tailscale: use agenix

2023-04-04 15:05:39 +02:00 · 2023-04-04 15:05:39 +02:00 · 56d0e7b9fa
commit 56d0e7b9fa
parent 43ff628e80
8 changed files with 43 additions and 3 deletions
--- a/agenix/hosts/attic/config.nix
+++ b/agenix/hosts/attic/config.nix
@ -3,5 +3,9 @@
    user-daniel-password = {
      file = ./user/danielPassword.age;
    };
    tailscale-authkey = {
      file = ./tailscale/authkey.age;
    };
  };
 }
--- a/agenix/hosts/attic/tailscale/authkey.age
+++ b/agenix/hosts/attic/tailscale/authkey.age
@ -0,0 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyA0RWxY
 emZBSTBlQ1hTRkhDaU9HaS9JMUpCaWRYcHB1enh2TGRUcmFwZDFrCmdkZDRMY0hz
 MS9ERy9kcndQVC8wRzhZK1JWNGlobzcralBzSjdZTGNSSk0KLT4gc3NoLWVkMjU1
 MTkgc1ZmNkNBIGJqRHI1R2J3dTVlUmhXNW1JaTNvNTNBcVJyTmhuVlcydlhiS1Vn
 ZkVyaVUKUWJjNG83YmNmV0wwcVd1L3o4bzh4aFBjNGI1NzJYUGtKME01MDBkOEYr
 cwotPiAyaTEtZ3JlYXNlICYpR08jeiB7LCVNc0R4TyBSdGFnU0wgMT49d0hmdApW
 N1pieTVZd3U0NVJ6VXR1dFlvSmtRVFp3Yi9SSmpxdStNTVE5SE80ZUs5RDhlNUI5
 bDI5eE45NWROdTJPVE9FCkQyUUVyZkhYVldEUVlqcHFBK1ZhCi0tLSA0VVBZR2c2
 TTBIb1hTWnM0TzRpUzRqZUp2QlpLWDQ0ZUJIcFhKUWMrR0Y4Ci83j/AYh3pgxFQA
 iaWWkiOCPIAh7J8D6vJhpECGSxrfFlPyzVWSVoCtvFJgcOlsrsm7kUkyisbG3O7I
 AqgBfmCyJbkhjMzKl2RbzlV1IGnJeFP/2jFnXGHC6w==
 -----END AGE ENCRYPTED FILE-----
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@ -6,6 +6,10 @@
      group = "acme";
    };
    tailscale-authkey = {
      file = ./tailscale/authkey.age;
    };
    mastodon-database-password = {
      file = ./mastodon/databasePassword.age;
      owner = "mastodon";
--- a/agenix/hosts/sail/tailscale/authkey.age
+++ b/agenix/hosts/sail/tailscale/authkey.age
@ -0,0 +1,12 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBGMEx1
 MDZxTTlPM3I0OW1jeHFoV1pneDNLUjIvazBZRGhYQ3oxak84RmlnCmRMU2VkMi83
 Sy9vTEVoaUpGZEljMEExU05jZmxvS3RZakVTWmhidWxVN1EKLT4gc3NoLWVkMjU1
 MTkgTmJWNGh3IFgyS0pZRTRScDU2REppODhQYlZMeENMU1FlbDVzM2UramgyNktR
 K3RCdzAKT1QwZVVKa2krZERxeVlqYjQ4WFZBZ1d5eDR5Sm4vZ0hCKzhnNk9Vdjlw
 SQotPiAxfThiLWdyZWFzZSBFe0kgPVp4R2IiTSA0bgo2MzU5K0U3UFZqS2NQUDF5
 dENQNUNhSkVvdwotLS0geFBEM0d2MHQzdTIrL25Ka21FaGxjUjNpazFhdGJoQ25w
 Uk5XS1ZJaHhwcwq968fFE3WeIkYgzqjHkDbJU6t0vBqII6/urAckSzfR/2PIrSJX
 1pg/U1U/CnTe15PnIopE9qB7gttNaaec0z6f2lzvYudfIrydhUzr2hHy8rx79XJS
 L0CBK+E=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets.nix
+++ b/secrets.nix
@ -11,6 +11,8 @@ in
  # sail
  "agenix/hosts/sail/acme/credentials.age".publicKeys = sail;
  "agenix/hosts/sail/tailscale/authkey.age".publicKeys = sail;
  "agenix/hosts/sail/mastodon/databasePassword.age".publicKeys = sail;
  "agenix/hosts/sail/mastodon/smtpPassword.age".publicKeys = sail;
  "agenix/hosts/sail/mastodon/otpSecret.age".publicKeys = sail;
@ -44,4 +46,6 @@ in
  # attic
  "agenix/hosts/attic/user/danielPassword.age".publicKeys = attic;
  "agenix/hosts/attic/tailscale/authkey.age".publicKeys = attic;
 }
--- a/system/hosts/attic.nix
+++ b/system/hosts/attic.nix
@ -10,6 +10,8 @@ in
    ../nixos/ssh.nix
    ../nixos/git.nix
    ../nixos/tailscale.nix
  ];
  system.stateVersion = "22.11";
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@ -39,7 +39,7 @@ in
    ../nixos/websites-sail.nix
-    (import ../nixos/tailscale.nix (args // { inherit secret; }))
+    ../nixos/tailscale.nix
    ../nixos/mosquitto.nix
--- a/system/nixos/tailscale.nix
+++ b/system/nixos/tailscale.nix
@ -1,4 +1,4 @@
-{ pkgs, secret, ... }:
+{ pkgs, config, ... }:
 {
  environment.systemPackages = [ pkgs.tailscale ];
@ -25,7 +25,8 @@
      fi
      # otherwise authenticate with tailscale
-      ${pkgs.tailscale}/bin/tailscale up -authkey ${secret.tailscale.key}
+      authkey="$(cat ${config.age.secrets.tailscale-authkey.path})"
      ${pkgs.tailscale}/bin/tailscale up -authkey "$authkey"
    '';
  };
 }