diff --git a/hosts/stroopwafel/networking.nix b/hosts/stroopwafel/networking.nix
index 8ac00ba..d194d30 100644
--- a/hosts/stroopwafel/networking.nix
+++ b/hosts/stroopwafel/networking.nix
@@ -41,4 +41,13 @@
 ];
 privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
 };
+
+ age.secrets.wg-ehex-key.file = "${flake.self}/secrets/wg-ehex-stroopwafel.age";
+
+ pub-solar.wireguard.ehex = {
+ ownIPs = [
+ "10.42.0.135/22"
+ ];
+ privateKeyFile = config.age.secrets.wg-ehex-key.path;
+ };
 }
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index a1de81d..b03e115 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -8,5 +8,6 @@
 ./private.nix
 ./tunnel.nix
 ./pub.solar.nix
+ ./ehex.nix
 ];
 }
diff --git a/modules/wireguard/ehex.nix b/modules/wireguard/ehex.nix
new file mode 100644
index 0000000..2f13c64
--- /dev/null
+++ b/modules/wireguard/ehex.nix
@@ -0,0 +1,74 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+with lib; let
+ psCfg = config.pub-solar;
+ cfg = config.pub-solar.wireguard.ehex;
+in {
+ options.pub-solar.wireguard.ehex = {
+ ownIPs = mkOption {
+ description = "Internal ips in wireguard used for cluster control-plane communication.";
+ type = types.listOf types.str;
+ default = [];
+ };
+
+ privateKeyFile = mkOption {
+ description = "Location of private key file";
+ type = types.path;
+ };
+ };
+
+ config = mkIf (length cfg.ownIPs != 0){
+ networking.firewall.allowedUDPPorts = [51822];
+
+ systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
+
+ systemd.services.wireguard-wg-ehex = {
+ after = [
+ "network.target"
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+
+ serviceConfig = {
+ Type = mkForce "simple";
+ Restart = "on-failure";
+ RestartSec = "30";
+ };
+
+ environment = {
+ WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+ };
+ };
+
+ networking.wireguard.interfaces = {
+ wg-ehex = {
+ listenPort = 51821;
+ mtu = 1300;
+ ips = cfg.ownIPs;
+ privateKeyFile = cfg.privateKeyFile;
+ postSetup = ''
+ printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
+ '';
+ postShutdown = ''
+ resolvconf -d wg-ehex -f
+ '';
+ peers = [
+ {
+ endpoint = "vpn-gateway.ehex.de:4242";
+ publicKey = "Fsg4KEyDEvQEt/1cVWU9xa/k9x/3UhONDj61aXZ7tys=";
+ presharedKey = "tQy7B5R3wOgWwIKFDcEr4WZIqCrwG+9UgPRIQx/5xso=";
+ allowedIPs = [ "10.42.0.0/22" "10.0.66.0/24" ];
+ persistentKeepalive = 15;
+ dynamicEndpointRefreshSeconds = 30;
+# DNS = 10.0.66.10, ehex.cloud,ehex.de
+# DNS = 10.0.66.12, ehex.cloud,ehex.de
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c21eb77..23b2f09 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
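Review bot: The wg-ehex peer's `presharedKey` is a string literal, which NixOS writes verbatim into the world-readable /nix/store (the option's own documentation points to `presharedKeyFile` for exactly this reason), and the value is now also in git history even though the private key on the same interface is correctly handled through agenix; move it into an age secret and set `presharedKeyFile = <path of that agenix secret>;`, and agree a new PSK with the ehex side since the committed one should be treated as exposed. Separately, `networking.firewall.allowedUDPPorts = [51822];` opens a different port than `listenPort = 51821;`, so either one number is a typo or the firewall line does nothing for this interface; if the tunnel is only ever dialed out to (the peer has `endpoint` and `persistentKeepalive = 15`), dropping the firewall line is the simpler fix. `psCfg` is bound but never used, and the `ownIPs` description ("cluster control-plane communication") looks copied from another module and does not describe this tunnel. The two commented-out `# DNS = …` lines suggest domain-scoped resolution was intended, but `postSetup` registers the 10.0.66.x resolvers with `resolvconf … -x`, which presumably makes them the exclusive resolvers for the whole host — confirm that is intended and note it in a comment either way.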
@@ -93,6 +93,8 @@ in {
 "wg-pub-solar-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+ "wg-ehex-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+
 "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
 "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
diff --git a/secrets/wg-ehex-stroopwafel.age b/secrets/wg-ehex-stroopwafel.age
new file mode 100644
index 0000000..9783f08
Binary files /dev/null and b/secrets/wg-ehex-stroopwafel.age differ