From 7a704851c0c503d490489088d906b0686e318ccf Mon Sep 17 00:00:00 2001
From: Ciapa
Date: Sun, 4 Feb 2024 19:34:52 +0100
Subject: [PATCH] Configure Wireguard for Phoenix

---
 hosts/phoenix.lewd.wtf/networking.nix | 24 ++++++++++++++
 hosts/phoenix.lewd.wtf/secrets.nix | 16 ++++++++-
 hosts/phoenix.lewd.wtf/secrets/wireguard.yaml | 33 +++++++++++++++++++
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 hosts/phoenix.lewd.wtf/secrets/wireguard.yaml

diff --git a/hosts/phoenix.lewd.wtf/networking.nix b/hosts/phoenix.lewd.wtf/networking.nix
index 0a835c5..1dcb454 100644
--- a/hosts/phoenix.lewd.wtf/networking.nix
+++ b/hosts/phoenix.lewd.wtf/networking.nix
@@ -19,4 +19,28 @@
   networking.defaultGateway = "192.168.0.1";
   networking.nameservers = [ "192.168.0.1" ];
 
+
+  networking.nat = {
+    enable = true;
+    internalInterfaces = ["ve-+"];
+    externalInterface = "wg0";
+    enableIPv6 = true;
+  };
+
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
+      privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
+
+      peers = [
+        {
+          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+          presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
+          allowedIPs = [ "10.128.0.1" ];
+          endpoint = "134.19.179.213:1637";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
 }
diff --git a/hosts/phoenix.lewd.wtf/secrets.nix b/hosts/phoenix.lewd.wtf/secrets.nix
index 16c6c96..d327b26 100644
--- a/hosts/phoenix.lewd.wtf/secrets.nix
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
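Review bot: `networking.nat.externalInterface = "wg0"` only masquerades packets that actually leave through wg0, but the single peer's `allowedIPs = [ "10.128.0.1" ]` means WireGuard installs a route for that one host and nothing else, so traffic from the `ve-+` container interfaces bound for anywhere else still leaves via the 192.168.0.1 default gateway, unmasqueraded and outside the tunnel; the `enableIPv6 = true` side has no IPv6 entry in allowedIPs at all. If the intent is to send container traffic out through AirVPN, the peer needs `allowedIPs = [ "0.0.0.0/0" "::/0" ];` with the routes placed in a dedicated table (the interface's `table` option plus an `ip rule` for the container source range) so the host's own default route is not replaced, and a firewall rule rejecting container traffic that egresses any interface other than wg0, otherwise a tunnel outage falls back silently to the plain uplink. If only 10.128.0.1 is meant to be reachable, wg0 should not be named as the NAT external interface. Either way a short comment stating the intended role would help, e.g. `# wg0: AirVPN tunnel; containers (ve-*) are NATed out through it, keys come from secrets.nix`. The enclosing attribute set opens before line 19, outside the hunk.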
@@ -2,9 +2,23 @@
 {
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
-  # Vaultwarden
+  # MSMTP
   sops.secrets."services/msmtp/password" = {
     mode = "0777";
     sopsFile = ./secrets/msmtp.yaml;
   };
+
+  # Wireguard
+  sops.secrets."services/wireguard/airvpn.private" = {
+    mode = "0400";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ./secrets/wireguard.yaml;
+  };
+  sops.secrets."services/wireguard/airvpn.psk" = {
+    mode = "0400";
+    owner = config.users.users.root.name;
+    group = config.users.users.root.group;
+    sopsFile = ./secrets/wireguard.yaml;
+  };
 }
diff --git a/hosts/phoenix.lewd.wtf/secrets/wireguard.yaml b/hosts/phoenix.lewd.wtf/secrets/wireguard.yaml
new file mode 100644
index 0000000..23b2518
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets/wireguard.yaml
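Review bot: The `services/msmtp/password` entry, which this hunk only re-labels from Vaultwarden to MSMTP, is left at `mode = "0777"`, so the mail password stays readable by every local user while the two new WireGuard secrets are correctly restricted to `0400` and root; since the entry is touched anyway, the mode should be tightened alongside it, e.g. `mode = "0400";` with `owner` set to the account msmtp runs under. The two new declarations are identical apart from the secret name; acceptable for two entries, but a brief comment such as `# Key material for wg0 (networking.nix); root-only, read by the wireguard unit at setup` would tie them to their consumer. Both use `config.users.users.root.*`, which requires `config` in the module's argument pattern on line 1, outside the hunk.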
@@ -0,0 +1,33 @@
+services:
+    wireguard:
+        airvpn.private: ENC[AES256_GCM,data:COgDVq0CpZcTsjLMx4FLHSv/ZI8eSPRLTxVtJ8XrevzRXc25sVSNMdHiMFA=,iv:QSFKc2U2v58PiOF79PFanx+QlFge3FiMjEOJudr7qKU=,tag:N7KjBhK+59IeRALJeGKc6A==,type:str]
+        airvpn.psk: ENC[AES256_GCM,data:bxZ/Pk75jCPU/Nhx96JJkmrJCqSAudZLDQjKCXnvAJf/pPpZdwJTw3o7ywM=,iv:EwHiUZTs8py8TZxJciqW53m7O/rU5V8+ZgSCEXlrIJc=,tag:tOtlgWs8VLgt7T6/apkZeA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTndabjF2YXFpTU5RcG9U
+            UFV4SXVQZDNIK3htYi93U1BhbGNGMUtPcENFCi9nWWR0TmdYV0NhdDJhMFExRm9K
+            SDYzVXVZbmdOWGFybGxOTWs0K3Y2MlUKLS0tIGJLendISXNaWWdpVU5zcVgyeitJ
+            ZTZ4eTlxdVpha0NxK3h4dEU2S1dGaXcKkGlvEp+aosaFlnO4zUiQHkU1EFxxIuUU
+            L3y56QiCJxHo9bv9yvn0cIbxWLl+ow7I88FBf89z0OQxTqKxcpniYQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUGwvZ3hzaXBkTlA0Z1JX
+            N2R2cWNzWUIzVml0WGZxQ3FDUXFWOVJkWXdnCnNNbnFrYUVWYzBpdnRSdkdFZXRv
+            UHFKL3FQZEtST0tiaHZ0QUNzZWpWbTQKLS0tIGpLVW1EVXU5V0Q4QXF1b0xCeWlL
+            TFlUV2Vkak94YnI0OTlQR1A1TUlaUzAKEDaX7yhVViNG2/2EOcWWEynOOCYlzWZS
+            tsnOZcBkIDWkk6ZrZFXZ/iKzQiYTSWcznGPJuNd1Q9CnCCVKXtJmbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-04T18:18:03Z"
+    mac: ENC[AES256_GCM,data:WM8D1TKT48WomrVcoT84cr8y7GajxbZ7ErQXwDZoPvw3phRLn7PuVdljtykIaTjQ9c0KrjSlLlTeRUhVUdFLJ5qB1ZA5N15wlDSRl7jtuaF8VKeAoS4txmh9YQXutrst1ldjk13nboOdRirNrYjqycdPtCBYQZc/bfvJUekoU7s=,iv:wpi+GlNNrpeMdW6CsLqhchgoyfbFOdTs2bD2pAAORtk=,tag:4QBEhFWszcJ+Gsml4K3Q9A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1