From b893da35be369e9c28d6c304931d753957a1e56e Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Tue, 5 Nov 2024 19:23:53 +0000
Subject: [PATCH] kalessin, kilgharrah: add to wireguard network
---
 flake.lock | 8 ++++----
 hosts/kalessin/networking.nix | 12 ++++++++++++
 hosts/kilgharrah/networking.nix | 12 +++++++++++-
 secrets.nix | 18 +++++++++---------
 secrets/wireguard-peer-kalessin.age | 9 +++++++++
 secrets/wireguard-peer-kalessin.pub | 1 +
 secrets/wireguard-peer-kilgharrah.age | 9 +++++++++
 secrets/wireguard-peer-kilgharrah.pub | 1 +
 8 files changed, 56 insertions(+), 14 deletions(-)
 create mode 100644 secrets/wireguard-peer-kalessin.age
 create mode 100644 secrets/wireguard-peer-kalessin.pub
 create mode 100644 secrets/wireguard-peer-kilgharrah.age
 create mode 100644 secrets/wireguard-peer-kilgharrah.pub
diff --git a/flake.lock b/flake.lock
index 84dc2db..14ec9e1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -46,11 +46,11 @@
 },
 "birdsong": {
 "locked": {
- "lastModified": 1730826917,
- "narHash": "sha256-KzpWqP+Cg0H2V036LgIHfuxnpVq2wZ+eGFjuXegRhLY=",
+ "lastModified": 1730833940,
+ "narHash": "sha256-rr2f5GAXLUY1XH2+Ow5Iju1mCmscAxY+tefnrzseDHA=",
 "ref": "main",
- "rev": "8ca844c0d0ce3b8088c0a380ecdbf555015b0cd6",
- "revCount": 9,
+ "rev": "b4e7b0ca3e466f3d211590ecc422bb74f61875e6",
+ "revCount": 10,
 "type": "git",
 "url": "https://git.qenya.tel/qenya/birdsong"
 },
diff --git a/hosts/kalessin/networking.nix b/hosts/kalessin/networking.nix
index 3c27781..b5ce574 100644
--- a/hosts/kalessin/networking.nix
+++ b/hosts/kalessin/networking.nix
@@ -3,4 +3,16 @@
 {
 networking.useNetworkd = true;
 networking.interfaces.enp0s6.useDHCP = true;
+
+ age.secrets.wireguard-peer-kalessin = {
+ file = ../../secrets/wireguard-peer-kalessin.age;
+ owner = "root";
+ group = "systemd-network";
+ mode = "640";
+ };
+
+ birdsong.peering = {
+ enable = true;
+ privateKeyFile = config.age.secrets.wireguard-peer-kalessin.path;
+ };
 }
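Review bot: The WireGuard private key in `age.secrets.wireguard-peer-kalessin` is made group-readable (`group = "systemd-network"`, `mode = "640"`) with no comment saying why, and the same block is repeated in the hosts/kilgharrah/networking.nix hunk with only the host name changed. Presumably systemd-networkd, which runs as the `systemd-network` user, is what reads the key; a comment such as `# root:systemd-network 0640 so networkd can read the WireGuard key; no other account may` would stop a later edit from widening the mode. Because the secret name follows the host name in both files, the block looks like a candidate for a shared module or an option of `birdsong.peering`, so that the ownership and mode are set in one place. The module header lies outside the hunk, so confirm that its argument set binds `config`, which `privateKeyFile` now uses.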
diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix
index a0510a7..f0d381f 100644
--- a/hosts/kilgharrah/networking.nix
+++ b/hosts/kilgharrah/networking.nix
@@ -13,5 +13,15 @@
 linkConfig.RequiredForOnline = "routable";
 };
- systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
+ age.secrets.wireguard-peer-kilgharrah = {
+ file = ../../secrets/wireguard-peer-kilgharrah.age;
+ owner = "root";
+ group = "systemd-network";
+ mode = "640";
+ };
+
+ birdsong.peering = {
+ enable = true;
+ privateKeyFile = config.age.secrets.wireguard-peer-kilgharrah.path;
+ };
 }
diff --git a/secrets.nix b/secrets.nix
index 1db2c04..82036db 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,22 +1,22 @@
 let
 keys = import ./keys.nix;
- commonKeys = keys.users.qenya;
-
 secrets = with keys; {
- ftp-userDb-qenya = [ machines.kilgharrah ];
- user-password-kilgharrah-qenya = [ machines.kilgharrah ];
- user-password-tohru-qenya = [ machines.tohru ];
- wireguard-peer-orm = [ machines.orm ];
- wireguard-peer-tohru = [ machines.tohru ];
- wireguard-peer-yevaud = [ machines.yevaud ];
+ ftp-userDb-qenya = [ machines.kilgharrah ] ++ keys.users.qenya;
+ user-password-kilgharrah-qenya = [ machines.kilgharrah ] ++ keys.users.qenya;
+ user-password-tohru-qenya = [ machines.tohru ] ++ keys.users.qenya;
+ wireguard-peer-orm = [ machines.orm ] ++ keys.users.qenya;
+ wireguard-peer-tohru = [ machines.tohru ] ++ keys.users.qenya;
+ wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya;
+ wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya;
+ wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya;
 };
 in
 builtins.listToAttrs (
 map
 (secretName: {
 name = "secrets/${secretName}.age";
- value.publicKeys = secrets."${secretName}" ++ commonKeys;
+ value.publicKeys = secrets."${secretName}";
 })
 (builtins.attrNames secrets)
 )
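Review bot: With `commonKeys` gone from the final `map`, nothing adds the user keys automatically any more; each entry in `secrets` has to carry `++ keys.users.qenya` itself, and an entry written without it would be encrypted to the host key alone and could not be edited or rekeyed with the user identity. If per-secret recipient lists are the aim, a helper in the `let`, for example `forHost = m: [ m ] ++ keys.users.qenya;` used as `wireguard-peer-kalessin = forHost machines.kalessin;`, keeps the default in one place and makes any exception stand out in review. Inside `with keys;` the `keys.` prefix is also redundant, since `users.qenya` resolves the same way `machines.kalessin` does. A comment above `secrets` stating the recipient policy (the host key plus the user keys) would document who can decrypt each file.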
diff --git a/secrets/wireguard-peer-kalessin.age b/secrets/wireguard-peer-kalessin.age new file mode 100644 index 0000000..0aa5850 --- /dev/null +++ b/secrets/wireguard-peer-kalessin.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 QjA8rQ 4HpAnWjvN7TUVp09LXeFsbO7Tgm8nSJoVgvOPGrykRA +QV3ye1ZhE+KQxll64Wrrx0MJ5F6KNDJHW6Ux+a9p/g0 +-> ssh-ed25519 seJ9Iw g3lmpwfxc0578ivMnWhCkfjPXzUQJiiAKNkHKYwb/Wg +pce/B/UKdTyeucDTZaDkE7uMt68et597ERCVC1IWp1Q +-> ssh-ed25519 900ILw t8DWkRgXsF1GGzx0qYK7IBuT3j/AB/E0zJ5cadoL8wY +dCEsWHC5W3bSK2FaCtNHHm5gzZYUH0AIdyZUVqelE1g +--- LW82V25epOMftLlIvwqUx0K+coP1gG+Xiz6GXBoyD5E +cwGVc}~$9ԋ>iӔ&(xa߿.%=3o^ \ No newline at end of file diff --git a/secrets/wireguard-peer-kalessin.pub b/secrets/wireguard-peer-kalessin.pub new file mode 100644 index 0000000..0c05923 --- /dev/null +++ b/secrets/wireguard-peer-kalessin.pub @@ -0,0 +1 @@ +9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ= diff --git a/secrets/wireguard-peer-kilgharrah.age b/secrets/wireguard-peer-kilgharrah.age new file mode 100644 index 0000000..d9ca07d --- /dev/null +++ b/secrets/wireguard-peer-kilgharrah.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 5PK5ag vCFLl0+KdLDdogU+r2wfwz0UiYBc8TOx5xeC3JpUgQQ +uJD6T0W12rrb2PS8MQ5zeMlTvm2PrWBB8xnr/7BYvb8 +-> ssh-ed25519 seJ9Iw riSe05mcxnPhW97u811QPXym7PxQbNfQj5fWCv4OHD8 +YQ22OWarqaWUmUUcNnt0NOHiTrgJQWPqibmaxrASO3s +-> ssh-ed25519 900ILw 5og8To6PuPPRxobF7DqwG6T14YGf74HssytPS5UjE3Q +foy8rSONvK9OttE6ilTiLkPUuncWhpzYk7tRdpiE3cU +--- ORkr3Q/weTzN4PdKVOFlfdnhfeYN+untw719iE65oK4 +O }?