From 94c64eb05ad8f03159f96abcf7d1bd6bf596e4ef Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sat, 25 May 2024 11:35:26 +0200
Subject: [PATCH] feat(bm-hostkey0): set up mycelium
---
 .sops.yaml | 6 ++++
 .../devices/sj-bm-hostkey0/configuration.nix | 2 ++
 nix/os/devices/steveej-x13s/configuration.nix | 22 +------------
 nix/os/snippets/mycelium.nix | 31 +++++++++++++++++++
 .../sj-bm-hostkey0/mycelium_priv_key.bin.enc | 26 ++++++++++++++++
 5 files changed, 66 insertions(+), 21 deletions(-)
 create mode 100644 nix/os/snippets/mycelium.nix
 create mode 100644 secrets/sj-bm-hostkey0/mycelium_priv_key.bin.enc
diff --git a/.sops.yaml b/.sops.yaml
index 2abd5cb..76cd8da 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -105,3 +105,9 @@ creation_rules: age: - *steveej-x13s - *sj-bm-hostkey0
+ - path_regex: ^secrets/sj-bm-hostkey0/.+$
+ key_groups:
+ - pgp:
+ - *steveej
+ age:
+ - *sj-bm-hostkey0
diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix
index 04fa94a..4bc6daa 100644
--- a/nix/os/devices/sj-bm-hostkey0/configuration.nix
+++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix
@@ -93,6 +93,8 @@ in { users.defaultUserShell = pkgs.zsh; environment.pathsToLink = ["/share/zsh"]; }
+
+ ../../snippets/mycelium.nix
 ]; services.openssh.enable = true;
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix
index 2f9ecda..9f4ef00 100644
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@@ -59,8 +59,6 @@ }; imports = [
- "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/networking/mycelium.nix"
-
 nodeFlake.inputs.nixos-x13s.nixosModules.default repoFlake.inputs.sops-nix.nixosModules.sops
@@ -69,6 +67,7 @@ ../../snippets/nix-settings.nix ../../snippets/nix-settings-holo-chain.nix
+ ../../snippets/mycelium.nix
 ../../profiles/common/user.nix {
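Review bot: sops applies the first `creation_rules` entry whose `path_regex` matches, so the `^secrets/sj-bm-hostkey0/.+$` rule appended at the end of the list only governs that directory if no earlier rule already matches it; the preceding rule visible in the hunk lists both `*steveej-x13s` and `*sj-bm-hostkey0` as age recipients, but its `path_regex` is outside the hunk. If a broader rule wins, the hostkey node's mycelium private key would also be encrypted to the x13s laptop, widening who can decrypt a per-host identity. Consider placing host-specific rules above any catch-all and running `sops updatekeys secrets/sj-bm-hostkey0/mycelium_priv_key.bin.enc` to confirm the recipient set is exactly the `*steveej` PGP key plus the `*sj-bm-hostkey0` age key. The committed blob carries `lastmodified: 2024-05-17`, a week before this commit, so it was encrypted before this rule landed in the tree; `updatekeys` would reconcile that as well.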
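Review bot: The newly imported `../../snippets/mycelium.nix` declares `repoFlake`, `nodeFlake`, `nodeName` and `system` in its argument set, none of which NixOS provides to modules by default, so this host evaluates only if all four are injected via `specialArgs` (or `_module.args`), and `nodeName` must resolve to exactly `sj-bm-hostkey0` for the snippet's `secrets/${nodeName}/mycelium_priv_key.bin.enc` path to hit the file this commit adds. None of that wiring is visible here, so please confirm it, ideally by evaluating `config.sops.secrets.mycelium-key.sopsFile` for this host before deploying. The enclosing `imports = [ … ]` list begins before this hunk.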
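Review bot: Replacing the hard-coded `sopsFile = repoFlake + "/secrets/steveej-x13s/mycelium_priv_key.bin.enc"` (removed elsewhere in this patch) with the snippet import makes the x13s depend on its `nodeName` module argument being exactly `steveej-x13s`; the old configuration never relied on that name, and a mismatch would surface only as a missing-file build error. A one-off evaluation of `config.sops.secrets.mycelium-key.sopsFile` for this host would confirm the path is unchanged. The `imports` list this hunk edits starts outside the hunk.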
@@ -220,25 +219,6 @@ "nixos-x13s.cachix.org-1:SzroHbidolBD3Sf6UusXp12YZ+a5ynWv0RtYF0btFos=" ];
- sops.secrets.mycelium-key = {
- format = "binary";
- sopsFile = repoFlake + "/secrets/steveej-x13s/mycelium_priv_key.bin.enc";
- };
-
- services.mycelium = {
- enable = true;
- package = nodeFlake.inputs.mycelium.packages.${system}.mycelium;
- keyFile = config.sops.secrets.mycelium-key.path;
- addHostedPublicNodes = true;
- peers = [
- ];
-
- # tunName = "mycelium-pub";
-
- extraArgs = [
- ];
- };
-
 steveej.holo-zerotier = { enable = true; autostart = false;
diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix
new file mode 100644
index 0000000..64bfae5
--- /dev/null
+++ b/nix/os/snippets/mycelium.nix
@@ -0,0 +1,31 @@
+{
+ repoFlake,
+ nodeFlake,
+ nodeName,
+ config,
+ system,
+ ...
+}: {
+ imports = [
+ "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/networking/mycelium.nix"
+ ];
+
+ sops.secrets.mycelium-key = {
+ format = "binary";
+ sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc";
+ };
+
+ services.mycelium = {
+ enable = true;
+ package = nodeFlake.inputs.mycelium.packages.${system}.mycelium;
+ keyFile = config.sops.secrets.mycelium-key.path;
+ addHostedPublicNodes = true;
+ peers = [
+ ];
+
+ # tunName = "mycelium-pub";
+
+ extraArgs = [
+ ];
+ };
+}
diff --git a/secrets/sj-bm-hostkey0/mycelium_priv_key.bin.enc b/secrets/sj-bm-hostkey0/mycelium_priv_key.bin.enc
new file mode 100644
index 0000000..77036fc
--- /dev/null
+++ b/secrets/sj-bm-hostkey0/mycelium_priv_key.bin.enc
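Review bot: `sops.secrets.mycelium-key` sets no `restartUnits`, so after a key rotation sops-nix re-renders the secret on activation while `mycelium.service` keeps running with the identity it loaded at start; add `restartUnits = [ "mycelium.service" ];` beside `format = "binary";` so a new key takes effect on the next `nixos-rebuild switch`. Importing `nixos/modules/services/networking/mycelium.nix` from `nodeFlake.inputs.nixpkgs-unstable` will fail with duplicate `services.mycelium` option declarations if either host's own nixpkgs already ships that module; I cannot see the hosts' nixpkgs from here, so if that is possible, pair the import with `disabledModules = [ "services/networking/mycelium.nix" ];`. `addHostedPublicNodes = true` together with `peers = [ ]` means, as the option name indicates, that both nodes bootstrap exclusively through the hosted public mycelium nodes — a deliberate reachability and trust decision for a host-key machine that deserves a comment such as `# Bootstrap only via the hosted public nodes; no inbound peers are configured.`, plus a note on whether the module's firewall option (if the imported version exposes one) is intentionally left at its default. The empty `peers`/`extraArgs` lists and the commented-out `tunName` are copied verbatim from the x13s configuration and read as dead configuration; drop them or say why they are kept.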
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwenVpMFlQbC9PR1NDTWIy\nYi93VHlTZHg1NHJ0UXNIcFFGV08zRzlyTm00Cnp2RlpuMVBsc3dWOVZVODVBQ09H\nby9GWm1pSVlya0I3b0o2T2RhZGFrc0UKLS0tIGRQK1hPQjlkWjBFb3pSRXE5MnFY\nNFkvdTg3T0FZWVZWK2thRU55a0hWYUkKPHaAqvnyaP0sG47rJD40d4r6vjMjNEif\nq0X+BT3vR1Wd2vFKhWkcrS531jX3JUX5wEPFfbqWY3SEeunkbx43Ew==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-17T14:49:38Z", + "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", + "pgp": [ + { + "created_at": "2024-05-17T14:49:38Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf/XROsC15JsLhhO8or+6hYHYVig4cEiazJeo+lAm83WdYj\nQ/rAgQg4hSR6i84UOfPKCGS5Rv3TTkt1VsUgibwAvLdT65SB32pe5SCT68L0yHL1\nXabvMmmREbJW+zwhEz3G2ggzBrnoDE4l3npTYjrhsjEPmRJNBO3g7rigWtRL1iDR\nYl6IrBYB/NGEkfJ0lNWoY6K911Gb0TCVQXO/CMT0xbp9GTIhry9WUX1eWK/fiymP\nnJH3XSGmL2GAZnBIosFkrQlBDxHXC2Xi7kktFnzCgwrZBGYXn9ftC7toHPvn48cV\nuTzcFc2VHXxFLbDwSY/EOsfjSGjaaYXodCr2xHbkR9JcAZvLvs76by2wCzXKM8CR\nueuvS31Ah02r0JD1z8ZXWX3+etMvJEkEk3Nsngbo/r70/qtRTp/eLkTuYjzcUFMU\nXv40Izg+PiFxAOo2RK7RLRdD+YTXuddG/jxSXQY=\n=zrcf\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file