org: deploy ipv6 and vpn

machines/hackens-org/_networking.nix

@@ -1,8 +1,21 @@
 { pkgs, ... }:
 {
+  imports = [
+    ./wireguard.nix
+  ];
   networking.useDHCP = false;
   systemd.network = {
     enable = true;
+    netdevs."10-sit-he" = {
+      netdevConfig = {
+        Kind = "sit";
+        Name = "sit-he";
+      };
+      tunnelConfig = {
+        Local = "129.199.129.76";
+        Remote = "216.66.84.42";
+      };
+    };
     networks = {
       "10-uplink" = {
         name = "eth0";
@@ -12,8 +25,17 @@
         ];
         networkConfig = {
           Gateway = "129.199.129.1";
+          Tunnel = [ "sit-he" ];
         };
       };
+      "10-tun-he" = {
+         matchConfig.Name = "sit-he";
+         networkConfig = {
+           Gateway = [ "2001:470:1f12:d21::1" ];
+           Description = "HE.NET IPv6 Tunnel (owned by maurice)";
+           Address = [ "2001:470:1f12:d21::2/64" ];
+         };
+       };
     };
   };
   networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];

machines/hackens-org/secrets/default.nix

@@ -1,5 +1,4 @@
 { ... }: {
-  imports = [ <agenix/modules/age.nix> ];
   age.secrets."django" = {
     file = ./django.age;
     owner = "django-hackens_orga";
@@ -8,4 +7,7 @@
     file = ./matterbridge-env.age;
     owner = "matterbridge";
   };
+  age.secrets."wg-key" = {
+    file = ./wg-key.age;
+  };
 }

machines/hackens-org/secrets/secrets.nix

@@ -2,7 +2,7 @@ let
   lib = (import <nixpkgs> { }).lib;
   readpubkeys = user:
     builtins.filter (k: k != "")
-      (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+      (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys")));
 in
 {
   "matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
@@ -11,4 +11,7 @@ in
   "django.age".publicKeys = (readpubkeys "sinavir")
     ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
     ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
+  "wg-key.age".publicKeys = (readpubkeys "sinavir")
+    ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
+    ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
 }

machines/hackens-org/secrets/wg-key.age

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 JGx7Ng JuynqiiXmLBIlGc6o6HEwsFS8FLiFo86iTWr3kpxEQ0
+KjFX3rP7RjvXK42+8qiyRfITDppi7jg9+WPt2afsCuo
+-> ssh-ed25519 kXobKQ 8jEmn9hh3I2JeE+l8EZ9npJPGDXr6QcZvtsJhjrmpXE
+69W+pHMdgmBOhLw8Hnp+l/IZLvzFtqatYoEKn3nqiSo
+-> ssh-ed25519 7hZk0g XSZkyOjMqXtVthQTj8KmDCgM6+ilpktgk8ha1wu/23U
+N0IUwdftKBzma5EXfUyswn/RT6RWoXo8hOYH451H2Lg
+-> ssh-rsa krWCLQ
+JwqNEu6Xr9fwov++Ct/8Jfxaz6Z2F0KpxqJHTZ6PLt5weOVul83AdINfIzq7dJUo
+gR4KZJrwM27iY7aTHdbiImzmVSD0KPUeM0KoWjmLcU0xtLIXpoiBAEn0w9YXKTOF
+n4wTvpNtXCMkgQPtAYsPOBIdIgQKdEm9Q877mtjHPDlyppn8y7U4z7S1zp71ugc5
+B68HyMh1lzDWh43aqYOr5WIanscBjJNHRK1XqM0IhtuWg84cl0EsQ1wOKJxHwwJQ
+vjHLoaBulqTxRentvi//4eRz+fKFZ1uJmeHlySlqSYKCN55QZgIFJHGxpSb8kEhl
+CFqRx6v+uHeKhBK3yftSQA
+-> ssh-ed25519 /vwQcQ ZfgSXru0ZABSLKkyAxdxM4cPs5A1wmNJVqK67UmfdH4
+exrZlcFV0BZEnPrT+aRuCSyIKTS0Nbvdd7zWPqepQrc
+-> ssh-ed25519 0R97PA VNBEjlLbNQixIXvrkyWVpQ3cWbKQW5XcLcI3Aniy93Y
+WXt/rWJYI0mqELcS9+4t1y+cWXyvD4mSudoT/K0da1c
+-> ssh-ed25519 cvTB5g 2FWQYQkoMxWf7lf6ZCgF5hL46fmR1zKAmDKw/qGtnjU
+xwe9JcDzGLPW+jJwNkMssO21A/pr2baWoQUBYcO5pjk
+-> ssh-ed25519 Wu8JLQ ukKMgxBbbHa9TBXo0PGKkk5K1zdQvrk2Qp6BRYguumo
+l5k71S4x1VlLCm8BHadDrMMvvJ2927EkTtH8Hu1KNEE
+-> ssh-ed25519 EIt1vA yEpFCXXu6iayLUQKj9vgiQGwuRgyduceks6LMFXRGmI
+I4iGlWSVye16ZnwHYOfFWWbg6oLYmA1k9LcMyzWoBKA
+-> ssh-ed25519 X51wxg 8vkI4rsB3ETq1zMpqkFUr0u6s1OerUjEN1wnz/onjX8
+XvbOSMD58qI/yO03zwCg67R1H36AWM8MfT0FVFJnE34
+-> DP.[|9G-grease 1H80A YV&\ uG'R";.
+DtOW39f0bJ6uFAmxiXhmq3bpV5qnJ3TTb7BjCXND8LtgCj9HcyaOpt4HtNFqAZd9
+5hPJeoyr6AMB6TYVAMIKoCfmq2zRe4ilDe3Q5TOL5A
+--- yZCsgaQ3oxOkOyyP96+znN03pbyVfqc8ZP0S0x1JZc4
+žbl3¹(Š“:¨¾uÚ®Ôº!Ô–$5í]
AŽñ)§šß,VJØQC—·†;Qõ§Ô¦›ˆMtj.<2E>Àq*ˆüþN$²™¶š<C2B6>z

machines/hackens-org/wireguard.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  systemd.network = {
+    enable = true;
+    networks = {
+      "50-wg0" = {
+        name = "wg0";
+        address = [
+          "10.10.10.1/24"
+        ];
+        routes =  [{
+          routeConfig = {
+            Destination = "10.10.10.0/24";
+            Scope = "link";
+          };
+        }];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          ListenPort = 1194;
+          PrivateKeyFile = config.age.secrets."wg-key".path;
+        };
+
+        wireguardPeers = [
+        ];
+      };
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 1194 ];
+}

meta.nix

@@ -10,12 +10,14 @@ let
           targetHost = null; #"milieu.cave.hackens.org";
           # targetPort = 4243;
           allowLocalDeployment = true;
+          tags = [ "desktop" ];
         };
         imports = [agenix];
       };
       hackens-org = {
         deployment = {
           targetHost = "server1.hackens.org"; # todo make something with ens firewall
+          tags = [ "server" ];
           targetPort = 2222;
         };
         imports = [agenix];

wg-keys/hackens-org.pub

@@ -0,0 +1 @@
+CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=