abonerib/bscpkgs
1
0
Fork 0
forked from rarias/bscpkgs
Code Pull Requests 1 Activity

Add wireguard server in fox

Browse Source 
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
This commit is contained in:
Rodrigo Arias 2025-08-29 13:38:47 +02:00
parent 200c727bbf
commit e415f70bbb
5 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
keys.nix
View File

@ -31,6 +31,7 @@ rec {
admins = { admins = {
"rarias@hut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut"; "rarias@hut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
"rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent"; "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
"rarias@fox" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSbw3REAKECV7E2c/e2XJITudJQWq2qDSe2N1JHqHZd rarias@fox";
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut"; root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
}; };
} }

1
m/fox/configuration.nix
View File

@ -6,6 +6,7 @@
../common/xeon/console.nix ../common/xeon/console.nix
../module/emulation.nix ../module/emulation.nix
../module/nvidia.nix ../module/nvidia.nix
./wireguard.nix
]; ];
# Don't turn off on August as UPC has different dates. # Don't turn off on August as UPC has different dates.

35
m/fox/wireguard.nix Normal file
View File

@ -0,0 +1,35 @@
{ config, ... }:
{
networking.firewall = {
allowedUDPPorts = [ 666 ];
};
age.secrets.wgFox.file = ../../secrets/wg-fox.age;
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 666;
# Path to the private key file.
privateKeyFile = config.age.secrets.wgFox.path;
# Public key: VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=
peers = [
# List of allowed peers.
{
name = "Apex";
publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.30/32" ];
}
];
};
};
}

3
secrets/secrets.nix
View File

@ -2,6 +2,7 @@ let
keys = import ../keys.nix; keys = import ../keys.nix;
adminsKeys = builtins.attrValues keys.admins; adminsKeys = builtins.attrValues keys.admins;
hut = [ keys.hosts.hut ] ++ adminsKeys; hut = [ keys.hosts.hut ] ++ adminsKeys;
fox = [ keys.hosts.fox ] ++ adminsKeys;
mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys; mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
tent = [ keys.hosts.tent ] ++ adminsKeys; tent = [ keys.hosts.tent ] ++ adminsKeys;
# Only expose ceph keys to safe nodes and admins # Only expose ceph keys to safe nodes and admins
@ -24,4 +25,6 @@ in
"ceph-user.age".publicKeys = safe; "ceph-user.age".publicKeys = safe;
"munge-key.age".publicKeys = safe; "munge-key.age".publicKeys = safe;
"wg-fox.age".publicKeys = fox;
} }

BIN
secrets/wg-fox.age Normal file
View File

Binary file not shown.