From 3058e51478473e9ba6c1f840055c39b5d8994898 Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Fri, 23 Dec 2022 09:20:53 +0100
Subject: [PATCH] Add wireguard configuration for Horus
---
 machines/loki/configuration.nix | 33 ++++++++++++++++++++++++++++++++-
 machines/loki/secrets.yaml | 5 +++--
 2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/machines/loki/configuration.nix b/machines/loki/configuration.nix
index b77927c..6b24076 100644
--- a/machines/loki/configuration.nix
+++ b/machines/loki/configuration.nix
@@ -1,5 +1,5 @@
 { nixos-hardware, ... }:
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
 imports = [
 nixos-hardware.nixosModules.common-cpu-amd
@@ -123,6 +123,9 @@
 4101
 4102
 20048
+
+ # WireGuard
+ 51820
 ];
 
 allowedTCPPortRanges = [
@@ -136,6 +139,33 @@
 ];
 # };
 };
+
+ wireguard.interfaces = {
+ wghorus = {
+ ips = [ "10.10.4.2/24" ];
+ listenPort = 51820;
+
+ privateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
+
+ postSetup = ''
+ ${pkgs.systemd}/bin/resolvectl dns wghorus 192.168.4.1
+ ${pkgs.systemd}/bin/resolvectl domain wghorus bedum.horus.nu internal.horus.nu
+ '';
+ postShutdown = ''
+ ${pkgs.systemd}/bin/resolvectl dns wghorus ""
+ ${pkgs.systemd}/bin/resolvectl domain wghorus ""
+ '';
+
+ peers = [
+ {
+ publicKey = "6faxlUG8+F7uVrKk/OJqqy5k2+OzrhXc/cV6Zsfbl0c=";
+ allowedIPs = [ "192.168.4.0/23" "192.168.6.0/24" "192.168.7.0/24" "192.168.8.0/24" ];
+ endpoint = "212.45.34.195:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
 };
 
 systemd.network = {
@@ -196,6 +226,7 @@
 livebook-password = {
 owner = "erwin";
 };
+ wireguard-horus-privkey = { };
 };
 
 # This value determines the NixOS release from which the default
diff --git a/machines/loki/secrets.yaml b/machines/loki/secrets.yaml
index ee63bed..05bd491 100644
--- a/machines/loki/secrets.yaml
+++ b/machines/loki/secrets.yaml
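Review bot: In machines/loki/configuration.nix, the second hunk adds `51820` to the port list that closes just before `allowedTCPPortRanges`; the list's opening line is outside the hunk, but if it is `allowedTCPPorts` the entry opens a TCP port for a protocol that only speaks UDP. If inbound handshakes are needed, the entry belongs in `networking.firewall.allowedUDPPorts = [ 51820 ];`. Since the only peer has a fixed `endpoint` and `persistentKeepalive = 25`, loki initiates the tunnel and replies are presumably admitted by connection tracking, so the inbound opening can probably be dropped entirely.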
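Review bot: In the `wireguard.interfaces.wghorus` hunk of machines/loki/configuration.nix, the peer's `allowedIPs` accepts traffic sourced from all of 192.168.4.0/23 and 192.168.6.0/24 through 192.168.8.0/24, and nothing in the hunk limits what those hosts can reach on loki. The firewall ports visible in the previous hunk (4101, 4102, 20048) appear to sit in a global list, so they would also be reachable over the tunnel. If the remote site is less trusted than the local LAN, either narrow `allowedIPs` to the hosts loki actually needs, or move the service ports into `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts` so the tunnel interface does not inherit them. A short comment above `peers` naming the remote site and why each range is routed would record the trust decision.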
@@ -3,6 +3,7 @@ gh_token: ENC[AES256_GCM,data:7DBVEdZLReJQsyUoO9fITtHhE0UFcHr7XWod5XiaQ5iiwcI01t
 livebook_cookie: ENC[AES256_GCM,data:ZB7u8BWNn7x2O00YTALYTwNi/obq8nH3mI01Bd8UxPg=,iv:JVpPJaB6O7oRjYqYuEueT812U0Bn8mUCOLDwpAU5yTs=,tag:GIkodjTt9mRLQZ0UAtJszg==,type:str]
 livebook-password: ENC[AES256_GCM,data:FaMIr0GxLTvAzrYt7blGbJuGDbr+lDiIMnvY2c/r,iv:SKKKYYRYLGtRGgaHs7zAnH8n0HZiGaoAlLAptUPaa/c=,tag:vgBGhmXH/QpTbKjbrQEhKw==,type:str]
 renovate_env: ENC[AES256_GCM,data:mzeS0FXsycD4hWMzRMgeEgTY+x2QtYtxmhcFCJcjwlD/q577kprHaU8otr1sOu9mwNud7K8kJGk=,iv:MMhr6CPsyvmP7+dKJUwt9cjnATm9JKZ/KbG4Dkj7hJ0=,tag:ubLmcW/CtT/uPiyswvr93w==,type:str]
+wireguard-horus-privkey: ENC[AES256_GCM,data:JVhdbvNqfdPWFCg24F56Hmu1Tf/EA6BOqa1uPuu8C/FrJhNaGi4S+KYOook=,iv:z8cq4C5vu/QqJ3UZdL1zEH22Ht3rKSbdHgAQbRSk8Kk=,tag:AVBvV8wJqw5jgDRiES89eQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -27,8 +28,8 @@ sops:
 T2d0VmRoQ1J1d05weFF6ZnZteVd6SWMKRcASrez/JICMurAuQJaW3GIS7lXPUOoj
 KLYA7ComIU00hewiugZGSrcvmnJ5fuEMERx9yk+6NrxsBGoExaddag==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-08T22:54:16Z"
- mac: ENC[AES256_GCM,data:jnNNYQmv1iAoybGSQ/0BohA3AVNuptSDPWwyCSSOY9UKtIHDORhP6Qs9fUCsyuOnGjwZvvvxQRdhw8aB0WW17R+Ekv0d/15ErCLdjJfV81rSd3KmgyDOSdtTK1CoXRRyeM9LvVPb+hBKH7AvDTtpg74EJGnppWWE3br61nwdrrM=,iv:ok3m49f6ZvGh2khX34hXsliSnWoeR0CtfWyCW6+pQlA=,tag:a07WUaaJK6mgsROilBIXLA==,type:str]
+ lastmodified: "2022-12-20T13:49:30Z"
+ mac: ENC[AES256_GCM,data:rg46RoKf6RnOblrpkbdHVKFCm+gapgEhQxvfPU6XavHtTgrXLbdBaIqckrrAtkLf9MIHoOYipoIA2GmJ4ST9OMhE9q11fqNufXGn9Iae/6QgAqSLHNrPEoBvMExB6T8lLBt7OhuHcMcIZRQzqUOfQWw0BHO0vLDAWHUN7zxPY64=,iv:Zf2/PCEqgXrPhQY/jaJy6SE3gyc7i8dG2KViyWe4SiM=,tag:f+pibCxjdhrOVkPhPiFxow==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3