Add rock5b to wireguard VPN

2023-04-12 12:25:56 +02:00 · 2023-04-12 12:25:56 +02:00 · d20b2c386e
commit d20b2c386e
parent 11b7466753
7 changed files with 59 additions and 36 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -168,7 +168,13 @@
      };
      rock5b = {
        system = "aarch64-linux";
-        extraModules = [inputs.rock5b.nixosModules.default];
+        extraModules = with inputs; [
+          disko.nixosModules.disko
+          rock5b.nixosModules.default
+        ];
+        secrets = {
+          "rock5b-wireguard-private-key" = {};
+        };
      };
      pbp = {
        system = "aarch64-linux";
--- a/hosts/rock5b/default.nix
+++ b/hosts/rock5b/default.nix
@ -10,6 +10,7 @@
    "common"
    "ssh"
    "ccr"
+    "wireguard-client"
  ];

  ccr.enable = true;
@ -25,28 +26,7 @@
    generic-extlinux-compatible.enable = true;
  };

-  disko.devices = import ./disko.nix {};
-
-  services.nginx.enable = true;
-  services.nginx.virtualHosts."localhost" = {
-    cgit = {
-      enable = true;
-      virtual-root = "/";
-      include = [
-        (builtins.toFile "cgitrc-extra-1" ''
-          repo.url=test-repo.git
-          repo.path=/srv/git/test-repo.
-          repo.desc=the master foo repository
-          repo.owner=fooman@example.com
-          css=/custom.css
-        '')
-        (builtins.toFile "cgitrc-extra-2" ''
-          # Allow http transport git clone
-          enable-http-clone=1
-        '')
-      ];
-    };
-  };
+  disko = import ./disko.nix {};

  fileSystems."/mnt/film" = {
    device = "//ccr.ydns.eu/film";
--- a/hosts/rock5b/disko.nix
+++ b/hosts/rock5b/disko.nix
@ -1,5 +1,5 @@
 {emmc ? "/dev/mmcblk0", ...}: {
-  disko.devices = {
+  devices = {
    disk = {
      emmc = {
        type = "disk";
--- a/lib/default.nix
+++ b/lib/default.nix
@ -8,11 +8,13 @@
    hosts = {
      thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL";
      mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I";
+      rock5b = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+pPzPomBOf2eiC26HYrJb9+hlA0pnYPtv2eRYLfOAG";
    };
  };
  ips = {
    mothership = "10.100.0.1";
    thinkpad = "10.100.0.2";
    oneplus6t = "10.100.0.3";
+    rock5b = "10.100.0.4";
  };
 }
--- a/modules/wireguard-server/default.nix
+++ b/modules/wireguard-server/default.nix
@ -1,6 +1,8 @@
 {
  pkgs,
  config,
+  fleetFlake,
+  lib,
  ...
 }: {
  networking.nat.enable = true;
@ -26,18 +28,18 @@

      privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;

-      peers = [
-        {
-          # thinkpad
-          publicKey = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
-          allowedIPs = ["10.100.0.2/32"];
-        }
-        {
-          # oneplus6t
-          publicKey = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
-          allowedIPs = ["10.100.0.3/32"];
-        }
-      ];
+      peers = let
+        publicKeys = {
+          thinkpad = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
+          oneplus6t = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
+          rock5b = "bc5giljukT1+ChbbyTLdOfejfR3c8RZ4XoXmQM54nTY=";
+        };
+        mkPeer = hostname: {
+          publicKey = publicKeys."${hostname}";
+          allowedIPs = ["${(import "${fleetFlake}/lib").ips."${hostname}"}/32"];
+        };
+      in
+        builtins.map mkPeer (lib.mapAttrsToList (hostname: _: hostname) publicKeys);
    };
  };
 }
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -13,4 +13,5 @@ in
    # WireGuard
    "thinkpad-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg thinkpad];
    "mothership-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg mothership];
+    "rock5b-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg rock5b];
  }
--- a/secrets/rock5b-wireguard-private-key.age
+++ b/secrets/rock5b-wireguard-private-key.age
@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+B/b52zRV6ydfeVAOYtFu5g8ysnRXpX8VJWweSTikfAdfRf2c/VZsyb9o2nL0veDp
+i1vnhtf4X2LBWFi95ZLQX6gFBgxEnh3hwZwzItzlC6Qx984/8dQQLuTzK7FGUNh6
+QlH2g/Xuf20ddB08RQBo/oP8gHwjS45COXwzUVqRxR+I3HCwt+YitN0XEGXPnvKV
+f7G1daRzaxNl4bky8uNOL8O4CKLLVJQclr/8P1J+URqAyXvFkGhxpcJwNxvm8JyP
+Ha3mIY7ZTHWB6gjUeBXTFLAB7YbGvFSS2V54g4c1XuB7CStB48CZZaweJ5EJ3yyp
+dKRumP+EtJKe+Er/vqZgry+WQmbXDw7ysupUzXXIZZWG8a0U7SzRBZqt80r6oS5K
+RagRTODQIFDwGXvLTeB56s2a9/6C3uaXoJD5STSoR+cMKQhHczHOUyxzMYc8vkwl
+hKHhdOSgEPAgHUMGGCRslTyznS4wZE7M2it97iENnb1LYlgxcrh3bspwiPw6iE98
+KoGz0G75Gto+rUBPWTc2kPD4Wtkosb7nC+ZQXor6sMYoT+fv9Ovpn/GwDkTR1ifS
+0dBsXyhjgns4fKqJl9sWCz15NIXS9z6ATvQ2h7vE5xXvFl3Ugxv25arO6LRvM8Yv
+HGrlwA/xTNTDiHKTULYfoqfPVHbBHI+iKFb7FGxaAB8
+-> ssh-rsa QHr3/A
+q8m9pqOuIhGOaTx2ZQx3v36NSeFCh+X/cUOyhGR1Xr9se9Tc+om3GPcxfzKCOHSf
+Mg00J+8D28TXMfp/tThFvWcK6oTYNesFqB2EK0xRaF4JLHE8PpdU1Y+nYgXznSfD
+nCmTwMtrx71Hts+aAAJuQsIm4y1/oVQLmtw86SHtCF6uYzOL8oTYXByy17YJtpB
+M9Lh63eFNXWBOjFotGN4I4pdrEXzo7aDmWnp2c8U2cDik23IrPTm59taF2fLXVlM
+0l3J65RGzZKqgop7wX9WWfqLtmelcaPHtReO5rCy1AGXCxjchSXfbn+iE+glXwhi
+7NBvoFZIcCEA4FiR7m9CFaBbTJBpVy5TmCBTXuXMOIFVOeryTdkIuvbCOxxchrTw
+u0R5YyD0yFbLq2hL5JCQZDPMKK+5GH2wbuXg29pSayCk8Pmg+8RCJzY2imtfHzHV
+u80QMoRnEvFfhJB2sVZ6ugxLLxVxE90wZVILzQK31xyOL9lQuisCnPVEVrc0PBVz
+7q86HtLgd3wASbK7ylZUu+DO6EsmGERhR4jZnnBXyTxGoLJbJKp8OsN3cWYZdilx
+sGtjX7Pi19IzWh7Rp5kFXaj+5r//6+kBDt97IiY/DSDgspqdRydJL1cw8jbhBVOX
+QIKllFjiY00Y5ou7fM9z3kePC5qEP/Q+iGi0K+PnEcM
+-> ssh-ed25519 EJftvQ pDgNqx9ZlL+7Yo3CPYKNX5VJxwEEo66RoMLLjhrdtRo
+hlSG0ryo4UiycLUDHABOrSxFG63N3VVX04wtw6sNYdc
+-> +^-grease gsd \a.-,gx# S@ 4'
+AFDfkKtGuVSs3AECvjr2H88xEAJU9NONhxdXwz5KjHJO3PV05KV1b5f3RIZ8PgHc
+6V8yzgN2mB0bAA
+--- qkw9kh+EGzr8F3LFieA06BoOPkGmiI3Si05l4YfIgLQ
+ÙTSï5`¼|±…ÿ‘C¿pµô'7AÿMCRSÍ+{£j“†j“,{Á.‡a6¼’'`Dñ‡39Å(òÜì<10>‹ipåc‡Ž+\†¶