From a5f1832d07a436fad968c393d910dbe2d7f76589 Mon Sep 17 00:00:00 2001
From: reo101
Date: Mon, 8 Jan 2024 23:44:22 +0200
Subject: [PATCH] fix(wireguard)!: `AllowedIPs` semantics
Also add `limonka` and `peshoDjam` peers
---
 .../nixos/x86_64-linux/jeeves/wireguard.nix | 76 ++++++++++---------
 .../jeeves/wireguard/{private.age => key.age} | 0
 secrets/home/jeeves/wireguard/key.pub | 1 +
 3 files changed, 42 insertions(+), 35 deletions(-)
 rename secrets/home/jeeves/wireguard/{private.age => key.age} (100%)
 create mode 100644 secrets/home/jeeves/wireguard/key.pub
diff --git a/machines/nixos/x86_64-linux/jeeves/wireguard.nix b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
index aa6d6e9..68bf730 100644
--- a/machines/nixos/x86_64-linux/jeeves/wireguard.nix
+++ b/machines/nixos/x86_64-linux/jeeves/wireguard.nix
@@ -6,13 +6,13 @@
 # NOTE: key generation
 # umask 077
- # wg genkey > private
- # wg pubkey < private > public
+ # wg genkey > key
+ # wg pubkey < key > key.pub
 # Server
- age.secrets."wireguard.private" = {
+ age.secrets."wireguard.privateKey" = {
 mode = "077";
- rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/private.age";
+ rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/key.age";
 generator = {
 script = {lib, pkgs, file, ...}: ''
 priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
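Review bot: `mode = "077";` on the renamed `age.secrets."wireguard.privateKey"` attribute (the context line right after the `+ age.secrets."wireguard.privateKey" = {` line) looks like the umask from the comment above pasted into a chmod field: agenix applies `mode` as permission bits, so 077 gives the owner no access and grants group and world read/write/execute on the decrypted private key, which is the opposite of what a key file needs. `PrivateKeyFile` is consumed by systemd-networkd, which presumably runs unprivileged as the `systemd-network` user on this host, so the usual shape is `mode = "0440"; group = "systemd-network";` (or `owner = "systemd-network"; mode = "0400";`) so that only that service can read the key; I would also add `# chmod bits, not a umask: keep the private key unreadable to other users` next to it. The secret attribute set continues past the end of the hunk (the generator script is cut off), so the remaining options are not visible here.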
@@ -32,40 +32,46 @@
 MTUBytes = "1300";
 };
 wireguardConfig = {
- PrivateKeyFile = config.age.secrets."wireguard.private".path;
+ PrivateKeyFile = config.age.secrets."wireguard.privateKey".path;
 ListenPort = 51820;
 };
- wireguardPeers = [
- {
- # cheetah
- wireguardPeerConfig = {
- PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
- AllowedIPs = [
- "0.0.0.0/0"
- # "::/0"
- ];
+ wireguardPeers =
+ lib.mapAttrsToList
+ (host: peerConfig: {
+ wireguardPeerConfig = peerConfig;
+ })
+ {
+ cheetah = {
+ PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
+ AllowedIPs = [
+ "10.100.0.2/32"
+ "0.0.0.0/0"
+ # "::/0"
+ ];
+ };
+ limonka = {
+ PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
+ AllowedIPs = [
+ "10.100.0.3/32"
+ "192.168.1.123/32"
+ "0.0.0.0/0"
+ ];
+ };
+ peshoDjam = {
+ PublicKey = "37QEe3Lsq5BTIzxqAh9z7clHYeaOaMH31oqi5YvAPBY=";
+ AllowedIPs = [
+ "10.100.0.4/32"
+ "192.168.1.134/32"
+ ];
+ };
+ s42 = {
+ PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
+ AllowedIPs = [
+ "10.100.0.5/32"
+ "0.0.0.0/0"
+ ];
+ };
+ };
- }
- {
- # limonka
- wireguardPeerConfig = {
- PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
- AllowedIPs = [
- "0.0.0.0/0"
- # "192.168.1.0/24"
- ];
- };
- }
- {
- # s42
- wireguardPeerConfig = {
- PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
- AllowedIPs = [
- "0.0.0.0/0"
- ];
- };
- }
- ];
 };
 };
 networks.wg0 = {
diff --git a/secrets/home/jeeves/wireguard/private.age b/secrets/home/jeeves/wireguard/key.age
similarity index 100%
rename from secrets/home/jeeves/wireguard/private.age
rename to secrets/home/jeeves/wireguard/key.age
diff --git a/secrets/home/jeeves/wireguard/key.pub b/secrets/home/jeeves/wireguard/key.pub
new file mode 100644
index 0000000..62218c1
--- /dev/null
+++ b/secrets/home/jeeves/wireguard/key.pub
@@ -0,0 +1 @@
+U6nnTD+EzeF4qfs5KJTwWc2Im700qKbbCmIVLatXa1Q=
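Review bot: `"0.0.0.0/0"` is still listed under `AllowedIPs` for cheetah, limonka and s42, and WireGuard's cryptokey routing binds each allowed prefix to exactly one peer, so the kernel keeps the catch-all only for the peer configured last and silently drops it from the others; with `lib.mapAttrsToList` iterating in attribute-name order that would presumably end up being s42. On this server side `AllowedIPs` is the set of source addresses jeeves accepts from a peer (and, only if `RouteTable=` is enabled outside this hunk, the destinations routed to it), so the new per-peer `/32` entries are what carry the semantics the commit title refers to, while the catch-all additionally makes jeeves accept packets from that peer with any source address. I would remove the three `"0.0.0.0/0"` lines from the server config, or, if one peer is genuinely meant as a default route for jeeves, keep it on that single peer with a comment such as `# default route for jeeves; must stay unique across peers`. The `netdevs` attribute set being edited starts before the hunk (`MTUBytes` is mid-attrset) and the hunk ends inside `networks.wg0`.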