From 57f3d7645bfc12a0bc50fc328e4086ef2d50fc43 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Sat, 1 Apr 2023 14:29:45 +0200
Subject: [PATCH] `wireguard` client module for `thinkpad`

---
 hosts/default.nix | 3 ++
 hosts/thinkpad/default.nix | 1 +
 modules/wireguard-client/default.nix | 32 ++++++++++++++++++++++
 secrets/default.nix | 5 ++++
 secrets/thinkpad-wireguard-private-key.age | 8 ++++++
 5 files changed, 49 insertions(+)
 create mode 100644 modules/wireguard-client/default.nix
 create mode 100644 secrets/thinkpad-wireguard-private-key.age

diff --git a/hosts/default.nix b/hosts/default.nix
index feb79b4..1e1ca1d 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -150,6 +150,9 @@
 extraHmModules = [
 inputs.ccrEmacs.hmModules.default
 ];
+ secrets = {
+ "thinkpad-wireguard-private-key" = {};
+ };
 };
 rock5b = {
 system = "aarch64-linux";
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 498b59d..705c8f6 100644
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -11,6 +11,7 @@
 ./hardware-configuration.nix
 ]
 ++ fleetModules [
+ "wireguard-client"
 "adb"
 "audio"
 "battery"
diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix
new file mode 100644
index 0000000..7dc8dc5
--- /dev/null
+++ b/modules/wireguard-client/default.nix
@@ -0,0 +1,32 @@
+{config, ...}: {
+ networking.firewall = {
+ allowedUDPPorts = [51820]; # Clients and peers can use the same port, see listenport
+ };
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ ips = ["10.100.0.2/32"];
+ listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
+
+ peers = [
+ {
+ # Public key of the server (not a file path).
+ publicKey = "O9V2PI7+vZm7gGn3f9SaTsJbVe9urf/jZkdXFz/mjVU=";
+
+ # Forward all the traffic via VPN.
+ # allowedIPs = [ "0.0.0.0/0" ];
+ # Or forward only particular subnets
+ allowedIPs = ["10.100.0.1"];
+
+ # Set this to the server IP and port.
+ endpoint = "mothership.aciceri.dev:51820";
+
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index 5ce885f..fa4057c 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -2,6 +2,7 @@ let
 users.ccr = "ssh-rsa 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";
 hosts = {
 test = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc46mGCuaKLwNzK/abuedYQLw9h/Cp5MhVb7IHTGh0E root@test";
+ thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL";
 mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I";
 };
 in {
@@ -9,4 +10,8 @@ in {
 "autistici-password.age".publicKeys = [users.ccr];
 "magit-forge-github-token.age".publicKeys = [users.ccr hosts.mothership];
 "git-workspace-tokens.age".publicKeys = [users.ccr hosts.test hosts.mothership];
+
+ # WireGuard
+
+ "thinkpad-wireguard-private-key.age".publicKeys = [hosts.thinkpad];
 }
diff --git a/secrets/thinkpad-wireguard-private-key.age b/secrets/thinkpad-wireguard-private-key.age
new file mode 100644
index 0000000..f8d98a3
--- /dev/null
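Review bot: The module is pulled in via `fleetModules` under the generic name `wireguard-client`, yet `ips = ["10.100.0.2/32"]` is hard-coded while `privateKeyFile` is derived from `config.networking.hostName`; a second host importing it would get its own key but the same tunnel address, so either the address should become a per-host option next to the key lookup, or the file should carry a comment stating it is thinkpad-only. The `networking.firewall.allowedUDPPorts = [51820]` entry also looks unnecessary for a roaming client: the server is reached outbound via `endpoint` and the session is kept alive by `persistentKeepalive = 25`, so `listenPort` alone pins the source port without accepting unsolicited inbound UDP on every network the laptop joins — drop it unless this host is meant to accept inbound peers. Minor: write `allowedIPs = ["10.100.0.1/32"];` with an explicit prefix so the intended scope is obvious next to the commented-out `0.0.0.0/0` alternative.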
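Review bot: `"thinkpad-wireguard-private-key.age".publicKeys = [hosts.thinkpad];` is the only entry in this file whose recipient list omits `users.ccr`, so the admin identity presumably cannot decrypt or rekey it from a workstation and any rotation has to happen on the thinkpad itself. If that is a deliberate least-exposure choice, say so in the `# WireGuard` comment instead of leaving it as a bare heading; otherwise use `"thinkpad-wireguard-private-key.age".publicKeys = [users.ccr hosts.thinkpad];` to match the other entries. The first hunk of this file adds the `thinkpad` host key this entry refers to.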
+++ b/secrets/thinkpad-wireguard-private-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 GVMLQg 8234gUExVmFvBd15Y8mDZMQN+JB0iF19Aco06QOF+WI +pF4KkrffJ/JyihbqyzssHWQj4KTAT9FaO6d4C7W3fjQ +-> C_|=?Ris-grease g3jg)xQT BnPMOr^ C3 +CTxz+ixS9zskTgznQf9x80hgX/maxeYS5GQloV9ARTs0g1q8sR4XWWcM28c7RKoM +vxfC5QDCpmXaCiDG7s/xaTXF0GDSAyuFfcUCru0L0aOnz2ZGlWllKZ4 +--- n10P3gZZFs/X9zqMlV+jNgYd3nBdt0UJEqvB0GDDgRs +0sàÇwÌÝN©hÚ:¾ØR<.6}?Šä!µ}ená `5lÉLm¥²™ïsYÁð˜šø~d0~Å–x‡{¼BAuqüàíáȘÒž \ No newline at end of file