From 532af9900f1b04c5ccc614f4ce5011452053ae00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20R=C3=B6ger?=
Date: Tue, 13 May 2025 22:51:15 +0200
Subject: [PATCH] System Gen36 @ 2025-05-13-22:51:15 by jonas@monolith

---
 hosts/comfy-station/configuration.nix | 1 +
 hosts/monolith/configuration.nix | 7 ++++++
 modules/networking/wireguard/client.nix | 13 ++++++-----
 modules/networking/wireguard/peers.nix | 30 ++++++++++++++++++++-----
 modules/networking/wireguard/server.nix | 6 +----
 secrets/monolith/wg.yaml | 30 +++++++++++++++++++++++++
 6 files changed, 72 insertions(+), 15 deletions(-)
 create mode 100644 secrets/monolith/wg.yaml

diff --git a/hosts/comfy-station/configuration.nix b/hosts/comfy-station/configuration.nix
index 88db258..3050b2c 100644
--- a/hosts/comfy-station/configuration.nix
+++ b/hosts/comfy-station/configuration.nix
@@ -40,6 +40,7 @@
 hive.yubikey.enable = true;
 hive.wg.client.enable = true;
 hive.wg.client.privateKeyFile = config.sops.secrets.wg-priv.path;
+ hive.wg.client.peer = "comfy-station";
 hive.programs.games.enable = true;
 hive.programs.games.steam = true;
diff --git a/hosts/monolith/configuration.nix b/hosts/monolith/configuration.nix
index 8d2cabb..388ba26 100644
--- a/hosts/monolith/configuration.nix
+++ b/hosts/monolith/configuration.nix
@@ -13,6 +13,10 @@
 # Secret management
 sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.secrets.wg-priv = {
+ sopsFile = ../../secrets/monolith/wg.yaml;
+ key = "privateKey";
+ };
 # Users
 users.users.jonas = {
@@ -41,6 +45,9 @@
 hive.sound.enable = true;
 hive.yubikey.enable = true;
 hive.services.kdeconnect.enable = true;
+ hive.wg.client.enable = true;
+ hive.wg.client.privateKeyFile = config.sops.secrets.wg-priv.path;
+ hive.wg.client.peer = "comfy-station";
 hive.programs.games.enable = true;
 hive.programs.games.lutris = true;
 hive.programs.games.steam = true;
diff --git a/modules/networking/wireguard/client.nix b/modules/networking/wireguard/client.nix
index 4422b2b..ca46e5f 100644
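Review bot: `hive.wg.client.peer = "comfy-station";` on monolith selects the comfy-station identity from peers.nix, although this same commit adds a distinct `monolith` entry there with its own public key and address 10.10.10.3. As written monolith brings up wg0 with comfy-station's address 10.10.10.2/24 and lists its own public key as a remote peer, and — assuming the key in secrets/monolith/wg.yaml belongs to that `monolith` entry — harbor's cryptokey routing only accepts 10.10.10.3/32 from it, so monolith's traffic is silently dropped while the two clients also collide on one address. The line should read `hive.wg.client.peer = "monolith";`. The enclosing attribute set starts before and ends after this hunk.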
--- a/modules/networking/wireguard/client.nix
+++ b/modules/networking/wireguard/client.nix
@@ -4,7 +4,7 @@
 ...
 }: let
 cfg = config.hive.wg.client;
- peers = import ./peers.nix {};
+ peers = import ./peers.nix {inherit lib;};
 in {
 options.hive.wg.client = {
 enable = lib.mkEnableOption "Enable WireGuard client";
@@ -13,6 +13,11 @@ in {
 default = false;
 description = "Automatically connect to the WireGuard server with systemd";
 };
+ peer = lib.mkOption {
+ type = lib.types.singleLineStr;
+ example = "comfy-station";
+ description = "The name of the peer defined in peers.nix to incarnate";
+ };
 privateKeyFile = lib.mkOption {
 type = lib.types.path;
 description = "Path to the private key file for the WireGuard client";
@@ -21,12 +26,10 @@ in {
 config = lib.mkIf cfg.enable {
 networking.wg-quick.interfaces.wg0 = {
- inherit (peers.jonas) address;
+ address = peers.clientAddress cfg.peer;
 inherit (cfg) privateKeyFile;
 autostart = cfg.autoConnect;
- peers = [
- peers.harbor
- ];
+ peers = peers.forClient cfg.peer;
 };
 };
 }
diff --git a/modules/networking/wireguard/peers.nix b/modules/networking/wireguard/peers.nix
index eddc93e..70336e3 100644
--- a/modules/networking/wireguard/peers.nix
+++ b/modules/networking/wireguard/peers.nix
@@ -1,4 +1,4 @@
-{}: {
+{lib, ...}: rec {
 harbor = {
 publicKey = "se1SYdSuu+e8FLqHJO0Fk+kWV3WlrVj9qeCPOhAqsmA=";
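Review bot: The new `peer` option is a free-form `singleLineStr`, so a name that does not exist in peers.nix is not rejected by the module system; it only surfaces later as an attribute-missing error from `clients.${c}` in `clientAddress`, which names neither the option nor the valid choices, and `builtins.removeAttrs clients [c]` in `forClient` accepts the unknown name silently. Since `peers` is already bound in the `let` above, `type = lib.types.enum (builtins.attrNames peers.clients);` would validate the value at option-check time and list the accepted peer names in the error. The option also has no default, so enabling the client without setting it is an evaluation error; a sentence saying so in `description` would help the next host added. The `options.hive.wg.client` set starts before this hunk.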
@@ -12,9 +12,29 @@
 persistentKeepalive = 25;
 };
- jonas = {
- publicKey = "OsP5tyyYq2B9K8kcDJRLMVE/XuFk57aEhzhQcJc+e3M=";
- address = ["10.10.10.2/24"];
- allowedIPs = ["10.10.10.2/32"];
+ clients = {
+ comfy-station = {
+ publicKey = "OsP5tyyYq2B9K8kcDJRLMVE/XuFk57aEhzhQcJc+e3M=";
+ address = ["10.10.10.2/24"];
+ allowedIPs = ["10.10.10.2/32"];
+ };
+
+ monolith = {
+ publicKey = "r60a6TyR2jV6ePvZgtznd3H4hQPE3sjznoiE8vx3+iI=";
+ address = ["10.10.10.3/24"];
+ allowedIPs = ["10.10.10.3/32"];
+ };
 };
+
+ forServer =
+ builtins.mapAttrs (_: v: {
+ inherit (v) publicKey allowedIPs;
+ })
+ clients;
+ forClient = c:
+ (lib.mapAttrsToList (_: v: {
+ inherit (v) publicKey allowedIPs;
+ }) (builtins.removeAttrs clients [c]))
+ ++ [harbor];
+ clientAddress = c: clients.${c}.address;
 }
diff --git a/modules/networking/wireguard/server.nix b/modules/networking/wireguard/server.nix
index bc02c1c..d6d24e4 100644
--- a/modules/networking/wireguard/server.nix
+++ b/modules/networking/wireguard/server.nix
@@ -30,11 +30,7 @@ in {
 inherit (cfg) privateKeyFile;
- peers = [
- {
- inherit (peers.jonas) publicKey allowedIPs;
- }
- ];
+ peers = peers.forServer;
 };
 };
 }
diff --git a/secrets/monolith/wg.yaml b/secrets/monolith/wg.yaml
new file mode 100644
index 0000000..78a75e7
--- /dev/null
+++ b/secrets/monolith/wg.yaml
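Review bot: `forServer` is built with `builtins.mapAttrs`, so it evaluates to an attribute set keyed by client name, whereas the value it replaces in server.nix in this same commit (`peers = [ { ... } ];`) was a list; unless the enclosing option outside that hunk accepts an attribute set, `peers = peers.forServer;` will fail the list type check at evaluation. Writing it as `forServer = lib.mapAttrsToList (_: v: { inherit (v) publicKey allowedIPs; }) clients;` keeps it parallel with `forClient` and fixes the server.nix hunk without touching it. A second point on `forClient`: it now hands every other client to wg-quick as a direct peer with its /32 in `allowedIPs` but no `endpoint`, and WireGuard delivers an outgoing packet to the peer with the most specific matching `allowedIPs`, so if harbor's entry (above this hunk) covers the whole 10.10.10.0/24, client-to-client traffic is bound to a peer with no known endpoint and dropped instead of being relayed through harbor. If hub-and-spoke is the intent, `forClient` should return only `[harbor]` with harbor forwarding; if direct peering is the intent, each client entry needs an `endpoint`.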
@@ -0,0 +1,30 @@
+privateKey: ENC[AES256_GCM,data:gcbi+wMK1WQSmehGdct9gA4R84u9N0bRXY29N3qTad7yMuI0EFmkyP87y9A=,iv:UYf+cn9nvlREIsDDK8DPByhPf5f1N5KmIyX5D21Oj0c=,tag:R2Ra5mX0K+PL/jeThIM27A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1clh2c489j7mx94aqr44u6k2cx5axqme9rlshqu9l2mcynluwhq6qwn0sv0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYnJBTmpUd1BLbEY2K0Ez
+ UEh1N2RENjZNamdKSG9CYXpLVWRoL05jWGg4CmZlMDAzV0o1RU5id3R6VjNvZkg1
+ bjF4eGs1d3Y3NHdTVDQ2dFRTT3Fncm8KLS0tIHk1RXllN0QyR3dPamlhZVJaVU94
+ M2hUemQ0SHcrdENRSEY4bGhJS1lWV1kKzITAPa+BEf5Ij7+QUK9pOgrwc3huqcWu
+ shkTYFjXKZ4tBZDxGfdHsW/jHk9hu5sXoVjt8vj5E8VmWi0sZ8i3RA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBITk9ub05tb2NqVW5kbzNE
+ bGF6UzZ1eDJwTjNhSE5XZ2haOW9RUEk1UGlRClljOHkyQW5JSHV1ejZETVBpalJ6
+ MDBNNE1rQXVIWjhvUU9aVFM4YSs0dzAKLS0tIEdKdGpzMXlMc2JSMWlUOXIzRVVS
+ cHQzMzNUdWtmeVNpZ0VJQWdLZENBTGMKI9yjvpAz/1Ja40Gywq7hpmTLb8VmNJDN
+ 59UBUqIWN9itItBZ4X4PaW0u3Vn4QKlLYi+t5fIzlP8Se+reLPVuRg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-05-13T20:03:12Z"
+ mac: ENC[AES256_GCM,data:hFqoPLdNCR4XurK17pVRzwM5BJVhgDGPw+cjOBiSV7bBy6SEAyNo23a1ECVxO0RM77WKxspNzFze72h9ibt2KMGTFYh0FmBvgBngu4jxTd8nHGhnHjCeSj19iR2LzBiTxJKGpUzKqXgMgY0iXFkqQffd0+m5RUGEFL2xZShSnLs=,iv:ZBHAlT3RrQimRojwGFksOPHS1nndbVA4qJBUE8YaLx0=,tag:xZAL5cOMPd8ISAufzZluiw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4