wireguard: add momo network

2024-09-13 15:45:20 +02:00 · 2024-09-13 15:45:20 +02:00 · 32f46d4d7d
parent edc1f68670
commit 32f46d4d7d
4 changed files with 82 additions and 0 deletions
--- a/hosts/stroopwafel/networking.nix
+++ b/hosts/stroopwafel/networking.nix
@ -42,6 +42,16 @@
    privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
  };

+  age.secrets.wg-momo-key.file = "${flake.self}/secrets/wg-momo-stroopwafel.age";
+
+  pub-solar.wireguard.momo = {
+    ownIPs = [
+      "10.30.30.200/32"
+      "fd00:3030:3030:3030:3030:200::/96"
+    ];
+    privateKeyFile = config.age.secrets.wg-momo-key.path;
+  };
+
  age.secrets.wg-ehex-key.file = "${flake.self}/secrets/wg-ehex-stroopwafel.age";

  pub-solar.wireguard.ehex = {
--- a/modules/wireguard/momo.nix
+++ b/modules/wireguard/momo.nix
@ -0,0 +1,49 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.pub-solar.wireguard.momo;
+in {
+  options.pub-solar.wireguard.momo = {
+    ownIPs = lib.mkOption {
+      description = "Internal ips in wireguard used for cluster control-plane communication.";
+      type = lib.types.listOf lib.types.str;
+      default = [];
+    };
+
+    privateKeyFile = lib.mkOption {
+      description = "Location of private key file";
+      type = lib.types.path;
+    };
+  };
+
+  config = lib.mkIf (lib.length cfg.ownIPs != 0) {
+    networking.firewall.allowedUDPPorts = [51823];
+
+    systemd.network.wait-online.ignoredInterfaces = ["wg-momo"];
+
+    systemd.services.wireguard-wg-momo = import ./service-override.nix lib;
+
+    networking.wireguard.interfaces = {
+      wg-momo = {
+        listenPort = 51823;
+        mtu = 1300;
+        ips = cfg.ownIPs;
+        privateKeyFile = cfg.privateKeyFile;
+        peers = [
+          {
+            endpoint = "pioneer.momo.koeln:51820";
+            publicKey = "W9Vn2yv+AZjOD7sqKp4DyMbIz5N++Vjlr+6J3BnXj3o=";
+            allowedIPs = [
+              "10.30.30.1/32"
+              "fd00:3030:3030:3030:3030:1::/96"
+            ];
+            persistentKeepalive = 15;
+            dynamicEndpointRefreshSeconds = 30;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -98,6 +98,8 @@ in {

  "wg-pub-solar-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;

+  "wg-momo-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+
  "wg-ehex-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;

  "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
--- a/secrets/wg-momo-stroopwafel.age
+++ b/secrets/wg-momo-stroopwafel.age
@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 b0WFDg 3wxrL9Fig5w2rrsmoXv1m3e91MvSkxIKM+n7EmZLm1U
+FvNYfDG5DjgxwuJAdyk4T37bel78zse5QmKvNGHjXo4
+-> ssh-rsa kFDS0A
+nTYzer2lsDlpBS5neQE3arva2/HOyXYobP/qY7fyry24Es/zdhOq6IrzcnJKPdCl
+ORCfI/tuu8SZAm9VcEKstKXNmwY+eTGfjHVd+gnoExpyKMI8nW2Kez28vXnalzEG
+V+hvn/NAIgUtY8n5e1mVpBaDsOatasYdKjYD1v45IyPh5yZbhki1JRVOJL5OF42V
+GLaqLLQYZIT3YHXuHj3REvZWVP9ZBlvKne4lVm3zZ1cXTf1awBFRYvJI4sPe+GxB
+uRW7D7dJJPuBHCRiViisJMaz+8PwtjjCj+4A6jjZbspndjL+xsdQbUfryWisFwtN
+Jqj8W5xg6uJDCWrfFfYN+O+ClSQ7992/aX9yx9vf/rqC4K7dnUiO1O1136kSTXuS
+dh49Tb9ONvfEdp8Om4SmLdFEsNHLckxXcfzpCCx4R9msOL2TsakIPvi3uBREys4c
+49xlqWC1H9aqcjNU9APM8JjDBjQEyZMrW9Zl/GHHUmaWQME2U4u/ka/jk27mqfb7
+mskGksky9xz75yTdNtuvkns8QjRx9WO7SeDJzEv6/WRAbNQ8nX6mCmImgdKx1i+Q
+n2pkilMADyimImPItFLF/kJd4059EpDDjMM89GfmZWHQJB0+7Xy1SHFdcxrYJeQ6
+yxId0LYkpW2VMjAXnLPu4Am2sT6qkFzLntA7EaWPopY
+-> piv-p256 zqq/iw A71S3qDKdeMrCnyW3pXruuLgUTlLCzyHckQUeSYA4Wfj
+6HsilO+d3W18QSbmECvdqcV68H82LA+TUWmknluFgDM
+-> piv-p256 vRzPNw A+wAMWJhrKchxamL7DqBKXOQmG7WxLFQ/jLW7Zn1GwO+
+2W6yCPmuW7vrJzAtASD/bUwmyAHq0Ru8RtQWFYVJ14s
+--- R0PZIvmP3N0GX+CdSD7INWWDBW55w885gKLfkB4J0TM
+0Rkb‚yeÊ~µ¾öu²÷áª‘M¾óÌ_ÇÞÇŒ$Z¿©é<01>o°C<C2B0>ì¾°:Ö mù¯m™“0¾ÅïJ`i‹WsëPÏ,T@>“œ<E2809C>|