feat(jeeves): wireguard
Add separate module for `wireguard`. Rekey `jeeves_password` (use all `users`' keys). Add secrets related to Wireguard: server public/private, cheetah public. Add a `.gitignore` for the private `limonka_age` key.
parent
31d4b9561e
commit
4f5af36bc6
11 changed files with 148 additions and 32 deletions
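--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/secrets/key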
@ -4,6 +4,7 @@
|
|||
(import ./disko.nix { inherit inputs outputs; })
|
||||
inputs.agenix.nixosModules.default
|
||||
./network.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
|
||||
nixpkgs = {
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
environment.systemPackages = with pkgs; [
|
||||
];
|
||||
|
||||
# Networking
|
||||
age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
|
||||
networking.wireless = {
|
||||
iwd.enable = true;
|
||||
|
|
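--- a/machines/nixos/x86_64-linux/jeeves/wireguard.nix
+++ b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+{
+environment.systemPackages = with pkgs; [
+wireguard-tools
+];
+
+# NOTE: key generation
+# umask 077
+# wg genkey > private
+# wg pubkey < private > public
+
+# Server
+age.secrets."wireguard/server.private" = {
+file = ../../../../secrets/home/wireguard/server.private.age;
+mode = "077";
+};
+age.secrets."wireguard/server.public" = {
+file = ../../../../secrets/home/wireguard/server.public.age;
+};
+
+# Peers
+age.secrets."wireguard/cheetah.pub" = {
+file = ../../../../secrets/home/wireguard/cheetah.pub.age;
+};
+
+networking.firewall.allowedUDPPorts = [51820];
+systemd.network = {
+netdevs = {
+"50-wg0" = {
+netdevConfig = {
+Kind = "wireguard";
+Name = "wg0";
+MTUBytes = "1300";
+};
+wireguardConfig = {
+PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
+ListenPort = 51820;
+};
+wireguardPeers = [
+{
+# cheetah
+wireguardPeerConfig = {
+PublicKey = config.age.secrets."wireguard/cheetah.pub".path;
+AllowedIPs = [
+"0.0.0.0/0"
+# "::/0"
+];
+};
+}
+];
+};
+};
+networks.wg0 = {
+matchConfig.Name = "wg0";
+address = ["10.100.0.1/24"];
+networkConfig = {
+IPMasquerade = "ipv4";
+IPForward = true;
+};
+};
+};
+}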
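Review bot: `mode = "077"` on the `wireguard/server.private` secret is the chmod mode 077, i.e. no permissions for the owner and read/write/execute for group and everyone else, so the decrypted WireGuard private key ends up readable by every local user; the `umask 077` from the key-generation comment is not a file mode, and the secret should instead be `mode = "0440"; group = "systemd-network";` (the group networkd runs under) so only root and networkd can read it. The `file =` paths `server.private.age` and `server.public.age` do not match the files this commit adds and declares in the `secrets.nix` hunk (`server_private.age`, `server_public.age`), so evaluation will fail until the two agree, and `wireguard/server.public` is never referenced by the module anyway. `PublicKey` in a `[WireGuardPeer]` section takes the base64 key itself, not a file path, so `config.age.secrets."wireguard/cheetah.pub".path` will not parse as a key and networkd will drop the peer; since a public key is not secret, the simplest fix is to put the literal key in the module, e.g. `PublicKey = "<cheetah public key>";`, and drop the `cheetah.pub.age` secret. `AllowedIPs = [ "0.0.0.0/0" ]` on what appears to be the server side accepts any source address from cheetah and, together with `IPMasquerade = "ipv4"`, lets that peer send traffic with arbitrary source addresses out through the server; the peer's own tunnel address, e.g. `"10.100.0.2/32"`, is what belongs here if this host is meant to be the server.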
|
@ -1,14 +1,17 @@
|
|||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdXaWlnVnl6bStVUEpR
|
||||
c1d6a0lHL09VbVAraGtvclpJU1F6TUVCNUhRClNmVFFFVkpuNWJqUUxRTE93d3lT
|
||||
Wk1qT2oraUpSMGduOTk3NXBuMkFsbW8KLT4gc3NoLWVkMjU1MTkgdk1uYmxnIEJu
|
||||
ZUpodTN0VmRBanQwWWpIdzZvOS9HS0ZuZ05TWUtQbk5jRHI3cVNKRWcKT1IvYmpy
|
||||
Tmw5SXJHdHBCREZKWmtsZVB4WGlkVFNaNFhyRmE5R2NwdVNtcwotPiBhSi1ncmVh
|
||||
c2UgQlwKZHZQU2NwdkRhallRUStvU2tRSmVLRzN2d3NZMHVDNGxQQ01tVUZQOUQ0
|
||||
QURBbmJ1Y2hGR2VBN0xrNFR3MGMyTApUZ2xPZmVGRndFb3NwR3FwZGVoVi9XWEYw
|
||||
RGx5TDROYzJaQWFjc2UvQUs4Ci0tLSBDQy8yckEwTEttQVFIamxlM3VIVDRQZTN4
|
||||
VGZZUjZsWk9SVGR4UmtmOEU4ClM22goWXt0lCfW7h8NOsbT7DrEZ6NeOUBi/soFL
|
||||
nhAzqMKdDY5e3apubmGaerbzJ9nt22kAtnaswPA8EQF2FvdIRwiVvuPqp7sUbS/6
|
||||
8rWhNuuBqxwLCoVWUe7dkRTVwKu7Wk6stWUrhEZhOpDU9pjFIs9p4dzXD8zFBzpA
|
||||
pqn9cbRE46jheGN43sU=
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USB3bzVT
|
||||
c3M0RC9vYThYQUpoN0FKU2hpSDdOUk10cUI2Si9vNVA5UjMrOEZZClF2RytISG40
|
||||
S2tqUVo5R2RwbVhweXg5dlNlSlJXdHVMQ1NyOGY5VHNKRlUKLT4gc3NoLWVkMjU1
|
||||
MTkgV2Y4dmp3IHpLQXBabTNzaWsrQWZHSEJxdDJjOXRYZ1JJNG90RFg1L1B1dUxG
|
||||
SjFDakUKRkptYmQ4azV4VWdqSzZBTHloM203UXp5VDNKY0N1TDJTZ0FnYlBOWDlF
|
||||
awotPiBYMjU1MTkgSy9pVStZRjJKbHVJZDIwOUM1MHFoVTd0eTNmSXlyRmxJTnBr
|
||||
a2h2akJBOApic1VkdnZGUnVLZm9HbE5tZ1lzbGJSNGsxendyL0s2d3lVdnIreG42
|
||||
R1FBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBiR0dQVlFFV3grWXJQOEF4ajhtK2Yy
|
||||
akExVEpwZ1lqcW1VN1JnODJFcFQwCnhRME5iWnZnc3NUL1ZwQ1ZyakJjZWVFb3VV
|
||||
cmNpY0QyMitFNHZuakpxTmsKLT4gJHEsIixCbmwtZ3JlYXNlCmFrL1k5RTFsdndS
|
||||
N1FwTytvQQotLS0gTTlJUlJMR09lSzY2RmpSWmk4MGtJamtRdnVZM1JobUMrRUJw
|
||||
ZDgxRG9HVQo577U9ehKYysiNh7Z9o4X/xoP1eB7Igs5jQ/PFLFA0ST48NZ4GwJ1t
|
||||
0Hbm4xdx5qaI5BIlxmyDspQCtBU2MmtYYT4v0rWZcmVQdm9GLDmCFuUeiAG+X7MT
|
||||
wEqyX56oAr+ULxPO5EWoznIqv2wXantXsAGTvOKRqJuxWOleiXfAK50j4dM7jhzN
|
||||
rw2k
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
|
|
|
@ -1,20 +1,18 @@
|
|||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBuTWds
|
||||
TmVVbEVPZjNYemU5Y0srUWdabnhGZDZ6TklvYXJaWlBtTWZ3MGhJCmhWd0VqZ1lV
|
||||
djBwL05MVTZpR2xNWU9Hd0tLVWxYRExWc0ZKb1BYa3Bjc00KLT4gc3NoLWVkMjU1
|
||||
MTkgV2Y4dmp3IE4vSHF2MHdrZmVvaXluWFpuZHRSU0tTQlRwTzBUUzNDaytvL3Jt
|
||||
UEcwSE0KSkRoTlpZSmYrekRtT0ltOHNMTjVubWNLWTlDVTAvenJTcDErdHV2Z202
|
||||
VQotPiBYMjU1MTkgUjJsMmc2QjR2T0ZQbS93ZUJhUFBIbHl3RFFzRzZrclcvOG5J
|
||||
SVE0WDNUNApMZkYxeEc1ZXhMTTdVK0VBa1FLUXNscmJLWGVQRHFKQjFTaW5VTElj
|
||||
UnJBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyA4TmQxSjNDV3Q0N3hLQXhYZnBCditI
|
||||
aUtOZEpXVWpLRzF0c1h4SzZTSUZjCno0K0JhMENVY3ovMHRuL295dzI2VGtTZWt4
|
||||
SW5jWWZ6K1hLV2FCeEhEMXcKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIExkZEdwUlJp
|
||||
V09YOEdKQmtpTE9xWXRwQkRsZ1VLRUhVTWxSK1dyQ2x1eDAKc29GMEt6a3NjSzRV
|
||||
UDJBaENVYlRLS2JRM1VDK0hvN1hGdHNiYmFwM3ZWMAotPiBvP0UtZ3JlYXNlIFxG
|
||||
IHA2O1okOzVsCkYxNGRtWnQ0M2pRVW1GZWw5bExoU0ZxSmllZEN3UWs5WFZpZG1V
|
||||
RWhaUC9xSTFpQk9TaFhDOGxOZmk0YVJ4cjYKYzhPM3AxZC8raXVnUVh3ZlF3U0Vy
|
||||
UUxMTytOb2tEOE1kU3RpaW15WWg1K1lTVXBnc29hU1k0TQotLS0gbzc3dHdJQ0pB
|
||||
VmxzZ1FhTmo0UUc0RldKclZzZkNBb1FlNUNBZjJBekp6MArQ+1zBESesqZ6HtsI2
|
||||
jdZVixj3TeSsdLzfW68kVyrBhUdV+r9zT3YHyHx0Qv9mr5alvdxTJxG00zJ7q0+u
|
||||
kmDgK/mnCmVwn/bRGyPtYXJdF1i2YgT/enkZhA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBKNjdl
|
||||
alVqNE5WY21yS2QxWndJOE9vSzRiWlhjSWNtR2dMdFA2ZE5kWUNvCjkrQVppSzdw
|
||||
ZXo1cEVEUXZ6WVBVcTYwVWRhRFBxUUxqS0dnVlZGUWtmYjQKLT4gc3NoLWVkMjU1
|
||||
MTkgV2Y4dmp3IGQzeDZGTUFGeFhoYVpEeDZZT1hLUjhkak90cnhTeThkcnlQMFU1
|
||||
RUxEbVkKNy8zQmpUdE1NVnNCYTYyRmZ6bmhMRUttS0RNU3UxOU5RT0swRmpTeGpX
|
||||
SQotPiBYMjU1MTkgcC9hMHpEMWl0WndmQzM2dm9MWG9reWpxVE5DeXRUcjRwQmp1
|
||||
RG5jeHBpMAptK3dXcStRcnBaMWRGZytQMDJQNFNiOU5ZVzZKczNwWEp5ZWVDbmdw
|
||||
QS9RCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNMHN6Z0V5YWJzMnJ6RklpbFBpVUVw
|
||||
OGdPRTl6Smo4RGxuZWtBelhrNW1rCnBFWjRlQWpjOW9TNHFSVFBSVStSalpTcUt4
|
||||
T3kxVmZxZkc0VzQ2ZlN2WHMKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIG00eEhHSlhi
|
||||
bWMxOG02aFVBZEZGQnJxSFdRNmduRWVnN0lKQzlJMUVBVXcKbC9RYW1qS0p2Nld5
|
||||
UnVUb0xYTTYrVmxXQ2lMUG5rK3owOXJxMkR1MkZORQotPiA7emJcOi8tZ3JlYXNl
|
||||
CjJlQXdqdVpsc3NIZmxlcU1YOXZmM2xsSHE0Vm1qK3ovcThaTlBYREgKLS0tIENr
|
||||
TFN1MGlRbVM4NWZ4YWFJc0tWR3prUVZaVGkveW5taFdGWjZqZkZJS0kKSaZHvA62
|
||||
8AclIn54Dic5oyFpzGBIm321rTRsVWPmdTPkWiFpTEYdIFBJXAkpl3zC/exGPrZe
|
||||
ZRUAUT0rxIfx/9OlF3NkrcwAI4crdeDd9HQzMnQFAw8CXVs=
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
|
|
15
secrets/home/wireguard/cheetah.pub.age
Normal file
|
@ -0,0 +1,15 @@
|
|||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBvVUor
|
||||
bGVuY2FwK0VwdkVxV1VIRmhXU0NrSDRQcUREeEJYRGJYREpUUm5vCkJWVUZFZGNx
|
||||
VGFUbmJWdy9vMjQzeU5TbVY4MDlaaGwzWEU4ZHAvK2hLNkUKLT4gc3NoLWVkMjU1
|
||||
MTkgV2Y4dmp3IHdxbkRodDNEMkcra1FrUHoxckIxaUU0aSt1T09LV25kVm02K1BM
|
||||
R0NvUTQKZ1BFSG1KNnphNVdDNXhyUmxPcjAwbDN5RWRNOWxpbUZJTGwyVnBwcWNi
|
||||
SQotPiBYMjU1MTkgUnZONFVKUGFZTDhzNDE2YS93Y0xrbEVVMXpwK2pWcCt1V2Jn
|
||||
YXp5RmdWbwplb3pkbU9UaVVFaDAxSDM1VEdVV1VzY3E0TWx3UWhxOGcxa29tQUIy
|
||||
U3c4Ci0+IHNzaC1lZDI1NTE5IHZNbmJsZyBneis4MExsSWxwcnN0ZmVUVEl0dzlE
|
||||
eWdqWHBPdDd5Q2VFQWNXMkltWm5NCnMzWm94SUFiU3dJYmdhMWpUM05aNlV6OG8z
|
||||
T3oxdUg0ZnUyOVc0T2M4cGcKLT4gJX4tZ3JlYXNlIDAjeFkKdHRkL2p4OThPM2ln
|
||||
bzlOSitseDQ3YVNKNlEKLS0tIEtlZzhyRHVlbmhSWmFHTVZGM29ycXNUSnJjK3FJ
|
||||
bmRvdk1xYkRKUVQ3c2sKY6ZetgsnlZtGTcDepuS1/vOnI9ksYgkk6gvMfgX+XyzE
|
||||
EQOjj/XkiDwSG8GWtd2dEJxUdUgJitob3wMtRVeozege+G9yYqFo0qAAcPE=
|
||||
-----END AGE ENCRYPTED FILE-----
|
16
secrets/home/wireguard/server_private.age
Normal file
|
@ -0,0 +1,16 @@
|
|||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USByZnZh
|
||||
NFhQSEZqSFdsNnRHT2Y0VEtrWUkyVG54aUNwUEQxNk5VYmU1S21vCngxeUFLVTVx
|
||||
QXR2U2paQmE3SERyWjViOENrNnRyaUxQS2dKSHg2NVdIRUkKLT4gc3NoLWVkMjU1
|
||||
MTkgV2Y4dmp3IEdKbWNLRnJ5aWZvamJNY2hnTENvUUExQnIxMzVrejNua3Mvc3Zp
|
||||
c2plV2MKZVJuNW5UOVIxZUlUOUc1dmFKbHJSaWhRYTQwNXkzdkp5WWwwWVhxbjNR
|
||||
SQotPiBYMjU1MTkgOXB3Wk83ZGtRNWpCUFZlQXBDb09ycXlnbjNmNXRjYWF6Q21V
|
||||
dG5MOThDZwp0RTFZRk9uZnFqakQvSU94cGlPSHd4WTBkQS9GODJIRWV6OWdTclpP
|
||||
UFpFCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBkdG5qU2g5SUFrMUhtRW50blZ1eThx
|
||||
eTRVNFUyTHVtMlpFQkR3YllkZkRRCmdhb3h6Q1hKdFJXR0duQ2xLbXZ1alZxOWZV
|
||||
dzA0aXgwdnlZbzdqR0p2dmsKLT4gQFpANy8hLWdyZWFzZQpQc1p5SU1hZ0l1TzdC
|
||||
TDlWSW5HbFZvNHRTNVh2U2xZcHVzMmxaWG5jZ200Vy94elZKVkd1cTYzeTgvRWp3
|
||||
N0w5ClRDSQotLS0gRUtqVXJ2d0VGT2srQUx2SmJxckRXbWZMZlhZbU9ZcVNhVFJE
|
||||
SjZpYTNzSQqogzeEZyuK0GpIxT5ZRkfzuPaoXYL5ayljbXoPCtwZNdCLX6a0Yrna
|
||||
2XX9IQF4oKf5Zb5hALG0KznFrtnF0+QmbOO1sp93TDSaiexQ1A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
17
secrets/home/wireguard/server_public.age
Normal file
|
@ -0,0 +1,17 @@
|
|||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBVNHMv
|
||||
MncvRmNpUjVRT2k2d0ZPbWVPOTdjWlJkMDMwYjQrUWxVRGpyWTNjClBLMnk4MTZp
|
||||
YXlVR1A0ajhIV3NDTEFRNkVPZmo1WWs0VWk2ZFRTS0QxWWcKLT4gc3NoLWVkMjU1
|
||||
MTkgV2Y4dmp3IHArZ1ZmNlFTRjBJV1JjWFlhMUg4UkdqcTBqTHJsYXV2dmJ5eWNZ
|
||||
Z2hHSDQKOWdyZFdTSXozSndhK1pkaE81VVl2QncwdnlteUtla1RrUXlRNW90TDZl
|
||||
dwotPiBYMjU1MTkgK2gzb2FseHNwQ010a2x0QzBEcWx5VUs3TWcyYWQ2MHB6WGs2
|
||||
Zzl2Nm1qVQo2TTdWMllsenM2MnRQZk5YWE9kSEY3YVFvd0FYbnlNdncxcDZhUkNY
|
||||
OU1NCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNaFpKK1YzTzdZbUpmUTJ0V0NjeUo4
|
||||
eThYSzFZTFhCSEtYWGFUbmgvakI4CkdNMmp5WnZOMmpWQy9JQjBJU21DbTFHUTJ2
|
||||
b2NoTlRpR21BR3B1MlhiMmcKLT4gKS1ncmVhc2UgVgphcDJYdjZWNnArVEJGUExF
|
||||
dnRob2UxTE1hTXQ5Y0lmSXBwQTNRYjF5WTkrWjZEZnhuVDFTWkNkOUpWZTUyVzRv
|
||||
CktaNmp1elI2TEN4ZmdubEU1em5hRDUvdi9BcWRHVmhWZWdXWG5PaisKLS0tIGxZ
|
||||
aVlXbmFLK3QyRHBsUVhVdEQvalpOeTFTcWJCNVd6QnhtdW9YWFA3c00KwrHWxx7T
|
||||
O9MvLcn3YRXtyeoW+x8V3rOP2kHBXgMZql14lhrMqHy1x2znW6nuOw6KLcBI9ZM9
|
||||
KmbyPo8m8uL+b9/J7HirLjG0CgTfCdM=
|
||||
-----END AGE ENCRYPTED FILE-----
|
|
@ -22,5 +22,8 @@ let
|
|||
in
|
||||
{
|
||||
"home/wifi.env.age".publicKeys = users ++ systems;
|
||||
"home/jeeves_password.age".publicKeys = [ limonka_age jeeves_system ];
|
||||
"home/jeeves_password.age".publicKeys = users ++ [ jeeves_system ];
|
||||
"home/wireguard/server_private.age".publicKeys = users ++ [ jeeves_system ];
|
||||
"home/wireguard/server_public.age".publicKeys = users ++ [ jeeves_system ];
|
||||
"home/wireguard/cheetah.pub.age".publicKeys = users ++ [ jeeves_system ];
|
||||
}
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
deploy-rs
|
||||
# inputs.agenix.packages.${pkgs.system}.agenix
|
||||
inputs.ragenix.packages.${pkgs.system}.ragenix
|
||||
wireguard-tools
|
||||
rage
|
||||
];
|
||||
}
|
||||
|
|