From 3676f44fe813794b0603dbc82da3149db8fb4e1c Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 18 Oct 2025 10:58:27 -0700
Subject: configure wireguard for rivendell
---
 docs/network.org | 51 ++++++++++++++++++++++
 machines/nixos/x86_64-linux/do-rproxy/default.nix | 7 +++
 machines/nixos/x86_64-linux/rivendell/default.nix | 28 ++++++++++++
 .../nixos/x86_64-linux/synology-vm/default.nix | 6 +++
 secrets/rivendell/wireguard.age | 7 +++
 secrets/secrets.nix | 6 +++
 6 files changed, 105 insertions(+)
 create mode 100644 docs/network.org
 create mode 100644 secrets/rivendell/wireguard.age
diff --git a/docs/network.org b/docs/network.org
new file mode 100644
index 0000000..d3801b0
--- /dev/null
+++ b/docs/network.org
@@ -0,0 +1,51 @@
+** Wireguard
+*** New host
+On a host, run the following:
+#+begin_src shell
+fcuny@vm-synology ~> wg genkey > wireguard
+Warning: writing to world accessible file.
+Consider setting the umask to 077 and trying again.
+fcuny@vm-synology ~> wg pubkey < wireguard > wireguard.pub
+fcuny@vm-synology ~> ll
+total 12
+drwxr-xr-x 2 fcuny users 4096 Aug 10 14:24 tmp
+-rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard
+-rw-r--r-- 1 fcuny users 45 Oct 18 10:42 wireguard.pub
+fcuny@vm-synology ~> cat wireguard.pub jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=
+#+end_src
+
+Then create the secret in ../secrets/secrets.nix with
+#+begin_src shell
+agenix -i ~/.ssh/agenix -e /wireguard.age
+#+end_src
+
+Then add the following to the host's configuration:
+#+begin_src nix
+age = {
+ secrets = {
+ wireguard = {
+ file = ../../../../secrets/rivendell/wireguard.age;
+ };
+ };
+};
+
+networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+};
+
+networking.firewall.allowedUDPPorts = [ 51871 ];
+#+end_src
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 32005e0..0d74a1f 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -18,10 +18,17 @@
 privateKeyFile = config.age.secrets.wireguard.path;
 peers = [
 {
+ # vm-synology
 publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
 allowedIPs = [ "10.100.0.0/24" ];
 persistentKeepalive = 25;
 }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
 ];
 };
 };
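Review bot: The rivendell peer added after `persistentKeepalive = 25;` claims `allowedIPs = [ "10.100.0.0/24" ];`, the same range the vm-synology peer above it already claims; WireGuard's allowed-IPs table hands each address to the last peer that claims it, so on this host, which the spokes dial into (it is rivendell's only endpoint in this commit), the whole /24 now routes to rivendell and traffic meant for vm-synology would be sent to the wrong peer. AllowedIPs is also the source filter for packets arriving from a peer, so a /24 lets either spoke source any tunnel address. Give each spoke only its own address here: `allowedIPs = [ "10.100.0.60/32" ];` for rivendell (its wg0 address in the rivendell hunk) and the vm-synology entry narrowed to its own /32, which is not visible in this commit. The synology-vm hunk carries the same /24 for its new rivendell peer. The enclosing `interfaces.wg0` block starts before this hunk.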
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
index 700a57f..1f38f6f 100644
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ b/machines/nixos/x86_64-linux/rivendell/default.nix
@@ -12,6 +12,14 @@
 ../../../../profiles/disk/btrfs-on-luks.nix
 ];
 
+ age = {
+ secrets = {
+ wireguard = {
+ file = ../../../../secrets/rivendell/wireguard.age;
+ };
+ };
+ };
+
 boot.initrd.availableKernelModules = [
 "nvme"
 "xhci_pci"
@@ -45,6 +53,26 @@
 nix.settings.trusted-users = [
 "builder"
 ];
 
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
 my.modules.hardware.baremetal.enable = true;
 my.modules.remote-unlock.enable = true;
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
index cbf9f13..d04a44a 100644
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ b/machines/nixos/x86_64-linux/synology-vm/default.nix
@@ -68,6 +68,12 @@
 endpoint = "165.232.158.110:51871";
 persistentKeepalive = 25;
 }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
 ];
 };
 };
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
new file mode 100644
index 0000000..cedc155
--- /dev/null
+++ b/secrets/rivendell/wireguard.age
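Review bot: `networking.firewall.allowedUDPPorts = [ 51871 ];` in the second hunk opens the WireGuard port to inbound traffic although rivendell's only peer is the droplet, which it dials out to (`endpoint = "165.232.158.110:51871"` with `persistentKeepalive = 25`), so nothing needs to reach this port from outside; unless other peers are meant to connect to rivendell directly, drop that line and let the outbound handshake's conntrack entry admit the replies. The single peer's `allowedIPs = [ "10.100.0.0/24" ];` also means every other tunnel host is reached through the droplet, which only works if the droplet forwards between peers — that is not shown in this commit, so it deserves a comment on the peer, e.g. `# hub: all 10.100.0.0/24 traffic is relayed via the droplet`. Both hunks of this file sit inside the module attrset that begins and ends outside them.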
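Review bot: The rivendell peer added after `persistentKeepalive = 25;` in the synology-vm hunk can never complete a handshake: it has no `endpoint`, so this host cannot initiate, and rivendell's own peer list in this commit contains only the droplet, so rivendell will neither initiate towards vm-synology nor accept its key. Listed after the droplet peer with the same `allowedIPs = [ "10.100.0.0/24" ];`, it would also take the route for the whole subnet away from the droplet peer, since WireGuard hands each allowed address to the last peer that claims it, leaving this host's tunnel traffic directed at a peer that never comes up. Either make the peering two-sided (add vm-synology to rivendell's peers with an endpoint on whichever side is reachable, and narrow both entries to the other host's /32) or drop this entry and reach rivendell via the droplet. The enclosing `peers` list starts before this hunk.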
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 pFjJaA yX115u9bhmWSBuvkwd94kOuuz7I1jIViRfX6GqsNOGg +AF+GO3PXF2YUh/Q0HdrSgmwycrmWwEp+jJtk5sd+UY4 +-> ssh-ed25519 Y5h84Q CvmWwsgwFJkdBpkMsb10/QjR1l5hBxAFs3mqsHjgjwY +XoXKK3JH6bdWfwKsaoLTK2rK4f3uuPOieLb/IwtV/Gc +--- mSxeIgzkrqgnyeUm52rvVRmaGLsqyIVv7dEBTXRNBSw +\jÊôP¨[(µÄðGǸkžhCù©ÄþêA`1ãzt‡îH³væÍsM7-ëÌWPöQÏúvc›t^•Ä#‚›lƒ=Q¹¸\0÷4 \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ed8de8f..72bd62c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
 vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
 mba = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLQTIPZraE+jpMqGkh8yUhNFzRJbMarX5Mky3nETw6c root@mba-m2";
 do = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID6qsTQwvo6lUACTZKb4T+Je89bW3/BY4DB4aCTqfApz";
+ rivendell = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
 };
 users = {
 fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
@@ -53,4 +54,9 @@ in
 users.fcuny
 hosts.vm-synology
 ];
+
+ "rivendell/wireguard.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
 }
-- cgit v1.2.3