From 4f5af36bc616c466375c1a93f40e48e8c987a5a9 Mon Sep 17 00:00:00 2001
From: reo101
Date: Mon, 23 Oct 2023 08:47:06 +0300
Subject: [PATCH] feat(jeeves): wireguard

Add separate module for `wireguard`
Rekey `jeeves_password` (use all `users`' keys)
Add secrets related to Wireguard: server public/private, cheetah public
Add a `.gitignore` for the private `limonka_age` key
---
 .gitignore | 1 +
 .../x86_64-linux/jeeves/configuration.nix | 1 +
 .../nixos/x86_64-linux/jeeves/network.nix | 1 -
 .../nixos/x86_64-linux/jeeves/wireguard.nix | 62 +++++++++++++++++++
 secrets/home/jeeves_password.age | 27 ++++----
 secrets/home/wifi.env.age | 34 +++++-----
 secrets/home/wireguard/cheetah.pub.age | 15 +++++
 secrets/home/wireguard/server_private.age | 16 +++++
 secrets/home/wireguard/server_public.age | 17 +++++
 secrets/secrets.nix | 5 +-
 shells/default/default.nix | 1 +
 11 files changed, 148 insertions(+), 32 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 machines/nixos/x86_64-linux/jeeves/wireguard.nix
 create mode 100644 secrets/home/wireguard/cheetah.pub.age
 create mode 100644 secrets/home/wireguard/server_private.age
 create mode 100644 secrets/home/wireguard/server_public.age

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..27ccac0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/secrets/key
diff --git a/machines/nixos/x86_64-linux/jeeves/configuration.nix b/machines/nixos/x86_64-linux/jeeves/configuration.nix
index a9ac85d..5129709 100644
--- a/machines/nixos/x86_64-linux/jeeves/configuration.nix
+++ b/machines/nixos/x86_64-linux/jeeves/configuration.nix
@@ -4,6 +4,7 @@
 (import ./disko.nix { inherit inputs outputs; })
 inputs.agenix.nixosModules.default
 ./network.nix
+ ./wireguard.nix
 ];
 nixpkgs = {
diff --git a/machines/nixos/x86_64-linux/jeeves/network.nix b/machines/nixos/x86_64-linux/jeeves/network.nix
index 3978637..aa46231 100644
--- a/machines/nixos/x86_64-linux/jeeves/network.nix
+++ b/machines/nixos/x86_64-linux/jeeves/network.nix
@@ -3,7 +3,6 @@
 environment.systemPackages = with pkgs; [
 ];
- # Networking
 age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
 networking.wireless = {
 iwd.enable = true;
diff --git a/machines/nixos/x86_64-linux/jeeves/wireguard.nix b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
new file mode 100644
index 0000000..f863c39
--- /dev/null
+++ b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ # NOTE: key generation
+ # umask 077
+ # wg genkey > private
+ # wg pubkey < private > public
+
+ # Server
+ age.secrets."wireguard/server.private" = {
+ file = ../../../../secrets/home/wireguard/server.private.age;
+ mode = "077";
+ };
+ age.secrets."wireguard/server.public" = {
+ file = ../../../../secrets/home/wireguard/server.public.age;
+ };
+
+ # Peers
+ age.secrets."wireguard/cheetah.pub" = {
+ file = ../../../../secrets/home/wireguard/cheetah.pub.age;
+ };
+
+ networking.firewall.allowedUDPPorts = [51820];
+ systemd.network = {
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ MTUBytes = "1300";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
+ ListenPort = 51820;
+ };
+ wireguardPeers = [
+ {
+ # cheetah
+ wireguardPeerConfig = {
+ PublicKey = config.age.secrets."wireguard/cheetah.pub".path;
+ AllowedIPs = [
+ "0.0.0.0/0"
+ # "::/0"
+ ];
+ };
+ }
+ ];
+ };
+ };
+ networks.wg0 = {
+ matchConfig.Name = "wg0";
+ address = ["10.100.0.1/24"];
+ networkConfig = {
+ IPMasquerade = "ipv4";
+ IPForward = true;
+ };
+ };
+ };
+}
diff --git a/secrets/home/jeeves_password.age b/secrets/home/jeeves_password.age
index 46851f6..80e0f0b 100644
--- a/secrets/home/jeeves_password.age
+++ b/secrets/home/jeeves_password.age
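Review bot: `mode = "077"` on `age.secrets."wireguard/server.private"` clears the owner bits and grants rwx to group and world, so the decrypted WireGuard private key ends up readable by every local account; the value looks like the `umask 077` from the comment above it copied in as a chmod mode, and it should be `mode = "0400"` with `owner = "systemd-network"` (the user networkd runs as on NixOS and therefore the reader of `PrivateKeyFile`), or a `group = "systemd-network"; mode = "0440";` equivalent. The two server `file` paths end in `server.private.age` / `server.public.age`, while the files this commit adds and declares in `secrets/secrets.nix` are `server_private.age` / `server_public.age`, so evaluation fails until the names agree (and `wireguard/server.public` is never read anywhere in the module). `PublicKey` in `wireguardPeerConfig` receives a filesystem path, but networkd's `[WireGuardPeer] PublicKey=` takes the base64 key itself and has no `PublicKeyFile=` counterpart, so the peer key has to be given inline. `AllowedIPs = ["0.0.0.0/0"]` on the server side of the tunnel accepts any source address arriving from cheetah and steers all of wg0's outbound traffic to that one peer, which also collides with any second peer added later; a gateway normally lists only the peer's own tunnel address.
```nix
  # Server
  age.secrets."wireguard/server.private" = {
    file = ../../../../secrets/home/wireguard/server_private.age;
    owner = "systemd-network";   # networkd reads PrivateKeyFile as this user
    mode = "0400";
  };
  age.secrets."wireguard/server.public" = {
    file = ../../../../secrets/home/wireguard/server_public.age;
  };
  # … unchanged: cheetah.pub secret, firewall, netdevConfig, wireguardConfig …
          wireguardPeers = [
            {
              # cheetah
              wireguardPeerConfig = {
                # networkd wants the key inline; <CHEETAH_WG_PUBLIC_KEY> is a placeholder for the base64 value
                PublicKey = "<CHEETAH_WG_PUBLIC_KEY>";
                # constructed example: the peer's own address inside 10.100.0.0/24
                AllowedIPs = [ "10.100.0.2/32" ];
              };
            }
          ];
```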
@@ -1,14 +1,17 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdXaWlnVnl6bStVUEpR -c1d6a0lHL09VbVAraGtvclpJU1F6TUVCNUhRClNmVFFFVkpuNWJqUUxRTE93d3lT -Wk1qT2oraUpSMGduOTk3NXBuMkFsbW8KLT4gc3NoLWVkMjU1MTkgdk1uYmxnIEJu -ZUpodTN0VmRBanQwWWpIdzZvOS9HS0ZuZ05TWUtQbk5jRHI3cVNKRWcKT1IvYmpy -Tmw5SXJHdHBCREZKWmtsZVB4WGlkVFNaNFhyRmE5R2NwdVNtcwotPiBhSi1ncmVh -c2UgQlwKZHZQU2NwdkRhallRUStvU2tRSmVLRzN2d3NZMHVDNGxQQ01tVUZQOUQ0 -QURBbmJ1Y2hGR2VBN0xrNFR3MGMyTApUZ2xPZmVGRndFb3NwR3FwZGVoVi9XWEYw -RGx5TDROYzJaQWFjc2UvQUs4Ci0tLSBDQy8yckEwTEttQVFIamxlM3VIVDRQZTN4 -VGZZUjZsWk9SVGR4UmtmOEU4ClM22goWXt0lCfW7h8NOsbT7DrEZ6NeOUBi/soFL -nhAzqMKdDY5e3apubmGaerbzJ9nt22kAtnaswPA8EQF2FvdIRwiVvuPqp7sUbS/6 -8rWhNuuBqxwLCoVWUe7dkRTVwKu7Wk6stWUrhEZhOpDU9pjFIs9p4dzXD8zFBzpA -pqn9cbRE46jheGN43sU= +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USB3bzVT +c3M0RC9vYThYQUpoN0FKU2hpSDdOUk10cUI2Si9vNVA5UjMrOEZZClF2RytISG40 +S2tqUVo5R2RwbVhweXg5dlNlSlJXdHVMQ1NyOGY5VHNKRlUKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IHpLQXBabTNzaWsrQWZHSEJxdDJjOXRYZ1JJNG90RFg1L1B1dUxG +SjFDakUKRkptYmQ4azV4VWdqSzZBTHloM203UXp5VDNKY0N1TDJTZ0FnYlBOWDlF +awotPiBYMjU1MTkgSy9pVStZRjJKbHVJZDIwOUM1MHFoVTd0eTNmSXlyRmxJTnBr +a2h2akJBOApic1VkdnZGUnVLZm9HbE5tZ1lzbGJSNGsxendyL0s2d3lVdnIreG42 +R1FBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBiR0dQVlFFV3grWXJQOEF4ajhtK2Yy +akExVEpwZ1lqcW1VN1JnODJFcFQwCnhRME5iWnZnc3NUL1ZwQ1ZyakJjZWVFb3VV +cmNpY0QyMitFNHZuakpxTmsKLT4gJHEsIixCbmwtZ3JlYXNlCmFrL1k5RTFsdndS +N1FwTytvQQotLS0gTTlJUlJMR09lSzY2RmpSWmk4MGtJamtRdnVZM1JobUMrRUJw +ZDgxRG9HVQo577U9ehKYysiNh7Z9o4X/xoP1eB7Igs5jQ/PFLFA0ST48NZ4GwJ1t +0Hbm4xdx5qaI5BIlxmyDspQCtBU2MmtYYT4v0rWZcmVQdm9GLDmCFuUeiAG+X7MT +wEqyX56oAr+ULxPO5EWoznIqv2wXantXsAGTvOKRqJuxWOleiXfAK50j4dM7jhzN +rw2k -----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wifi.env.age b/secrets/home/wifi.env.age index d9cd420..0e207fe 100644 --- a/secrets/home/wifi.env.age +++ b/secrets/home/wifi.env.age 
@@ -1,20 +1,18 @@ -----BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBuTWds -TmVVbEVPZjNYemU5Y0srUWdabnhGZDZ6TklvYXJaWlBtTWZ3MGhJCmhWd0VqZ1lV -djBwL05MVTZpR2xNWU9Hd0tLVWxYRExWc0ZKb1BYa3Bjc00KLT4gc3NoLWVkMjU1 -MTkgV2Y4dmp3IE4vSHF2MHdrZmVvaXluWFpuZHRSU0tTQlRwTzBUUzNDaytvL3Jt -UEcwSE0KSkRoTlpZSmYrekRtT0ltOHNMTjVubWNLWTlDVTAvenJTcDErdHV2Z202 -VQotPiBYMjU1MTkgUjJsMmc2QjR2T0ZQbS93ZUJhUFBIbHl3RFFzRzZrclcvOG5J -SVE0WDNUNApMZkYxeEc1ZXhMTTdVK0VBa1FLUXNscmJLWGVQRHFKQjFTaW5VTElj -UnJBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyA4TmQxSjNDV3Q0N3hLQXhYZnBCditI -aUtOZEpXVWpLRzF0c1h4SzZTSUZjCno0K0JhMENVY3ovMHRuL295dzI2VGtTZWt4 -SW5jWWZ6K1hLV2FCeEhEMXcKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIExkZEdwUlJp -V09YOEdKQmtpTE9xWXRwQkRsZ1VLRUhVTWxSK1dyQ2x1eDAKc29GMEt6a3NjSzRV -UDJBaENVYlRLS2JRM1VDK0hvN1hGdHNiYmFwM3ZWMAotPiBvP0UtZ3JlYXNlIFxG -IHA2O1okOzVsCkYxNGRtWnQ0M2pRVW1GZWw5bExoU0ZxSmllZEN3UWs5WFZpZG1V -RWhaUC9xSTFpQk9TaFhDOGxOZmk0YVJ4cjYKYzhPM3AxZC8raXVnUVh3ZlF3U0Vy -UUxMTytOb2tEOE1kU3RpaW15WWg1K1lTVXBnc29hU1k0TQotLS0gbzc3dHdJQ0pB -VmxzZ1FhTmo0UUc0RldKclZzZkNBb1FlNUNBZjJBekp6MArQ+1zBESesqZ6HtsI2 -jdZVixj3TeSsdLzfW68kVyrBhUdV+r9zT3YHyHx0Qv9mr5alvdxTJxG00zJ7q0+u -kmDgK/mnCmVwn/bRGyPtYXJdF1i2YgT/enkZhA== +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBKNjdl +alVqNE5WY21yS2QxWndJOE9vSzRiWlhjSWNtR2dMdFA2ZE5kWUNvCjkrQVppSzdw +ZXo1cEVEUXZ6WVBVcTYwVWRhRFBxUUxqS0dnVlZGUWtmYjQKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IGQzeDZGTUFGeFhoYVpEeDZZT1hLUjhkak90cnhTeThkcnlQMFU1 +RUxEbVkKNy8zQmpUdE1NVnNCYTYyRmZ6bmhMRUttS0RNU3UxOU5RT0swRmpTeGpX +SQotPiBYMjU1MTkgcC9hMHpEMWl0WndmQzM2dm9MWG9reWpxVE5DeXRUcjRwQmp1 +RG5jeHBpMAptK3dXcStRcnBaMWRGZytQMDJQNFNiOU5ZVzZKczNwWEp5ZWVDbmdw +QS9RCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNMHN6Z0V5YWJzMnJ6RklpbFBpVUVw +OGdPRTl6Smo4RGxuZWtBelhrNW1rCnBFWjRlQWpjOW9TNHFSVFBSVStSalpTcUt4 +T3kxVmZxZkc0VzQ2ZlN2WHMKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIG00eEhHSlhi +bWMxOG02aFVBZEZGQnJxSFdRNmduRWVnN0lKQzlJMUVBVXcKbC9RYW1qS0p2Nld5 
+UnVUb0xYTTYrVmxXQ2lMUG5rK3owOXJxMkR1MkZORQotPiA7emJcOi8tZ3JlYXNl +CjJlQXdqdVpsc3NIZmxlcU1YOXZmM2xsSHE0Vm1qK3ovcThaTlBYREgKLS0tIENr +TFN1MGlRbVM4NWZ4YWFJc0tWR3prUVZaVGkveW5taFdGWjZqZkZJS0kKSaZHvA62 +8AclIn54Dic5oyFpzGBIm321rTRsVWPmdTPkWiFpTEYdIFBJXAkpl3zC/exGPrZe +ZRUAUT0rxIfx/9OlF3NkrcwAI4crdeDd9HQzMnQFAw8CXVs= -----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wireguard/cheetah.pub.age b/secrets/home/wireguard/cheetah.pub.age new file mode 100644 index 0000000..d1decf3 --- /dev/null +++ b/secrets/home/wireguard/cheetah.pub.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBvVUor +bGVuY2FwK0VwdkVxV1VIRmhXU0NrSDRQcUREeEJYRGJYREpUUm5vCkJWVUZFZGNx +VGFUbmJWdy9vMjQzeU5TbVY4MDlaaGwzWEU4ZHAvK2hLNkUKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IHdxbkRodDNEMkcra1FrUHoxckIxaUU0aSt1T09LV25kVm02K1BM +R0NvUTQKZ1BFSG1KNnphNVdDNXhyUmxPcjAwbDN5RWRNOWxpbUZJTGwyVnBwcWNi +SQotPiBYMjU1MTkgUnZONFVKUGFZTDhzNDE2YS93Y0xrbEVVMXpwK2pWcCt1V2Jn +YXp5RmdWbwplb3pkbU9UaVVFaDAxSDM1VEdVV1VzY3E0TWx3UWhxOGcxa29tQUIy +U3c4Ci0+IHNzaC1lZDI1NTE5IHZNbmJsZyBneis4MExsSWxwcnN0ZmVUVEl0dzlE +eWdqWHBPdDd5Q2VFQWNXMkltWm5NCnMzWm94SUFiU3dJYmdhMWpUM05aNlV6OG8z +T3oxdUg0ZnUyOVc0T2M4cGcKLT4gJX4tZ3JlYXNlIDAjeFkKdHRkL2p4OThPM2ln +bzlOSitseDQ3YVNKNlEKLS0tIEtlZzhyRHVlbmhSWmFHTVZGM29ycXNUSnJjK3FJ +bmRvdk1xYkRKUVQ3c2sKY6ZetgsnlZtGTcDepuS1/vOnI9ksYgkk6gvMfgX+XyzE +EQOjj/XkiDwSG8GWtd2dEJxUdUgJitob3wMtRVeozege+G9yYqFo0qAAcPE= +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wireguard/server_private.age b/secrets/home/wireguard/server_private.age new file mode 100644 index 0000000..590a658 --- /dev/null +++ b/secrets/home/wireguard/server_private.age 
@@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USByZnZh +NFhQSEZqSFdsNnRHT2Y0VEtrWUkyVG54aUNwUEQxNk5VYmU1S21vCngxeUFLVTVx +QXR2U2paQmE3SERyWjViOENrNnRyaUxQS2dKSHg2NVdIRUkKLT4gc3NoLWVkMjU1 +MTkgV2Y4dmp3IEdKbWNLRnJ5aWZvamJNY2hnTENvUUExQnIxMzVrejNua3Mvc3Zp +c2plV2MKZVJuNW5UOVIxZUlUOUc1dmFKbHJSaWhRYTQwNXkzdkp5WWwwWVhxbjNR +SQotPiBYMjU1MTkgOXB3Wk83ZGtRNWpCUFZlQXBDb09ycXlnbjNmNXRjYWF6Q21V +dG5MOThDZwp0RTFZRk9uZnFqakQvSU94cGlPSHd4WTBkQS9GODJIRWV6OWdTclpP +UFpFCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBkdG5qU2g5SUFrMUhtRW50blZ1eThx +eTRVNFUyTHVtMlpFQkR3YllkZkRRCmdhb3h6Q1hKdFJXR0duQ2xLbXZ1alZxOWZV +dzA0aXgwdnlZbzdqR0p2dmsKLT4gQFpANy8hLWdyZWFzZQpQc1p5SU1hZ0l1TzdC +TDlWSW5HbFZvNHRTNVh2U2xZcHVzMmxaWG5jZ200Vy94elZKVkd1cTYzeTgvRWp3 +N0w5ClRDSQotLS0gRUtqVXJ2d0VGT2srQUx2SmJxckRXbWZMZlhZbU9ZcVNhVFJE +SjZpYTNzSQqogzeEZyuK0GpIxT5ZRkfzuPaoXYL5ayljbXoPCtwZNdCLX6a0Yrna +2XX9IQF4oKf5Zb5hALG0KznFrtnF0+QmbOO1sp93TDSaiexQ1A== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/home/wireguard/server_public.age b/secrets/home/wireguard/server_public.age new file mode 100644 index 0000000..d225a7d --- /dev/null +++ b/secrets/home/wireguard/server_public.age 
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBVNHMv
+MncvRmNpUjVRT2k2d0ZPbWVPOTdjWlJkMDMwYjQrUWxVRGpyWTNjClBLMnk4MTZp
+YXlVR1A0ajhIV3NDTEFRNkVPZmo1WWs0VWk2ZFRTS0QxWWcKLT4gc3NoLWVkMjU1
+MTkgV2Y4dmp3IHArZ1ZmNlFTRjBJV1JjWFlhMUg4UkdqcTBqTHJsYXV2dmJ5eWNZ
+Z2hHSDQKOWdyZFdTSXozSndhK1pkaE81VVl2QncwdnlteUtla1RrUXlRNW90TDZl
+dwotPiBYMjU1MTkgK2gzb2FseHNwQ010a2x0QzBEcWx5VUs3TWcyYWQ2MHB6WGs2
+Zzl2Nm1qVQo2TTdWMllsenM2MnRQZk5YWE9kSEY3YVFvd0FYbnlNdncxcDZhUkNY
+OU1NCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNaFpKK1YzTzdZbUpmUTJ0V0NjeUo4
+eThYSzFZTFhCSEtYWGFUbmgvakI4CkdNMmp5WnZOMmpWQy9JQjBJU21DbTFHUTJ2
+b2NoTlRpR21BR3B1MlhiMmcKLT4gKS1ncmVhc2UgVgphcDJYdjZWNnArVEJGUExF
+dnRob2UxTE1hTXQ5Y0lmSXBwQTNRYjF5WTkrWjZEZnhuVDFTWkNkOUpWZTUyVzRv
+CktaNmp1elI2TEN4ZmdubEU1em5hRDUvdi9BcWRHVmhWZWdXWG5PaisKLS0tIGxZ
+aVlXbmFLK3QyRHBsUVhVdEQvalpOeTFTcWJCNVd6QnhtdW9YWFA3c00KwrHWxx7T
+O9MvLcn3YRXtyeoW+x8V3rOP2kHBXgMZql14lhrMqHy1x2znW6nuOw6KLcBI9ZM9
+KmbyPo8m8uL+b9/J7HirLjG0CgTfCdM=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7e60eea..28c5098 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,5 +22,8 @@ let
 in {
 "home/wifi.env.age".publicKeys = users ++ systems;
- "home/jeeves_password.age".publicKeys = [ limonka_age jeeves_system ];
+ "home/jeeves_password.age".publicKeys = users ++ [ jeeves_system ];
+ "home/wireguard/server_private.age".publicKeys = users ++ [ jeeves_system ];
+ "home/wireguard/server_public.age".publicKeys = users ++ [ jeeves_system ];
+ "home/wireguard/cheetah.pub.age".publicKeys = users ++ [ jeeves_system ];
 }
diff --git a/shells/default/default.nix b/shells/default/default.nix
index bb3c7db..291880d 100644
--- a/shells/default/default.nix
+++ b/shells/default/default.nix
@@ -14,6 +14,7 @@
 deploy-rs
 # inputs.agenix.packages.${pkgs.system}.agenix
 inputs.ragenix.packages.${pkgs.system}.ragenix
+ wireguard-tools
 rage
 ];
 }
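Review bot: `home/wireguard/server_public.age` and `home/wireguard/cheetah.pub.age` in this hunk encrypt public keys, which carry nothing confidential, so the agenix wrapping adds recipient management and a boot-time decryption step without a security gain. Keeping the two `.pub` values as plain files in the repository (or as literals at the point of use) is simpler and removes two entries from the `users ++ [ jeeves_system ]` recipient lists. If the indirection is deliberate, a one-line comment above those entries saying why (for instance `# public keys kept encrypted only so all material for wg0 lives under secrets/`) would spare the next reader the same question.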