From b3e97e0be53dc64e2ea595f1bd81b0c5114953ce Mon Sep 17 00:00:00 2001 From: catvayor Date: Fri, 6 Dec 2024 15:04:08 +0100 Subject: [PATCH] feat(roam01): gretap with vault01 --- machines/roam01/_configuration.nix | 4 +- machines/roam01/networking.nix | 139 ++++++++++++++++++ machines/roam01/secrets/secrets.nix | 3 +- .../secrets/systemd-network-wg_vault01_key | 39 +++++ machines/roam01/wireguard.nix | 2 +- 5 files changed, 184 insertions(+), 3 deletions(-) create mode 100644 machines/roam01/networking.nix create mode 100644 machines/roam01/secrets/systemd-network-wg_vault01_key diff --git a/machines/roam01/_configuration.nix b/machines/roam01/_configuration.nix index 4815028..ba3becd 100644 --- a/machines/roam01/_configuration.nix +++ b/machines/roam01/_configuration.nix @@ -8,10 +8,12 @@ lib.extra.mkConfig { enabledServices = [ # List of services to enable "wireguard" + "networking" ]; extraConfig = { - networking.interfaces.enp1s0.useDHCP = true; + networking.interfaces.enp2s0.useDHCP = false; + networking.interfaces.enp3s0.useDHCP = false; }; root = ./.; diff --git a/machines/roam01/networking.nix b/machines/roam01/networking.nix new file mode 100644 index 0000000..badbc08 --- /dev/null +++ b/machines/roam01/networking.nix 
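Review bot: The replaced line `networking.interfaces.enp1s0.useDHCP = true;` is the only L3 addressing visible for this host, and the two `useDHCP = false` entries that take its place carry no comment saying why DHCP is turned off on enp2s0 and enp3s0. The same commit enslaves both as bridge ports (br0 and br1 in networking.nix), so a comment such as `# enp2s0/enp3s0 are bridge ports of br0/br1 (networking.nix); no L3 config on the physical links` would record the intent. If enp1s0 is still the uplink, its addressing presumably now comes from elsewhere in the configuration; worth confirming rather than assuming.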
@@ -0,0 +1,139 @@
+{ config, ... }:
+{
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ systemd.network = {
+ networks = {
+ "10-enp2s0" = {
+ name = "enp2s0";
+ networkConfig = {
+ Bridge = "br0";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "10-enp3s0" = {
+ name = "enp3s0";
+ networkConfig = {
+ Bridge = "br1";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "20-vlan-apro" = {
+ name = "vlan-apro";
+ networkConfig = {
+ Bridge = "br1";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-gretap1" = {
+ name = "gretap1";
+ networkConfig = {
+ Bridge = "br0";
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-br0" = {
+ name = "br0";
+ networkConfig = {
+ VLAN = [ "vlan-apro" ];
+
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-br1" = {
+ name = "br1";
+ networkConfig = {
+ LinkLocalAddressing = false;
+ LLDP = false;
+ EmitLLDP = false;
+ IPv6AcceptRA = false;
+ IPv6SendRA = false;
+ };
+ };
+ "50-wg0" = {
+ name = "wg0";
+ address = [ "10.10.17.2/30" ];
+ networkConfig.Tunnel = "gretap1";
+ };
+ };
+ netdevs = {
+ "20-vlan-apro" = {
+ netdevConfig = {
+ Name = "vlan-apro";
+ Kind = "vlan";
+ };
+ vlanConfig.Id = 2000;
+ };
+ "50-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig.PrivateKeyFile = config.age.secrets."systemd-network-wg_vault01_key".path;
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [ "10.10.17.0/30" ];
+ PublicKey = "ijgcPnWWZ0njUJjsDNSGhlhVO40aUDD+zFLtw/1nfBY=";
+ Endpoint = "vault01.hyp01.infra.dgnum.eu:1194";
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ "50-br0" = {
+ netdevConfig = {
+ Name = "br0";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ VLANFiltering = false;
+ STP = false;
+ };
+ };
+ "50-br1" = {
+ netdevConfig = {
+ Name = "br1";
+ Kind = "bridge";
+ };
+ bridgeConfig = {
+ VLANFiltering = false;
+ STP = false;
+ };
+ };
+ "50-gretap1" = {
+ netdevConfig = {
+ Name = "gretap1";
+ Kind = "gretap";
+ };
+ tunnelConfig = {
+ Local = "10.10.17.2";
+ Remote = "10.10.17.1";
+ };
+ };
+ };
+ };
+}
diff --git a/machines/roam01/secrets/secrets.nix b/machines/roam01/secrets/secrets.nix
index 2fd623f..6d2f6c9 100644
--- a/machines/roam01/secrets/secrets.nix
+++ b/machines/roam01/secrets/secrets.nix
@@ -1,4 +1,5 @@
 (import ../../../keys).mkSecrets [ "roam01" ] [
- # List of secrets for router02
+ # List of secrets for roam01
 "systemd-network-wg_key"
+ "systemd-network-wg_vault01_key"
 ]
diff --git a/machines/roam01/secrets/systemd-network-wg_vault01_key b/machines/roam01/secrets/systemd-network-wg_vault01_key
new file mode 100644
index 0000000..622fe2d
--- /dev/null
+++ b/machines/roam01/secrets/systemd-network-wg_vault01_key
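Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` at the top of networking.nix admits every inbound packet from the vault01 tunnel, while the only traffic wg0 has to accept for this design is the GRE encapsulation of gretap1 from the peer address 10.10.17.1; with the interface trusted, every local service listening on the host is reachable from the peer side, and since NixOS merges list options this entry is appended to the `"wg-mgmt"` entry that wireguard.nix now sets rather than replacing it. I would drop wg0 from trustedInterfaces and admit only protocol 47 from 10.10.17.1 on wg0, e.g. via `networking.firewall.extraCommands`. A second point is that gretap1 is attached to br0 with `VLANFiltering = false;` and `STP = false;`, so any tagged frame and any loop on the remote segment is carried into br0 and, through the vlan-apro sub-interface (id 2000), into br1; if that is intended, a header comment describing the topology (enp2s0 and gretap1 in br0, enp3s0 and vlan-apro in br1, the tunnel riding on wg0 10.10.17.2/30) would help, since the new file has no comments at all.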
@@ -0,0 +1,39 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA +b8R9Lkk3qno5HpIDIV9wg65KLwhzpcvnBV+j5D2Dzs +chHY0aJxdwuwChngmMZXLYj9TU2LIPwUssJbaPGIw/M +-> ssh-ed25519 QlRB9Q XzsvtKi2f9c5VAJDDL9l9w4CaoXl14RkvQlTHANOvBE +EEm5t9EfYPz/U8IwipCT9HeYxNZY7q4NdJcMZF6HLDQ +-> ssh-ed25519 r+nK/Q nWnplGOmsEbl2Q/ZLuV0v0qrKrH7AvxgbMITHC+jKG8 +6d1lQNA55QS++Z0WGBVSyhgTzbqyD7H9H9THweyH0aw +-> ssh-rsa krWCLQ +ifYo/u+MBdBOUY8oKSnSNRxIVPjRaxU8Apf5kVu1diLOkuckWdwdvoIzqm+T5xGf +lF4XKrTGZNloiWj5h0OEv91afgD5M197HWxqxfEilNlfdfYwtpI3aIm5lnlp3W7t +gNlxehLEyHrGrYUbpEaTOiqTwTIMGbAchwbZ4YIbgtoBq/3K7L44gWxJB1XwfvHl +qdxB2iD/swgOGgS1o153Dn7AAd/MuJ+PTXYmGHWoAHNujPpCN8aZRvDg7e+Q1Xla +BpdaE3p4mcVhbF7uVllrppw0n1LpMgiOLkPiv1HjYJzbsKCQBf0jdNrSiEqlDObn +gUaDnd4rcrOWdcG75kUHkw +-> ssh-ed25519 /vwQcQ t0f5iikIE47bw7o/1+M8eEKtbDjXQRtoyE+wPNLVfmQ ++s33HNot9ovOVGVXhtpdW2Z3sKFMNNPnLLAZJeg+q5c +-> ssh-ed25519 0R97PA 7gzz2IcQxkmFVA/xbskEcNsEXYvLtYeHa2/M8vaLOzc +yTICGOtGiBhKKlttgvMU4EeTsrvtj2RysryIS+D0XD0 +-> ssh-ed25519 JGx7Ng xbc1Degn+fjvUl20buHer1KMhNH+6g/bxJpgcs2C5EY +AcQWrjz+GxPrtqFS/ZcVAQfh28WneRqJvf0rZ2BpMIM +-> ssh-ed25519 bUjjig 5Urn7y2U1w5CRiuCreLJ7m7NZTXxJV4kfFWDpKBu0gI +5kB2pPF51NOon8lcuVgKD1HVOUuawe54Sf1dDG4kvaY +-> ssh-ed25519 5SY7Kg QVg5S/zxuda25YuwnBX0shaSc1e2lgjvwjfirlfbPRI +Uh90/WsKg24GKdch2UYSC0kgmFgTPQWEgdH0jePDrK0 +-> ssh-ed25519 p/Mg4Q T+A2Wf6fDoNsPGFqM+T3rd5uMELONb5WTAnZjNSvxjI +TGXNeHk/n/ZP6FAHtDbVTbgQmkxp7kM6K4+2xah1TEg +-> ssh-ed25519 5rrg4g Aq6xc+UFnDRQmV7g4S2V6zJrBDOu88XwEflWMJcLlB8 +37rARD2iQHhlYWWkTNyxrmOENXrj0uPciCN+TteZYJ4 +-> ssh-ed25519 oRtTqQ oX88qv7t1BXoYhq+Mwxs2yLF2K+41pcWMghgqPGZ8l4 +qLQ7YiUxjbmeK7g5DkKdTAHDouYZsKHw/DqOSL1VNFE +-> ssh-ed25519 F2C+8w Ji998tdt/Vkh4OSM+/uTjuPNC55xSZVvYIDSlIMYt0I +TZ+N864aLOXM7KJpdTXhKEFq8Rjhm88+JDVrXL6PY0g +-> ssh-ed25519 PMC4Bw babMt4TQ59hUaC5RIgAtSurlZqxNZ4zn6PovjOHxpHw +iRLb4TkqhELlHGwfPEezbfX7ZsHaIneSx1izlrDNtvY +-> ;F~-grease & :DkVW`pR $9& +UEoJooOslhrTj42WGUl1Js/AfqjXUvb9/H5SnERsuK3sWozOhgLUn7wbv/yQ/G7/ 
+Ljf/j2G+QdLfnfB7pYU8XanwFgWtOG++ukG1ypf1q5AEct1x23XpGza9oQ +--- iHm57JGcwrljzXrZCEaHCB4IXLbcFh/2pRYQJXqaOkk +_?8éŸá±áÃ";Vjþë\Aã§ûÈþÎÛîh-F ([Ô‚:S•@­»-ü€5ÿ°!©6DvÊýÁ·ä:)-ë\´þ¶ÑA· \ No newline at end of file diff --git a/machines/roam01/wireguard.nix b/machines/roam01/wireguard.nix index a3dee30..e9f2cd0 100644 --- a/machines/roam01/wireguard.nix +++ b/machines/roam01/wireguard.nix @@ -21,7 +21,7 @@ in { age-secrets.autoMatch = [ "systemd-network" ]; - networking.firewall.trustedInterfaces = [ "wg0" ]; + networking.firewall.trustedInterfaces = [ "wg-mgmt" ]; systemd.network = { networks = { "50-wg-mgmt" = {