1
0
Fork 0
forked from pub-solar/infra

wireguard: add trinkgenossin, delite, blue-shell

This commit is contained in:
teutat3s 2024-08-25 00:13:53 +02:00
parent 15b507904f
commit d32abd7a7f
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
16 changed files with 305 additions and 12 deletions

View file

@ -139,15 +139,15 @@
sshUser = username;
};
trinkgenossin = {
#hostname = "trinkgenossin.wg.pub.solar";
hostname = "trinkgenossin.wg.pub.solar";
sshUser = username;
};
delite = {
#hostname = "delite.wg.pub.solar";
hostname = "delite.wg.pub.solar";
sshUser = username;
};
blue-shell = {
#hostname = "delite.wg.pub.solar";
hostname = "blue-shell.wg.pub.solar";
sshUser = username;
};
};

View file

@ -12,8 +12,6 @@
"ip=dhcp"
];
services.openssh.openFirewall = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#

View file

@ -7,7 +7,7 @@
./disk-config.nix
./networking.nix
#./wireguard.nix
./wireguard.nix
#./backups.nix
];
}

View file

@ -0,0 +1,49 @@
{
config,
pkgs,
flake,
...
}:
let
wireguardIPv4 = "10.7.6.7";
wireguardIPv6 = "fd00:fae:fae:fae:fae:7::";
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/blue-shell-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"${wireguardIPv4}/32"
"${wireguardIPv6}/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
];
};
};
services.openssh.listenAddresses = [
{
addr = wireguardIPv4;
port = 22;
}
{
addr = "[${wireguardIPv6}]";
port = 22;
}
];
}

View file

@ -12,8 +12,6 @@
"ip=dhcp"
];
services.openssh.openFirewall = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#

View file

@ -7,7 +7,7 @@
./disk-config.nix
./networking.nix
#./wireguard.nix
./wireguard.nix
#./backups.nix
];
}

View file

@ -0,0 +1,49 @@
{
config,
pkgs,
flake,
...
}:
let
wireguardIPv4 = "10.7.6.6";
wireguardIPv6 = "fd00:fae:fae:fae:fae:6::";
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/delite-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"${wireguardIPv4}/32"
"${wireguardIPv6}/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
];
};
};
services.openssh.listenAddresses = [
{
addr = wireguardIPv4;
port = 22;
}
{
addr = "[${wireguardIPv6}]";
port = 22;
}
];
}

View file

@ -47,6 +47,33 @@
"fd00:fae:fae:fae:fae:4::/96"
];
}
{
# trinkgenossin.pub.solar
endpoint = "85.215.152.22:51820";
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
}
{
# delite.pub.solar
endpoint = "5.255.119.132:51820";
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
}
{
# blue-shell.pub.solar
endpoint = "194.13.83.205:51820";
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
}
];
};
};

View file

@ -14,8 +14,6 @@
"ip=dhcp"
];
services.openssh.openFirewall = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#

View file

@ -6,7 +6,7 @@
./configuration.nix
./networking.nix
#./wireguard.nix
./wireguard.nix
#./backups.nix
];
}

View file

@ -0,0 +1,49 @@
{
config,
pkgs,
flake,
...
}:
let
wireguardIPv4 = "10.7.6.5";
wireguardIPv6 = "fd00:fae:fae:fae:fae:5::";
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/trinkgenossin-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"${wireguardIPv4}/32"
"${wireguardIPv6}/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
];
};
};
services.openssh.listenAddresses = [
{
addr = wireguardIPv4;
port = 22;
}
{
addr = "[${wireguardIPv6}]";
port = 22;
}
];
}

View file

@ -0,0 +1,43 @@
age-encryption.org/v1
-> ssh-ed25519 eP5MMw xAObv9OBtCMHWnbnO9b9w5fiG3tkJJTvjFNWmYmGfhQ
sXmgq1drzY3rap8aD8/iMbMgjGkajfENkBQDdK/2TKQ
-> ssh-ed25519 uYcDNw sxw3K1xYG+OZQy+4U2UfX//ZElPaCieANzFHanJxfxw
VyhqjYppfHVb2jTceXLL/yYwEJE2uD9TY4PliHu7c0E
-> ssh-rsa f5THog
hRIMIg4P7SOOS3IGr2vF/TAdvgAXjJ8CbjKQt+Bd8MUjxf769rD3bln3lF3DlfIU
RMkicdnwRdWTnqp+HyV0/UsD4ZzVb0YY+ntK6wujqgEwhpef9NOE2Hsiyvv228l5
pu6eUTrosmb0ysnw8zRmr4RYdv1+MsD9gbnLOnnuHkA+i28jAE6o4gXIdnKfDcIk
ptJISTFwyzz+q8UvdfO4YGRBL4zSoWM5VEQS0IPjrt4+qBlOyC2IlXz1/aaGZk41
ODgPUO68USpzFsLqsmRJJQOMxxkdnYWy4DoeHKUyZI4YO0t94zVEHIS3x6w2l+/Q
9r7TdKXxniLFYW9t5+28ez5XfLruapXroA8kp2hy3S7ybuOyB2MIfCXVvK0kiOfw
2kZnv7LvL4BLUMtgPKoAxj8Pzpi8HzFGxQudqNwSkjb4bvFg8eej0oP/WhvFalsY
MGSdlFJkKKeLWh8MzmD2WXHJ5yVcRFHydyWGMHlZJ4soi0I3gTSQaNSPUxWtFSd3
Trk3Jz4Qrd7EA6y6wn2Jc4xCX+cWb8Q3nrXVZJL/FSxss+zstQit5O3BwWupJQLt
ubyqLxQI/PKP/gIU8sGhwKDWGjZUlwvjPBG+EdWJAxoI7S7+4UxkGgsNvx67VKgi
xxz3ANlHPbGLgAZTtEk5AqHWLWE6ZRn/7i3Qv1HWZJ4
-> ssh-rsa kFDS0A
OqNv7KThlRd0aD1gixsI2LVb+Zj2r7OVm4lUD/UJ0WVe/ihlcBAeEj8noqNA3zgH
djO53WpAkGrbt8CejuQcPYLyw8Bdk++cBu9Po+X0dAp2cCPqakgIpEI6qG1uiEty
LOOF13TivCB802UrJmX/8HLDV3yv7IWIr2XV0V8s5UvasYlgCt1eg4suhXIngnJG
wd7WFnXwtNtR/UcnWtpE8c6p5kaAn4wSAtx6hFqnkN5ANjKXHy29NkFR1Lgu55OU
qoJPpcZpvEESYMQfPvfuCUSZgcSvJE8B1MJZzxdKBHFiaWa7BkkWOL2KNIARFji5
nBrGzGLV9IaHWsS0UfIWixvM3OPl4wgwpdLtVJsnLX/ggFZrZmj+iR5DdqurfW7E
0a8Ie1NKK7FU+HnzEk6+8aiDb0QozEhrmaE5olc8dBOKK13e1idDTCsquaQcSOEh
DBP8r0LhqU7YwnNF6UpQiYs3Zs2HyPegfz2GwB3yeaHqc7+MnXm/j4B5qUcX5naz
llQoNfddAtoXGeK3G0yjugkSluValw6o2hQ+4iRx4n1f3dVcurXkBr9fjCKMmjC4
qbOHhsBU4dHCvFIOXY27Xvq5qZ4/ceNb6fq/NXvkD87eePMLg9R9hmtTaCDlEN2d
a350/FxlWOZXEox+mRZhE+mE5qSIg+LbnFZ+zjWq+yc
-> piv-p256 vRzPNw AzwIBCtS5Tx/zuFHRYsYSOffxAE79O5foV+ndpw0hR1t
HDmWtvUS9wSnlNjbkD0Rc0jQ4tNhqpcqpeztW1GXC3g
-> piv-p256 zqq/iw Av5ZYxbCJrjUImhX7hoO8nxtWEtd7mPWhofwCxtW5GNI
tB/mFmw4U2NbeDKdasi/Z99VggQYhnv6+n9+VJekq/k
-> ssh-ed25519 YFSOsg nl0SHBFBylYgoy4qrZ851AQ6NLuDpXtIQ5WffqQPckU
/yk/gT3enujLcjHkYuE0XGUDrYUEEzvyPvIlKhHtf5c
-> ssh-ed25519 iHV63A 2Gq6dIvLDJQmwgQwxhqrPpubkToiseczLkobeCZiOSA
IXddfsh84BrA0v6X/SjqoFbUfJfw3v+zD3Dk5RdsfAE
-> ssh-ed25519 BVsyTA 9oRVFqCqPoQ35/u+Cg4dPkG4eXw7vSRaPwhel430TGE
C54Ofc94lPFMGLljqY4Ag0AhM/MHWeZjZ6x1fmyMmqI
-> ssh-ed25519 +3V2lQ 2g1xRrQZy30nCaDq6RtfXQfUchtD8oOnmGYX+A2venQ
oop5rNpGKvTUOLGN2HGc7B63H/8XYrhO+XsCjsKfPgA
--- cMgwwO4kfMX17njkjYczc4R6FVRwC+cpK37g2cFAapc
È `Ñ<>Xéø¶Ó“¡;êR…Vàâ]tbM"N4×Éa§êš/æI×Bâ7Qòe‡MÑ §ºÀnpʱ£†ç2Å}Éz-R4E<34>ÀN

Binary file not shown.

View file

@ -21,6 +21,12 @@ let
metronomKeys = [ metronom-host ];
trinkgenossinKeys = [ trinkgenossin-host ];
deliteKeys = [ delite-host ];
blueshellKeys = [ blue-shell-host ];
garageKeys = [
trinkgenossin-host
delite-host
@ -35,6 +41,9 @@ in
"tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys;
"flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
"metronom-wg-private-key.age".publicKeys = metronomKeys ++ adminKeys;
"trinkgenossin-wg-private-key.age".publicKeys = trinkgenossinKeys ++ adminKeys;
"delite-wg-private-key.age".publicKeys = deliteKeys ++ adminKeys;
"blue-shell-wg-private-key.age".publicKeys = blueshellKeys ++ adminKeys;
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;

View file

@ -0,0 +1,43 @@
age-encryption.org/v1
-> ssh-ed25519 NID4eA Q3E8hBMDQRxoJx6UGzECMZmkffdgyYlhGaloKFNmxw0
37DKT5sgmAEritSoPuW+O5dvjCH23pOAdFyJG0TnY6w
-> ssh-ed25519 uYcDNw zgfSabCBntiTnc0fdfDzpkq/AwUXSpyvsA14gkatP3w
tLbZDE6UB/xvC153mSGcGSSWKH+Ph1Ek5D+JTrWjzdk
-> ssh-rsa f5THog
0THw5q/Aa/wCzfqO/9YFBOvSfISS/O2cMHBlQ7NXzF2hlj+hzGjJeL2USmL8iZ7X
YToH0oy8lreVRYxfi/LUMyg14hQf11hTekT/sKc8m5eBm+8WiHbWJsQJKdRg6WVO
B2Ju+3QIZXBk7ajCIcVjgoJQy1JydXm5YQkZnI69icdtAEnYSEoVEpaPHkT7Et65
UUC/eegltWFSeJl4bzgceVXO3VtszoG/KkL7ToT2WX2Hbnb4R3U8cWLOTr4I6hzM
90h6mNaorm3bd5fysOoU3G531/eAqcC7QZQQGyCOEBBHgx0w32ZKpjqu8q8c/f0M
VMOgE0JfK4/iB5E3dwGqRZ2G8iXu/cx0CQY98YAFCDOYExMsQzFXzqKq8KecVd+g
vaj598KJFxYskwrkGNXwIds2lPCte3HIa9XcGeQ4svaLYdQw5zsSIF32zOwAbxRn
1ABzp/T7V3BYyykJbeJi3UMoHUo3nsq75xClmXRnlTvQ7I0x62DrXdMNE9tJtqAF
lVUeD7gKlDPmYMK0QKbxFHYTVbdJ3d7UbJUgb2SxHpm5I8J7Wx29p6gLN7+swdIg
+y0Z8+qcABkeVHQ9OWwV0XYdMdLFovnc0pDAEvHL4rxv3E8W2Nv2mm0xW7I4HcG0
h9uJ2lU4mn60YqBtso/cu+LzUHIPcHji5sRK8/qu+Tg
-> ssh-rsa kFDS0A
kXXvKZebwQLFofayT/0SFzdFl0e8xQbUJf+q47YHmPMlJY7nsQBs1fvmQsp7fsfW
TRdh14uVImErEQsuqNYgYDR/jBUVtRkySOXde8Q9QM/CZwwR7NMu8P2vBzZ6uXKL
amlZS8iYXWJKRgmxsgiONFZwfcB9TWhaDYsmeqFxV6ui2LGgtCBllttYzvyVNWZI
NXMg0bbkLd+I2svBSBX/p8rECxq5gUmr8PB2k+yrHuXJvnR8Hop7YjvbrC2qSy5r
6OOTButBV7cILTf03DPvd3f61uUqm/NapxN4UdEZDTmOYud2dF8Eqw+BCNIT2wZr
/KD49ElPlcWM8cCxBGaSTTT66mP3FWwIcCZVfdVrhf//TN/SAo+lcoN7m/p9Uj0i
Y5nM3JR7ZuiLHfXu+fTHBiWnWBtLkPYUDlGIGlFGinMQwi4CMqoUY7jROdjHuPkt
S0VK2ViRxBB5Z5tQSnL02+TNsDd+CDURRiBgWfdmk1kkh9o2SrSiGcxCV03UVEaE
4Q07ZjKJF9HeC6goK+QjSOvLHS2qHyJznUty7nAiAS+yPDlq6m13/dFTvFii7H2h
UJ+5MJcVHLd6VQhzjmwTQXCrbTn/FI2LkZgR4HPRFDElkmnMUV1NU/2gkwm7Z0gu
RaEAuYMoKZNBQ6eQgANst+LFA7ctwpz/d0PB8Gvjf6g
-> piv-p256 vRzPNw AmCpZNeI8ggIr211niro2CalG6ELXYubjXj2J01eSwL+
IPXLB01UKFj7tptbB7FmNbbjDGrqbEoizjNzzJvNsXs
-> piv-p256 zqq/iw Auwb+rr9JfTX9VoTKaDobEGFPIwJZUFAMolG8SvZ5ix6
+e5IWW7Sxy1T2F0Ykm1tKQIvGGJFODIrNdvrCKREvrI
-> ssh-ed25519 YFSOsg 5Eeo3PIUgfRgPrY/eR6aps8UB2NNNr9YJswZ5mPj5Fk
cN4Dwp+ZFN8UCptfVsAp3iGesYhry7umwGc77jom2Vo
-> ssh-ed25519 iHV63A RMH4ezLwPxlf9cLgFlWSrGMDdlySpIr22O3Nr4ESgkg
8Ll31aL8PCOFp5+TIhv7qYVzjnBMepWJSlT6PGBMtdM
-> ssh-ed25519 BVsyTA 9yQZMVRpIitqx4ggP9pswC2VBmtKHR8FqIiLAq6wdCs
g/dA5SXBUNyLFGuOEVwsPIu2sEyAS4y+5RlccymLfL0
-> ssh-ed25519 +3V2lQ unqrENNB2tJvICc/nAi31TZ8c7ilbFreww51f/Mi4nQ
y7QWtFtEUq8elK+Q2HxpGav3nx3dxDQd5ikn9DpIJ20
--- SJo44grQsKFl8WMnva4kMp88kMZ9D3EWnm3mN0Oe15c
~°ÙìÚŒx̆Il`<60>u²”˜ôÿÁÙ@«Ž'B#ÅRaˆ Ù£;«ã(»ÃÎïŠ<C3AF>Šò˜åŽ³&G3<Q<>sH‰ª~G ò)½¡®

View file

@ -24,6 +24,21 @@ resource "namecheap_domain_records" "pub-solar" {
type = "A"
address = "10.7.6.4"
}
record {
hostname = "trinkgenossin.wg"
type = "A"
address = "10.7.6.5"
}
record {
hostname = "delite.wg"
type = "A"
address = "10.7.6.6"
}
record {
hostname = "blue-shell.wg"
type = "A"
address = "10.7.6.7"
}
record {
hostname = "nachtigall.wg"
type = "AAAA"
@ -44,6 +59,21 @@ resource "namecheap_domain_records" "pub-solar" {
type = "AAAA"
address = "fd00:fae:fae:fae:fae:4::"
}
record {
hostname = "trinkgenossin.wg"
type = "AAAA"
address = "fd00:fae:fae:fae:fae:5::"
}
record {
hostname = "delite.wg"
type = "AAAA"
address = "fd00:fae:fae:fae:fae:6::"
}
record {
hostname = "blue-shell.wg"
type = "AAAA"
address = "fd00:fae:fae:fae:fae:7::"
}
record {
hostname = "flora-6"
type = "A"