wireguard client module for thinkpad

2023-04-01 14:29:45 +02:00 · 2023-04-01 14:29:45 +02:00 · 57f3d7645b
commit 57f3d7645b
parent 9f2dcb920e
5 changed files with 49 additions and 0 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -150,6 +150,9 @@
        extraHmModules = [
          inputs.ccrEmacs.hmModules.default
        ];
        secrets = {
          "thinkpad-wireguard-private-key" = {};
        };
      };
      rock5b = {
        system = "aarch64-linux";
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -11,6 +11,7 @@
      ./hardware-configuration.nix
    ]
    ++ fleetModules [
      "wireguard-client"
      "adb"
      "audio"
      "battery"
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@ -0,0 +1,32 @@
 {config, ...}: {
  networking.firewall = {
    allowedUDPPorts = [51820]; # Clients and peers can use the same port, see listenport
  };
  # Enable WireGuard
  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      ips = ["10.100.0.2/32"];
      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
      privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
      peers = [
        {
          # Public key of the server (not a file path).
          publicKey = "O9V2PI7+vZm7gGn3f9SaTsJbVe9urf/jZkdXFz/mjVU=";
          # Forward all the traffic via VPN.
          # allowedIPs = [ "0.0.0.0/0" ];
          # Or forward only particular subnets
          allowedIPs = ["10.100.0.1"];
          # Set this to the server IP and port.
          endpoint = "mothership.aciceri.dev:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
 }
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -2,6 +2,7 @@ let
  users.ccr = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5cEUx25pnZiH3eBrE2xNbJ92gJiKSznDUNRzcEL4ti6FlJm+75p4q0hgdqHwStR8+uCWBL6viVFCGutOVMFE5MX1Oc3A8fJdR6H9Rrwvk/1UQzqzc9tWxw1qPLKz+fnPDomjOvNofghCWQRwX3Xf1HnIqvRwELpNbR9i+/cHkDGzLJxkstbt4gol8ywMPkw02QdKk8s5MEd1vawxc+7Chs0JPW57RDqDYFErYys52JLeAViCBB9bofF+KT42LuRXKSjWlvCV9kR5TL49vUeBgzMQWMh++WQdN4m9lpqFqYyc75I49/E0HGf8LChDSS+hvRnb5MbtnVGjEA4WDHyldmJCvUNob5CUo4FjoSPRi+S/J3Ads8D4JVwaJOJEVqmMKEhiQ0Hzk4hwe3eV/VumlZj4U/QjaCrqqi4TW/iP0gNRfzcfiM+G/z5R7w1NMUpTX7oilyKjMQmGnXB857D3SSptS7dwh5OiKhVmrQMRCduooUsj236abqLU28K//RnxhOgh8kDGgoUHApnTiMZNKhgLiR42lKrubNcW1tAAqoNyFLMwwXeMLjh0iP1b5y8ntfNPNIcGb7vcwpS24z/aIjW7rQ4J7x5EBphHGhys6ne+irdhOM8c7kFr+c8+Q2oU0YAtFuMYztAFOHm1e20X00Zvys2nuee+hT9F1NungAQ==";
  hosts = {
    test = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc46mGCuaKLwNzK/abuedYQLw9h/Cp5MhVb7IHTGh0E root@test";
    thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL";
    mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I";
  };
 in {
@ -9,4 +10,8 @@ in {
  "autistici-password.age".publicKeys = [users.ccr];
  "magit-forge-github-token.age".publicKeys = [users.ccr hosts.mothership];
  "git-workspace-tokens.age".publicKeys = [users.ccr hosts.test hosts.mothership];
  # WireGuard
  "thinkpad-wireguard-private-key.age".publicKeys = [hosts.thinkpad];
 }
--- a/secrets/thinkpad-wireguard-private-key.age
+++ b/secrets/thinkpad-wireguard-private-key.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 GVMLQg 8234gUExVmFvBd15Y8mDZMQN+JB0iF19Aco06QOF+WI
 pF4KkrffJ/JyihbqyzssHWQj4KTAT9FaO6d4C7W3fjQ
 -> C_|=?Ris-grease g3jg)xQT BnPMOr^ C3
 CTxz+ixS9zskTgznQf9x80hgX/maxeYS5GQloV9ARTs0g1q8sR4XWWcM28c7RKoM
 vxfC5QDCpmXaCiDG7s/xaTXF0GDSAyuFfcUCru0L0aOnz2ZGlWllKZ4
 --- n10P3gZZFs/X9zqMlV+jNgYd3nBdt0UJEqvB0GDDgRs
 0sàÇwÌÝN©hÚ:¾ØR<.6}?Šä!µ}<7D>ená	`5lÉLm¥²™ïsYÁð˜š<CB9C>ø~d0~Å–x‡{¼BAu<41>qüàíáÈ˜Òž