diff --git a/hosts/stroopwafel/networking.nix b/hosts/stroopwafel/networking.nix
index 2874432..c3c0e46 100644
--- a/hosts/stroopwafel/networking.nix
+++ b/hosts/stroopwafel/networking.nix
@@ -42,6 +42,16 @@
 privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
 };
 
+ age.secrets.wg-momo-key.file = "${flake.self}/secrets/wg-momo-stroopwafel.age";
+
+ pub-solar.wireguard.momo = {
+ ownIPs = [
+ "10.30.30.200/32"
+ "fd00:3030:3030:3030:3030:200::/96"
+ ];
+ privateKeyFile = config.age.secrets.wg-momo-key.path;
+ };
+
 age.secrets.wg-ehex-key.file = "${flake.self}/secrets/wg-ehex-stroopwafel.age";
 
 pub-solar.wireguard.ehex = {
diff --git a/modules/wireguard/momo.nix b/modules/wireguard/momo.nix
new file mode 100644
index 0000000..e54b6f0
--- /dev/null
+++ b/modules/wireguard/momo.nix
@@ -0,0 +1,49 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.pub-solar.wireguard.momo;
+in {
+ options.pub-solar.wireguard.momo = {
+ ownIPs = lib.mkOption {
+ description = "Internal ips in wireguard used for cluster control-plane communication.";
+ type = lib.types.listOf lib.types.str;
+ default = [];
+ };
+
+ privateKeyFile = lib.mkOption {
+ description = "Location of private key file";
+ type = lib.types.path;
+ };
+ };
+
+ config = lib.mkIf (lib.length cfg.ownIPs != 0) {
+ networking.firewall.allowedUDPPorts = [51823];
+
+ systemd.network.wait-online.ignoredInterfaces = ["wg-momo"];
+
+ systemd.services.wireguard-wg-momo = import ./service-override.nix lib;
+
+ networking.wireguard.interfaces = {
+ wg-momo = {
+ listenPort = 51823;
+ mtu = 1300;
+ ips = cfg.ownIPs;
+ privateKeyFile = cfg.privateKeyFile;
+ peers = [
+ {
+ endpoint = "pioneer.momo.koeln:51820";
+ publicKey = "W9Vn2yv+AZjOD7sqKp4DyMbIz5N++Vjlr+6J3BnXj3o=";
+ allowedIPs = [
+ "10.30.30.1/32"
+ "fd00:3030:3030:3030:3030:1::/96"
+ ];
+ persistentKeepalive = 15;
+ dynamicEndpointRefreshSeconds = 30;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index f0ab8c3..dadb0cd 100644
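Review bot: The `privateKeyFile` option in the new modules/wireguard/momo.nix documents only 'Location of private key file'; nothing states that the value must be a runtime path outside the Nix store, yet a string that interpolates a repo-relative file (a `"${./…}"` value) type-checks here and would land world-readable in `/nix/store`. I would extend the description, e.g. `description = "Absolute path of the WireGuard private key at runtime (a secrets-manager path such as an agenix path, never a file copied into the Nix store).";`. The `ownIPs` description, 'Internal ips in wireguard used for cluster control-plane communication.', reads as carried over from another module and should name this network instead. The UDP port 51823 is written twice (`allowedUDPPorts` and `listenPort`); binding it once in the `let` block, `port = 51823;`, and referencing it in both places keeps the firewall rule and the interface from drifting apart.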
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -98,6 +98,8 @@ in {
 "wg-pub-solar-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
 
+ "wg-momo-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+
 "wg-ehex-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
 
 "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
diff --git a/secrets/wg-momo-stroopwafel.age b/secrets/wg-momo-stroopwafel.age
new file mode 100644
index 0000000..036a19e
--- /dev/null
+++ b/secrets/wg-momo-stroopwafel.age
@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 b0WFDg 3wxrL9Fig5w2rrsmoXv1m3e91MvSkxIKM+n7EmZLm1U
+FvNYfDG5DjgxwuJAdyk4T37bel78zse5QmKvNGHjXo4
+-> ssh-rsa kFDS0A
+nTYzer2lsDlpBS5neQE3arva2/HOyXYobP/qY7fyry24Es/zdhOq6IrzcnJKPdCl
+ORCfI/tuu8SZAm9VcEKstKXNmwY+eTGfjHVd+gnoExpyKMI8nW2Kez28vXnalzEG
+V+hvn/NAIgUtY8n5e1mVpBaDsOatasYdKjYD1v45IyPh5yZbhki1JRVOJL5OF42V
+GLaqLLQYZIT3YHXuHj3REvZWVP9ZBlvKne4lVm3zZ1cXTf1awBFRYvJI4sPe+GxB
+uRW7D7dJJPuBHCRiViisJMaz+8PwtjjCj+4A6jjZbspndjL+xsdQbUfryWisFwtN
+Jqj8W5xg6uJDCWrfFfYN+O+ClSQ7992/aX9yx9vf/rqC4K7dnUiO1O1136kSTXuS
+dh49Tb9ONvfEdp8Om4SmLdFEsNHLckxXcfzpCCx4R9msOL2TsakIPvi3uBREys4c
+49xlqWC1H9aqcjNU9APM8JjDBjQEyZMrW9Zl/GHHUmaWQME2U4u/ka/jk27mqfb7
+mskGksky9xz75yTdNtuvkns8QjRx9WO7SeDJzEv6/WRAbNQ8nX6mCmImgdKx1i+Q
+n2pkilMADyimImPItFLF/kJd4059EpDDjMM89GfmZWHQJB0+7Xy1SHFdcxrYJeQ6
+yxId0LYkpW2VMjAXnLPu4Am2sT6qkFzLntA7EaWPopY
+-> piv-p256 zqq/iw A71S3qDKdeMrCnyW3pXruuLgUTlLCzyHckQUeSYA4Wfj
+6HsilO+d3W18QSbmECvdqcV68H82LA+TUWmknluFgDM
+-> piv-p256 vRzPNw A+wAMWJhrKchxamL7DqBKXOQmG7WxLFQ/jLW7Zn1GwO+
+2W6yCPmuW7vrJzAtASD/bUwmyAHq0Ru8RtQWFYVJ14s
+--- R0PZIvmP3N0GX+CdSD7INWWDBW55w885gKLfkB4J0TM
+0Rkbye~uM_nj$ZoC쾰: mm0J`iWsP,T@>|
\ No newline at end of file