From 941eff6d8735d6e89bef9bdeaa8fa043975d09b1 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 30 May 2024 19:17:21 +0200
Subject: [PATCH] tankstelle: configure wireguard
---
 hosts/nachtigall/wireguard.nix | 9 ++++++
 hosts/tankstelle/default.nix | 2 +-
 hosts/tankstelle/wireguard.nix | 35 ++++++++-------------
 modules/core/networking.nix | 1 -
 secrets/secrets.nix | 1 +
 secrets/tankstelle-wg-private-key.age | 45 +++++++++++++++++++++++++++
 terraform/dns.tf | 5 +++
 7 files changed, 74 insertions(+), 24 deletions(-)
 create mode 100644 secrets/tankstelle-wg-private-key.age
diff --git a/hosts/nachtigall/wireguard.nix b/hosts/nachtigall/wireguard.nix
index 3008ef3..ff47d92 100644
--- a/hosts/nachtigall/wireguard.nix
+++ b/hosts/nachtigall/wireguard.nix
@@ -28,6 +28,15 @@
 "fd00:fae:fae:fae:fae:2::/96"
 ];
 }
+ {
+ # tankstelle.pub.solar
+ endpoint = "80.244.242.5:51820";
+ publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
+ allowedIPs = [
+ "10.7.6.4/32"
+ "fd00:fae:fae:fae:fae:4::/96"
+ ];
+ }
 ];
 };
 };
diff --git a/hosts/tankstelle/default.nix b/hosts/tankstelle/default.nix
index 724a1fc..a379466 100644
--- a/hosts/tankstelle/default.nix
+++ b/hosts/tankstelle/default.nix
@@ -7,7 +7,7 @@
 ./networking.nix
 ./forgejo-actions-runner.nix
- #./wireguard.nix
+ ./wireguard.nix
 #./backups.nix
 ];
 }
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix
index 0eef697..2100d43 100644
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
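Review bot: The new peer's IPv6 allowedIPs entry `"fd00:fae:fae:fae:fae:4::/96"` authorises tankstelle to source packets from, and (with the NixOS module's default route handling) gives nachtigall a route for, a 2^32-address block rather than the single tunnel address the host is assigned in hosts/tankstelle/wireguard.nix. The existing flora-6 peer uses the same /96 pattern, so this is consistent with the file, but if each host is meant to own exactly one address the tighter cryptokey-routing entry is `"fd00:fae:fae:fae:fae:4::/128"`, matched by a /128 in tankstelle's own `ips`. The endpoint `80.244.242.5` is also repeated verbatim as the A record in terraform/dns.tf with nothing tying the two together; a one-line comment such as `# endpoint must match the tankstelle A record in terraform/dns.tf` would make the coupling visible. The enclosing `peers` list starts before this hunk.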
@@ -7,27 +7,18 @@
 {
 networking.firewall.allowedUDPPorts = [ 51820 ];
- age.secrets.wg-private-key.file = "${flake.self}/secrets/metronom-wg-private-key.age";
+ age.secrets.wg-private-key.file = "${flake.self}/secrets/tankstelle-wg-private-key.age";
 networking.wireguard.interfaces = {
 wg-ssh = {
 listenPort = 51820;
 mtu = 1300;
 ips = [
- "10.7.6.3/32"
- "fd00:fae:fae:fae:fae:3::/96"
+ "10.7.6.4/32"
+ "fd00:fae:fae:fae:fae:4::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
 peers = flake.self.logins.admins.wireguardDevices ++ [
- {
- # flora-6.pub.solar
- endpoint = "80.71.153.210:51820";
- publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
- allowedIPs = [
- "10.7.6.2/32"
- "fd00:fae:fae:fae:fae:2::/96"
- ];
- }
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
@@ -41,14 +32,14 @@
 };
 };
- services.openssh.listenAddresses = [
- {
- addr = "10.7.6.3";
- port = 22;
- }
- {
- addr = "[fd00:fae:fae:fae:fae:3::]";
- port = 22;
- }
- ];
+ #services.openssh.listenAddresses = [
+ # {
+ # addr = "10.7.6.4";
+ # port = 22;
+ # }
+ # {
+ # addr = "[fd00:fae:fae:fae:fae:4::]";
+ # port = 22;
+ # }
+ #];
 }
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index 7354897..765fdd4 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@@ -28,7 +28,6 @@
 networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
 networking.hosts = {
- "138.201.80.102" = [ "git.${config.pub-solar-os.networking.domain}" ];
 "10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
 "10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
 };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6ed622d..2f19b43 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
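Review bot: The rewritten peer list drops flora-6 (10.7.6.2) while modules/core/networking.nix, changed in this same commit, still pins `"10.7.6.2"` to `flora-6.${domain}` on every host, so on tankstelle that name resolves to an address that no wg-ssh peer will carry; nothing in the hunk records whether that is intended or just not yet wired up. A short comment above the list, `# flora-6 is deliberately not peered from tankstelle; only nachtigall and admin devices are reachable over wg-ssh`, or restoring the peer, would settle it. The nachtigall peer entry and the enclosing `wg-ssh` attrset continue past the end of this hunk.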
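Review bot: Commenting out `services.openssh.listenAddresses` makes sshd fall back to listening on all addresses, while the tunnel is named `wg-ssh` and modules/core/networking.nix only opens TCP 22 on that interface — so whether SSH is now reachable on tankstelle's public address `80.244.242.5` depends on `services.openssh.openFirewall`, which NixOS defaults to true unless the host sets it elsewhere (not visible here). If the block was disabled because sshd could not bind `10.7.6.4` before the wg-ssh interface exists at boot, the usual remedy is to keep the listenAddresses and order the unit after the tunnel, something like `systemd.services.sshd.after = [ "wireguard-wg-ssh.service" ];`, rather than widening the bind; alternatively set `services.openssh.openFirewall = false;` explicitly so the interface-scoped rule is the only one admitting port 22. Either way the dead commented block should be replaced by a comment stating the reason, e.g. `# listenAddresses intentionally unset: <reason>; SSH exposure relies on networking.firewall.interfaces.wg-ssh`. The enclosing module attrset starts before this hunk.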
@@ -20,6 +20,7 @@ in
 "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys;
 "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
+ "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys;
 "flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
 "mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
diff --git a/secrets/tankstelle-wg-private-key.age b/secrets/tankstelle-wg-private-key.age
new file mode 100644
index 0000000..e668044
--- /dev/null
+++ b/secrets/tankstelle-wg-private-key.age
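Review bot: `tankstelleKeys` is referenced here but defined outside the hunk (presumably in the `let` block that the header's `in` closes), so this review cannot confirm it holds only tankstelle's own host key; every key in that list, plus every admin key, can decrypt the tunnel's private key, so it is worth checking the list has no leftover entries from the host it was copied from. The committed ciphertext header lists ten recipients (six ssh-ed25519, two ssh-rsa, two piv-p256), which should equal the result of `tankstelleKeys ++ adminKeys` — a mismatch means the file was encrypted under a different rule and will need an `agenix --rekey`. The `let` binding this line belongs to starts before the hunk.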
@@ -0,0 +1,45 @@ +age-encryption.org/v1 +-> ssh-ed25519 1X0eLA MwsWZb3girtAXvxgr3IBZhSthg5xzC2z88WIkG2GTDk +4yKFoIU/SbKcpSXYShUwEY6KV9o59bgIsDCJ0POOmZU +-> ssh-ed25519 uYcDNw 4CPU+vcJcXt+sVSD60ThkWWu87wEzo/TkFAfkJ7lAxU +K5ubfpowb/mBjRS9AaoEuPJEAy3jZQF9vBVK6+StrEE +-> ssh-rsa f5THog +GVZN3/Yl8OX+j8GuAp5ixsmz59HS+0z9OeGMoUl3m4S0kjpl39vY5+Fd5SXTtNLB +O5itG/nbo4lK/PVtH/s3UuzRlEvGzASkxTVGZAXBUgXlPf6hsUdxUhLn8G1DRTj9 +qmZyk5ERH/uqA8LIH8kBWPE8OJ9qf5oVwttOuJLlkrmiojEvbK4Egf4pBAKxv1Vu +JUwoO2W5QxB9lOkOiGOfq6e++pWL+PN1URpGFxbvmM7N6OKNhix+HV9lBdTbS4tl +uP8n0nrM5h5yh7Waz+aAVb7Wu4YgsFCEmGlhEksM/tiHFun+9kFI3xUNTTO3PbYP +KH6KAV8mOA8tL/6PNbbLmaHp5v7//5Abgjmy1BCwNe/WfZiTVLmGDaOpW7qE0pcq +h+ooOk81MenF84FRQGEEMMBVHgckxxCGYYve7bEsWMJP+ua1BmZjQu/I2LpXN6OA +KtoPcnmCGyrZMWKLVdSjzeeEqKk7wtG6BISeLdguF4pEUN2Qoqppx33UQ0ztACf1 +PHAsKbABkCG0yZz13M0bKSCP1O3HWzy2Cmw0EU+WbP6GEGCWmzZRDmjI9+CgtowH +9jz16+1k0PgO5EjV2s1Hijt0gEizl2Q07c2/BYx97951BOR9/LGVRKGtduXixf4a +qFt0Qw0JPZwP2XaXJmJ9x+4e1go5ydJFNnhcvTMUx3I +-> ssh-rsa kFDS0A +mM/LqZJl+5sDjDRhUZlPiFH43+BKkawgiPkQ6eNQmvS7fGjS6FWyGteiRdzxHax3 +y2YE0GC0EmllMfXpjidHQHd4IBP82LrAlry2if9QYOdxtPg3577EZT1XFsR4Eegx +9xuG0+UYIYoEi4wUnnc58z/lV/iCJ4hTBsSMD69ciPdUVzeaA7RoFKImuLx3zhu4 +Gc5ggAFKL9CYwMaJATB3e6+kTu3jkSUSa6vc4D0z7x7Sd2LjRN/THHlpvQQyMi4e +XREkhSNbOHp3mADLv7taFnjwUS/MltFDV8bPsemKmg+He0cVWc4JZynxaRXgdo4p +I3zkYcuWuUzWLgr6l8Aj4B7vd9tk9D0YyPmyMFWhq/IYjx62o/qTUSmBsluj2cqg +pg+45m/WTEAI7vnZXPcSlgbXyll1QE5TISqd7ugRyL3QhzR0h6TkRbMn5iCb15xy +zAgDCaN7z9Xhz9Y4zZG1zrKiF2qCNuZa6ZrgKRZLiFaVmhPvizCeYaZpRI2BfWwH +mo957eHh1//DIAbqWwRfblGZJUbuMK/vyvPoRsum3Pgft2LZLYF0U4vd8b0W5wBW +GBH3+zJBz5hhZVY96b5e70a6Uuwzub51RJlSJ07kNA/n5F1dN+8BFZlp52vCCSXQ +yzNnGZVnVF451CrsLtotzScO4r5KULpJaLK7Vkx20RE +-> piv-p256 vRzPNw AoFeX/N95u7AJHk3CEuFIf7tr0vYaGD+vFeh03kOmj2+ +qBrMOjlgPdY9hDUeMBZ/oWkduTr2fyHkQWPzjU8wsKE +-> piv-p256 zqq/iw A6134rkgfZQCqdSsE4PtaAq8QfJP5h/+L9WxfvQ6nFSg +kz/3tibowB2x7akq8slScl3XW9OcOFqUaVMA5hP03CQ +-> ssh-ed25519 YFSOsg TjpLEHbKVX8eT5FJyj5OjoczjlbfE1QxrSQV7nmK3z8 
++60JLcmaQEwEHkwRSD8ZxOVKfPfp+oCIxNz26h4EW4Q +-> ssh-ed25519 iHV63A /EMk1Hj4P0+VDBWneswmBE6rKRLuTBkcR42Y3NAGCxs +gFK/5AZAGptQ2GNbT25oiM1jENs70UYJVmBsH/9FRBE +-> ssh-ed25519 BVsyTA LwsnNWko4BLTMYIsW+iaagyTq1amhYfB+p0HUikzwT4 +7rZengSXZzlTFh/FFVS8Jt+LMJZQ2wE7F3al1+DFe9Y +-> ssh-ed25519 +3V2lQ JGc07grd52VZSARjFBckyoA7D6686kSP/rhW6B8CiCg +R77Oha9dKKYX7YxHbeiVRwpSgxNeUQcQIld1v30xwaE +--- 8J1Hx/Cb3bTUm4llIEeQx+YUwHkX9XzTIAZm+YdJxVQ +}ÙÛKuØwˆe[ªºQ +s^p§x‘æÉ¡Éi·9a;Hݲ …ÑÃynÄÁ +QáÐÌëùóƒÈÂqöekµà;j¦ùôú7È©\„ \ No newline at end of file diff --git a/terraform/dns.tf b/terraform/dns.tf index 039dd86..4fd25b1 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -19,6 +19,11 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "80.71.153.210" } + record { + hostname = "tankstelle" + type = "A" + address = "80.244.242.5" + } record { hostname = "alerts" type = "A"
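Review bot: The new record hard-codes `80.244.242.5`, the same literal used for the tankstelle peer endpoint in hosts/nachtigall/wireguard.nix, with nothing linking the two; a future address change that updates only one of them breaks the tunnel silently, so a comment on the record, `# must match the tankstelle endpoint in hosts/nachtigall/wireguard.nix`, or a shared Terraform local consumed by both would help. The neighbouring records visible in this hunk are also A-only, so the absence of an AAAA record is consistent with the file, assuming tankstelle has no public IPv6 address (not determinable from here).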