From 5966956e26f901f5d274e4d19405b81087dd75a5 Mon Sep 17 00:00:00 2001
From: Lillian-Violet
Date: Fri, 6 Dec 2024 19:16:11 +0100
Subject: [PATCH] add wireguard vpn into wheatley
---
 nixos/hosts/EDI/secrets/sops.yaml | 7 +++---
 nixos/hosts/GLaDOS/secrets/sops.yaml | 7 +++---
 nixos/hosts/shodan/secrets/sops.yaml | 7 +++---
 nixos/hosts/wheatley/configuration.nix | 32 ++++++++++++++++++++++++++
 nixos/hosts/wheatley/secrets/sops.yaml | 5 ++--
 5 files changed, 47 insertions(+), 11 deletions(-)
diff --git a/nixos/hosts/EDI/secrets/sops.yaml b/nixos/hosts/EDI/secrets/sops.yaml
index 195607f..0d21f88 100644
--- a/nixos/hosts/EDI/secrets/sops.yaml
+++ b/nixos/hosts/EDI/secrets/sops.yaml
@@ -1,4 +1,5 @@
 lillian-password: ENC[AES256_GCM,data:0mwqnvA+xrDD/m6uQtPbo9MpcFsOoqHE+Cg2gF6xZzNsqM3i/OmvAe7syp+mGBacZ3avoIHowLSWgXUkMcuFPeYa6XRkrX4LhA==,iv:f1kB54k6ZYWKlZ0Zowu8fOD0cf2WvNlX3GSpy1sUMdA=,tag:dsusc45E1BmYsNmiPzNccg==,type:str]
+wg-private-key: ENC[AES256_GCM,data:CqXlIN0gKzMrZRJycAf96LUVNw9yCZpHtE8XP+JwV2Ftip46iUksg1uExxQ=,iv:LdcopSz8Hx5hO1M00B8r+C7XViwpjGOpvmoXUHIkFtc=,tag:rbskx98YjcYV1lB8OO2VxQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +15,8 @@ sops:
             eUZ6b09pYlRVWFBuUm1Ua2l6Z0dacW8KeQdAVsxXsDiDMtFA2koSpDsw7Ib63vA0
             GE/ubWDwwRc7wMPFGuofIe6TaDSFgtVXza+yo+i4y51+BOpwqxlYYA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-21T10:15:11Z"
-    mac: ENC[AES256_GCM,data:AnQfufrAVvN2f2kr2KLM8toFj4BUxM1xvwH48DE1OcoenBlzQHu76R35cc9q0rJjOBWXYnZPLEHncE46XyXt56HPboH/blIEZwa9aL1pwDOV5UwbaqZTuSy7/Ylnn0ZoZtcD4gFnavWBT9iUgu3VjRso1i6eXm0Lc1mvwRbH63M=,iv:zJW4Bzm+IGzgxsFE7QP+E4RY5UoPWTUeo9RfoLpbSt8=,tag:E29Pnjtp0w05hdEQCmkj7A==,type:str]
+    lastmodified: "2024-12-06T18:01:20Z"
+    mac: ENC[AES256_GCM,data:UTzeVEUolw6oBrRL8NMEcb5WmJYUdKnnxKYTrV0AowX6B5Jk8e6hSHqMiEmY9yPdS0HGA0i+DirGvrW3TmsOk2XehsiNO9puXb0/6KiaTge4y3/ueVASAPs/qB9RR6EAdBiE1ZUKVy2vpL+x9xp5XY2F8aHIp22DmJ5Xg5oyWJc=,iv:1/Fj2xAKHUebsj1FLmmGAmvHXNYsLXIfP6F7PJ7EH9M=,tag:XvFBu2vCNj7UMbWVPgo94Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.1
diff --git a/nixos/hosts/GLaDOS/secrets/sops.yaml b/nixos/hosts/GLaDOS/secrets/sops.yaml
index 66274e0..dbe7de8 100644
--- a/nixos/hosts/GLaDOS/secrets/sops.yaml
+++ b/nixos/hosts/GLaDOS/secrets/sops.yaml
@@ -1,4 +1,5 @@
 lillian-password: ENC[AES256_GCM,data:aHJCYmnpGIWJMsNZ8aw51Rquuv4F7kgGvfIxHMELuDlEqgjkg+SAhh+UQEpv16F0WVxrYZ/EwxKFMBpfPv9M2NLZC98bav0D9g==,iv:uzYLfmxG46ubmgeFsfW7aqXZbcL+TQw0VdDcklV0/ZI=,tag:Ozcf5qXC7xh0VcsBzhyo2g==,type:str]
+wg-private-key: ENC[AES256_GCM,data:em6sci3eefw5TJHpzgTaGGuQp8UuvOmkHRsQltg0TKpMb1Lrcxicb23cQxo=,iv:VEeGmzncHyAgP5toTOwDK6qw0OT4/6Etxh8Zr4uYQD4=,tag:nvse11zMhzukzClx5ub4dw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +15,8 @@ sops:
             MUZWTVh0dVdMZlRzelJ4WlROUlIyNmcKphNuMN9Wh8h/gvmtUxQWjPKtgjWriLRD
             +DpEEVGrmu0RJ8/wUqjxGoL4GzLAlZm4EnKlyUyA0tw8sbLZ2Lnl/w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-22T11:58:42Z"
-    mac: ENC[AES256_GCM,data:TuNvE51hpHvOjB3G2y7UCT8BvlI1ulc8aeeBihtnGiGDjwU1Eze1bdA47hZYCZsCYdo3Tow1gY0gCkJACKeWqUXMLT8jxcUfiUWqQicQhBm/TT9m+oqLQiAqJCkh1Ez8XuaftqIg+oJstyy4wZyvMK8Bg+9EsSYiBnMrKfrgLBs=,iv:GXy93l1BBkkeKXJ1ntFI6Rw6QZmSbzDlWClJ16/Csv4=,tag:jBYynl6tLL/xN61ypMwvrw==,type:str]
+    lastmodified: "2024-12-06T17:57:35Z"
+    mac: ENC[AES256_GCM,data:ZZx+FdrqSTWWEUakpicUtKA0PVrlNkAq7n0oNYCTWJCdoiMrkMfZAH26Iv2KmMzeg1IaW4rQ83jmlEVy2CTXBDLiB6n1sXa1sqe0vzO3aNqjzaXzFh8Sa1d8NOsGtn+MiTJ7DK4YAx1As/GnqGQIWbBBSM7otquBHLAuzvn1YRE=,iv:BpMQR40gDZZRddKscAs3jZ3uRE905vled4pDD9et648=,tag:tZOZq//4oRkbIemeFAM7qA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.1
diff --git a/nixos/hosts/shodan/secrets/sops.yaml b/nixos/hosts/shodan/secrets/sops.yaml
index f203c8e..64419ad 100644
--- a/nixos/hosts/shodan/secrets/sops.yaml
+++ b/nixos/hosts/shodan/secrets/sops.yaml
@@ -1,4 +1,5 @@
 lillian-password: ENC[AES256_GCM,data:uPNBvMyhkiX3eedduFlsFUIcas/VBVSYrsmGTlgGUOzTQST59CYZRoq0ArphIJ3+Usy6KbR5tA5FCp4PoB3qVYBfjlAq6dhZIw==,iv:TiUIo2lvdL6SiDuW4gWn0TeJXkz5MldzqGxuK3MNPnE=,tag:d3p/h+q50JxygDtk2qxIeQ==,type:str]
+wg-private-key: ENC[AES256_GCM,data:PeuKeYRHfOzGlekLI95EH3qq+blntZrrboPKaKC0ghD5zIyaCYrFHYWLkug=,iv:BcugGYW7+i7d04H4EKn+BdJJPqwMVVvlHBETO0x0kQM=,tag:Z/ammSrFpWTIbVfi4VJZ9w==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +15,8 @@ sops:
             KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
             NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-19T00:42:59Z"
-    mac: ENC[AES256_GCM,data:WuwpvgM5WCmtsb9WH6us1dn0+qQuV/6+ooI8K7Wp+VFlMWLA4g509TgOFHG+cxWJeN2cRtilnHM1INv1U6uadjWis0LrjrqbHaMRJ5aAr3/zKoTXWTG4pRNykoYmCkwHLnx0gJi6hm4PbKOIFVM+6V5m9JCLKRVO6eqyW15SVww=,iv:xVR5ZGs2Ww+J57qreIlHSW8A+ADAOjzM7B+KLRFrRLw=,tag:6KTaeX8+Txz4j1UJUWRj+w==,type:str]
+    lastmodified: "2024-12-06T18:02:27Z"
+    mac: ENC[AES256_GCM,data:qMvaXA/3B7rp2BvG10lvLdY/rD1ooh0QwwdfgzixeoHZxnqxmz7HZGP1UE1bGIbLYYeWGEJW440uDll5Q3ky+0qz7W8VbFEYBjaCyNcicnlLgFZXKh2nxeErubzF+I82X8wfNndAH1HWZZmPasTdDHfudjWyZF4/JKPboiyr5xE=,iv:ikj6goYS81rixJDHCWag1pYD6bSasSVOYyENlRjqn9w=,tag:Q3hQO9rqwnCBRLxec0/LTg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.1
diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix
index 31aa0e1..2a85a17 100644
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@@ -138,9 +138,12 @@
   sops.secrets."protonvpn-priv-key".mode = "0440";
   sops.secrets."protonvpn-priv-key".owner = config.users.users.root.name;
+  sops.secrets."wg-private-key".mode = "0440";
+  sops.secrets."wg-private-key".owner = config.users.users.root.name;
   networking.wireguard.enable = true;
+  # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
   networking.wg-quick.interfaces = {
     # "wg0" is the network interface name. You can name the interface arbitrarily.
     wg0 = {
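Review bot: The new `# wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=` comment is placed above the whole `networking.wg-quick.interfaces` attrset, which also contains wg0 keyed from `protonvpn-priv-key`, so a reader cannot tell which interface's key it describes; it belongs inside the interface that uses `wg-private-key`, directly above its `privateKeyFile` line. The two added `sops.secrets."wg-private-key"` lines would also read better with a one-line note naming their consumer, e.g. `# private half of the wg1 hub key; peers pin the public key above`. Mode `"0440"` with a root owner mirrors the existing protonvpn entries, which is the right scope for a key file only wg-quick (running as root) needs. The enclosing attrset starts and ends outside the hunk.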
@@ -171,6 +174,35 @@
         }
       ];
     };
+    wg1 = {
+      autostart = true;
+      address = ["10.5.5.1/24"];
+      listenPort = 51820;
+      privateKeyFile = config.sops.secrets."wg-private-key".path;
+
+      peers = [
+        {
+          #GLaDOS public key
+          publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
+          allowedIPs = ["10.5.5.2/32"];
+        }
+        {
+          #EDI public key
+          publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
+          allowedIPs = ["10.5.5.3/32"];
+        }
+        {
+          #Shodan public key
+          publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
+          allowedIPs = ["10.5.5.4/32"];
+        }
+        {
+          #ADA public key
+          publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
+          allowedIPs = ["10.5.5.5/32"];
+        }
+      ];
+    };
   };
   networking.firewall = {
diff --git a/nixos/hosts/wheatley/secrets/sops.yaml b/nixos/hosts/wheatley/secrets/sops.yaml
index d89f8b9..4353e47 100644
--- a/nixos/hosts/wheatley/secrets/sops.yaml
+++ b/nixos/hosts/wheatley/secrets/sops.yaml
@@ -3,6 +3,7 @@ lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHS
 protonvpn-priv-key: ENC[AES256_GCM,data:s4LAq1Rqm+jGaK3OKcjIBCQYXPs3oEuTKJMAM+gFxIpZdwcJCIU7uyoCy6c=,iv:zoWv5u0xgJHldwdRGRv3bXI1kasaWQz1YD7wt0J890I=,tag:cFXnayZRq13UqP+XWuHnWw==,type:str]
 rpcSecret: ENC[AES256_GCM,data:3tCZk2csB/ofxPc6,iv:NwT6k1hh73moH6eErT23/Dvwgb1wP/qIuoxXnCgNSao=,tag:nh0mFsh9I4R1baCL1oH+AA==,type:str]
 webdav-secret: ENC[AES256_GCM,data:SDFyHaE+HprkguOmDfnzwQ/n5OYgbTpxcVl4FGiLcsItefbSDOIQg5l01fqVB8zv+rRGlPcyRrIn7KTPrTpBx7X4RNHfFK4FKKvAANt6z0e5pu1+wnoObWxTShCFjfFoRCLkoh/j/CmLFyFIafrI7rzZUhs=,iv:stygLmNVWXkZL5A0J83CKPefRr7TqXeygQVLszr28eY=,tag:9hss2c77JELSASnwUyAF4w==,type:str]
+wg-private-key: ENC[AES256_GCM,data:5WGAAst0qVqn1siX3snkAhsSDhZaS33XHT44BfViWLZqvzw+OhPB/jkSr4U=,iv:yXfN50SM3OWdycINB8iWXtvCSS01NBTrGBs1kxd1j0M=,tag:yhjDY1AM5aQ6DFeFEjo2Mw==,type:str]
 sops:
     kms: []
     gcp_kms: []
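Review bot: wg1 sets `listenPort = 51820;` but nothing in this commit opens that UDP port; the `networking.firewall = {` block begins on the hunk's last line and continues outside it, so unless it already lists 51820, peers cannot reach the hub and the fix is `networking.firewall.allowedUDPPorts = [ 51820 ];` (or an interface-scoped rule on the uplink). The peer list includes ADA, yet the diffstat only adds `wg-private-key` to EDI, GLaDOS and shodan and touches no other host's configuration.nix, so the client side of this tunnel and ADA's key presumably arrive in a later commit — a short comment above `peers = [` saying that would spare the next reader the search. The added peer comments `#GLaDOS public key` etc. should match the file's existing `# "wg0" is …` style with a space after `#`. The `networking.wg-quick.interfaces` attrset starts outside the hunk.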
@@ -18,8 +19,8 @@ sops:
             Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div
             bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-04T22:37:22Z"
-    mac: ENC[AES256_GCM,data:sOC3EwlVuPXRNDY9mMkp5+qiPvRc439DD2r9pfjPThV0YXb/HqFIyHEdNJDzvAj1hm20Qp0I45A3Hy2hKI6AKKtY9B8/fMu9EMdtkmmWk5Iav4jTYd8bbVyegILFfxix2DNbRrR95qPqwfjrq3E47c/JuM7DVCwueS5d22rbNrs=,iv:gcrCQs1fHRfU2IQo/vJ2u2ITau7wn+Zo0L4AO9RZbCE=,tag:PCYsDxhAHjIglHMikg97+A==,type:str]
+    lastmodified: "2024-12-06T17:42:47Z"
+    mac: ENC[AES256_GCM,data:Fcc8x/C6iv62OJeLSGZlfsLzscWVAki1vdJvPiApx8N0Uazkq0G5PS6haoLEtOzDw2Fi/0pvVWef+O+lOg/mtqxxNBXozv1f66Q9HQCZOZP0PRQPEVcWJJ/vuPMSOlQDEiGJnuakJZeOmtuZkGStcfmlcybsOlyvEYwvbpeweDI=,iv:oDpoDDcQ/+ovsjkCeRLx9Fpiv+0/f/KkC4fFDdUmxHo=,tag:SiYHQmVz0vLFCOs0xhgr4g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1