wg

newinfra/nix/hive.nix

@@ -112,7 +112,7 @@
     '';
   };
 
-  vps1 = { name, nodes, modulesPath, ... }: {
+  vps1 = { name, nodes, modulesPath, config, ... }: {
     imports = [
       (modulesPath + "/profiles/qemu-guest.nix")
       ./modules/contabo
@@ -126,8 +126,28 @@
     networking.hostName = name;
     deployment.tags = [ "ingress" "eu" "apps" ];
     system.stateVersion = "23.11";
+
+    # TODO: move
+    age.secrets.wg_private.file = ./secrets/wg_private_vps1.age;
+    networking.wg-quick.interfaces = {
+      wg0 = {
+        address = [ "10.0.0.1/24" ];
+        listenPort = 51820;
+
+        privateKeyFile = config.age.secrets.wg_private.path;
+
+        peers = [
+          {
+            publicKey = "pdUxG1vhmYraKzIIEFxTRAMhGwGztBL/Ly5icJUV3g0=";
+            endpoint = "vps3.infra.noratrieb.dev:51820";
+            allowedIPs = [ "10.0.0.3/32" ];
+            # TODO: Use PSK
+          }
+        ];
+      };
+    };
   };
-  vps3 = { name, nodes, modulesPath, ... }: {
+  vps3 = { name, nodes, modulesPath, config, ... }: {
     imports = [
       (modulesPath + "/profiles/qemu-guest.nix")
       ./modules/contabo
@@ -138,5 +158,25 @@
     networking.hostName = name;
     deployment.tags = [ "ingress" "eu" "apps" ];
     system.stateVersion = "23.11";
+
+    # TODO: move
+    age.secrets.wg_private.file = ./secrets/wg_private_vps3.age;
+    networking.wg-quick.interfaces = {
+      wg0 = {
+        address = [ "10.0.0.3/24" ];
+        listenPort = 51820;
+
+        privateKeyFile = config.age.secrets.wg_private.path;
+
+        peers = [
+          {
+            publicKey = "5tg3w/TiCuCeKIBJCd6lHUeNjGEA76abT1OXnhNVyFQ=";
+            endpoint = "vps1.infra.noratrieb.dev:51820";
+            allowedIPs = [ "10.0.0.1/32" ];
+            # TODO: Use PSK
+          }
+        ];
+      };
+    };
   };
 }

newinfra/nix/secrets/docker_registry_password.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 cVCt6g AAbb0ErTvg38WthfQ3l812GEevHWHclMOyFaPj4+GT0
+-> ssh-ed25519 qM6TYg h7thhES4AbX7wd5Q0GC+VOIPU+yRezLL/yGlP1oNRT8
-Rd83XSOPBQQVfCur8qOpMAxl0G25Obg/d4sLWW86Qb4
+owpgDNXP3xaM8vLv2UoU3ZanvATRneY01wnSEwJ62RQ
---- fRS0N8vuoOh7BdE2mcDZrQJDwN+MgTwmYWfYDDvwFnY
+--- 77pBCJdp1bAPFZqAJHCE8f0baRQf1pYupF9rN6XN+IQ
-Ni:l÷"½03Ç4‚²}zØV„òàžÖÁXÜ-†z—Ø­ð(k'Åæf[”÷>ôÐþáî¢ý®
+G’å¬+·îk$<11>LœH¬¡ÁH’_§pPq8
úª–‡ûkî½qÞ‡a+ƺæÛØUZ:GAØq

newinfra/nix/secrets/encrypt.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+dir=$(realpath "$(dirname "$0")")
+cd "$dir"
+
+for secret in ../../secrets-git-crypt/*; do
+    agename="$(basename "$secret" | sed 's/\./_/').age"
+    rm -f "$agename"
+    agenix -e "$agename" < "$secret"
+done

newinfra/nix/secrets/secrets.nix

@@ -1,10 +1,12 @@
 let
-  vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOixcV3SGAWRCMYYn+ybioFSBhpfkYzSU1nX+g6e5jI5";
+  vps1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4Xj3TsDPStoHquTfOlyxShbA/kgMfQskKN8jpfiY4R";
-  vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2e3h6Z2HcKDP6mkBip/5M41AegUdSdNa9mc8LrXpR";
+  vps3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvupo7d9YMZw56qhjB+tZPijxiG1dKChLpkOWZN0Y7C";
 in
 {
   "widetom_bot_token.age".publicKeys = [ vps1 ];
   "widetom_config_toml.age".publicKeys = [ vps1 ];
   "docker_registry_password.age".publicKeys = [ vps1 ];
   "minio_env_file.age".publicKeys = [ vps1 vps3 ];
+  "wg_private_vps1.age".publicKeys = [ vps1 ];
+  "wg_private_vps3.age".publicKeys = [ vps3 ];
 }

newinfra/nix/secrets/wg_private_vps1.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 qM6TYg ixjKLm1tffnj6uO82cgQ3zVFyvjC5IVYJDLnsNeGRwU
+S0LPQocVcyqAJ1Uo0wN/jCIZpXPTCNb372hj+Y3WkOo
+--- V+cmQNkhAyNNVhbKrcIniV+vfRWo9s9IGzp6mPg9K8I
+äòsGèV‚<EFBFBD>]g–cæí¼˜»Hç’5®¢ÌLî<âË}ÛÒƒb]øÐÑSìlxòjã¡:ôkZ­—™»iÕ¯<>+TÑlMºóJ„Cûf

newinfra/nix/secrets/wg_private_vps3.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 XzACZQ gtCa9SHGq2EoXeEuQsFbu01yinWKvjt5LmhiAWM90U4
+LOyaZjzfRJTTJLi3qTN/DKqwgMZm4gvsvZjJt3doPQw
+--- hwsVLuP5IIMGBwHDIlrq/74/z2qKuwCczLLNXS5M29w
+=9•ž³5¦IT| Ì­¶c”kê¿<12>ßx›èhöIËiC‰XkcñÂ}ŒHPÚ^5”MÚ­ˆú?qœ)î¢Ød’ºrWa¥È<12>Å÷ù

newinfra/provision/README.md

@@ -7,6 +7,7 @@ NixOS is provisioned by running [nixos-infect](https://github.com/elitak/nixos-i
 > If you run the script before changing the hostname - remove the /etc/nixos/configuration.nix so it's regenerated with the new hostname.
 
 ```
+hostname tmp
 curl -LO https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect
 bash nixos-infect
 ```

shell.nix

@@ -11,6 +11,7 @@
     shellcheck
     git-crypt
     opentofu
+    wireguard-tools
     (import (builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz") { }).agenix
   ];
 }