feat(wg-milieu): connected hackens-milieu to wireguard

2024-10-12 09:45:29 +02:00 · 2024-10-12 09:45:29 +02:00 · 4d997935ad
commit 4d997935ad
parent f43db5224f
9 changed files with 76 additions and 2 deletions
--- a/machines/hackens-milieu/_configuration.nix
+++ b/machines/hackens-milieu/_configuration.nix
@ -19,6 +19,8 @@
    ./users.nix
    ./vim.nix
    ./pixiecore
    ./networking.nix
    ./secrets
  ];
  boot.loader.efi.canTouchEfiVariables = true;
--- a/machines/hackens-milieu/networking.nix
+++ b/machines/hackens-milieu/networking.nix
@ -0,0 +1,33 @@
 { lib, config, ... }: {
  systemd.network = {
    enable = true;
    networks."50-wg0" = {
      name = "wg0";
      address = [
        "10.10.10.4/24"
      ];
    };
    netdevs = {
      "50-wg0" = {
        netdevConfig = {
          Name = "wg0";
          Kind = "wireguard";
        };
        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
        wireguardPeers = [
          {
            AllowedIPs = [
              "10.10.10.0/24"
            ];
            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
            Endpoint = "129.199.129.76:1194";
            PersistentKeepalive = 5;
          }
        ];
      };
    };
  };
 }
--- a/machines/hackens-milieu/secrets/default.nix
+++ b/machines/hackens-milieu/secrets/default.nix
@ -0,0 +1,11 @@
 {
  pkgs,
  config,
  lib,
  ...
 }: {
  age.secrets."wg" = {
    file = ./wg.age;
    owner = "systemd-network";
  };
 }
--- a/machines/hackens-milieu/secrets/secrets.nix
+++ b/machines/hackens-milieu/secrets/secrets.nix
@ -0,0 +1,8 @@
 let
  lib = (import <nixpkgs> {}).lib;
  readPubkeys = user:
    builtins.filter (k: k != "") (lib.splitString "\n"
      (builtins.readFile (../../../pubkeys + "/${user}.keys")));
 in {
  "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "hackens-milieu");
 }
--- a/machines/hackens-milieu/secrets/wg.age
+++ b/machines/hackens-milieu/secrets/wg.age
@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 5rrg4g B36oMQ2IqhBXDaltfkba8gBjhTzHujh/KtpXmoBfIkE
 ga5w9MzfwR2LwlSmeA0ddyx2Fms/ZSp1c8p/rC46OSE
 -> ssh-ed25519 JGx7Ng wis78jvQlXpeK0rb50RNgliWwVaPqUYR66Dfxxq8+nk
 awK/Il5jYV2s95GxDLkeRas0PjDKKnVE2HjKTOFyQco
 -> ssh-ed25519 kXobKQ gYW3wXPQr756wsRQ6nKo4qQtT09OaEsnQmAX4G41PXQ
 sa8Bhxfosqf1VNXfj+rS2ryJs9T4sZK13tx5j+NOCm4
 -> ssh-ed25519 Dx1R2Q 2BLCykYc4lKLyBnDfJ6J7ZCD8CeX3vt2S2fLkwjeunw
 ueU6TaxgeX9Cp98LkHy5pkaUaRGdcTHtV8CopEILv10
 --- Ah6a49hN7wxxfR8C8Jczc/2jMAoTJoumYMj4PPKax2I
 î)Bš+£Ín
 c™ï<EFBFBD>›ÁY<EFBFBD>ú-l™k<E284A2>ÛMF+ÞÙ<C39E>r1)æÞ‹¸aU=<3D>}%\õÔ²¶=W~ã)Àp6nÜG%ð*ðâšk>	ä
--- a/machines/hackens-org/wireguard.nix
+++ b/machines/hackens-org/wireguard.nix
@ -43,6 +43,13 @@
            ];
            PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
          }
          {
            # hackens-milieu
            AllowedIPs = [
              "10.10.10.4/32"
            ];
            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-milieu.pub);
          }
          {
            # bakham (AGB)
            AllowedIPs = [
--- a/meta.nix
+++ b/meta.nix
@ -8,8 +8,7 @@ let
    nodes = {
      hackens-milieu = {
        deployment = {
-          targetHost = null; # "milieu.cave.hackens.org";
+          targetHost = "10.10.10.4";
          #targetPort = 4243;
          allowLocalDeployment = true;
          tags = [ "desktop" ];
        };
--- a/pubkeys/hackens-milieu.keys
+++ b/pubkeys/hackens-milieu.keys
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIl4w+P0bv3x8qgzVYWArSnjjtbJzUDXzdH5u8fVX3ia root@sinaju
--- a/wg-keys/hackens-milieu.pub
+++ b/wg-keys/hackens-milieu.pub
@ -0,0 +1 @@
 RNN+ZTwgDfyp+4ZhOrbNu4UsEDazGqPTbjGPq5B9lkk=
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIl4w+P0bv3x8qgzVYWArSnjjtbJzUDXzdH5u8fVX3ia root@sinaju`
		`@ -0,0 +1 @@`
							`RNN+ZTwgDfyp+4ZhOrbNu4UsEDazGqPTbjGPq5B9lkk=`