From d20b2c386e8d31fc2089bccd317d650445246f04 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Wed, 12 Apr 2023 12:25:56 +0200
Subject: [PATCH] Add `rock5b` to `wireguard` VPN

---
 hosts/default.nix | 8 +++++-
 hosts/rock5b/default.nix | 24 ++----------------
 hosts/rock5b/disko.nix | 2 +-
 lib/default.nix | 2 ++
 modules/wireguard-server/default.nix | 26 ++++++++++---------
 secrets/default.nix | 1 +
 secrets/rock5b-wireguard-private-key.age | 32 ++++++++++++++++++++++++
 7 files changed, 59 insertions(+), 36 deletions(-)
 create mode 100644 secrets/rock5b-wireguard-private-key.age

diff --git a/hosts/default.nix b/hosts/default.nix
index 1579622..e7d54ce 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -168,7 +168,13 @@
 };
 rock5b = {
 system = "aarch64-linux";
- extraModules = [inputs.rock5b.nixosModules.default];
+ extraModules = with inputs; [
+ disko.nixosModules.disko
+ rock5b.nixosModules.default
+ ];
+ secrets = {
+ "rock5b-wireguard-private-key" = {};
+ };
 };
 pbp = {
 system = "aarch64-linux";
diff --git a/hosts/rock5b/default.nix b/hosts/rock5b/default.nix
index 3bb0a6b..469fc3b 100644
--- a/hosts/rock5b/default.nix
+++ b/hosts/rock5b/default.nix
@@ -10,6 +10,7 @@
 "common"
 "ssh"
 "ccr"
+ "wireguard-client"
 ];
 
 ccr.enable = true;
@@ -25,28 +26,7 @@
 generic-extlinux-compatible.enable = true;
 };
 
- disko.devices = import ./disko.nix {};
-
- services.nginx.enable = true;
- services.nginx.virtualHosts."localhost" = {
- cgit = {
- enable = true;
- virtual-root = "/";
- include = [
- (builtins.toFile "cgitrc-extra-1" ''
- repo.url=test-repo.git
- repo.path=/srv/git/test-repo.
- repo.desc=the master foo repository
- repo.owner=fooman@example.com
- css=/custom.css
- '')
- (builtins.toFile "cgitrc-extra-2" ''
- # Allow http transport git clone
- enable-http-clone=1
- '')
- ];
- };
- };
+ disko = import ./disko.nix {};
 
 fileSystems."/mnt/film" = {
 device = "//ccr.ydns.eu/film";
diff --git a/hosts/rock5b/disko.nix b/hosts/rock5b/disko.nix
index 9475fef..5dda7c5 100644
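Review bot: `extraModules = with inputs; [ … ]` resolves `disko` and `rock5b` dynamically through `with`, and a `with` binding is silently overridden by any lexical binding of the same name, so the provenance of those two entries is less obvious than in the removed line. Writing them out, `extraModules = [inputs.disko.nixosModules.disko inputs.rock5b.nixosModules.default];`, keeps the style of the line it replaces and avoids the scoping ambiguity. The new `secrets` entry name is tied to the `${config.networking.hostName}-wireguard-private-key` lookup seen in modules/wireguard-server/default.nix; a comment such as `# name must match "<hostName>-wireguard-private-key" as read by the wireguard modules` would make that coupling visible where the secret is declared. The enclosing `rock5b = { … }` attrset and its parent open outside the hunk.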
--- a/hosts/rock5b/disko.nix
+++ b/hosts/rock5b/disko.nix
@@ -1,5 +1,5 @@
 {emmc ? "/dev/mmcblk0", ...}: {
- disko.devices = {
+ devices = {
 disk = {
 emmc = {
 type = "disk";
diff --git a/lib/default.nix b/lib/default.nix
index 25fccd7..4c8dbcd 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -8,11 +8,13 @@
 hosts = {
 thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL";
 mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I";
+ rock5b = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+pPzPomBOf2eiC26HYrJb9+hlA0pnYPtv2eRYLfOAG";
 };
 };
 ips = {
 mothership = "10.100.0.1";
 thinkpad = "10.100.0.2";
 oneplus6t = "10.100.0.3";
+ rock5b = "10.100.0.4";
 };
 }
diff --git a/modules/wireguard-server/default.nix b/modules/wireguard-server/default.nix
index 23426ad..b1c6005 100644
--- a/modules/wireguard-server/default.nix
+++ b/modules/wireguard-server/default.nix
@@ -1,6 +1,8 @@
 {
 pkgs,
 config,
+ fleetFlake,
+ lib,
 ...
 }: {
 networking.nat.enable = true;
@@ -26,18 +28,18 @@
 
 privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
 
- peers = [
- {
- # thinkpad
- publicKey = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
- allowedIPs = ["10.100.0.2/32"];
- }
- {
- # oneplus6t
- publicKey = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
- allowedIPs = ["10.100.0.3/32"];
- }
- ];
+ peers = let
+ publicKeys = {
+ thinkpad = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
+ oneplus6t = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
+ rock5b = "bc5giljukT1+ChbbyTLdOfejfR3c8RZ4XoXmQM54nTY=";
+ };
+ mkPeer = hostname: {
+ publicKey = publicKeys."${hostname}";
+ allowedIPs = ["${(import "${fleetFlake}/lib").ips."${hostname}"}/32"];
+ };
+ in
+ builtins.map mkPeer (lib.mapAttrsToList (hostname: _: hostname) publicKeys);
 };
 };
 }
diff --git a/secrets/default.nix b/secrets/default.nix
index 6d46abc..a325add 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
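Review bot: `builtins.map mkPeer (lib.mapAttrsToList (hostname: _: hostname) publicKeys)` takes a detour through a list of names that `lib.mapAttrsToList` can map directly; `peers = lib.mapAttrsToList (hostname: publicKey: mkPeer hostname publicKey) publicKeys;` with `mkPeer = hostname: publicKey: { inherit publicKey; allowedIPs = […]; }` says the same thing in one pass and drops the `publicKeys."${hostname}"` re-lookup. Deriving `allowedIPs` from `(import "${fleetFlake}/lib").ips` is the right direction, since each peer is now confined to the single /32 the fleet table assigns it, but it leaves two inventories that must stay in sync: a name present in `publicKeys` but missing from `ips` (the lib/default.nix hunk) aborts evaluation of the server config with a missing-attribute error, whereas a host with an `ips` entry but no key here is simply never admitted, with no diagnostic. A comment above `publicKeys`, `# every hostname here must also have an entry in lib/default.nix ips; allowedIPs is derived from it`, would document that contract, and keeping the WireGuard public keys next to `ips` in lib would make one table the source of truth. The enclosing interface attrset opens outside this hunk.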
@@ -13,4 +13,5 @@ in
 # WireGuard
 "thinkpad-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg thinkpad];
 "mothership-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg mothership];
+ "rock5b-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg rock5b];
 }
diff --git a/secrets/rock5b-wireguard-private-key.age b/secrets/rock5b-wireguard-private-key.age
new file mode 100644
index 0000000..d1c1a4a
--- /dev/null
+++ b/secrets/rock5b-wireguard-private-key.age
@@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +B/b52zRV6ydfeVAOYtFu5g8ysnRXpX8VJWweSTikfAdfRf2c/VZsyb9o2nL0veDp +i1vnhtf4X2LBWFi95ZLQX6gFBgxEnh3hwZwzItzlC6Qx984/8dQQLuTzK7FGUNh6 +QlH2g/Xuf20ddB08RQBo/oP8gHwjS45COXwzUVqRxR+I3HCwt+YitN0XEGXPnvKV +f7G1daRzaxNl4bky8uNOL8O4CKLLVJQclr/8P1J+URqAyXvFkGhxpcJwNxvm8JyP +Ha3mIY7ZTHWB6gjUeBXTFLAB7YbGvFSS2V54g4c1XuB7CStB48CZZaweJ5EJ3yyp +dKRumP+EtJKe+Er/vqZgry+WQmbXDw7ysupUzXXIZZWG8a0U7SzRBZqt80r6oS5K +RagRTODQIFDwGXvLTeB56s2a9/6C3uaXoJD5STSoR+cMKQhHczHOUyxzMYc8vkwl +hKHhdOSgEPAgHUMGGCRslTyznS4wZE7M2it97iENnb1LYlgxcrh3bspwiPw6iE98 +KoGz0G75Gto+rUBPWTc2kPD4Wtkosb7nC+ZQXor6sMYoT+fv9Ovpn/GwDkTR1ifS +0dBsXyhjgns4fKqJl9sWCz15NIXS9z6ATvQ2h7vE5xXvFl3Ugxv25arO6LRvM8Yv +HGrlwA/xTNTDiHKTULYfoqfPVHbBHI+iKFb7FGxaAB8 +-> ssh-rsa QHr3/A +q8m9pqOuIhGOaTx2ZQx3v36NSeFCh+X/cUOyhGR1Xr9se9Tc+om3GPcxfzKCOHSf +Mg00J+8D28TXMfp/tThFvWcK6oTYNesFqB2EK0xRaF4JLHE8PpdU1Y+nYgXznSfD ++nCmTwMtrx71Hts+aAAJuQsIm4y1/oVQLmtw86SHtCF6uYzOL8oTYXByy17YJtpB +M9Lh63eFNXWBOjFotGN4I4pdrEXzo7aDmWnp2c8U2cDik23IrPTm59taF2fLXVlM +0l3J65RGzZKqgop7wX9WWfqLtmelcaPHtReO5rCy1AGXCxjchSXfbn+iE+glXwhi +7NBvoFZIcCEA4FiR7m9CFaBbTJBpVy5TmCBTXuXMOIFVOeryTdkIuvbCOxxchrTw +u0R5YyD0yFbLq2hL5JCQZDPMKK+5GH2wbuXg29pSayCk8Pmg+8RCJzY2imtfHzHV +u80QMoRnEvFfhJB2sVZ6ugxLLxVxE90wZVILzQK31xyOL9lQuisCnPVEVrc0PBVz +7q86HtLgd3wASbK7ylZUu+DO6EsmGERhR4jZnnBXyTxGoLJbJKp8OsN3cWYZdilx +sGtjX7Pi19IzWh7Rp5kFXaj+5r//6+kBDt97IiY/DSDgspqdRydJL1cw8jbhBVOX +QIKllFjiY00Y5ou7fM9z3kePC5qEP/Q+iGi0K+PnEcM +-> ssh-ed25519 EJftvQ pDgNqx9ZlL+7Yo3CPYKNX5VJxwEEo66RoMLLjhrdtRo +hlSG0ryo4UiycLUDHABOrSxFG63N3VVX04wtw6sNYdc +-> +^-grease gsd \a.-,gx# S@ 4' +AFDfkKtGuVSs3AECvjr2H88xEAJU9NONhxdXwz5KjHJO3PV05KV1b5f3RIZ8PgHc +6V8yzgN2mB0bAA +--- qkw9kh+EGzr8F3LFieA06BoOPkGmiI3Si05l4YfIgLQ +TS5`|Cp'7AMCRS+{jj,{.a6'`D39( ipc+\ \ No newline at end of file