cluster/services/wireguard: init

cluster/services/wireguard/default.nix

@@ -0,0 +1,43 @@
+{ config, ... }:
+
+let
+  inherit (config.vars) hosts;
+
+  meshNet = rec {
+    netAddr = "10.1.1.0";
+    prefix = 24;
+    cidr = "${netAddr}/${toString prefix}";
+  };
+
+  getExtAddr = host: host.interfaces.primary.addrPublic or host.interfaces.primary.addr;
+in
+{
+  links = {
+    mesh-node-VEGAS = {
+      ipv4 = getExtAddr hosts.VEGAS;
+      extra = {
+        meshIp = "10.1.1.5";
+        inherit meshNet;
+        pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
+        privKeyFile = ./mesh-keys/VEGAS.age;
+      };
+    };
+    mesh-node-prophet = {
+      ipv4 = getExtAddr hosts.prophet;
+      extra = {
+        meshIp = "10.1.1.9";
+        inherit meshNet;
+        pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc=";
+        privKeyFile = ./mesh-keys/prophet.age;
+      };
+    };
+  };
+  services.wireguard = {
+    nodes = {
+      mesh = [ "VEGAS" "prophet" ];
+    };
+    nixos = {
+      mesh = ./mesh.nix;
+    };
+  };
+}

cluster/services/wireguard/mesh-keys/VEGAS.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A K4GQQWJwXbpc0RCIj7+l6YgmXFNOHRrtIrtuCwEd9FQ
+9ZKAzhqdmjZ6u/nmDdD1lm7sn+C4orLDYh667twLFrA
+-> ssh-ed25519 5/zT0w Sbt0FKgTtCbAXTPfJzuXV1Erm88W5s+lm1fzzWq/G0M
+Dl8xl8DProREk/wcpabRaYwIcM2kQBrE3mM8MD453w8
+-> ssh-ed25519 d3WGuA QLXbvtQSKYWpQsGISyr7XY6ZrabXN75jAHSorfg4HDg
+3QZkuHKBEETwrcZVIzn8hOh9r1PCmRUQmMh9xfm+NrY
+-> |(-grease Y}fl\6J<
++IF+TRTiuAuxUwWfA5qPumSSp4bnokwwNECqYVNDWVdiuw0/
+--- stUqfmRdJG1YQAdEVaZJvM9IfnVShk/f5RQwdmUNkFI
+ｻﾙｺﾙ’ZZﾕ朕ﾉﾘ壻萄ﾞｱ閾ﾋﾜlsﾛ<08><>促褄{0ﾁ<30><EFBE81>ｽ<EFBFBD>屈 谿UﾉX沖<1A>lｭ瞋d<02>rﾗt|価uｴｫ

cluster/services/wireguard/mesh-keys/prophet.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 NO562A 8xT2Vu1KP8A3iFcBVVvIg4JKXYpJEQtOsF0ZeYcQ2Es
+HxYxEDJhFalqTJGNY1Qgax/VY1R1OQ1+r6eHbpaKhXM
+-> ssh-ed25519 5/zT0w DZINx513x1+rnNUZSNQFDQhJ0Aq1LZKDABHzcbdWZ2s
+e/+fCsXr7OMbhk5v9F+tuAQtw2zxBmhbOU1l7vlsuEo
+-> ssh-ed25519 6YMlxg JCwYRIDl6YvEU++kb+9Ueko6dsQFfZWb16bCX2+ERkE
+sctq94XnkeErz0y020ezq8iJuXZpd1vR67A6Zvn94i4
+-> S"]8M%.-grease a] m
+65dqLQud525eNWAiV3hqEtZL492hwNOrnE/Z8xkGGK7fR3a6/29yFvbHifTzs++c
+37tXbp4kblo
+--- mVbh72BVlXFnPAE5J18K1rAWm0HBBbNrAb6xJ7baAhM
+ýH·×´t”u'ΙØõ:Ýd󓋺uÀ¸û+ºƒm©íŒš27öábyDÇ®¿Ê)
+/ÁC!®wôaFF½Úû{9Tä‡Ðœ]j¢ᦢ

cluster/services/wireguard/mesh.nix

@@ -0,0 +1,36 @@
+{ cluster, config, ... }:
+let
+  inherit (config.networking) hostName;
+
+  link = cluster.config.links."mesh-node-${hostName}";
+
+  mkPeer = peerName: let
+    peerLink = cluster.config.links."mesh-node-${peerName}";
+  in {
+    publicKey = peerLink.extra.pubKey;
+    allowedIPs = [ "${peerLink.extra.meshIp}/32" ];
+    endpoint = peerLink.tuple;
+  };
+in
+{
+  age.secrets.wireguard-key-core = {
+    file = link.extra.privKeyFile;
+    mode = "0400";
+  };
+
+  networking = {
+    firewall = {
+      allowedUDPPorts = [ link.port ];
+    };
+
+    wireguard = {
+      enable = true;
+      interfaces.wgmesh = {
+        ips = [ "${link.extra.meshIp}/24" ];
+        listenPort = link.port;
+        privateKeyFile = config.age.secrets.wireguard-key-core.path;
+        peers = map mkPeer cluster.config.services.wireguard.otherNodes.mesh;
+      };
+    };
+  };
+}

secrets.nix

@@ -4,6 +4,8 @@ let
   systemKeys = x: x.ssh.id.publicKey or null;
 in with hosts;
 {
+  "cluster/services/wireguard/mesh-keys/VEGAS.age".publicKeys = max ++ map systemKeys [ VEGAS ];
+  "cluster/services/wireguard/mesh-keys/prophet.age".publicKeys = max ++ map systemKeys [ prophet ];
   "secrets/acme-dns-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/coturn-static-auth.age".publicKeys = max ++ map systemKeys [ VEGAS ];
   "secrets/gitlab-initial-root-password.age".publicKeys = max ++ map systemKeys [ VEGAS ];