From ae502375b342fa99c949e2506d3803eb7509abb7 Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Mon, 9 Dec 2024 09:45:11 +0100 Subject: [PATCH] Set up additional WireGuard tunnel --- machines/loki/configuration.nix | 45 +++++++++++++++++++++++++++++-- machines/loki/secrets.yaml | 7 ++--- machines/mimir/configuration.nix | 46 +++++++++++++++++++++++++++++--- machines/mimir/secrets.yml | 39 +++++++++++++++++++++++++++ 4 files changed, 129 insertions(+), 8 deletions(-) create mode 100644 machines/mimir/secrets.yml
diff --git a/machines/loki/configuration.nix b/machines/loki/configuration.nix
index 93474ad..3e142ea 100644
--- a/machines/loki/configuration.nix
+++ b/machines/loki/configuration.nix
@@ -285,7 +285,7 @@
 };
 wireguardConfig = {
- PrivateKeyFile = config.sops.secrets.wireguard-horus-privkey.path;
+ PrivateKeyFile = config.sops.secrets.wireguard-horus0-privkey.path;
 ListenPort = 51820;
 };
@@ -303,6 +303,29 @@
 }
 ];
 };
+
+ "11-horus1" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ MTUBytes = "1420";
+ Name = "horus1";
+ };
+
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.wireguard-horus1-privkey.path;
+ };
+
+ wireguardPeers = [
+ {
+ PublicKey = "UZGk9xoXhpHwM6jDWQvYDgJKk/OfcX9gw4iM9bPJJ00=";
+ AllowedIPs = [
+ "10.128.0.0/23"
+ ];
+ Endpoint = "212.45.34.195:51822";
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
 };
 networks = {
@@ -359,6 +382,21 @@
 }
 ];
 };
+ "41-horus1" = {
+ matchConfig = {
+ Name = "horus1";
+ };
+
+ linkConfig = {
+ ActivationPolicy = "manual";
+ };
+
+ networkConfig = {
+ DHCP = "no";
+ };
+
+ address = [ "10.128.0.2/23" ];
+ };
 };
 links = {
@@ -552,7 +590,10 @@
 livebook-password = {
 owner = "erwin";
 };
- wireguard-horus-privkey = {
+ wireguard-horus0-privkey = {
+ owner = "systemd-network";
+ };
+ wireguard-horus1-privkey = {
 owner = "systemd-network";
 };
 k3s-token = { };
diff --git a/machines/loki/secrets.yaml b/machines/loki/secrets.yaml
index a544e03..3ecedb5 100644
--- a/machines/loki/secrets.yaml 
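Review bot: The new `41-horus1` network assigns loki the tunnel address `10.128.0.2/23`, and the `41-horus1` network added to mimir in this same commit uses the identical address toward the same peer (`UZGk9xoXhpHwM6jDWQvYDgJKk/OfcX9gw4iM9bPJJ00=`), so if both hosts ever bring horus1 up at the same time the remote peer can only route that address to one of them. `ActivationPolicy = "manual"` hints that this is meant to be a one-at-a-time arrangement, but nothing in the hunk says so; a comment on the netdev such as `# horus1 is activated by hand; mimir carries the same 10.128.0.2 address, so only one host may be up at a time` would make the intent explicit. The same note applies to the mimir `41-horus1` hunk. The enclosing `netdevs` and `networks` attribute sets start outside these hunks.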
+++ b/machines/loki/secrets.yaml
@@ -3,7 +3,8 @@ gh_token: ENC[AES256_GCM,data:7DBVEdZLReJQsyUoO9fITtHhE0UFcHr7XWod5XiaQ5iiwcI01t
 livebook-env: ENC[AES256_GCM,data:n0IReqMxu0pLJZtHdoTW+AvE8eKAyLsr41GbLR4OPSTrZrRKIOscZ5KIoLGtDrCQFw==,iv:MFC78r/1mfRf8puKWxXtaQeaqhFFVdYpu1vLMCe3JiI=,tag:Wd8EG95rx75EJpt5GaQw9g==,type:str]
 livebook-password: ENC[AES256_GCM,data:FaMIr0GxLTvAzrYt7blGbJuGDbr+lDiIMnvY2c/r,iv:SKKKYYRYLGtRGgaHs7zAnH8n0HZiGaoAlLAptUPaa/c=,tag:vgBGhmXH/QpTbKjbrQEhKw==,type:str]
 renovate_env: ENC[AES256_GCM,data:mzeS0FXsycD4hWMzRMgeEgTY+x2QtYtxmhcFCJcjwlD/q577kprHaU8otr1sOu9mwNud7K8kJGk=,iv:MMhr6CPsyvmP7+dKJUwt9cjnATm9JKZ/KbG4Dkj7hJ0=,tag:ubLmcW/CtT/uPiyswvr93w==,type:str]
-wireguard-horus-privkey: ENC[AES256_GCM,data:JVhdbvNqfdPWFCg24F56Hmu1Tf/EA6BOqa1uPuu8C/FrJhNaGi4S+KYOook=,iv:z8cq4C5vu/QqJ3UZdL1zEH22Ht3rKSbdHgAQbRSk8Kk=,tag:AVBvV8wJqw5jgDRiES89eQ==,type:str]
+wireguard-horus0-privkey: ENC[AES256_GCM,data:Ro3g/O6qv8zuBOWFKmtTC7/5xxMd3O57Cj+h9n0yTn3zgE1qsWjynKEsinU=,iv:BhIgKUOmiWS8wKWBuZtoKRO+nclGBBGjCLsgeTiTLuk=,tag:DtZFgNAzx1Z2dB4cg3dXaw==,type:str]
+wireguard-horus1-privkey: ENC[AES256_GCM,data:e5WtFORl8fXtqMXC5bcs3D1rnBg1dkoc/4I5VlYM5WPeAXKIL48NBOm1yVw=,iv:vFk4FWZQyPtvqWfR9m9t8A/wt1LlwRRZVduecd+reUs=,tag:Gs3yzxy4LCoFJgMqKidSxg==,type:str]
 k3s-token: ENC[AES256_GCM,data:agr9ihvrufHJ+zsWUTT7tT6oXwhQfp1VjlzvL/YrjhfsQsWdA2wqQOBG8Fgi6gDlqz+3DwWr3wdy/jclEEwrnA==,iv:zgYrN9CSraugO+LMIpJ2jDvxjCnQ9a3GHj6ffO/K0uY=,tag:6en6lNNvNMyOVf1Rfow6ew==,type:str]
 barman-passwords: ENC[AES256_GCM,data:M7HCuXsq8kSqoEfbn94/Hdl1tvb93i5oDYOr+QeuDVD33aF/xxuOwDVZM7wz7OcuozV7f6URtMGDy26KaHqekWhn2hFoRi5WHOxjE7M6oYLP6V4F+IGQBeMOHjjzqjQ9ti/BfhGpi3oHf0RK4RxLCmoNzAfWuP6zZnCyKgwyxBVu6lCHG2I08CJ8w2novts8,iv:EMLqvGIb1WK71Aw+LWr7JrQydA89CTTOavsFUZ6M3G8=,tag:PXu0JVzHjbH9wQfijf9V7A==,type:str]
 factorio-token: ENC[AES256_GCM,data:m18pL2ck9ak7Sr/OQtxuG0rl4oXoFGCFG82Cplt0,iv:fXAkF+k1B4vzTxanPO39r7FvFPRFmpOy3My/zaOfLQE=,tag:JXotTaf4Aba9R11bSwiVbA==,type:str]
@@ -40,8 +41,8 @@ sops:
 c0dlMkVlRG9LYU00M2M3UGJpUkxDOWsKiwc5oM63ezv1TVng0zQOqILOxuRMU+j7
 hHl6AWg0iorXJ1IWmGxLINDAK/RQVEFLK6gRjfN7qB+6wdmrKl8seQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-17T10:13:01Z"
- mac: ENC[AES256_GCM,data:z/e3bOudpTvxgR0l1qMzVq1O7vsxXr7jA4YETzDI6T25bj+A2rIk4YE9PDi3rp0ADsNFy0yclknvzrkPuFlYQ+ylFzD2NJ97hbRzD3jl+NdyPdmUFU4ohkFA/EXWZ1sVWoPOogdk0Od3PUPzKpQwL3gTJB6jxSDDcy+lmRRXgDQ=,iv:BSscMpW1tVkonTIqJKkeUeG1s2ZPx4QUL97Rr+rf+7E=,tag:5RdHeD8SDzfkouM23qnH3Q==,type:str]
+ lastmodified: "2024-12-09T09:52:58Z"
+ mac: ENC[AES256_GCM,data:566st1YkfscxnkFtaSfnvfWqfdXLYILxJJLf+LeH5j5gOU5cc1bgrhtBLAzshzthhcvIP5Y+L78Nxz9Ppv9ZJrIZpnhebQ+8xG6XyF9yzv8DdbgKQxTyCcvpMrm8qqCxFv5NnfMpa2a6dUq6vS7KCM8fUmFl83eEa5ZwtT+9QAw=,iv:Xxld0/ziE4N13BjuOkFmUB7nmTtr+xo2AZPDvJRrNRU=,tag:qzvmAszZamGlywrZ2CRSLQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/machines/mimir/configuration.nix b/machines/mimir/configuration.nix
index 550d0a3..678f275 100644
--- a/machines/mimir/configuration.nix
+++ b/machines/mimir/configuration.nix
@@ -278,6 +278,31 @@
 };
 };
+ netdevs = {
+ "11-horus1" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ MTUBytes = "1420";
+ Name = "horus1";
+ };
+
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.wireguard-horus1-privkey.path;
+ };
+
+ wireguardPeers = [
+ {
+ PublicKey = "UZGk9xoXhpHwM6jDWQvYDgJKk/OfcX9gw4iM9bPJJ00=";
+ AllowedIPs = [
+ "10.128.0.0/23"
+ ];
+ EndPoint = "212.45.34.195:51822";
+ PersistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
 networks = {
 "40-enp4s0" = {
 enable = true;
@@ -310,6 +335,21 @@
 { Address = "192.168.42.10/24"; }
 ];
 };
+ "41-horus1" = {
+ matchConfig = {
+ Name = "horus1";
+ };
+
+ linkConfig = {
+ ActivationPolicy = "manual";
+ };
+
+ networkConfig = {
+ DHCP = "no";
+ };
+
+ address = [ "10.128.0.2/23" ];
+ };
 };
 };
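Review bot: `EndPoint = "212.45.34.195:51822";` in the new mimir `11-horus1` peer is not the systemd `[WireGuardPeer]` key, which is spelled `Endpoint` — the loki netdev added in this same commit uses `Endpoint`. NixOS's networkd module checks section keys when the configuration is evaluated, so I would expect this to fail the build rather than be silently dropped; either way the peer would have no endpoint to initiate the tunnel to. Change the line to `Endpoint = "212.45.34.195:51822";`. The enclosing `systemd.network` block starts outside the hunk.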
@@ -471,9 +511,9 @@
 defaultSopsFile = ./secrets.yaml;
 secrets = {
- # outline-keycloak-secret = {
- # owner = "outline";
- # };
+ wireguard-horus1-privkey = {
+ owner = "systemd-network";
+ };
 };
 };
diff --git a/machines/mimir/secrets.yml b/machines/mimir/secrets.yml
new file mode 100644
index 0000000..3652455
--- /dev/null
+++ b/machines/mimir/secrets.yml 
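Review bot: The secrets block still points sops at `defaultSopsFile = ./secrets.yaml;` (the context line at the top of this hunk), while the encrypted file this commit creates is `machines/mimir/secrets.yml`, so unless a `secrets.yaml` already exists in that directory and also carries `wireguard-horus1-privkey`, sops-nix should fail to resolve the new secret (or the path itself) when mimir is built. Either rename the new file to `secrets.yaml`, matching loki, or change the line to `defaultSopsFile = ./secrets.yml;`. The enclosing `sops` attribute set starts outside the hunk.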
@@ -0,0 +1,39 @@
+wireguard-horus1-privkey: ENC[AES256_GCM,data:swCZ55Y2OtW0r/A4u02okf4VONc24laR20bSgdK8Buw36uRfCiN/ydykaDw=,iv:TLMbiLRLdT3af6bsc9y0G+s5O1GsOoerug1IPUFhar0=,tag:HBug4T1Mi5XX282wkDYoFQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCekRnYWNKZis5OFF6bUdY
+ a3VnWXhCT3VqN0FoNVo0MXhmNGd4Q1RoeGxzCitSNld0bm55Z00rS1ExbXBSd3M5
+ U09vSnQwWmp0WmI1ckhyMGNyTzBLeUEKLS0tIE4yUUgxenlXK1lBY2ZhM0ltem9T
+ cHg5Vzd6c0ord1lYR2JGSy80MjgreEkKsaLGbqzB0q1nVKoPgP1c8rkl9euGR7rW
+ ArEguEZ390hyfyWQLvKMtrhI1zVg7ATmoN8aNaNqaRhWH4ak30oL5A==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTE9FNWphZURORGhybXRC
+ MHhSVmlxeFB0S29ncjRDSnZ0cHNyRWEvS1dBClQrcWQyUWRZSnMwNnRNbzhNTktC
+ ZlhIWWUzdmg1UmplbHJqelVzT2FBM0kKLS0tIE54a0dWVE8zYlNqVkZSem1LK3Bq
+ bGpidWtmUVJsWFZ4OEJPcERrbXZiWFEKwdjwcV8vV1qkiYVzc4YgC9PiyfkLIMyj
+ WRO+gzKEa2p9JiI5fZtLDp7qIORvHLtkoDS+bgWF3PM52MJDRG9fIw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWW1BWVdkYUdPaitqMGJE
+ emx0ZGJPako1SytObWJ6TTRCU0VBZ2d2K0JBCkxRMWZ6OHE2VUR5c0htdUFOTzNG
+ MDhNVWx1VEp6cGNqTTdQNVcxTVg5NkUKLS0tIDBCOFBiTjJ1WXhtK0xJeUU0Z2N2
+ bjdnSFNFcVZlUzJFOW92WU10UmNCQnMK95u50DI+BzfkWCo/eYpiBUMsdks5mrdz
+ AkpVjViYKRYY0QUQpY7o3hD0q7K/IMiEirfn6l80L3m4iHZ/iENupg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-09T09:52:43Z"
+ mac: 
ENC[AES256_GCM,data:my4OPZxaQG9E8boVsGzPmMU/d95qUFkuhktS9QxBgN6AC7WNU13GImYpuZRkgcLJzTXYUir+Zw/og5NiIZzW7m4h9AuYxIt3H7NM060oj7zHKcoayetiRGXkPBlVY+DEdo8MtROGhZRhLRt/N3er+IrZvef46aamm320oz6l6ow=,iv:Au7N696wIzbGS8J1jDIEeiR3xFcg9VmX4qqlagRV9bc=,tag:XVsmRSDDKL4YXg82mRY/rw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1