diff --git a/cluster/services/wireguard/default.nix b/cluster/services/wireguard/default.nix index a1f25eb..54b893a 100644 --- a/cluster/services/wireguard/default.nix +++ b/cluster/services/wireguard/default.nix @@ -10,6 +10,19 @@ let }; getExtAddr = host: host.interfaces.primary.addrPublic; + + snakeoilPublicKeys = { + checkmate = "TESTtbFybW5YREwtd18a1A4StS4YAIUS5/M1Lv0jHjA="; + grail = "TEsTh7bthkaDh9A1CpqDi/F121ao5lRZqIJznLH8mB4="; + thunderskin = "tEST6afFmVN18o+EiWNFx+ax3MJwdQIeNfJSGEpffXw="; + VEGAS = "tEsT6s7VtM5C20eJBaq6UlQydAha8ATlmrTRe9T5jnM="; + prophet = "TEstYyb5IoqSL53HbSQwMhTaR16sxcWcMmXIBPd+1gE="; + }; + + grease = hourName: realPublicKey: if config.simulacrum then + snakeoilPublicKeys.${hourName} + else + realPublicKey; in { vars = { @@ -22,7 +35,7 @@ in extra = { meshIp = "10.1.1.32"; inherit meshNet; - pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U="; + pubKey = grease "checkmate" "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U="; extraRoutes = []; }; }; @@ -31,7 +44,7 @@ in extra = { meshIp = "10.1.1.6"; inherit meshNet; - pubKey = "0WAiQGdWySsGWFUk+a9e0I+BDTKwTyWQdFT2d7BMfDQ="; + pubKey = grease "grail" "0WAiQGdWySsGWFUk+a9e0I+BDTKwTyWQdFT2d7BMfDQ="; extraRoutes = []; }; }; @@ -40,7 +53,7 @@ in extra = { meshIp = "10.1.1.4"; inherit meshNet; - pubKey = "xvSsFvCVK8h2wThZJ7E5K0fniTBIEIYOblkKIf3Cwy0="; + pubKey = grease "thunderskin" "xvSsFvCVK8h2wThZJ7E5K0fniTBIEIYOblkKIf3Cwy0="; extraRoutes = []; }; }; @@ -49,7 +62,7 @@ in extra = { meshIp = "10.1.1.5"; inherit meshNet; - pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk="; + pubKey = grease "VEGAS" "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk="; extraRoutes = [ "${hours.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ]; }; }; @@ -58,7 +71,7 @@ in extra = { meshIp = "10.1.1.9"; inherit meshNet; - pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc="; + pubKey = grease "prophet" "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc="; extraRoutes = []; }; }; 
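Review bot: `grease` and the `snakeoilPublicKeys` table have no comment explaining why a publicly committed key stands in for the real one, and `snakeoilPublicKeys.${hourName}` fails with a bare missing-attribute error when a host is absent from the table. A header such as `# Public halves of the snakeoil key pairs under ./simulacrum/keys; substituted for the real WireGuard keys only when config.simulacrum is set.` would cover the first, and the lookup could fail with a named message, `snakeoilPublicKeys.${hourName} or throw "no snakeoil public key for ${hourName}"`. The string passed to `grease` in the five `pubKey = grease "…"` hunks that follow must match both the attribute name here and the `snakeoilPrivateKey-<host>` file name, and nothing checks that pairing at eval time, so the table comment should state it. The `let` block that `grease` belongs to begins before this hunk.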
@@ -69,8 +82,12 @@ in
 storm = [ "VEGAS" ];
 };
 nixos = {
- mesh = ./mesh.nix;
- storm = ./storm.nix;
+ mesh = [
+ ./mesh.nix
+ ] ++ lib.optionals config.simulacrum [
+ ./simulacrum/snakeoil-keys.nix
+ ];
+ storm = [ ./storm.nix ];
 };
 secrets.meshPrivateKey = {
 nodes = config.services.wireguard.nodes.mesh;
diff --git a/packages/checks/snakeoil/wireguard/private-key-4 b/cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-VEGAS
similarity index 100%
rename from packages/checks/snakeoil/wireguard/private-key-4
rename to cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-VEGAS
diff --git a/packages/checks/snakeoil/wireguard/private-key-1 b/cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-checkmate
similarity index 100%
rename from packages/checks/snakeoil/wireguard/private-key-1
rename to cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-checkmate
diff --git a/packages/checks/snakeoil/wireguard/private-key-2 b/cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-grail
similarity index 100%
rename from packages/checks/snakeoil/wireguard/private-key-2
rename to cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-grail
diff --git a/packages/checks/snakeoil/wireguard/private-key-5 b/cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-prophet
similarity index 100%
rename from packages/checks/snakeoil/wireguard/private-key-5
rename to cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-prophet
diff --git a/packages/checks/snakeoil/wireguard/private-key-3 b/cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-thunderskin
similarity index 100%
rename from packages/checks/snakeoil/wireguard/private-key-3
rename to cluster/services/wireguard/simulacrum/keys/snakeoilPrivateKey-thunderskin
diff --git a/cluster/services/wireguard/simulacrum/snakeoil-keys.nix b/cluster/services/wireguard/simulacrum/snakeoil-keys.nix
new file mode 100644
index 0000000..d3dd500
--- /dev/null
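Review bot: The `dummy-secrets/wireguard-key-storm` override shipped by `./simulacrum/snakeoil-keys.nix` is attached only to `mesh`, while `storm = [ ./storm.nix ];` receives no simulacrum module, so the storm key is swapped only on hosts that are also mesh members. That holds today because the visible `storm = [ "VEGAS" ];` names a host that also appears in the mesh table, but the invariant is implicit; either append the same `lib.optionals config.simulacrum [ ./simulacrum/snakeoil-keys.nix ]` to `storm` or record it with `# snakeoil-keys.nix also overrides the storm key; every storm host must also be a mesh host`. Turning `mesh` and `storm` from a single path into a list also changes what the consumer of `nixos.*` receives; that consumer is outside this diff, so I assume it was updated in the same change.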
+++ b/cluster/services/wireguard/simulacrum/snakeoil-keys.nix
@@ -0,0 +1,6 @@
+{ lib, config, ... }: {
+ config.environment.etc = {
+ "dummy-secrets/cluster-wireguard-meshPrivateKey".source = lib.mkForce ./keys/snakeoilPrivateKey-${config.networking.hostName};
+ "dummy-secrets/wireguard-key-storm".source = lib.mkForce ./keys/snakeoilPrivateKey-${config.networking.hostName};
+ };
+}
diff --git a/packages/checks/snakeoil/wireguard/public-key-1 b/packages/checks/snakeoil/wireguard/public-key-1
deleted file mode 100644
index b1d95a6..0000000
--- a/packages/checks/snakeoil/wireguard/public-key-1
+++ /dev/null
@@ -1 +0,0 @@
-TESTtbFybW5YREwtd18a1A4StS4YAIUS5/M1Lv0jHjA=
diff --git a/packages/checks/snakeoil/wireguard/public-key-2 b/packages/checks/snakeoil/wireguard/public-key-2
deleted file mode 100644
index 728320d..0000000
--- a/packages/checks/snakeoil/wireguard/public-key-2
+++ /dev/null
@@ -1 +0,0 @@
-TEsTh7bthkaDh9A1CpqDi/F121ao5lRZqIJznLH8mB4=
diff --git a/packages/checks/snakeoil/wireguard/public-key-3 b/packages/checks/snakeoil/wireguard/public-key-3
deleted file mode 100644
index 9e95b39..0000000
--- a/packages/checks/snakeoil/wireguard/public-key-3
+++ /dev/null
@@ -1 +0,0 @@
-tEST6afFmVN18o+EiWNFx+ax3MJwdQIeNfJSGEpffXw=
diff --git a/packages/checks/snakeoil/wireguard/public-key-4 b/packages/checks/snakeoil/wireguard/public-key-4
deleted file mode 100644
index 21f94bf..0000000
--- a/packages/checks/snakeoil/wireguard/public-key-4
+++ /dev/null
@@ -1 +0,0 @@
-tEsT6s7VtM5C20eJBaq6UlQydAha8ATlmrTRe9T5jnM=
diff --git a/packages/checks/snakeoil/wireguard/public-key-5 b/packages/checks/snakeoil/wireguard/public-key-5
deleted file mode 100644
index c30ca14..0000000
--- a/packages/checks/snakeoil/wireguard/public-key-5
+++ /dev/null
@@ -1 +0,0 @@
-TEstYyb5IoqSL53HbSQwMhTaR16sxcWcMmXIBPd+1gE=
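Review bot: Both entries point the mesh and the storm interface at the same `snakeoilPrivateKey-<host>` file, yet this diff only substitutes the mesh peers' public keys through `grease`; if `storm.nix` still carries the real storm public keys, the storm tunnel cannot complete a handshake in the simulacrum. Either the storm peers need snakeoil public keys of their own or a comment should record that storm is intentionally left non-functional there. The module also deserves a header saying that these private keys are public test material, that referencing them as `.source` copies them into the world-readable Nix store, and that the file must only be imported when the simulacrum flag is set, since nothing in the module itself enforces that — the `lib.optionals config.simulacrum` guard lives in the importer. The `./keys/snakeoilPrivateKey-${config.networking.hostName}` path fails evaluation for a host without a matching file, which is the right failure mode and worth stating in that header.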