64zuH+AkQFBIda8nJn3zcFnWMFfP/A+Z13RolDurcpFpGXq/BI8F
X8GWJZJGC8Q+YJUaPqa1GUfvMMdGd9yadCdt7bA4LROlmyjCFkP9f1Jz9QUo/Hhr
H+hZ4qU0VRCREr7bfIgbbN1R4x5ps+sbpIuIW8YwDrfNDiRjUQLCDK3OuZOFXWd2
ccdlEx0Xq5L199iRtXI2TwiSjWmfUPpjXg3eREBZU4wyGQB9RuMoA1+zqgIpQ39S
ll0wEnq0TqTG2P4u1yGSsq4537pPRkZKvv2qQK0im04B+DFWW8NKamfyDqrwsTx0
JWxci6uT6Aq9NdLJR6+/RPyyEgVaZFs49zfObelJNG9mJde8xORwCUlALniTYr8/
NYFGqAFjU+GJ7r101yJrHSQ0CyM92RV8txF4MIE+oNovqTR2WeqqMLHuqrMa2cYp
/Xta4o1QqkunfvhEqVDuAkvexCXdHiwvsVZhpFpweAeV1GpFvB1sFyZEiairl8nS
XAH6QRdIusJUrPvjbrCFcGzS5JeDzdHhnGrhXLFoiAhMINWsHeJsWpzXwKKC6Ry6
4NNzkIYC2W7PrVLhINwh14rWG3n/KIvLeSll/XDVyO00HiTI6ddwaUMhYIqY
=2jPD
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-09-05T20:14:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf/VPVFngNBzP3tt/ayU4XeaBNonvLfJl5UTj5a37zlYQ0U
nIaRbVVG6w0/Og+yVclQXYqBTDHcZHQ777nSEEKv6KExKN1Nrs08Gte6ELjHNAzY
2WIiiVIHeT7/sHSyxa/7tatVYor3PEXfuB75oFQ7N5KQC/aFh6VkdFCDHJFW6mb8
q0vJZK4WHrnv2zdg2AwngVPB9gZPYgysI/8fn3I8PCnHzYtXDjcCt+0umaCuhsMp
wsIubO4BseABTtwKgeQXk9M3W0XmKu90W/xHyXmhy8aSOcTRvjQz9b2j2WejaZ/A
cjBnojJ9Hsq+9JJVOL9DDRRqY5ohvSi3E2jWXCpMftJcAb0hlevhcm7J1ve5EbXl
y2jXzMc6JoU7qDVXbD1GcDeF+/mUp2RTltGIxE0s7XcJVlYXIHmvXYXXpxfH17W6
tuMdLtAzZ/j4duNLd8NlCK+vzoFzSmIxdSs3kWM=
=pFGe
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.9.0

28
nixos/tailscale.nix
View file

@ -1,17 +1,20 @@
{
config,
systemConfig,
gensokyo-zone,
lib,
pkgs,
...
}:
let
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf mkDefault;
inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (lib.lists) elem;
inherit (lib.strings) optionalString;
inherit (lib.meta) getExe;
cfg = config.services.tailscale;
in {
options.services.tailscale = with types; {
options.services.tailscale = with lib.types; {
advertiseExitNode = mkEnableOption "exit node";
};
config = {
@ -31,9 +34,20 @@ in {
services.tailscale.enable = mkDefault true;
sops.secrets.tailscale-key = mkIf cfg.enable {
sopsFile = mkDefault ./secrets/tailscale.yaml;
};
sops.secrets.tailscale-key = let
keyReisen = "tailscale-key-reisen";
keyGenso = "tailscale-key-gensokyo";
sharedKeys = [keyReisen keyGenso];
in
mkIf cfg.enable {
key = mkMerge [
(mkIf (systemConfig.proxmox.enabled && systemConfig.proxmox.node.name == "reisen") (mkDefault keyReisen))
(mkIf (config.networking.domain == gensokyo-zone.lib.domain) (mkAlmostOptionDefault keyGenso))
];
sopsFile = mkIf (elem config.sops.secrets.tailscale-key.key sharedKeys) (
mkDefault ./secrets/tailscale.yaml
);
};
systemd.services.tailscale-autoconnect = mkIf cfg.enable rec {
description = "Automatic connection to Tailscale";

5
systems/litterbox/nixos.nix
View file

@ -8,7 +8,10 @@
nixos.syncthing-kat
];
sops.defaultSopsFile = ./secrets.yaml;
sops = {
defaultSopsFile = ./secrets.yaml;
secrets.tailscale-key.key = "tailscale-key";
};
system.stateVersion = "23.11";
}

7
systems/mediabox/secrets.yaml
View file

@ -1,4 +1,3 @@
tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str]
cloudflare_mediabox_tunnel: ENC[AES256_GCM,data:ZQ+4dpo/DaCzO+767HWzSpLRUhNhQYXF7qgYtJ+x/RKQoQpj227rwS42FJtTnGDYp1ABxuQ8tbkWu3792VTjraD4gFxQcYhpgsnbNYfSm4b/6opRZXtIO53c0K1kBz7SJB/U0OcqHwGXUhVUIoJeuJrNu8rgIU9zWujzWypI7JDWoaryHEN8tnMYOkzZ3PD5WHyDUjxmCdhM5srkon+poarCbEg2Xihc+qZ9Z3uos2wqk4ptzwmW9+e5xFijXhsrrTHm/3N+,iv:hG/Dtg6bC6nSonSYQ1P3kWARXME1W+10Pgc2AFZvWxI=,tag:u2a0s/L+5GuAAnkvMpOsnw==,type:str]
sops:
shamir_threshold: 1
@ -16,8 +15,8 @@ sops:
aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM
ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-16T19:24:33Z"
mac: ENC[AES256_GCM,data:cJy03khBCiXbZOwUM7xKnCMU9080WZ/3BZ4xlL3xAyG/1Krqnwa0dbx7OtOzRLBHV5UivB8Ba5diP4O+05II8UOKKV/bOMKQngaDZCyQ+bMBp/RB0+xCvMlLGuXC8KkHIOAYvo3QYUZ7dbPO/L1rxwZhvl5KAqqinvnZQS1OuUI=,iv:SwCpszFFiX/vvz9h23pUcPEqXJfrmvQPRKo0bbJhZh0=,tag:tpr+st4EoOpOuhWcH3OwsA==,type:str]
lastmodified: "2024-09-05T21:02:00Z"
mac: ENC[AES256_GCM,data:bmPlIrNDumamV+kgC3eI+yPPUB4QatGdu1Rf2I+h9zO3S9efe1ex1NxqCLG8R9JlHEXbJQvU9URD6Ft2/Kqdyo0YKe7gImsecrR8Uj+mJqe7gAZErgAjZRlPtdBQcYJ3A3ji3UxcfiR3DzCf6x6EgJM0f4g9e/tsTFWkymmRki4=,iv:62W+MXoN+lQQZnSy9pJ3D1G4F2UnUfcRmtR2YcUkFNk=,tag:0mNvX440xkCZ9SMvL0ucTw==,type:str]
pgp:
- created_at: "2024-01-11T22:30:58Z"
enc: |-
@ -55,4 +54,4 @@ sops:
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.0

7
systems/reimu/secrets.yaml
View file

@ -1,4 +1,3 @@
tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str]
krb5-keytab: ENC[AES256_GCM,data:3Dx4YkMFnxpg7HzylRbqe1KdfYgqBNvKYU7tb1lZQ1uwghdSn4U3ZztOE8SO5t2wGaIPHhOwv6eR0MWZnjU3vjWAPrrNlrc3mK3WLw+Gvbe/hfiLSKDvqzDcaYfBSFNvG9LFai5o8fGfPnAS/5AUY8iBY+NaPflsK+HV5MfadXg5J6EYduGSo82C6eWmLJcsBMieI3CLg/OCPI5rfo1ibbVJR2ma2EyiUl9KujqCJL3Nb5DH87YCFuiBScMkQP+GRL5Rf1p3otF14HsK9sVvJjkF7NgGvM/OUHv5u9eq7gBiWJSoGBE3Vsl5odep5x0r259nZy9oAQenhmJ9layVI40c4UI5B4m5nwKvUYeXnINX09dtBZy1+7iOBdjFwzP+cCbliW8GbtqwWDVYuuqSTosQPBtUWFBKPwn9HcSmVowN9VsuAjdOIFao6xNcTmUT4EJc4FTcbtsOXzynILYmb8n0S1nsT6h20i5hC7ltiwUOFOxOwl0Q/I1wQDFZH4HeGYNeqE/Icy2z1jnkj5g4XK+WFzNSJmdKzFE9fOnO5gwSkqoy72ohqz9giyKvEtAhBDBjuUcHnVmnNHWEGhFUCy2GP3f9KaowD6isJ9ICIa1mrHsol8agjpCvUTNLz/8LV6235vk/RZ96QoI8Hue/5M5p+0Qe8bRLfYmKQ7WPB6ywWr2NJFvgep+95XmVJvhzUXa6Zdj7RSWa+AVuK+lhWBpCO5Yo5s/3XF+1OLEGc6sErbjXOD5ofUmQYXfvh+P6IjtrUYoq96EZzQqC4pYx63q+E2zLIX3Ua6XFtoISs3qvduRVu0CROfBY3rMzbEEgwwR55fyoKomIs6ihxl1XyK0kvyRTWtQ6oky3HDmWee1AYXo598K6HeZnxDbyC/ov5sdccFgcG7aGhCn036AThJajZHHyC3Vg/47iqREpV84vqpoAj5c=,iv:xzjH/RaRSHx39TkQW3Ns7pLf6/ogeFHWqNvfkgOgsEA=,tag:IvmpHdZi04cdYFaXh3YTIg==,type:str]
sops:
shamir_threshold: 1
@ -16,8 +15,8 @@ sops:
UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X
2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-16T20:48:49Z"
mac: ENC[AES256_GCM,data:si2YKYqOtaNm1xOlcK698jeK5XWnRIFW6OTyUxv2TxlmgoqximGVl7a/dv/CePQSA1m7pPBZFCAMGV9lmMtMGMM9ipxlaFIkHDRHcBndriy+a9Cijdc/Q5OybYOh6FA+Jktqn7afuF8IrWETWK7wO1E3lg1QmNQrW04gzzwNXLU=,iv:rGNEBBuZIT4asB3JsEF0AImxjgpbhCNeRjIeB1RFpyk=,tag:eKwBpWNVXGmU63gAg+TQ3g==,type:str]
lastmodified: "2024-09-05T21:02:06Z"
mac: ENC[AES256_GCM,data:hnctaM7VRQgAPCCvQmtQLo7XbEEjNatZmGoLYB0XZFI47Fy04u3BkcThLrb+/YzRuuMBO9JcVm8I671aQGiep2XLXjNBpqk4riTDWimJcS/f708rVS7PKwWZlcLgS9hzor4KF7zz5zKBmuhUpxgCETDwWkRiSjF23DIyjI429cA=,iv:QrDy7fJZsOus86mlJJ1pVq+sEIQovFGMNkgGHnH0iUg=,tag:Q8uyts2PDTMHEhm9NHePuw==,type:str]
pgp:
- created_at: "2024-01-30T23:58:18Z"
enc: |-
@ -55,4 +54,4 @@ sops:
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1
version: 3.9.0

5
systems/sakuya/secrets.yaml
View file

@ -1,4 +1,3 @@
tailscale-key: ENC[AES256_GCM,data:MnCZvQHOE4rtQ0snTo1igA0HSP0vsa1tx2AU3mdyaoNof7L1/73fKOk7sU1pj1xPfEONt+g0vQvCuqpWdA==,iv:IbcL4oYiulQhMCdlLneC2xF5ytNvZgv/1pw1KzprOvQ=,tag:B9hK7l3mEH5VwaknchlBNQ==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -15,8 +14,8 @@ sops:
TlhHWmdGY2NNUFVTNFM0QlFnZG9kMzQKTmEA+Q18XxHwGD28kmO+M/TXw1wJLo8m
Ea8/36iM04M/ik5EH9GrWGp8ctX7Mp4p+VqDr3WNwSFZZFBp7sga+Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-05T07:37:01Z"
mac: ENC[AES256_GCM,data:2Q48p8IS8gHjzYkYahrRGwqMTRR9WbL8DykcgbLrPZYn0BaM7n6XfNKBhlM5jk9WZ1lF1KD89YNAnsY+QUUZzr9zBoX8JCWDU/YABSC2FuJKjn5wIUlGzRJJ92T/95KJVXmRiE6CzXukXWIApWagPRjF8B3UbJb9K0BmniKVmFU=,iv:7FdZaWEV/Y3seIhFguQiHlbop0etZnb/RGgvVWjm/oY=,tag:Om7nsDsyzNK+AorZYFg7mQ==,type:str]
lastmodified: "2024-09-05T21:01:52Z"
mac: ENC[AES256_GCM,data:0cBH6ZsC2UAy9S8pMnhJf199npssC39hcksvabeXEnpiHl1wIChb8O3hnuIxzS4MSwU2B0tLDmkMoXqZ1nHowlNDAjVXigGhmvkawawusREqr6aWgnZB8oGje6w2Muo/pLSRpK6qm1y64eH/C+7gqBci8qyOPK8paVbnPuLXk0k=,iv:u8KzRAOcToHg6BMjeEy0of3R8lPEkMrXTl8pc3Oap8k=,tag:UslLisTOuVt/IcNaK1qXgA==,type:str]
pgp:
- created_at: "2024-09-05T07:54:38Z"
enc: |-

36
tf/tailscale_devices.tf
View file

@ -1,8 +1,24 @@
locals {
tailscale_tag_infra = "tag:infrastructure"
tailscale_tag_genso = "tag:gensokyo"
tailscale_tag_reisen = "tag:reisen"
tailscale_tag_arc = "tag:arc"
tailscale_tag_kat = "tag:kat"
tailscale_group_admin = "autogroup:admin"
tailscale_user_arc = "arc@${var.tailscale_tailnet}"
tailscale_user_kat = "kat@${var.tailscale_tailnet}"
}
resource "tailscale_acl" "tailnet" {
acl = jsonencode({
tagOwners = {
"tag:reisen" : ["autogroup:admin"],
"tag:gensokyo" : ["autogroup:admin"],
"${local.tailscale_tag_infra}" : [local.tailscale_group_admin],
"${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
"${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc, local.tailscale_tag_kat],
"${local.tailscale_tag_arc}" : [local.tailscale_user_arc],
"${local.tailscale_tag_kat}" : [local.tailscale_user_kat],
}
acls = [
{
@ -30,7 +46,16 @@ resource "tailscale_tailnet_key" "reisen" {
ephemeral = false
preauthorized = true
description = "Reisen VM"
tags = ["tag:gensokyo", "tag:reisen"]
tags = [local.tailscale_tag_infra, local.tailscale_tag_genso, local.tailscale_tag_reisen]
depends_on = [tailscale_acl.tailnet]
}
resource "tailscale_tailnet_key" "gensokyo" {
reusable = true
ephemeral = false
preauthorized = true
description = "Reisen VM"
tags = [local.tailscale_tag_infra, local.tailscale_tag_genso]
depends_on = [tailscale_acl.tailnet]
}
@ -38,3 +63,8 @@ output "tailscale_key_reisen" {
value = tailscale_tailnet_key.reisen.key
sensitive = true
}
output "tailscale_key_gensokyo" {
value = tailscale_tailnet_key.gensokyo.key
sensitive = true
}