diff options
| author | Franck Cuny <franck@fcuny.net> | 2025-11-21 12:56:50 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-11-21 12:56:50 -0800 |
| commit | ea5ab9be9cecabb975aa075246843fd1641616c2 (patch) | |
| tree | 423b2eb1b2d40d10f451056036957a17722ea780 /machines/nixos | |
| parent | add argonath to agenix and rekey secrets (diff) | |
| download | infra-ea5ab9be9cecabb975aa075246843fd1641616c2.tar.gz | |
wireguard configuration for argonath
Diffstat (limited to 'machines/nixos')
| -rw-r--r-- | machines/nixos/x86_64-linux/argonath.nix | 29 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/rivendell.nix | 9 |
2 files changed, 36 insertions, 2 deletions
diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix index eb08896..14b698a 100644 --- a/machines/nixos/x86_64-linux/argonath.nix +++ b/machines/nixos/x86_64-linux/argonath.nix @@ -1,4 +1,9 @@ -{ lib, adminUser, ... }: +{ + config, + lib, + adminUser, + ... +}: { imports = [ ../../../profiles/cgroups.nix @@ -9,11 +14,33 @@ ../../../profiles/server.nix ]; + age.secrets.wireguard.file = ../../../secrets/argonath/wireguard.age; + # fixes duplicated devices in mirroredBoots boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; disko.devices.disk.disk1.device = "/dev/vda"; + networking.wireguard = { + enable = true; + interfaces.wg0 = { + ips = [ "10.100.0.51/32" ]; + listenPort = 51871; + privateKeyFile = config.age.secrets.wireguard.path; + peers = [ + { + # rivendell + publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng="; + allowedIPs = [ "10.100.0.60/32" ]; + persistentKeepalive = 25; + } + ]; + }; + }; + + networking.firewall.trustedInterfaces = [ "wg0" ]; + networking.firewall.allowedUDPPorts = [ 51871 ]; + system.stateVersion = "25.05"; # Did you read the comment? home-manager = { diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix index 1fab968..df72474 100644 --- a/machines/nixos/x86_64-linux/rivendell.nix +++ b/machines/nixos/x86_64-linux/rivendell.nix @@ -54,10 +54,17 @@ { # digital ocean droplet publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318="; - allowedIPs = [ "10.100.0.0/24" ]; + allowedIPs = [ "10.100.0.50/32" ]; endpoint = "165.232.158.110:51871"; persistentKeepalive = 25; } + { + # argonath + publicKey = "vTItDh9YPnA+8hL1kIK+7EHv0ol3qvhfAfz790miw1w="; + allowedIPs = [ "10.100.0.51/32" ]; + endpoint = "157.230.146.234:51871"; + persistentKeepalive = 25; + } ]; }; }; |