diff --git a/keys.nix b/keys.nix
index 6fbb78a5..75f1c38d 100644
--- a/keys.nix
+++ b/keys.nix
@@ -31,6 +31,7 @@ rec {
   admins = {
     "rarias@hut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
     "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
+    "rarias@fox" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSbw3REAKECV7E2c/e2XJITudJQWq2qDSe2N1JHqHZd rarias@fox";
     root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
   };
 }
diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 614327e4..ab829496 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -6,6 +6,7 @@
     ../common/xeon/console.nix
     ../module/emulation.nix
     ../module/nvidia.nix
+    ./wireguard.nix
   ];
 
   # Don't turn off on August as UPC has different dates.
diff --git a/m/fox/wireguard.nix b/m/fox/wireguard.nix
new file mode 100644
index 00000000..34d84c07
--- /dev/null
+++ b/m/fox/wireguard.nix
@@ -0,0 +1,35 @@
+{ config, ... }:
+
+{
+  networking.firewall = {
+    allowedUDPPorts = [ 666 ];
+  };
+
+  age.secrets.wgFox.file = ../../secrets/wg-fox.age;
+
+  networking.wireguard.enable = true;
+  networking.wireguard.interfaces = {
+    # "wg0" is the network interface name. You can name the interface arbitrarily.
+    wg0 = {
+      # Determines the IP address and subnet of the server's end of the tunnel interface.
+      ips = [ "10.100.0.1/24" ];
+
+      # The port that WireGuard listens to. Must be accessible by the client.
+      listenPort = 666;
+
+      # Path to the private key file.
+      privateKeyFile = config.age.secrets.wgFox.path;
+      # Public key: VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=
+
+      peers = [
+        # List of allowed peers.
+        {
+          name = "Apex";
+          publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
+          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+          allowedIPs = [ "10.100.0.30/32" ];
+        }
+      ];
+    };
+  };
+}
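Review bot: The new `"rarias@fox"` entry goes into `admins`, and secrets.nix folds every `admins` value into `adminsKeys`, which is then appended to the recipient list of every host (`hut`, `fox`, `mon`, `tent`), so this one key can decrypt every admin-scoped secret in the repository, not only `wg-fox.age`. By its comment the key lives on fox, the host this same commit exposes on UDP 666, so a compromise of fox or of that key file would presumably reach the secrets of the other hosts as well; that blast radius is inferred from the names, so confirm it is intended rather than an artefact of using a per-host user key. If the key is only meant to recrypt fox's own secrets, it should be referenced from the `fox` list in secrets.nix instead of being added to `admins`. At minimum record the scope next to the entry: `# per-host user key on fox; like every admins entry it decrypts all admin-scoped secrets`.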
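Review bot: The listen port is written twice in the new file, as the literal `666` in `networking.firewall.allowedUDPPorts` and again in `listenPort`, so a later change to one silently leaves the other behind: either an unreachable tunnel or a firewall opening on a port nothing listens on. Reference the option instead, `allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];`, so the two cannot diverge. `allowedUDPPorts` also opens the port on every interface; if fox has more than one, `networking.firewall.interfaces.<uplink>.allowedUDPPorts` limits the listener to the one that should be reachable (WireGuard drops unauthenticated datagrams, so this is defence in depth rather than a hole). The `# Public key: VfMP…` comment is not checked against the key in `wg-fox.age` and will go stale if the secret is rotated, so extend it with `# regenerate with wg pubkey whenever wg-fox.age is rotated`.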
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 776e73fe..013fa236 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,6 +2,7 @@ let
   keys = import ../keys.nix;
   adminsKeys = builtins.attrValues keys.admins;
   hut = [ keys.hosts.hut ] ++ adminsKeys;
+  fox = [ keys.hosts.fox ] ++ adminsKeys;
   mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
   tent = [ keys.hosts.tent ] ++ adminsKeys;
   # Only expose ceph keys to safe nodes and admins
@@ -24,4 +25,6 @@ in
 
   "ceph-user.age".publicKeys = safe;
   "munge-key.age".publicKeys = safe;
+
+  "wg-fox.age".publicKeys = fox;
 }
diff --git a/secrets/wg-fox.age b/secrets/wg-fox.age
new file mode 100644
index 00000000..187ddfed
Binary files /dev/null and b/secrets/wg-fox.age differ
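Review bot: `fox = [ keys.hosts.fox ] ++ adminsKeys;` depends on `keys.hosts.fox`, but the keys.nix hunk in this commit only adds `"rarias@fox"` under `admins` and no `hosts.fox` entry is visible anywhere in the diff; unless fox's host key was already present in keys.nix before this change, evaluating secrets.nix (for example on `agenix -r`) fails with a missing-attribute error, so confirm that entry exists. That `hosts.fox` value must be the machine's sshd ed25519 host key, since it is what fox uses at boot to decrypt `wg-fox.age`; the user key added in this commit would not serve that purpose. A one-line comment on the new rule, `# wg-fox.age: WireGuard private key for fox; readable by the fox host key and admins only`, would record the scoping the way the ceph comment in the first hunk does. The `let … in` block these hunks edit starts and ends outside the hunks shown.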