authorMark Nipper <nipsy@bitgnome.net>2024-10-13 01:42:13 -0700
committerMark Nipper <nipsy@bitgnome.net>2024-10-13 01:42:13 -0700
commit1808cc6ff71511708f508f61018196cd781d6b7b (patch)
tree5e6c240aafe3d565321b357973989c0bf41aa4a4 /hosts/arrakis/default.nix
parent740b45d77a7239b7cae8e01c5d0d68d7e82124e6 (diff)
Add wireguard server @arrakis
Diffstat (limited to 'hosts/arrakis/default.nix')
-rw-r--r--hosts/arrakis/default.nix62
1 files changed, 61 insertions, 1 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 06b1f2b..f9277f8 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -63,6 +63,57 @@
nameservers = [ "192.168.1.1" ];
nftables.enable = true;
useDHCP = false;
+ wg-quick.interfaces = {
+ wg0 = {
+ address = [
+ "10.4.20.1/24"
+ ];
+ ListenPort = 51820;
+ peers = [
+ { # black-sheep
+ allowedIPs = [ "10.4.20.2/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/black-sheep_psk".path}";
+ publicKey = "wQsGWsfXI2+GmKHdCH2V2xIeTyV2YlH/IFp6gerxcW8=";
+ }
+ { # lilnasx
+ allowedIPs = [ "10.4.20.3/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/lilnasx_psk".path}";
+ publicKey = "87cANtuPf28vGrB0uL69/tXgsD/30FUYt/XevQjpz3o=";
+ }
+ { # ramped
+ allowedIPs = [ "10.4.20.4/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/ramped_psk".path}";
+ publicKey = "TvE3f0QKJXUn8pxmKMaztFvRIdi9z9dxNDN2KNdtRXQ=";
+ }
+ { # homer
+ allowedIPs = [ "10.4.20.5/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/homer_psk".path}";
+ publicKey = "FBc2ZnypwHgjLQcZrwzPR35gax8JsXLa1ZcZy6iAc3Q=";
+ }
+ { # treebeard
+ allowedIPs = [ "10.4.20.6/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/treebeard_psk".path}";
+ publicKey = "aYh7q1QNmz6TLYx5OsZcyHQe45Dv0SyIOCtRp1NHDU8=";
+ }
+ { # lolli
+ allowedIPs = [ "10.4.20.7/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/lolli_psk".path}";
+ publicKey = "npt86Lt/f/9J3qS6u6C0X1MFHIONaA5PKE6lzwwUxTc=";
+ }
+ { # timetrad
+ allowedIPs = [ "10.4.20.8/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/timetrad_psk".path}";
+ publicKey = "/lWCEMGRIr3Gl/3GQYuweAKylhH5H2KqamiXeocYFVM=";
+ }
+ { # ginaz
+ allowedIPs = [ "10.4.20.254/32" ];
+ presharedKeyFile = "${config.sops.secrets."wireguard/ginaz_psk".path}";
+ publicKey = "GuE9PVeS0IDTcaBxOSJmKlvEx2xflxwVGOU+uM0HhBk=";
+ }
+ ];
+ privateKeyFile = "${config.sops.secrets."wireguard/arrakis_key".path}";
+ };
+ };
wireless = {
enable = true;
networks = {
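Review bot: `ListenPort = 51820;` in the `wg0` block is capitalised, while the NixOS wg-quick module names this option `listenPort`. As written, evaluation will most likely fail on an unknown option rather than bind the port, so the line should read `listenPort = 51820;`. The context also shows `nftables.enable = true;`, and nothing in this hunk admits UDP 51820, so confirm that the ruleset defined elsewhere accepts it only on the intended interface. The enclosing `networking` block starts and ends outside the hunk.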
@@ -70,7 +121,7 @@
pskRaw = "ext:psk_crystal_palace";
};
};
- secretsFile = "/run/secrets/wpa_supplicant";
+ secretsFile = "${config.sops.secrets."wpa_supplicant".path}";
};
};
@@ -83,6 +134,15 @@
secrets = {
"nftables/ssh" = {};
+ "wireguard/arrakis_key" = {};
+ "wireguard/black-sheep_psk" = {};
+ "wireguard/ginaz_psk" = {};
+ "wireguard/homer_psk" = {};
+ "wireguard/lilnasx_psk" = {};
+ "wireguard/lolli_psk" = {};
+ "wireguard/ramped_psk" = {};
+ "wireguard/timetrad_psk" = {};
+ "wireguard/treebeard_psk" = {};
"wpa_supplicant" = {};
};
};
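Review bot: The new `wireguard/*` secrets are declared as bare `{}`, so rotating the private key or a PSK in the sops file will not restart the tunnel. The old key material then stays loaded in the interface until a manual restart or reboot. sops-nix accepts `restartUnits` per secret, so each entry could become e.g. `"wireguard/arrakis_key" = { restartUnits = [ "wg-quick-wg0.service" ]; };` (unit name presumed from the interface name; confirm on the host). The enclosing `sops` block starts outside the hunk, so any defaults set there are not visible here.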