all: refactor wireguard config
This commit is contained in:
parent
05457d3712
commit
35011d7f89
13 changed files with 453 additions and 219 deletions
@ -1,12 +1,79 @@
|
|||
{ lib, ... }: {
|
||||
imports = [
|
||||
../shared/network.nix
|
||||
../shared/networkd.nix
|
||||
];
|
||||
networking = {
|
||||
nameservers = lib.mkForce [
|
||||
"1.1.1.1"
|
||||
"1.0.0.1"
|
||||
];
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/bifrost/pk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
};
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useDHCP = lib.mkDefault false;
|
||||
useNetworkd = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 51821 ];
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51821;
|
||||
privateKeyFile = config.sops.secrets."wireguard/bifrost/pk".path;
|
||||
address = [
|
||||
"10.10.10.1/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(rico0 // { endpoint = null; })
|
||||
(rico1 // { endpoint = null; })
|
||||
(rico2 // { endpoint = null; })
|
||||
(wynne // { endpoint = null; })
|
||||
(layne // { endpoint = null; })
|
||||
skipper
|
||||
kowalski
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
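Review bot: Bifrost's resolvers change from the old `nameservers = lib.mkForce [ "1.1.1.1" "1.0.0.1" ]` to `10.10.10.11`/`10.10.10.12` with `services.resolved.fallbackDns = [ ]`, so the hub has no name resolution at all unless its tunnels to rico1 and rico2 are up, and with those peers set to `endpoint = null` on this side bifrost cannot re-establish them itself after a reboot or a home-side outage. That looks like a new single point of failure for the one host that is not on the home LAN, and nothing in the hunk says it is intended. If bifrost must use the homelab resolvers, keep a public fallback so it can still resolve while the tunnel is down, e.g. `fallbackDns = [ "1.1.1.1" "1.0.0.1" ];`, or add a comment explaining why an empty fallback list is wanted here.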
@ -1,35 +1,77 @@
|
|||
{ config, ... }: {
|
||||
imports = [
|
||||
../shared/network.nix
|
||||
../shared/networkd.nix
|
||||
../shared/wireguard.nix
|
||||
];
|
||||
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/layne/pk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
"wireguard/layne/psk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
"proton/layne" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nodeconfig.wireguard = {
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
listen-port = 51834;
|
||||
pk-file = config.sops.secrets."wireguard/layne/pk".path;
|
||||
psk-file = config.sops.secrets."wireguard/layne/psk".path;
|
||||
node-ips = [
|
||||
"10.10.10.14/24"
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = lib.mkDefault false;
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useNetworkd = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 51834 ];
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51834;
|
||||
privateKeyFile = config.sops.secrets."wireguard/layne/pk".path;
|
||||
address = [
|
||||
"10.10.10.14/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(bifrost // { persistentKeepalive = 20; })
|
||||
rico0
|
||||
rico1
|
||||
rico2
|
||||
wynne
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
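Review bot: The `wireguard/layne/psk` secret is still declared (mode 400, root-owned) but nothing in the new `wg-quick.interfaces.Homelab` block consumes it: the `peers` entries come from `wireguard-peers.nix`, which only carries `endpoint`/`publicKey`/`allowedIPs`, and no peer sets `presharedKeyFile`. The removed `nodeconfig.wireguard.psk-file` option presumably wired this key in before, so the pre-shared-key layer appears to be dropped silently by the refactor while the key material is still decrypted to disk on every boot. The same applies to rico0, rico1, rico2, wynne and skipper, and bifrost declares no psk secret at all, so whichever peer pairs used a PSK before now have none on either side. Either wire the secret back in on the peer it was meant for (the old module took a single `psk-file`, so presumably the bifrost peer: `(bifrost // { persistentKeepalive = 20; presharedKeyFile = config.sops.secrets."wireguard/layne/psk".path; })`) or remove the unused `sops.secrets` declarations so the intended state is explicit.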
@ -1,30 +1,77 @@
|
|||
{ config, ... }: {
|
||||
imports = [
|
||||
../shared/network.nix
|
||||
../shared/networkd.nix
|
||||
../shared/wireguard.nix
|
||||
];
|
||||
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/rico0/pk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
"wireguard/rico0/psk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nodeconfig.wireguard = {
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
listen-port = 51830;
|
||||
pk-file = config.sops.secrets."wireguard/rico0/pk".path;
|
||||
psk-file = config.sops.secrets."wireguard/rico0/psk".path;
|
||||
node-ips = [
|
||||
"10.10.10.10/24"
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = lib.mkDefault false;
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useNetworkd = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 51830 ];
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51830;
|
||||
privateKeyFile = config.sops.secrets."wireguard/rico0/pk".path;
|
||||
address = [
|
||||
"10.10.10.10/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(bifrost // { persistentKeepalive = 20; })
|
||||
rico1
|
||||
rico2
|
||||
wynne
|
||||
layne
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
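Review bot: The `systemd.network.networks."41-ether"`, `services.resolved` and `networking` blocks in this hunk are copies of what the commit deletes from the shared `networkd.nix` and `network.nix`, and the same copy is repeated in rico1, rico2, wynne, layne and bifrost; the per-host difference is only `listenPort`, `address`, the secret names and the peer list, so six hand-maintained copies make drift the expected failure mode and make it hard to tell an intentional difference from a forgotten one. Consider keeping the common block in one shared module and leaving only those per-host values in each file. Note also that the inlined copies drop two settings the deleted `networkd.nix` had — `ipv6AcceptRAConfig.UseDomains = true` and the `routes` entry pinning `165.232.180.97` to `Gateway = "_dhcp4"` with `GatewayOnLink = "yes"` for non-bifrost hosts — and the commit message does not mention either; if that is intended, say so in the message, otherwise carry them over.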
@ -1,30 +1,77 @@
|
|||
{ config, ... }: {
|
||||
imports = [
|
||||
../shared/network.nix
|
||||
../shared/networkd.nix
|
||||
../shared/wireguard.nix
|
||||
];
|
||||
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/rico1/pk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
"wireguard/rico1/psk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nodeconfig.wireguard = {
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
listen-port = 51831;
|
||||
pk-file = config.sops.secrets."wireguard/rico1/pk".path;
|
||||
psk-file = config.sops.secrets."wireguard/rico1/psk".path;
|
||||
node-ips = [
|
||||
"10.10.10.11/24"
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = lib.mkDefault false;
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useNetworkd = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 51831 ];
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51831;
|
||||
privateKeyFile = config.sops.secrets."wireguard/rico1/pk".path;
|
||||
address = [
|
||||
"10.10.10.11/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(bifrost // { persistentKeepalive = 20; })
|
||||
rico0
|
||||
rico2
|
||||
wynne
|
||||
layne
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,30 +1,77 @@
|
|||
{ config, ... }: {
|
||||
imports = [
|
||||
../shared/network.nix
|
||||
../shared/networkd.nix
|
||||
../shared/wireguard.nix
|
||||
];
|
||||
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/rico2/pk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
"wireguard/rico2/psk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nodeconfig.wireguard = {
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
listen-port = 51832;
|
||||
pk-file = config.sops.secrets."wireguard/rico2/pk".path;
|
||||
psk-file = config.sops.secrets."wireguard/rico2/psk".path;
|
||||
node-ips = [
|
||||
"10.10.10.12/24"
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = lib.mkDefault false;
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useNetworkd = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 51832 ];
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51832;
|
||||
privateKeyFile = config.sops.secrets."wireguard/rico2/pk".path;
|
||||
address = [
|
||||
"10.10.10.12/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(bifrost // { persistentKeepalive = 20; })
|
||||
rico0
|
||||
rico1
|
||||
wynne
|
||||
layne
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,15 +0,0 @@
|
|||
{ lib, ... }: {
|
||||
networking = {
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useDHCP = lib.mkDefault false;
|
||||
};
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
}
|
|
@ -1,40 +0,0 @@
|
|||
{ lib, config, ... }: {
|
||||
networking = {
|
||||
useNetworkd = true;
|
||||
};
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
ipv6AcceptRAConfig = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
routes = lib.mkIf ((lib.strings.toLower config.networking.hostName) != "bifrost") [
|
||||
{
|
||||
Destination = "165.232.180.97";
|
||||
Gateway = "_dhcp4";
|
||||
GatewayOnLink = "yes";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
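--- /dev/null
+++ b/hosts/shared/wireguard-peers.nix
@@ -0,0 +1,15 @@
+let
+mkPeer = endpoint: publicKey: allowedIPs: {
+inherit endpoint publicKey allowedIPs;
+};
+in
+{
+bifrost = mkPeer "165.232.180.97:51821" "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=" [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];
+skipper = mkPeer null "ob8Ri5fYBCkksRnpbkq0kBlU0Ll3xjIPpMk8e9TKpl4=" [ "10.10.10.2" ];
+kowalski = mkPeer null "ZgtftftDNAnNsOKo34cgaP3lQim2HMmoCXayALIVsFU=" [ "10.10.10.3" ];
+rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" [ "10.10.10.10" ];
+rico1 = mkPeer "192.168.1.11:51831" "lFtIm7CX3gcHMAu673ptRzNDQh5QEa7FbzlHSQerRg0=" [ "10.10.10.11" ];
+rico2 = mkPeer "192.168.1.12:51832" "FyFlOHfAprr474cJCXKRvgsU6o22xaQ8gzs1563AQnI=" [ "10.10.10.12" ];
+wynne = mkPeer "192.168.1.13:51833" "re9z2AAKGaJrEn5Q+xp7XnZn4x4+GoJPLZScaXrnMC0=" [ "10.10.10.13" ];
+layne = mkPeer "192.168.1.14:51834" "qhthtzB7vTGRfS1RGyP7RJ+BZLKd/BNxhaTJvAlYuyo=" [ "10.10.10.14" ];
+}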
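Review bot: This new peer table has no comment explaining the conventions every host file now depends on: `allowedIPs` is the cryptokey-routing set each node may source inside the tunnel, bifrost's list also contains `10.10.10.2` and `10.10.10.3` because skipper and kowalski are reached through the hub, `endpoint = null` means the address is learned from the peer's own handshake, and the `192.168.1.x` endpoints are home-LAN addresses that hosts elsewhere must override (bifrost does so with `endpoint = null`). Without that, the next edit can easily add a relayed address to the wrong peer's `allowedIPs` or leave a LAN endpoint in place on a host that cannot reach it. A two-line header is enough: `# Shared peer table; allowedIPs = addresses a peer may send from (bifrost also carries the peers it relays).` and `# endpoint = null: learned from the peer's handshake; 192.168.1.x endpoints are only valid on the home LAN.` Public keys are fine to keep in the repo; the matching private keys stay in sops.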
@ -1,33 +0,0 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
hostName = lib.strings.toLower config.networking.hostName;
|
||||
mkPeer = endpoint: publicKey: ip: {
|
||||
inherit endpoint publicKey;
|
||||
allowedIPs = [ ip ];
|
||||
};
|
||||
peer-rico0 = mkPeer "192.168.1.10:51830" "9mfgKUM6hXllEUunvI8szlni9OFpKSbaLVZRAhAh51Q=" "10.10.10.10";
|
||||
peer-rico1 = mkPeer "192.168.1.11:51831" "lFtIm7CX3gcHMAu673ptRzNDQh5QEa7FbzlHSQerRg0=" "10.10.10.11";
|
||||
peer-rico2 = mkPeer "192.168.1.12:51832" "FyFlOHfAprr474cJCXKRvgsU6o22xaQ8gzs1563AQnI=" "10.10.10.12";
|
||||
peer-wynne = mkPeer "192.168.1.13:51833" "re9z2AAKGaJrEn5Q+xp7XnZn4x4+GoJPLZScaXrnMC0=" "10.10.10.13";
|
||||
peer-layne = mkPeer "192.168.1.14:51834" "qhthtzB7vTGRfS1RGyP7RJ+BZLKd/BNxhaTJvAlYuyo=" "10.10.10.14";
|
||||
selectPeer = host: peer: if hostName == host then [ ] else [ peer ];
|
||||
interface-name = "Homelab";
|
||||
in
|
||||
{
|
||||
nodeconfig.wireguard = {
|
||||
inherit interface-name;
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
endpoint = "165.232.180.97:51821";
|
||||
endpoint-publickey = "NNw/iDMCTq8mpHncrecEh4UlvtINX/UUDtCJf2ToFR4=";
|
||||
allowed-ips = if hostName == "skipper" then [ "10.10.10.0/24" ] else [ "10.10.10.1" "10.10.10.2" "10.10.10.3" ];
|
||||
};
|
||||
networking = {
|
||||
firewall.allowedUDPPorts = [ config.nodeconfig.wireguard.listen-port ];
|
||||
wg-quick.interfaces.${interface-name}.peers = if hostName == "skipper" then [ ] else
|
||||
((selectPeer "rico0" peer-rico0)
|
||||
++ (selectPeer "rico1" peer-rico1)
|
||||
++ (selectPeer "rico2" peer-rico2)
|
||||
++ (selectPeer "wynne" peer-wynne)
|
||||
++ (selectPeer "layne" peer-layne));
|
||||
};
|
||||
}
|
|
@ -1,12 +1,20 @@
|
|||
_: {
|
||||
imports = [
|
||||
../../shared/network.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
{ lib, ... }: {
|
||||
imports = [ ./wireguard.nix ];
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useDHCP = lib.mkDefault false;
|
||||
extraHosts = ''
|
||||
10.10.10.1 Proxy
|
||||
10.10.10.1 Bifrost
|
||||
10.10.10.2 Skipper
|
||||
10.10.10.10 Rico0
|
||||
10.10.10.11 Rico1
|
||||
|
|
|
@ -1,26 +1,33 @@
|
|||
{ config, ... }: {
|
||||
imports = [ ../../shared/wireguard.nix ];
|
||||
|
||||
{ config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/skipper/pk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
"wireguard/skipper/psk" = {
|
||||
mode = "400";
|
||||
owner = config.users.users.root.name;
|
||||
group = config.users.users.root.group;
|
||||
};
|
||||
networking = {
|
||||
firewall = {
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51822;
|
||||
privateKeyFile = config.sops.secrets."wireguard/skipper/pk".path;
|
||||
address = [
|
||||
"10.10.10.2/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(bifrost // { allowedIPs = [ "10.10.10.0/24" ]; })
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nodeconfig.wireguard = {
|
||||
enable = true;
|
||||
listen-port = 51822;
|
||||
pk-file = config.sops.secrets."wireguard/skipper/pk".path;
|
||||
psk-file = config.sops.secrets."wireguard/skipper/psk".path;
|
||||
node-ips = [
|
||||
"10.10.10.2/24"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
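Review bot: Skipper's new `networking.firewall` block sets only `trustedInterfaces`; unlike every other host in this commit it has no `allowedUDPPorts = [ 51822 ]` for its `listenPort`, and its bifrost peer carries no `persistentKeepalive` while bifrost lists skipper with `endpoint = null`. With the default NixOS firewall that means skipper is reachable from the hub only while the conntrack entry of a flow skipper itself started is alive; after it expires, bifrost's packets to 51822 are dropped until skipper sends again, so relayed traffic from the home side towards `10.10.10.2` stalls in the meantime. If skipper is meant to be reachable from the hub, add `allowedUDPPorts = [ 51822 ];` next to `trustedInterfaces`, and if it sits behind NAT use `(bifrost // { allowedIPs = [ "10.10.10.0/24" ]; persistentKeepalive = 20; })` as the other hosts do. Note also that `trustedInterfaces = [ "Homelab" ]` with a `10.10.10.0/24` allowed-IPs entry exposes every port on skipper to the whole homelab; if that is wider than intended, list the needed ports in `interfaces.Homelab.allowedTCPPorts` instead.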
@ -1,10 +1,8 @@
|
|||
{ config, ... }: {
|
||||
imports = [
|
||||
../shared/network.nix
|
||||
../shared/networkd.nix
|
||||
../shared/wireguard.nix
|
||||
];
|
||||
|
||||
{ lib, config, ... }:
|
||||
let
|
||||
wireguard-peers = import ../shared/wireguard-peers.nix;
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"wireguard/wynne/pk" = {
|
||||
mode = "400";
|
||||
|
@ -18,13 +16,67 @@
|
|||
};
|
||||
};
|
||||
|
||||
nodeconfig.wireguard = {
|
||||
systemd = {
|
||||
network = {
|
||||
enable = true;
|
||||
wait-online.enable = false;
|
||||
networks = {
|
||||
"41-ether" = {
|
||||
enable = true;
|
||||
matchConfig = {
|
||||
Type = "ether";
|
||||
Name = "e*";
|
||||
};
|
||||
networkConfig = {
|
||||
DHCP = "yes";
|
||||
IPv4Forwarding = "yes";
|
||||
};
|
||||
dhcpV4Config = {
|
||||
UseDomains = true;
|
||||
};
|
||||
linkConfig = {
|
||||
RequiredForOnline = "yes";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
listen-port = 51833;
|
||||
pk-file = config.sops.secrets."wireguard/wynne/pk".path;
|
||||
psk-file = config.sops.secrets."wireguard/wynne/psk".path;
|
||||
node-ips = [
|
||||
"10.10.10.13/24"
|
||||
domains = [ "~." ];
|
||||
fallbackDns = [ ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
useDHCP = lib.mkDefault false;
|
||||
nameservers = [
|
||||
"10.10.10.11"
|
||||
"10.10.10.12"
|
||||
];
|
||||
useNetworkd = true;
|
||||
firewall = {
|
||||
allowedUDPPorts = [ 51833 ];
|
||||
trustedInterfaces = [ "Homelab" ];
|
||||
};
|
||||
wg-quick = {
|
||||
interfaces = {
|
||||
Homelab = {
|
||||
listenPort = 51833;
|
||||
privateKeyFile = config.sops.secrets."wireguard/wynne/pk".path;
|
||||
address = [
|
||||
"10.10.10.13/24"
|
||||
];
|
||||
dns = [ "10.10.10.11" "10.10.10.12" ];
|
||||
peers = with wireguard-peers; [
|
||||
(bifrost // { persistentKeepalive = 20; })
|
||||
rico0
|
||||
rico1
|
||||
rico2
|
||||
layne
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
14
secrets.yaml
14
secrets.yaml
|
@ -4,30 +4,20 @@ passwd:
|
|||
wireguard:
|
||||
skipper:
|
||||
pk: ENC[AES256_GCM,data:by1Cqt1IYK1+MTGrj8Y6JQcKGuUun3b4XNDi6+eyR2bviRhfEQdxHEEA+ZI=,iv:V8dZy4iWe7t54aDgn22pGYaqf+tN1drt3nFo0ctoUlE=,tag:x4GfT9kY8+fGrM1ELOMbRA==,type:str]
|
||||
psk: ENC[AES256_GCM,data:D6S3XPit4SkwsFzOFL7NXXzaxZg5R0oBvTsHVkUDHQxBzfBUA9u1iDRl2Jw=,iv:eqI5twDHGcJDDqPmBelU2XxIi84jV9k+bORgKEpz7EA=,tag:Ljj/7oA7RBEMSd6dXC7FKw==,type:str]
|
||||
rico0:
|
||||
pk: ENC[AES256_GCM,data:VGhOm7s/wU15h2nhDzrJdImTDv7SvmUNNQhsCJIzFmZh0mKS81au8uDJhVA=,iv:+8sTtCEXyw2fnNXS7kayOb5ldwUPnPzGaJ39UOpXKrQ=,tag:gyejp28gbMbRKaBMYYAoKA==,type:str]
|
||||
psk: ENC[AES256_GCM,data:XlnEVm3nIGIB/e5dVnwtoAXyjYAc5iElP5mPXlqX8zttXUsEjD3ifL9/rwc=,iv:K/8EyZaNCAxSscfVrO84P86pEkdvnP9ibBDs2SWoXx8=,tag:HS8CxiSaHxyukdfk5zWIvg==,type:str]
|
||||
rico1:
|
||||
pk: ENC[AES256_GCM,data:pXAPjrmKYZ2HZtwEhASOIv24BAu1hmA+Gaave4IegqpJyQlpcoPnmUKWnZ8=,iv:FiFq8Uoo0pA7rJCiM5pHss2ElEzIBZ7K73wWfn9oLl8=,tag:PKzhRmqmKwMXQYeKo7nBVw==,type:str]
|
||||
psk: ENC[AES256_GCM,data:yaSQc/NT1Res1LjU19GNFK9poeaY2M7BSSicmV237bQKxBo1hM4corPATM4=,iv:d4mOelgktH6wX6vmXhdjC6PQZ04bmCWkqHBP4IGyKog=,tag:B3xSy4avb8hNNzjq3K3uMg==,type:str]
|
||||
rico2:
|
||||
pk: ENC[AES256_GCM,data:XyiOlPelFLAhW7Dbko+zGnrxvDAcwxLhBPXye+tBEZ4rs/gcoczjqPhfUJo=,iv:DoMIXLUClnosQPg4VhXBdWV41MJ2sN3C3xgZ9jw2qkY=,tag:m0ZfLdWX8u1h1RgIMfVE9w==,type:str]
|
||||
psk: ENC[AES256_GCM,data:vKHqJDkpyj05UnnSU0PTG3byrXs9gwJISRmwgG93jaOUCUKfsJuSDeQCfQw=,iv:/v7sEH03zsVfDxY6oCvnRfNQfNvqXi5Bt5ONM7zFxoI=,tag:WzDTlFU7frYwAGHkUHlxEQ==,type:str]
|
||||
wynne:
|
||||
pk: ENC[AES256_GCM,data:50L8Rru7pVWa+19qltLynzYwh37HK3IbnjfBtf6REb7KpSTWvmK48JVchxw=,iv:PQylNCEGiyBIk/NxFSAFqrzCu5st9dkshQ6jyRt7yKs=,tag:ddhaCFCBQVxrPaqaHIvg2Q==,type:str]
|
||||
psk: ENC[AES256_GCM,data:cbO8D/kwhdsiYAqXAbdud0Bhm/tpmwcpdCmKcsvsnUFjy2fO9dYrd0/KbSA=,iv:oByAtlZTY7+taMoniU/dIecZG8XoHWwKVBHGri4xUv0=,tag:8vJm4n/8/jxHtS+E+iVvLw==,type:str]
|
||||
layne:
|
||||
pk: ENC[AES256_GCM,data:tmuYhe/7n65asRwmXXk7ZeYeS8SDovkLpaysXTmNvL+40IZw71Ju1lpJIrI=,iv:B4fhKqOkLwTWBpHD557Xrtn5GgTJJpWlFYCzNU1/Ipc=,tag:HBFGG35FB/UWkuVQWqo1EA==,type:str]
|
||||
psk: ENC[AES256_GCM,data:5psT1pbRMDCBXHYg4z5zqsYTmgQgg0Df+xEtbEhf1YBzl6qEYyjLDhvpvaQ=,iv:wH9CqNBmLjlGlDPFZtTQ+tCVYBTkhLfwLc2nWNhlYCM=,tag:YWtFcx4YD6gh5qDnIYshfQ==,type:str]
|
||||
matrix:
|
||||
syncv3_secret: ENC[AES256_GCM,data:05lLSSolNO55VjJQL3nLNGo2jiZUZht2FKNvc2O2dCccSfglrwm6J5Guzns9ZlT8X9j74lvlWlbM6Q==,iv:1zARbgZ9GJV1UMJ+WjFPNYPqhRjGVj4iLYMpfsRjrko=,tag:fQ9Vg1xD1k2eYlEbtF6q8A==,type:str]
|
||||
caddy:
|
||||
env_file: ENC[AES256_GCM,data:PKtILX7o0D3rj78JXIXad9UcQz0ZiihXK1nY/kb08fh3i54hYrFyJyGt04b9mAufxTnhDV4=,iv:I/EtxopCFmRxgsGJIcFDufTiM1JyPPoIQkgKIDiCP24=,tag:5QlGMp839p9RYKB09tr61A==,type:str]
|
||||
forgejo:
|
||||
runner_registration_token_file: ENC[AES256_GCM,data:CM5hQEd1YHuCpzN6ZVGVzxRgQcUuq/KZ+o5JcB3kRAyVJVYjCyRfNPD2SA/ruw==,iv:L3tLN0C/d3lztvnBHyRzSFdkjtR8bnd5IrROGBSw/0E=,tag:R+o7E47DNvRr8S+hqR+v5w==,type:str]
|
||||
proton:
|
||||
layne: ENC[AES256_GCM,data:wAY2uoxjM1ubHzvwBfsgQzx+OLsno4Q/gP5XPiDPHwWy3IbmU14EhSH942mdjixRlHK2/T3l3NYqFSOm//8Ri9+GyfmJBcIKY/A8vgui0DbkGOb5+h7AKDoCwyUrredtCtFSWk5Hahl19BnJtoLEzmOjbF6su7P2PgAdpxlkWiiyR3ZVSC+PD/2KjdkgNSEXV8V7fxTSaiMqAYXiIqe33Kx5gKIVHPuHf8qrnKYQ92q2BUolpXpcg24FlbavjgmkTI3wCw9V/o/zo5lJnCzi8TSdVelJ5fOKDUA+8FemJcquYQ==,iv:dsbKPzNUAYnH1yaflxEAoKaTj+QtflkMdqAQqQQi418=,tag:jsSTKjmk6nTUfUAxcTsMtA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -106,8 +96,8 @@ sops:
|
|||
UXJhWFFnQnFvOEF0M0JFb3E4UVB4UU0KSUq4d8eudY03p/fd8S8f1wk0OU4BlNYB
|
||||
tldkOx2DhSvcVr/FcIJIR2PFbU8o50kYj9R0HR2sHJ5C5fJ0cDXY4A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-10-31T05:28:50Z"
|
||||
mac: ENC[AES256_GCM,data:PbyhjXr/IZw+5q0PqTjXowHaiB31NjZzYpKhVV5s43+XrdMpVhcaqr9Gs7yTsqNsSc36uZ1YRymwYr8i+bF1k81lvDgyEr38Pl3vcEoIy+jNPaVnxXBRW6CL69cKfC058GmuPRYIyevorw3G3DtpLsCT5lGiMS9XedmBMf3rsw0=,iv:lHO27bURe7apOq/2KQXttou/OJMRM4uBrpqH26hBIDE=,tag:1ulMCx3/UCWCplUv+NJqNA==,type:str]
|
||||
lastmodified: "2024-11-16T13:28:44Z"
|
||||
mac: ENC[AES256_GCM,data:HSpdXpDRlP7IamrmvQInn1coo+T59r5AowbH9uEr6cntWhOVjI6xJb91dd647uhnl9RQ4KN6QjNiBU3u4/9ie/hHAOzuX4vzYHjaWV0iO1pAHVOkT5jmker767je7rKVOu9BdtDgckGWQfC599bEL2PzS5megjo5Jbg/trZXHx0=,iv:EmnH2nwuBHdrtoJXSvOUdob0YKzl88jyJbXN+qFX0zQ=,tag:kUicG4NTK8DiY7OUvOgv3w==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
||||
|
|
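Review bot: The `wireguard:` block in this hunk has entries for skipper, rico0, rico1, rico2, wynne and layne but none for bifrost, while the new bifrost config declares `sops.secrets."wireguard/bifrost/pk"`; unless bifrost reads a different sops file (nothing in the commit shows where its previous WireGuard key came from), that declaration will fail at activation because the key is not in this file. The rendered hunk does not show which ten lines `-4,30 +4,20` removed, so I cannot tell whether an old bifrost entry was dropped here. Please either add a `bifrost:` / `pk:` entry alongside the others or point at the file that holds it.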