From 7409fef3cbe6bba6c66ce8b03aef6c2d9dc6c7e7 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Sun, 5 Nov 2023 01:03:55 +0100
Subject: Add secrets service Allow managing secrets and passwords using Guix. Secrets are encrypted in the Guix channel repository and decrypted using a single host key at activation time.
---
tw/system/files/wireguard/lap-fp4.psk.enc | 1 +
tw/system/files/wireguard/lap-lud.psk.enc | 1 +
tw/system/files/wireguard/lap-pi3.psk.enc | 1 +
tw/system/files/wireguard/lap-vin.psk.enc | 1 +
tw/system/files/wireguard/lap.key.enc | 1 +
tw/system/lap.scm | 21 +++++++++++++++++++++
6 files changed, 26 insertions(+)
create mode 100644 tw/system/files/wireguard/lap-fp4.psk.enc
create mode 100644 tw/system/files/wireguard/lap-lud.psk.enc
create mode 100644 tw/system/files/wireguard/lap-pi3.psk.enc
create mode 100644 tw/system/files/wireguard/lap-vin.psk.enc
create mode 100644 tw/system/files/wireguard/lap.key.enc
(limited to 'tw/system')
diff --git a/tw/system/files/wireguard/lap-fp4.psk.enc b/tw/system/files/wireguard/lap-fp4.psk.enc
new file mode 100644
index 00000000..ef979978
--- /dev/null
+++ b/tw/system/files/wireguard/lap-fp4.psk.enc
@@ -0,0 +1 @@
+ThP5USmpvehDO14PVZjqyYaBCy8n3jDIQoojYN95O98wvjOHq+Cs+t2NvDD3
diff --git a/tw/system/files/wireguard/lap-lud.psk.enc b/tw/system/files/wireguard/lap-lud.psk.enc
new file mode 100644
index 00000000..d976d90a
--- /dev/null
+++ b/tw/system/files/wireguard/lap-lud.psk.enc
@@ -0,0 +1 @@
+XTD6NjCM0JYnYU9+Z6q+9ZbpUBshnEPPMagwf/wCKMxBsXCXrt63oeqM1TD3
diff --git a/tw/system/files/wireguard/lap-pi3.psk.enc b/tw/system/files/wireguard/lap-pi3.psk.enc
new file mode 100644
index 00000000..2d318777
--- /dev/null
+++ b/tw/system/files/wireguard/lap-pi3.psk.enc
@@ -0,0 +1 @@
+XgTTJRaGle1fGipxe7i78Yr9HhUP3DiOQrctYMA6H/NcmzSV7uC/8d/XjjD3
diff --git a/tw/system/files/wireguard/lap-vin.psk.enc b/tw/system/files/wireguard/lap-vin.psk.enc
new file mode 100644
index 00000000..c84938a9
--- /dev/null
+++ b/tw/system/files/wireguard/lap-vin.psk.enc
@@ -0,0 +1 @@
+EQriKiyMh5x0Ak1WRqzg6q79DjcZ+jXNW50RTog5HqRMmSu3sNKf2seijjD3
diff --git a/tw/system/files/wireguard/lap.key.enc b/tw/system/files/wireguard/lap.key.enc
new file mode 100644
index 00000000..200bf821
--- /dev/null
+++ b/tw/system/files/wireguard/lap.key.enc
@@ -0,0 +1 @@
+ESqNLhK1ubNRY1JDVYuR1tGJDTUvnkKOTawBQcISO8Ntqgil59nRoOSNkjD3
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 516de321..33154d5b 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -21,6 +21,7 @@ #:use-module (nonguix licenses) #:use-module (tw channels) #:use-module (tw packages scanner) + #:use-module (tw services secrets) #:use-module (tw services wireguard) #:use-module (tw system))
@@ -446,6 +447,26 @@ EndSection (list vin) (list lud)))))) + (service secrets-service-type + (secrets-configuration + (secrets + (list + (secret + (encrypted-file (local-file "files/wireguard/lap.key.enc")) + (destination "/etc/wireguard/private.key")) + (secret + (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc")) + (destination "/etc/wireguard/fp4.psk")) + (secret + (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc")) + (destination "/etc/wireguard/lud.psk")) + (secret + (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc")) + (destination "/etc/wireguard/pi3.psk")) + (secret + (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc")) + (destination "/etc/wireguard/vin.psk")))))) + (modify-services (append %system-channel-services %desktop-services) ;; Let sane find the airscan backend. ipp-usb needs to be running separately. (sane-service-type _ => sane-backends/airscan)
-- cgit v1.2.3
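Review bot: The encrypted blobs look as if they were produced without a per-file nonce or authentication tag: `lap-vin.psk.enc`, `lap.key.enc` and the three other `.psk.enc` files in this commit are each 60 base64 characters (45 bytes, the size of a 44-character WireGuard key plus a newline), and all five end in the same `D3`. Identical trailing ciphertext over what is presumably identical trailing plaintext suggests the same key stream is applied to every file, in which case the confidentiality of all five rests on none of the plaintexts ever becoming known, and nothing detects a modified blob. The encryption code in `(tw services secrets)` is not on this page, so this is an inference to confirm. If it holds, switch to an authenticated cipher with a fresh random nonce stored with each ciphertext, then re-encrypt and rotate these keys, since the current blobs stay in the repository history.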
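Review bot: The five `secret` entries in the second `lap.scm` hunk give only an `encrypted-file` and a `destination`, so nothing visible says which owner and mode `/etc/wireguard/private.key` and the `.psk` files get after decryption, or that they are written before the WireGuard service reads them. That is presumably handled inside `(tw services secrets)`, which is outside this page; a comment above the service would record the contract, e.g. `;; Decrypted at activation with the host key; outputs must be root-owned, mode 0600, and never copied into the store.` `local-file` places the encrypted blobs in the world-readable store, so their protection there rests entirely on the encryption. The enclosing services list starts and ends outside the hunk.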