From 08e4dda6d2ec954bc653baa592e2663a78149055 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Thu, 25 Sep 2025 15:01:33 +0200
Subject: [PATCH] Add raccoon peer to wireguard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It routes traffic from fox, apex and the compute nodes so that we can reach the git servers and tent.

Reviewed-by: Aleix Boné
---
 m/apex/wireguard.nix | 7 +++++
 m/common/base/net.nix | 1 -
 m/common/ssf.nix | 1 +
 m/common/ssf/hosts-remote.nix | 9 +++++++
 m/fox/wireguard.nix | 7 +++++
 m/raccoon/configuration.nix | 1 +
 m/raccoon/wireguard.nix | 48 ++++++++++++++++++++++++++++++++++
 m/tent/configuration.nix | 1 +
 secrets/secrets.nix | 2 ++
 secrets/wg-raccoon.age | Bin 0 -> 697 bytes
 10 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 m/common/ssf/hosts-remote.nix
 create mode 100644 m/raccoon/wireguard.nix
 create mode 100644 secrets/wg-raccoon.age

diff --git a/m/apex/wireguard.nix b/m/apex/wireguard.nix
index 0a6ac5f0..4721d2df 100644
--- a/m/apex/wireguard.nix
+++ b/m/apex/wireguard.nix
@@ -25,11 +25,18 @@
 # Send keepalives every 25 seconds. Important to keep NAT tables alive.
 persistentKeepalive = 25;
 }
+ {
+ name = "raccoon";
+ publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
+ allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ];
+ }
 ];
 };
 };
 networking.hosts = {
 "10.106.0.1" = [ "fox" ];
+ "10.106.0.236" = [ "raccoon" ];
+ "10.0.44.4" = [ "tent" ];
 };
 }
diff --git a/m/common/base/net.nix b/m/common/base/net.nix
index 64e6160a..88c8c00f 100644
--- a/m/common/base/net.nix
+++ b/m/common/base/net.nix
@@ -15,7 +15,6 @@
 hosts = {
 "84.88.53.236" = [ "ssfhead.bsc.es" "ssfhead" ];
- "84.88.51.152" = [ "raccoon" ];
 "84.88.51.142" = [ "raccoon-ipmi" ];
 };
 };
diff --git a/m/common/ssf.nix b/m/common/ssf.nix
index 8e8dc6b4..98a98e52 100644
--- a/m/common/ssf.nix
+++ b/m/common/ssf.nix
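Review bot: The `192.168.0.0/16` entry in the new raccoon peer's allowedIPs installs a route for the whole 192.168/16 space through wg0 on apex, which is far wider than "the git servers and tent" the commit message names; any host on apex's own side that lives in a 192.168.x network, now or later, would silently be sent down the tunnel instead of its local path. If the git servers sit in a known subnet or two (not visible in this patch), list those prefixes instead of the /16, and in either case annotate the three entries so the next reader does not have to guess, e.g. `# 10.106.0.236: raccoon's wg0 address; 192.168.0.0/16: git servers behind raccoon; 10.0.44.0/24: tent's LAN` — adjusting the wording if that is not what they are. The `peers` list and the wg0 interface definition this block belongs to start above the hunk.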
@@ -4,6 +4,7 @@
 ./xeon.nix
 ./ssf/fs.nix
 ./ssf/hosts.nix
+ ./ssf/hosts-remote.nix
 ./ssf/net.nix
 ./ssf/ssh.nix
 ];
diff --git a/m/common/ssf/hosts-remote.nix b/m/common/ssf/hosts-remote.nix
new file mode 100644
index 00000000..1660f739
--- /dev/null
+++ b/m/common/ssf/hosts-remote.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+ networking.hosts = {
+ # Remote hosts visible from compute nodes
+ "10.106.0.236" = [ "raccoon" ];
+ "10.0.44.4" = [ "tent" ];
+ };
+}
diff --git a/m/fox/wireguard.nix b/m/fox/wireguard.nix
index d0b4349e..7a55c2e9 100644
--- a/m/fox/wireguard.nix
+++ b/m/fox/wireguard.nix
@@ -29,12 +29,19 @@
 # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
 allowedIPs = [ "10.106.0.30/32" ];
 }
+ {
+ name = "raccoon";
+ publicKey = "QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=";
+ allowedIPs = [ "10.106.0.236/32" "192.168.0.0/16" "10.0.44.0/24" ];
+ }
 ];
 };
 };
 networking.hosts = {
 "10.106.0.30" = [ "apex" ];
+ "10.106.0.236" = [ "raccoon" ];
+ "10.0.44.4" = [ "tent" ];
 };
 networking.firewall = {
diff --git a/m/raccoon/configuration.nix b/m/raccoon/configuration.nix
index cec17e6f..7a608e20 100644
--- a/m/raccoon/configuration.nix
+++ b/m/raccoon/configuration.nix
@@ -8,6 +8,7 @@
 ../module/ssh-hut-extern.nix
 ../module/nvidia.nix
 ../eudy/kernel/perf.nix
+ ./wireguard.nix
 ];
 # Don't install Grub on the disk yet
diff --git a/m/raccoon/wireguard.nix b/m/raccoon/wireguard.nix
new file mode 100644
index 00000000..daf48837
--- /dev/null
+++ b/m/raccoon/wireguard.nix
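Review bot: `{ pkgs, ... }:` in the new hosts-remote.nix declares `pkgs` but nothing in the module uses it; `{ ... }:` is enough and avoids suggesting the file pulls in packages. The comment `# Remote hosts visible from compute nodes` also leaves out how they become visible: this file only adds name-to-address entries, and nothing here gives a compute node a route to 10.106.0.236 or 10.0.44.0/24, so reachability presumably depends on apex forwarding compute-node traffic (raccoon's apex peer admits `10.0.40.0/24`, but apex's forwarding is not part of this patch). A second comment line such as `# Reachable only through apex, which forwards compute-node traffic into the wg tunnel to raccoon` would record that dependency, if that is indeed the path.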
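Review bot: The raccoon peer block added to fox is byte-for-byte the block added to m/apex/wireguard.nix in the same commit (same publicKey, same three allowedIPs), and the two `networking.hosts` entries are duplicated too, so the key and the routed prefixes will drift silently the first time one side is edited without the other. Consider moving the peer attrset and the host entries into a shared module and importing it from both hosts; the commit already creates m/common/ssf/hosts-remote.nix for the compute nodes, so a sibling holding the wg peer would fit the existing layout. Separately, `192.168.0.0/16` routes the entire 192.168/16 space through wg0 on fox as well, which is wider than the git servers the commit message mentions; narrow it to the actual subnets if they are known. The `peers` list and interface definition start above the hunk, and the `networking.firewall` attrset opened by the last context line continues below it.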
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+ networking.nat = {
+ enable = true;
+ enableIPv6 = false;
+ externalInterface = "eno0";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ networking.firewall = {
+ allowedUDPPorts = [ 666 ];
+ };
+
+ age.secrets.wgRaccoon.file = ../../secrets/wg-raccoon.age;
+
+ # Enable WireGuard
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = [ "10.106.0.236/24" ];
+ listenPort = 666;
+ privateKeyFile = config.age.secrets.wgRaccoon.path;
+ # Public key: QUfnGXSMEgu2bviglsaSdCjidB51oEDBFpnSFcKGfDI=
+ peers = [
+ {
+ name = "fox";
+ publicKey = "VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=";
+ allowedIPs = [ "10.106.0.1/32" ];
+ endpoint = "fox.ac.upc.edu:666";
+ persistentKeepalive = 25;
+ }
+ {
+ name = "apex";
+ publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
+ allowedIPs = [ "10.106.0.30/32" "10.0.40.0/24" ];
+ endpoint = "ssfhead.bsc.es:666";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.hosts = {
+ "10.106.0.1" = [ "fox.wg" ];
+ "10.106.0.30" = [ "apex.wg" ];
+ };
+}
diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix
index 416d8df1..9d56ba70 100644
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -35,6 +35,7 @@
 defaultGateway = "10.0.44.1";
 hosts = {
 "84.88.53.236" = [ "apex" ];
+ "10.0.44.1" = [ "raccoon" ];
 };
 };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 96732490..920d52dc 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,6 +4,7 @@ let
 hut = [ keys.hosts.hut ] ++ adminsKeys;
 fox = [ keys.hosts.fox ] ++ adminsKeys;
 apex = [ keys.hosts.apex ] ++ adminsKeys;
+ raccoon = [ keys.hosts.raccoon ] ++ adminsKeys;
 mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
 tent = [ keys.hosts.tent ] ++ adminsKeys;
 # Only expose ceph keys to safe nodes and admins
@@ -29,4 +30,5 @@ in
 "wg-fox.age".publicKeys = fox;
 "wg-apex.age".publicKeys = apex;
+ "wg-raccoon.age".publicKeys = raccoon;
 }
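Review bot: `networking.nat` with `internalInterfaces = [ "wg0" ]` and no forward filtering masquerades everything arriving over the tunnel out of `eno0`, so fox, apex and, through apex's `10.0.40.0/24` allowedIPs, every compute node can reach any address raccoon itself can reach, not only tent and the git servers, and tent will see all of it as coming from raccoon's own address (10.0.44.1 according to the tent hunk), losing the per-source visibility its logs and firewall would otherwise have. WireGuard's allowedIPs only constrain which source addresses each peer may claim; they say nothing about destinations. Unless raccoon's firewall already restricts the FORWARD path (nothing in this file does), add rules that permit wg0→eno0 only toward the intended networks and drop the rest, as sketched below for the default iptables backend (use `networking.firewall.extraForwardRules` instead if this host runs the nftables backend), and consider whether masquerading is needed for tent at all, since raccoon is already tent's default gateway and could route 10.106.0.0/24 and 10.0.40.0/24 back natively. `externalInterface = "eno0"` is also asserted without explanation; a comment such as `# eno0: raccoon's LAN/upstream side; wg0 traffic is NATed out of it` would tell the next reader which side of the host is being NATed, if that is the case.
```nix
networking.nat = {
  enable = true;
  enableIPv6 = false;
  externalInterface = "eno0";
  internalInterfaces = [ "wg0" ];
};

# Only let tunnel traffic reach the networks this gateway exists for;
# narrow 192.168.0.0/16 further once the git servers' subnets are known.
networking.firewall.extraCommands = ''
  iptables -w -A FORWARD -i wg0 -o eno0 -d 10.0.44.0/24 -j ACCEPT
  iptables -w -A FORWARD -i wg0 -o eno0 -d 192.168.0.0/16 -j ACCEPT
  iptables -w -A FORWARD -i wg0 -o eno0 -j DROP
'';

# … unchanged: networking.firewall.allowedUDPPorts, age secret, wg0 interface and peers …
```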
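Review bot: On tent the name `raccoon` now resolves to `10.0.44.1`, the LAN address that is also tent's `defaultGateway`, whereas on apex, fox and the compute nodes the same name resolves to raccoon's wg0 address `10.106.0.236`; that is workable, but the same hostname meaning a different interface depending on where you type it is the kind of thing that costs time during debugging. A comment on the added line, e.g. `# raccoon's LAN side; other hosts resolve "raccoon" to its wg0 address 10.106.0.236`, would make the split explicit. The `networking` attrset this entry belongs to begins above the hunk.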
diff --git a/secrets/wg-raccoon.age b/secrets/wg-raccoon.age new file mode 100644 index 0000000000000000000000000000000000000000..f32a2aa395b4fcaf3bdd9cf09e9164d3a85aad62 GIT binary patch literal 697 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+k2J4zFIR|6%-1f> zv~&&3NvXq zasr)vT*}dH^9^=0PDxiN@bs!Q)HgHBHIFa~^A9mF&P(%34GD+}Eet9v_Y4ltD+@Mr zb`J}33U%djF0TwU^SAITuME%eu88#T^UY7qa7@qf4Jh|4s>lrqH_fx~4@&e7^~vYb z)zwvqsL1j)cPk7iGxA8z$cPNfH8R)s@yjgD^$066vh)nfa5nVL&oinjuJq)3z`xP` zd5>n%_lLzsEWg+^*k+4KKA2?7U}x?pD