cluster/services/wireguard: use cluster secrets

Max Headroom 2024-07-08 17:45:20 +02:00
parent 804e7b0363
commit 96c34332ca
7 changed files with 5 additions and 11 deletions


@ -23,7 +23,6 @@ in
meshIp = "10.1.1.32";
inherit meshNet;
pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U=";
privKeyFile = ./mesh-keys/checkmate.age;
extraRoutes = [];
};
};
@ -33,7 +32,6 @@ in
meshIp = "10.1.1.6";
inherit meshNet;
pubKey = "0WAiQGdWySsGWFUk+a9e0I+BDTKwTyWQdFT2d7BMfDQ=";
privKeyFile = ./mesh-keys/grail.age;
extraRoutes = [];
};
};
@ -43,7 +41,6 @@ in
meshIp = "10.1.1.4";
inherit meshNet;
pubKey = "xvSsFvCVK8h2wThZJ7E5K0fniTBIEIYOblkKIf3Cwy0=";
privKeyFile = ./mesh-keys/thunderskin.age;
extraRoutes = [];
};
};
@ -53,7 +50,6 @@ in
meshIp = "10.1.1.5";
inherit meshNet;
pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
privKeyFile = ./mesh-keys/VEGAS.age;
extraRoutes = [ "${hours.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ];
};
};
@ -63,7 +59,6 @@ in
meshIp = "10.1.1.9";
inherit meshNet;
pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc=";
privKeyFile = ./mesh-keys/prophet.age;
extraRoutes = [];
};
};
@ -75,5 +70,9 @@ in
nixos = {
mesh = ./mesh.nix;
};
secrets.meshPrivateKey = {
nodes = config.services.wireguard.nodes.mesh;
shared = false;
};
};
}
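Review bot: The new `secrets.meshPrivateKey` declaration has no comment saying that `shared = false` (presumably) gives each mesh node its own private key, and nothing visible ties that per-node secret to the `pubKey` still hard-coded in each link above. If a node's secret is ever regenerated or re-encrypted with different key material, the published `pubKey` goes stale and peers stop completing handshakes, with no evaluation-time error to point at the cause. I would add a comment above the declaration, e.g. `# one key per node (shared = false); each must match that node's pubKey in the links above`, and write down the rotation steps wherever the secrets store is documented. The enclosing attribute set starts outside the hunk.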


@ -13,11 +13,6 @@ let
};
in
{
age.secrets.wireguard-key-core = {
file = link.extra.privKeyFile;
mode = "0400";
};
networking = {
firewall = {
trustedInterfaces = [ "wgmesh" ];
@ -29,7 +24,7 @@ in
interfaces.wgmesh = {
ips = [ "${link.extra.meshIp}/24" ];
listenPort = link.port;
privateKeyFile = config.age.secrets.wireguard-key-core.path;
privateKeyFile = cluster.config.services.wireguard.secrets.meshPrivateKey.path;
peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
};
};
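Review bot: The removed `age.secrets.wireguard-key-core` block pinned the key file to `mode = "0400"`, while the replacement `cluster.config.services.wireguard.secrets.meshPrivateKey.path` relies on whatever owner and mode the cluster secrets module applies, which this diff does not show. Confirm that the decrypted file is still owner-only on every node; if the module lets the declaration set permissions, set them explicitly beside `shared = false` instead of depending on a default. A short comment on the `privateKeyFile` line, such as `# per-node secret from cluster secrets; must remain owner-only`, would keep the intent that the deleted block made explicit. The surrounding module continues outside the hunk.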