Add wireguard server @arrakis

2 files changed, 73 insertions, 3 deletions

diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index 06b1f2b..f9277f8 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -63,6 +63,57 @@
     nameservers = [ "192.168.1.1" ];
     nftables.enable = true;
     useDHCP = false;
+    wg-quick.interfaces = {
+      wg0 = {
+        address = [
+          "10.4.20.1/24"
+        ];
+        ListenPort = 51820;
+        peers = [
+          { # black-sheep
+            allowedIPs = [ "10.4.20.2/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/black-sheep_psk".path}";
+            publicKey = "wQsGWsfXI2+GmKHdCH2V2xIeTyV2YlH/IFp6gerxcW8=";
+          }
+          { # lilnasx
+            allowedIPs = [ "10.4.20.3/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/lilnasx_psk".path}";
+            publicKey = "87cANtuPf28vGrB0uL69/tXgsD/30FUYt/XevQjpz3o=";
+          }
+          { # ramped
+            allowedIPs = [ "10.4.20.4/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/ramped_psk".path}";
+            publicKey = "TvE3f0QKJXUn8pxmKMaztFvRIdi9z9dxNDN2KNdtRXQ=";
+          }
+          { # homer
+            allowedIPs = [ "10.4.20.5/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/homer_psk".path}";
+            publicKey = "FBc2ZnypwHgjLQcZrwzPR35gax8JsXLa1ZcZy6iAc3Q=";
+          }
+          { # treebeard
+            allowedIPs = [ "10.4.20.6/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/treebeard_psk".path}";
+            publicKey = "aYh7q1QNmz6TLYx5OsZcyHQe45Dv0SyIOCtRp1NHDU8=";
+          }
+          { # lolli
+            allowedIPs = [ "10.4.20.7/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/lolli_psk".path}";
+            publicKey = "npt86Lt/f/9J3qS6u6C0X1MFHIONaA5PKE6lzwwUxTc=";
+          }
+          { # timetrad
+            allowedIPs = [ "10.4.20.8/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/timetrad_psk".path}";
+            publicKey = "/lWCEMGRIr3Gl/3GQYuweAKylhH5H2KqamiXeocYFVM=";
+          }
+          { # ginaz
+            allowedIPs = [ "10.4.20.254/32" ];
+            presharedKeyFile = "${config.sops.secrets."wireguard/ginaz_psk".path}";
+            publicKey = "GuE9PVeS0IDTcaBxOSJmKlvEx2xflxwVGOU+uM0HhBk=";
+          }
+        ];
+        privateKeyFile = "${config.sops.secrets."wireguard/arrakis_key".path}";
+      };
+    };
     wireless = {
       enable = true;
       networks = {
@@ -70,7 +121,7 @@
           pskRaw = "ext:psk_crystal_palace";
         };
       };
-      secretsFile = "/run/secrets/wpa_supplicant";
+      secretsFile = "${config.sops.secrets."wpa_supplicant".path}";
     };
   };
 
@@ -83,6 +134,15 @@
 
     secrets = {
       "nftables/ssh" = {};
+      "wireguard/arrakis_key" = {};
+      "wireguard/black-sheep_psk" = {};
+      "wireguard/ginaz_psk" = {};
+      "wireguard/homer_psk" = {};
+      "wireguard/lilnasx_psk" = {};
+      "wireguard/lolli_psk" = {};
+      "wireguard/ramped_psk" = {};
+      "wireguard/timetrad_psk" = {};
+      "wireguard/treebeard_psk" = {};
       "wpa_supplicant" = {};
     };
   };
diff --git a/hosts/secrets/arrakis.yaml b/hosts/secrets/arrakis.yaml
index 54fb561..57cb20d 100644
--- a/hosts/secrets/arrakis.yaml
+++ b/hosts/secrets/arrakis.yaml
@@ -1,5 +1,15 @@
 nftables:
     ssh: ENC[AES256_GCM,data:7XB18w9GPsqxT3MOjfxOyYIjgDZoPzWhKTJIGkhcRGXpf68OekCA0Jv3v5g81pxYNHQz5ky1//T5eEEhskBNT1dalScYXMm90CUOlYKHF975SW46p9ht357vUHngxnu4/Dh36Zmn7u4CMxUIeYsVXXVqujCFH+Ypuy7702hwyNJWa/u5Ik8rlsMMtO8aO+31xMf8MaCGVghDzXqXWaV9FJuuH69TJW0tW1Td2QD9yaMkH1kVSRXYi34Zbgcmf6MzGtWkytexjLqejegFUZ/7D6vQrGQIwYkTmtBvqlf0UUOKkZzXRp9e0ScWNnGJKbQSMes1ablDzwcuTzF6HS04Aykf0/CN8k71PxojWdd8HJEEKp1rL2CFW8LB/7CY8MD5zP4JcUilNiyzaFFQU93BRPg+7T6Dhk+qNIYCRaG/xLxzi4SxVSfMhI++/JwhOFatk9hOs3z8d4JgvMgTN0gKZJftt17CJMlAq3iDNvQC8aiIVaGHKoCSDUBBGS4zI75b8AcWRcSUNTixWnCx89KBBzQYTy4h3ZO0n6SsQvKyKdPWcVpnQtRqcToEJcCwvdwZXW3RfuRutmJb19yxIIagKEqWVYvgxIEZ19aV6HLJwUEnP761VsnskTVXbdPIctl4H5Mdg++K919ZVNZ56I0sE3c4TKukVsT+bn84ymoF/BUO+yvszptiCtpoJMLM/MPBbDT+3HB/rdi3gZKi1/MS3uj9cDTQJa6HeXd0PxxRXrBZnMJouUhMdrfVeUdLRpzZbVEcL7BYy3IBWAT5UUsJ+UrkOgK9nySe0NQ27gxSpooOIaxg8QRH0KB5p6hn2cwIHXT6GqbWdxE9T0G3hQmAvab7xpPA0oDRW4jb236vzBvBt7dWlw3QxRZXClaa2f1tYY7e499xQ+KqgC/zaBHJy74dStbc+aVQQwUyy8PqQ3OkaKL4uAsJHbjNmomTtt4OLwWfJvPY1QprfrbyXpFF5hNupi7aiItluKVpTvw+Sou7N1gmcNsbYunVJC6MMN7TGw+YL9kQ6h+5hDnyOt3sa31mZpIU95+PV6vpdxxkT1NC/HskJDPfcnoYnVj7PuyaRij2yRdmL+o6bN1NhEGl6dDuGy3gW5wos03bb9voMlhStuxrvRjUr/db3U1Z1O5winpWyRsDxkZR2EA4MweNbkWSS3FrZkuY1pYJd2RClrUIfuviB9gBXwntkaD06NJlXYlHr989cWuqrxIJ+tjHwThwozQ8knYs+Aa8bIFiw6BoBeOxl2d4QHml+4LmuWxaRSx4RLprgXCvJewqClbxk+4oyW5NqXxtXIHCQawCW+Z8my9j1hfNgM6Ct4L3hH0IRE2wZML3URRlkPI/FpvjitR0IauPl090mQa/kSfAjd0pcdJy37garUh9xIxkwmoyF6i2lmb3KSrK9G0rYmVMYIM2BVFTICr7yEguX/azw8uSLNdjENZ0D8bLvFhjoYrBf2WryqPrvtwh8nH2Q6XBGvPMgO2Aj9x0UgxVoHFrFi1qsoKqJpDrrIGGqYMKDS+m3VorQ3DAoCOMS6A739rOzjxFvi6ZtA03v1W4bDtldmydiMYpBEIA+ZVw0+1NwsSq+vEEIuyhiA05ev8KrexFyixmMvmqS2iGoJ/0MqpYPDnXwbQS66HY+ipn3Ds0RyZdH1cQEgi89p77nb6tjMLBRdsvkoVGwXQqVsmbMbtDsBX8wyzc5GMjG5oY5nO0FQcnudQuA3BBHWFL4Q+eaPGDx27s9sQxKBRaPfMgBBMV63/nmAcSYaqN8S4lVHWrpZvUCxehZ+5rx5tmI0625JODfN0GWK/ef0XRGNBW1I1KZAw3XmhAo+a0jaWTMaQz++JuV0MpVD8/xViOMBQdNHlBoWyUb9ArdkF2gzjOsWW1zeAFT+KPVPFXu/fQ1ZTN4aUnomC2uLpfKBYkQp1qkXx+BNAWFfzEmv6BJbtJaT432S7KnRJTCyQVyATlnMI1hOgkZO+y1OTXguhy4OBbxjmkib3OpUt0yLGI4cb1s8JtA1T4ZDlK6u70+rE1AlYtRAc3OotAhbOv9Uo071Pr8CA6eCzAt4Y/gGcss/AJ7LB0rG4OCXw/N+ic5N9n0YGn3Zp2XRqheLVWrgZiuN7gj+rORS3EpLUb6JnkanXWM5dAY/gWbRd8+iF7cCRCtnkaARp9Uch77SntUdllX+AGIMnRtcAU1cYkEBzKsDLF0PPZQzPXE4z5cRH7rnDSTLixATHS70vwGkBOe7NukiXBVzK7GBCXP1nzJevb7BeeUg9rDcsCxyejoc7YA8+pczMNxl4wjx3H2/x+JhMWrYcZQdhi8Vzaeoz0ulW8xZ6tO4JhLPA/Cb66B0tq9Za6f+uaJOIfqnl0xem6Rif2qUiKkSAZ4rN/2j8pRj9BMXCvKSttvG6hTTaprCe9Jn9rGi84rnIwZmN98C9KyHaTeKPC2NC4ooCsxOZtpeCCXNfFhqDVGL15NhwCravL/8pKf9bFhKW8DOkZRPy7jWtCCfIu0kkuZUkBLfT1lQ6eXKB6P6sC04IgBPV8Euw3woPOgGkJXCfLnxLljgvn70P3VQ==,iv:OnEBPu/havLABMuANjiKMEmhPX2tk/PlyDY0FwvQnsI=,tag:Qny6XbCXMhAr1AjZjr0ucw==,type:str]
+wireguard:
+    arrakis_key: ENC[AES256_GCM,data:jJxltF+jMKMchavpXWKGFmFI3K/Qkgmroc68nUzYL71kKR+WFMPUzDjXW0Y=,iv:RESrP6zChCIMeDn65mu7ULvfeT5QRRX76TdyOAjE/fw=,tag:0QXp38YwTJZS8phv9ObrhQ==,type:str]
+    black-sheep_psk: ENC[AES256_GCM,data:ZBR7CQJLBltt9lTeN16SUte0xt90oVoJfvWrdF8gVAPQgvGIp/t3i5L2+eA=,iv:ilqCFzHhjgxU7FRcj0Ymi/t53NPt8QMJD56azsNQMe4=,tag:i4TIQryxzJpGaM8KGCVXQA==,type:str]
+    ginaz_psk: ENC[AES256_GCM,data:Iy/jyCcXl5VnSArA+Uazww/refw+Flopi2CnUgXyB/lnL6ykqawztK6KSBU=,iv:rB9eeMXqa+ZptLenJs/x9yffu4s10YwI11A1EPUHY54=,tag:1rw8SyfXyKA9IW3SUfYbTg==,type:str]
+    homer_psk: ENC[AES256_GCM,data:JaUJEWlcEhWeT+g5J+ysQ7rHFW8bxyDiciqrwL4JH493fQNCBnIkfJXtjfg=,iv:l95W7lVeBZhS2YwWN8biyFHBlAUwP7+DrSOVAhowC+I=,tag:q+wDpSGlT3nb+88yYMNzhQ==,type:str]
+    lilnasx_psk: ENC[AES256_GCM,data:wssUtPGQfs2Gt63Iq+QD7nQsAaua/OP0tcTmxlWFPTjPF3PzU2Y8m/76B3w=,iv:1jSwB0XkC+Gcn2JRNcaGd3hhJebmdfaF1N6PNDEdkSU=,tag:GVigw9hi66q2+q06g+WumA==,type:str]
+    lolli_psk: ENC[AES256_GCM,data:Qfwx/B44ptl/Rd2WzA1TN9ueCODooWUaDmOPfZLQ3F9NBDX/bdNebd0KS8M=,iv:YUWJg3OVcOA2v4XTxNUfmzNUXsgdrKxujde7xYIaQUg=,tag:UJU98dTeniaBjl/M0A9UuA==,type:str]
+    ramped_psk: ENC[AES256_GCM,data:TCeXW9SWFEq7H7YdEE4E7gLoMC8F4GwSPBtvh8Zv6OQ3Ni0LdZBH9IHmPT4=,iv:U33J1eusuCiC41zla2ieIFKzmmgL/TlkLmH/5El3u4s=,tag:Z4QzImR0T2XzdI26nlX+/Q==,type:str]
+    timetrad_psk: ENC[AES256_GCM,data:zAOHUlk6VJd+w6ePcDAPhpmPmlogwqUh5zhDpnW7cbXflIdLtFN9YQbOYtc=,iv:DpqIP+uTxRY7Dl0WwOvAr/dDFeARCVZKNKKKCrgOkYA=,tag:IP+nUZS3klUvHNzbgS4IjQ==,type:str]
+    treebeard_psk: ENC[AES256_GCM,data:EjzdD4siZfCkwd6pX82C2HP8I0avKjStv6fleURD2cPkGmBFDH//MLYcY/k=,iv:yCc+U3+kAzOroOxO04EKVrbuqr85Y8cZ343UN4s3nBg=,tag:r5piVnM+Q5+0HRRMpVwmSA==,type:str]
 wpa_supplicant: ENC[AES256_GCM,data:HHs6g3qaaeinVGgteExQvhE0CEC94WjJ0tV7pyI=,iv:6F+DYHieaWWo+V1F9yjwWT7PcdiIpH48nv1SUrFHePk=,tag:cpimCP+YNmCI+t+wpuXwHg==,type:str]
 sops:
     kms: []
@@ -25,8 +35,8 @@ sops:
             ejRLb2Vkd1B3QmxLSE1wUzgrazZJT0UKz1IQxYm7hagYtBsWTpk+f6/79ArRUgNL
             MfhHMQAwuuXjBSmuFolyU3UoWnDYK6uGAv5nlTJxESqj5eQBafItSw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-13T06:55:41Z"
-    mac: ENC[AES256_GCM,data:71ifeYVwz7jt6Cv19MS2g9VYmQVhygEVAW5xLdblTAofUcNQsEO3JOJyhqICJqdU1nmy1/BlD0pM8hgyqLu96fL24b5N9uZb7S0B2hStlP7TOCot6UoX4Hmb5n2CRiKBgvdtDz86T4EOLfNXBPxSKr1W+mluSYtMJa+aNl0PXqA=,iv:EvwQkyyKybKDo1kMuzFb5FNs6ffoh9qnA3iiXLLyXMo=,tag:AmfdT6lxvbub3PvPKCAwsA==,type:str]
+    lastmodified: "2024-10-13T08:39:41Z"
+    mac: ENC[AES256_GCM,data:+MnJGp0Oi3eXCDgFa6Jl7v+U1X8iSvBTiZT/Et2O3Z5YKKSpjSyuOUp4wxvUKC1w7lwLCPil3TuanEmB5j9fCPFLd4vRqb1bwPy4x9AoJGCut1jDIT+ywSVjhN2jV4Mg1RbCXHRJN/QhSylXuBhDYIVF9mriGamY2ZiRra+Z7Is=,iv:STqOryc9DWJETRLYy6A1Z6DRdxK6/cDRurpmUYml3JU=,tag:rH+NLwBOiIoHc9HmzXthvA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1