tankstelle: configure wireguard

This commit is contained in:
teutat3s 2024-05-30 19:17:21 +02:00
parent b039dec111
commit 941eff6d87
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
7 changed files with 74 additions and 24 deletions

View file

@ -28,6 +28,15 @@
"fd00:fae:fae:fae:fae:2::/96" "fd00:fae:fae:fae:fae:2::/96"
]; ];
} }
{
# tankstelle.pub.solar
endpoint = "80.244.242.5:51820";
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [
"10.7.6.4/32"
"fd00:fae:fae:fae:fae:4::/96"
];
}
]; ];
}; };
}; };

View file

@ -7,7 +7,7 @@
./networking.nix ./networking.nix
./forgejo-actions-runner.nix ./forgejo-actions-runner.nix
#./wireguard.nix ./wireguard.nix
#./backups.nix #./backups.nix
]; ];
} }

View file

@ -7,27 +7,18 @@
{ {
networking.firewall.allowedUDPPorts = [ 51820 ]; networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age"; age.secrets.wg-private-key.file = "${flake.self}/secrets/tankstelle-wg-private-key.age";
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-ssh = { wg-ssh = {
listenPort = 51820; listenPort = 51820;
mtu = 1300; mtu = 1300;
ips = [ ips = [
"10.7.6.3/32" "10.7.6.4/32"
"fd00:fae:fae:fae:fae:3::/96" "fd00:fae:fae:fae:fae:4::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";
@ -41,14 +32,14 @@
}; };
}; };
services.openssh.listenAddresses = [ #services.openssh.listenAddresses = [
{ # {
addr = "10.7.6.3"; # addr = "10.7.6.4";
port = 22; # port = 22;
} # }
{ # {
addr = "[fd00:fae:fae:fae:fae:3::]"; # addr = "[fd00:fae:fae:fae:fae:4::]";
port = 22; # port = 22;
} # }
]; #];
} }

View file

@ -28,7 +28,6 @@
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ]; networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.hosts = { networking.hosts = {
"138.201.80.102" = [ "git.${config.pub-solar-os.networking.domain}" ];
"10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
"10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ]; "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
}; };

View file

@ -20,6 +20,7 @@ in
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys;
"flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys; "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys; "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;

View file

@ -0,0 +1,45 @@
age-encryption.org/v1
-> ssh-ed25519 1X0eLA MwsWZb3girtAXvxgr3IBZhSthg5xzC2z88WIkG2GTDk
4yKFoIU/SbKcpSXYShUwEY6KV9o59bgIsDCJ0POOmZU
-> ssh-ed25519 uYcDNw 4CPU+vcJcXt+sVSD60ThkWWu87wEzo/TkFAfkJ7lAxU
K5ubfpowb/mBjRS9AaoEuPJEAy3jZQF9vBVK6+StrEE
-> ssh-rsa f5THog
GVZN3/Yl8OX+j8GuAp5ixsmz59HS+0z9OeGMoUl3m4S0kjpl39vY5+Fd5SXTtNLB
O5itG/nbo4lK/PVtH/s3UuzRlEvGzASkxTVGZAXBUgXlPf6hsUdxUhLn8G1DRTj9
qmZyk5ERH/uqA8LIH8kBWPE8OJ9qf5oVwttOuJLlkrmiojEvbK4Egf4pBAKxv1Vu
JUwoO2W5QxB9lOkOiGOfq6e++pWL+PN1URpGFxbvmM7N6OKNhix+HV9lBdTbS4tl
uP8n0nrM5h5yh7Waz+aAVb7Wu4YgsFCEmGlhEksM/tiHFun+9kFI3xUNTTO3PbYP
KH6KAV8mOA8tL/6PNbbLmaHp5v7//5Abgjmy1BCwNe/WfZiTVLmGDaOpW7qE0pcq
h+ooOk81MenF84FRQGEEMMBVHgckxxCGYYve7bEsWMJP+ua1BmZjQu/I2LpXN6OA
KtoPcnmCGyrZMWKLVdSjzeeEqKk7wtG6BISeLdguF4pEUN2Qoqppx33UQ0ztACf1
PHAsKbABkCG0yZz13M0bKSCP1O3HWzy2Cmw0EU+WbP6GEGCWmzZRDmjI9+CgtowH
9jz16+1k0PgO5EjV2s1Hijt0gEizl2Q07c2/BYx97951BOR9/LGVRKGtduXixf4a
qFt0Qw0JPZwP2XaXJmJ9x+4e1go5ydJFNnhcvTMUx3I
-> ssh-rsa kFDS0A
mM/LqZJl+5sDjDRhUZlPiFH43+BKkawgiPkQ6eNQmvS7fGjS6FWyGteiRdzxHax3
y2YE0GC0EmllMfXpjidHQHd4IBP82LrAlry2if9QYOdxtPg3577EZT1XFsR4Eegx
9xuG0+UYIYoEi4wUnnc58z/lV/iCJ4hTBsSMD69ciPdUVzeaA7RoFKImuLx3zhu4
Gc5ggAFKL9CYwMaJATB3e6+kTu3jkSUSa6vc4D0z7x7Sd2LjRN/THHlpvQQyMi4e
XREkhSNbOHp3mADLv7taFnjwUS/MltFDV8bPsemKmg+He0cVWc4JZynxaRXgdo4p
I3zkYcuWuUzWLgr6l8Aj4B7vd9tk9D0YyPmyMFWhq/IYjx62o/qTUSmBsluj2cqg
pg+45m/WTEAI7vnZXPcSlgbXyll1QE5TISqd7ugRyL3QhzR0h6TkRbMn5iCb15xy
zAgDCaN7z9Xhz9Y4zZG1zrKiF2qCNuZa6ZrgKRZLiFaVmhPvizCeYaZpRI2BfWwH
mo957eHh1//DIAbqWwRfblGZJUbuMK/vyvPoRsum3Pgft2LZLYF0U4vd8b0W5wBW
GBH3+zJBz5hhZVY96b5e70a6Uuwzub51RJlSJ07kNA/n5F1dN+8BFZlp52vCCSXQ
yzNnGZVnVF451CrsLtotzScO4r5KULpJaLK7Vkx20RE
-> piv-p256 vRzPNw AoFeX/N95u7AJHk3CEuFIf7tr0vYaGD+vFeh03kOmj2+
qBrMOjlgPdY9hDUeMBZ/oWkduTr2fyHkQWPzjU8wsKE
-> piv-p256 zqq/iw A6134rkgfZQCqdSsE4PtaAq8QfJP5h/+L9WxfvQ6nFSg
kz/3tibowB2x7akq8slScl3XW9OcOFqUaVMA5hP03CQ
-> ssh-ed25519 YFSOsg TjpLEHbKVX8eT5FJyj5OjoczjlbfE1QxrSQV7nmK3z8
+60JLcmaQEwEHkwRSD8ZxOVKfPfp+oCIxNz26h4EW4Q
-> ssh-ed25519 iHV63A /EMk1Hj4P0+VDBWneswmBE6rKRLuTBkcR42Y3NAGCxs
gFK/5AZAGptQ2GNbT25oiM1jENs70UYJVmBsH/9FRBE
-> ssh-ed25519 BVsyTA LwsnNWko4BLTMYIsW+iaagyTq1amhYfB+p0HUikzwT4
7rZengSXZzlTFh/FFVS8Jt+LMJZQ2wE7F3al1+DFe9Y
-> ssh-ed25519 +3V2lQ JGc07grd52VZSARjFBckyoA7D6686kSP/rhW6B8CiCg
R77Oha9dKKYX7YxHbeiVRwpSgxNeUQcQIld1v30xwaE
--- 8J1Hx/Cb3bTUm4llIEeQx+YUwHkX9XzTIAZm+YdJxVQ
}ÙÛKuØwˆe[ªºQ
s^p§xæÉ¡Éi·9a;Hݲ …ÑÃynÄÁ
QáÐÌëùóƒÈÂqöekµà;j¦ùôú7È©\„

View file

@ -19,6 +19,11 @@ resource "namecheap_domain_records" "pub-solar" {
type = "A" type = "A"
address = "80.71.153.210" address = "80.71.153.210"
} }
record {
hostname = "tankstelle"
type = "A"
address = "80.244.242.5"
}
record { record {
hostname = "alerts" hostname = "alerts"
type = "A" type = "A"