Connect picard to the MLabs VPN

hosts/default.nix

@@ -89,6 +89,7 @@
           "forgejo-runners-token".owner = "nixuser";
           "forgejo-nix-access-tokens".owner = "nixuser";
           "nix-netrc" = { };
+          "wireguard-mlabs-private-key" = { };
         };
       };
 

hosts/picard/default.nix

@@ -41,6 +41,7 @@
       "prometheus-exporters"
       "zerotier"
       "alloy"
+      "wireguard-mlabs"
     ]
     ++ [ ./disko.nix ];
 

modules/wireguard-mlabs/default.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+  networking.wireguard.interfaces.wg1 = {
+    ips = [ "10.10.1.1/32" ];
+    peers = [
+      {
+        publicKey = "A4u2Rt5WEMHOAc6YpDABkqAy2dzzFLH9Gn8xWcKaPQQ=";
+        allowedIPs = [ "10.10.0.0/16" ];
+        endpoint = "vpn.staging.mlabs.city:51820";
+        persistentKeepalive = 25;
+      }
+    ];
+    privateKeyFile = config.age.secrets.wireguard-mlabs-private-key.path;
+  };
+}

secrets/secrets.nix

@@ -164,6 +164,12 @@ with keys.users;
     picard
     kirk
   ];
+  "wireguard-mlabs-private-key.age".publicKeys = [
+    ccr-ssh
+    picard
+    pike
+    kirk
+  ];
 
   # WireGuard
   "picard-wireguard-private-key.age".publicKeys = [

secrets/wireguard-mlabs-private-key.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 Zh7Kmw 1pcva3l9KyvXlzWJVeul63s1xnL2yEMzuB1R73IdKlA
+TDDa9yQYXrqFS+MCEeqCcQ/27zu3WytSmU5MBNyQTIk
+-> ssh-ed25519 /WmILg z9/JeIxSpzndNP+1fwfdRfKYTaNp7wVITCkF7wwayEs
+8PlFDHZbA0Z/3svhPWGE/sHfsMNmuXrdP6Qf0FhLMmc
+-> ssh-ed25519 OYRzvQ Tk0mN20c8199ZvTY6jXY6ExSXGR3kb4qtnj8HkPj1xY
+5SGMhFzIE98NgNw7bnnivVTvuKtBtJdf/2jAjJUSKl8
+-> ssh-ed25519 /yLdGQ 8J4LLlxtMFW8fALPGUk/NaHIJ59bo9tKe5TGiGAvYhk
+sgE0SQi169mEtltDWIb4ZZaXKUXORyiKhmOZsNOiqKU
+--- sWbCYolqfqwIsja6nNdyPBcOeM/Qq5GninMokUvK4xE
+ÆʼngzŽùï‹Ý{Ä4îÜ	¯Xé?‰<>ë’
+Ae"„€vÈ\Ho,m}bÂq½žä$âÌh—:æfÜGkFÜ=#0q™