ciapa
/
infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ciapa:8543999a8afea672f1bd815dbdd7600ec9a3a1ac
Branches Tags
ciapa:master
ciapa:update_flake_lock_action
ciapa:test
...
compare: ciapa:6c370451b88be4d72d22ca59438ef71057404a9d
Branches Tags
ciapa:master
ciapa:update_flake_lock_action
ciapa:test

2 Commits
8543999a8a ... 6c370451b8

Author SHA1 Message Date
Ciapa 6c370451b8 Configure container for Wireguard NAT tests
ci / test (push) Failing after 42s Details
ci / deploy (push) Has been skipped Details
2024-02-04 19:38:04 +01:00
Ciapa 7a704851c0 Configure Wireguard for Phoenix 2024-02-04 19:34:52 +01:00
5 changed files with 94 additions and 1 deletions
Show Stats Expand all files Collapse all files

1
hosts/phoenix.lewd.wtf/configuration.nix
View File

@ -3,6 +3,7 @@ let
utils = import ../../util/include.nix { lib = lib; }; utils = import ../../util/include.nix { lib = lib; };
imports = imports =
(utils.includeDir ./services) ++ (utils.includeDir ./services) ++
(utils.includeDir ./containers) ++
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix

21
hosts/phoenix.lewd.wtf/containers/test.nix Normal file
View File

@ -0,0 +1,21 @@
{
containers.test = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
config = { config, pkgs, ... }: {
system.stateVersion = "24.05";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
};
useHostResolvConf = mkForce false;
};
services.resolved.enable = true;
};
};
}

24
hosts/phoenix.lewd.wtf/networking.nix
View File

@ -19,4 +19,28 @@
networking.defaultGateway = "192.168.0.1"; networking.defaultGateway = "192.168.0.1";
networking.nameservers = [ "192.168.0.1" ]; networking.nameservers = [ "192.168.0.1" ];
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "wg0";
enableIPv6 = true;
};
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.175.197.82/32" "fd7d:76ee:e68f:a993:f6b2:9dab:ddd3:a02/128" ];
privateKeyFile = "/run/secrets/services/wireguard/airvpn.private";
peers = [
{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
presharedKeyFile = "/run/secrets/services/wireguard/airvpn.psk";
allowedIPs = [ "10.128.0.1" ];
endpoint = "134.19.179.213:1637";
persistentKeepalive = 25;
}
];
};
};
} }

16
hosts/phoenix.lewd.wtf/secrets.nix
View File

@ -2,9 +2,23 @@
{ {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Vaultwarden # MSMTP
sops.secrets."services/msmtp/password" = { sops.secrets."services/msmtp/password" = {
mode = "0777"; mode = "0777";
sopsFile = ./secrets/msmtp.yaml; sopsFile = ./secrets/msmtp.yaml;
}; };
# Wireguard
sops.secrets."services/wireguard/airvpn.private" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
sopsFile = ./secrets/wireguard.yaml;
};
sops.secrets."services/wireguard/airvpn.psk" = {
mode = "0400";
owner = config.users.users.root.name;
group = config.users.users.root.group;
sopsFile = ./secrets/wireguard.yaml;
};
} }

33
hosts/phoenix.lewd.wtf/secrets/wireguard.yaml Normal file
View File

@ -0,0 +1,33 @@
services:
wireguard:
airvpn.private: ENC[AES256_GCM,data:COgDVq0CpZcTsjLMx4FLHSv/ZI8eSPRLTxVtJ8XrevzRXc25sVSNMdHiMFA=,iv:QSFKc2U2v58PiOF79PFanx+QlFge3FiMjEOJudr7qKU=,tag:N7KjBhK+59IeRALJeGKc6A==,type:str]
airvpn.psk: ENC[AES256_GCM,data:bxZ/Pk75jCPU/Nhx96JJkmrJCqSAudZLDQjKCXnvAJf/pPpZdwJTw3o7ywM=,iv:EwHiUZTs8py8TZxJciqW53m7O/rU5V8+ZgSCEXlrIJc=,tag:tOtlgWs8VLgt7T6/apkZeA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTndabjF2YXFpTU5RcG9U
UFV4SXVQZDNIK3htYi93U1BhbGNGMUtPcENFCi9nWWR0TmdYV0NhdDJhMFExRm9K
SDYzVXVZbmdOWGFybGxOTWs0K3Y2MlUKLS0tIGJLendISXNaWWdpVU5zcVgyeitJ
ZTZ4eTlxdVpha0NxK3h4dEU2S1dGaXcKkGlvEp+aosaFlnO4zUiQHkU1EFxxIuUU
L3y56QiCJxHo9bv9yvn0cIbxWLl+ow7I88FBf89z0OQxTqKxcpniYQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUGwvZ3hzaXBkTlA0Z1JX
N2R2cWNzWUIzVml0WGZxQ3FDUXFWOVJkWXdnCnNNbnFrYUVWYzBpdnRSdkdFZXRv
UHFKL3FQZEtST0tiaHZ0QUNzZWpWbTQKLS0tIGpLVW1EVXU5V0Q4QXF1b0xCeWlL
TFlUV2Vkak94YnI0OWpQR1A1TUlaUzAKEDaX7yhVViNG2/2EOcWWEynOOCYlzWZS
tsnOZcBkIDWkk6ZrZFXZ/iKzQiYTSWcznGPJuNd1Q9CnCCVKXtJmbQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-04T18:18:03Z"
mac: ENC[AES256_GCM,data:WM8D1TKT48WomrVcoT84cr8y7GajxbZ7ErQXwDZoPvw3phRLn7PuVdljtykIaTjQ9c0KrjSlLlTeRUhVUdFLJ5qB1ZA5N15wlDSRl7jtuaF8VKeAoS4txmh9YQXutrst1ldjk13nboOdRirNrYjqycdPtCBYQZc/bfvJUekoU7s=,iv:wpi+GlNNrpeMdW6CsLqhchgoyfbFOdTs2bD2pAAORtk=,tag:4QBEhFWszcJ+Gsml4K3Q9A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1