authorFranck Cuny <franck@fcuny.net>2025-10-18 10:58:27 -0700
committerFranck Cuny <franck@fcuny.net>2025-10-18 10:58:27 -0700
commit3676f44fe813794b0603dbc82da3149db8fb4e1c (patch)
tree842d4e799c33a07bd20062c9cac096dd02f1f8ff
parentmove the disk configuration for rivendell as a profile (diff)
downloadinfra-3676f44fe813794b0603dbc82da3149db8fb4e1c.tar.gz
configure wireguard for rivendell
-rw-r--r--docs/network.org51
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/default.nix7
-rw-r--r--machines/nixos/x86_64-linux/rivendell/default.nix28
-rw-r--r--machines/nixos/x86_64-linux/synology-vm/default.nix6
-rw-r--r--secrets/rivendell/wireguard.age7
-rw-r--r--secrets/secrets.nix6
6 files changed, 105 insertions, 0 deletions
diff --git a/docs/network.org b/docs/network.org
new file mode 100644
index 0000000..d3801b0
--- /dev/null
+++ b/docs/network.org
@@ -0,0 +1,51 @@
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src shell
+fcuny@vm-synology ~> wg genkey > wireguard
+Warning: writing to world accessible file.
+Consider setting the umask to 077 and trying again.
+fcuny@vm-synology ~> wg pubkey < wireguard > wireguard.pub
+fcuny@vm-synology ~> ll
+total 12
+drwxr-xr-x 2 fcuny users 4096 Aug 10 14:24 tmp
+-rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard
+-rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard.pub
+fcuny@vm-synology ~> cat wireguard.pub jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src shell
+agenix -i ~/.ssh/agenix -e <hostname>/wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age = {
+ secrets = {
+ wireguard = {
+ file = ../../../../secrets/rivendell/wireguard.age;
+ };
+ };
+};
+
+networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 32005e0..0d74a1f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -18,10 +18,17 @@
privateKeyFile = config.age.secrets.wireguard.path;
peers = [
{
+ # vm-synology
publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
allowedIPs = [ "10.100.0.0/24" ];
persistentKeepalive = 25;
}
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
];
};
};
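Review bot: The new rivendell peer in this hunk sets `allowedIPs = [ "10.100.0.0/24" ]`, the same prefix the vm-synology peer directly above it already claims; WireGuard's cryptokey routing maps each prefix to exactly one peer, so on the droplet the whole /24 ends up attached to whichever peer is configured last and outbound packets for the other peer's address are sent down the wrong tunnel. On a hub each peer should carry only its own address: for rivendell `allowedIPs = [ "10.100.0.60/32" ];`, matching the `ips` it configures in its own file, and for vm-synology its own /32 (its address is not on this page, so `<vm-synology-ip>/32` stands in for it). The synology-vm hunk has the same overlap: its new rivendell peer also claims the /24 and would take the prefix away from the droplet peer configured there, and since neither rivendell nor synology-vm lists an endpoint for the other, that peer entry can only come up if one side is reachable directly — the /24 should stay on the droplet peer and rivendell get its /32 there too, if the entry is kept at all. The enclosing `interfaces.wg0` attribute set starts above the hunk.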
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 700a57f..1f38f6f 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -12,6 +12,14 @@
../../../../profiles/disk/btrfs-on-luks.nix
];
+ age = {
+ secrets = {
+ wireguard = {
+ file = ../../../../secrets/rivendell/wireguard.age;
+ };
+ };
+ };
+
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
@@ -45,6 +53,26 @@
nix.settings.trusted-users = [ "builder" ];
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
my.modules.hardware.baremetal.enable = true;
my.modules.remote-unlock.enable = true;
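Review bot: The `networking.firewall.allowedUDPPorts = [ 51871 ];` line at the end of the second hunk opens the listen port on every interface, yet nothing on this page dials in to rivendell: its only peer is the droplet, which it reaches through `endpoint` with `persistentKeepalive`, and the peer entries for rivendell added on the other hosts carry no endpoint. If rivendell sits behind NAT the rule is dead weight; if it is directly reachable, the file should say which peers are expected to connect, for example `# inbound 51871: only needed if a peer dials rivendell directly`. The droplet peer block here also appears to repeat the one synology-vm already carries (same public key, endpoint and keepalive as far as the hunks show); given the parent commit moved the disk layout into a profile, the droplet peer and the `10.100.0.0/24` route would fit a shared WireGuard profile so the droplet's key and endpoint live in one place. The enclosing module attribute set starts above and continues below the hunk.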
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index cbf9f13..d04a44a 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -68,6 +68,12 @@
endpoint = "165.232.158.110:51871";
persistentKeepalive = 25;
}
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
];
};
};
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
new file mode 100644
index 0000000..cedc155
--- /dev/null
+++ b/secrets/rivendell/wireguard.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA yX115u9bhmWSBuvkwd94kOuuz7I1jIViRfX6GqsNOGg
+AF+GO3PXF2YUh/Q0HdrSgmwycrmWwEp+jJtk5sd+UY4
+-> ssh-ed25519 Y5h84Q CvmWwsgwFJkdBpkMsb10/QjR1l5hBxAFs3mqsHjgjwY
+XoXKK3JH6bdWfwKsaoLTK2rK4f3uuPOieLb/IwtV/Gc
+--- mSxeIgzkrqgnyeUm52rvVRmaGLsqyIVv7dEBTXRNBSw
+\jÊôP¨[(µÄðGǸkžhCù©ÄþêA`1ãzt‡îH³væÍsM7-ëÌWPöQÏúvc›t^•Ä#‚›lƒ=Q¹¸\0÷4 \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ed8de8f..72bd62c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c root@mba-m2";
do = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID6qsTQwvo6lUACTZKb4T+Je89bW3/BY4DB4aCTqfApz";
+ rivendell = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
};
users = {
fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
@@ -53,4 +54,9 @@ in
users.fcuny
hosts.vm-synology
];
+
+ "rivendell/wireguard.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
}
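Review bot: The new `rivendell` entry in the first hunk drops the trailing key comment that `vm-synology` and `mba` carry (`root@vm-synology`, `root@mba-m2`), so the file no longer says which key on rivendell this is meant to be — the host's sshd key or a user key — and `do` has the same gap. Keeping the comment the key was generated with, e.g. `rivendell = "ssh-ed25519 <key> root@rivendell";`, makes the recipient list self-describing and easier to audit when a host is reinstalled and its key rotates. The two recipients listed for `rivendell/wireguard.age` in the second hunk are consistent with the two `-> ssh-ed25519` stanzas in the committed .age header, though the file itself cannot confirm which keys they were encrypted to.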