From 5e19bc16f56d565f60b8b467f038599ecdbc5160 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Tue, 20 May 2025 23:32:21 -0700
Subject: [PATCH] router: wireguard: add wg0 interface with some peers for testing

---
 hosts/router/default.nix | 1 +
 .../router/secrets/cf-api-key.age | 0
 .../wireguard/wg0-peer-AsusS513-psk.age | 5 ++
 .../wireguard/wg0-peer-Yura-Pixel7Pro-psk.age | Bin 0 -> 256 bytes
 .../wireguard/wg0-peer-Yura-TPX13-psk.age | 6 ++
 .../secrets/wireguard/wg0-private-key.age | 5 ++
 hosts/router/services.nix | 2 +-
 hosts/router/wireguard.nix | 57 ++++++++++++++++++
 8 files changed, 75 insertions(+), 1 deletion(-)
 rename secrets/cf_api_key.age => hosts/router/secrets/cf-api-key.age (100%)
 create mode 100644 hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
 create mode 100644 hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age
 create mode 100644 hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age
 create mode 100644 hosts/router/secrets/wireguard/wg0-private-key.age
 create mode 100644 hosts/router/wireguard.nix

diff --git a/hosts/router/default.nix b/hosts/router/default.nix
index 0612fea..0a08ece 100644
--- a/hosts/router/default.nix
+++ b/hosts/router/default.nix
@@ -8,6 +8,7 @@ in [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./ifconfig.nix
+ ./wireguard.nix
 ./firewall.nix
 ./dns.nix
 ./kea.nix
diff --git a/secrets/cf_api_key.age b/hosts/router/secrets/cf-api-key.age
similarity index 100%
rename from secrets/cf_api_key.age
rename to hosts/router/secrets/cf-api-key.age
diff --git a/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age b/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
new file mode 100644
index 0000000..07503ad
--- /dev/null
+++ b/hosts/router/secrets/wireguard/wg0-peer-AsusS513-psk.age
@@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 D2MY/A YAk0egMScFdPo0uAZzITtgQyPAifDcVUfb957Zhz9Ec +pAEM+7sbPE8rHBhRV7mTmH1w4mbfKFopMWbwu/3KHCw +--- ykshsqEqKvCCE2kWIPAJPA/DFW7mu6+0x4MQhHgi1yU +'zƀ{gid\{EtpUg2QC3gJGV16WG_E&v)&ޑ N"n_T͒ \ No newline at end of file diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age b/hosts/router/secrets/wireguard/wg0-peer-Yura-Pixel7Pro-psk.age new file mode 100644 index 0000000000000000000000000000000000000000..513d5f29c5832fe38d0cbbcba9605245473c6f8e GIT binary patch literal 256 zcmV+b0ssDCXJsvAZewzJaCB*JZZ2GmYd1hi+PIE~`N-=M7FK9Pxbb57bOL1Z`SU3vOH3R#RO>Hny^+_l$M?|OKbTL^s z9}v>WSD2pz?gFEyF2P|BDwblj8T|kDleYUm^Ldf8+Xt4ZLB{|Ju5=ywVN0FNPmDu; G&s)>ClwOJe literal 0 HcmV?d00001 diff --git a/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age new file mode 100644 index 0000000..a5ce007 --- /dev/null +++ b/hosts/router/secrets/wireguard/wg0-peer-Yura-TPX13-psk.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 D2MY/A P88M0uj4ZphVo3WrRYDu+c7B0Dl7ncctbYkByYmU2wg +DV3Gn6TQ6iByAlNt0gg8kSZ2r0Gie/wcznZx9M+CC2g +--- KhwGM50BVql02Jq0do2uhXMfgWPPDfbodzDRmZ9n0O4 +rԶayY/CJBX!"F +h(L>()S;}}2ОO.hoqYK"cEJM?-O \ No newline at end of file diff --git a/hosts/router/secrets/wireguard/wg0-private-key.age b/hosts/router/secrets/wireguard/wg0-private-key.age new file mode 100644 index 0000000..7bcbe13 --- /dev/null +++ b/hosts/router/secrets/wireguard/wg0-private-key.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 D2MY/A tvRtTGWnaB0zxqZRba4/XpzwPa61RrnHCk4tT8OfnGQ +IX85Q5VKxQTl+MnhzwiuTnNMVkR9QrYo/1njrbZeBnQ +--- dmlPIL2T+RFhbO2iLDRa4BxxYSSUQdedV3TK83ooFdA +gE 70`dV(oWS@ۭpZЃTU+*\Q[x29i5k \ No newline at end of file diff --git a/hosts/router/services.nix b/hosts/router/services.nix index e6f23a6..b0f8448 100644 --- a/hosts/router/services.nix +++ b/hosts/router/services.nix 
@@ -52,7 +52,7 @@ in }; }; - secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age; + secrix.system.secrets.cf-api-key.encrypted.file = ./secrets/cf-api-key.age; systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path; services.caddy = { enable = true; diff --git a/hosts/router/wireguard.nix b/hosts/router/wireguard.nix new file mode 100644 index 0000000..ee1d3c4 --- /dev/null +++ b/hosts/router/wireguard.nix 
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+let
+ vars = import ./vars.nix;
+
+ wg0Peers = [
+ {
+ name = "Yura-TPX13";
+ allowedIPs = [ "10.6.0.3/32" "${vars.extra.opnsense.p6}::6:3:0/112" ];
+ publicKey = "iJa5JmJbMHNlbEluNwoB2Q8LyrPAfb7S/mluanMcI08=";
+ pskEnabled = true;
+ }
+ {
+ name = "Yura-Pixel7Pro";
+ allowedIPs = [ "10.6.0.4/32" "${vars.extra.opnsense.p6}::6:4:0/112" ];
+ publicKey = "UjZlsukmAsX60Z5FnZwKCSu141Gjj74+hBVT3TRhwT4=";
+ pskEnabled = true;
+ }
+ {
+ name = "AsusS513";
+ allowedIPs = [ "10.6.0.100/32" ];
+ publicKey = "XozJ7dHdJfkLORkCVxaB1VmvHEOAA285kRZcmzfPl38=";
+ pskEnabled = true;
+ }
+ ];
+in
+{
+ secrix.services.systemd-networkd.secrets = let
+ pskEnabledPeers = builtins.filter (peer: peer.pskEnabled) wg0Peers;
+ peerToSecretAttrs = peer: {
+ name = "wg0-peer-${peer.name}-psk";
+ value.encrypted.file = ./secrets/wireguard/wg0-peer-${peer.name}-psk.age;
+ };
+ peerSecretsList = map peerToSecretAttrs pskEnabledPeers;
+ peerSecrets = builtins.listToAttrs peerSecretsList;
+ in
+ {
+ wg0-private-key.encrypted.file = ./secrets/wireguard/wg0-private-key.age;
+ } // peerSecrets;
+
+ systemd.network.netdevs = {
+ "10-wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.secrix.services.systemd-networkd.secrets.wg0-private-key.decrypted.path;
+ ListenPort = 18596;
+ };
+ wireguardPeers = map (peer: {
+ AllowedIPs = lib.strings.concatStringsSep "," peer.allowedIPs;
+ PublicKey = peer.publicKey;
+ PresharedKeyFile = if peer.pskEnabled then config.secrix.services.systemd-networkd.secrets."wg0-peer-${peer.name}-psk".decrypted.path else null;
+ }) wg0Peers;
+ };
+ };
+}
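Review bot: The `"10-wg0"` netdev sets no `RouteTable=` in `wireguardConfig` and this commit adds no matching `systemd.network.networks` unit, so unless ifconfig.nix already covers wg0 the router will create the interface without an address and will not install routes for the peers' `AllowedIPs` (systemd-networkd only adds those routes when `RouteTable=` is set; the default is off). A minimal fix is `RouteTable = "main";` next to `ListenPort = 18596;` plus a `systemd.network.networks."10-wg0"` entry carrying the router's own 10.6.0.x and IPv6 addresses on wg0. `ListenPort = 18596` also needs a matching UDP allow in firewall.nix, which this change does not touch. `PrivateKeyFile` and `PresharedKeyFile` are read by networkd as the `systemd-network` user, so the decrypted secrix paths must be owned root:systemd-network with mode 0640 — presumably the `secrix.services.systemd-networkd` namespace arranges that, but it is worth confirming rather than assuming.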