From 4907238726b1ad910c01ad100e0564eaaab2fb3c Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Tue, 28 Oct 2025 17:25:15 +0000
Subject: [PATCH] stinky wifi
---
 .sops.yaml | 5 +++++
 common/wifi.nix | 38 ++++++++++++++++++++++++++++++++++++++
 hosts/stinky/default.nix | 1 +
 secrets/wifi.yaml | 25 +++++++++++++++++++++++++
 4 files changed, 69 insertions(+)
 create mode 100644 common/wifi.nix
 create mode 100644 secrets/wifi.yaml
diff --git a/.sops.yaml b/.sops.yaml
index a767c78..82fda6f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -41,6 +41,11 @@ creation_rules:
 - age:
 - *admin_ppetru
 - *server_stinky
+ - path_regex: secrets/wifi\.yaml
+ key_groups:
+ - age:
+ - *admin_ppetru
+ - *server_stinky
 - path_regex: secrets/alo-cloud-1\.yaml
 key_groups:
 - age:
diff --git a/common/wifi.nix b/common/wifi.nix
new file mode 100644
index 0000000..2decc8e
--- /dev/null
+++ b/common/wifi.nix
@@ -0,0 +1,38 @@
+{ config, lib, ... }:
+{
+ # WiFi configuration for NixOS hosts
+ # Import this module on hosts that should connect to WiFi
+ # Credentials stored in secrets/wifi.yaml (access controlled via .sops.yaml)
+
+ sops.secrets.wifi-password-pi = {
+ sopsFile = ./../secrets/wifi.yaml;
+ };
+
+ networking.wireless = {
+ enable = true;
+ networks = {
+ "pi" = {
+ pskRaw = "ext:wifi-password-pi";
+ };
+ };
+ # Only enable on wireless interface, not ethernet
+ interfaces = [ "wlan0" ];
+ };
+
+ # Prefer wifi over ethernet, but keep ethernet as fallback
+ networking.dhcpcd.extraConfig = ''
+ # Prefer wlan0 over ethernet interfaces
+ interface wlan0
+ metric 100
+
+ interface eth0
+ metric 200
+ '';
+
+ # Persist wireless configuration across reboots (for impermanence)
+ environment.persistence.${config.custom.impermanence.persistPath} = {
+ files = [
+ "/etc/wpa_supplicant.conf"
+ ];
+ };
+}
diff --git a/hosts/stinky/default.nix b/hosts/stinky/default.nix
index 7894b0c..1e9c9d3 100644
--- a/hosts/stinky/default.nix
+++ b/hosts/stinky/default.nix
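Review bot: The new rule lets only `*admin_ppetru` and `*server_stinky` decrypt `secrets/wifi.yaml`, while the module that consumes it is added under `common/` and describes itself as importable by any host that should use WiFi; a second host importing it would presumably fail at secret activation until its age key is added here and the file is re-encrypted. Keeping the recipient list this narrow is the right default, so I would document the coupling rather than widen it, e.g. `# wifi.yaml: add the age key of every host importing common/wifi.nix, then run sops updatekeys`. The `creation_rules` list continues outside this hunk, so the ordering of this rule relative to the others could not be checked.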
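Review bot: `pskRaw = "ext:wifi-password-pi"` has nothing to resolve against, because the module declares the sops secret but never sets `networking.wireless.secretsFile`, which is what makes wpa_supplicant look up `ext:` names (unless it is set elsewhere, outside this patch). That file must hold `name=value` lines, whereas the decrypted sops secret is the bare value, so a sops-nix template is the usual bridge, as sketched below. Separately, with `networks` declared the configuration is generated by NixOS, so persisting `/etc/wpa_supplicant.conf` looks unnecessary and would keep any imperatively written credentials on the persistent volume; I would drop it or add a comment saying why it is needed. The `lib` argument is unused.

```nix
# … unchanged: sops.secrets.wifi-password-pi …

# wpa_supplicant's ext: lookup reads name=value lines from secretsFile
sops.templates."wifi-secrets".content = ''
  wifi-password-pi=${config.sops.placeholder.wifi-password-pi}
'';

networking.wireless = {
  enable = true;
  secretsFile = config.sops.templates."wifi-secrets".path;
  # … unchanged: networks, interfaces …
```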
@@ -11,6 +11,7 @@ ../../common/resource-limits.nix ../../common/sshd.nix ../../common/user-ppetru.nix + ../../common/wifi.nix # Note: No systemd-boot.nix - Raspberry Pi uses generic-extlinux-compatible (from sd-image module) ./hardware.nix ]; diff --git a/secrets/wifi.yaml b/secrets/wifi.yaml new file mode 100644 index 0000000..480ac55 --- /dev/null +++ b/secrets/wifi.yaml @@ -0,0 +1,25 @@ +wifi-password-pi: ENC[AES256_GCM,data:uNL8QJxy0tvV2g==,iv:AQyc9j0UpdFnuDFRWEHcIAh0VB4/F8K9YV710ZXynAE=,tag:DmNYDI/2rJ+LQCDcROyqdg==,type:str] +sops: + age: + - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUd1lyZG9GVHBZZHU0Wkl5 + RFJ2NUdtUFRUbmd3aTRFV2dGaVA2S3RWOGk0CmlLV2ZYdERvb21iT0dlUk42TW5S + LzdxVlA1U1FpWkxIb1pMeUtRRm9NdFkKLS0tIGszaFM0dkhHeWZUcXc1dlo3SDBX + WjltV282VlJtTlBCRmdzOU16R0x5UUUKBTFArSUNWtq7r+HduxT0ChvYfjo8HtbG + KeYBoB9QwY5wNRMlk0AIlJVNLKW8A2tC9T8ehbtjol13H7PQK+wsQQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1me78u46409q9ez6fj0qanrfffc5e9kuq7n7uuvlljfwwc2mdaezqmyzxhx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4THVFa1p5c2l5V0pKckVC + YUdYbitJbUpjclAydG4yekxhbXdzeDNpbXdRCnRCZVI1cWJiQi9TdkR3Y0E5TklO + T2dHYXFKeW9KSkdXOWFnbWVRQUZOL28KLS0tIDVMVldvd0NWcU5QWkhDTTBmUTla + aUs0dTB3Y3RXTlBCOCtYSHdOMUYxdTgKQShxsJ+3EQU18uixmM3FlCe5C9Rl3oS5 + gwZIrh0amSzX3f9SOjf42h1d+IDL/DMWAlSA/3XMx8TK9A1zKZDgVA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-28T17:05:45Z" + mac: ENC[AES256_GCM,data:iND5pd6isGy+zhmcgQQD+n9MiNS5xOfqnijpyXtZP/bXyEzzAZ3SvIkPiNvyLbuXCY99AH+AOOvPmQJtGs6RfBtH1qyD/1oiiJLX4Y06BCtI1Vuyrn21S3fYMrlx6aYEIQsKjo7DEo2v1VENSKF+WmrhxngtdmQJxpuFj09oKSM=,iv:dOJuTX0WSW1IcwBGUbIHsBkNMDl7Okw+K37LZQnFbbU=,tag:xX1/+gpIosTV8ChPVbFi2w==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0
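Review bot: The `data:` field of the `wifi-password-pi` ciphertext is as long as the plaintext, since sops encrypts each value with AES-GCM and adds no padding, so the committed file shows the passphrase to be about 10 bytes long. If this repository is readable by others, a long random passphrase, or storing the 64-hex-digit derived PSK so the length is constant, avoids publishing that; confirm first that the `ext:` lookup accepts the hex form on the deployed wpa_supplicant version. No change to the sops metadata itself is needed.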