cofractal-ams01: add wg/peering to swann

This commit is contained in:
Luke Granger-Brown 2024-04-04 22:51:15 +00:00
parent 131a8e8535
commit fbe35f040b


@ -176,12 +176,94 @@ in
34197 # factorio 34197 # factorio
4001 # IPFS 4001 # IPFS
443 # HTTP/3 443 # HTTP/3
51821 51822 51823 # wireguard
]; ];
}; };
systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes"; systemd.network = let
systemd.network.networks."40-enp45s0f0np0".linkConfig.RequiredForOnline = "no"; wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
systemd.network.networks."40-enp45s0f1np1".linkConfig.RequiredForOnline = "no"; netdevConfig = {
systemd.network.networks."50-tailscale".linkConfig.RequiredForOnline = "no"; Name = name;
Kind = "wireguard";
Description = "WireGuard tunnel ${name}";
};
wireguardConfig = {
ListenPort = listenPort;
PrivateKeyFile = privateKey;
};
wireguardPeers = [{
wireguardPeerConfig = lib.mkMerge [{
PublicKey = publicKey;
AllowedIPs = [
"0.0.0.0/0"
"::/0"
];
} (lib.mkIf (endpoint != null) {
Endpoint = endpoint;
})];
}];
};
swannWireguard = args: wireguard (args // {
privateKey = config.my.vault.secrets.wg-swann-private.path;
publicKey = "N7nMSpFl+t+FVluRJY8dGJuB4Yn11mJlBW5+LwFqOhg=";
});
rexxarWireguard = args: wireguard (args // {
privateKey = config.my.vault.secrets.wg-rexxar-private.path;
publicKey = "Rhzn9S8WLpoohsk0Y2oanQSa9waThlK7dbA7ufzzMSU=";
});
in {
netdevs."40-wg-swann-ee" = swannWireguard {
name = "wg-swann-ee";
listenPort = 51821;
};
netdevs."40-wg-swann-gnet" = swannWireguard {
name = "wg-swann-gnet";
listenPort = 51822;
endpoint = "185.250.189.20:51822";
};
netdevs."40-wg-rexxar" = rexxarWireguard {
name = "wg-rexxar";
listenPort = 51823;
};
networks."40-wg-swann-ee" = {
matchConfig.Name = "wg-swann-ee";
address = [
"92.118.30.1/31"
"2a09:a442::1:2/64"
];
};
networks."40-wg-swann-gnet" = {
matchConfig.Name = "wg-swann-gnet";
address = [
"92.118.30.7/31"
"2a09:a442::4:2/64"
];
};
networks."40-wg-rexxar" = {
matchConfig.Name = "wg-rexxar";
address = [
"169.254.200.1/31"
];
};
networks."40-bond0".linkConfig.RequiredForOnline = "yes";
networks."40-enp45s0f0np0".linkConfig.RequiredForOnline = "no";
networks."40-enp45s0f1np1".linkConfig.RequiredForOnline = "no";
networks."50-tailscale".linkConfig.RequiredForOnline = "no";
networks."60-lo" = {
matchConfig.Name = "lo";
addresses = [{
addressConfig.Address = "127.0.0.1/8";
addressConfig.Scope = "host";
} {
addressConfig.Address = "::1/128";
} {
addressConfig.Address = "92.118.30.252/32";
} {
addressConfig.Address = "2a09:a442:2000::/128";
}];
};
};
my.ip.tailscale = "100.83.36.130"; my.ip.tailscale = "100.83.36.130";
my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6253:2482"; my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6253:2482";
my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ]; my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
@ -232,8 +314,12 @@ in
local = { local = {
routerID = "199.19.152.160"; routerID = "199.19.152.160";
}; };
export.v4 = [ ]; export.v4 = [ "92.118.28.0/24" ];
export.v6 = [ "2a09:a446:1337::/48" ]; export.v6 = [ "2a09:a446:1337::/48" "2a09:a442::/48" "2a09:a442:2000::/48" ];
internal.export.v4 = [ "92.118.30.252/32" ];
internal.export.v6 = [ "2a09:a446:1337::/48" "2a09:a442:2000::/48" "2a09:a442::/48" ];
peering.cofractal = { peering.cofractal = {
local = local // { local = local // {
v6 = "2a09:a446:1337:ffff::10"; v6 = "2a09:a446:1337:ffff::10";
@ -295,5 +381,19 @@ in
security.polkit.enable = true; security.polkit.enable = true;
users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ]; users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ];
my.vault.secrets = let
wireguardSecret = key: {
group = "systemd-network";
template = ''
{{- with secret "kv/apps/wireguard/cofractal-ams01" -}}
{{- .Data.data.${key} -}}
{{- end -}}
'';
};
in {
wg-swann-private = wireguardSecret "privateKeyToSwann";
wg-rexxar-private = wireguardSecret "privateKeyToRexxar";
};
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }
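Review bot: `wireguardSecret` sets only `group = "systemd-network"` and leaves the owner and mode of the rendered private key to whatever `my.vault.secrets` defaults to, so nothing in this hunk shows whether the key file ends up readable by networkd only, or by every local user; pin it explicitly next to `group`, e.g. `mode = "0440";`, if the option set (defined outside this commit) allows it. Note also that both swann tunnels, `wg-swann-ee` and `wg-swann-gnet`, are built by `swannWireguard` from the same local private key and the same peer public key, so one key compromise covers both links and the remote side must likewise run two interfaces on one keypair; that looks deliberate, but a one-line comment on `swannWireguard` such as `# both swann links intentionally share one keypair; they are told apart by listen port` would save the next reader from assuming a copy-paste error. The Vault template renders an empty file when `privateKeyToSwann` or `privateKeyToRexxar` is missing from the KV path, which only surfaces later as a netdev that fails to come up, so a failing `{{ with secret ... }}` (or a check in the consumer) would fail closed at render time instead.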