wireguard/support: Init
This commit is contained in:
parent
7199515e8c
commit
fec939d816
|
@ -1,4 +1,5 @@
|
|||
wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
|
||||
wg-support-private-key: ENC[AES256_GCM,data:KXbEctH6vxUWk3yhkBNKS/YbfjOOkhgR0BN+TqmDOb5wPK6SHQlH1DBsk9c=,iv:ZjFevB6IW2EwPITSpG+UtZL12POQ4l/rStnz4/20+Mc=,tag:ZxY7TdqkLB6Z+pQzjSo1zw==,type:str]
|
||||
media-sb-proxy-auth: ENC[AES256_GCM,data:hYKmrpIMotRaf47bt8LSyXT2FEUHu26SLtKCt2zh/ziFtH2empD2NTlpf+l5Q6VHW1r1RUyE0KdmNM4nZRumJ/NuP3Aa9ErGTI3qozjQk9Kl,iv:pLYZv8X76XQGBd36PjQPkiUNPR08PkIKuTqJ+mmaMcw=,tag:3PMAO3lOfT+y+1s8yJLvhA==,type:str]
|
||||
restic-rclone-ssh-key: ENC[AES256_GCM,data:IOVEsH7DcrX4Lcb5Vv8Qxshyoc5jOudRbLnc+iZ2aL05wGo2aUbtDusPrZ9QeIhw/09UAdJUXW6HudtVWPnmL9UJVr1Sm+JYMUS50QCE4DcX0kVV9u5DXiESwfJ+WHAQimShQEvjJ6SCgNBoZNTHcsr95H9G6Tn0XyAM3VYcm69+rzzBN3E0ohb06SOV6JOvtgLLN1BVB+dt6p1UlBuWt5XNc6YPd2T4Erf4FkiPHVneg66hcFFFMX453Qzv/z14aKM0NlEMhMKqLTGt0fsIlwoX4Wdq1KDWGtsf6oVZygCbGiOi57Sy5PjUDys8FmCdkV5PjnRQc4c0E1ynHk79stwbQzqJr/RVe2Tmo3KFgoOOrWYENXztQ+rewYnhsJKF2eVVMtBKf9CAbcrw7UTuVnyxzb9K/NpebAugo00w+4M95lv2Y/MxKf85xdCqGAtfgCJ9eOH3ZW2MUx4m9e5TrBzcS/ewyeXvzd69SBknyvdQ7GXqht5Nf6Ed2a1zj3LUYiLy3H/0/GLZVmoAlJ86,iv:rwqEopfSJJ66yPKgrbVD8Id/CWCfIQi6FLByJZJbJUI=,tag:71J3OFgGNeJUyIZCNrFbqw==,type:str]
|
||||
restic-htpasswd: ENC[AES256_GCM,data:hqZxZ1KXDUqaJ4rsz58l6Jqmhmatm65aZx7aEBlDyBUm3NQFNjyjZlK570lfOdOfJhj0ZZPFRiCENBHTpMt8sdjvsQ4M+g==,iv:Sw/7MBrOy0nIHjF+v8qP7cF1vwfwWiCicl4yl0tOBJc=,tag:3RFktMbo/oETuqVzvjzGwA==,type:str]
|
||||
|
@ -8,8 +9,8 @@ sops:
|
|||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2022-08-25T14:16:49Z"
|
||||
mac: ENC[AES256_GCM,data:e/9RK7hHX0Jft/27J5ImLxeYS9w7gdLM06/yoHOsgIdeKAzTqCUxVxyAK2JCmTA65iHybY0k8UkrjO73eC4fLUNjNOUIfWJPnEbgs4Ms0BSzRKHoEQ+OZesnaTpzg3BC8z+Y7Uq3PJ/btEFyap1sY4DR84q0oRU4og4/C+1lL7c=,iv:T8EM0HzzxIqdrl8rgfnc0edkr7QpZJWevZxHzo7HwVc=,tag:eS3bX6D0VL7HVFcXFLdk6Q==,type:str]
|
||||
lastmodified: "2023-02-24T16:28:57Z"
|
||||
mac: ENC[AES256_GCM,data:k2stXcDNr52vNXdC8x83E7awjrcKXXQiqY3AgJEgtM57U103Kv9c9Ppk8kX6bOGJ8/Wi3qacT2pZAvEUkD7waTz4RNJPbFgqAmp4tv3/tGj6alYyBw14KZYF0u/UHGbRgUYZc+rluk7BbijwDPuOXH3wQhgE5liOmWfJxyOj8vI=,iv:HrkQTXc3rH0xhgrHH6hboJCoKplk6AaoW5gdAMIphCU=,tag:T8kM9caHH0GkuxlWb8cSFA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-04-06T11:13:54Z"
|
||||
enc: |
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
imports = [
|
||||
./home.nix
|
||||
./support.nix
|
||||
];
|
||||
|
||||
networking.wireguard.enable = true;
|
||||
|
|
|
@ -86,7 +86,7 @@ in
|
|||
};
|
||||
|
||||
boot.kernel.sysctl = lib.optionalAttrs enableServer {
|
||||
"net.ipv4.ip_forward" = 1;
|
||||
"net.ipv4.ip_forward" = lib.mkOverride 999 1;
|
||||
};
|
||||
|
||||
services.bind = lib.mkIf enableServer {
|
||||
|
|
81
modules/wireguard/support.nix
Normal file
81
modules/wireguard/support.nix
Normal file
|
@ -0,0 +1,81 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
let
|
||||
serverHostName = "vueko";
|
||||
port = 51821;
|
||||
peers = {
|
||||
# Key of the server.
|
||||
vueko = {
|
||||
address = "10.80.16.1";
|
||||
publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
|
||||
};
|
||||
# Key for all of my hosts. One is enough, because it is only activated on demand.
|
||||
simon = {
|
||||
address = "10.80.16.2";
|
||||
publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
|
||||
};
|
||||
# Keys for all hosts that are supported.
|
||||
jane = {
|
||||
address = "10.80.16.3";
|
||||
publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.networking.hostName == serverHostName) {
|
||||
sops.secrets.wg-support-private-key = {
|
||||
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
|
||||
};
|
||||
|
||||
networking.wireguard.interfaces.wg-support = {
|
||||
privateKeyFile = config.sops.secrets.wg-support-private-key.path;
|
||||
ips = [ "${peers.${serverHostName}.address}/24" ];
|
||||
listenPort = port;
|
||||
peers = map
|
||||
(peerConfig: with peerConfig; {
|
||||
allowedIPs = [ "${address}/32" ];
|
||||
inherit publicKey;
|
||||
})
|
||||
(lib.attrValues
|
||||
(lib.filterAttrs
|
||||
(n: v: n != serverHostName)
|
||||
peers));
|
||||
};
|
||||
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
port
|
||||
53
|
||||
];
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv4.ip_forward" = lib.mkOverride 998 1;
|
||||
};
|
||||
|
||||
services.bind = {
|
||||
enable = true;
|
||||
zones = lib.singleton {
|
||||
name = "support.vpn.sbruder.de";
|
||||
master = true;
|
||||
file =
|
||||
let
|
||||
# !!! very hacky
|
||||
hexStringToInt = hex: (builtins.fromTOML "int = 0x${hex}").int;
|
||||
|
||||
peerRecords = lib.concatStrings
|
||||
(lib.mapAttrsToList
|
||||
(peer: peerConfig: ''
|
||||
${peer} IN A ${peerConfig.address}
|
||||
'')
|
||||
peers);
|
||||
|
||||
peerRecordsHash = builtins.hashString "sha256" peerRecords;
|
||||
serial = hexStringToInt (lib.substring 0 8 peerRecordsHash);
|
||||
in
|
||||
pkgs.writeText "support.vpn.sbruder.de.zone" (''
|
||||
$TTL 3600
|
||||
@ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. ${toString serial} 28800 3600 604800 3600
|
||||
@ IN NS ${serverHostName}.sbruder.de.
|
||||
'' + peerRecords);
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue