aciceri/nixfleet
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Add rock5b to wireguard VPN

Browse source
This commit is contained in:
Andrea Ciceri 2023-04-12 12:25:56 +02:00
parent 11b7466753
commit d20b2c386e
Signed by: aciceri
SSH key fingerprint: SHA256:/AagBweyV4Hlfg9u092n8hbHwD5fcB6A3qhDiDA65Rg
7 changed files with 59 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
hosts/default.nix
View file

@ -168,7 +168,13 @@
}; };
rock5b = { rock5b = {
system = "aarch64-linux"; system = "aarch64-linux";
extraModules = [inputs.rock5b.nixosModules.default]; extraModules = with inputs; [
disko.nixosModules.disko
rock5b.nixosModules.default
];
secrets = {
"rock5b-wireguard-private-key" = {};
};
}; };
pbp = { pbp = {
system = "aarch64-linux"; system = "aarch64-linux";

24
hosts/rock5b/default.nix
View file

@ -10,6 +10,7 @@
"common" "common"
"ssh" "ssh"
"ccr" "ccr"
"wireguard-client"
]; ];
ccr.enable = true; ccr.enable = true;
@ -25,28 +26,7 @@
generic-extlinux-compatible.enable = true; generic-extlinux-compatible.enable = true;
}; };
disko.devices = import ./disko.nix {}; disko = import ./disko.nix {};
services.nginx.enable = true;
services.nginx.virtualHosts."localhost" = {
cgit = {
enable = true;
virtual-root = "/";
include = [
(builtins.toFile "cgitrc-extra-1" ''
repo.url=test-repo.git
repo.path=/srv/git/test-repo.
repo.desc=the master foo repository
repo.owner=fooman@example.com
css=/custom.css
'')
(builtins.toFile "cgitrc-extra-2" ''
# Allow http transport git clone
enable-http-clone=1
'')
];
};
};
fileSystems."/mnt/film" = { fileSystems."/mnt/film" = {
device = "//ccr.ydns.eu/film"; device = "//ccr.ydns.eu/film";

2
hosts/rock5b/disko.nix
View file

@ -1,5 +1,5 @@
{emmc ? "/dev/mmcblk0", ...}: { {emmc ? "/dev/mmcblk0", ...}: {
disko.devices = { devices = {
disk = { disk = {
emmc = { emmc = {
type = "disk"; type = "disk";

2
lib/default.nix
View file

@ -8,11 +8,13 @@
hosts = { hosts = {
thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL"; thinkpad = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZMyLFfuBeDfPLn8WL6JazYpYq3oVvCdD4ktyt915TL";
mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I"; mothership = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlepPWHE9GvQIBcAQBQPd80oiePSPxGDnMdqpdEqx6I";
rock5b = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+pPzPomBOf2eiC26HYrJb9+hlA0pnYPtv2eRYLfOAG";
}; };
}; };
ips = { ips = {
mothership = "10.100.0.1"; mothership = "10.100.0.1";
thinkpad = "10.100.0.2"; thinkpad = "10.100.0.2";
oneplus6t = "10.100.0.3"; oneplus6t = "10.100.0.3";
rock5b = "10.100.0.4";
}; };
} }

26
modules/wireguard-server/default.nix
View file

@ -1,6 +1,8 @@
{ {
pkgs, pkgs,
config, config,
fleetFlake,
lib,
... ...
}: { }: {
networking.nat.enable = true; networking.nat.enable = true;
@ -26,18 +28,18 @@
privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path; privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
peers = [ peers = let
{ publicKeys = {
# thinkpad thinkpad = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
publicKey = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI="; oneplus6t = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI=";
allowedIPs = ["10.100.0.2/32"]; rock5b = "bc5giljukT1+ChbbyTLdOfejfR3c8RZ4XoXmQM54nTY=";
} };
{ mkPeer = hostname: {
# oneplus6t publicKey = publicKeys."${hostname}";
publicKey = "O6/tKaA8Hs7OEqi15hV4RwviR6vyCTMYv6ZlhsI+tnI="; allowedIPs = ["${(import "${fleetFlake}/lib").ips."${hostname}"}/32"];
allowedIPs = ["10.100.0.3/32"]; };
} in
]; builtins.map mkPeer (lib.mapAttrsToList (hostname: _: hostname) publicKeys);
}; };
}; };
} }

1
secrets/default.nix
View file

@ -13,4 +13,5 @@ in
# WireGuard # WireGuard
"thinkpad-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg thinkpad]; "thinkpad-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg thinkpad];
"mothership-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg mothership]; "mothership-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg mothership];
"rock5b-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg rock5b];
} }

32
secrets/rock5b-wireguard-private-key.age Normal file
View file

@ -0,0 +1,32 @@
age-encryption.org/v1
-> ssh-rsa /AagBw
B/b52zRV6ydfeVAOYtFu5g8ysnRXpX8VJWweSTikfAdfRf2c/VZsyb9o2nL0veDp
i1vnhtf4X2LBWFi95ZLQX6gFBgxEnh3hwZwzItzlC6Qx984/8dQQLuTzK7FGUNh6
QlH2g/Xuf20ddB08RQBo/oP8gHwjS45COXwzUVqRxR+I3HCwt+YitN0XEGXPnvKV
f7G1daRzaxNl4bky8uNOL8O4CKLLVJQclr/8P1J+URqAyXvFkGhxpcJwNxvm8JyP
Ha3mIY7ZTHWB6gjUeBXTFLAB7YbGvFSS2V54g4c1XuB7CStB48CZZaweJ5EJ3yyp
dKRumP+EtJKe+Er/vqZgry+WQmbXDw7ysupUzXXIZZWG8a0U7SzRBZqt80r6oS5K
RagRTODQIFDwGXvLTeB56s2a9/6C3uaXoJD5STSoR+cMKQhHczHOUyxzMYc8vkwl
hKHhdOSgEPAgHUMGGCRslTyznS4wZE7M2it97iENnb1LYlgxcrh3bspwiPw6iE98
KoGz0G75Gto+rUBPWTc2kPD4Wtkosb7nC+ZQXor6sMYoT+fv9Ovpn/GwDkTR1ifS
0dBsXyhjgns4fKqJl9sWCz15NIXS9z6ATvQ2h7vE5xXvFl3Ugxv25arO6LRvM8Yv
HGrlwA/xTNTDiHKTULYfoqfPVHbBHI+iKFb7FGxaAB8
-> ssh-rsa QHr3/A
q8m9pqOuIhGOaTx2ZQx3v36NSeFCh+X/cUOyhGR1Xr9se9Tc+om3GPcxfzKCOHSf
Mg00J+8D28TXMfp/tThFvWcK6oTYNesFqB2EK0xRaF4JLHE8PpdU1Y+nYgXznSfD
+nCmTwMtrx71Hts+aAAJuQsIm4y1/oVQLmtw86SHtCF6uYzOL8oTYXByy17YJtpB
M9Lh63eFNXWBOjFotGN4I4pdrEXzo7aDmWnp2c8U2cDik23IrPTm59taF2fLXVlM
0l3J65RGzZKqgop7wX9WWfqLtmelcaPHtReO5rCy1AGXCxjchSXfbn+iE+glXwhi
7NBvoFZIcCEA4FiR7m9CFaBbTJBpVy5TmCBTXuXMOIFVOeryTdkIuvbCOxxchrTw
u0R5YyD0yFbLq2hL5JCQZDPMKK+5GH2wbuXg29pSayCk8Pmg+8RCJzY2imtfHzHV
u80QMoRnEvFfhJB2sVZ6ugxLLxVxE90wZVILzQK31xyOL9lQuisCnPVEVrc0PBVz
7q86HtLgd3wASbK7ylZUu+DO6EsmGERhR4jZnnBXyTxGoLJbJKp8OsN3cWYZdilx
sGtjX7Pi19IzWh7Rp5kFXaj+5r//6+kBDt97IiY/DSDgspqdRydJL1cw8jbhBVOX
QIKllFjiY00Y5ou7fM9z3kePC5qEP/Q+iGi0K+PnEcM
-> ssh-ed25519 EJftvQ pDgNqx9ZlL+7Yo3CPYKNX5VJxwEEo66RoMLLjhrdtRo
hlSG0ryo4UiycLUDHABOrSxFG63N3VVX04wtw6sNYdc
-> +^-grease gsd \a.-,gx# S@ 4'
AFDfkKtGuVSs3AECvjr2H88xEAJU9NONhxdXwz5KjHJO3PV05KV1b5f3RIZ8PgHc
6V8yzgN2mB0bAA
--- qkw9kh+EGzr8F3LFieA06BoOPkGmiI3Si05l4YfIgLQ
ÙTSï5`¼|±…ÿC¿pµô'7AÿMCRSÍ+{£j“†j“,{Á.‡a6¼'`Dñ‡39Å( òÜì<10>ipåc‡Ž+\†¶