stinky wifi

.sops.yaml

@@ -41,6 +41,11 @@ creation_rules:
       - age:
         - *admin_ppetru
         - *server_stinky
+  - path_regex: secrets/wifi\.yaml
+    key_groups:
+      - age:
+        - *admin_ppetru
+        - *server_stinky
   - path_regex: secrets/alo-cloud-1\.yaml
     key_groups:
       - age:

common/wifi.nix

@@ -0,0 +1,38 @@
+{ config, lib, ... }:
+{
+  # WiFi configuration for NixOS hosts
+  # Import this module on hosts that should connect to WiFi
+  # Credentials stored in secrets/wifi.yaml (access controlled via .sops.yaml)
+
+  sops.secrets.wifi-password-pi = {
+    sopsFile = ./../secrets/wifi.yaml;
+  };
+
+  networking.wireless = {
+    enable = true;
+    networks = {
+      "pi" = {
+        pskRaw = "ext:wifi-password-pi";
+      };
+    };
+    # Only enable on wireless interface, not ethernet
+    interfaces = [ "wlan0" ];
+  };
+
+  # Prefer wifi over ethernet, but keep ethernet as fallback
+  networking.dhcpcd.extraConfig = ''
+    # Prefer wlan0 over ethernet interfaces
+    interface wlan0
+    metric 100
+
+    interface eth0
+    metric 200
+  '';
+
+  # Persist wireless configuration across reboots (for impermanence)
+  environment.persistence.${config.custom.impermanence.persistPath} = {
+    files = [
+      "/etc/wpa_supplicant.conf"
+    ];
+  };
+}

hosts/stinky/default.nix

@@ -11,6 +11,7 @@
     ../../common/resource-limits.nix
     ../../common/sshd.nix
     ../../common/user-ppetru.nix
+    ../../common/wifi.nix
     # Note: No systemd-boot.nix - Raspberry Pi uses generic-extlinux-compatible (from sd-image module)
     ./hardware.nix
   ];

secrets/wifi.yaml

@@ -0,0 +1,25 @@
+wifi-password-pi: ENC[AES256_GCM,data:uNL8QJxy0tvV2g==,iv:AQyc9j0UpdFnuDFRWEHcIAh0VB4/F8K9YV710ZXynAE=,tag:DmNYDI/2rJ+LQCDcROyqdg==,type:str]
+sops:
+    age:
+        - recipient: age1df9ukkmg9yn9cjeheq9m6wspa420su8qarmq570rdvf2de3rl38saqauwn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUd1lyZG9GVHBZZHU0Wkl5
+            RFJ2NUdtUFRUbmd3aTRFV2dGaVA2S3RWOGk0CmlLV2ZYdERvb21iT0dlUk42TW5S
+            LzdxVlA1U1FpWkxIb1pMeUtRRm9NdFkKLS0tIGszaFM0dkhHeWZUcXc1dlo3SDBX
+            WjltV282VlJtTlBCRmdzOU16R0x5UUUKBTFArSUNWtq7r+HduxT0ChvYfjo8HtbG
+            KeYBoB9QwY5wNRMlk0AIlJVNLKW8A2tC9T8ehbtjol13H7PQK+wsQQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1me78u46409q9ez6fj0qanrfffc5e9kuq7n7uuvlljfwwc2mdaezqmyzxhx
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4THVFa1p5c2l5V0pKckVC
+            YUdYbitJbUpjclAydG4yekxhbXdzeDNpbXdRCnRCZVI1cWJiQi9TdkR3Y0E5TklO
+            T2dHYXFKeW9KSkdXOWFnbWVRQUZOL28KLS0tIDVMVldvd0NWcU5QWkhDTTBmUTla
+            aUs0dTB3Y3RXTlBCOCtYSHdOMUYxdTgKQShxsJ+3EQU18uixmM3FlCe5C9Rl3oS5
+            gwZIrh0amSzX3f9SOjf42h1d+IDL/DMWAlSA/3XMx8TK9A1zKZDgVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-28T17:05:45Z"
+    mac: ENC[AES256_GCM,data:iND5pd6isGy+zhmcgQQD+n9MiNS5xOfqnijpyXtZP/bXyEzzAZ3SvIkPiNvyLbuXCY99AH+AOOvPmQJtGs6RfBtH1qyD/1oiiJLX4Y06BCtI1Vuyrn21S3fYMrlx6aYEIQsKjo7DEo2v1VENSKF+WmrhxngtdmQJxpuFj09oKSM=,iv:dOJuTX0WSW1IcwBGUbIHsBkNMDl7Okw+K37LZQnFbbU=,tag:xX1/+gpIosTV8ChPVbFi2w==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0