Enable wireguard in apex

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
2025-08-29 13:52:05 +02:00 · 2025-08-29 13:52:05 +02:00 · e366e6ce87
commit e366e6ce87
parent e415f70bbb
4 changed files with 47 additions and 0 deletions
--- a/m/apex/configuration.nix
+++ b/m/apex/configuration.nix
@ -7,6 +7,7 @@
    ../module/ceph.nix
    ../module/slurm-server.nix
    ./nfs.nix
    ./wireguard.nix
  ];
  # Don't install grub MBR for now
--- a/m/apex/wireguard.nix
+++ b/m/apex/wireguard.nix
@ -0,0 +1,31 @@
 { config, ... }:
 {
  networking.firewall = {
    allowedUDPPorts = [ 666 ];
  };
  age.secrets.wgApex.file = ../../secrets/wg-apex.age;
  # Enable WireGuard
  networking.wireguard.enable = true;
  networking.wireguard.interfaces = {
    # "wg0" is the network interface name. You can name the interface arbitrarily.
    wg0 = {
      ips = [ "10.100.0.30/24" ];
      listenPort = 666;
      privateKeyFile = config.age.secrets.wgApex.path;
      # Public key: VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=
      peers = [
        {
          name = "Fox";
          publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
          allowedIPs = [ "10.100.0.0/24" ];
          endpoint = "fox.ac.upc.edu:666";
          # Send keepalives every 25 seconds. Important to keep NAT tables alive.
          persistentKeepalive = 25;
        }
      ];
    };
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -3,6 +3,7 @@ let
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
  fox = [ keys.hosts.fox ] ++ adminsKeys;
  apex = [ keys.hosts.apex ] ++ adminsKeys;
  mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
  tent = [ keys.hosts.tent ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
@ -27,4 +28,5 @@ in
  "munge-key.age".publicKeys = safe;
  "wg-fox.age".publicKeys = fox;
  "wg-apex.age".publicKeys = apex;
 }
--- a/secrets/wg-apex.age
+++ b/secrets/wg-apex.age
@ -0,0 +1,13 @@
 age-encryption.org/v1
 -> ssh-ed25519 fw2Xhg CO3xkQZ+Tzej6VOQg8GoGYMdRWP0s0w55S7PeZ/zq0o
 P119jX3o3ZdD+Dg/ehVIEsWdSCbmYksLDt4k4dovgl8
 -> ssh-ed25519 cK5kHw B9d+pwXxt8jDV+6WvHOxUQuwpYF4mHUoGPQaD7niuX4
 RxYK+0r28qTULJKaZiSQC5yqsi/BYTZ40TSIhpwxCk0
 -> ssh-ed25519 CAWG4Q akKCzdpc/17zOdLknTawmpJw3GuTLXjDlZz8CQg3hGE
 011OH3AnEmm36xg0p7FvHOL1xVpMllUf6lqs4BSUVeA
 -> ssh-ed25519 xA739A hv9vYtwBhrospLhJ5SQoNDkZx+blfYKZ/I40frj/u1Y
 s6KY1l2d6dEQouLbwL1Y56kC0Up9Tp1dmW91LYNYKjs
 -> ssh-ed25519 MSF3dg ehzqonjVpx3NFaxmSQc66VxkZEU5n7aiIOvuwYrl7wI
 yME0q4b5F9/eKJlNg+0sGuGTGp58UoNAf+MI8pj2faM
 --- KC628nslyddv5xZwh4DUj1nGqMx/mW+txSnYCjFRODY
 <EFBFBD>dl¸¢[ï´”ëêb<>ú^ÙŽ“-šl¥æà¸+õò“ÜÐ¢ÞFf¨uÜÞöÚ‘ðnüHLµK	ÉííðÚ^÷—¹1ƒË2V¦©j[