diff --git a/nixos/secrets/tailscale.yaml b/nixos/secrets/tailscale.yaml
new file mode 100644
index 00000000..32709437
--- /dev/null
+++ b/nixos/secrets/tailscale.yaml
@@ -0,0 +1,148 @@ +tailscale-key-reisen: ENC[AES256_GCM,data:+1bVMPZuIY3JvjkoW6MPetYHwEwQvnEGLuq/Z8sz8hEo2/FUnyC6cuNTONwOSslUYAQH2pzMmvlukgZjPw==,iv:uFC2ye9+VivOI0zvGpnSLut00slDhrSWesNQigY0QYw=,tag:tahk1HX2YaqY6BFOlrKohg==,type:str] +tailscale-key-gensokyo: ENC[AES256_GCM,data:x5H+5/7Q/3jnZMSyQYxbBRX1dsKnH6bfrXA/7iAH29dYhM+GJnzZGbJGSmWYxyVTBkxAEjZ52R4Jzh1MF1I=,iv:YitklVniLloLnKi74xz/zGHRO1/361zFSFOug076tE4=,tag:UcTW8mzHomxgDv6Nl23XBw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdkpHMlpmMUhJUTJwQ04v + ME9uMm5iUnZKRWg4bVh6MlpqQUdYUkZud2dNCmQ1bjlXTEcyYWJuRHNvQkNCc0du + TjY1SlpvT2NMemZLaWdiam9UN2o4RmcKLS0tIHlhcCtHZXRvOEVlaEpNUUZpZ0ZU + bysxOVlTNVFadEVKc2cranZvNFMxM2MKWniIRvlyJYE6gSs/Yl2Q86UMm7MDFZ7k + Q+W8fmAwBLhtBwB/yl1UQks/qBY3YheVVEGb7SEfyYeqS/q2nJGjSQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MFVoUHNodldFcVcxTFVi + Z005Mi9hOVA4bDVDcG5GK1VRbERzMFI5LzJRCkg3RDV2ckEyMStXUTk2MDJLck94 + VG03OGllY0FOMzY0dE5IRE85Ym1yWlUKLS0tIE1KaHFiQ2pMNlBaN2FRdDNHWjc3 + RVhXUlMyd0hoYTNndEtBWWxIaWsvNmMK2JUdF/eRGEmeU8nbc1xP7czUjTSAybJ/ + PiIkyTbkXotczhc+syCv+m+jLXxhW1YgomNJykNCWnd3hHN7LMss0w== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bFovNG9OQzR1ZENPRnpX + REk0bjMyQ0pDZ3RkcHduRHhJVUxqVDFMTjAwClovMEpudzg5S3YxNzhpRk5vV0lQ + UkVET1pZbktRUU5zREtCTSttOHN6VVkKLS0tIDQ2UmZSWEtwc2VCaE5PVmh4czEw + dTB2ZktuK2RQVTRnbU55M2NKeXRUVFkK0+RnjTNJRqfjENUgZt60Lg29CP0DUp8o + GalbJhyiUL0FsO8ejP9AO7wWjCStd3Mr5YZTKC3EO3uAD76sjlL48g== + -----END AGE ENCRYPTED FILE----- + 
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWmNiOTRaQS96TU5oekhk + MXEvaWp4QzVWU1VsTlJhT2xKVGswODV6TXdZClpYek90N05rVlZycldWTGNGMTM0 + c0NGWVY5S3ozeXBFSzFlNmI2eTVWc3cKLS0tIHBVQVhtL3k2R0xwUlVHYytDdkg4 + YVU4T0NGaGdvNnVZcTNYOSt4dE5ZMncKWroS+oJ7H4dIvtkrGvWYh52gqJSLabuH + VlRK5EkWbSetPnalTw4pFQsKwzETQhBuEYID+xDxwh14f5jtw8E/oQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUHFFc3VtVWoxSVJSSVBh + Y2JlV2pVS1Jja00wOS9zcEpzNkJ3d0FYc3lJCjI3ajE2V3Voam1UdHRxZlQyYlA5 + Mk0vc1lhNWtUZ2JjQ2o1UkY3b0QvbFkKLS0tIE42NHlqcEpFL09IYmkwcmJDem9p + NTV3SjdMQTY5QjB0aVdQQ2duQmNsVHcK1CItf2pHQL8EDQgb0ypc4WZup7MSOQuJ + VHbH79XWiO5/MyignAMNll5Jar7AEmqg3V7IctYYHpoPAQyeSMUnzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVGZYZklGbjBpMDlnTUpq + UE1rNk1PeEx0UlhDRmtGeUoydHhyaU1GN2xNCkZqR2F2KysrdnRiaElpdzRxakY0 + aU81andSL293VE5PcFdzNk9JRmZPZHcKLS0tIGZaeG94VTlvN0kvOUpaK1FBUzVC + R3R0ejBCOWUrSzdDT0FPekkrWjdGTGcKWbIvjJ/3hM7SQMpgo0iJqq+sjD6z8vTJ + +ZMiE1Mn5cpO3Ys8Dg7ysjMUrZ6jPBhgeteZJjcf2v8aW9JMK/Otmg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xg6zm9t25wjakljm54m38pjdr9q53jysdcl82r5xwkrn0cgyuvvsuh63eh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZGVhVVEzeWhpU2F2ZFht + a25XbnIxK0hvWDllZDNmOXpkZk0wZXIwalgwClVPZFpmYmM5VmUvWXUzbW9MQUlK + TEkrdmZWS3h2RGtBZ2p1R2pRbTR0bmcKLS0tIGJuaWU0b2VDL0s1YUdBeWowMGd0 + ZS8vakpqTk9ZbUpyeDk3ZGY4TFlGS1UKNkMGeKg4xZy1Aa9wWAm0rLr17+DMAOv7 + l5Cns2IhN/iou98EyYH75DPUzFmDiMMR6VninT8kq29zHH1U4ZSbrg== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwRzh1NG1QVnlibjdNcUQv + enk4ZXlNbWVNZ1habjhsUWgwV201aVJFaWxRCmF1L1JrOElVZEdYU1JKYk80LzFx + NTFSSzlOQlc5TnpGaEQxQ2oxZW5uZmsKLS0tIGoyL0pWU2g3SVRVWmZPY3NBWmN2 + VERMRTlhMnRBODIrSXVZTXpTWjUrc0UKU/iSLvsUZ2+Tsu2q6PHhxI6qOQVJPRc9 + nqnAGAC24nQ5rinlTR+AaRraCmsp2pwWbx6gEyXQzpQFaVpu+blkJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fjcafp0j45sz03zq5srnxyq2mujndmn25vceg3wj2cgzymqm73ssmhdgku + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbE5NaDVhLzFpRHhwdkov + RmxEYjJ5QVZFc2g2MDhGRFZtVTVhWC9XUUE0CnlGZUZ3ZG52VU90MSs5NXVsandm + ZW9xSTdFM1RzZHhiRFl0SWtiTFFtRmMKLS0tIDIwd2hKeU81SExaM29PZ1BzamRC + T3FDdHpHZlJYVVdWVkVibnlla2FHZGMK0gDUbMxZLD3kdnIZtUTL5RU7Q/oyz+Dw + b6l+yOVeW4BgxiOR3sn8qf1tK908D5/0m7hynOpmEjEYpOfa1PdZDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ehdj6hghtr8sf5s5c03rru4y3a02nwrt694e36tjnd6g7eq4l43qfradn6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZjV4UGNnOElCK01Sejc3 + OXV5MlVWdnhxRDE2RTJXWG9XOURhRzN4eURVClJxeGxuRTJ2N2ZISEsvSEVOeVhy + Z21ZN3NIVWxPV2lUOUkvVVFsbUtqWXMKLS0tIGFmcXg3UmYwTGpVNVVQK3R1Tyt2 + bjdwa1l6ZmNCTUl5M2MwaEFId0FXR0EKtFkV1iv/J/ltpJypCEOEs12CA4LxeEa5 + FJfzZm68EkxmOhMJx8OaTpT5V669vG3TIbpxIQyHq7QwgN2V7RZLKg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tkkau8vk5h9dh3kemash4eghn7lk84j0hhpmvvf7j6phgcsm9vmsphv0py + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eDkrTmpJZFlDM3dZZi90 + RS8raXB3OVAyTndrejJ4L3lPY3gyd2ZVVVc4ClZaa1dqcXVJMmtQMDhlbUp6dXcv + QTJRNVpuSjZTOElEMzRZVFpKS0RuKzQKLS0tIG1RTWw0Z2ZwRTFuUXkvaVMxZWVw + MzRORVZxVEk2OGxsZnpIZ3NZd2xURm8Ko3goG8Us6/vPzlwqvjGyA2nZyt9TMYn9 + 15j2zGPcTiOMEI7ez3SulAMC36RdyQAUKJkFoeCFvlncx+8L7qHLHg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-05T20:54:01Z" + mac: 
ENC[AES256_GCM,data:nSmR/TD/I0XZNDZv7Iv8PQqVtm0kSWaW+jIvlPbc+rbHJFRboiU6+G6nEsjEQ+DHIa4u3Pj4DWc9m11kkSACMzOnPY7FEur1g4rDlypHE5nFmDuaCnonz8RsPL2M0nYK9ihEWKl3m5G7w/UEV76x3nVGg4h/pxeI2Hivc+2iFrU=,iv:oZIexRyzxEkYAvUqcpESGh2IZpvksacsbAZhkt+YxHU=,tag:2uX9zSWyd8tm9PVDPebC+Q==,type:str] + pgp: + - created_at: "2024-09-05T20:14:39Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UARAAxUkw1znvQa/y7Ro/vcMUM86+q8BPUNNO24MpHscQwp25 + VO1xP3qfZYq5HYSEHppAVucYN/54q5yp6JM7Ts4JFlKivHWrBKUlxlla7yxMv3Rr + WQLNDu6eZzSOuxuJaAvoEMXcEArsA8liJgaUHT2MKXgU+pUojt1CtEeSZ+GShCpa + rops69gmTEUX64zuH+AkQFBIda8nJn3zcFnWMFfP/A+Z13RolDurcpFpGXq/BI8F + X8GWJZJGC8Q+YJUaPqa1GUfvMMdGd9yadCdt7bA4LROlmyjCFkP9f1Jz9QUo/Hhr + H+hZ4qU0VRCREr7bfIgbbN1R4x5ps+sbpIuIW8YwDrfNDiRjUQLCDK3OuZOFXWd2 + ccdlEx0Xq5L199iRtXI2TwiSjWmfUPpjXg3eREBZU4wyGQB9RuMoA1+zqgIpQ39S + ll0wEnq0TqTG2P4u1yGSsq4537pPRkZKvv2qQK0im04B+DFWW8NKamfyDqrwsTx0 + JWxci6uT6Aq9NdLJR6+/RPyyEgVaZFs49zfObelJNG9mJde8xORwCUlALniTYr8/ + NYFGqAFjU+GJ7r101yJrHSQ0CyM92RV8txF4MIE+oNovqTR2WeqqMLHuqrMa2cYp + /Xta4o1QqkunfvhEqVDuAkvexCXdHiwvsVZhpFpweAeV1GpFvB1sFyZEiairl8nS + XAH6QRdIusJUrPvjbrCFcGzS5JeDzdHhnGrhXLFoiAhMINWsHeJsWpzXwKKC6Ry6 + 4NNzkIYC2W7PrVLhINwh14rWG3n/KIvLeSll/XDVyO00HiTI6ddwaUMhYIqY + =2jPD + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2024-09-05T20:14:39Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQf/VPVFngNBzP3tt/ayU4XeaBNonvLfJl5UTj5a37zlYQ0U + nIaRbVVG6w0/Og+yVclQXYqBTDHcZHQ777nSEEKv6KExKN1Nrs08Gte6ELjHNAzY + 2WIiiVIHeT7/sHSyxa/7tatVYor3PEXfuB75oFQ7N5KQC/aFh6VkdFCDHJFW6mb8 + q0vJZK4WHrnv2zdg2AwngVPB9gZPYgysI/8fn3I8PCnHzYtXDjcCt+0umaCuhsMp + wsIubO4BseABTtwKgeQXk9M3W0XmKu90W/xHyXmhy8aSOcTRvjQz9b2j2WejaZ/A + cjBnojJ9Hsq+9JJVOL9DDRRqY5ohvSi3E2jWXCpMftJcAb0hlevhcm7J1ve5EbXl + y2jXzMc6JoU7qDVXbD1GcDeF+/mUp2RTltGIxE0s7XcJVlYXIHmvXYXXpxfH17W6 + tuMdLtAzZ/j4duNLd8NlCK+vzoFzSmIxdSs3kWM= + =pFGe + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.9.0 
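Review bot: Both tailnet auth keys sit in one sops file with `shamir_threshold: 1`, eleven age recipients and two PGP keys, so every listed recipient can decrypt `tailscale-key-reisen` as well as `tailscale-key-gensokyo`; presumably those recipients are per-host age keys, in which case any gensokyo-domain host can recover the key that carries `tag:reisen`. If that widening is not intended, keep the reisen key in its own sops file whose only age recipient is the reisen host, and point that node's `sops.secrets.tailscale-key.sopsFile` at it. Recipients in sops apply to the whole file rather than to individual keys, so separate files are the only way to scope who can read which key.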
diff --git a/nixos/tailscale.nix b/nixos/tailscale.nix index 7652dda0..4084ea18 100644 --- a/nixos/tailscale.nix +++ b/nixos/tailscale.nix @@ -1,17 +1,20 @@ { config, + systemConfig, + gensokyo-zone, lib, pkgs, ... -}: -let +}: let + inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (lib.options) mkEnableOption; - inherit (lib.modules) mkIf mkDefault; + inherit (lib.modules) mkIf mkMerge mkDefault; + inherit (lib.lists) elem; inherit (lib.strings) optionalString; inherit (lib.meta) getExe; cfg = config.services.tailscale; in { - options.services.tailscale = with types; { + options.services.tailscale = with lib.types; { advertiseExitNode = mkEnableOption "exit node"; }; config = { @@ -31,9 +34,20 @@ in { services.tailscale.enable = mkDefault true; - sops.secrets.tailscale-key = mkIf cfg.enable { - sopsFile = mkDefault ./secrets/tailscale.yaml; - }; + sops.secrets.tailscale-key = let + keyReisen = "tailscale-key-reisen"; + keyGenso = "tailscale-key-gensokyo"; + sharedKeys = [keyReisen keyGenso]; + in + mkIf cfg.enable { + key = mkMerge [ + (mkIf (systemConfig.proxmox.enabled && systemConfig.proxmox.node.name == "reisen") (mkDefault keyReisen)) + (mkIf (config.networking.domain == gensokyo-zone.lib.domain) (mkAlmostOptionDefault keyGenso)) + ]; + sopsFile = mkIf (elem config.sops.secrets.tailscale-key.key sharedKeys) ( + mkDefault ./secrets/tailscale.yaml + ); + }; systemd.services.tailscale-autoconnect = mkIf cfg.enable rec { description = "Automatic connection to Tailscale"; diff --git a/systems/litterbox/nixos.nix b/systems/litterbox/nixos.nix index 18b519cc..b094070b 100644 --- a/systems/litterbox/nixos.nix +++ b/systems/litterbox/nixos.nix @@ -8,7 +8,10 @@ nixos.syncthing-kat ]; - sops.defaultSopsFile = ./secrets.yaml; + sops = { + defaultSopsFile = ./secrets.yaml; + secrets.tailscale-key.key = "tailscale-key"; + }; system.stateVersion = "23.11"; } diff --git a/systems/mediabox/secrets.yaml b/systems/mediabox/secrets.yaml index a9cf783b..d7f2b4c6 100644 
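Review bot: The `key = mkMerge [ ... ]` in the second tailscale.nix hunk depends on the relative priority of `mkDefault keyReisen` and `mkAlmostOptionDefault keyGenso`, and a host that is both a Proxmox guest on `reisen` and in the gensokyo domain will get whichever wins, but nothing in the hunk says which that is; presumably `mkAlmostOptionDefault` sits between `mkDefault` and `mkOptionDefault` so the reisen key takes precedence — confirm against `gensokyo-zone.lib`. A one-line comment above the list would settle it for the next reader, e.g. `# reisen guests win over the domain-wide gensokyo key (mkDefault outranks mkAlmostOptionDefault); a host-level key = "..." overrides both`. It is also worth stating in that comment that a host whose final `key` is not in `sharedKeys` gets no `sopsFile` and falls back to `sops.defaultSopsFile`, which is what the litterbox hunk relies on with `secrets.tailscale-key.key = "tailscale-key"`.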
--- a/systems/mediabox/secrets.yaml +++ b/systems/mediabox/secrets.yaml @@ -1,4 +1,3 @@ -tailscale-key: ENC[AES256_GCM,data:TnXZW2c5NhMYHutOdDn8NG5RcdcNTzcTXuC27Ir+OO/4abF0rCEts1A=,iv:OK2nUBJ6LyP9w9L05JGtHe5rxmfoNyk8+zF6M6jYIG8=,tag:McbAMcTJ93C5OluGzYMvCw==,type:str] cloudflare_mediabox_tunnel: ENC[AES256_GCM,data:ZQ+4dpo/DaCzO+767HWzSpLRUhNhQYXF7qgYtJ+x/RKQoQpj227rwS42FJtTnGDYp1ABxuQ8tbkWu3792VTjraD4gFxQcYhpgsnbNYfSm4b/6opRZXtIO53c0K1kBz7SJB/U0OcqHwGXUhVUIoJeuJrNu8rgIU9zWujzWypI7JDWoaryHEN8tnMYOkzZ3PD5WHyDUjxmCdhM5srkon+poarCbEg2Xihc+qZ9Z3uos2wqk4ptzwmW9+e5xFijXhsrrTHm/3N+,iv:hG/Dtg6bC6nSonSYQ1P3kWARXME1W+10Pgc2AFZvWxI=,tag:u2a0s/L+5GuAAnkvMpOsnw==,type:str] sops: shamir_threshold: 1 @@ -16,8 +15,8 @@ sops: aDVRZTJtTzh5aElnN3hpcitZWmluQ3MK/je9HcOaN+DiSi2JsCThRXOEbydNQcRM ZBjYlbtPILMjrn4NoUtxnwbmm7vNgGdXVu7EDfQ0OxjWbo9Cv95WZg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-16T19:24:33Z" - mac: ENC[AES256_GCM,data:cJy03khBCiXbZOwUM7xKnCMU9080WZ/3BZ4xlL3xAyG/1Krqnwa0dbx7OtOzRLBHV5UivB8Ba5diP4O+05II8UOKKV/bOMKQngaDZCyQ+bMBp/RB0+xCvMlLGuXC8KkHIOAYvo3QYUZ7dbPO/L1rxwZhvl5KAqqinvnZQS1OuUI=,iv:SwCpszFFiX/vvz9h23pUcPEqXJfrmvQPRKo0bbJhZh0=,tag:tpr+st4EoOpOuhWcH3OwsA==,type:str] + lastmodified: "2024-09-05T21:02:00Z" + mac: ENC[AES256_GCM,data:bmPlIrNDumamV+kgC3eI+yPPUB4QatGdu1Rf2I+h9zO3S9efe1ex1NxqCLG8R9JlHEXbJQvU9URD6Ft2/Kqdyo0YKe7gImsecrR8Uj+mJqe7gAZErgAjZRlPtdBQcYJ3A3ji3UxcfiR3DzCf6x6EgJM0f4g9e/tsTFWkymmRki4=,iv:62W+MXoN+lQQZnSy9pJ3D1G4F2UnUfcRmtR2YcUkFNk=,tag:0mNvX440xkCZ9SMvL0ucTw==,type:str] pgp: - created_at: "2024-01-11T22:30:58Z" enc: |- @@ -55,4 +54,4 @@ sops: -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/systems/reimu/secrets.yaml b/systems/reimu/secrets.yaml index 83ced021..e93dbdfe 100644 --- a/systems/reimu/secrets.yaml +++ b/systems/reimu/secrets.yaml 
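Review bot: Deleting `tailscale-key` from this file does not invalidate the auth key it held: the ciphertext stays in git history for anyone holding the age or PGP private keys, and if the key was reusable it remains usable until it expires or is revoked in the Tailscale admin console. The diff does not show where these per-host keys were minted (the Terraform hunks in this commit only managed the reisen key before the change), so confirm they have been revoked rather than just removed; the same applies to the reimu and sakuya hunks below.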
@@ -1,4 +1,3 @@ -tailscale-key: ENC[AES256_GCM,data:X1oDglyEjyFyeBgkV52IAcvS7krEeUfuJYhp/GN0cLH7She/RLdScbMcGBLwkDdtgoBkSK/HEjk=,iv:7eJg2IMVxZX7O3rzqeai3gjbAMLu3ScU49rrQPxnl0s=,tag:L2EgzeAvr4PLxaTBe9vObg==,type:str] krb5-keytab: ENC[AES256_GCM,data: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,iv:xzjH/RaRSHx39TkQW3Ns7pLf6/ogeFHWqNvfkgOgsEA=,tag:IvmpHdZi04cdYFaXh3YTIg==,type:str] sops: shamir_threshold: 1 @@ -16,8 +15,8 @@ sops: UERXZU1FaTNGU09mTm91M05MNitvQzgKhaWavZCVVMA+MqdX4LDsywN9ySSskH0X 2K+YRI34/3oY0Mv2s6OEIa+laYf2XRImSh6BN1F4b/AezQa1LCTTaw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-16T20:48:49Z" - mac: ENC[AES256_GCM,data:si2YKYqOtaNm1xOlcK698jeK5XWnRIFW6OTyUxv2TxlmgoqximGVl7a/dv/CePQSA1m7pPBZFCAMGV9lmMtMGMM9ipxlaFIkHDRHcBndriy+a9Cijdc/Q5OybYOh6FA+Jktqn7afuF8IrWETWK7wO1E3lg1QmNQrW04gzzwNXLU=,iv:rGNEBBuZIT4asB3JsEF0AImxjgpbhCNeRjIeB1RFpyk=,tag:eKwBpWNVXGmU63gAg+TQ3g==,type:str] + lastmodified: "2024-09-05T21:02:06Z" + mac: ENC[AES256_GCM,data:hnctaM7VRQgAPCCvQmtQLo7XbEEjNatZmGoLYB0XZFI47Fy04u3BkcThLrb+/YzRuuMBO9JcVm8I671aQGiep2XLXjNBpqk4riTDWimJcS/f708rVS7PKwWZlcLgS9hzor4KF7zz5zKBmuhUpxgCETDwWkRiSjF23DIyjI429cA=,iv:QrDy7fJZsOus86mlJJ1pVq+sEIQovFGMNkgGHnH0iUg=,tag:Q8uyts2PDTMHEhm9NHePuw==,type:str] pgp: - created_at: "2024-01-30T23:58:18Z" enc: |- @@ -55,4 +54,4 @@ sops: -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.0 diff --git a/systems/sakuya/secrets.yaml b/systems/sakuya/secrets.yaml index ab893c73..2b8e6604 100644 --- a/systems/sakuya/secrets.yaml +++ b/systems/sakuya/secrets.yaml @@ -1,4 +1,3 @@ -tailscale-key: ENC[AES256_GCM,data:MnCZvQHOE4rtQ0snTo1igA0HSP0vsa1tx2AU3mdyaoNof7L1/73fKOk7sU1pj1xPfEONt+g0vQvCuqpWdA==,iv:IbcL4oYiulQhMCdlLneC2xF5ytNvZgv/1pw1KzprOvQ=,tag:B9hK7l3mEH5VwaknchlBNQ==,type:str] sops: shamir_threshold: 1 kms: [] 
@@ -15,8 +14,8 @@ sops: TlhHWmdGY2NNUFVTNFM0QlFnZG9kMzQKTmEA+Q18XxHwGD28kmO+M/TXw1wJLo8m Ea8/36iM04M/ik5EH9GrWGp8ctX7Mp4p+VqDr3WNwSFZZFBp7sga+Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-05T07:37:01Z" - mac: ENC[AES256_GCM,data:2Q48p8IS8gHjzYkYahrRGwqMTRR9WbL8DykcgbLrPZYn0BaM7n6XfNKBhlM5jk9WZ1lF1KD89YNAnsY+QUUZzr9zBoX8JCWDU/YABSC2FuJKjn5wIUlGzRJJ92T/95KJVXmRiE6CzXukXWIApWagPRjF8B3UbJb9K0BmniKVmFU=,iv:7FdZaWEV/Y3seIhFguQiHlbop0etZnb/RGgvVWjm/oY=,tag:Om7nsDsyzNK+AorZYFg7mQ==,type:str] + lastmodified: "2024-09-05T21:01:52Z" + mac: ENC[AES256_GCM,data:0cBH6ZsC2UAy9S8pMnhJf199npssC39hcksvabeXEnpiHl1wIChb8O3hnuIxzS4MSwU2B0tLDmkMoXqZ1nHowlNDAjVXigGhmvkawawusREqr6aWgnZB8oGje6w2Muo/pLSRpK6qm1y64eH/C+7gqBci8qyOPK8paVbnPuLXk0k=,iv:u8KzRAOcToHg6BMjeEy0of3R8lPEkMrXTl8pc3Oap8k=,tag:UslLisTOuVt/IcNaK1qXgA==,type:str] pgp: - created_at: "2024-09-05T07:54:38Z" enc: |- diff --git a/tf/tailscale_devices.tf b/tf/tailscale_devices.tf index bbb51dcb..ca8ed215 100644 --- a/tf/tailscale_devices.tf +++ b/tf/tailscale_devices.tf @@ -1,8 +1,24 @@ +locals { + tailscale_tag_infra = "tag:infrastructure" + tailscale_tag_genso = "tag:gensokyo" + tailscale_tag_reisen = "tag:reisen" + tailscale_tag_arc = "tag:arc" + tailscale_tag_kat = "tag:kat" + + tailscale_group_admin = "autogroup:admin" + + tailscale_user_arc = "arc@${var.tailscale_tailnet}" + tailscale_user_kat = "kat@${var.tailscale_tailnet}" +} + resource "tailscale_acl" "tailnet" { acl = jsonencode({ tagOwners = { - "tag:reisen" : ["autogroup:admin"], - "tag:gensokyo" : ["autogroup:admin"], + "${local.tailscale_tag_infra}" : [local.tailscale_group_admin], + "${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra], + "${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc, local.tailscale_tag_kat], + "${local.tailscale_tag_arc}" : [local.tailscale_user_arc], + "${local.tailscale_tag_kat}" : [local.tailscale_user_kat], } acls = [ { 
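Review bot: `tag:reisen` is now owned by `tag:infrastructure`, and every node joined with the new gensokyo key carries `tag:infrastructure` (second hunk of this file), so if I read Tailscale's tag-owner semantics correctly any gensokyo host can re-tag itself with `tag:reisen` via `tailscale up --advertise-tags`, which undoes the separation that the two sops keys are meant to provide. Unless the ACL rules below depend on it, keep the admin group as the only owner: `"${local.tailscale_tag_reisen}" : [local.tailscale_group_admin],`; if the tag-to-tag ownership exists so that a tagged OAuth client can mint the reisen key, a comment saying so would stop the next reader from removing it. The `acls` list and the `tailscale_acl` resource continue past the end of the hunk, so I cannot see what `tag:reisen` actually grants.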
@@ -30,7 +46,16 @@ resource "tailscale_tailnet_key" "reisen" { ephemeral = false preauthorized = true description = "Reisen VM" - tags = ["tag:gensokyo", "tag:reisen"] + tags = [local.tailscale_tag_infra, local.tailscale_tag_genso, local.tailscale_tag_reisen] + depends_on = [tailscale_acl.tailnet] +} + +resource "tailscale_tailnet_key" "gensokyo" { + reusable = true + ephemeral = false + preauthorized = true + description = "Reisen VM" + tags = [local.tailscale_tag_infra, local.tailscale_tag_genso] depends_on = [tailscale_acl.tailnet] } @@ -38,3 +63,8 @@ output "tailscale_key_reisen" { value = tailscale_tailnet_key.reisen.key sensitive = true } + +output "tailscale_key_gensokyo" { + value = tailscale_tailnet_key.gensokyo.key + sensitive = true +}
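Review bot: The new `tailscale_tailnet_key.gensokyo` carries `description = "Reisen VM"`, copied from the reisen key above, so the two keys are indistinguishable in the admin console; use `description = "Gensokyo shared hosts"` or similar. Both keys are `reusable`, non-`ephemeral` and `preauthorized` with no `expiry` set, and the gensokyo one is meant to be shared by every host in the domain, so consider an explicit `expiry` (the provider applies its own default when it is omitted — check the version in use) and a comment documenting the rotation path, since the new `tailscale_key_gensokyo` output is what the shared sops file will be refreshed from.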