diff --git a/machines/hackens-org/_networking.nix b/machines/hackens-org/_networking.nix
index aab021c..e0d5a79 100644
--- a/machines/hackens-org/_networking.nix
+++ b/machines/hackens-org/_networking.nix
@@ -1,8 +1,21 @@
 { pkgs, ... }: {
+ imports = [
+ ./wireguard.nix
+ ];
 networking.useDHCP = false;
 systemd.network = {
 enable = true;
+ netdevs."10-sit-he" = {
+ netdevConfig = {
+ Kind = "sit";
+ Name = "sit-he";
+ };
+ tunnelConfig = {
+ Local = "129.199.129.76";
+ Remote = "216.66.84.42";
+ };
+ };
 networks = {
 "10-uplink" = {
 name = "eth0";
@@ -12,8 +25,17 @@
 ];
 networkConfig = {
 Gateway = "129.199.129.1";
+ Tunnel = [ "sit-he" ];
 };
 };
+ "10-tun-he" = {
+ matchConfig.Name = "sit-he";
+ networkConfig = {
+ Gateway = [ "2001:470:1f12:d21::1" ];
+ Description = "HE.NET IPv6 Tunnel (owned by maurice)";
+ Address = [ "2001:470:1f12:d21::2/64" ];
+ };
+ };
 };
 };
 networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
diff --git a/machines/hackens-org/secrets/default.nix b/machines/hackens-org/secrets/default.nix
index 777ea59..38f8036 100644
--- a/machines/hackens-org/secrets/default.nix
+++ b/machines/hackens-org/secrets/default.nix
@@ -1,5 +1,4 @@
 { ... }: {
- imports = [ ];
 age.secrets."django" = {
 file = ./django.age;
 owner = "django-hackens_orga";
@@ -8,4 +7,7 @@
 file = ./matterbridge-env.age;
 owner = "matterbridge";
 };
+ age.secrets."wg-key" = {
+ file = ./wg-key.age;
+ };
 }
diff --git a/machines/hackens-org/secrets/secrets.nix b/machines/hackens-org/secrets/secrets.nix
index 9ef07a7..837dea0 100644
--- a/machines/hackens-org/secrets/secrets.nix
+++ b/machines/hackens-org/secrets/secrets.nix
@@ -2,7 +2,7 @@ let
 lib = (import { }).lib;
 readpubkeys = user: builtins.filter (k: k != "")
- (lib.splitString "\n" (builtins.readFile (../pubkeys + "/${user}.keys")));
+ (lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys")));
 in {
 "matterbridge-env.age".publicKeys = (readpubkeys "sinavir")
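Review bot: `Local = "129.199.129.76"` in the new `10-sit-he` netdev hard-codes the host's own uplink address, which the `10-uplink` network in the same file very likely already carries (its `Gateway = "129.199.129.1"` is visible in the second hunk; the address lines themselves fall between the two hunks), so the two literals can silently drift apart on a readdressing. Hoist it into a `let uplinkAddress = "129.199.129.76"; in` binding at the top of the module and reference it from both places. A short comment on `tunnelConfig`, such as `# 6in4 endpoint towards the HE.NET tunnel server; Local must equal the eth0 address`, would also record why `Remote` is pinned.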
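Review bot: The new `age.secrets."wg-key"` entry sets only `file`, so the decrypted key keeps agenix's defaults of owner root and mode 0400, while `wireguard.nix` in this same commit hands that path to networkd through `PrivateKeyFile`. systemd-networkd's documentation requires a `PrivateKeyFile` to be readable by the `systemd-network` user, so if networkd runs unprivileged here as it does upstream, the interface will most likely come up without its key at boot. Add `owner = "systemd-network";` (or `group = "systemd-network"; mode = "0440";`) next to `file = ./wg-key.age;`, matching how the `django` and `matterbridge-env` secrets above already set `owner` for their consumers.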
@@ -11,4 +11,7 @@ in
 "django.age".publicKeys = (readpubkeys "sinavir")
 ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
 ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
+ "wg-key.age".publicKeys = (readpubkeys "sinavir")
+ ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito")
+ ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");
 }
diff --git a/machines/hackens-org/secrets/wg-key.age b/machines/hackens-org/secrets/wg-key.age
new file mode 100644
index 0000000..3f6e811
--- /dev/null
+++ b/machines/hackens-org/secrets/wg-key.age
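Review bot: The recipient list for `wg-key.age` repeats, token for token, the five-way `readpubkeys` concatenation used for `django.age` directly above, so a future key rotation or operator change has to be edited in every place. Bind it once in the `let` block (which starts outside this hunk), e.g. `allKeys = (readpubkeys "sinavir") ++ (readpubkeys "hackens-host") ++ (readpubkeys "raito") ++ (readpubkeys "gdd") ++ (readpubkeys "backslash");`, and write `"wg-key.age".publicKeys = allKeys;`. A one-line comment noting that the WireGuard private key is deliberately decryptable by every listed operator and not only by `hackens-host` would also make the wider-than-necessary audience an explicit choice rather than an accident of copy-paste.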
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 JGx7Ng JuynqiiXmLBIlGc6o6HEwsFS8FLiFo86iTWr3kpxEQ0 +KjFX3rP7RjvXK42+8qiyRfITDppi7jg9+WPt2afsCuo +-> ssh-ed25519 kXobKQ 8jEmn9hh3I2JeE+l8EZ9npJPGDXr6QcZvtsJhjrmpXE +69W+pHMdgmBOhLw8Hnp+l/IZLvzFtqatYoEKn3nqiSo +-> ssh-ed25519 7hZk0g XSZkyOjMqXtVthQTj8KmDCgM6+ilpktgk8ha1wu/23U +N0IUwdftKBzma5EXfUyswn/RT6RWoXo8hOYH451H2Lg +-> ssh-rsa krWCLQ +JwqNEu6Xr9fwov++Ct/8Jfxaz6Z2F0KpxqJHTZ6PLt5weOVul83AdINfIzq7dJUo +gR4KZJrwM27iY7aTHdbiImzmVSD0KPUeM0KoWjmLcU0xtLIXpoiBAEn0w9YXKTOF +n4wTvpNtXCMkgQPtAYsPOBIdIgQKdEm9Q877mtjHPDlyppn8y7U4z7S1zp71ugc5 +B68HyMh1lzDWh43aqYOr5WIanscBjJNHRK1XqM0IhtuWg84cl0EsQ1wOKJxHwwJQ +vjHLoaBulqTxRentvi//4eRz+fKFZ1uJmeHlySlqSYKCN55QZgIFJHGxpSb8kEhl +CFqRx6v+uHeKhBK3yftSQA +-> ssh-ed25519 /vwQcQ ZfgSXru0ZABSLKkyAxdxM4cPs5A1wmNJVqK67UmfdH4 +exrZlcFV0BZEnPrT+aRuCSyIKTS0Nbvdd7zWPqepQrc +-> ssh-ed25519 0R97PA VNBEjlLbNQixIXvrkyWVpQ3cWbKQW5XcLcI3Aniy93Y +WXt/rWJYI0mqELcS9+4t1y+cWXyvD4mSudoT/K0da1c +-> ssh-ed25519 cvTB5g 2FWQYQkoMxWf7lf6ZCgF5hL46fmR1zKAmDKw/qGtnjU +xwe9JcDzGLPW+jJwNkMssO21A/pr2baWoQUBYcO5pjk +-> ssh-ed25519 Wu8JLQ ukKMgxBbbHa9TBXo0PGKkk5K1zdQvrk2Qp6BRYguumo +l5k71S4x1VlLCm8BHadDrMMvvJ2927EkTtH8Hu1KNEE +-> ssh-ed25519 EIt1vA yEpFCXXu6iayLUQKj9vgiQGwuRgyduceks6LMFXRGmI +I4iGlWSVye16ZnwHYOfFWWbg6oLYmA1k9LcMyzWoBKA +-> ssh-ed25519 X51wxg 8vkI4rsB3ETq1zMpqkFUr0u6s1OerUjEN1wnz/onjX8 +XvbOSMD58qI/yO03zwCg67R1H36AWM8MfT0FVFJnE34 +-> DP.[|9G-grease 1H80A YV&\ uG'R";. +DtOW39f0bJ6uFAmxiXhmq3bpV5qnJ3TTb7BjCXND8LtgCj9HcyaOpt4HtNFqAZd9 +5hPJeoyr6AMB6TYVAMIKoCfmq2zRe4ilDe3Q5TOL5A +--- yZCsgaQ3oxOkOyyP96+znN03pbyVfqc8ZP0S0x1JZc4 +bl3(:uڮԺ!Ԗ$5]A),VJQC;QԦMtj.q*N$z \ No newline at end of file diff --git a/machines/hackens-org/wireguard.nix b/machines/hackens-org/wireguard.nix new file mode 100644 index 0000000..81bfd7e --- /dev/null +++ b/machines/hackens-org/wireguard.nix 
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ systemd.network = {
+ enable = true;
+ networks = {
+ "50-wg0" = {
+ name = "wg0";
+ address = [
+ "10.10.10.1/24"
+ ];
+ routes = [{
+ routeConfig = {
+ Destination = "10.10.10.0/24";
+ Scope = "link";
+ };
+ }];
+ };
+ };
+ netdevs = {
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 1194;
+ PrivateKeyFile = config.age.secrets."wg-key".path;
+ };
+
+ wireguardPeers = [
+ ];
+ };
+ };
+ };
+ networking.firewall.allowedUDPPorts = [ 1194 ];
+}
diff --git a/meta.nix b/meta.nix
index 421d9e1..650c120 100644
--- a/meta.nix
+++ b/meta.nix
@@ -10,12 +10,14 @@ let
 targetHost = null; #"milieu.cave.hackens.org";
 # targetPort = 4243;
 allowLocalDeployment = true;
+ tags = [ "desktop" ];
 };
 imports = [agenix];
 };
 hackens-org = {
 deployment = {
 targetHost = "server1.hackens.org"; # todo make something with ens firewall
+ tags = [ "server" ];
 targetPort = 2222;
 };
 imports = [agenix];
diff --git a/wg-keys/hackens-org.pub b/wg-keys/hackens-org.pub
new file mode 100644
index 0000000..a0eae68
--- /dev/null
+++ b/wg-keys/hackens-org.pub
@@ -0,0 +1 @@
+CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=
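Review bot: `lib` and `pkgs` are taken as module arguments in the new `wireguard.nix` but never used; only `config` is read, for `config.age.secrets."wg-key".path`, so the header can shrink to `{ config, ... }:`. `wireguardPeers = [ ]` is empty while `ListenPort = 1194` is also opened in `networking.firewall.allowedUDPPorts`, so the host listens publicly on a port nothing can complete a handshake on yet; WireGuard discards packets from unknown keys, so this is inert rather than dangerous, but a comment such as `# peers to be added: each needs PublicKey and AllowedIPs` would make the intent explicit. The explicit `routes` entry for `10.10.10.0/24` with `Scope = "link"` presumably duplicates the prefix route networkd installs on its own from `address = [ "10.10.10.1/24" ]`; confirm that before dropping it.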