diff --git a/REUSE.toml b/REUSE.toml index 256b780..b7f8fcb 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -38,7 +38,7 @@ precedence = "closest" [[annotations]] SPDX-FileCopyrightText = "2024 Lubin Bailly " SPDX-License-Identifier = "EUPL-1.2" -path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"] +path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch"] precedence = "closest" [[annotations]] diff --git a/default.nix b/default.nix index 10a951e..beaf93c 100644 --- a/default.nix +++ b/default.nix @@ -126,6 +126,7 @@ let "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch" "modules/nixos/extranix/0004-fix-indentation-of-ul.patch" "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch" + "machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch" ]; copyright = "2024 Lubin Bailly "; } diff --git a/machines/nixos/vault01/networking.nix b/machines/nixos/vault01/networking.nix deleted file mode 100644 index 3fb2f3f..0000000 --- a/machines/nixos/vault01/networking.nix +++ /dev/null 
@@ -1,411 +0,0 @@ -# SPDX-FileCopyrightText: 2024 Lubin Bailly -# -# SPDX-License-Identifier: EUPL-1.2 - -{ - pkgs, - lib, - meta, - name, - config, - ... -}: - -let - inherit (lib) mapAttrs' mkOption nameValuePair; - inherit (lib.types) listOf attrs; - - uplink = { - ip = "10.120.33.250"; - prefix = 30; - - router = "10.120.33.249"; - }; - - mkNetwork = - name: - { - address ? [ ], - extraNetwork ? { }, - ... - }: - nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork); - - mkNetdev = - name: - { Id, ... }: - nameValuePair "10-${name}" { - netdevConfig = { - Name = name; - Kind = "vlan"; - }; - vlanConfig.Id = Id; - }; - - mkUserVlan = - { - vlan, - netIP, - servIP, - interfaceName, - ... - }: - { - name = interfaceName; - value = { - Id = vlan; - extraNetwork = { - networkConfig = { - LinkLocalAddressing = "no"; - DHCPServer = "yes"; - }; - linkConfig = { - Promiscuous = true; - MTUBytes = 1500; - }; - addresses = [ - { - Address = "${servIP}/27"; - AddPrefixRoute = false; - } - ]; - routes = [ - { - Destination = "${netIP}/27"; - Table = "user"; - } - ]; - }; - }; - }; - - userVlans = builtins.genList (id: rec { - vlan = 4094 - id; - prefix24nb = (id + 1) / 8; - prefix27nb = (id + 1 - prefix24nb * 8) * 32; - netIP = "10.0.${toString prefix24nb}.${toString prefix27nb}"; - servIP = "10.0.${toString prefix24nb}.${toString (prefix27nb + 1)}"; - interfaceName = "vlan-user-${toString vlan}"; - prefixLen = 27; - }) 850; - - vlans = { - vlan-uplink-cri = { - Id = 223; - address = with uplink; [ "${ip}/${builtins.toString prefix}" ]; - - extraNetwork = { - routes = [ - { - # Get the public ip from the metadata - PreferredSource = builtins.head meta.network.${name}.addresses.ipv4; - Gateway = uplink.router; - } - ]; - linkConfig.MTUBytes = 1500; - }; - }; - - vlan-admin = { - Id = 3000; - address = [ "fd26:baf9:d250:8000::1/64" ]; - }; - - vlan-admin-ap = { - Id = 3001; - address = [ - "fd26:baf9:d250:8001::1/64" - # FIXME: ipv4 is temporary for APs in 
production - "10.0.253.1/24" - ]; - extraNetwork = { - networkConfig = { - IPv6SendRA = true; - DHCPServer = "yes"; - }; - ipv6Prefixes = [ - { - AddressAutoconfiguration = false; - OnLink = false; - Prefix = "fd26:baf9:d250:8001::/64"; - } - ]; - }; - }; - - vlan-apro = { - Id = 2000; - address = [ "10.0.255.1/24" ]; - - extraNetwork = { - networkConfig.DHCPServer = "yes"; - linkConfig.MTUBytes = 1500; - }; - }; - - vlan-hypervisor = { - Id = 2001; - address = [ "10.0.254.1/24" ]; - - extraNetwork = { - networkConfig.DHCPServer = "yes"; - linkConfig.MTUBytes = 1500; - }; - }; - } // builtins.listToAttrs (map mkUserVlan userVlans); -in -{ - options.networking.vlans-info = mkOption { - type = listOf attrs; - description = '' - Information about vlans for log analysis. - ''; - readOnly = true; - }; - config = { - systemd = { - network = { - config.routeTables."user" = 1000; - networks = { - "10-lo" = { - name = "lo"; - address = [ - "::1/128" - "127.0.0.1/8" - "10.0.0.1/27" - ]; - routes = [ - { - Destination = "10.0.0.0/27"; - Table = "user"; - } - ]; - routingPolicyRules = [ - { - To = "10.0.0.0/16"; - Table = "user"; - } - ]; - }; - "10-enp67s0f0np0" = { - name = "enp67s0f0np0"; - linkConfig.Promiscuous = true; - networkConfig = { - Bridge = "br0"; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; - }; - linkConfig.MTUBytes = 1504; - }; - "50-gretap1" = { - name = "gretap1"; - networkConfig = { - Bridge = "br0"; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; - }; - linkConfig.MTUBytes = 1504; - }; - "50-br0" = { - name = "br0"; - networkConfig = { - VLAN = builtins.attrNames vlans; - - LinkLocalAddressing = false; - LLDP = false; - EmitLLDP = false; - IPv6AcceptRA = false; - IPv6SendRA = false; - }; - linkConfig.MTUBytes = 1504; - }; - "50-wg0" = { - name = "wg0"; - address = [ "10.10.17.1/30" ]; - networkConfig.Tunnel = "gretap1"; - 
}; - } // (mapAttrs' mkNetwork vlans); - - netdevs = { - "50-gretap1" = { - netdevConfig = { - Name = "gretap1"; - Kind = "gretap"; - }; - tunnelConfig = { - Local = "10.10.17.1"; - Remote = "10.10.17.2"; - }; - }; - "50-br0" = { - netdevConfig = { - Name = "br0"; - Kind = "bridge"; - }; - bridgeConfig = { - VLANFiltering = false; - STP = false; - }; - }; - "50-wg0" = { - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 1194; - PrivateKeyFile = config.age.secrets."wg-key".path; - }; - - wireguardPeers = [ - { - AllowedIPs = [ - "10.10.17.0/30" - ]; - PublicKey = "g6S3gBx1Hf2iX41tokD+m8WfzJJTTcsKifOkn+Wcd00="; - } - ]; - }; - } // mapAttrs' mkNetdev vlans; - }; - - services = { - ethtoolConfig = { - wantedBy = [ "systemd-networkd.service" ]; - after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; - script = builtins.concatStringsSep "\n" ( - builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ - "rxvlan" - "txvlan" - "rx-vlan-filter" - "rx-vlan-offload" - "tx-vlan-offload" - "tx-vlan-stag-hw-insert" - ] - ); - }; - - systemd-networkd.serviceConfig.LimitNOFILE = 4096; - - net-checker = { - path = [ - pkgs.iputils - pkgs.systemd - ]; - script = '' - if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then - echo network is up - ${lib.concatMapStringsSep "\n " ( - { interfaceName, ... }: "networkctl up ${interfaceName}" - ) userVlans} - else - echo network is down - ${lib.concatMapStringsSep "\n " ( - { interfaceName, ... 
}: "networkctl down ${interfaceName}" - ) userVlans} - fi - ''; - }; - }; - - timers.net-checker = { - wantedBy = [ "timers.target" ]; - timerConfig.OnCalendar = "*-*-* *:*:42"; - }; - }; - - networking = { - vlans-info = [ - { - vlan = 2001; - netIP = "10.0.254.0"; - prefixLen = 24; - } - { - vlan = 3001; - netIP = "10.0.253.0"; - prefixLen = 24; - } - ] ++ userVlans; - nftables = { - enable = true; - tables = { - nat = { - family = "ip"; - content = '' - chain postrouting { - type nat hook postrouting priority 100; - ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157 - } - ''; - }; - filter = { - family = "inet"; - content = '' - chain forward { - type filter hook forward priority filter; policy accept; - ct state vmap { - invalid: drop, - established: accept, - related: accept, - new: jump forward_decide, - untracked: jump forward_decide, - }; - } - chain forward_decide { - # Block access to vpn - ip daddr { - 10.10.17.0/30, - 100.80.0.0/16, - } jump forward_reject; - - # And administrative vlans - ip6 daddr { - fd26:baf9:d250::/48, - } jump forward_reject; - - # These are being deployed, and so are not trusted - ip saddr 10.0.255.0/24 jump forward_reject; - - # We only forward for ISP clients and our stuff - ip saddr != 10.0.0.0/16 jump forward_reject; - - # Can talk to us - ip daddr 10.0.0.0/27 accept; - - # Not others nor CRI - ip daddr 10.0.0.0/8 jump forward_reject; - } - chain forward_reject { - reject with icmpx type admin-prohibited; - } - ''; - }; - }; - }; - firewall = { - allowedUDPPorts = [ - 67 - 1194 - ]; - # FIXME: I dont't remember why it's here, and it doesn't seems right - # comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5 - # checkReversePath = false; - }; - }; - - age.secrets."wg-key".owner = "systemd-network"; - users.users."systemd-network".extraGroups = [ "keys" ]; - - boot.kernel.sysctl."net.ipv4.ip_forward" = true; - }; -} 
diff --git a/machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch b/machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch new file mode 100644 index 0000000..37f784b --- /dev/null +++ b/machines/nixos/vault01/networking/0001-fix-multiple-interface-with-same-IP.patch @@ -0,0 +1,31 @@ +From 417ae050a7dfb6d6d1e227bbe5817992949376f7 Mon Sep 17 00:00:00 2001 +From: catvayor +Date: Sun, 23 Feb 2025 21:15:42 +0100 +Subject: [PATCH] fix: multiple interface with same IP + +--- + src/lib/dhcp/pkt_filter.cc | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/lib/dhcp/pkt_filter.cc b/src/lib/dhcp/pkt_filter.cc +index d6360984ef..4dfdea59c7 100644 +--- a/src/lib/dhcp/pkt_filter.cc ++++ b/src/lib/dhcp/pkt_filter.cc +@@ -24,6 +24,14 @@ PktFilter::openFallbackSocket(const isc::asiolink::IOAddress& addr, + " address " << addr << ", port " << port + << ", reason: " << strerror(errno)); + } ++ // allow address to be reused ++ int oneopt = 1; ++ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &oneopt, sizeof(oneopt))) { ++ close(sock); ++ isc_throw(SocketConfigError, "failed to set SO_REUSEADDR socket for" ++ " address " << addr << ", port " << port ++ << ", reason: " << strerror(errno)); ++ } + // Set the close-on-exec flag. + if (fcntl(sock, F_SETFD, FD_CLOEXEC) < 0) { + close(sock); +-- +2.47.1 + diff --git a/machines/nixos/vault01/networking/default.nix b/machines/nixos/vault01/networking/default.nix new file mode 100644 index 0000000..8a6c3f5 --- /dev/null +++ b/machines/nixos/vault01/networking/default.nix 
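Review bot: The new `setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, …)` block carries only `// allow address to be reused`, which does not tell a reader of pkt_filter.cc why Kea's fallback socket needs it; the reason is visible only in this commit's default.nix, where every `vlan-user-*` interface gets the same `10.0.0.1/16` address, so one fallback socket per interface must bind the same addr:port. I would replace that comment with something like `// Several VLAN interfaces carry the same address, so one fallback socket per interface must bind the same addr:port; without SO_REUSEADDR the second bind() fails with EADDRINUSE.` The comment should also record the trade-off: with SO_REUSEADDR any other local process permitted to bind port 67 (CAP_NET_BIND_SERVICE) can co-bind the address, which is bounded by that capability and, since the fallback socket presumably only exists to keep the kernel from answering with ICMP port-unreachable, is a small exposure — but it is a deliberate one. The error text `"failed to set SO_REUSEADDR socket for"` reads awkwardly next to the surrounding messages; `"failed to set SO_REUSEADDR on fallback socket for"` matches their style. openFallbackSocket begins before the hunk and its bind() presumably follows after it, which is the order SO_REUSEADDR requires.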
@@ -0,0 +1,431 @@ +# SPDX-FileCopyrightText: 2024 Lubin Bailly +# +# SPDX-License-Identifier: EUPL-1.2 + +{ + pkgs, + lib, + meta, + config, + name, + ... +}: + +let + inherit (lib) + catAttrs + getExe + mapAttrs' + nameValuePair + ; + + uplink = { + ip = "10.120.33.250"; + prefix = 30; + + router = "10.120.33.249"; + }; + + mkNetwork = + name: + { + address ? [ ], + extraNetwork ? { }, + ... + }: + nameValuePair "10-${name}" ({ inherit name address; } // extraNetwork); + + mkNetdev = + name: + { Id, ... }: + nameValuePair "10-${name}" { + netdevConfig = { + Name = name; + Kind = "vlan"; + }; + vlanConfig.Id = Id; + }; + + mkUserVlan = + { + vlan, + interfaceName, + ... + }: + { + name = interfaceName; + value = { + Id = vlan; + extraNetwork = { + networkConfig.LinkLocalAddressing = "no"; + linkConfig = { + Promiscuous = true; + MTUBytes = 1500; + }; + addresses = [ + { + Address = "10.0.0.1/16"; + AddPrefixRoute = false; + } + ]; + }; + }; + }; + + userVlans = builtins.genList (id: rec { + vlan = 4094 - id; + interfaceName = "vlan-user-${toString vlan}"; + }) 850; + + vlans = { + vlan-uplink-cri = { + Id = 223; + address = with uplink; [ "${ip}/${builtins.toString prefix}" ]; + + extraNetwork = { + routes = [ + { + # Get the public ip from the metadata + PreferredSource = builtins.head meta.network.${name}.addresses.ipv4; + Gateway = uplink.router; + } + ]; + linkConfig.MTUBytes = 1500; + }; + }; + + vlan-admin = { + Id = 3000; + address = [ "fd26:baf9:d250:8000::1/64" ]; + }; + + vlan-admin-ap = { + Id = 3001; + address = [ + "fd26:baf9:d250:8001::1/64" + # FIXME: ipv4 is temporary for APs in production + "10.0.253.1/24" + ]; + extraNetwork = { + networkConfig = { + IPv6SendRA = true; + DHCPServer = "yes"; + }; + ipv6Prefixes = [ + { + AddressAutoconfiguration = false; + OnLink = false; + Prefix = "fd26:baf9:d250:8001::/64"; + } + ]; + }; + }; + + vlan-apro = { + Id = 2000; + address = [ "10.0.255.1/24" ]; + + extraNetwork = { + networkConfig.DHCPServer = "yes"; 
+ linkConfig.MTUBytes = 1500; + }; + }; + + vlan-hypervisor = { + Id = 2001; + address = [ "10.0.254.1/24" ]; + + extraNetwork = { + networkConfig.DHCPServer = "yes"; + linkConfig.MTUBytes = 1500; + }; + }; + } // builtins.listToAttrs (map mkUserVlan userVlans); +in +{ + nixpkgs.overlays = [ + (_: super: { + kea = super.kea.overrideAttrs (o: { + patches = o.patches ++ [ ./0001-fix-multiple-interface-with-same-IP.patch ]; + }); + }) + ]; + + systemd = { + network = { + config.routeTables."user" = 1000; + networks = { + "10-lo" = { + name = "lo"; + address = [ + "::1/128" + "127.0.0.1/8" + "10.0.0.1/27" + ]; + routes = [ + { + Destination = "10.0.0.0/27"; + Table = "user"; + } + ]; + routingPolicyRules = [ + { + To = "10.0.0.0/16"; + Table = "user"; + } + ]; + }; + "10-enp67s0f0np0" = { + name = "enp67s0f0np0"; + linkConfig.Promiscuous = true; + networkConfig = { + VLAN = builtins.attrNames vlans; + + LinkLocalAddressing = false; + LLDP = false; + EmitLLDP = false; + IPv6AcceptRA = false; + IPv6SendRA = false; + }; + linkConfig.MTUBytes = 1504; + }; + } // (mapAttrs' mkNetwork vlans); + + netdevs = mapAttrs' mkNetdev vlans; + }; + + services = { + ethtoolConfig = { + wantedBy = [ "systemd-networkd.service" ]; + after = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + bindsTo = [ "sys-subsystem-net-devices-enp67s0f0np0.device" ]; + script = builtins.concatStringsSep "\n" ( + builtins.map (name: "${lib.getExe pkgs.ethtool} -K enp67s0f0np0 ${name} off") [ + "rxvlan" + "txvlan" + "rx-vlan-filter" + "rx-vlan-offload" + "tx-vlan-offload" + "tx-vlan-stag-hw-insert" + ] + ); + }; + + systemd-networkd.serviceConfig.LimitNOFILE = 4096; + + kea-dhcp4-server = { + serviceConfig = { + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; + CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + }; + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + path = [ config.services.postgresql.package ]; + preStart = lib.mkAfter '' + pushd $STATE_DIRECTORY + if ! 
test -e .db.initialized; then + psql -d ulogd -U ulogd -f ${pkgs.writeText "kea_log.sql" '' + CREATE SEQUENCE kea_log_lease_id_seq; + CREATE TABLE kea_log ( + _lease_id bigint PRIMARY KEY UNIQUE NOT NULL DEFAULT nextval('kea_log_lease_id_seq'), + ip_addr inet NOT NULL, + vlan_id int NOT NULL, + lease_start_sec bigint NOT NULL, + lease_end_sec bigint NOT NULL + ); + ''} + touch .db.initialized + fi + popd + ''; + }; + }; + }; + + networking = { + nftables = { + enable = true; + tables = { + nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; + ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157 + } + ''; + }; + filter = { + family = "inet"; + content = '' + chain forward { + type filter hook forward priority filter; policy accept; + ct state vmap { + invalid: drop, + established: accept, + related: accept, + new: jump forward_decide, + untracked: jump forward_decide, + }; + } + chain forward_decide { + # Block access to vpn + ip daddr { + 10.10.17.0/30, + 100.80.0.0/16, + } jump forward_reject; + + # And administrative vlans + ip6 daddr { + fd26:baf9:d250::/48, + } jump forward_reject; + + # These are being deployed, and so are not trusted + ip saddr 10.0.255.0/24 jump forward_reject; + + # We only forward for ISP clients and our stuff + ip saddr != 10.0.0.0/16 jump forward_reject; + + # Can talk to us + ip daddr 10.0.0.0/27 accept; + + # Not others nor CRI + ip daddr 10.0.0.0/8 jump forward_reject; + } + chain forward_reject { + reject with icmpx type admin-prohibited; + } + ''; + }; + }; + }; + firewall = { + allowedUDPPorts = [ + 67 + 1194 + ]; + }; + }; + + services = { + kea.dhcp4 = { + enable = true; + settings = { + interfaces-config = { + interfaces = catAttrs "interfaceName" userVlans; + dhcp-socket-type = "raw"; + outbound-interface = "same-as-inbound"; + service-sockets-require-all = true; + }; + lease-database = { + # FIXME: pgsql + name = "/var/lib/kea/dhcp4.leases"; 
+ persist = true; + type = "memfile"; + }; + valid-lifetime = 7200; + rebind-timer = 3600; + renew-timer = 1800; + subnet4 = [ + { + id = 1; + pools = [ + { + pool = "10.0.0.32 - 10.0.252.255"; + } + ]; + subnet = "10.0.0.0/16"; + } + ]; + hooks-libraries = [ + { + library = "${pkgs.kea}/lib/kea/hooks/libdhcp_run_script.so"; + parameters = { + name = getExe ( + let + link-del = pkgs.writeText "link-del.sql" '' + WITH lease_entry_id AS ( + SELECT max(_lease_id) AS curr_id FROM kea_log + WHERE ip_addr = inet 'LEASE4_ADDRESS' AND lease_end_sec > TIMESTAMP + ) + UPDATE kea_log SET + lease_end_sec = TIMESTAMP + FROM lease_entry_id + WHERE _lease_id = curr_id + ; + ''; + link-new = pkgs.writeText "link-new.sql" '' + INSERT INTO kea_log (ip_addr, vlan_id, lease_start_sec, lease_end_sec) VALUES + (inet 'LEASE4_ADDRESS', + VLAN_ID, + TIMESTAMP, + TIMESTAMP+7200 + ); + ''; + link-renew = pkgs.writeText "link-renew.sql" '' + WITH lease_entry_id AS ( + SELECT max(_lease_id) AS curr_id FROM kea_log + WHERE ip_addr = inet 'LEASE4_ADDRESS' AND lease_end_sec > TIMESTAMP + ) + UPDATE kea_log SET + lease_end_sec = TIMESTAMP+7200 + FROM lease_entry_id + WHERE _lease_id = curr_id + ; + ''; + in + pkgs.writeShellApplication { + name = "hook.sh"; + runtimeInputs = [ + pkgs.busybox + config.services.postgresql.package + ]; + text = '' + case "$1" in + "leases4_committed") + TIMESTAMP="$(date +%s)" + for i in $(seq 0 $((DELETED_LEASES4_SIZE-1))); do + LEASE4_ADDRESS=$(eval "echo \$DELETED_LEASES4_AT''${i}_ADDRESS") + ip r del table user dev "$QUERY4_IFACE_NAME" "$LEASE4_ADDRESS" + sed "s/TIMESTAMP/$TIMESTAMP/; + s/LEASE4_ADDRESS/$LEASE4_ADDRESS" \ + ${link-del} \ + | psql -d ulogd -U ulogd + done + for i in $(seq 0 $((LEASES4_SIZE-1))); do + LEASE4_ADDRESS=$(eval "echo \$LEASES4_AT''${i}_ADDRESS") + if [ -z "$(ip r show "$LEASE4_ADDRESS" dev "$QUERY4_IFACE_NAME")" ]; then + ip r add table user dev "$QUERY4_IFACE_NAME" "$LEASE4_ADDRESS" + sed "s/TIMESTAMP/$TIMESTAMP/; + 
s/LEASE4_ADDRESS/$LEASE4_ADDRESS/; + s/VLAN_ID/$(cut -d- -f3 <<< "$QUERY4_IFACE_NAME")/" \ + ${link-new} \ + | psql -d ulogd -U ulogd + else + sed "s/TIMESTAMP/$TIMESTAMP/; + s/LEASE4_ADDRESS/$LEASE4_ADDRESS/;" \ + ${link-renew} \ + | psql -d ulogd -U ulogd + fi + done + ;; + esac + ''; + } + ); + sync = false; + }; + } + ]; + }; + }; + postgresql = { + enable = true; + identMap = '' + ulogd-map kea ulogd + ''; + }; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = true; +} diff --git a/machines/nixos/vault01/secrets/secrets.nix b/machines/nixos/vault01/secrets/secrets.nix index f93ee25..45b76b0 100644 --- a/machines/nixos/vault01/secrets/secrets.nix +++ b/machines/nixos/vault01/secrets/secrets.nix @@ -14,5 +14,4 @@ "radius-private_key_password_file" "eatonmon-password_file" "radius-ap-radius-secret_file" - "wg-key" ] diff --git a/machines/nixos/vault01/secrets/wg-key b/machines/nixos/vault01/secrets/wg-key deleted file mode 100644 index 6b366f8..0000000 Binary files a/machines/nixos/vault01/secrets/wg-key and /dev/null differ
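Review bot: In hook.sh's deleted-leases loop the sed script `s/LEASE4_ADDRESS/$LEASE4_ADDRESS"` lacks its closing `/`, so sed rejects it as an unterminated `s` command; because writeShellApplication enables errexit and pipefail, the hook exits at the first expired lease, the kea_log row is never closed, and the remaining deleted and new leases of that `leases4_committed` batch (including their `user` table routes) are not processed. The line should read `s/LEASE4_ADDRESS/$LEASE4_ADDRESS/" \`, matching the two other sed invocations. The `eval "echo \$LEASES4_AT''${i}_ADDRESS"` indirection re-parses Kea-supplied values through the shell; bash's indirect expansion (`v="LEASES4_AT''${i}_ADDRESS"; LEASE4_ADDRESS="''${!v}"`, and likewise for `DELETED_LEASES4_AT`) yields the same value without eval. Separately, `allowedUDPPorts` still opens 1194, which was the WireGuard `ListenPort` of the `50-wg0` netdev this commit deletes along with its `wg-key` secret; with no listener left it should be removed so only port 67 stays exposed.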