From eacf60974cab1d423ce021940e840f2f37cd3576 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Wed, 3 Apr 2024 20:54:40 +0200 Subject: [PATCH 1/7] wireguard: initial commit --- flake.nix | 3 +- hosts/nachtigall/networking.nix | 30 ++++++- logins/admins.nix | 43 ++++++++++ logins/default.nix | 14 ++++ .../public-keys}/default.nix | 0 {public-keys => logins}/robots.nix | 0 modules/unlock-zfs-on-boot.nix | 2 +- modules/users.nix | 6 +- public-keys/admins.nix | 13 --- secrets/age-yubikey-464-identity.txt | 1 + secrets/age-yubikey-485-identity.txt | 1 + secrets/secrets.nix | 82 +++++++++---------- 12 files changed, 131 insertions(+), 64 deletions(-) create mode 100644 logins/admins.nix create mode 100644 logins/default.nix rename {public-keys => logins/public-keys}/default.nix (100%) rename {public-keys => logins}/robots.nix (100%) delete mode 100644 public-keys/admins.nix create mode 100644 secrets/age-yubikey-464-identity.txt create mode 100644 secrets/age-yubikey-485-identity.txt diff --git a/flake.nix b/flake.nix index e0c3b496..79e5cec8 100644 --- a/flake.nix +++ b/flake.nix @@ -39,7 +39,7 @@ imports = [ inputs.nixos-flake.flakeModule - ./public-keys + ./logins ./lib ./overlays ./modules @@ -63,6 +63,7 @@ deploy-rs nixpkgs-fmt agenix + age-plugin-yubikey cachix editorconfig-checker nodePackages.prettier diff --git a/hosts/nachtigall/networking.nix b/hosts/nachtigall/networking.nix index 5328cc4a..39e485d7 100644 --- a/hosts/nachtigall/networking.nix +++ b/hosts/nachtigall/networking.nix @@ -1,4 +1,8 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + flake, + ... }: { networking.hostName = "nachtigall"; 
@@ -21,4 +25,28 @@ ]; networking.defaultGateway = "138.201.80.65"; networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; + + networking.firewall.allowedUDPPorts = [ 51899 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51899; + mtu = 1300; + ips = [ + "10.7.6.1/32" + "fd00:fae:fae:fae:fae:1::/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { # flora6 + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ ]; + persistentKeepalive = 30; + dynamicEndpointRefreshSeconds = 30; + } + ]; + }; + }; } diff --git a/logins/admins.nix b/logins/admins.nix new file mode 100644 index 00000000..b3d4bafa --- /dev/null +++ b/logins/admins.nix 
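Review bot: The flora6 peer added here is inert as written: `allowedIPs = [ ]` means WireGuard's cryptokey routing neither accepts traffic from that peer nor sends anything to it, and without an `endpoint` the `persistentKeepalive` and `dynamicEndpointRefreshSeconds` settings have, as far as I can tell, nothing to act on, so nachtigall can never initiate the handshake. 2/7 replaces this block with an endpoint and the flora6 tunnel addresses in allowedIPs, so this only matters if the series is not squashed. Note also that the file referenced by `age.secrets.wg-private-key.file` is only added in 2/7, so activating this revision on its own would fail at secret decryption.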
@@ -0,0 +1,43 @@ +{ + axeman = rec { + sshPubKeys = { + axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"; + }; + + secretEncryptionKeys = sshPubKeys; + }; + + b12f = rec { + sshPubKeys = { + b12f-gpg = "ssh-rsa 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 yubi-gpg"; + }; + + secretEncryptionKeys = { + bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com"; + yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q"; + yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7"; + } // sshPubKeys; + + wireguardDevices = [ + ]; + }; + + hensoko = rec { + sshPubKeys = { + hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb"; + hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy"; + }; + + secretEncryptionKeys = sshPubKeys; + }; + + teutat3s = { + sshPubKeys = { + teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a"; + }; + + secretEncryptionKeys = { + teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; + }; + }; +} diff --git a/logins/default.nix b/logins/default.nix new file mode 100644 index 00000000..72352e80 --- /dev/null +++ b/logins/default.nix @@ -0,0 +1,14 @@ +{ lib, ... }: let + admins = import ./admins.nix; + robots = import ./robots.nix; +in { + flake = { + logins = { + admins = lib.lists.foldl (logins: adminConfig: logins // { + sshPubKeys = lib.attrsets.attrValues adminConfig.sshPubKeys; + wireguardDevices = adminConfig.wireguardDevices; + }) {} (lib.attrsets.attrValues admins); + robots.sshPubKeys = lib.attrsets.attrValues robots; + }; + }; +} 
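Review bot: Compared with the deleted public-keys/admins.nix, b12f's `sshPubKeys` no longer carries `b12f-yubi-backup`, `b12f-464-fido2` and `b12f-485-fido2`, so those keys drop out of every authorizedKeys list that this commit feeds from `flake.self.logins.admins.sshPubKeys` (users.nix and the initrd SSH in unlock-zfs-on-boot.nix); if that de-authorization is intended, the commit message should say so rather than "initial commit". The file also does not explain why `sshPubKeys` and `secretEncryptionKeys` are distinct sets — teutat3s's login key is ecdsa-sha2-nistp256, which age cannot use as a recipient, while b12f's `secretEncryptionKeys` folds the RSA login key back in via `// sshPubKeys`. A header comment such as `# sshPubKeys: keys accepted for SSH login; secretEncryptionKeys: agenix recipients (ssh-ed25519, ssh-rsa or age identities only); wireguardDevices: admin peers merged into every host's wg-ssh interface` would make that contract explicit for the next person adding an entry.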
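Review bot: The fold building `admins` does not accumulate: `logins // { sshPubKeys = …; wireguardDevices = …; }` replaces both attributes on every step, so after iterating `lib.attrsets.attrValues admins` (alphabetical) only teutat3s's keys survive in `flake.self.logins.admins.sshPubKeys` — which this same commit wires into users.nix and the initrd SSH authorizedKeys, locking every other admin out. It also reads `adminConfig.wireguardDevices` unconditionally although only b12f defines it, so evaluation fails for the other three entries. 4/7 and 5/7 fix both; if the series is not squashed, this first revision should already seed the fold with `{ sshPubKeys = []; wireguardDevices = []; }` and extend with `++`, so that no intermediate revision deploys a single admin's keys.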
diff --git a/public-keys/default.nix b/logins/public-keys/default.nix similarity index 100% rename from public-keys/default.nix rename to logins/public-keys/default.nix diff --git a/public-keys/robots.nix b/logins/robots.nix similarity index 100% rename from public-keys/robots.nix rename to logins/robots.nix diff --git a/modules/unlock-zfs-on-boot.nix b/modules/unlock-zfs-on-boot.nix index 2e507dff..d459b10b 100644 --- a/modules/unlock-zfs-on-boot.nix +++ b/modules/unlock-zfs-on-boot.nix @@ -10,7 +10,7 @@ # Please create this manually the first time. hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - authorizedKeys = flake.self.publicKeys.admins; + authorizedKeys = flake.self.logins.admins.sshPubKeys; }; # this will automatically load the zfs password prompt on login # and kill the other prompt so boot can continue diff --git a/modules/users.nix b/modules/users.nix index 8f1f898a..91b78e0a 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -4,12 +4,12 @@ group = flake.self.username; extraGroups = [ "wheel" "docker" ]; isNormalUser = true; - openssh.authorizedKeys.keys = flake.self.publicKeys.admins; + openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys; }; users.groups.${flake.self.username} = { }; # TODO: Remove when we stop locking ourselves out. - users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins; + users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys; users.users.hakkonaut = { description = "CI and automation user"; @@ -19,7 +19,7 @@ uid = 998; group = "hakkonaut"; isSystemUser = true; - openssh.authorizedKeys.keys = flake.self.publicKeys.robots; + openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys; }; users.groups.hakkonaut = { }; diff --git a/public-keys/admins.nix b/public-keys/admins.nix deleted file mode 100644 index d7476314..00000000 --- a/public-keys/admins.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -{ - axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"; - - b12f-yubi-backup = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"; - b12f-gpg = "ssh-rsa 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 yubi-gpg"; - b12f-464-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"; - b12f-485-fido2 = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"; - - hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb"; - hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy"; - teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a"; - -} diff --git a/secrets/age-yubikey-464-identity.txt b/secrets/age-yubikey-464-identity.txt new file mode 100644 index 00000000..e696507c --- /dev/null +++ b/secrets/age-yubikey-464-identity.txt @@ -0,0 +1 @@ +AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837 diff --git a/secrets/age-yubikey-485-identity.txt b/secrets/age-yubikey-485-identity.txt new file mode 100644 index 00000000..b4c90ef8 --- /dev/null +++ b/secrets/age-yubikey-485-identity.txt @@ -0,0 +1 @@ +AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 12bebb9a..153a9755 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
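Review bot: secrets/age-yubikey-464-identity.txt and secrets/age-yubikey-485-identity.txt are committed without any explanation of what they are; as far as I know an `AGE-PLUGIN-YUBIKEY-1…` string is only a locator for a key that stays on the YubiKey (serial, slot and tag), not private material, but a reader of a `secrets/` directory will reasonably assume otherwise. Nothing in this series references either file, so it is also unclear whether agenix is expected to be pointed at them with `-i` or whether they are kept purely for operator convenience. A one-line README note in secrets/ stating that they are public identity stubs for `age-plugin-yubikey` and how they are meant to be used would settle both questions.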
@@ -1,21 +1,10 @@ let - # set ssh public keys here for your system and user - axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"; - b12f-bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com"; - hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb"; - hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy"; - teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; + admins = import ../logins/admins.nix; nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; - baseKeys = [ - axeman-1 - b12f-bbcom - hensoko-1 - hensoko-2 - teutat3s-1 - ]; + adminKeys = builtins.foldl' (keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)) [] (builtins.attrValues admins); nachtigallKeys = [ nachtigall-host 
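Review bot: Switching the recipient list from `baseKeys` to `adminKeys` enlarges it — b12f now contributes the `yubi485`/`yubi464` age identities and the `b12f-gpg` RSA key in addition to `bbcom` — but no existing `.age` file is re-encrypted in this commit (the diffstat touches only secrets.nix), so the new recipients cannot decrypt anything until `agenix --rekey` is run and its output committed. That rekey should be part of this change, or at least called out in the commit message so the deploy order is clear. As a style point, the accumulate-with-`++` fold reads more directly as a flatten: `adminKeys = builtins.concatMap (login: builtins.attrValues login.secretEncryptionKeys) (builtins.attrValues admins);`.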
@@ -27,48 +16,51 @@ let in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall - "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys; + "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ baseKeys; - "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ baseKeys; - "mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ baseKeys; - "mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys; - "mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys; - "mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; + "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys; - "keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; + "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys; + "mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ adminKeys; + "mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; - "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ baseKeys; - "forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; - "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys; + "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys; - "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys; - "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys; - "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys; - "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ 
baseKeys; + "forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys; + "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys; + "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys; - "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys; - "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys; + "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; + "matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys; - "searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys; + "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; + "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; - "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys; - "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys; + "searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys; - "drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys; - "drone-secrets.age".publicKeys = flora6Keys ++ baseKeys; + "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys; - "mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys; - "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys; - "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys; - "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys; + "drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys; + "drone-secrets.age".publicKeys = flora6Keys ++ adminKeys; - "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys; + "mediawiki-database-password.age".publicKeys = nachtigallKeys ++ adminKeys; + "mediawiki-admin-password.age".publicKeys 
= nachtigallKeys ++ adminKeys; + "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys; + "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys; - "grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys; - "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys; - "grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys; + "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys; - "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys; - "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys; + "grafana-admin-password.age".publicKeys = flora6Keys ++ adminKeys; + "grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys; + "grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys; + + "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys; + "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys; } From 621e9336ed7267a7c598fe645dfc5b07089639c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Wed, 3 Apr 2024 21:03:14 +0200 Subject: [PATCH 2/7] wireguard: add basic keys --- hosts/flora-6/default.nix | 1 + hosts/flora-6/wireguard.nix | 29 ++++++++++++++++++ hosts/nachtigall/default.nix | 1 + hosts/nachtigall/networking.nix | 24 --------------- hosts/nachtigall/wireguard.nix | 29 ++++++++++++++++++ logins/admins.nix | 4 +++ secrets/flora6-wg-private-key.age | 42 +++++++++++++++++++++++++++ secrets/nachtigall-wg-private-key.age | 41 ++++++++++++++++++++++++++ 8 files changed, 147 insertions(+), 24 deletions(-) create mode 100644 hosts/flora-6/wireguard.nix create mode 100644 hosts/nachtigall/wireguard.nix create mode 100644 secrets/flora6-wg-private-key.age create mode 100644 secrets/nachtigall-wg-private-key.age 
diff --git a/hosts/flora-6/default.nix b/hosts/flora-6/default.nix index a2ad0c52..17910211 100644 --- a/hosts/flora-6/default.nix +++ b/hosts/flora-6/default.nix @@ -7,6 +7,7 @@ ./hardware-configuration.nix ./configuration.nix ./triton-vmtools.nix + ./wireguard.nix ./apps/caddy.nix diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix new file mode 100644 index 00000000..53bc5bc3 --- /dev/null +++ b/hosts/flora-6/wireguard.nix @@ -0,0 +1,29 @@ +{ + config, + pkgs, + flake, + ... }: +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + endpoint = "nachtigall.pub.solar:51820"; + publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; + allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ]; + } + ]; + }; + }; +} diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index 15f50a00..69428bf9 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -8,6 +8,7 @@ ./configuration.nix ./networking.nix + ./wireguard.nix ./backups.nix ./apps/nginx.nix diff --git a/hosts/nachtigall/networking.nix b/hosts/nachtigall/networking.nix index 39e485d7..91a09475 100644 --- a/hosts/nachtigall/networking.nix +++ b/hosts/nachtigall/networking.nix 
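Review bot: hosts/flora-6/wireguard.nix points `age.secrets.wg-private-key.file` at `secrets/nachtigall-wg-private-key.age` instead of the `flora6-wg-private-key.age` that this commit adds and that secrets.nix encrypts to `flora6Keys`. As written flora-6 presumably cannot decrypt the file at activation (its host key is not among the nachtigall recipients as far as the visible secrets.nix shows), and even if it could, both hosts would share one private key while nachtigall's peer entry expects flora6's `jtSR5G…` public key, so the handshake would still fail. It should read `age.secrets.wg-private-key.file = "${flake.self}/secrets/flora6-wg-private-key.age";`. Minor: `pkgs` is unused in this file's argument set and likewise in hosts/nachtigall/wireguard.nix.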
@@ -25,28 +25,4 @@ ]; networking.defaultGateway = "138.201.80.65"; networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; - - networking.firewall.allowedUDPPorts = [ 51899 ]; - - age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age"; - - networking.wireguard.interfaces = { - wg-ssh = { - listenPort = 51899; - mtu = 1300; - ips = [ - "10.7.6.1/32" - "fd00:fae:fae:fae:fae:1::/96" - ]; - privateKeyFile = config.age.secrets.wg-private-key.path; - peers = flake.self.logins.admins.wireguardDevices ++ [ - { # flora6 - publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; - allowedIPs = [ ]; - persistentKeepalive = 30; - dynamicEndpointRefreshSeconds = 30; - } - ]; - }; - }; } diff --git a/hosts/nachtigall/wireguard.nix b/hosts/nachtigall/wireguard.nix new file mode 100644 index 00000000..352a04e6 --- /dev/null +++ b/hosts/nachtigall/wireguard.nix @@ -0,0 +1,29 @@ +{ + config, + pkgs, + flake, + ... }: +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "10.7.6.1/32" + "fd00:fae:fae:fae:fae:1::/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + endpoint = "flora6.pub.solar:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ]; + } + ]; + }; + }; +} diff --git a/logins/admins.nix b/logins/admins.nix index b3d4bafa..05a2432a 100644 --- a/logins/admins.nix +++ b/logins/admins.nix @@ -19,6 +19,10 @@ } // sshPubKeys; wireguardDevices = [ + { # stroopwafel + publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE="; + allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ]; + } ]; }; 
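Review bot: Both new wireguard.nix files pin the remote peer by DNS name (`endpoint = "flora6.pub.solar:51820"` here, `nachtigall.pub.solar:51820` on flora-6) but drop the `dynamicEndpointRefreshSeconds` that 1/7 carried; with a plain endpoint the name is, as far as I can tell, resolved once when the interface is brought up, so an address change or DNS being unavailable at boot leaves the peer unreachable until the interface is restarted. Re-adding `dynamicEndpointRefreshSeconds = 30;` on the host-to-host peer in both files, or giving only one side an endpoint and letting it initiate, would cover that case. Since the interface is named `wg-ssh` and is evidently meant as the admin path in, a stale peer here is an availability problem for the tunnel rather than a confidentiality one.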
diff --git a/secrets/flora6-wg-private-key.age b/secrets/flora6-wg-private-key.age new file mode 100644 index 00000000..a9d21262 --- /dev/null +++ b/secrets/flora6-wg-private-key.age 
@@ -0,0 +1,42 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw FvsdIE/inJoLVSosWXATnFbAAVjVuf7jlEC3nSUF6Ug +gX84OKgWdfkGBN+NFy11BxIb4WX1z9UkPA4u2Q1uV+g +-> ssh-ed25519 uYcDNw z5Veza0uVwqCqGCGYzGmXPcyaV9HztEN39cWFbSG7yg +UWZQcDP1vMsYoWwMQlr4YmzWYw2EKm/s5zJVHNf2M0U +-> ssh-rsa f5THog +v1kqiU+cx65mvTNeuAhK65eBEk1vmkABRYgcmFIrdr4eY3pru+FaQTfMhTI9HjcO +OTU0YPxxSadbUCaN6Z3QnTv5qowwOQlEsWK+RMsOZgnyRQHa2SIrhfHz7v+n8BTF +8BYB4UBJpD3aLqM7VED6dYls178HUbiq34ohrG2vY5PHE72xTU60amv9NcJhSJPR +twZPiSp3I14MlJU4bboS1YBaEmgxvbXru0DwuoQLw3OUrH7xOggVoSJxm8lVyjR2 +oFYS5wdnrhAIEsJ0lTsO5fvq9Dmie7qoL60rbBbue9lPk1nD1NlUe3akd4IIo36R +kDbthUYluVSJON3o/wenSvJDOw3N3t8bu2+/XfWAd2NL9SPBijMQJtqjK8EAtmz9 +OjBMjJGQzVdBxRP9U3CWYIwaqYQfWhXXY4AXTwIMsfmeV8ZHZsId3Y156p0NaKg6 +NGb7eX/AWmcdNTp8ZCqlb4QexICrVd7XDkNbPHkYPUOdUhaMyS+T7YU8Qs3YWroP +Bw63QMWbvo1l4HO/3HeIKlzIXTjLEi6PjTiWb7vM4GuoCwjdDg5djMEj4nsvDyea +B9EBTEcoP2oj47wgsX0nfV5bKAQ4y8AN4ZNWb00vjN9ybBbLK3q//1DrEWmddieF +t6FyZXvZH0Gf6y5OO56yRp/vmxvKFcvxqUA3P8bPAnw +-> ssh-rsa kFDS0A +c+0wRUbjzdJiBhdKAVlE8yxt1O3t4oQ438F5HjMPohEXSFLiNFi4Y0JQsw6qn3GP +hySsyIoj9G+cI9FDPjTFPmE7O1SHrd2LqBZGukyswDXX8CpwmZ7vfqfK2lCgKfos +SSPiGaYk+HlQF2QfX/xdgQ2PbFXHnDy8LZ9AfZP04PrnK9wqdiEXwmkWZ/Lu1P+V +Wb/28BYxcfkseAprFr/KSJLoNuD9UphRhQwRklmjADnf0lep3vHccxz1Oo5flu5M +AD47r+0bLGM+w3epCF1GyR4L2lEBaD8pkVOt3/zIdjn8nFZVNJwjshToazvnVEd3 +Vd9Uas58AyxcT7Dk/QaVO7c5KJDdfSuxnT1zElkM2ZQM4lEueTJYDBJGyfubb30y +Z7re/MsLOh0jNJbb0r1KOkzwpcdm9iyvi26eaGsX7Q1Gb2pzOYFxD1vSUUC6A6Hp +W5X6fKsiBPreYLf5MV6p9r2YJPdX4SJiq4XztQi1PL+ndq1h8wskxk3Pyvk9fhle +iC5owZ8/FikfC/1oEa2KayeLyYB001BUuktevzfH2GmbqLkR9wBGw5vUJzOO4vOW +o8SVCSUxSrG8S+HQksOSXFWywkdBDhqc8eyRUtb+6iqqMA2Q4GDqktSCB1KeBYD6 +OalH6bo4H1ddV8LPMOKcFtjmTPuum43C7bNge2rxhgg +-> piv-p256 vRzPNw A/utfOjPG1zs1Lf2FOWDHhJIJW1PIHmKFqFvBZZycHPn +EfGFh9R0PDgskQg00z6thQ1YozT5ZiBhzNN9iTXWDe4 +-> piv-p256 zqq/iw A0RjdOkfYmTlYCwM3aFLdXfBimXMGzVh21A5QxZ217xW +7J9cRYpr1uhQPE0VjvLAwyS7jNSK0+qjA9xUMeRwYos +-> ssh-ed25519 YFSOsg w8ljrS1oRdB9RT8Odi5UOPjEtFL3WBlQUAH9Y7gp3WM 
+xcrbEm66K6mNrJ9+877YEgWUdxW85YyS1z8CGMyYxeE +-> ssh-ed25519 iHV63A O0bMGpauAYAuiAtbITj+lQOS0LuFl/BDVxIUTly8tQM +0Kiu4sNN0joX5D4eB42oQ/iRSntsJI5JNKOmkQeyLGE +-> ssh-ed25519 BVsyTA k/0Rtr9qbFH7V6DyCRtyqdAHU1b7D7DNGV8pPPJmrnk +dJ29gcfSxaVQ46XbW021PxPotZ8ZG2zjostJme9GUZQ +--- 1V0sJP5JIa9GZ0F0hf1GAFX3LNkPSNsxNhqM9cH7Rgc +|#mR5wQf 1 ZMUOf:G^! +gG29w_Bd \ No newline at end of file diff --git a/secrets/nachtigall-wg-private-key.age b/secrets/nachtigall-wg-private-key.age new file mode 100644 index 00000000..325b1315 --- /dev/null +++ b/secrets/nachtigall-wg-private-key.age 
@@ -0,0 +1,41 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg 1m2Nkhw2R1InZFZrOkzQCoQy4s/kduXyM44yWifllXc +cxz6EWfaIJUjEkXEExFGKPrrl4iXnchkFfMiCpDgnZ8 +-> ssh-ed25519 uYcDNw nVtsI77gUtZKmvu6o/jkvh/Ab8KDgRuL7V6MDuFtBnk +P7xVJA1a1ioe2tROajY1uvS1kLGrJW+YrXVf2Z2K2a4 +-> ssh-rsa f5THog +rr17rPe7lJ2Zc0nsHhEch7mG7D27lnaMbAJ2Zsn4oHDXFn4cnSw4L/Zf+aZVIpNY +ew2u24yBE5ButBh8t0wm2Di2SBir4cAQob7160Py5ZpqOHBGxACgxhfZm7f/FzLZ +Ue0CUKebJI8KAqkjyayLLzESMECT5buhoJ4+K8U/B6O8NgGPrjS1Xjx1zCAs8tsG +kQz2KsBFnIEH20qmj2ezmijJdkUJbyX2389jCIzZ95wOG0RcUH1+s0aMcuvvLptS +05nSlmOlnwv7M8Jkwg+BC6l6xpoG3zpQDReEBTT3DYMRL3sNPV9eIHcPrWIXlANk +7vqLPxNlu/gHhQSijcPICH0YiDZ3MIJdXtqVHxCFWmXlPAzfkSMwg2k3WT8fMSJ9 +ajEM0i6AIjaNAeY6cY87kGmfSjwRTSEbDSkC0B5VV1h2CZJDot7+9eZQ1HcwnP3j +iLTijtB+dMAzpnQ8kA9bGnuOurTB3Jy+JxwejO21J1/rxBA+P0nATufnk5olhTKS +vqkor0rxkV379SMpHLpbg4IbwdIjp+77GDJkofcAxZI8tmU2IF19dC1UsDfz15N/ +b984i7PpJ115U2oSbwBZ8WThx1i8I47/mabTU32IXvhfdsp9QmBoBIqUqdgHsU43 +LSBHRHiMy+3BfNA0M52oWEThtScOeqzwo3oSBCTM3xI +-> ssh-rsa kFDS0A +fgw9rO7pT7MLo1nNvZ05Ry+Gyjb27Trc5kZ7KYYya1BpCKjLnYwOaaoLtoHkGnuz +bPJ4ouyMsWUiPpT/SZ5/uNHlSDS9dNF0RTzCAqSi31CwY5KFTfStzsOKeUvxCcGp +Z9uyOEr1sOl1+gORWphrHmllSrXFAHHgOorLrtACkrQMxn678Wko13CFvDhtkl+l +sqi+l+B5ffeJsaHmCLmrROGzWrCnT/1zwJV5KMF0HjBSOi+Fl+HxA9s6UCEHxTy/ +H8GvOooDGczgjg06yI2Puzo+DvhE/XOeFOoM/cLdGPnq/R8Mo4r4BDeBnQqbbBCI +4LV0Ybz0jVpAHHCu5kAxIzc68d1mwmxYPW4pxMVDGaZKGoBnA9jkHA0DD0TKe62D +ZBWtKAZb3gD4yDZfcbZABuXFszmFzKRmoE8YLmZDw0GwLu/It+ZtL9cxUZ+YmknP +ZhBcy1NTlPhXlJdZBWImK8KKluf03BjBIAFm+ZGT1FiCnZft5SZFDf7PGq+PvRwT +wk6UMeBiVbJvpVtjthHbur5FxXG+ly9wa9Y5bP3K2VnJkVcVt6NhkJ6Hg+g2FIZ4 +gzq+5azkX+7nSNr0dSR1Phk4j+6aahRc2Gb7SiMqo6nwKuWBL6SQRDuKwP1PaPvm +aGfsduWhKZQM5ZeXBYkdgQqLgx4oAgbI2SujRaJlykE +-> piv-p256 vRzPNw A77uRo1hsdtaU8Fze62NI3AocU7srSmd5A7y1PbUVEyQ +LgD5sj6ZGGYiDausGO5lxERV71MFkZltzP3W4JIK59M +-> piv-p256 zqq/iw A7rWVvgXoLOrF3w8wyR27/fGAPxeknuBMVF1yeNceSkN +qAe7DwmCiFz72fy0Ica3SWZYNyvlsE1M/Odma5FKlyI +-> ssh-ed25519 YFSOsg Hld4L4nxmssu+4vwIEE4Q13Xapfn38R42+MdT3c5Jyg 
+gW3YzRgpc8SKyTp6o4BqmqFurr+lak+hKvYLFGdm2s8 +-> ssh-ed25519 iHV63A ODXmcURhm3oMgB5t4kigz1LoXMl0IqG7zUUog0FXRDw +pa37B1B4FFTrh4UHDh2O4VBSQyxlaozHDNR8PCQ+gis +-> ssh-ed25519 BVsyTA 1dkpnnRlhnqueC91EW7xn/q4MUUvleN23KyiTJM1ZlI +QvpM4QaFx4ey3EZ8TNnbJjdeIgR5Nfbugw3X2Xv27wY +--- dHSohj4s4bp6X8I2em011HuWwNNIDis6h4e/44CnTIU +^Pv ^4YYp'}Xbq5W nv߰B=*%١n iT] \ No newline at end of file From 147ed44b9af3e57b0208233b9960a6bd25c05801 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 3 Apr 2024 21:06:55 +0200 Subject: [PATCH 3/7] wireguard: add dumpyourvms --- logins/admins.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/logins/admins.nix b/logins/admins.nix index 05a2432a..db5c6b5d 100644 --- a/logins/admins.nix +++ b/logins/admins.nix @@ -23,6 +23,10 @@ publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE="; allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ]; } + { # dumpyourvms + publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk="; + allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ]; + } ]; }; From 83125ae472fc3ae0f2e50b544d5728d311b9e13c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Wed, 3 Apr 2024 21:17:38 +0200 Subject: [PATCH 4/7] logins: check for missing wireguard device attribute --- logins/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/logins/default.nix b/logins/default.nix index 72352e80..3168d54f 100644 --- a/logins/default.nix +++ b/logins/default.nix @@ -6,7 +6,7 @@ in { logins = { admins = lib.lists.foldl (logins: adminConfig: logins // { sshPubKeys = lib.attrsets.attrValues adminConfig.sshPubKeys; - wireguardDevices = adminConfig.wireguardDevices; + wireguardDevices = if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []; }) {} (lib.attrsets.attrValues admins); robots.sshPubKeys = lib.attrsets.attrValues robots; }; From a795f0824fb3d139f72b2fc675b3d52cc2ca1530 Mon Sep 17 00:00:00 2001 
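Review bot: The `dumpyourvms` device is added under b12f's `wireguardDevices` although the name matches teutat3s's key comment (`teutat3s@dumpyourvms` in his secretEncryptionKeys); 7/7 moves it, so this only matters if the series is not squashed. Because `flake.self.logins.admins.wireguardDevices` flattens all admins into one list, the misattribution does not change what is deployed, but the per-device `# dumpyourvms` comment and its position are the only record of who owns a peer key, and that record should be accurate from the first revision.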
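Review bot: `if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []` is the long form of Nix's `or` default; `wireguardDevices = adminConfig.wireguardDevices or [];` expresses the same thing in one expression and avoids the string-quoted attribute path. This still leaves the accumulation problem in the surrounding `logins // { … }` merge (only the last admin's lists survive), which 5/7 addresses.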
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Wed, 3 Apr 2024 21:47:27 +0200 Subject: [PATCH 5/7] logins: fix admin login merging --- logins/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/logins/default.nix b/logins/default.nix index 3168d54f..374b513f 100644 --- a/logins/default.nix +++ b/logins/default.nix @@ -4,10 +4,10 @@ in { flake = { logins = { - admins = lib.lists.foldl (logins: adminConfig: logins // { - sshPubKeys = lib.attrsets.attrValues adminConfig.sshPubKeys; - wireguardDevices = if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []; - }) {} (lib.attrsets.attrValues admins); + admins = lib.lists.foldl (logins: adminConfig: { + sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys); + wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []); + }) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins); robots.sshPubKeys = lib.attrsets.attrValues robots; }; }; From c53adf51f7a5431c57c5f83bdcdffaec9ab43af1 Mon Sep 17 00:00:00 2001 From: Hendrik Sokolowski Date: Fri, 5 Apr 2024 00:37:11 +0200 Subject: [PATCH 6/7] logins: add judy for hensoko --- logins/admins.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/logins/admins.nix b/logins/admins.nix index db5c6b5d..760a920a 100644 --- a/logins/admins.nix +++ b/logins/admins.nix @@ -37,6 +37,12 @@ }; secretEncryptionKeys = sshPubKeys; + wireguardDevices = [ + { # judy + publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk="; + allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ]; + } + ]; }; teutat3s = { From 48845d6cf6aa754bc9ebcd234ae0d2c6ba9d36a6 Mon Sep 17 00:00:00 2001 
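Review bot: Accumulating two lists through `lib.lists.foldl` with a hand-written seed reads as a reduction when it is really a flatten; `sshPubKeys = lib.concatMap (a: lib.attrValues a.sshPubKeys) (lib.attrValues admins);` and `wireguardDevices = lib.concatMap (a: a.wireguardDevices or []) (lib.attrValues admins);` inside a plain `admins = { … };` produce the same lists without the fold, the seed or the `?` test. The fix itself is correct: with the seed and `++`, every admin's keys now reach `flake.self.logins.admins.sshPubKeys`, which is what the authorizedKeys consumers in users.nix and unlock-zfs-on-boot.nix need.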
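Review bot: This is the third admin device given a hand-picked address (`10.7.6.200`, `.201`, `.202` with the matching `fd00:fae:fae:fae:fae:2xx::/96`), and nothing documents the scheme or guards against two admins choosing the same one; WireGuard's cryptokey routing assigns an allowed IP to the most recently configured peer, so a duplicate would silently cut one admin off the `wg-ssh` interface rather than fail at evaluation. A comment at the first `wireguardDevices` list such as `# admin devices: 10.7.6.200+/32 and fd00:fae:fae:fae:fae:<n>::/96 (hosts are .1 nachtigall, .2 flora6); take the next free number` would help, and an assertion on uniqueness of all `allowedIPs` in logins/default.nix would turn a collision into an evaluation error.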
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?= Date: Fri, 5 Apr 2024 13:01:26 +0200 Subject: [PATCH 7/7] logins/wireguard: move teutat3s wireguard device --- logins/admins.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/logins/admins.nix b/logins/admins.nix index 760a920a..f4c38292 100644 --- a/logins/admins.nix +++ b/logins/admins.nix @@ -23,10 +23,6 @@ publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE="; allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ]; } - { # dumpyourvms - publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk="; - allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ]; - } ]; }; @@ -53,5 +49,12 @@ secretEncryptionKeys = { teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; }; + + wireguardDevices = [ + { # dumpyourvms + publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk="; + allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ]; + } + ]; }; }