wg

2026-01-14 16:55:00 +01:00 · 2024-07-28 14:04:54 +02:00 · 2024-07-28 14:04:54 +02:00 · 72e79f9cc3
commit 72e79f9cc3
parent 8c6441a941
14 changed files with 74 additions and 8 deletions
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@ -112,7 +112,7 @@
    '';
  };

-  vps1 = { name, nodes, modulesPath, ... }: {
+  vps1 = { name, nodes, modulesPath, config, ... }: {
    imports = [
      (modulesPath + "/profiles/qemu-guest.nix")
      ./modules/contabo
@ -126,8 +126,28 @@
    networking.hostName = name;
    deployment.tags = [ "ingress" "eu" "apps" ];
    system.stateVersion = "23.11";
+
+    # TODO: move
+    age.secrets.wg_private.file = ./secrets/wg_private_vps1.age;
+    networking.wg-quick.interfaces = {
+      wg0 = {
+        address = [ "10.0.0.1/24" ];
+        listenPort = 51820;
+
+        privateKeyFile = config.age.secrets.wg_private.path;
+
+        peers = [
+          {
+            publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
+            endpoint = "vps3.infra.noratrieb.dev:51820";
+            allowedIPs = [ "10.0.0.3/32" ];
+            # TODO: Use PSK
+          }
+        ];
+      };
+    };
  };
-  vps3 = { name, nodes, modulesPath, ... }: {
+  vps3 = { name, nodes, modulesPath, config, ... }: {
    imports = [
      (modulesPath + "/profiles/qemu-guest.nix")
      ./modules/contabo
@ -138,5 +158,25 @@
    networking.hostName = name;
    deployment.tags = [ "ingress" "eu" "apps" ];
    system.stateVersion = "23.11";
+
+    # TODO: move
+    age.secrets.wg_private.file = ./secrets/wg_private_vps3.age;
+    networking.wg-quick.interfaces = {
+      wg0 = {
+        address = [ "10.0.0.3/24" ];
+        listenPort = 51820;
+
+        privateKeyFile = config.age.secrets.wg_private.path;
+
+        peers = [
+          {
+            publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
+            endpoint = "vps1.infra.noratrieb.dev:51820";
+            allowedIPs = [ "10.0.0.1/32" ];
+            # TODO: Use PSK
+          }
+        ];
+      };
+    };
  };
 }
--- a/newinfra/nix/secrets/docker_registry_password.age
+++ b/newinfra/nix/secrets/docker_registry_password.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 cVCt6g AAbb0ErTvg38WthfQ3l812GEevHWHclMOyFaPj4+GT0
-Rd83XSOPBQQVfCur8qOpMAxl0G25Obg/d4sLWW86Qb4
--- fRS0N8vuoOh7BdE2mcDZrQJDwN+MgTwmYWfYDDvwFnY
-Ni:l÷"½03Ç4‚²}zØV„òàžÖÁXÜ-†z—Øð(k'Åæf[”÷>ôÐþáî¢ý®
+-> ssh-ed25519 qM6TYg h7thhES4AbX7wd5Q0GC+VOIPU+yRezLL/yGlP1oNRT8
+owpgDNXP3xaM8vLv2UoU3ZanvATRneY01wnSEwJ62RQ
+--- 77pBCJdp1bAPFZqAJHCE8f0baRQf1pYupF9rN6XN+IQ
+G’å¬+·îk$<11>LœH¬¡ÁH’_§pPq8
úª–‡ûkî½qÞ‡a+ÆºæÛØUZ:GAØq
--- a/newinfra/nix/secrets/encrypt.sh
+++ b/newinfra/nix/secrets/encrypt.sh
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+dir=$(realpath "$(dirname "$0")")
+cd "$dir"
+
+for secret in ../../secrets-git-crypt/*; do
+    agename="$(basename "$secret" | sed 's/\./_/').age"
+    rm -f "$agename"
+    agenix -e "$agename" < "$secret"
+done
--- a/newinfra/nix/secrets/minio_env_file.age
+++ b/newinfra/nix/secrets/minio_env_file.age
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@ -1,10 +1,12 @@
 let
-  vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOixcV3SGAWRCMYYn+ybioFSBhpfkYzSU1nX+g6e5jI5";
-  vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2e3h6Z2HcKDP6mkBip/5M41AegUdSdNa9mc8LrXpR";
+  vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R";
+  vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C";
 in
 {
  "widetom_bot_token.age".publicKeys = [ vps1 ];
  "widetom_config_toml.age".publicKeys = [ vps1 ];
  "docker_registry_password.age".publicKeys = [ vps1 ];
  "minio_env_file.age".publicKeys = [ vps1 vps3 ];
+  "wg_private_vps1.age".publicKeys = [ vps1 ];
+  "wg_private_vps3.age".publicKeys = [ vps3 ];
 }
--- a/newinfra/nix/secrets/wg_private_vps1.age
+++ b/newinfra/nix/secrets/wg_private_vps1.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 qM6TYg ixjKLm1tffnj6uO82cgQ3zVFyvjC5IVYJDLnsNeGRwU
+S0LPQocVcyqAJ1Uo0wN/jCIZpXPTCNb372hj+Y3WkOo
+--- V+cmQNkhAyNNVhbKrcIniV+vfRWo9s9IGzp6mPg9K8I
+äòsGèV‚<EFBFBD>]g–cæí¼˜»Hç’5®¢ÌLî<âË}ÛÒƒb]øÐÑSìlxòjã¡:ôkZ—™»iÕ¯<>+TÑlMºóJ„Cûf
--- a/newinfra/nix/secrets/wg_private_vps3.age
+++ b/newinfra/nix/secrets/wg_private_vps3.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 XzACZQ gtCa9SHGq2EoXeEuQsFbu01yinWKvjt5LmhiAWM90U4
+LOyaZjzfRJTTJLi3qTN/DKqwgMZm4gvsvZjJt3doPQw
+--- hwsVLuP5IIMGBwHDIlrq/74/z2qKuwCczLLNXS5M29w
+=9•Å¾³5¦IT| Ì¶c”kê¿<12>ßx›èhöIËiC‰XkcñÂ}ŒHPÚ^5”MÚˆú?qœ)î¢Ød’ºrWa¥È<12>Å÷ù
--- a/newinfra/nix/secrets/widetom_bot_token.age
+++ b/newinfra/nix/secrets/widetom_bot_token.age
--- a/newinfra/nix/secrets/widetom_config_toml.age
+++ b/newinfra/nix/secrets/widetom_config_toml.age
--- a/newinfra/provision/README.md
+++ b/newinfra/provision/README.md
@ -7,6 +7,7 @@ NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-i
 > If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname.

 ```
+hostname tmp
 curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect
 bash nixos-infect
 ```
--- a/newinfra/secrets-git-crypt/docker_registry_password
+++ b/newinfra/secrets-git-crypt/docker_registry_password
--- a/newinfra/secrets-git-crypt/wg_private_vps1
+++ b/newinfra/secrets-git-crypt/wg_private_vps1
--- a/newinfra/secrets-git-crypt/wg_private_vps3
+++ b/newinfra/secrets-git-crypt/wg_private_vps3