VEGAS: add backbone routing, portforward and peers

This commit is contained in:
Max Headroom 2021-10-16 20:18:53 +02:00
parent 1aa75fc451
commit 1384345400
6 changed files with 87 additions and 0 deletions


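--- /dev/null
+++ b/services/backbone-routing/default.nix
@@ -0,0 +1,28 @@
+{ config, hosts, ... }:
+let
+inherit (hosts.${config.networking.hostName}) interfaces;
+in
+{
+imports = [
+./port-forward.nix
+./peering.nix
+];
+networking.nat = {
+enable = true;
+externalInterface = interfaces.primary.link;
+internalIPs = [
+"10.10.0.0/16"
+];
+};
+networking.interfaces.${interfaces.vstub.link} = {
+virtual = true;
+ipv4.addresses = [
+{
+address = interfaces.vstub.addr;
+prefixLength = 32;
+}
+];
+};
+}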
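Review bot: `networking.nat.enable = true` switches on IPv4 forwarding for the whole host, and nothing in this module constrains the FORWARD path, so once the imported peering.nix brings up wgautobahn, packets can be forwarded between the tunnel's 10.150.0.0/16 and the 10.10.0.0/16 NAT range without passing any filter (as far as I recall the default NixOS iptables firewall only filters INPUT). If that reachability is intended, record it in a comment above `networking.nat`; if not, add FORWARD rules through `networking.firewall.extraCommands` that drop forwarded traffic except the flows the backbone actually needs. Also, `internalIPs = [ "10.10.0.0/16" ]` does not include the tunnel ranges, so 10.150.0.0/16 is routed but never masqueraded out of `interfaces.primary.link` — presumably deliberate, but a one-line comment such as `# only the LAN is NATed; backbone prefixes are routed unmasqueraded` would make that explicit.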


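--- /dev/null
+++ b/services/backbone-routing/peering.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+{
+networking.firewall.allowedUDPPorts = [
+config.networking.wireguard.interfaces.wgautobahn.listenPort
+];
+age.secrets.wireguard-key-wgautobahn = {
+file = ../../../../secrets/wireguard-key-wgautobahn.age;
+owner = "root";
+group = "root";
+mode = "0400";
+};
+networking.wireguard = {
+enable = true;
+interfaces.wgautobahn = {
+ips = [ "10.15.0.1/30" ];
+listenPort = 51820;
+privateKeyFile = config.age.secrets.wireguard-key-wgautobahn.path;
+allowedIPsAsRoutes = true;
+peers = [
+# animus
+{
+publicKey = "CIJ8W5SDMyPnSZLN2CNplwhGaNPUGoLV0mdzoDHhxUo=";
+allowedIPs = [ "10.15.0.0/30" "10.150.0.0/16" ];
+endpoint = "116.202.226.86:53042";
+}
+];
+};
+};
+}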
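Review bot: The peer's `allowedIPs` entry `"10.15.0.0/30"` covers this host's own tunnel address 10.15.0.1, so WireGuard's cryptokey routing will accept packets from animus carrying that source address; narrowing it to the peer's single address (presumably `"10.15.0.2/32"`, to be confirmed against animus's `ips`) keeps the accepted source set minimal and still yields the needed route with `allowedIPsAsRoutes = true`. The peer has no `presharedKeyFile`; a per-link PSK is optional, but since the private key is already delivered through agenix (`age.secrets.wireguard-key-wgautobahn`, mode 0400, root-owned — good) a second secret for the PSK would fit the same pattern at little cost. A short comment on the `# animus` entry saying what 10.150.0.0/16 is and why it is routed over this link would help the next reader.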


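--- /dev/null
+++ b/services/backbone-routing/port-forward.nix
@@ -0,0 +1,9 @@
+{
+networking.nat.forwardPorts = [
+{
+sourcePort = 52222;
+destination = "10.10.2.205:22";
+proto = "tcp";
+}
+];
+}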
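Review bot: Forwarding external TCP 52222 to `10.10.2.205:22` publishes that internal host's SSH to every source that can reach the external interface, because `forwardPorts` installs a DNAT rule and, as far as I recall, the default NixOS firewall does not filter forwarded traffic; nothing in this file narrows the source. If this is for administrative access, reaching 10.10.2.205 over the wgautobahn tunnel added in the same commit would avoid the public exposure entirely; otherwise restrict the DNAT to known source ranges via `networking.firewall.extraCommands`. At minimum, a comment above the entry should record which machine 10.10.2.205 is and why its port 22 is exposed, e.g. `# SSH to <host> (10.10.2.205); reachable from the internet on 52222`.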


@ -12,6 +12,9 @@
./modules/oauth2-proxy ./modules/oauth2-proxy
./modules/virtualisation ./modules/virtualisation
inputs.agenix.nixosModules.age inputs.agenix.nixosModules.age
# Services
./services/backbone-routing
] ]
# TODO: fix users # TODO: fix users
# ++ (import ../../users "server").groups.admin # ++ (import ../../users "server").groups.admin


@ -8,4 +8,5 @@ in with hosts;
"hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ]; "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ];
"gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ]; "gitea-db-credentials.age".publicKeys = max ++ map systemKeys [ git ];
"oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ]; "oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"wireguard-key-wgautobahn.age".publicKeys = max ++ map systemKeys [ VEGAS ];
} }


@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A 2h+cvDs0ZF/4KjtEdZVAt82fol+7LpAZPDDn6AvUOTg
NhTqPo8kezw8958g6XStj+zwfgLtsAVUFZ6Utj5SgUM
-> ssh-ed25519 5/zT0w CxBTfWH4/UfDAdo3G30bHleMU9FdRdTA4RapQN25ISU
F+fvzsSuMv3kINJmEodraZcC16WbslE0w4oDo6sSjqA
-> ssh-ed25519 d3WGuA IdssM5x5IKzLJeQNyGS6CFDcre0w6yG+X8WToFU66R8
95lNHp1fepWe6CqecaGNZhg7Oh7lBw86UeSRGY7w1wE
-> y>hqw-grease m, z7 ;#ddi
/DsgoGG5+p/B7Dri153Ta5PxZT5IsMF9e8ispSE0E8sA2QkPxT2GGNRRlvYkzXSF
6b9vv3P9IvPA4m2VQRJ6IlUPAmx00n0G9U5BqxrCknSZ242+QG3zFA
--- eJGQ5eUCAuhrs7ozhissFClHKDQVgBbkU7ZXbAA4xNg
Bñt<C3B1>7ç²û„ÊT]P®°÷7<C3B7>þe†J$_´
j*ôH%"žX•â 0Æê‡ë¼$¯Ä/vòÐa¾‰¡>L<>Q*Ç>}ð±/kËÁgç