From e415f70bbb8a0a97b682ba631770f681d4d235b8 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Fri, 29 Aug 2025 13:38:47 +0200
Subject: [PATCH] Add wireguard server in fox
Reviewed-by: Aleix Roca Nonell
---
 keys.nix | 1 +
 m/fox/configuration.nix | 1 +
 m/fox/wireguard.nix | 35 +++++++++++++++++++++++++++++++++++
 secrets/secrets.nix | 3 +++
 secrets/wg-fox.age | Bin 0 -> 697 bytes
 5 files changed, 40 insertions(+)
 create mode 100644 m/fox/wireguard.nix
 create mode 100644 secrets/wg-fox.age
diff --git a/keys.nix b/keys.nix
index 6fbb78a5..75f1c38d 100644
--- a/keys.nix
+++ b/keys.nix
@@ -31,6 +31,7 @@ rec {
 admins = {
 "rarias@hut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1oZTPtlEXdGt0Ak+upeCIiBdaDQtcmuWoTUCVuSVIR rarias@hut";
 "rarias@tent" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwlWSBTZi74WTz5xn6gBvTmCoVltmtIAeM3RMmkh4QZ rarias@tent";
+ "rarias@fox" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSbw3REAKECV7E2c/e2XJITudJQWq2qDSe2N1JHqHZd rarias@fox";
 root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb root@hut";
 };
 }
diff --git a/m/fox/configuration.nix b/m/fox/configuration.nix
index 614327e4..ab829496 100644
--- a/m/fox/configuration.nix
+++ b/m/fox/configuration.nix
@@ -6,6 +6,7 @@
 ../common/xeon/console.nix
 ../module/emulation.nix
 ../module/nvidia.nix
+ ./wireguard.nix
 ];
 # Don't turn off on August as UPC has different dates.
diff --git a/m/fox/wireguard.nix b/m/fox/wireguard.nix
new file mode 100644
index 00000000..34d84c07
--- /dev/null
+++ b/m/fox/wireguard.nix
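Review bot: The new `"rarias@fox"` entry is added to `keys.admins`, so it becomes part of `adminsKeys` and of every secret list in secrets.nix that appends `adminsKeys`, not only of `wg-fox.age`. If this key is stored on the fox host, that host can presumably now decrypt all admin-gated secrets, which is a wider trust grant than the WireGuard server itself needs; if that scope is intended, a short comment on the entry such as `# admin key held on fox; decrypts every adminsKeys-gated secret` would make the boundary explicit. The enclosing `rec { … }` set starts before the hunk.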
@@ -0,0 +1,35 @@
+{ config, ... }:
+
+{
+ networking.firewall = {
+ allowedUDPPorts = [ 666 ];
+ };
+
+ age.secrets.wgFox.file = ../../secrets/wg-fox.age;
+
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = 666;
+
+ # Path to the private key file.
+ privateKeyFile = config.age.secrets.wgFox.path;
+ # Public key: VfMPBQLQTKeyXJSwv8wBhc6OV0j2qAxUpX3kLHunK2Y=
+
+ peers = [
+ # List of allowed peers.
+ {
+ name = "Apex";
+ publicKey = "VwhcN8vSOzdJEotQTpmPHBC52x3Hbv1lkFIyKubrnUA=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.100.0.30/32" ];
+ }
+ ];
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 776e73fe..013fa236 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,6 +2,7 @@ let
 keys = import ../keys.nix;
 adminsKeys = builtins.attrValues keys.admins;
 hut = [ keys.hosts.hut ] ++ adminsKeys;
+ fox = [ keys.hosts.fox ] ++ adminsKeys;
 mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
 tent = [ keys.hosts.tent ] ++ adminsKeys;
 # Only expose ceph keys to safe nodes and admins
@@ -24,4 +25,6 @@ in
 "ceph-user.age".publicKeys = safe;
 "munge-key.age".publicKeys = safe;
+
+ "wg-fox.age".publicKeys = fox;
 }
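Review bot: The UDP port is written as a bare literal twice, `allowedUDPPorts = [ 666 ];` in the firewall block and `listenPort = 666;` on `wg0`, and nothing ties them together, so a later change to one silently leaves the other stale: either the tunnel becomes unreachable or an unrelated port stays open in the firewall. Derive the firewall entry from the interface, `allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ];`, or bind the number once in a `let` and use it in both places. The `# Public key:` comment next to `privateKeyFile` is helpful; the peer comment would be similarly more useful if it named which machine `Apex` is, so the `allowedIPs` entry can be checked against the client's configuration. This hunk is the entire new file, so the module is complete as shown.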
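Review bot: The new binding `fox = [ keys.hosts.fox ] ++ adminsKeys;` references `keys.hosts.fox`, while this patch only adds `keys.admins."rarias@fox"` to keys.nix; if `hosts.fox` is not already defined there, evaluating secrets.nix fails with a missing-attribute error, and without a host key fox cannot decrypt `wg-fox.age` at boot. Worth confirming that the host key exists, or adding it in the same change so the two files move together. The `let` block continues beyond both hunks.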
diff --git a/secrets/wg-fox.age b/secrets/wg-fox.age new file mode 100644 index 0000000000000000000000000000000000000000..187ddfedbaf33546761b07332500c774f0ab938e GIT binary patch literal 697 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSnc5zBfa#Zke%SkOr zsxmZi&(8|2NRLSIO*i!ScS`d&2sJP$P7BY?Hx8|;3J=Q8%;&N&PS0}n@Y0Sn_V73H z@hT0@^(gT)@Hg_!DhPAWP1er~$u=vlO7{yWw!pB>+cevwT*1`UC(5)q%%t4U&)uic z&?3`0Bh{nAyuc^VFf7F=-#@@T(aqhXBs9^(k;_uMpui}-qRiFJH8IL1#Ldmy-!H4o zF*qdC*(p0SAj>__*)=sev)nb;6Wumv$8dL(Km})miVUytOoMPAW3OQU+{|1L|D{q?6ax#x2m|k; zs61Co*Mbt`yz;c7P;}cW9L+54R$k5Nms~s3~&l|PI7g3&I$@I%6E^5NDIj<^2>EHO?P(7cXx5mbPS6O zFiA^u_2lw3$#5?Zud1{NaVs(Q49iUmNOyFN2z7Gt3QpG#F7UI=D~>G6bge2#F6YwK z)m1PKEzYU(2re-Kyfld zes2ExwRP8%*WaF6ViW5vU!`|%lgP6z*RJHpv=(%{sGlH|$Z^y2<0q>H`CHEXx81ng cH(?cPNqV>9!MY~bTN+