From 2a29f5587aeb869285ccdc80013ac9259240a8b7 Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Fri, 6 Dec 2024 19:42:52 +0100
Subject: [PATCH] add wireguard config to all other hosts into wheatley and auto-enable

---
 nixos/hosts/EDI/configuration.nix | 22 ++++++++++++++++++++++
 nixos/hosts/GLaDOS/configuration.nix | 22 ++++++++++++++++++++++
 nixos/hosts/shodan/configuration.nix | 22 ++++++++++++++++++++++
 3 files changed, 66 insertions(+)

diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix
index a71f2fb..1ef187f 100644
--- a/nixos/hosts/EDI/configuration.nix
+++ b/nixos/hosts/EDI/configuration.nix
@@ -5,6 +5,7 @@
 outputs,
 lib,
 pkgs,
+ config,
 ...
 }: {
 # You can import other NixOS modules here
@@ -44,6 +45,27 @@
 
 networking.hostName = "EDI";
 
+ sops.secrets."wg-private-key".mode = "0440";
+ sops.secrets."wg-private-key".owner = config.users.users.root.name;
+
+ networking.wireguard.enable = true;
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ autostart = true;
+ dns = ["1.1.1.1"];
+ address = ["10.5.5.3/32"];
+ privateKeyFile = config.sops.secrets."wg-private-key".path;
+ peers = [
+ {
+ publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
+ endpoint = "84.87.146.85:5181";
+ allowedIPs = ["10.47.47.0/24"];
+ }
+ ];
+ };
+ };
+
 # Lanzaboote currently replaces the systemd-boot module.
 # This setting is usually set to true in configuration.nix
 # generated at installation time. So we force it to false
diff --git a/nixos/hosts/GLaDOS/configuration.nix b/nixos/hosts/GLaDOS/configuration.nix
index 73ffc6f..3187bb8 100644
--- a/nixos/hosts/GLaDOS/configuration.nix
+++ b/nixos/hosts/GLaDOS/configuration.nix
@@ -4,6 +4,7 @@
 inputs,
 outputs,
 pkgs,
+ config,
 ...
 }: {
 # You can import other NixOS modules here
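Review bot: The interface address `10.5.5.3/32` lies outside the peer's `allowedIPs = ["10.47.47.0/24"]`, so if wheatley's own wg0 address is in 10.5.5.0/24 (which the per-host /32 assignments suggest, though wheatley's config is not in this patch) no route to it is installed and any packet it sends from that address is dropped by WireGuard's cryptokey routing; in that case the peer needs its tunnel network too, e.g. `allowedIPs = ["10.47.47.0/24" "10.5.5.0/24"];`. The same applies to the GLaDOS and shodan hunks that follow. Separately, `dns = ["1.1.1.1"]` makes wg-quick push 1.1.1.1 as the host's resolver for as long as the tunnel is up, and because 1.1.1.1 is not in allowedIPs those queries leave the host outside the tunnel rather than through wheatley, so either point `dns` at a resolver reachable through the tunnel or drop the option. The key file mode `"0440"` can be tightened to `"0400"`: wg-quick reads the file as root, so group read access is not needed.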
@@ -86,6 +87,27 @@
 # virtualisation.waydroid.enable = false;
 networking.hostName = "GLaDOS";
 
+ sops.secrets."wg-private-key".mode = "0440";
+ sops.secrets."wg-private-key".owner = config.users.users.root.name;
+
+ networking.wireguard.enable = true;
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ autostart = true;
+ dns = ["1.1.1.1"];
+ address = ["10.5.5.2/32"];
+ privateKeyFile = config.sops.secrets."wg-private-key".path;
+ peers = [
+ {
+ publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
+ endpoint = "84.87.146.85:5181";
+ allowedIPs = ["10.47.47.0/24"];
+ }
+ ];
+ };
+ };
+
 # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
 system.stateVersion = "24.11";
 }
diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix
index 7e693da..3ab20cb 100644
--- a/nixos/hosts/shodan/configuration.nix
+++ b/nixos/hosts/shodan/configuration.nix
@@ -3,6 +3,7 @@
 outputs,
 lib,
 pkgs,
+ config,
 ...
 }: {
 imports = [
@@ -213,6 +214,27 @@
 
 networking.hostName = "shodan";
 
+ sops.secrets."wg-private-key".mode = "0440";
+ sops.secrets."wg-private-key".owner = config.users.users.root.name;
+
+ networking.wireguard.enable = true;
+
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ autostart = true;
+ dns = ["1.1.1.1"];
+ address = ["10.5.5.4/32"];
+ privateKeyFile = config.sops.secrets."wg-private-key".path;
+ peers = [
+ {
+ publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
+ endpoint = "84.87.146.85:5181";
+ allowedIPs = ["10.47.47.0/24"];
+ }
+ ];
+ };
+ };
+
 security.tpm2.enable = true;
 security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
 security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
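Review bot: The wg0 block is pasted verbatim into EDI, GLaDOS and shodan with only `address` differing, so the peer public key, endpoint and allowedIPs now live in three places and a key rotation or endpoint change on wheatley must be repeated per host. Consider moving the shared part into one module (e.g. `<PLACEHOLDER: nixos/modules/wheatley-wg.nix>`) that takes the host's tunnel address as an option and sets `sops.secrets."wg-private-key"` and `networking.wg-quick.interfaces.wg0` once, leaving each host with a single assignment. `networking.wireguard.enable = true;` also looks redundant next to wg-quick, which already brings in wireguard-tools and the kernel module on its own, so it can likely be dropped from all three hosts. Each host also needs its own keypair in its sops file; if the same `wg-private-key` were shared, wheatley could only track one of the three peers at a time.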