Add wireguard server in fox

Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
2025-08-29 13:38:47 +02:00 · 2025-08-29 13:38:47 +02:00 · c3da39c392
commit c3da39c392
parent d3889b3339
5 changed files with 40 additions and 0 deletions
--- a/keys.nix
+++ b/keys.nix
@ -31,6 +31,7 @@ rec {
  admins = {
    "rarias@hut"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
    "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
+    "rarias@fox"  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSbw3REAKECV7E2c/e2XJITudJQWq2qDSe2N1JHqHZd rarias@fox";
    root          = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
  };
 }
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@ -6,6 +6,7 @@
    ../common/xeon/console.nix
    ../module/emulation.nix
    ../module/nvidia.nix
+    ./wireguard.nix
  ];

  # Don't turn off on August as UPC has different dates.
--- a/m/fox/wireguard.nix
+++ b/m/fox/wireguard.nix
@ -0,0 +1,35 @@
+{ config, ... }:
+
+{
+  networking.firewall = {
+    allowedUDPPorts = [ 666 ];
+  };
+
+  age.secrets.wgFox.file = ../../secrets/wg-fox.age;
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = [ "10.100.0.1/24" ];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = 666;
+
+      # Path to the private key file.
+      privateKeyFile = config.age.secrets.wgFox.path;
+      # Public key: VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=
+
+      peers = [
+        # List of allowed peers.
+        { 
+          name = "Apex";
+          publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
+          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          allowedIPs = [ "10.100.0.30/32" ];
+        }
+      ];
+    };
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -2,6 +2,7 @@ let
  keys = import ../keys.nix;
  adminsKeys = builtins.attrValues keys.admins;
  hut = [ keys.hosts.hut ] ++ adminsKeys;
+  fox = [ keys.hosts.fox ] ++ adminsKeys;
  mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
  tent = [ keys.hosts.tent ] ++ adminsKeys;
  # Only expose ceph keys to safe nodes and admins
@ -24,4 +25,6 @@ in

  "ceph-user.age".publicKeys = safe;
  "munge-key.age".publicKeys = safe;
+
+  "wg-fox.age".publicKeys = fox;
 }
--- a/secrets/wg-fox.age
+++ b/secrets/wg-fox.age