Set up additional WireGuard tunnel

Erwin Boskma 2024-12-09 09:45:11 +01:00
parent de5aaadc6e
commit ae502375b3
Signed by: erwin
SSH key fingerprint: SHA256:9LmFDe1C6jSrEyqxxvX8NtJBmcbB105XoqyUZF092bg
4 changed files with 129 additions and 8 deletions


@ -285,7 +285,7 @@
}; };
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wireguard-horus-privkey.path; PrivateKeyFile = config.sops.secrets.wireguard-horus0-privkey.path;
ListenPort = 51820; ListenPort = 51820;
}; };
@ -303,6 +303,29 @@
} }
]; ];
}; };
"11-horus1" = {
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1420";
Name = "horus1";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wireguard-horus1-privkey.path;
};
wireguardPeers = [
{
PublicKey = "UZGk9xoXhpHwM6jDWQvYDgJKk/OfcX9gw4iM9bPJJ00=";
AllowedIPs = [
"10.128.0.0/23"
];
Endpoint = "212.45.34.195:51822";
PersistentKeepalive = 25;
}
];
};
}; };
networks = { networks = {
@ -359,6 +382,21 @@
} }
]; ];
}; };
"41-horus1" = {
matchConfig = {
Name = "horus1";
};
linkConfig = {
ActivationPolicy = "manual";
};
networkConfig = {
DHCP = "no";
};
address = [ "10.128.0.2/23" ];
};
}; };
links = { links = {
@ -552,7 +590,10 @@
livebook-password = { livebook-password = {
owner = "erwin"; owner = "erwin";
}; };
wireguard-horus-privkey = { wireguard-horus0-privkey = {
owner = "systemd-network";
};
wireguard-horus1-privkey = {
owner = "systemd-network"; owner = "systemd-network";
}; };
k3s-token = { }; k3s-token = { };
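Review bot: `address = [ "10.128.0.2/23" ];` in `41-horus1` is the same tunnel address that the other host configuration in this commit assigns to its own `horus1`, while each host has its own `wireguard-horus1-privkey`. If both hosts can have the link up at once, the remote peer sees two keys claiming one address and can route it to only one of them; give each host a distinct address, or add a comment stating that only one is active at a time. `ActivationPolicy = "manual"` also deserves a short comment such as `# brought up by hand, e.g. networkctl up horus1`, since nothing here says why the tunnel stays down at boot. The peer is accepted for all of `10.128.0.0/23`, so it is worth confirming that the host firewall limits what that range can reach over `horus1`; no firewall rules are visible in these hunks.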


@ -3,7 +3,8 @@ gh_token: ENC[AES256_GCM,data:7DBVEdZLReJQsyUoO9fITtHhE0UFcHr7XWod5XiaQ5iiwcI01t
livebook-env: ENC[AES256_GCM,data:n0IReqMxu0pLJZtHdoTW+AvE8eKAyLsr41GbLR4OPSTrZrRKIOscZ5KIoLGtDrCQFw==,iv:MFC78r/1mfRf8puKWxXtaQeaqhFFVdYpu1vLMCe3JiI=,tag:Wd8EG95rx75EJpt5GaQw9g==,type:str] livebook-env: ENC[AES256_GCM,data:n0IReqMxu0pLJZtHdoTW+AvE8eKAyLsr41GbLR4OPSTrZrRKIOscZ5KIoLGtDrCQFw==,iv:MFC78r/1mfRf8puKWxXtaQeaqhFFVdYpu1vLMCe3JiI=,tag:Wd8EG95rx75EJpt5GaQw9g==,type:str]
livebook-password: ENC[AES256_GCM,data:FaMIr0GxLTvAzrYt7blGbJuGDbr+lDiIMnvY2c/r,iv:SKKKYYRYLGtRGgaHs7zAnH8n0HZiGaoAlLAptUPaa/c=,tag:vgBGhmXH/QpTbKjbrQEhKw==,type:str] livebook-password: ENC[AES256_GCM,data:FaMIr0GxLTvAzrYt7blGbJuGDbr+lDiIMnvY2c/r,iv:SKKKYYRYLGtRGgaHs7zAnH8n0HZiGaoAlLAptUPaa/c=,tag:vgBGhmXH/QpTbKjbrQEhKw==,type:str]
renovate_env: ENC[AES256_GCM,data:mzeS0FXsycD4hWMzRMgeEgTY+x2QtYtxmhcFCJcjwlD/q577kprHaU8otr1sOu9mwNud7K8kJGk=,iv:MMhr6CPsyvmP7+dKJUwt9cjnATm9JKZ/KbG4Dkj7hJ0=,tag:ubLmcW/CtT/uPiyswvr93w==,type:str] renovate_env: ENC[AES256_GCM,data:mzeS0FXsycD4hWMzRMgeEgTY+x2QtYtxmhcFCJcjwlD/q577kprHaU8otr1sOu9mwNud7K8kJGk=,iv:MMhr6CPsyvmP7+dKJUwt9cjnATm9JKZ/KbG4Dkj7hJ0=,tag:ubLmcW/CtT/uPiyswvr93w==,type:str]
wireguard-horus-privkey: ENC[AES256_GCM,data:JVhdbvNqfdPWFCg24F56Hmu1Tf/EA6BOqa1uPuu8C/FrJhNaGi4S+KYOook=,iv:z8cq4C5vu/QqJ3UZdL1zEH22Ht3rKSbdHgAQbRSk8Kk=,tag:AVBvV8wJqw5jgDRiES89eQ==,type:str] wireguard-horus0-privkey: ENC[AES256_GCM,data:Ro3g/O6qv8zuBOWFKmtTC7/5xxMd3O57Cj+h9n0yTn3zgE1qsWjynKEsinU=,iv:BhIgKUOmiWS8wKWBuZtoKRO+nclGBBGjCLsgeTiTLuk=,tag:DtZFgNAzx1Z2dB4cg3dXaw==,type:str]
wireguard-horus1-privkey: ENC[AES256_GCM,data:e5WtFORl8fXtqMXC5bcs3D1rnBg1dkoc/4I5VlYM5WPeAXKIL48NBOm1yVw=,iv:vFk4FWZQyPtvqWfR9m9t8A/wt1LlwRRZVduecd+reUs=,tag:Gs3yzxy4LCoFJgMqKidSxg==,type:str]
k3s-token: ENC[AES256_GCM,data:agr9ihvrufHJ+zsWUTT7tT6oXwhQfp1VjlzvL/YrjhfsQsWdA2wqQOBG8Fgi6gDlqz+3DwWr3wdy/jclEEwrnA==,iv:zgYrN9CSraugO+LMIpJ2jDvxjCnQ9a3GHj6ffO/K0uY=,tag:6en6lNNvNMyOVf1Rfow6ew==,type:str] k3s-token: ENC[AES256_GCM,data:agr9ihvrufHJ+zsWUTT7tT6oXwhQfp1VjlzvL/YrjhfsQsWdA2wqQOBG8Fgi6gDlqz+3DwWr3wdy/jclEEwrnA==,iv:zgYrN9CSraugO+LMIpJ2jDvxjCnQ9a3GHj6ffO/K0uY=,tag:6en6lNNvNMyOVf1Rfow6ew==,type:str]
barman-passwords: ENC[AES256_GCM,data:M7HCuXsq8kSqoEfbn94/Hdl1tvb93i5oDYOr+QeuDVD33aF/xxuOwDVZM7wz7OcuozV7f6URtMGDy26KaHqekWhn2hFoRi5WHOxjE7M6oYLP6V4F+IGQBeMOHjjzqjQ9ti/BfhGpi3oHf0RK4RxLCmoNzAfWuP6zZnCyKgwyxBVu6lCHG2I08CJ8w2novts8,iv:EMLqvGIb1WK71Aw+LWr7JrQydA89CTTOavsFUZ6M3G8=,tag:PXu0JVzHjbH9wQfijf9V7A==,type:str] barman-passwords: ENC[AES256_GCM,data:M7HCuXsq8kSqoEfbn94/Hdl1tvb93i5oDYOr+QeuDVD33aF/xxuOwDVZM7wz7OcuozV7f6URtMGDy26KaHqekWhn2hFoRi5WHOxjE7M6oYLP6V4F+IGQBeMOHjjzqjQ9ti/BfhGpi3oHf0RK4RxLCmoNzAfWuP6zZnCyKgwyxBVu6lCHG2I08CJ8w2novts8,iv:EMLqvGIb1WK71Aw+LWr7JrQydA89CTTOavsFUZ6M3G8=,tag:PXu0JVzHjbH9wQfijf9V7A==,type:str]
factorio-token: ENC[AES256_GCM,data:m18pL2ck9ak7Sr/OQtxuG0rl4oXoFGCFG82Cplt0,iv:fXAkF+k1B4vzTxanPO39r7FvFPRFmpOy3My/zaOfLQE=,tag:JXotTaf4Aba9R11bSwiVbA==,type:str] factorio-token: ENC[AES256_GCM,data:m18pL2ck9ak7Sr/OQtxuG0rl4oXoFGCFG82Cplt0,iv:fXAkF+k1B4vzTxanPO39r7FvFPRFmpOy3My/zaOfLQE=,tag:JXotTaf4Aba9R11bSwiVbA==,type:str]
@ -40,8 +41,8 @@ sops:
c0dlMkVlRG9LYU00M2M3UGJpUkxDOWsKiwc5oM63ezv1TVng0zQOqILOxuRMU+j7 c0dlMkVlRG9LYU00M2M3UGJpUkxDOWsKiwc5oM63ezv1TVng0zQOqILOxuRMU+j7
hHl6AWg0iorXJ1IWmGxLINDAK/RQVEFLK6gRjfN7qB+6wdmrKl8seQ== hHl6AWg0iorXJ1IWmGxLINDAK/RQVEFLK6gRjfN7qB+6wdmrKl8seQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-17T10:13:01Z" lastmodified: "2024-12-09T09:52:58Z"
mac: ENC[AES256_GCM,data:z/e3bOudpTvxgR0l1qMzVq1O7vsxXr7jA4YETzDI6T25bj+A2rIk4YE9PDi3rp0ADsNFy0yclknvzrkPuFlYQ+ylFzD2NJ97hbRzD3jl+NdyPdmUFU4ohkFA/EXWZ1sVWoPOogdk0Od3PUPzKpQwL3gTJB6jxSDDcy+lmRRXgDQ=,iv:BSscMpW1tVkonTIqJKkeUeG1s2ZPx4QUL97Rr+rf+7E=,tag:5RdHeD8SDzfkouM23qnH3Q==,type:str] mac: ENC[AES256_GCM,data:566st1YkfscxnkFtaSfnvfWqfdXLYILxJJLf+LeH5j5gOU5cc1bgrhtBLAzshzthhcvIP5Y+L78Nxz9Ppv9ZJrIZpnhebQ+8xG6XyF9yzv8DdbgKQxTyCcvpMrm8qqCxFv5NnfMpa2a6dUq6vS7KCM8fUmFl83eEa5ZwtT+9QAw=,iv:Xxld0/ziE4N13BjuOkFmUB7nmTtr+xo2AZPDvJRrNRU=,tag:qzvmAszZamGlywrZ2CRSLQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.1


@ -278,6 +278,31 @@
}; };
}; };
netdevs = {
"11-horus1" = {
netdevConfig = {
Kind = "wireguard";
MTUBytes = "1420";
Name = "horus1";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wireguard-horus1-privkey.path;
};
wireguardPeers = [
{
PublicKey = "UZGk9xoXhpHwM6jDWQvYDgJKk/OfcX9gw4iM9bPJJ00=";
AllowedIPs = [
"10.128.0.0/23"
];
EndPoint = "212.45.34.195:51822";
PersistentKeepalive = 25;
}
];
};
};
networks = { networks = {
"40-enp4s0" = { "40-enp4s0" = {
enable = true; enable = true;
@ -310,6 +335,21 @@
{ Address = "192.168.42.10/24"; } { Address = "192.168.42.10/24"; }
]; ];
}; };
"41-horus1" = {
matchConfig = {
Name = "horus1";
};
linkConfig = {
ActivationPolicy = "manual";
};
networkConfig = {
DHCP = "no";
};
address = [ "10.128.0.2/23" ];
};
}; };
}; };
@ -471,9 +511,9 @@
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
secrets = { secrets = {
# outline-keycloak-secret = { wireguard-horus1-privkey = {
# owner = "outline"; owner = "systemd-network";
# }; };
}; };
}; };
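Review bot: `EndPoint = "212.45.34.195:51822";` in the `11-horus1` peer is spelled differently from the `Endpoint` key used for the same peer in the other host's file, and the systemd-networkd `[WireGuardPeer]` option is `Endpoint`. Depending on the NixOS module version, this is probably either rejected at evaluation or written out as an unknown key, which would leave the peer without an endpoint and the tunnel unable to initiate a handshake. Change the line to `Endpoint = "212.45.34.195:51822";`. The `netdevs` attribute set opens inside this hunk, but the enclosing network configuration starts outside it.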


@ -0,0 +1,39 @@
wireguard-horus1-privkey: ENC[AES256_GCM,data:swCZ55Y2OtW0r/A4u02okf4VONc24laR20bSgdK8Buw36uRfCiN/ydykaDw=,iv:TLMbiLRLdT3af6bsc9y0G+s5O1GsOoerug1IPUFhar0=,tag:HBug4T1Mi5XX282wkDYoFQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCekRnYWNKZis5OFF6bUdY
a3VnWXhCT3VqN0FoNVo0MXhmNGd4Q1RoeGxzCitSNld0bm55Z00rS1ExbXBSd3M5
U09vSnQwWmp0WmI1ckhyMGNyTzBLeUEKLS0tIE4yUUgxenlXK1lBY2ZhM0ltem9T
cHg5Vzd6c0ord1lYR2JGSy80MjgreEkKsaLGbqzB0q1nVKoPgP1c8rkl9euGR7rW
ArEguEZ390hyfyWQLvKMtrhI1zVg7ATmoN8aNaNqaRhWH4ak30oL5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTE9FNWphZURORGhybXRC
MHhSVmlxeFB0S29ncjRDSnZ0cHNyRWEvS1dBClQrcWQyUWRZSnMwNnRNbzhNTktC
ZlhIWWUzdmg1UmplbHJqelVzT2FBM0kKLS0tIE54a0dWVE8zYlNqVkZSem1LK3Bq
bGpidWtmUVJsWFZ4OEJPcERrbXZiWFEKwdjwcV8vV1qkiYVzc4YgC9PiyfkLIMyj
WRO+gzKEa2p9JiI5fZtLDp7qIORvHLtkoDS+bgWF3PM52MJDRG9fIw==
-----END AGE ENCRYPTED FILE-----
- recipient: age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWW1BWVdkYUdPaitqMGJE
emx0ZGJPako1SytObWJ6TTRCU0VBZ2d2K0JBCkxRMWZ6OHE2VUR5c0htdUFOTzNG
MDhNVWx1VEp6cGNqTTdQNVcxTVg5NkUKLS0tIDBCOFBiTjJ1WXhtK0xJeUU0Z2N2
bjdnSFNFcVZlUzJFOW92WU10UmNCQnMK95u50DI+BzfkWCo/eYpiBUMsdks5mrdz
AkpVjViYKRYY0QUQpY7o3hD0q7K/IMiEirfn6l80L3m4iHZ/iENupg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T09:52:43Z"
mac: ENC[AES256_GCM,data:my4OPZxaQG9E8boVsGzPmMU/d95qUFkuhktS9QxBgN6AC7WNU13GImYpuZRkgcLJzTXYUir+Zw/og5NiIZzW7m4h9AuYxIt3H7NM060oj7zHKcoayetiRGXkPBlVY+DEdo8MtROGhZRhLRt/N3er+IrZvef46aamm320oz6l6ow=,iv:Au7N696wIzbGS8J1jDIEeiR3xFcg9VmX4qqlagRV9bc=,tag:XVsmRSDDKL4YXg82mRY/rw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1