
feat(roam01): gretap with vault01

This commit is contained in:
catvayor 2024-12-06 15:04:08 +01:00
parent a389f94078
commit b3e97e0be5
Signed by untrusted user: lbailly
GPG key ID: CE3E645251AC63F3
5 changed files with 184 additions and 3 deletions


@ -8,10 +8,12 @@ lib.extra.mkConfig {
enabledServices = [
# List of services to enable
"wireguard"
"networking"
];
extraConfig = {
networking.interfaces.enp1s0.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = false;
networking.interfaces.enp3s0.useDHCP = false;
};
root = ./.;


@ -0,0 +1,139 @@
{ config, ... }:
{
networking.firewall.trustedInterfaces = [ "wg0" ];
systemd.network = {
networks = {
"10-enp2s0" = {
name = "enp2s0";
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"10-enp3s0" = {
name = "enp3s0";
networkConfig = {
Bridge = "br1";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"20-vlan-apro" = {
name = "vlan-apro";
networkConfig = {
Bridge = "br1";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"50-gretap1" = {
name = "gretap1";
networkConfig = {
Bridge = "br0";
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"50-br0" = {
name = "br0";
networkConfig = {
VLAN = [ "vlan-apro" ];
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"50-br1" = {
name = "br1";
networkConfig = {
LinkLocalAddressing = false;
LLDP = false;
EmitLLDP = false;
IPv6AcceptRA = false;
IPv6SendRA = false;
};
};
"50-wg0" = {
name = "wg0";
address = [ "10.10.17.2/30" ];
networkConfig.Tunnel = "gretap1";
};
};
netdevs = {
"20-vlan-apro" = {
netdevConfig = {
Name = "vlan-apro";
Kind = "vlan";
};
vlanConfig.Id = 2000;
};
"50-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig.PrivateKeyFile = config.age.secrets."systemd-network-wg_vault01_key".path;
wireguardPeers = [
{
wireguardPeerConfig = {
AllowedIPs = [ "10.10.17.0/30" ];
PublicKey = "ijgcPnWWZ0njUJjsDNSGhlhVO40aUDD+zFLtw/1nfBY=";
Endpoint = "vault01.hyp01.infra.dgnum.eu:1194";
PersistentKeepalive = 25;
};
}
];
};
"50-br0" = {
netdevConfig = {
Name = "br0";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = false;
STP = false;
};
};
"50-br1" = {
netdevConfig = {
Name = "br1";
Kind = "bridge";
};
bridgeConfig = {
VLANFiltering = false;
STP = false;
};
};
"50-gretap1" = {
netdevConfig = {
Name = "gretap1";
Kind = "gretap";
};
tunnelConfig = {
Local = "10.10.17.2";
Remote = "10.10.17.1";
};
};
};
};
}
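Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` at the top of the new file accepts everything the peer sends over the tunnel, while the only traffic this file expects on wg0 is the GRE encapsulation for gretap1 (`networkConfig.Tunnel = "gretap1"`, Local 10.10.17.2 / Remote 10.10.17.1, AllowedIPs limited to 10.10.17.0/30). Unless something on vault01 must reach other services on roam01 through wg0 (not visible here), a narrower accept rule keeps the host firewall intact if the far end is ever misused — with the iptables backend, roughly `networking.firewall.extraCommands = "iptables -A nixos-fw -i wg0 -s 10.10.17.1 -p gre -j nixos-fw-accept";` in place of the trustedInterfaces line. Neither the wg0 nor the gretap1 netdev sets MTUBytes, so full-size frames from enp2s0 crossing br0 into the GRE-over-WireGuard path will presumably exceed the tunnel MTU and be dropped; worth confirming on the deployed host. A short header comment describing the topology would also help the next reader: br0 joins enp2s0 with the L2 tunnel to vault01, vlan-apro (id 2000) is split off br0 into br1 with enp3s0, and both bridges run with VLANFiltering and STP disabled.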


@ -1,4 +1,5 @@
(import ../../../keys).mkSecrets [ "roam01" ] [
# List of secrets for router02
# List of secrets for roam01
"systemd-network-wg_key"
"systemd-network-wg_vault01_key"
]


@ -0,0 +1,39 @@
age-encryption.org/v1
-> ssh-ed25519 jIXfPA +b8R9Lkk3qno5HpIDIV9wg65KLwhzpcvnBV+j5D2Dzs
chHY0aJxdwuwChngmMZXLYj9TU2LIPwUssJbaPGIw/M
-> ssh-ed25519 QlRB9Q XzsvtKi2f9c5VAJDDL9l9w4CaoXl14RkvQlTHANOvBE
EEm5t9EfYPz/U8IwipCT9HeYxNZY7q4NdJcMZF6HLDQ
-> ssh-ed25519 r+nK/Q nWnplGOmsEbl2Q/ZLuV0v0qrKrH7AvxgbMITHC+jKG8
6d1lQNA55QS++Z0WGBVSyhgTzbqyD7H9H9THweyH0aw
-> ssh-rsa krWCLQ
ifYo/u+MBdBOUY8oKSnSNRxIVPjRaxU8Apf5kVu1diLOkuckWdwdvoIzqm+T5xGf
lF4XKrTGZNloiWj5h0OEv91afgD5M197HWxqxfEilNlfdfYwtpI3aIm5lnlp3W7t
gNlxehLEyHrGrYUbpEaTOiqTwTIMGbAchwbZ4YIbgtoBq/3K7L44gWxJB1XwfvHl
qdxB2iD/swgOGgS1o153Dn7AAd/MuJ+PTXYmGHWoAHNujPpCN8aZRvDg7e+Q1Xla
BpdaE3p4mcVhbF7uVllrppw0n1LpMgiOLkPiv1HjYJzbsKCQBf0jdNrSiEqlDObn
gUaDnd4rcrOWdcG75kUHkw
-> ssh-ed25519 /vwQcQ t0f5iikIE47bw7o/1+M8eEKtbDjXQRtoyE+wPNLVfmQ
+s33HNot9ovOVGVXhtpdW2Z3sKFMNNPnLLAZJeg+q5c
-> ssh-ed25519 0R97PA 7gzz2IcQxkmFVA/xbskEcNsEXYvLtYeHa2/M8vaLOzc
yTICGOtGiBhKKlttgvMU4EeTsrvtj2RysryIS+D0XD0
-> ssh-ed25519 JGx7Ng xbc1Degn+fjvUl20buHer1KMhNH+6g/bxJpgcs2C5EY
AcQWrjz+GxPrtqFS/ZcVAQfh28WneRqJvf0rZ2BpMIM
-> ssh-ed25519 bUjjig 5Urn7y2U1w5CRiuCreLJ7m7NZTXxJV4kfFWDpKBu0gI
5kB2pPF51NOon8lcuVgKD1HVOUuawe54Sf1dDG4kvaY
-> ssh-ed25519 5SY7Kg QVg5S/zxuda25YuwnBX0shaSc1e2lgjvwjfirlfbPRI
Uh90/WsKg24GKdch2UYSC0kgmFgTPQWEgdH0jePDrK0
-> ssh-ed25519 p/Mg4Q T+A2Wf6fDoNsPGFqM+T3rd5uMELONb5WTAnZjNSvxjI
TGXNeHk/n/ZP6FAHtDbVTbgQmkxp7kM6K4+2xah1TEg
-> ssh-ed25519 5rrg4g Aq6xc+UFnDRQmV7g4S2V6zJrBDOu88XwEflWMJcLlB8
37rARD2iQHhlYWWkTNyxrmOENXrj0uPciCN+TteZYJ4
-> ssh-ed25519 oRtTqQ oX88qv7t1BXoYhq+Mwxs2yLF2K+41pcWMghgqPGZ8l4
qLQ7YiUxjbmeK7g5DkKdTAHDouYZsKHw/DqOSL1VNFE
-> ssh-ed25519 F2C+8w Ji998tdt/Vkh4OSM+/uTjuPNC55xSZVvYIDSlIMYt0I
TZ+N864aLOXM7KJpdTXhKEFq8Rjhm88+JDVrXL6PY0g
-> ssh-ed25519 PMC4Bw babMt4TQ59hUaC5RIgAtSurlZqxNZ4zn6PovjOHxpHw
iRLb4TkqhELlHGwfPEezbfX7ZsHaIneSx1izlrDNtvY
-> ;F~-grease & :DkVW`pR $9&
UEoJooOslhrTj42WGUl1Js/AfqjXUvb9/H5SnERsuK3sWozOhgLUn7wbv/yQ/G7/
Ljf/j2G+QdLfnfB7pYU8XanwFgWtOG++ukG1ypf1q5AEct1x23XpGza9oQ
--- iHm57JGcwrljzXrZCEaHCB4IXLbcFh/2pRYQJXqaOkk
_?8éŸá±áÃ";Vjþë\Aã§ûÈþÎÛîh-F ([Ô‚:S•@­»-ü€5ÿ°!©6DvÊýÁ·ä:)-ë\´þ¶ÑA·


@ -21,7 +21,7 @@ in
{
age-secrets.autoMatch = [ "systemd-network" ];
networking.firewall.trustedInterfaces = [ "wg0" ];
networking.firewall.trustedInterfaces = [ "wg-mgmt" ];
systemd.network = {
networks = {
"50-wg-mgmt" = {