feat(wg-agb02): connecting to wireguard

2024-10-12 15:16:18 +02:00 · 2024-10-12 15:16:18 +02:00 · af71fc1063
commit af71fc1063
parent 891b02e96d
8 changed files with 79 additions and 2 deletions
--- a/machines/agb02/_configuration.nix
+++ b/machines/agb02/_configuration.nix
@ -3,6 +3,8 @@
 {
  imports = [
    "${modulesPath}/installer/sd-card/sd-image-aarch64.nix"
+    ./secrets
+    ./networking.nix
    ./users.nix
  ];
  sdImage.compressImage = false;
--- a/machines/agb02/networking.nix
+++ b/machines/agb02/networking.nix
@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  systemd.network = {
+    enable = true;
+
+    networks = {
+      "50-wg0" = {
+        name = "wg0";
+        address = [
+          "10.10.10.6/24"
+        ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
+
+        wireguardPeers = [
+          {
+            AllowedIPs = [
+              "10.10.10.0/24"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+            Endpoint = "129.199.129.76:1194";
+            PersistentKeepalive = 5;
+          }
+        ];
+      };
+    };
+  };
+  networking = {
+    nameservers = [
+      "2620:fe::fe"
+      "2620:fe::9"
+      "9.9.9.9"
+      "149.112.112.112"
+    ];
+  };
+}
--- a/machines/agb02/secrets/default.nix
+++ b/machines/agb02/secrets/default.nix
@ -0,0 +1,11 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  age.secrets."wg" = {
+    file = ./wg.age;
+    owner = "systemd-network";
+  };
+}
--- a/machines/agb02/secrets/secrets.nix
+++ b/machines/agb02/secrets/secrets.nix
@ -0,0 +1,8 @@
+let
+  lib = (import <nixpkgs> {}).lib;
+  readPubkeys = user:
+    builtins.filter (k: k != "") (lib.splitString "\n"
+      (builtins.readFile (../../../pubkeys + "/${user}.keys")));
+in {
+  "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "agb02");
+}
--- a/machines/agb02/secrets/wg.age
+++ b/machines/agb02/secrets/wg.age
--- a/machines/hackens-org/wireguard.nix
+++ b/machines/hackens-org/wireguard.nix
@ -51,11 +51,18 @@
            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-milieu.pub);
          }
          {
-            # bakham (AGB)
+            # agb01
            AllowedIPs = [
              "10.10.10.5/32"
            ];
-            PublicKey = "JpUHFiavhlQfiHfOdUffQP3HLLeStttheACCaqlXAF8=";
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb01.pub);
+          }
+          {
+            # agb02
+            AllowedIPs = [
+              "10.10.10.6/32"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb02.pub);
          }
          {
            # soyouzpanda
--- a/pubkeys/agb02.keys
+++ b/pubkeys/agb02.keys
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9857OPKpc9JfsoXSFXjV5gFIU60vWLRkMncYrgDyj3 root@agb02
--- a/wg-keys/agb02.pub
+++ b/wg-keys/agb02.pub
@ -0,0 +1 @@
+CGdgPLO9HbrOawLJFl8YENbf55ECZSVQp5JBlRjokCA=
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM9857OPKpc9JfsoXSFXjV5gFIU60vWLRkMncYrgDyj3 root@agb02`
				`@ -0,0 +1 @@`
				`CGdgPLO9HbrOawLJFl8YENbf55ECZSVQp5JBlRjokCA=`