feat(jeeves): wireguard

Add separate module for `wireguard`
Rekey `jeeves_password` (use all `users`' keys)
Add secrets related to Wireguard: server public/private, cheetah public
Add a `.gitignore` for the private `limonka_age` key
reo101 2023-10-23 08:47:06 +03:00
parent 31d4b9561e
commit 4f5af36bc6
Signed by: reo101
GPG key ID: 675AA7EF13964ACB
11 changed files with 148 additions and 32 deletions

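--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/secrets/key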


@ -4,6 +4,7 @@
(import ./disko.nix { inherit inputs outputs; }) (import ./disko.nix { inherit inputs outputs; })
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
./network.nix ./network.nix
./wireguard.nix
]; ];
nixpkgs = { nixpkgs = {


@ -3,7 +3,6 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
]; ];
# Networking
age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age; age.secrets."home/wifi.env".file = ../../../../secrets/home/wifi.env.age;
networking.wireless = { networking.wireless = {
iwd.enable = true; iwd.enable = true;


@ -0,0 +1,62 @@
{ lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
# NOTE: key generation
# umask 077
# wg genkey > private
# wg pubkey < private > public
# Server
age.secrets."wireguard/server.private" = {
file = ../../../../secrets/home/wireguard/server.private.age;
mode = "077";
};
age.secrets."wireguard/server.public" = {
file = ../../../../secrets/home/wireguard/server.public.age;
};
# Peers
age.secrets."wireguard/cheetah.pub" = {
file = ../../../../secrets/home/wireguard/cheetah.pub.age;
};
networking.firewall.allowedUDPPorts = [51820];
systemd.network = {
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wireguard/server.private".path;
ListenPort = 51820;
};
wireguardPeers = [
{
# cheetah
wireguardPeerConfig = {
PublicKey = config.age.secrets."wireguard/cheetah.pub".path;
AllowedIPs = [
"0.0.0.0/0"
# "::/0"
];
};
}
];
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = ["10.100.0.1/24"];
networkConfig = {
IPMasquerade = "ipv4";
IPForward = true;
};
};
};
}
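Review bot: `mode = "077";` on the `wireguard/server.private` secret is octal owner-none/group-rwx/other-rwx, so the WireGuard private key is written world-readable (and unreadable by its owner); the `umask 077` in the comment above is a different thing. systemd-networkd reads `PrivateKeyFile` as the `systemd-network` user and its documentation asks for a 0640 file owned by root:systemd-network, so the secret should be `mode = "0640"; group = "systemd-network";`. Separately, `PublicKey` in `wireguardPeerConfig` takes the Base64 key string itself, not a file path (there is no `PublicKeyFile` peer option), so `config.age.secrets."wireguard/cheetah.pub".path` will not configure the peer; a peer's public key is not sensitive and can be written inline as a string literal, which also makes the unused `wireguard/server.public` secret unnecessary. Finally, `AllowedIPs = [ "0.0.0.0/0" ]` on the server side accepts packets from this peer with any source address and hands them to the forwarding/masquerading host, and only one peer can hold that range; on the server the conventional value is the client's tunnel address inside 10.100.0.0/24 (e.g. `"10.100.0.2/32"`), with `0.0.0.0/0` belonging in the client's own config.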


@ -1,14 +1,17 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbHdXaWlnVnl6bStVUEpR YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USB3bzVT
c1d6a0lHL09VbVAraGtvclpJU1F6TUVCNUhRClNmVFFFVkpuNWJqUUxRTE93d3lT c3M0RC9vYThYQUpoN0FKU2hpSDdOUk10cUI2Si9vNVA5UjMrOEZZClF2RytISG40
Wk1qT2oraUpSMGduOTk3NXBuMkFsbW8KLT4gc3NoLWVkMjU1MTkgdk1uYmxnIEJu S2tqUVo5R2RwbVhweXg5dlNlSlJXdHVMQ1NyOGY5VHNKRlUKLT4gc3NoLWVkMjU1
ZUpodTN0VmRBanQwWWpIdzZvOS9HS0ZuZ05TWUtQbk5jRHI3cVNKRWcKT1IvYmpy MTkgV2Y4dmp3IHpLQXBabTNzaWsrQWZHSEJxdDJjOXRYZ1JJNG90RFg1L1B1dUxG
Tmw5SXJHdHBCREZKWmtsZVB4WGlkVFNaNFhyRmE5R2NwdVNtcwotPiBhSi1ncmVh SjFDakUKRkptYmQ4azV4VWdqSzZBTHloM203UXp5VDNKY0N1TDJTZ0FnYlBOWDlF
c2UgQlwKZHZQU2NwdkRhallRUStvU2tRSmVLRzN2d3NZMHVDNGxQQ01tVUZQOUQ0 awotPiBYMjU1MTkgSy9pVStZRjJKbHVJZDIwOUM1MHFoVTd0eTNmSXlyRmxJTnBr
QURBbmJ1Y2hGR2VBN0xrNFR3MGMyTApUZ2xPZmVGRndFb3NwR3FwZGVoVi9XWEYw a2h2akJBOApic1VkdnZGUnVLZm9HbE5tZ1lzbGJSNGsxendyL0s2d3lVdnIreG42
RGx5TDROYzJaQWFjc2UvQUs4Ci0tLSBDQy8yckEwTEttQVFIamxlM3VIVDRQZTN4 R1FBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBiR0dQVlFFV3grWXJQOEF4ajhtK2Yy
VGZZUjZsWk9SVGR4UmtmOEU4ClM22goWXt0lCfW7h8NOsbT7DrEZ6NeOUBi/soFL akExVEpwZ1lqcW1VN1JnODJFcFQwCnhRME5iWnZnc3NUL1ZwQ1ZyakJjZWVFb3VV
nhAzqMKdDY5e3apubmGaerbzJ9nt22kAtnaswPA8EQF2FvdIRwiVvuPqp7sUbS/6 cmNpY0QyMitFNHZuakpxTmsKLT4gJHEsIixCbmwtZ3JlYXNlCmFrL1k5RTFsdndS
8rWhNuuBqxwLCoVWUe7dkRTVwKu7Wk6stWUrhEZhOpDU9pjFIs9p4dzXD8zFBzpA N1FwTytvQQotLS0gTTlJUlJMR09lSzY2RmpSWmk4MGtJamtRdnVZM1JobUMrRUJw
pqn9cbRE46jheGN43sU= ZDgxRG9HVQo577U9ehKYysiNh7Z9o4X/xoP1eB7Igs5jQ/PFLFA0ST48NZ4GwJ1t
0Hbm4xdx5qaI5BIlxmyDspQCtBU2MmtYYT4v0rWZcmVQdm9GLDmCFuUeiAG+X7MT
wEqyX56oAr+ULxPO5EWoznIqv2wXantXsAGTvOKRqJuxWOleiXfAK50j4dM7jhzN
rw2k
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -1,20 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBuTWds YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IElkcVZ1USBKNjdl
TmVVbEVPZjNYemU5Y0srUWdabnhGZDZ6TklvYXJaWlBtTWZ3MGhJCmhWd0VqZ1lV alVqNE5WY21yS2QxWndJOE9vSzRiWlhjSWNtR2dMdFA2ZE5kWUNvCjkrQVppSzdw
djBwL05MVTZpR2xNWU9Hd0tLVWxYRExWc0ZKb1BYa3Bjc00KLT4gc3NoLWVkMjU1 ZXo1cEVEUXZ6WVBVcTYwVWRhRFBxUUxqS0dnVlZGUWtmYjQKLT4gc3NoLWVkMjU1
MTkgV2Y4dmp3IE4vSHF2MHdrZmVvaXluWFpuZHRSU0tTQlRwTzBUUzNDaytvL3Jt MTkgV2Y4dmp3IGQzeDZGTUFGeFhoYVpEeDZZT1hLUjhkak90cnhTeThkcnlQMFU1
UEcwSE0KSkRoTlpZSmYrekRtT0ltOHNMTjVubWNLWTlDVTAvenJTcDErdHV2Z202 RUxEbVkKNy8zQmpUdE1NVnNCYTYyRmZ6bmhMRUttS0RNU3UxOU5RT0swRmpTeGpX
VQotPiBYMjU1MTkgUjJsMmc2QjR2T0ZQbS93ZUJhUFBIbHl3RFFzRzZrclcvOG5J SQotPiBYMjU1MTkgcC9hMHpEMWl0WndmQzM2dm9MWG9reWpxVE5DeXRUcjRwQmp1
SVE0WDNUNApMZkYxeEc1ZXhMTTdVK0VBa1FLUXNscmJLWGVQRHFKQjFTaW5VTElj RG5jeHBpMAptK3dXcStRcnBaMWRGZytQMDJQNFNiOU5ZVzZKczNwWEp5ZWVDbmdw
UnJBCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyA4TmQxSjNDV3Q0N3hLQXhYZnBCditI QS9RCi0+IHNzaC1lZDI1NTE5IHZNbmJsZyBNMHN6Z0V5YWJzMnJ6RklpbFBpVUVw
aUtOZEpXVWpLRzF0c1h4SzZTSUZjCno0K0JhMENVY3ovMHRuL295dzI2VGtTZWt4 OGdPRTl6Smo4RGxuZWtBelhrNW1rCnBFWjRlQWpjOW9TNHFSVFBSVStSalpTcUt4
SW5jWWZ6K1hLV2FCeEhEMXcKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIExkZEdwUlJp T3kxVmZxZkc0VzQ2ZlN2WHMKLT4gc3NoLWVkMjU1MTkgQjdiZXhBIG00eEhHSlhi
V09YOEdKQmtpTE9xWXRwQkRsZ1VLRUhVTWxSK1dyQ2x1eDAKc29GMEt6a3NjSzRV bWMxOG02aFVBZEZGQnJxSFdRNmduRWVnN0lKQzlJMUVBVXcKbC9RYW1qS0p2Nld5
UDJBaENVYlRLS2JRM1VDK0hvN1hGdHNiYmFwM3ZWMAotPiBvP0UtZ3JlYXNlIFxG UnVUb0xYTTYrVmxXQ2lMUG5rK3owOXJxMkR1MkZORQotPiA7emJcOi8tZ3JlYXNl
IHA2O1okOzVsCkYxNGRtWnQ0M2pRVW1GZWw5bExoU0ZxSmllZEN3UWs5WFZpZG1V CjJlQXdqdVpsc3NIZmxlcU1YOXZmM2xsSHE0Vm1qK3ovcThaTlBYREgKLS0tIENr
RWhaUC9xSTFpQk9TaFhDOGxOZmk0YVJ4cjYKYzhPM3AxZC8raXVnUVh3ZlF3U0Vy TFN1MGlRbVM4NWZ4YWFJc0tWR3prUVZaVGkveW5taFdGWjZqZkZJS0kKSaZHvA62
UUxMTytOb2tEOE1kU3RpaW15WWg1K1lTVXBnc29hU1k0TQotLS0gbzc3dHdJQ0pB 8AclIn54Dic5oyFpzGBIm321rTRsVWPmdTPkWiFpTEYdIFBJXAkpl3zC/exGPrZe
VmxzZ1FhTmo0UUc0RldKclZzZkNBb1FlNUNBZjJBekp6MArQ+1zBESesqZ6HtsI2 ZRUAUT0rxIfx/9OlF3NkrcwAI4crdeDd9HQzMnQFAw8CXVs=
jdZVixj3TeSsdLzfW68kVyrBhUdV+r9zT3YHyHx0Qv9mr5alvdxTJxG00zJ7q0+u
kmDgK/mnCmVwn/bRGyPtYXJdF1i2YgT/enkZhA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----


@ -0,0 +1,15 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,16 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -0,0 +1,17 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -22,5 +22,8 @@ let
in in
{ {
"home/wifi.env.age".publicKeys = users ++ systems; "home/wifi.env.age".publicKeys = users ++ systems;
"home/jeeves_password.age".publicKeys = [ limonka_age jeeves_system ]; "home/jeeves_password.age".publicKeys = users ++ [ jeeves_system ];
"home/wireguard/server_private.age".publicKeys = users ++ [ jeeves_system ];
"home/wireguard/server_public.age".publicKeys = users ++ [ jeeves_system ];
"home/wireguard/cheetah.pub.age".publicKeys = users ++ [ jeeves_system ];
} }
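Review bot: The two new server entries are named with underscores, `"home/wireguard/server_private.age"` and `"home/wireguard/server_public.age"`, while the module added in this commit references `secrets/home/wireguard/server.private.age` and `server.public.age` with dots, so either `agenix -e` creates files the module cannot find or the module's path evaluation fails; only `cheetah.pub.age` agrees between the two. Pick one spelling and use it in both files; the new encrypted files are not shown here with their paths, so I cannot tell which name exists on disk. The `users`, `limonka_age` and `jeeves_system` bindings come from the `let` block above the hunk.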


@ -14,6 +14,7 @@
deploy-rs deploy-rs
# inputs.agenix.packages.${pkgs.system}.agenix # inputs.agenix.packages.${pkgs.system}.agenix
inputs.ragenix.packages.${pkgs.system}.ragenix inputs.ragenix.packages.${pkgs.system}.ragenix
wireguard-tools
rage rage
]; ];
} }