VEGAS: add backbone routing, portforward and peers

2021-10-16 20:18:53 +02:00 · 2021-10-16 20:18:53 +02:00 · 1384345400
commit 1384345400
parent 1aa75fc451
6 changed files with 87 additions and 0 deletions
--- a/hosts/VEGAS/services/backbone-routing/default.nix
+++ b/hosts/VEGAS/services/backbone-routing/default.nix
@ -0,0 +1,28 @@
+{ config, hosts, ... }:
+let
+  inherit (hosts.${config.networking.hostName}) interfaces;
+in
+{
+  imports = [
+    ./port-forward.nix
+    ./peering.nix
+  ];
+
+  networking.nat = {
+    enable = true;
+    externalInterface = interfaces.primary.link;
+    internalIPs = [
+      "10.10.0.0/16"
+    ];
+  };
+
+  networking.interfaces.${interfaces.vstub.link} = {
+    virtual = true;
+    ipv4.addresses = [
+      {
+        address = interfaces.vstub.addr;
+        prefixLength = 32;
+      }
+    ];
+  };
+}
--- a/hosts/VEGAS/services/backbone-routing/peering.nix
+++ b/hosts/VEGAS/services/backbone-routing/peering.nix
@ -0,0 +1,33 @@
+{ config, ... }:
+
+{
+  networking.firewall.allowedUDPPorts = [
+    config.networking.wireguard.interfaces.wgautobahn.listenPort
+  ];
+
+  age.secrets.wireguard-key-wgautobahn = {
+    file = ../../../../secrets/wireguard-key-wgautobahn.age;
+    owner = "root";
+    group = "root";
+    mode = "0400";
+  };
+
+  networking.wireguard = {
+    enable = true;
+    interfaces.wgautobahn = {
+      ips = [ "10.15.0.1/30" ];
+      listenPort = 51820;
+      privateKeyFile = config.age.secrets.wireguard-key-wgautobahn.path;
+
+      allowedIPsAsRoutes = true;
+      peers = [
+        # animus
+        {
+          publicKey = "CIJ8W5SDMyPnSZLN2CNplwhGaNPUGoLV0mdzoDHhxUo=";
+          allowedIPs = [ "10.15.0.0/30" "10.150.0.0/16" ];
+          endpoint = "116.202.226.86:53042";
+        }
+      ];
+    };
+  };
+}
--- a/hosts/VEGAS/services/backbone-routing/port-forward.nix
+++ b/hosts/VEGAS/services/backbone-routing/port-forward.nix
@ -0,0 +1,9 @@
+{
+  networking.nat.forwardPorts = [
+    {
+      sourcePort = 52222;
+      destination = "10.10.2.205:22";
+      proto = "tcp";
+    }
+  ];
+}
--- a/hosts/VEGAS/system.nix
+++ b/hosts/VEGAS/system.nix
@ -12,6 +12,9 @@
      ./modules/oauth2-proxy
      ./modules/virtualisation
      inputs.agenix.nixosModules.age
+
+      # Services
+      ./services/backbone-routing
    ]
    # TODO: fix users
    # ++ (import ../../users "server").groups.admin
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -8,4 +8,5 @@ in with hosts;
  "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
  "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
  "oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 }
--- a/secrets/wireguard-key-wgautobahn.age
+++ b/secrets/wireguard-key-wgautobahn.age
@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A 2h+cvDs0ZF/4KjtEdZVAt82fol+7LpAZPDDn6AvUOTg
+NhTqPo8kezw8958g6XStj+zwfgLtsAVUFZ6Utj5SgUM
+-> ssh-ed25519 5/zT0w CxBTfWH4/UfDAdo3G30bHleMU9FdRdTA4RapQN25ISU
+F+fvzsSuMv3kINJmEodraZcC16WbslE0w4oDo6sSjqA
+-> ssh-ed25519 d3WGuA IdssM5x5IKzLJeQNyGS6CFDcre0w6yG+X8WToFU66R8
+95lNHp1fepWe6CqecaGNZhg7Oh7lBw86UeSRGY7w1wE
+-> y>hqw-grease m, z7 ;#ddi
+/DsgoGG5+p/B7Dri153Ta5PxZT5IsMF9e8ispSE0E8sA2QkPxT2GGNRRlvYkzXSF
+6b9vv3P9IvPA4m2VQRJ6IlUPAmx00n0G9U5BqxrCknSZ242+QG3zFA
+--- eJGQ5eUCAuhrs7ozhissFClHKDQVgBbkU7ZXbAA4xNg
+Bñt<C3B1>7ç²û„ÊT]P®°÷7<C3B7>þe†J$_´
+j*ôH%"žX•â	0Æê‡ë¼$¯Ä/vòÐa¾‰¡>L<>Q*Ç>}ð±/kËÁgç