wireguard: add pub.solar wireguard config

hosts/stroopwafel/networking.nix

@@ -31,4 +31,14 @@
       endpoint = "146.70.134.2:3565";
     };
   };
+
+  age.secrets.wg-pub-solar-key.file = "${flake.self}/secrets/wg-pub-solar-stroopwafel.age";
+
+  pub-solar.wireguard.pub-solar = {
+    ownIPs = [
+      "10.7.6.200/32"
+      "fd00:fae:fae:fae:fae:200::/96"
+    ];
+    privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
+  };
 }

modules/wireguard/default.nix

@@ -7,5 +7,6 @@
   imports = [
     ./private.nix
     ./tunnel.nix
+    ./pub.solar.nix
   ];
 }

modules/wireguard/pub.solar.nix

@@ -0,0 +1,68 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.wireguard.pub-solar;
+in {
+  options.pub-solar.wireguard.pub-solar = {
+    ownIPs = mkOption {
+      description = "Internal ips in wireguard used for cluster control-plane communication.";
+      type = types.listOf types.str;
+      default = [];
+    };
+
+    privateKeyFile = mkOption {
+      description = "Location of private key file";
+      type = types.path;
+    };
+  };
+
+  config = mkIf (length cfg.ownIPs != 0){
+    networking.firewall.allowedUDPPorts = [51821];
+
+    systemd.services.wireguard-wg-pub-solar = {
+      enable = false;
+
+      after = [
+        "network.target"
+        "network-online.target"
+        "nss-lookup.target"
+      ];
+
+      serviceConfig = {
+        Type = mkForce "simple";
+        Restart = "on-failure";
+        RestartSec = "30";
+      };
+
+      environment = {
+        WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+      };
+    };
+
+    networking.wireguard.interfaces = {
+      wg-pub-solar = {
+        listenPort = 51821;
+        mtu = 1300;
+        ips = cfg.ownIPs;
+        privateKeyFile = cfg.privateKeyFile;
+        peers = [
+          { 
+            endpoint = "flora6.pub.solar:51820";
+            publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+            allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
+          }
+          { 
+            endpoint = "nachtigall.pub.solar:51820";
+            publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+            allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
+          }
+        ];
+      };
+    };
+  };
+}

secrets/secrets.nix

@@ -84,6 +84,8 @@ in {
   "wg-tunnel-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
   "wg-tunnel-droppie.age".publicKeys = droppieKeys ++ baseKeys;
 
+  "wg-pub-solar-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+
   "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
   "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
 

secrets/wg-pub-solar-stroopwafel.age

@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 b0WFDg FVT9AEwFAJ05+ximaSsEIdfW/HD7ZvUUFwwB26GDNQM
+sWo3Cewxl6NFyj6+I5fFRv675ehncRsAA+oLNzO2jNs
+-> ssh-rsa kFDS0A
+gJiz5L1u7Y5UPeH1dcjkHOhMJ38taEuOt9tkTc+BRqjsGN50rW/gtJuJyBMwI3v5
+odxVJcWgp6uZMMJdTN6L7e7YRcDbZUbbKYcnQbuAE3mb1y0WrZLRbLfWS7eNTB3d
+CRNeqfVn7Tg2e/r2kwLWmZb2HdMn0t6Yv1adPkQ1kkmkrzHPfpgfxdyxZ1WzEOnV
+g7WgxYw0mmLpnN2n1PPSSvAn/v8u4sj+7vMszoRIEgyVSRwDxKGR3qo2sKchSeUD
+yZX56a6AJgHHBh7wUjURVd90HBzm4dKbC8zzir0ZygWGVrNf2ybnLPj1c7Hl+zlW
+up6IwIGplWDkQY/fix1wVg+KBtphLkTVaW/3ZuyOu2q2JC/Vnprz1BuPpkWUC9lB
+9RW5NjN8P03h1rPg7USPnN2Pyrc63pBG55fL/Xaohk8eedD65kpxuH0afUv7422t
+95iG0SbEwAokJhTXkSDN8zMMxfn9c/+rJSUdQ7Qc5WyrvDePZw1zu104JV9Jlq9s
+ArtR437UL2GZu1xs6tXFsfbxJdI/YfmlgjwofHdmukuOzFZPqUtBmCsOI3b22JaV
+fYhlYHI0nQLbujSP31sm81xSBaIz6kH6yniospmLFIa3niXay9MnlEAM5ljUHBk/
+GQtSQPt75y45FgkghYhDG+/av0CbgEOypbYrUvKuXqc
+-> piv-p256 zqq/iw A7USudAooh1b3G9cLZoudZ8WuBJusE3gTmVU/3AaOoBh
+O4OD1N2MQezfJI1m5kndsu0U7sG19EQHAL+mOSLK+Wc
+-> piv-p256 vRzPNw Akjk82+BfO5tApOXVUCYwgXJer+y2VrUkmdoQRUSNHoR
+ULJojv+NuRsw+ygQ1+8Kr8oNZ+0tioVW0aHvf7siUlA
+-> !z&b-grease gi.# |_t^z\0J ),Y}>RlK ,qOur6S^
+IImLm/0FMvQ1SnrbZXCdTT6LY5sm1UeKFNjMOGD5JXxSWaZYJ/FujzzDLAwNqDJN
+PFnYFGHGv3TqxEDYpy9R+OAROsIgQeI
+--- eYDSPRJJ8A2xQVO+ttl1doPz738sD2qo+hrE4S+KwwU
+c{4O<34>ÐÊ«ªû£DœýxÂT›F™_þ€¨‚ÿTCÞè­'í³o-†KR¦—_¹JÇ¿]oÒý<''%3éÈ9HF¦UgÙ9