diff --git a/docs/administrative-access.md b/docs/administrative-access.md
index 6b7faa40..f22ed08e 100644
--- a/docs/administrative-access.md
+++ b/docs/administrative-access.md
@@ -14,7 +14,7 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
 publicKey = ;
 allowedIPs = [ "10.7.6./32" "fd00:fae:fae:fae:fae:::/96" ];
 }
- }];
+ ];
 secretEncryptionKeys = {
 = ;
@@ -30,6 +30,56 @@ SSH is not reachable from the open internet. Instead, SSH Port 22 is protected b
 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6./32` `fd00:fae:fae:fae:fae:::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
+Example NixOS snippet for WireGuard client config
+
+```
+{
+ networking = {
+ wireguard.enable = true;
+ wg-quick.interfaces = {
+ wg-pub-solar = {
+ address = ["10.7.6.201/32"];
+ address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"];
+ privateKeyFile = "/etc/wireguard/wg-pub-solar.privatekey";
+
+ peers = [
+ { # nachtigall.pub.solar
+ publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
+ allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
+ endpoint = "[2a01:4f8:172:1c25::1]:51820";
+ # Use this endpoint in IPv4 only networks
+ #endpoint = "138.201.80.102:51820";
+ persistentKeepalive = 15;
+ }
+ { # flora-6.pub.solar
+ publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+ allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
+ endpoint = "80.71.153.210:51820";
+ persistentKeepalive = 15;
+ }
+ { # metronom.pub.solar
+ publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+ allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ];
+ #endpoint = "[2a01:4f8:c2c:7082::]:51820";
+ # Use this endpoint in IPv4 only networks
+ endpoint = "49.13.236.167:51820";
+ persistentKeepalive = 15;
+ }
+ { # tankstelle.pub.solar
+ publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
+ allowedIPs = [ "10.7.6.4/32" "fd00:fae:fae:fae:fae:4::/96" ];
+ endpoint = "[2001:4d88:1ffa:26::5]:51820";
+ # Use this endpoint in IPv4 only networks
+ #endpoint = "80.244.242.5:51820";
+ persistentKeepalive = 15;
+ }
+ ];
+ };
+ };
+ };
+}
+```
+
 # Secret encryption
 Deployment secrets are added to the repository in encrypted files. To be able to work with these encrypted files, your public key(s) will have to be added to your user attrset under `secretEncryptionKeys`.
diff --git a/flake.nix b/flake.nix
index d96ccf73..e361d3fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -119,19 +119,19 @@
 deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
 nachtigall = {
- hostname = "10.7.6.1";
+ hostname = "nachtigall.wg.pub.solar";
 sshUser = username;
 };
 flora-6 = {
- hostname = "10.7.6.2";
+ hostname = "flora-6.wg.pub.solar";
 sshUser = username;
 };
 metronom = {
- hostname = "10.7.6.3";
+ hostname = "metronom.wg.pub.solar";
 sshUser = username;
 };
 tankstelle = {
- hostname = "80.244.242.5";
+ hostname = "tankstelle.wg.pub.solar";
 sshUser = username;
 };
 };
diff --git a/hosts/default.nix b/hosts/default.nix
index 8ded7cc3..e1881a43 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -67,6 +67,9 @@
 self.nixosModules.overlays
 self.nixosModules.unlock-zfs-on-boot
 self.nixosModules.core
+ self.nixosModules.mail
+ self.nixosModules.prometheus-exporters
+ self.nixosModules.promtail
 self.inputs.simple-nixos-mailserver.nixosModule
 ];
@@ -79,6 +82,8 @@
 ./tankstelle
 self.nixosModules.overlays
 self.nixosModules.core
+ self.nixosModules.prometheus-exporters
+ self.nixosModules.promtail
 ];
 };
 };
diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix
index c5bcd64d..3da4e16b 100644
--- a/hosts/flora-6/wireguard.nix
+++ b/hosts/flora-6/wireguard.nix
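Review bot: The example client snippet defines `address` twice inside `wg-pub-solar` (`address = ["10.7.6.201/32"];` immediately followed by `address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"];`), which Nix rejects as an attribute defined more than once, so the snippet as written does not evaluate. Keep only the dual-stack line: `address = ["10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96"];`. The paragraph above asks readers to pick a free number between 200 and 255, so a short remark next to the example that `201` is a placeholder to be replaced with their own number would reduce the chance of two admins ending up on the same tunnel address. A note that `/etc/wireguard/wg-pub-solar.privatekey` should be readable by root only would round out the example.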
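Review bot: The deploy targets now rely on DNS for `*.wg.pub.solar` instead of fixed addresses, and `tankstelle` in particular moves from its public address `80.244.242.5` to `tankstelle.wg.pub.solar`. The docs changed in this same commit state that SSH is reachable only over WireGuard, so each of these names must resolve to the host's `10.7.6.x` (or `fd00:fae:...`) tunnel address; if a name resolves elsewhere the deploy fails, and the name alone must not be what establishes trust in the endpoint. It is worth confirming that host-key verification is in effect for these names (a pinned `known_hosts` entry per host) so that an unexpected resolution fails closed, and adding a line to `docs/administrative-access.md` that resolving `*.wg.pub.solar` requires the tunnel (or the serving zone) to be reachable.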
@@ -28,6 +28,25 @@
 "fd00:fae:fae:fae:fae:1::/96"
 ];
 }
+ {
+ # metronom.pub.solar
+ endpoint = "49.13.236.167:51820";
+ publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+ allowedIPs = [
+ "10.7.6.3/32"
+ "fd00:fae:fae:fae:fae:3::/96"
+ ];
+ persistentKeepalive = 15;
+ }
+ {
+ # tankstelle.pub.solar
+ endpoint = "80.244.242.5:51820";
+ publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
+ allowedIPs = [
+ "10.7.6.4/32"
+ "fd00:fae:fae:fae:fae:4::/96"
+ ];
+ }
 ];
 };
 };
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix
index 2100d436..d8979eba 100644
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@@ -28,6 +28,15 @@
 "fd00:fae:fae:fae:fae:1::/96"
 ];
 }
+ {
+ # flora-6.pub.solar
+ endpoint = "80.71.153.210:51820";
+ publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
+ allowedIPs = [
+ "10.7.6.2/32"
+ "fd00:fae:fae:fae:fae:2::/96"
+ ];
+ }
 ];
 };
 };
diff --git a/modules/prometheus-exporters/default.nix b/modules/prometheus-exporters/default.nix
index 996a7717..1c9a474c 100644
--- a/modules/prometheus-exporters/default.nix
+++ b/modules/prometheus-exporters/default.nix
@@ -1,5 +1,8 @@
 { config, ... }:
 {
+ # Only expose prometheus exporter port via wireguard interface
+ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ];
+
 services.prometheus = {
 exporters = {
 node = {
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index 564d6506..709f6a25 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -53,6 +53,22 @@
 instance = "nachtigall";
 };
 }
+ {
+ targets = [
+ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+ ];
+ labels = {
+ instance = "metronom";
+ };
+ }
+ {
+ targets = [
+ "tankstelle.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
+ ];
+ labels = {
+ instance = "tankstelle";
+ };
+ }
 ];
 }
 {
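Review bot: The new `tankstelle.pub.solar` peer has no `persistentKeepalive`, while the `metronom.pub.solar` peer added just above it sets `persistentKeepalive = 15;`, and the `flora-6.pub.solar` peer added to `hosts/tankstelle/wireguard.nix` in this commit omits it as well. Both sides have public endpoints, so the link can still come up on demand, but if Prometheus runs on flora-6, as these peer additions suggest, an idle session may have to be re-established before each scrape; either add `persistentKeepalive = 15;` to both new peers or leave a one-line comment stating why these two links intentionally differ from the others. The enclosing `peers` list opens before the hunk.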
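Review bot: The firewall rule hard-codes port `9002`, while the scrape targets added in `modules/prometheus/default.nix` in this commit read the port from `config.services.prometheus.exporters.node.port`; if the exporter's `port` (presumably set further down in this module, outside the hunk) ever changes, the scrape target follows but the firewall hole does not. Use the same source of truth: `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];`. Scoping the rule to `wg-ssh` is the right call, since it keeps the exporter unreachable on the public interfaces even if it listens on all addresses, so the comment should also record the condition that makes this hold, e.g. `# Only expose the node exporter port on the wireguard interface; keep exporters.node.openFirewall unset, it would open the port on every interface`. The `services.prometheus` attrset continues past the hunk.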
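Review bot: Each new target interpolates `config.services.prometheus.exporters.node.port`, which is the exporter port configured on the host evaluating this module (the Prometheus host), not the port configured on `metronom` or `tankstelle`; the targets are only correct as long as every host uses the same exporter port, and nothing in the hunk documents that assumption. A comment above the new entries, e.g. `# port is taken from this host's node exporter config; all scraped hosts must use the same port`, would make the coupling explicit, or the port could be read from each target host's own evaluated configuration if that is available to this module. The list these entries belong to opens before the hunk and continues after the trailing `{`.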