hosts/flandre-m5p: experimenting with wireguard in enthalpy network

Lu Wang 2024-12-13 18:02:22 +08:00
parent 3d38c22e93
commit 1fc635be24
Signed by: rebmit
SSH key fingerprint: SHA256:3px8QV1zEerIrEWHaqtH5rR9kjetyRST5EipOPrd+bU
3 changed files with 79 additions and 0 deletions


@ -2,6 +2,8 @@
profiles,
lib,
config,
hostData,
mylib,
...
}:
{
@ -73,4 +75,47 @@
}
'';
};
sops.secrets."wireguard/reimu-aston/private-key" = {
sopsFile = config.sops.secretFiles.get "hosts/flandre-m5p.yaml";
};
sops.secrets."wireguard/reimu-aston/preshared-key" = {
sopsFile = config.sops.secretFiles.get "hosts/flandre-m5p.yaml";
};
networking.wireguard = {
enable = true;
interfaces = {
reimu-aston = {
privateKeyFile = config.sops.secrets."wireguard/reimu-aston/private-key".path;
interfaceNamespace = "enthalpy";
listenPort = config.networking.ports.enthalpy-wireguard-reimu-aston;
peers = lib.singleton {
publicKey = "Phf1usg7i2vW5gawA1C44ZIydCFFCUqyP01w9j4/bEY=";
presharedKeyFile = config.sops.secrets."wireguard/reimu-aston/preshared-key".path;
allowedIPs = [
"172.16.0.1/32"
"${mylib.network.cidr.host 1 (mylib.network.cidr.subnet 4 15 hostData.enthalpy_node_prefix)}/128"
];
};
};
};
};
networking.netns.enthalpy = {
enableIPv4Forwarding = lib.mkForce true;
nftables = {
enable = true;
tables.wireguard-reimu-aston = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
iifname reimu-aston oifname clat counter masquerade
}
'';
};
};
};
}
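Review bot: The second hunk forces IPv4 forwarding on in the enthalpy namespace (`enableIPv4Forwarding = lib.mkForce true`), yet the only chain in `tables.wireguard-reimu-aston` is the NAT postrouting chain, so nothing restricts where packets arriving on reimu-aston may be forwarded — the masquerade rule covers the clat path, and anything routed out another interface would leave both unfiltered and unmasqueraded. The peer's allowedIPs bounds the source addresses the tunnel accepts, not the destinations, so a filter-hook forward chain in the same table would make the intended reimu-aston → clat path explicit and turn everything else into a counted drop, as sketched below. Whether listen port 13101 must be reachable in the init namespace or inside enthalpy depends on where the wireguard module binds the UDP socket (its socket-namespace option is not set here); the port is declared under "public ports" in the second file but nothing on this page opens it, so that is worth confirming. The attribute set enclosing both hunks begins outside the diff.
```nix
content = ''
  chain forward {
    type filter hook forward priority filter; policy accept;
    iifname reimu-aston oifname clat accept
    iifname reimu-aston counter drop
  }
  # … unchanged: chain postrouting …
'';
```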


@ -19,6 +19,7 @@ in
# public ports
enthalpy-ipsec = 13000;
enthalpy-wireguard-reimu-aston = 13101;
};
readOnly = true;
description = ''


@ -0,0 +1,33 @@
wireguard:
reimu-aston:
private-key: ENC[AES256_GCM,data:nDTbKn9c0GUDXOb5y5weTb0TBOnU7VVYHvGgkquk23/xwOo/kpQT7WgYpdY=,iv:m+cGfoovt3/sw53AbHwVkW2Zkc2KdI02o8AAlG3tPeI=,tag:mwemrV7fFy0FJwq8oRCF/w==,type:str]
preshared-key: ENC[AES256_GCM,data:ovMA+JtopMszF8+h6A3I9wzDgr/FYPLYRYZmOw8Obap06mRVVlRKgtSRT9Y=,iv:tFTenFvd6IZKGqfMZXO7LvaS7hdAoPUFW3xMXR4oDak=,tag:W05WeEk6AQo8wL5S7Mw2pQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sfnct03u4cvfj98x4yjrcrrnu5gg8qgxrwk4uqq8w4e6wveeaedq97rn44
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdjgyV29OM2xJaytVQWU5
aWtxeUkxOVlURVIxTGlZclNTTUlhajVjYVN3CkNUa3VPUkY5SlZ3MkdVZm1XTUJT
cTg4TEFoQTFjTFp1SEFXaXJLelFhYjgKLS0tIHRmdnlSbGN5Uzhob0pMNFRxbHdy
QW9UTy9BYmJOYmlkYWJTcVBPWGlLUlUK5jo471dQzEaIbdB+xUITaBm8zCqPIvxK
4kg33gSVFm3Uc4vYchHcLGaqjqUpi/XV6VGaD0IekjQH5YI13XKExg==
-----END AGE ENCRYPTED FILE-----
- recipient: age166kxtrcx99fxlgtvz5mvyt5ctvk3dt09f42gvm94ngnkyztmmelsyzdn77
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQjdPZXZkY05IWi93cDZu
VUw2WTlaV3RGdDY0RXYrNGFIQ0Noc1JZQzJ3CjVJUGRYZk02WHArMFg2RkxSczhG
NlFIS2pUbGdnN1dkNjdWSDNCSFc5a1EKLS0tIGNucjVTTkk5NjF3N0F1VDRRWWxV
ZUQvKzQvYXFPSFNEWVZwVUhjWENKV2cK3l3bpCH/gz2zzT4ODmMHy4QYFsY2aTb5
8wbBKMFMNBuQWMrs1bjOQQxU6MBOy7Op0RnlOuuQwAt8yjszA7EYUw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-13T08:36:58Z"
mac: ENC[AES256_GCM,data:+vGdTalZ/srSCVEXURZUAVlLlZn6S9CfT9A5zsWE2RSx8A+4FCCVLrMrLQdF0MxAJ5D5/cQ8rSzc6/vkG17SjnL8zIlY0BJ6YXNaY9EjvRsK6733ClpuB8UL6KJmgqgLRilPZSMh2anUSLlzvX7PL0oGGWNrf5/ARdbiSaVwww0=,iv:+IsjX908W/yzwz2M19QHwWC+9cLVEaE+oj8sSAPk4YE=,tag:D1Gtymr0G7bgQasRaLQvmw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1