From c60728e7aa9afb6309efb4f5e3150e9e1b11ed5b Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Fri, 19 Jul 2024 19:26:36 +0100
Subject: [PATCH] wireguard: initial setup
---
hosts/orm/configuration.nix | 1 +
hosts/orm/wireguard.nix | 33 ++++++++++++++++++++++++++++++++
hosts/tohru/configuration.nix | 1 +
hosts/tohru/wireguard.nix | 23 ++++++++++++++++++++++
secrets.nix | 19 ++++++++++++++++++
secrets/secrets.nix | 4 ----
secrets/wireguard-hub.age | 10 ++++++++++
secrets/wireguard-hub.pub | 1 +
secrets/wireguard-peer-tohru.age | 10 ++++++++++
secrets/wireguard-peer-tohru.pub | 1 +
10 files changed, 99 insertions(+), 4 deletions(-)
create mode 100644 hosts/orm/wireguard.nix
create mode 100644 hosts/tohru/wireguard.nix
create mode 100644 secrets.nix
delete mode 100644 secrets/secrets.nix
create mode 100644 secrets/wireguard-hub.age
create mode 100644 secrets/wireguard-hub.pub
create mode 100644 secrets/wireguard-peer-tohru.age
create mode 100644 secrets/wireguard-peer-tohru.pub
diff --git a/hosts/orm/configuration.nix b/hosts/orm/configuration.nix
index 857e662..a1063ad 100644
--- a/hosts/orm/configuration.nix
+++ b/hosts/orm/configuration.nix
@@ -4,6 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ./home.nix
+ ./wireguard.nix
 ];
 
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/orm/wireguard.nix b/hosts/orm/wireguard.nix
new file mode 100644
index 0000000..be20446
--- /dev/null
+++ b/hosts/orm/wireguard.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+{
+ age.secrets.wireguard-hub.file = ../../secrets/wireguard-hub.age;
+
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "ens3";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.127.1.1/24" "fd70:81ca:0f8f:1::1/64" ];
+ listenPort = 51820;
+ privateKeyFile = config.age.secrets.wireguard-hub.path;
+ peers = [
+ {
+ name = "shaw";
+ publicKey = "eD79pROC2zjhKz4tGRS43O95gcFRqO+SFb2XDnTr0zc=";
+ allowedIPs = [ "10.127.1.2" "fd70:81ca:0f8f:1::2" ];
+ }
+ {
+ name = "tohru";
+ publicKey = "lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=";
+ allowedIPs = [ "10.127.1.3" "fd70:81ca:0f8f:1::3" ];
+ }
+ ];
+ };
+ };
+}
diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix
index 81891b7..e969ad7 100644
--- a/hosts/tohru/configuration.nix
+++ b/hosts/tohru/configuration.nix
@@ -9,6 +9,7 @@
 ../../services/fonts.nix
 ../../services/steam.nix
 ./syncthing.nix
+ ./wireguard.nix
 ];
 
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/tohru/wireguard.nix b/hosts/tohru/wireguard.nix
new file mode 100644
index 0000000..dc52429
--- /dev/null
+++ b/hosts/tohru/wireguard.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, ... }:
+
+{
+ age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age;
+
+ networking = {
+ firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.127.1.3/24" "fd70:81ca:0f8f:1::3/64" ];
+ listenPort = 51821;
+ privateKeyFile = config.age.secrets.wireguard-peer-tohru.path;
+ peers = [
+ {
+ publicKey = "birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA=";
+ allowedIPs = [ "10.127.1.0/24" "fd70:81ca:0f8f:1::/64" ];
+ endpoint = "birdsong.network:51820";
+ persistentKeepalive = 23;
+ }
+ ];
+ };
+ };
+}
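Review bot: The peer public keys under `peers` are pasted as string literals even though the same values are committed next to the secrets (`secrets/wireguard-peer-tohru.pub` holds `lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=`), so the two copies can drift silently and a key rotation has to be repeated by hand in every host file; reading the committed file keeps one source of truth, e.g. `publicKey = lib.fileContents ../../secrets/wireguard-peer-tohru.pub;` (`lib.fileContents` strips the trailing newline that a plain `builtins.readFile` would keep inside the key string). The same applies to the hub key hard-coded in hosts/tohru/wireguard.nix, which duplicates `secrets/wireguard-hub.pub`. No `.pub` file is committed for the `shaw` peer, so that entry would stay a literal unless one is added. `pkgs` is bound in the module arguments but unused in this file.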
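Review bot: `firewall.allowedUDPPorts` opens UDP 51821 inbound on tohru, yet this peer only dials out (it sets `endpoint` and `persistentKeepalive = 23`, and the hub's entry for it has no endpoint), so with the NixOS firewall's stateful accept of established traffic the reply packets already pass and the inbound hole is presumably unnecessary. Unless another peer is meant to initiate a handshake to tohru, dropping the `firewall.allowedUDPPorts` line (and optionally `listenPort`, letting WireGuard pick an ephemeral port) removes a listening port on what, judging by the steam and syncthing imports in its configuration.nix, looks like a workstation. WireGuard does not answer unauthenticated datagrams, so the exposure is small, but the line still deserves either removal or a comment stating why it is wanted. A short comment on `persistentKeepalive = 23;` saying it keeps the NAT mapping alive for a peer the hub cannot reach on its own would also help the next reader.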
diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..a5423aa --- /dev/null +++ b/secrets.nix @@ -0,0 +1,19 @@ +let + keys = import ./keys.nix; + + commonKeys = keys.users.qenya; + + secrets = with keys; { + wireguard-hub = [ machines.orm ]; + wireguard-peer-orm = [ machines.orm ]; + wireguard-peer-tohru = [ machines.tohru ]; + }; +in +builtins.listToAttrs ( + map + (secretName: { + name = "secrets/${secretName}.age"; + value.publicKeys = secrets."${secretName}" ++ commonKeys; + }) + (builtins.attrNames secrets) +) diff --git a/secrets/secrets.nix b/secrets/secrets.nix deleted file mode 100644 index c41523b..0000000 --- a/secrets/secrets.nix +++ /dev/null @@ -1,4 +0,0 @@ -let - keys = ../ssh-keys.nix; -in -{ } diff --git a/secrets/wireguard-hub.age b/secrets/wireguard-hub.age new file mode 100644 index 0000000..6cd9c12 --- /dev/null +++ b/secrets/wireguard-hub.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 l/RSAw +h2Jz8m9ZEklGxWK8HcixO3+D4AVATPI3m3wE1ITviM +US+J+FDPJ/nmLT1ylRGfXyfjiJRgLpdgCg1L3IPrmrc +-> ssh-ed25519 900ILw bX/KdX53EFQCmWI0MU/wKfzqKmAw+/fMs4/955iYOlw +7epwHu5g+p6BHe/ksaA9MAvpneZBwHeqnMtSc1m3FFY +-> !V-grease &x6T2i d0B}! +tkT/G8gEKyx280vDO1QgG5ERBCkR9XCgk8IIE1AeBONi9eo+Z0sGfNHv2DXFx14B +TcKX31wDmUbtv8j+4d7722YeZ4jvKiSuQA38zLREOGJyhA +--- TR/GFMXQ4N6AMuScg8LSednd6jAJugxgCJLegPtFmgI +4>?(Y|R5V  ×4'[K_ѝ,ϧ Tk5TC~c*D[N䃼< \ No newline at end of file diff --git a/secrets/wireguard-hub.pub b/secrets/wireguard-hub.pub new file mode 100644 index 0000000..c6f541c --- /dev/null +++ b/secrets/wireguard-hub.pub @@ -0,0 +1 @@ +birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA= diff --git a/secrets/wireguard-peer-tohru.age b/secrets/wireguard-peer-tohru.age new file mode 100644 index 0000000..f99168e --- /dev/null +++ b/secrets/wireguard-peer-tohru.age 
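Review bot: `secrets` lists `wireguard-peer-orm = [ machines.orm ];`, but no `secrets/wireguard-peer-orm.age` is added in this patch and hosts/orm/wireguard.nix consumes `wireguard-hub` instead, so the rule emits a `secrets/wireguard-peer-orm.age` entry that points at nothing; either drop that line or add the file (or a one-line comment saying the name is reserved for a future role). `keys = import ./keys.nix;` replaces the old `../ssh-keys.nix` reference and neither file is in the patch, so presumably `keys.nix` with `users.qenya` and `machines.orm`/`machines.tohru` already exists at the repository root — worth confirming before merging. Because `commonKeys` is appended to every rule, the `users.qenya` key can decrypt every host's WireGuard private key; that is a reasonable admin-key design, but a comment stating it is intended would save the next reader a question. Moving the rules file from `secrets/secrets.nix` to the top-level `secrets.nix` is consistent with the `name = "secrets/${secretName}.age"` paths being relative to the repository root.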
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 yZzWlg HKjvqxwrKVDSKuKcog2RTryVc+0vWII6DdFuouffNWs +fPlYoR4wSrGPlX3t11J1YSP3yToM2RjJVfLKM4oATxA +-> ssh-ed25519 900ILw f76/jY251hkNMd3fBVZPuoWleh4ZdSdu95p7WDlmZi4 +iSULkGxw9aokMgv59fhW3LzJR/Dpx+LVCc6jbbPwCgU +-> vdo-grease +8NUae81gLW0x8UoCVKqQUZaqkG8FTXwnysjEgXaEGBgDxjpuTp+C5qWczNYAXOFN +ha3mtF6IYHFHBZKsH0t1366nfYDAQXHOuu0hN4GBBz8gqnUt +--- uB1k+yMkL5ZUHXGSDv8ZPHDn0UfHOv1x3tRa2eIdbP8 +EY3Due/e4G[lQ=CovͿz/nbLa_h{A{ \ No newline at end of file diff --git a/secrets/wireguard-peer-tohru.pub b/secrets/wireguard-peer-tohru.pub new file mode 100644 index 0000000..6930ed6 --- /dev/null +++ b/secrets/wireguard-peer-tohru.pub @@ -0,0 +1 @@ +lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18=