From 9616093a2124737da4c666b9c8583726a909f450 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Tue, 11 Jun 2024 14:57:33 +0200
Subject: [PATCH] wireguard: add ehex vpn
---
 hosts/stroopwafel/networking.nix | 9 ++++
 modules/wireguard/default.nix | 1 +
 modules/wireguard/ehex.nix | 74 +++++++++++++++++++++++++++++++
 secrets/secrets.nix | 2 +
 secrets/wg-ehex-stroopwafel.age | Bin 0 -> 1185 bytes
 5 files changed, 86 insertions(+)
 create mode 100644 modules/wireguard/ehex.nix
 create mode 100644 secrets/wg-ehex-stroopwafel.age
diff --git a/hosts/stroopwafel/networking.nix b/hosts/stroopwafel/networking.nix
index 8ac00ba..d194d30 100644
--- a/hosts/stroopwafel/networking.nix
+++ b/hosts/stroopwafel/networking.nix
@@ -41,4 +41,13 @@
     ];
     privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
   };
+
+  age.secrets.wg-ehex-key.file = "${flake.self}/secrets/wg-ehex-stroopwafel.age";
+
+  pub-solar.wireguard.ehex = {
+    ownIPs = [
+      "10.42.0.135/22"
+    ];
+    privateKeyFile = config.age.secrets.wg-ehex-key.path;
+  };
 }
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index a1de81d..b03e115 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -8,5 +8,6 @@
     ./private.nix
     ./tunnel.nix
     ./pub.solar.nix
+    ./ehex.nix
   ];
 }
diff --git a/modules/wireguard/ehex.nix b/modules/wireguard/ehex.nix
new file mode 100644
index 0000000..2f13c64
--- /dev/null
+++ b/modules/wireguard/ehex.nix
@@ -0,0 +1,74 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  cfg = config.pub-solar.wireguard.ehex;
+in {
+  options.pub-solar.wireguard.ehex = {
+    ownIPs = mkOption {
+      description = "Internal ips in wireguard used for cluster control-plane communication.";
+      type = types.listOf types.str;
+      default = [];
+    };
+
+    privateKeyFile = mkOption {
+      description = "Location of private key file";
+      type = types.path;
+    };
+  };
+
+  config = mkIf (length cfg.ownIPs != 0){
+    networking.firewall.allowedUDPPorts = [51822];
+
+    systemd.network.wait-online.ignoredInterfaces = [ "wg-ehex" ];
+
+    systemd.services.wireguard-wg-ehex = {
+      after = [
+        "network.target"
+        "network-online.target"
+        "nss-lookup.target"
+      ];
+
+      serviceConfig = {
+        Type = mkForce "simple";
+        Restart = "on-failure";
+        RestartSec = "30";
+      };
+
+      environment = {
+        WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+      };
+    };
+
+    networking.wireguard.interfaces = {
+      wg-ehex = {
+        listenPort = 51821;
+        mtu = 1300;
+        ips = cfg.ownIPs;
+        privateKeyFile = cfg.privateKeyFile;
+        postSetup = ''
+          printf "nameserver 10.0.66.10\nnameserver 10.0.66.12" | resolvconf -a wg-ehex -m 0 -x
+        '';
+        postShutdown = ''
+          resolvconf -d wg-ehex -f
+        '';
+        peers = [
+          {
+            endpoint = "vpn-gateway.ehex.de:4242";
+            publicKey = "Fsg4KEyDEvQEt/1cVWU9xa/k9x/3UhONDj61aXZ7tys=";
+            presharedKey = "tQy7B5R3wOgWwIKFDcEr4WZIqCrwG+9UgPRIQx/5xso=";
+            allowedIPs = [ "10.42.0.0/22" "10.0.66.0/24" ];
+            persistentKeepalive = 15;
+            dynamicEndpointRefreshSeconds = 30;
+# DNS = 10.0.66.10, ehex.cloud,ehex.de
+# DNS = 10.0.66.12, ehex.cloud,ehex.de
+          }
+        ];
+      };
+    };
+  };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index c21eb77..23b2f09 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
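Review bot: The peer block hard-codes the WireGuard preshared key as a string literal (`presharedKey = "tQy7B5R3wOgWwIKFDcEr4WZIqCrwG+9UgPRIQx/5xso=";`), so it is committed in plaintext to the repository and, because the NixOS wireguard module renders interface config from it, will most likely also land in the world-readable Nix store — unlike the private key in the same hunk, which correctly goes through a file. Add a `presharedKeyFile` option next to `privateKeyFile`, reference it with `presharedKeyFile = cfg.presharedKeyFile;`, feed it from an agenix secret like wg-ehex-stroopwafel.age, and rotate the PSK with the peer since the current value is already published. Separately, the firewall opens UDP 51822 while the interface binds 51821 (`networking.firewall.allowedUDPPorts = [51822];` vs `listenPort = 51821;`); one of the two looks like a typo, and it is worth confirming the chosen port does not collide with the listenPort used by the sibling pub.solar.nix/private.nix modules, which are outside this patch. Finally, the postSetup `resolvconf -a wg-ehex -m 0 -x` installs 10.0.66.10/.12 as top-priority resolvers for every query on the host, not just for ehex.cloud/ehex.de as the commented-out `# DNS = ...` lines suggest was intended, so all DNS traffic is handed to the VPN's resolvers while the tunnel is up — either scope it or add a comment stating this is deliberate. The `psCfg` binding and the `pkgs` argument are unused in this file and can be dropped.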
@@ -93,6 +93,8 @@ in {
   "wg-pub-solar-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+  "wg-ehex-stroopwafel.age".publicKeys = stroopwafelKeys ++ baseKeys;
+
   "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
   "invoiceplane-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
diff --git a/secrets/wg-ehex-stroopwafel.age b/secrets/wg-ehex-stroopwafel.age
new file mode 100644
index 0000000000000000000000000000000000000000..9783f089567df1540735217a4663c9373eebdbe7
GIT binary patch
literal 1185
zcmX}ryX)&@0LF1$Bktn0h&UK(ZcWl43dt`?)1*n8rnxkTkXw^9Nz+{3Gfd54bp-<(x?eIg`^FL^z8_LFZ@qEZ-+clX-H9+UeTo_2uolO|gMM=I_nA zE}JJYNz(*33vpK#)0tRC7`aG-O`$iTwH_ty*6LX#2%CK<*skF;i(MlR^!i*NUNXou zrTMBIhK-40SEgUYM>i56hs6}x`&`|y?T`Tb_Mg^v!K{!)3+IswS?VgYVBDUpmFc7( zcS2P}D>RR&5#Y34@uiLWjfS>D-R3E5U8y%yaBAgKS^6nNM)Uy3ir@x;gL#xMP3HsLZm%N`&CnP9WjI5gVOO^KoA&__Vcm^(v0}VXX6`)H3G@ z>l-Fp-Zsf}t~9`z7XdYNTTRzUW_N+9=ZcD=jMS8>N|L<8T4D$Jz6-+i@NQ!3 zEF|3WNKo+1?E()dMvip*wS90ff4>rl7+*RmNUOCkC0tbnOn{G3SUyd2%#A_%r{ilr z%&#QP%wW@C`EABiw~Ae)Y!C57<;j3sIZ|{!WD_-NX}{5pXuMU6?ZzfZ6WJ}I;2IcA zC*kFFk&}1c7LbGOP2v(-Y-}+o@DECATvz{o=6`G0!=3Te%H&fvphrcj&sxidHWUiF zrUhl~q??Tj`oR<=kkEU#iV^ifqN>qtv3&{^xnbNrbkWVm^wwGLD3^mm?Rrxw$|xw1 z`FuW$39Xf-x?jfE6liEHoUsrDKx1!uc?*f1V6ft$QEAn*k=YaLlLys<&t7@Cy!Yp8 zU%vatw_j7getiCd`-}Ykhfkk*>D3>9dUW`mdH&&ZZ+