From 1dae0738ebaa6fd2557789ed99804e6983f00815 Mon Sep 17 00:00:00 2001
From: Max
Date: Wed, 3 Aug 2022 22:53:45 +0200
Subject: [PATCH] cluster/services/wireguard: init

---
 cluster/services/wireguard/default.nix | 43 +++++++++++++++++++
 .../services/wireguard/mesh-keys/VEGAS.age | 11 +++++
 .../services/wireguard/mesh-keys/prophet.age | 13 ++++++
 cluster/services/wireguard/mesh.nix | 36 ++++++++++++++++
 secrets.nix | 2 +
 5 files changed, 105 insertions(+)
 create mode 100644 cluster/services/wireguard/default.nix
 create mode 100644 cluster/services/wireguard/mesh-keys/VEGAS.age
 create mode 100644 cluster/services/wireguard/mesh-keys/prophet.age
 create mode 100644 cluster/services/wireguard/mesh.nix

diff --git a/cluster/services/wireguard/default.nix b/cluster/services/wireguard/default.nix
new file mode 100644
index 0000000..d9d8d77
--- /dev/null
+++ b/cluster/services/wireguard/default.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+
+let
+ inherit (config.vars) hosts;
+
+ meshNet = rec {
+ netAddr = "10.1.1.0";
+ prefix = 24;
+ cidr = "${netAddr}/${toString prefix}";
+ };
+
+ getExtAddr = host: host.interfaces.primary.addrPublic or host.interfaces.primary.addr;
+in
+{
+ links = {
+ mesh-node-VEGAS = {
+ ipv4 = getExtAddr hosts.VEGAS;
+ extra = {
+ meshIp = "10.1.1.5";
+ inherit meshNet;
+ pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
+ privKeyFile = ./mesh-keys/VEGAS.age;
+ };
+ };
+ mesh-node-prophet = {
+ ipv4 = getExtAddr hosts.prophet;
+ extra = {
+ meshIp = "10.1.1.9";
+ inherit meshNet;
+ pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc=";
+ privKeyFile = ./mesh-keys/prophet.age;
+ };
+ };
+ };
+ services.wireguard = {
+ nodes = {
+ mesh = [ "VEGAS" "prophet" ];
+ };
+ nixos = {
+ mesh = ./mesh.nix;
+ };
+ };
+}
diff --git a/cluster/services/wireguard/mesh-keys/VEGAS.age b/cluster/services/wireguard/mesh-keys/VEGAS.age
new file mode 100644
index 0000000..bda0247
--- /dev/null
+++ b/cluster/services/wireguard/mesh-keys/VEGAS.age
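Review bot: The node list in `services.wireguard.nodes.mesh` and the `links."mesh-node-<name>"` entries are kept in sync by hand, and nothing checks that each `meshIp` is unique or actually lies inside `meshNet`; a name present in one place but not the other only shows up later as an evaluation failure when mesh.nix dereferences `cluster.config.links."mesh-node-${peerName}"`. The convention should at least be written down at the top of the file, e.g. `# One links."mesh-node-<host>" entry per name in services.wireguard.nodes.mesh; meshIp must be unique and inside meshNet.cidr.` The `pubKey` values are WireGuard public keys and `privKeyFile` points at age-encrypted material, so nothing sensitive is committed in clear here, but a short comment saying that the private half lives under mesh-keys/ and is decrypted only on the owning host would help the next maintainer.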
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A K4GQQWJwXbpc0RCIj7+l6YgmXFNOHRrtIrtuCwEd9FQ
+9ZKAzhqdmjZ6u/nmDdD1lm7sn+C4orLDYh667twLFrA
+-> ssh-ed25519 5/zT0w Sbt0FKgTtCbAXTPfJzuXV1Erm88W5s+lm1fzzWq/G0M
+Dl8xl8DProREk/wcpabRaYwIcM2kQBrE3mM8MD453w8
+-> ssh-ed25519 d3WGuA QLXbvtQSKYWpQsGISyr7XY6ZrabXN75jAHSorfg4HDg
+3QZkuHKBEETwrcZVIzn8hOh9r1PCmRUQmMh9xfm+NrY
+-> |(-grease Y}fl\6J<
++IF+TRTiuAuxUwWfA5qPumSSp4bnokwwNECqYVNDWVdiuw0/
+--- stUqfmRdJG1YQAdEVaZJvM9IfnVShk/f5RQwdmUNkFI
+»ÙºÙfZZÕ’½Éؚ䓸Þ±è‡ËÜlsÛò ÿ‘£åë{0Áù»ìv½õ¼‹ü æ®UÉX‰«óäl­áÑdï]r×t|‰¿u´«
\ No newline at end of file
diff --git a/cluster/services/wireguard/mesh-keys/prophet.age b/cluster/services/wireguard/mesh-keys/prophet.age
new file mode 100644
index 0000000..b261e58
--- /dev/null
+++ b/cluster/services/wireguard/mesh-keys/prophet.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A 8xT2Vu1KP8A3iFcBVVvIg4JKXYpJEQtOsF0ZeYcQ2Es
+HxYxEDJhFalqTJGNY1Qgax/VY1R1OQ1+r6eHbpaKhXM
+-> ssh-ed25519 5/zT0w DZINx513x1+rnNUZSNQFDQhJ0Aq1LZKDABHzcbdWZ2s
+e/+fCsXr7OMbhk5v9F+tuAQtw2zxBmhbOU1l7vlsuEo
+-> ssh-ed25519 6YMlxg JCwYRIDl6YvEU++kb+9Ueko6dsQFfZWb16bCX2+ERkE
+sctq94XnkeErz0y020ezq8iJuXZpd1vR67A6Zvn94i4
+-> S"]8M%.-grease a] m
+65dqLQud525eNWAiV3hqEtZL492hwNOrnE/Z8xkGGK7fR3a6/29yFvbHifTzs++c
+37tXbp4kblo
+--- mVbh72BVlXFnPAE5J18K1rAWm0HBBbNrAb6xJ7baAhM
+ýH·×´t”u'ΙØõ:Ýd󓋺uÀ¸û+ºƒm©íŒš27öábyDÇ®¿Ê)
+/ÁC!®wôaFF½Úû{9Tä‡Ðœ]j¢ ᦢ
\ No newline at end of file
diff --git a/cluster/services/wireguard/mesh.nix b/cluster/services/wireguard/mesh.nix
new file mode 100644
index 0000000..fdfe3ca
--- /dev/null
+++ b/cluster/services/wireguard/mesh.nix
@@ -0,0 +1,36 @@
+{ cluster, config, ... }:
+let
+ inherit (config.networking) hostName;
+
+ link = cluster.config.links."mesh-node-${hostName}";
+
+ mkPeer = peerName: let
+ peerLink = cluster.config.links."mesh-node-${peerName}";
+ in {
+ publicKey = peerLink.extra.pubKey;
+ allowedIPs = [ "${peerLink.extra.meshIp}/32" ];
+ endpoint = peerLink.tuple;
+ };
+in
+{
+ age.secrets.wireguard-key-core = {
+ file = link.extra.privKeyFile;
+ mode = "0400";
+ };
+
+ networking = {
+ firewall = {
+ allowedUDPPorts = [ link.port ];
+ };
+
+ wireguard = {
+ enable = true;
+ interfaces.wgmesh = {
+ ips = [ "${link.extra.meshIp}/24" ];
+ listenPort = link.port;
+ privateKeyFile = config.age.secrets.wireguard-key-core.path;
+ peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh;
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index ca829a0..102d9ea 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,8 @@ let
 systemKeys = x: x.ssh.id.publicKey or null; in with hosts; {
+ "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+ "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
 "secrets/acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];
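Review bot: `ips = [ "${link.extra.meshIp}/24" ]` hard-codes the prefix length that default.nix already carries as `link.extra.meshNet.prefix` (and exposes as `meshNet.cidr`), so a later change to `meshNet` would silently leave the interface address out of step with the declared network; use `ips = [ "${link.extra.meshIp}/${toString link.extra.meshNet.prefix}" ];` instead. The per-peer `allowedIPs = [ "${peerLink.extra.meshIp}/32" ]` is the right cryptokey-routing scope, since each peer key can then only carry traffic for its own mesh address, and it is worth a comment such as `# /32 on purpose: a peer's key is only ever trusted for its own mesh address` so it is not widened to the /24 later. `endpoint = peerLink.tuple` and `link.port` come from the links module outside this diff, so I could not confirm they yield the public ipv4:port pair mkPeer relies on. Opening `link.port` in `allowedUDPPorts` on all interfaces is the usual WireGuard posture; traffic arriving over wgmesh still passes through the default firewall, which is the safer default, so services that should only listen on the mesh need interface-scoped rules rather than marking wgmesh trusted.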