privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/wireguard: init

Browse source
This commit is contained in:
Max Headroom 2022-08-03 22:53:45 +02:00
parent e2da732613
commit 1dae0738eb
5 changed files with 105 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
cluster/services/wireguard/default.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, ... }:
let
inherit (config.vars) hosts;
meshNet = rec {
netAddr = "10.1.1.0";
prefix = 24;
cidr = "${netAddr}/${toString prefix}";
};
getExtAddr = host: host.interfaces.primary.addrPublic or host.interfaces.primary.addr;
in
{
links = {
mesh-node-VEGAS = {
ipv4 = getExtAddr hosts.VEGAS;
extra = {
meshIp = "10.1.1.5";
inherit meshNet;
pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
privKeyFile = ./mesh-keys/VEGAS.age;
};
};
mesh-node-prophet = {
ipv4 = getExtAddr hosts.prophet;
extra = {
meshIp = "10.1.1.9";
inherit meshNet;
pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc=";
privKeyFile = ./mesh-keys/prophet.age;
};
};
};
services.wireguard = {
nodes = {
mesh = [ "VEGAS" "prophet" ];
};
nixos = {
mesh = ./mesh.nix;
};
};
}

11
cluster/services/wireguard/mesh-keys/VEGAS.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A K4GQQWJwXbpc0RCIj7+l6YgmXFNOHRrtIrtuCwEd9FQ
9ZKAzhqdmjZ6u/nmDdD1lm7sn+C4orLDYh667twLFrA
-> ssh-ed25519 5/zT0w Sbt0FKgTtCbAXTPfJzuXV1Erm88W5s+lm1fzzWq/G0M
Dl8xl8DProREk/wcpabRaYwIcM2kQBrE3mM8MD453w8
-> ssh-ed25519 d3WGuA QLXbvtQSKYWpQsGISyr7XY6ZrabXN75jAHSorfg4HDg
3QZkuHKBEETwrcZVIzn8hOh9r1PCmRUQmMh9xfm+NrY
-> |(-grease Y}fl\6J<
+IF+TRTiuAuxUwWfA5qPumSSp4bnokwwNECqYVNDWVdiuw0/
--- stUqfmRdJG1YQAdEVaZJvM9IfnVShk/f5RQwdmUNkFI
サルコルZZユ朕ノリ壻萄゙ア閾ヒワlsロ<08><>促褄{0チ<30><EFBE81><EFBFBD>屈 谿UノX沖<1A>lュ瞋d<02>rラt|価uエォ

13
cluster/services/wireguard/mesh-keys/prophet.age Normal file
View file

@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A 8xT2Vu1KP8A3iFcBVVvIg4JKXYpJEQtOsF0ZeYcQ2Es
HxYxEDJhFalqTJGNY1Qgax/VY1R1OQ1+r6eHbpaKhXM
-> ssh-ed25519 5/zT0w DZINx513x1+rnNUZSNQFDQhJ0Aq1LZKDABHzcbdWZ2s
e/+fCsXr7OMbhk5v9F+tuAQtw2zxBmhbOU1l7vlsuEo
-> ssh-ed25519 6YMlxg JCwYRIDl6YvEU++kb+9Ueko6dsQFfZWb16bCX2+ERkE
sctq94XnkeErz0y020ezq8iJuXZpd1vR67A6Zvn94i4
-> S"]8M%.-grease a] m
65dqLQud525eNWAiV3hqEtZL492hwNOrnE/Z8xkGGK7fR3a6/29yFvbHifTzs++c
37tXbp4kblo
--- mVbh72BVlXFnPAE5J18K1rAWm0HBBbNrAb6xJ7baAhM
ýH·×´t”u'ΙØõ:Ýdó“ºuÀ¸û+ºƒm©íŒš27öábyDÇ®¿Ê)
/ÁC!®wôaFF½Úû{9Tä‡Ðœ]j¢ ᦢ

36
cluster/services/wireguard/mesh.nix Normal file
View file

@ -0,0 +1,36 @@
{ cluster, config, ... }:
let
inherit (config.networking) hostName;
link = cluster.config.links."mesh-node-${hostName}";
mkPeer = peerName: let
peerLink = cluster.config.links."mesh-node-${peerName}";
in {
publicKey = peerLink.extra.pubKey;
allowedIPs = [ "${peerLink.extra.meshIp}/32" ];
endpoint = peerLink.tuple;
};
in
{
age.secrets.wireguard-key-core = {
file = link.extra.privKeyFile;
mode = "0400";
};
networking = {
firewall = {
allowedUDPPorts = [ link.port ];
};
wireguard = {
enable = true;
interfaces.wgmesh = {
ips = [ "${link.extra.meshIp}/24" ];
listenPort = link.port;
privateKeyFile = config.age.secrets.wireguard-key-core.path;
peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh;
};
};
};
}

2
secrets.nix
View file

@ -4,6 +4,8 @@ let
systemKeys = x: x.ssh.id.publicKey or null;
in with hosts;
{
"cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
"secrets/acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];