privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

Cluster secrets #100

Merged
max merged 17 commits from pr-cluster-secrets into master 2024-07-08 22:23:11 +03:00
Conversation 1 Commits 17 Files changed 90 +5 -11
7 changed files with 5 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 96c34332ca - Show all commits

0
cluster/services/wireguard/mesh-keys/VEGAS.age → cluster/secrets/wireguard-meshPrivateKey-VEGAS.age
View file

0
cluster/services/wireguard/mesh-keys/checkmate.age → cluster/secrets/wireguard-meshPrivateKey-checkmate.age
View file

0
cluster/services/wireguard/mesh-keys/grail.age → cluster/secrets/wireguard-meshPrivateKey-grail.age
View file

0
cluster/services/wireguard/mesh-keys/prophet.age → cluster/secrets/wireguard-meshPrivateKey-prophet.age
View file

0
cluster/services/wireguard/mesh-keys/thunderskin.age → cluster/secrets/wireguard-meshPrivateKey-thunderskin.age
View file

9
cluster/services/wireguard/default.nix
View file

@ -23,7 +23,6 @@ in
meshIp = "10.1.1.32"; meshIp = "10.1.1.32";
inherit meshNet; inherit meshNet;
pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U="; pubKey = "fZMB9CDCWyBxPnsugo3Uxm/TIDP3VX54uFoaoC0bP3U=";
privKeyFile = ./mesh-keys/checkmate.age;
extraRoutes = []; extraRoutes = [];
}; };
}; };
@ -33,7 +32,6 @@ in
meshIp = "10.1.1.6"; meshIp = "10.1.1.6";
inherit meshNet; inherit meshNet;
pubKey = "0WAiQGdWySsGWFUk+a9e0I+BDTKwTyWQdFT2d7BMfDQ="; pubKey = "0WAiQGdWySsGWFUk+a9e0I+BDTKwTyWQdFT2d7BMfDQ=";
privKeyFile = ./mesh-keys/grail.age;
extraRoutes = []; extraRoutes = [];
}; };
}; };
@ -43,7 +41,6 @@ in
meshIp = "10.1.1.4"; meshIp = "10.1.1.4";
inherit meshNet; inherit meshNet;
pubKey = "xvSsFvCVK8h2wThZJ7E5K0fniTBIEIYOblkKIf3Cwy0="; pubKey = "xvSsFvCVK8h2wThZJ7E5K0fniTBIEIYOblkKIf3Cwy0=";
privKeyFile = ./mesh-keys/thunderskin.age;
extraRoutes = []; extraRoutes = [];
}; };
}; };
@ -53,7 +50,6 @@ in
meshIp = "10.1.1.5"; meshIp = "10.1.1.5";
inherit meshNet; inherit meshNet;
pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk="; pubKey = "NpeB8O4erGTas1pz6Pt7qtY9k45YV6tcZmvvA4qXoFk=";
privKeyFile = ./mesh-keys/VEGAS.age;
extraRoutes = [ "${hours.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ]; extraRoutes = [ "${hours.VEGAS.interfaces.vstub.addr}/32" "10.10.0.0/16" ];
}; };
}; };
@ -63,7 +59,6 @@ in
meshIp = "10.1.1.9"; meshIp = "10.1.1.9";
inherit meshNet; inherit meshNet;
pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc="; pubKey = "MMZAbRtNE+gsLm6DJy9VN/Y39E69oAZnvOcFZPUAVDc=";
privKeyFile = ./mesh-keys/prophet.age;
extraRoutes = []; extraRoutes = [];
}; };
}; };
@ -75,5 +70,9 @@ in
nixos = { nixos = {
mesh = ./mesh.nix; mesh = ./mesh.nix;
}; };
secrets.meshPrivateKey = {
nodes = config.services.wireguard.nodes.mesh;
shared = false;
};
}; };
} }

7
cluster/services/wireguard/mesh.nix
View file

@ -13,11 +13,6 @@ let
}; };
in in
{ {
age.secrets.wireguard-key-core = {
file = link.extra.privKeyFile;
mode = "0400";
};
networking = { networking = {
firewall = { firewall = {
trustedInterfaces = [ "wgmesh" ]; trustedInterfaces = [ "wgmesh" ];
@ -29,7 +24,7 @@ in
interfaces.wgmesh = { interfaces.wgmesh = {
ips = [ "${link.extra.meshIp}/24" ]; ips = [ "${link.extra.meshIp}/24" ];
listenPort = link.port; listenPort = link.port;
privateKeyFile = config.age.secrets.wireguard-key-core.path; privateKeyFile = cluster.config.services.wireguard.secrets.meshPrivateKey.path;
peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName); peers = map mkPeer (cluster.config.services.wireguard.otherNodes.mesh hostName);
}; };
}; };