feat(jeeves): wireguard
Add separate module for `wireguard` Rekey `jeeves_password` (use all `users`' keys) Add secrets related to Wireguard: server public/private, cheetah public Add a `.gitignore` for the private `limonka_age` key
This commit is contained in:
parent
31d4b9561e
commit
4f5af36bc6
11 changed files with 148 additions and 32 deletions
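--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/secrets/key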
@ -4,6 +4,7 @@
|
||||||
(import ./disko.nix { inherit inputs outputs; })
|
(import ./disko.nix { inherit inputs outputs; })
|
||||||
inputs.agenix.nixosModules.default
|
inputs.agenix.nixosModules.default
|
||||||
./network.nix
|
./network.nix
|
||||||
|
./wireguard.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
nixpkgs = {
|
nixpkgs = {
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
];
|
];
|
||||||
|
|
||||||
# Networking
|
|
||||||
age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
|
age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
|
||||||
networking.wireless = {
|
networking.wireless = {
|
||||||
iwd.enable = true;
|
iwd.enable = true;
|
||||||
|
|
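--- a/machines/nixos/x86_64-linux/jeeves/wireguard.nix
+++ b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+{
+environment.systemPackages = with pkgs; [
+wireguard-tools
+];
+
+# NOTE: key generation
+# umask 077
+# wg genkey > private
+# wg pubkey < private > public
+
+# Server
+age.secrets."wireguard/server.private" = {
+file = ../../../../secrets/home/wireguard/server.private.age;
+mode = "077";
+};
+age.secrets."wireguard/server.public" = {
+file = ../../../../secrets/home/wireguard/server.public.age;
+};
+
+# Peers
+age.secrets."wireguard/cheetah.pub" = {
+file = ../../../../secrets/home/wireguard/cheetah.pub.age;
+};
+
+networking.firewall.allowedUDPPorts = [51820];
+systemd.network = {
+netdevs = {
+"50-wg0" = {
+netdevConfig = {
+Kind = "wireguard";
+Name = "wg0";
+MTUBytes = "1300";
+};
+wireguardConfig = {
+PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
+ListenPort = 51820;
+};
+wireguardPeers = [
+{
+# cheetah
+wireguardPeerConfig = {
+PublicKey = config.age.secrets."wireguard/cheetah.pub".path;
+AllowedIPs = [
+"0.0.0.0/0"
+# "::/0"
+];
+};
+}
+];
+};
+};
+networks.wg0 = {
+matchConfig.Name = "wg0";
+address = ["10.100.0.1/24"];
+networkConfig = {
+IPMasquerade = "ipv4";
+IPForward = true;
+};
+};
+};
+}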
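Review bot: `mode = "077";` on the `wireguard/server.private` secret grants read/write/execute to group and others while stripping the owner's bits — it mirrors the `umask 077` quoted in the comment above, but a file mode is the complement of a umask, so this leaves the WireGuard private key readable by every local account; drop the line (agenix defaults to `0400`) or set `mode = "0400";`. The secret paths `server.private.age` and `server.public.age` do not match the files this commit adds (`server_private.age`, `server_public.age`) or the names in secrets.nix, so evaluation will fail until the spellings agree. `PublicKey` in `[WireGuardPeer]` takes the base64 key itself, not a file path, so `config.age.secrets."wireguard/cheetah.pub".path` will be rejected by networkd; since a peer's public key is not confidential, inlining it as a literal (`PublicKey = "<cheetah public key>";`) removes the need for that secret altogether. `AllowedIPs = ["0.0.0.0/0"]` on the server side accepts any source address arriving from the cheetah peer and, if routes are installed for it, would steer all of the server's traffic into the tunnel; a hub configuration normally lists only the peer's tunnel address within 10.100.0.0/24, for example `"10.100.0.2/32"`.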
@ -1,14 +1,17 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdXaWlnVnl6bStVUEpR
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USB3bzVT
|
||||||
c1d6a0lHL09VbVAraGtvclpJU1F6TUVCNUhRClNmVFFFVkpuNWJqUUxRTE93d3lT
|
c3M0RC9vYThYQUpoN0FKU2hpSDdOUk10cUI2Si9vNVA5UjMrOEZZClF2RytISG40
|
||||||
Wk1qT2oraUpSMGduOTk3NXBuMkFsbW8KLT4gc3NoLWVkMjU1MTkgdk1uYmxnIEJu
|
S2tqUVo5R2RwbVhweXg5dlNlSlJXdHVMQ1NyOGY5VHNKRlUKLT4gc3NoLWVkMjU1
|
||||||
ZUpodTN0VmRBanQwWWpIdzZvOS9HS0ZuZ05TWUtQbk5jRHI3cVNKRWcKT1IvYmpy
|
MTkgV2Y4dmp3IHpLQXBabTNzaWsrQWZHSEJxdDJjOXRYZ1JJNG90RFg1L1B1dUxG
|
||||||
Tmw5SXJHdHBCREZKWmtsZVB4WGlkVFNaNFhyRmE5R2NwdVNtcwotPiBhSi1ncmVh
|
SjFDakUKRkptYmQ4azV4VWdqSzZBTHloM203UXp5VDNKY0N1TDJTZ0FnYlBOWDlF
|
||||||
c2UgQlwKZHZQU2NwdkRhallRUStvU2tRSmVLRzN2d3NZMHVDNGxQQ01tVUZQOUQ0
|
awotPiBYMjU1MTkgSy9pVStZRjJKbHVJZDIwOUM1MHFoVTd0eTNmSXlyRmxJTnBr
|
||||||
QURBbmJ1Y2hGR2VBN0xrNFR3MGMyTApUZ2xPZmVGRndFb3NwR3FwZGVoVi9XWEYw
|
a2h2akJBOApic1VkdnZGUnVLZm9HbE5tZ1lzbGJSNGsxendyL0s2d3lVdnIreG42
|
||||||
RGx5TDROYzJaQWFjc2UvQUs4Ci0tLSBDQy8yckEwTEttQVFIamxlM3VIVDRQZTN4
|
R1FBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBiR0dQVlFFV3grWXJQOEF4ajhtK2Yy
|
||||||
VGZZUjZsWk9SVGR4UmtmOEU4ClM22goWXt0lCfW7h8NOsbT7DrEZ6NeOUBi/soFL
|
akExVEpwZ1lqcW1VN1JnODJFcFQwCnhRME5iWnZnc3NUL1ZwQ1ZyakJjZWVFb3VV
|
||||||
nhAzqMKdDY5e3apubmGaerbzJ9nt22kAtnaswPA8EQF2FvdIRwiVvuPqp7sUbS/6
|
cmNpY0QyMitFNHZuakpxTmsKLT4gJHEsIixCbmwtZ3JlYXNlCmFrL1k5RTFsdndS
|
||||||
8rWhNuuBqxwLCoVWUe7dkRTVwKu7Wk6stWUrhEZhOpDU9pjFIs9p4dzXD8zFBzpA
|
N1FwTytvQQotLS0gTTlJUlJMR09lSzY2RmpSWmk4MGtJamtRdnVZM1JobUMrRUJw
|
||||||
pqn9cbRE46jheGN43sU=
|
ZDgxRG9HVQo577U9ehKYysiNh7Z9o4X/xoP1eB7Igs5jQ/PFLFA0ST48NZ4GwJ1t
|
||||||
|
0Hbm4xdx5qaI5BIlxmyDspQCtBU2MmtYYT4v0rWZcmVQdm9GLDmCFuUeiAG+X7MT
|
||||||
|
wEqyX56oAr+ULxPO5EWoznIqv2wXantXsAGTvOKRqJuxWOleiXfAK50j4dM7jhzN
|
||||||
|
rw2k
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
|
|
@ -1,20 +1,18 @@
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBuTWds
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBKNjdl
|
||||||
TmVVbEVPZjNYemU5Y0srUWdabnhGZDZ6TklvYXJaWlBtTWZ3MGhJCmhWd0VqZ1lV
|
alVqNE5WY21yS2QxWndJOE9vSzRiWlhjSWNtR2dMdFA2ZE5kWUNvCjkrQVppSzdw
|
||||||
djBwL05MVTZpR2xNWU9Hd0tLVWxYRExWc0ZKb1BYa3Bjc00KLT4gc3NoLWVkMjU1
|
ZXo1cEVEUXZ6WVBVcTYwVWRhRFBxUUxqS0dnVlZGUWtmYjQKLT4gc3NoLWVkMjU1
|
||||||
MTkgV2Y4dmp3IE4vSHF2MHdrZmVvaXluWFpuZHRSU0tTQlRwTzBUUzNDaytvL3Jt
|
MTkgV2Y4dmp3IGQzeDZGTUFGeFhoYVpEeDZZT1hLUjhkak90cnhTeThkcnlQMFU1
|
||||||
UEcwSE0KSkRoTlpZSmYrekRtT0ltOHNMTjVubWNLWTlDVTAvenJTcDErdHV2Z202
|
RUxEbVkKNy8zQmpUdE1NVnNCYTYyRmZ6bmhMRUttS0RNU3UxOU5RT0swRmpTeGpX
|
||||||
VQotPiBYMjU1MTkgUjJsMmc2QjR2T0ZQbS93ZUJhUFBIbHl3RFFzRzZrclcvOG5J
|
SQotPiBYMjU1MTkgcC9hMHpEMWl0WndmQzM2dm9MWG9reWpxVE5DeXRUcjRwQmp1
|
||||||
SVE0WDNUNApMZkYxeEc1ZXhMTTdVK0VBa1FLUXNscmJLWGVQRHFKQjFTaW5VTElj
|
RG5jeHBpMAptK3dXcStRcnBaMWRGZytQMDJQNFNiOU5ZVzZKczNwWEp5ZWVDbmdw
|
||||||
UnJBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyA4TmQxSjNDV3Q0N3hLQXhYZnBCditI
|
QS9RCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNMHN6Z0V5YWJzMnJ6RklpbFBpVUVw
|
||||||
aUtOZEpXVWpLRzF0c1h4SzZTSUZjCno0K0JhMENVY3ovMHRuL295dzI2VGtTZWt4
|
OGdPRTl6Smo4RGxuZWtBelhrNW1rCnBFWjRlQWpjOW9TNHFSVFBSVStSalpTcUt4
|
||||||
SW5jWWZ6K1hLV2FCeEhEMXcKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIExkZEdwUlJp
|
T3kxVmZxZkc0VzQ2ZlN2WHMKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIG00eEhHSlhi
|
||||||
V09YOEdKQmtpTE9xWXRwQkRsZ1VLRUhVTWxSK1dyQ2x1eDAKc29GMEt6a3NjSzRV
|
bWMxOG02aFVBZEZGQnJxSFdRNmduRWVnN0lKQzlJMUVBVXcKbC9RYW1qS0p2Nld5
|
||||||
UDJBaENVYlRLS2JRM1VDK0hvN1hGdHNiYmFwM3ZWMAotPiBvP0UtZ3JlYXNlIFxG
|
UnVUb0xYTTYrVmxXQ2lMUG5rK3owOXJxMkR1MkZORQotPiA7emJcOi8tZ3JlYXNl
|
||||||
IHA2O1okOzVsCkYxNGRtWnQ0M2pRVW1GZWw5bExoU0ZxSmllZEN3UWs5WFZpZG1V
|
CjJlQXdqdVpsc3NIZmxlcU1YOXZmM2xsSHE0Vm1qK3ovcThaTlBYREgKLS0tIENr
|
||||||
RWhaUC9xSTFpQk9TaFhDOGxOZmk0YVJ4cjYKYzhPM3AxZC8raXVnUVh3ZlF3U0Vy
|
TFN1MGlRbVM4NWZ4YWFJc0tWR3prUVZaVGkveW5taFdGWjZqZkZJS0kKSaZHvA62
|
||||||
UUxMTytOb2tEOE1kU3RpaW15WWg1K1lTVXBnc29hU1k0TQotLS0gbzc3dHdJQ0pB
|
8AclIn54Dic5oyFpzGBIm321rTRsVWPmdTPkWiFpTEYdIFBJXAkpl3zC/exGPrZe
|
||||||
VmxzZ1FhTmo0UUc0RldKclZzZkNBb1FlNUNBZjJBekp6MArQ+1zBESesqZ6HtsI2
|
ZRUAUT0rxIfx/9OlF3NkrcwAI4crdeDd9HQzMnQFAw8CXVs=
|
||||||
jdZVixj3TeSsdLzfW68kVyrBhUdV+r9zT3YHyHx0Qv9mr5alvdxTJxG00zJ7q0+u
|
|
||||||
kmDgK/mnCmVwn/bRGyPtYXJdF1i2YgT/enkZhA==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
|
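--- a/secrets/home/wireguard/cheetah.pub.age
+++ b/secrets/home/wireguard/cheetah.pub.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBvVUor
+bGVuY2FwK0VwdkVxV1VIRmhXU0NrSDRQcUREeEJYRGJYREpUUm5vCkJWVUZFZGNx
+VGFUbmJWdy9vMjQzeU5TbVY4MDlaaGwzWEU4ZHAvK2hLNkUKLT4gc3NoLWVkMjU1
+MTkgV2Y4dmp3IHdxbkRodDNEMkcra1FrUHoxckIxaUU0aSt1T09LV25kVm02K1BM
+R0NvUTQKZ1BFSG1KNnphNVdDNXhyUmxPcjAwbDN5RWRNOWxpbUZJTGwyVnBwcWNi
+SQotPiBYMjU1MTkgUnZONFVKUGFZTDhzNDE2YS93Y0xrbEVVMXpwK2pWcCt1V2Jn
+YXp5RmdWbwplb3pkbU9UaVVFaDAxSDM1VEdVV1VzY3E0TWx3UWhxOGcxa29tQUIy
+U3c4Ci0+IHNzaC1lZDI1NTE5IHZNbmJsZyBneis4MExsSWxwcnN0ZmVUVEl0dzlE
+eWdqWHBPdDd5Q2VFQWNXMkltWm5NCnMzWm94SUFiU3dJYmdhMWpUM05aNlV6OG8z
+T3oxdUg0ZnUyOVc0T2M4cGcKLT4gJX4tZ3JlYXNlIDAjeFkKdHRkL2p4OThPM2ln
+bzlOSitseDQ3YVNKNlEKLS0tIEtlZzhyRHVlbmhSWmFHTVZGM29ycXNUSnJjK3FJ
+bmRvdk1xYkRKUVQ3c2sKY6ZetgsnlZtGTcDepuS1/vOnI9ksYgkk6gvMfgX+XyzE
+EQOjj/XkiDwSG8GWtd2dEJxUdUgJitob3wMtRVeozege+G9yYqFo0qAAcPE=
+-----END AGE ENCRYPTED FILE-----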
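--- a/secrets/home/wireguard/server_private.age
+++ b/secrets/home/wireguard/server_private.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USByZnZh
+NFhQSEZqSFdsNnRHT2Y0VEtrWUkyVG54aUNwUEQxNk5VYmU1S21vCngxeUFLVTVx
+QXR2U2paQmE3SERyWjViOENrNnRyaUxQS2dKSHg2NVdIRUkKLT4gc3NoLWVkMjU1
+MTkgV2Y4dmp3IEdKbWNLRnJ5aWZvamJNY2hnTENvUUExQnIxMzVrejNua3Mvc3Zp
+c2plV2MKZVJuNW5UOVIxZUlUOUc1dmFKbHJSaWhRYTQwNXkzdkp5WWwwWVhxbjNR
+SQotPiBYMjU1MTkgOXB3Wk83ZGtRNWpCUFZlQXBDb09ycXlnbjNmNXRjYWF6Q21V
+dG5MOThDZwp0RTFZRk9uZnFqakQvSU94cGlPSHd4WTBkQS9GODJIRWV6OWdTclpP
+UFpFCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBkdG5qU2g5SUFrMUhtRW50blZ1eThx
+eTRVNFUyTHVtMlpFQkR3YllkZkRRCmdhb3h6Q1hKdFJXR0duQ2xLbXZ1alZxOWZV
+dzA0aXgwdnlZbzdqR0p2dmsKLT4gQFpANy8hLWdyZWFzZQpQc1p5SU1hZ0l1TzdC
+TDlWSW5HbFZvNHRTNVh2U2xZcHVzMmxaWG5jZ200Vy94elZKVkd1cTYzeTgvRWp3
+N0w5ClRDSQotLS0gRUtqVXJ2d0VGT2srQUx2SmJxckRXbWZMZlhZbU9ZcVNhVFJE
+SjZpYTNzSQqogzeEZyuK0GpIxT5ZRkfzuPaoXYL5ayljbXoPCtwZNdCLX6a0Yrna
+2XX9IQF4oKf5Zb5hALG0KznFrtnF0+QmbOO1sp93TDSaiexQ1A==
+-----END AGE ENCRYPTED FILE-----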
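--- a/secrets/home/wireguard/server_public.age
+++ b/secrets/home/wireguard/server_public.age
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBVNHMv
+MncvRmNpUjVRT2k2d0ZPbWVPOTdjWlJkMDMwYjQrUWxVRGpyWTNjClBLMnk4MTZp
+YXlVR1A0ajhIV3NDTEFRNkVPZmo1WWs0VWk2ZFRTS0QxWWcKLT4gc3NoLWVkMjU1
+MTkgV2Y4dmp3IHArZ1ZmNlFTRjBJV1JjWFlhMUg4UkdqcTBqTHJsYXV2dmJ5eWNZ
+Z2hHSDQKOWdyZFdTSXozSndhK1pkaE81VVl2QncwdnlteUtla1RrUXlRNW90TDZl
+dwotPiBYMjU1MTkgK2gzb2FseHNwQ010a2x0QzBEcWx5VUs3TWcyYWQ2MHB6WGs2
+Zzl2Nm1qVQo2TTdWMllsenM2MnRQZk5YWE9kSEY3YVFvd0FYbnlNdncxcDZhUkNY
+OU1NCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNaFpKK1YzTzdZbUpmUTJ0V0NjeUo4
+eThYSzFZTFhCSEtYWGFUbmgvakI4CkdNMmp5WnZOMmpWQy9JQjBJU21DbTFHUTJ2
+b2NoTlRpR21BR3B1MlhiMmcKLT4gKS1ncmVhc2UgVgphcDJYdjZWNnArVEJGUExF
+dnRob2UxTE1hTXQ5Y0lmSXBwQTNRYjF5WTkrWjZEZnhuVDFTWkNkOUpWZTUyVzRv
+CktaNmp1elI2TEN4ZmdubEU1em5hRDUvdi9BcWRHVmhWZWdXWG5PaisKLS0tIGxZ
+aVlXbmFLK3QyRHBsUVhVdEQvalpOeTFTcWJCNVd6QnhtdW9YWFA3c00KwrHWxx7T
+O9MvLcn3YRXtyeoW+x8V3rOP2kHBXgMZql14lhrMqHy1x2znW6nuOw6KLcBI9ZM9
+KmbyPo8m8uL+b9/J7HirLjG0CgTfCdM=
+-----END AGE ENCRYPTED FILE-----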
@ -22,5 +22,8 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
"home/wifi.env.age".publicKeys = users ++ systems;
|
"home/wifi.env.age".publicKeys = users ++ systems;
|
||||||
"home/jeeves_password.age".publicKeys = [ limonka_age jeeves_system ];
|
"home/jeeves_password.age".publicKeys = users ++ [ jeeves_system ];
|
||||||
|
"home/wireguard/server_private.age".publicKeys = users ++ [ jeeves_system ];
|
||||||
|
"home/wireguard/server_public.age".publicKeys = users ++ [ jeeves_system ];
|
||||||
|
"home/wireguard/cheetah.pub.age".publicKeys = users ++ [ jeeves_system ];
|
||||||
}
|
}
|
||||||
|
|
|
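Review bot: `server_public.age` and `cheetah.pub.age` encrypt WireGuard public keys, which are not confidential and which the netdev unit needs as literal values anyway, so keeping them as age secrets adds a rekey step on every recipient change without protecting anything; committing the public keys in plain text (or inlining them in wireguard.nix) would be simpler. Every identity in `users` can now decrypt `server_private.age`; if only some of those identities deploy jeeves, restricting that entry to them plus `jeeves_system` keeps the host's tunnel key on a need-to-know basis — I cannot see how `users` is composed, so this may already be the case. The `let` bindings this attribute set depends on start outside the hunk.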
@ -14,6 +14,7 @@
|
||||||
deploy-rs
|
deploy-rs
|
||||||
# inputs.agenix.packages.${pkgs.system}.agenix
|
# inputs.agenix.packages.${pkgs.system}.agenix
|
||||||
inputs.ragenix.packages.${pkgs.system}.ragenix
|
inputs.ragenix.packages.${pkgs.system}.ragenix
|
||||||
|
wireguard-tools
|
||||||
rage
|
rage
|
||||||
];
|
];
|
||||||
}
|
}