b12f/os
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

wireguard: add pub.solar wireguard config

Browse source
This commit is contained in:
Benjamin Yule Bädorf 2024-04-03 21:55:30 +02:00
parent 163e96c560
commit 09d6f74e1a
Signed by: b12f
GPG key ID: 729956E1124F8F26
5 changed files with 105 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
hosts/stroopwafel/networking.nix
View file

@ -31,4 +31,14 @@
endpoint = "146.70.134.2:3565";
};
};
age.secrets.wg-pub-solar-key.file = "${flake.self}/secrets/wg-pub-solar-stroopwafel.age";
pub-solar.wireguard.pub-solar = {
ownIPs = [
"10.7.6.200/32"
"fd00:fae:fae:fae:fae:200::/96"
];
privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
};
}

1
modules/wireguard/default.nix
View file

@ -7,5 +7,6 @@
imports = [
./private.nix
./tunnel.nix
./pub.solar.nix
];
}

68
modules/wireguard/pub.solar.nix Normal file
View file

@ -0,0 +1,68 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard.pub-solar;
in {
options.pub-solar.wireguard.pub-solar = {
ownIPs = mkOption {
description = "Internal ips in wireguard used for cluster control-plane communication.";
type = types.listOf types.str;
default = [];
};
privateKeyFile = mkOption {
description = "Location of private key file";
type = types.path;
};
};
config = mkIf (length cfg.ownIPs != 0){
networking.firewall.allowedUDPPorts = [51821];
systemd.services.wireguard-wg-pub-solar = {
enable = false;
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
networking.wireguard.interfaces = {
wg-pub-solar = {
listenPort = 51821;
mtu = 1300;
ips = cfg.ownIPs;
privateKeyFile = cfg.privateKeyFile;
peers = [
{
endpoint = "flora6.pub.solar:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
}
{
endpoint = "nachtigall.pub.solar:51820";
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
}
];
};
};
};
}

2
secrets/secrets.nix
View file

@ -84,6 +84,8 @@ in {
"wg-tunnel-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
"wg-tunnel-droppie.age".publicKeys = droppieKeys ++ baseKeys;
"wg-pub-solar-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
"invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
"invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;

24
secrets/wg-pub-solar-stroopwafel.age Normal file
View file

@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 b0WFDg FVT9AEwFAJ05+ximaSsEIdfW/HD7ZvUUFwwB26GDNQM
sWo3Cewxl6NFyj6+I5fFRv675ehncRsAA+oLNzO2jNs
-> ssh-rsa kFDS0A
gJiz5L1u7Y5UPeH1dcjkHOhMJ38taEuOt9tkTc+BRqjsGN50rW/gtJuJyBMwI3v5
odxVJcWgp6uZMMJdTN6L7e7YRcDbZUbbKYcnQbuAE3mb1y0WrZLRbLfWS7eNTB3d
CRNeqfVn7Tg2e/r2kwLWmZb2HdMn0t6Yv1adPkQ1kkmkrzHPfpgfxdyxZ1WzEOnV
g7WgxYw0mmLpnN2n1PPSSvAn/v8u4sj+7vMszoRIEgyVSRwDxKGR3qo2sKchSeUD
yZX56a6AJgHHBh7wUjURVd90HBzm4dKbC8zzir0ZygWGVrNf2ybnLPj1c7Hl+zlW
up6IwIGplWDkQY/fix1wVg+KBtphLkTVaW/3ZuyOu2q2JC/Vnprz1BuPpkWUC9lB
9RW5NjN8P03h1rPg7USPnN2Pyrc63pBG55fL/Xaohk8eedD65kpxuH0afUv7422t
95iG0SbEwAokJhTXkSDN8zMMxfn9c/+rJSUdQ7Qc5WyrvDePZw1zu104JV9Jlq9s
ArtR437UL2GZu1xs6tXFsfbxJdI/YfmlgjwofHdmukuOzFZPqUtBmCsOI3b22JaV
fYhlYHI0nQLbujSP31sm81xSBaIz6kH6yniospmLFIa3niXay9MnlEAM5ljUHBk/
GQtSQPt75y45FgkghYhDG+/av0CbgEOypbYrUvKuXqc
-> piv-p256 zqq/iw A7USudAooh1b3G9cLZoudZ8WuBJusE3gTmVU/3AaOoBh
O4OD1N2MQezfJI1m5kndsu0U7sG19EQHAL+mOSLK+Wc
-> piv-p256 vRzPNw Akjk82+BfO5tApOXVUCYwgXJer+y2VrUkmdoQRUSNHoR
ULJojv+NuRsw+ygQ1+8Kr8oNZ+0tioVW0aHvf7siUlA
-> !z&b-grease gi.# |_t^z\0J ),Y}>RlK ,qOur6S^
IImLm/0FMvQ1SnrbZXCdTT6LY5sm1UeKFNjMOGD5JXxSWaZYJ/FujzzDLAwNqDJN
PFnYFGHGv3TqxEDYpy9R+OAROsIgQeI
--- eYDSPRJJ8A2xQVO+ttl1doPz738sD2qo+hrE4S+KwwU
c{4O<34>ÐÊ«ªû£DœýxÂTF™€¨ÿTCÞè­'í³o-†KR¦—_¹JÇ¿]oÒý<''%3éÈ9HF¦UgÙ9