From 9790519c3faf4a368ce7f43953a4ab9479960cf9 Mon Sep 17 00:00:00 2001 From: Timo Wilken Date: Wed, 8 Nov 2023 19:50:05 +0100 Subject: Track restic and wireguard secrets on vin --- tw/system/files/restic/timo-laptop.enc | 7 ++++++ tw/system/files/restic/timo-phone.enc | 7 ++++++ tw/system/files/restic/timo-sync.enc | 7 ++++++ tw/system/files/restic/vin-grafana.enc | 7 ++++++ tw/system/files/wireguard/vin-fp4.psk.enc | 8 ++++++ tw/system/files/wireguard/vin-lap.psk.enc | 8 ++++++ tw/system/files/wireguard/vin-lud.psk.enc | 8 ++++++ tw/system/files/wireguard/vin-pi3.psk.enc | 8 ++++++ tw/system/files/wireguard/vin.key.enc | 8 ++++++ tw/system/vin.scm | 41 +++++++++++++++++++++++++++++++ 10 files changed, 109 insertions(+) create mode 100644 tw/system/files/restic/timo-laptop.enc create mode 100644 tw/system/files/restic/timo-phone.enc create mode 100644 tw/system/files/restic/timo-sync.enc create mode 100644 tw/system/files/restic/vin-grafana.enc create mode 100644 tw/system/files/wireguard/vin-fp4.psk.enc create mode 100644 tw/system/files/wireguard/vin-lap.psk.enc create mode 100644 tw/system/files/wireguard/vin-lud.psk.enc create mode 100644 tw/system/files/wireguard/vin-pi3.psk.enc create mode 100644 tw/system/files/wireguard/vin.key.enc (limited to 'tw') diff --git a/tw/system/files/restic/timo-laptop.enc b/tw/system/files/restic/timo-laptop.enc new file mode 100644 index 00000000..65c1cdd7 --- /dev/null +++ b/tw/system/files/restic/timo-laptop.enc @@ -0,0 +1,7 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBrUzFZ +ejdvc0o0cjlHL3N0SHlEMFlFbFVQU3oyd0NRYlVMQW84REg4eXdnCjBlYXZ5K2lr +dXRxTExwOUlKQzRhYzZ4QjB1ZFl6K1FmakNqdkE2WnJSWTAKLS0tIENjZVBSc2Jz +RVh5ZmZvdFJDK3k4V01nMWlBZk1FSHZUTXdvVlkxQWYvbW8KXyam9znEvA0OKQvY +oOkH5bqTD0bXt/0cBgwTb335bhr/CyU7KrB+ecMRVDL+nOl/AA== +-----END AGE ENCRYPTED FILE----- 
diff --git a/tw/system/files/restic/timo-phone.enc b/tw/system/files/restic/timo-phone.enc new file mode 100644 index 00000000..8dbc59a7 --- /dev/null +++ b/tw/system/files/restic/timo-phone.enc @@ -0,0 +1,7 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBIcjE2 +QllXZjhTRnN1L0cyenRFdi9nd1lPSS9SdDJ1Q0ptamV4NzdpM1NBCjZCVUVRT01l +WVVnaFRuUGYzTU9MTmVQSHg5Z0k5bFNOc1hzUXNUa1dLTWcKLS0tIEpjb0hPZ2xD +dHhwRVlieElpcWhRS3R2eUZNSUZCeHNRdnpGWGNhRXRGY3cKGxopDKuonY2En216 +DF+MQW7yyPcehggYhGnG54VFjDfjhJ5cE2hQmMhw7zY6r3NdUA== +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/restic/timo-sync.enc b/tw/system/files/restic/timo-sync.enc new file mode 100644 index 00000000..fac66e39 --- /dev/null +++ b/tw/system/files/restic/timo-sync.enc @@ -0,0 +1,7 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBlSUVC +OEQzdUF0VHdJMzVGOEc4ZjFoaVJ6azExdXMyNkxpeE9VNUE2WWpvCjJnQ25wRjBu +OHFyUUlJY2RBc3NQdHdmWndocEd0TWp1SVFpdmJUeHo5ajgKLS0tIFFHQ0I3eW9V +TVZxUnNIdTRKTmNwaFhsc1lVQ1daa0xzaU9mdVJ4UDN4b3cKCn3vjD8+whlggEIZ +NgA9trepBZFy92qhUUApgKhxgBj67lLPOphgqxDQr3nX +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/restic/vin-grafana.enc b/tw/system/files/restic/vin-grafana.enc new file mode 100644 index 00000000..e03ecb0d --- /dev/null +++ b/tw/system/files/restic/vin-grafana.enc @@ -0,0 +1,7 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBHYXRl +eGZNRXd3anVadVJUM3RZY21MTGFMNWt6Qk85TUFwSER1cmFqRVU0CmZ6VjA5ajdJ +WGZaYVBQTnhySlBPeXdvNjFtbUwwbC8ya3RYa2ZDYUlabGsKLS0tIGE5d3Z4Wmxk +K0hyNUZUZGw4SHhPN2lkZDVXTkM1N2tWRzRBYUVQZTRmODgKFWWcxLm1m2cgWs8s +QZ4PvjgOJthBI0lbZ2Qf+u1wxvRr0qcsHjn5OWPbNLzg4Zs30w== +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-fp4.psk.enc b/tw/system/files/wireguard/vin-fp4.psk.enc new file mode 100644 index 00000000..e636c35d --- /dev/null +++ b/tw/system/files/wireguard/vin-fp4.psk.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBoczBZ +UkJwUDNpS3ZLNkZQMGVsd241YTNOay9OdzlnaTJLVTBlcjlZRmdBCnlrM2ZUV1Z1 +Q0ZuR3BHUGFTeVY1WUpha0hoaHRzOVRKK1F3WmF0bzZHa0kKLS0tIEM3Z1R5dzdF +djRxcURzL2lBMGlHSWVhNGNtaktSL1JtUytkN0lzUURtREUKaULnyw47eRqRkI2w +ROK8Rfp7zNWkVGE3vL9rSQhhkJL6rhORgbHFDjG7xAnWJECxSSa2xH9Xzcb4OY2K +55hKMGzlEQi8HYuMrjOgm0E= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-lap.psk.enc b/tw/system/files/wireguard/vin-lap.psk.enc new file mode 100644 index 00000000..6975348d --- /dev/null +++ b/tw/system/files/wireguard/vin-lap.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBQNkVF +TElJRys2d3NtRGszNDVaTzl1YUdISlg5bXU0Y1Zic1hVNHJ4ekVNCmQ1ZmUxMTM5 +VnZpNnBiZ2IrRWZmNTNyQnBhZysvdFJwVmk4L1F5MUtjb2sKLS0tIG9VcFRiNERC +Zms4aUROMHd3WFZnTlcrZFdxSWsrMzAwNkpDQlEzQTB5dHMKEtKI+rIW9dPVmAXr +ZAXvEqxw4oC5C6MVwPKjMnpo8D5XuAbU5nXYbaTqmxAJ6cUL9n0ohmet4F1dN4Ni ++JsXzA00hPm3KijiuiD6rJ8= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-lud.psk.enc b/tw/system/files/wireguard/vin-lud.psk.enc new file mode 100644 index 00000000..ba725037 --- /dev/null +++ b/tw/system/files/wireguard/vin-lud.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBOUm5x +R2J2UDBxamg5MjVqTTZhOGE1NHdDOENXTWlFKzZMRW4vWjNWZkc4CjFPanJQTmQ2 +ZFJtZHF3Y09INXlNRmdrdUVBSUY5SkwyUGNJZVZNL0ZUN00KLS0tIFhsd3BKMkNG +R3dJRFFYeHY2UjVESmZNTUhQd240eDgrQXpGdk9WTkhLdGsKqzXzlh9nwmR2bfwE +mg95yfy6LqDs1tQLMzVqDXvKxz4yrZkI4IXHwGWOt2MAvOYC5ln/UhlJry2D3tpG +2ZaopoLD8E1Q4yNLdqMWO6Q= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-pi3.psk.enc b/tw/system/files/wireguard/vin-pi3.psk.enc new file mode 100644 index 00000000..e273896c --- /dev/null +++ b/tw/system/files/wireguard/vin-pi3.psk.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBuL2c3 +YW9mbXRhTjVjQ2Q1TlVJMzJjaHRPcS9oeVRlSDVPak1paTBTZzBvCk5pdElRNS80 +djdvWERuRUE3ZkVCR0RLZDdscHUwUUgya2kyeUwrdXdtVHcKLS0tIFp4QWlIZWZl +L0dabXJEbm15cGZoeUZ5N3JMSHVxUGUyTFpPT250VzZJejQK41qhHwdeK+M5fWzE +ApbvvEg38s2xKhhH2+NiSGNmwGkFDftopdlnYgeFoA981B/EnpDLbvRTs9FUdSZd +Kcq4eo38LFBLqcZUysia9JE= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin.key.enc b/tw/system/files/wireguard/vin.key.enc new file mode 100644 index 00000000..76b7bed2 --- /dev/null +++ b/tw/system/files/wireguard/vin.key.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBUSUNz +NXNaS3M4cU9aSDJNbThLQUhqUCtjbFdMTjF6and5UXFBd1grWWlvCjVFR2E2aFJl +blU3MjlBUWYydTA4d2d5blA1NHU1azdoc3lKN0REYzQwNjgKLS0tIDJXSFNiUkVm +b25ITlViSFY3RXRCMjFzWFZxSXE1ZjgrbDNYRE9aUlA3VTAK17WT34ih5ZrKQufr +8XTp+CReWYEr+jIW5ap8IVy8Vn2ymhZ4zmo1vxcZZDZLkElMP7QXId6eaiQ6f5hY +h/RgMhIDzLtYt5UCh18goqk= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/system/vin.scm b/tw/system/vin.scm index 24dd367a..75243e8d 100644 --- a/tw/system/vin.scm +++ b/tw/system/vin.scm @@ -17,6 +17,7 @@ #:use-module (tw services dns) #:use-module (tw services grafana) #:use-module (tw services restic) + #:use-module (tw services secrets) #:use-module (tw system)) ;; The device's BIOS does not support UEFI, sadly. It also doesn't recognise 
@@ -137,6 +138,46 @@
 (keep-daily 14)
 (keep-monthly -1))))
 
+ (service secrets-service-type
+ (secrets-configuration
+ (secrets
+ (list
+ (secret
+ (encrypted-file (local-file "files/restic/timo-laptop.enc"))
+ (destination "/etc/restic/timo-laptop")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/restic/timo-phone.enc"))
+ (destination "/etc/restic/timo-phone")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/restic/timo-sync.enc"))
+ (destination "/etc/restic/timo-sync")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/restic/vin-grafana.enc"))
+ (destination "/etc/restic/vin-grafana")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin.key.enc"))
+ (destination "/etc/wireguard/private.key"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-fp4.psk.enc"))
+ (destination "/etc/wireguard/fp4.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-lud.psk.enc"))
+ (destination "/etc/wireguard/lud.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-pi3.psk.enc"))
+ (destination "/etc/wireguard/pi3.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-lap.psk.enc"))
+ (destination "/etc/wireguard/lap.psk"))))))
+
 ;; For running the Grafana docker container.
 (service grafana-service-type
 (grafana-configuration
--
cgit v1.2.3
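Review bot: The five wireguard `secret` entries (from `vin.key.enc` through `vin-lap.psk.enc`) give no `user`/`group`, so the owner of `/etc/wireguard/private.key` and the four `.psk` files falls to whatever default `secrets-service-type` applies, which is not visible in this hunk, while the four restic entries pin `(user "restic") (group "restic")` explicitly. Since the private key and pre-shared keys are the most sensitive files installed here, either set the owner on those entries as well or state the intent where the wireguard list begins, e.g. `;; Intentionally no user/group: wireguard reads these as the secrets service's default owner (<DEFAULT-OWNER>)`, so the contrast with the restic entries is not read as an omission. Whether the `secret` record also lets you restrict the installed file mode cannot be told from here; if it does, these five entries are where it matters most. The enclosing services list begins before this hunk and its closing parentheses lie past it.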