From 4d997935ad2d9c653e5505aca2e4997e3bd8bf18 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Sat, 12 Oct 2024 09:45:29 +0200
Subject: [PATCH] feat(wg-milieu): connected hackens-milieu to wireguard
---
machines/hackens-milieu/_configuration.nix | 2 ++
machines/hackens-milieu/networking.nix | 33 +++++++++++++++++++++
machines/hackens-milieu/secrets/default.nix | 11 +++++++
machines/hackens-milieu/secrets/secrets.nix | 8 +++++
machines/hackens-milieu/secrets/wg.age | 12 ++++++++
machines/hackens-org/wireguard.nix | 7 +++++
meta.nix | 3 +-
pubkeys/hackens-milieu.keys | 1 +
wg-keys/hackens-milieu.pub | 1 +
9 files changed, 76 insertions(+), 2 deletions(-)
create mode 100644 machines/hackens-milieu/networking.nix
create mode 100644 machines/hackens-milieu/secrets/default.nix
create mode 100644 machines/hackens-milieu/secrets/secrets.nix
create mode 100644 machines/hackens-milieu/secrets/wg.age
create mode 100644 pubkeys/hackens-milieu.keys
create mode 100644 wg-keys/hackens-milieu.pub
diff --git a/machines/hackens-milieu/_configuration.nix b/machines/hackens-milieu/_configuration.nix
index e7c248f..52e5982 100644
--- a/machines/hackens-milieu/_configuration.nix
+++ b/machines/hackens-milieu/_configuration.nix
@@ -19,6 +19,8 @@
 ./users.nix
 ./vim.nix
 ./pixiecore
+ ./networking.nix
+ ./secrets
 ];
 boot.loader.efi.canTouchEfiVariables = true;
diff --git a/machines/hackens-milieu/networking.nix b/machines/hackens-milieu/networking.nix
new file mode 100644
index 0000000..681b0f7
--- /dev/null
+++ b/machines/hackens-milieu/networking.nix
@@ -0,0 +1,33 @@
+{ lib, config, ... }: {
+ systemd.network = {
+ enable = true;
+
+ networks."50-wg0" = {
+ name = "wg0";
+ address = [
+ "10.10.10.4/24"
+ ];
+ };
+
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
+
+ wireguardPeers = [
+ {
+ AllowedIPs = [
+ "10.10.10.0/24"
+ ];
+ PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+ Endpoint = "129.199.129.76:1194";
+ PersistentKeepalive = 5;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/machines/hackens-milieu/secrets/default.nix b/machines/hackens-milieu/secrets/default.nix
new file mode 100644
index 0000000..14efc4b
--- /dev/null
+++ b/machines/hackens-milieu/secrets/default.nix
@@ -0,0 +1,11 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}: {
+ age.secrets."wg" = {
+ file = ./wg.age;
+ owner = "systemd-network";
+ };
+}
diff --git a/machines/hackens-milieu/secrets/secrets.nix b/machines/hackens-milieu/secrets/secrets.nix
new file mode 100644
index 0000000..488906d
--- /dev/null
+++ b/machines/hackens-milieu/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+ lib = (import {}).lib;
+ readPubkeys = user:
+ builtins.filter (k: k != "") (lib.splitString "\n"
+ (builtins.readFile (../../../pubkeys + "/${user}.keys")));
+in {
+ "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "hackens-milieu");
+}
diff --git a/machines/hackens-milieu/secrets/wg.age b/machines/hackens-milieu/secrets/wg.age
new file mode 100644
index 0000000..4447230
--- /dev/null
+++ b/machines/hackens-milieu/secrets/wg.age
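Review bot: `PersistentKeepalive = 5;` in the peer block makes hackens-milieu emit a keepalive every five seconds, far more aggressive than the 25 seconds WireGuard documents as sufficient to hold NAT/conntrack mappings open; unless a specific middlebox has been measured to expire faster, `PersistentKeepalive = 25;` is the usual value. The hub endpoint `129.199.129.76:1194` is a bare literal while the hub's key is read from `wg-keys/`; if hackens-org's address is declared elsewhere in the repo, referencing it there would keep the two from drifting. A one-line comment on the netdev, e.g. `# spoke of the hackens-org hub; all 10.10.10.0/24 traffic goes via the tunnel`, would explain why AllowedIPs is the whole subnet rather than the hub's /32.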
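Review bot: The module header in `secrets/default.nix` binds `pkgs`, `config` and `lib`, but the body uses none of them; `{ ... }: {` is enough and avoids unused-argument noise. The `owner = "systemd-network";` line is the security-relevant part of this file — the key is read by networkd's own service user rather than root — and deserves a comment saying so, e.g. `# PrivateKeyFile is opened by systemd-networkd, so the decrypted key must be readable by its user`.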
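Review bot: As rendered, `lib = (import {}).lib;` in `secrets.nix` is not valid Nix (`import` takes a path, not an attribute set); presumably `<nixpkgs>` was lost in rendering, in which case re-keying this secret depends on the ambient `NIX_PATH` only to split a string. Builtins give the same result and keep agenix re-keying independent of whatever nixpkgs is on the path: `builtins.filter (k: builtins.isString k && k != "") (builtins.split "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys")))`, after which the `lib` binding can be dropped. `builtins.split` interleaves match lists with the string pieces, hence the `isString` guard; the existing non-empty filter still drops the element produced by a trailing newline.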
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 5rrg4g B36oMQ2IqhBXDaltfkba8gBjhTzHujh/KtpXmoBfIkE
+ga5w9MzfwR2LwlSmeA0ddyx2Fms/ZSp1c8p/rC46OSE
+-> ssh-ed25519 JGx7Ng wis78jvQlXpeK0rb50RNgliWwVaPqUYR66Dfxxq8+nk
+awK/Il5jYV2s95GxDLkeRas0PjDKKnVE2HjKTOFyQco
+-> ssh-ed25519 kXobKQ gYW3wXPQr756wsRQ6nKo4qQtT09OaEsnQmAX4G41PXQ
+sa8Bhxfosqf1VNXfj+rS2ryJs9T4sZK13tx5j+NOCm4
+-> ssh-ed25519 Dx1R2Q 2BLCykYc4lKLyBnDfJ6J7ZCD8CeX3vt2S2fLkwjeunw
+ueU6TaxgeX9Cp98LkHy5pkaUaRGdcTHtV8CopEILv10
+--- Ah6a49hN7wxxfR8C8Jczc/2jMAoTJoumYMj4PPKax2I
+)B+n
+cY-lkMF+ُr1)ދaU=}%\Բ =W~)p6nG%*k> 
\ No newline at end of file
diff --git a/machines/hackens-org/wireguard.nix b/machines/hackens-org/wireguard.nix
index 261042d..816eb86 100644
--- a/machines/hackens-org/wireguard.nix
+++ b/machines/hackens-org/wireguard.nix
@@ -43,6 +43,13 @@
 ];
 PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
 }
+ {
+ # hackens-milieu
+ AllowedIPs = [
+ "10.10.10.4/32"
+ ];
+ PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-milieu.pub);
+ }
 {
 # bakham (AGB)
 AllowedIPs = [
diff --git a/meta.nix b/meta.nix
index 4401078..cb4fd43 100644
--- a/meta.nix
+++ b/meta.nix
@@ -8,8 +8,7 @@ let
 nodes = {
 hackens-milieu = {
 deployment = {
- targetHost = null; # "milieu.cave.hackens.org";
- #targetPort = 4243;
+ targetHost = "10.10.10.4";
 allowLocalDeployment = true;
 tags = [ "desktop" ];
 };
diff --git a/pubkeys/hackens-milieu.keys b/pubkeys/hackens-milieu.keys
new file mode 100644
index 0000000..e3c856b
--- /dev/null
+++ b/pubkeys/hackens-milieu.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIl4w+P0bv3x8qgzVYWArSnjjtbJzUDXzdH5u8fVX3ia root@sinaju
diff --git a/wg-keys/hackens-milieu.pub b/wg-keys/hackens-milieu.pub
new file mode 100644
index 0000000..1b5a6f8
--- /dev/null
+++ b/wg-keys/hackens-milieu.pub
@@ -0,0 +1 @@
+RNN+ZTwgDfyp+4ZhOrbNu4UsEDazGqPTbjGPq5B9lkk=
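Review bot: `lib.trim` on the new peer's `PublicKey` line in `machines/hackens-org/wireguard.nix` only exists in recent nixpkgs and assumes `lib` is an argument of this module, whose header lies outside the hunk; `lib.fileContents ../../wg-keys/hackens-milieu.pub` is the long-standing helper for exactly this job (read a file, strip the trailing newline) and evaluates on older channels as well. The neighbouring peer still inlines its key as a string literal; moving it into `wg-keys/` the way this change does for hackens-milieu would let every peer be reviewed the same way. Limiting the new peer to `10.10.10.4/32` is the right tight AllowedIPs for a spoke.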
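Review bot: Switching `targetHost` to `10.10.10.4` in `meta.nix` makes every future deployment depend on the tunnel this same commit introduces, so a bad edit to `networking.nix` or to the `wg` secret cuts off remote access; `allowLocalDeployment = true` is the only fallback visible here. State the recovery path next to the line, e.g. `targetHost = "10.10.10.4"; # only reachable over wg0 via hackens-org; redeploy locally if the tunnel is down`. Separately, the deployer's known_hosts is keyed by address, so the first SSH to the new address is trust-on-first-use unless the host key is pre-seeded; the key added in `pubkeys/hackens-milieu.keys` can be used for that.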
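Review bot: The key comment `root@sinaju` in `pubkeys/hackens-milieu.keys` does not match the host the file is named after, which suggests the key was generated on, or copied from, a different machine; since this key becomes a recipient of `wg.age`, confirm it is hackens-milieu's current `/etc/ssh/ssh_host_ed25519_key.pub` and not a stale or shared key. If it is the right key, replacing the comment field with the host name would spare the next auditor of the recipient list the same question.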