add pruflas vpn

2022-10-07 19:18:48 +02:00 · 2022-10-07 19:18:48 +02:00 · 7f36dee66b
commit 7f36dee66b
parent fda6dd5da2
4 changed files with 53 additions and 2 deletions
--- a/nixos/pruflas/configuration.nix
+++ b/nixos/pruflas/configuration.nix
@ -3,7 +3,13 @@
 , lib
 , ...
 }:
-with lib; {
+with lib;
+let
+  secretsPath = config.dadada.secrets.path;
+  wg0PrivKey = "${config.networking.hostName}-wg0-key";
+  wg0PresharedKey = "${config.networking.hostName}-wg0-preshared-key";
+in
+{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "pruflas";
@ -46,6 +52,27 @@ with lib; {
    bs.enable = true;
  };

+  age.secrets.${wg0PrivKey}.file = "${secretsPath}/${wg0PrivKey}.age";
+  age.secrets.${wg0PresharedKey}.file = "${secretsPath}/${wg0PresharedKey}.age";
+
+  networking.wireguard = {
+    enable = true;
+    interfaces.uwupn = {
+      allowedIPsAsRoutes = true;
+      privateKeyFile = config.age.secrets.${wg0PrivKey}.path;
+      ips = [ "10.11.0.39/32" "fc00:1337:dead:beef::10.11.0.39/128" ];
+      peers = [
+        {
+          publicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8=";
+          allowedIPs = [ "10.11.0.0/22" "fc00:1337:dead:beef::10.11.0.0/118" "192.168.178.0/23" ];
+          endpoint = "53c70r.de:51820";
+          persistentKeepalive = 25;
+          presharedKeyFile = config.age.secrets.${wg0PresharedKey}.path;
+        }
+      ];
+    };
+  };
+
  networking.useDHCP = false;
  networking.interfaces."enp0s25".useDHCP = true;

@ -105,6 +132,8 @@ with lib; {
  users.mutableUsers = true;

  dadada.networking.localResolver.enable = true;
+  dadada.networking.localResolver.uwu = true;
+  dadada.networking.localResolver.s0 = true;

  dadada.autoUpgrade.enable = mkDefault true;

--- a/secrets/pruflas-wg0-key.age
+++ b/secrets/pruflas-wg0-key.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 IXCPDQ yZsU7q89HVxP6Ldup2noEaGy5+SzFzuMtA4/+4mQfUU
+w1cM4NXL+M9RjRjuYswEWYhtiWPgjlJEdwm9wQ9GF5Q
+-> ssh-ed25519 Otklkw O8jQnBDmaBnKLHU4nAIeRwkXE3ovdw7Y6vmZcmwqpUc
+rM5wbfCSQhA0wxfRPVLB7dVl8L8aiB9eWhTX/ARV1YE
+-> pJ-grease ~4C{og l_
+pXTBa1xB/KJU5w
+--- +w4Zc/+fVRky0Nzu0R9cc1MKAOgig1swtCLDrb6M4WM
+³_Í LJ
´îŽîÕïú²pÆB„´ûÓ$Ÿ£fÓ’x<>w}îAÕÎ6Þ¤6°P²Æ-{+öE±þÜ[FßÖaýWœ,ØÂ…Žl¶Ž&
--- a/secrets/pruflas-wg0-preshared-key.age
+++ b/secrets/pruflas-wg0-preshared-key.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 IXCPDQ Q0ETN6DFshfo+YouSf/YWX7u8otnnAqZr/Y7qxCRiTI
+5LVB4bzpysObZJkmJJw2kgE57lZKs2XA8BVSwS7y/VM
+-> ssh-ed25519 Otklkw Lgo+x/ODCP6e3SHg2rZVNNLZkHCCT7YMC7MT0Fa4dHc
+bX+Bja0SeGBzNQS3vUGj+GVDAYVTgyGQtPw5I0DWPdU
+-> 7&'U\;\-grease ot 7f'PU3CA
+O2UHtKXSTN5TrfVh7ROQ8x9YLynOFvrxK+1kSW42hGbTstOdhBAlNfKMdiIM4Itn
+k7Jshx6UTqa8dF8QIw2cme0jFkF8JUioj7uQuusGBG/WZg
+--- Wau438nNnP4srJ16gRGC/9jUdCB6TjBgxc2kZVRsvn0
+´fÛ<>ð¯m7¬ºöÛã\ûÐVÚÚhðê¥ëMeöm¾^õ?EkfPû7ÔÄh¥ôäu]ÝnÅ+n.>†É<dOñ¡|Çn_k&»ÄÊo
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,7 +12,10 @@ let
    "${hostName}-backup-ssh-key.age".publicKeys = [ systems.${hostName} dadada ];
  };
 in
-{ } //
+{
+  "pruflas-wg0-key.age".publicKeys = [ systems.pruflas dadada ];
+  "pruflas-wg0-preshared-key.age".publicKeys = [ systems.pruflas dadada ];
+} //
 backupSecrets "gorgon" //
 backupSecrets "ifrit" //
 backupSecrets "pruflas" //