WG: simpler config

2023-07-02 15:22:22 +01:00 · 2023-07-02 15:22:22 +01:00 · db063ba40a
commit db063ba40a
parent 162ce91db7
9 changed files with 93 additions and 60 deletions
--- a/baldur/configuration.nix
+++ b/baldur/configuration.nix
@ -258,9 +258,21 @@
        {
          # odin
          publicKey = "LDBhvzeYmHJ0z5ch+N559GWjT3It1gZvGR/9WtCfURw=";
-          presharedKeyFile = config.age.secrets.odin_wg_psk.path;
+          presharedKeyFile = config.age.secrets.wg_psk.path;
          allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
        }
+        {
+          # oppo
+          publicKey = "OBk6bHKuIYLwD7cwjmAuMn57jXqbDwCL52jhQxiHnnA=";
+          presharedKeyFile = config.age.secrets.wg_psk.path;
+          allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
+        }
+        {
+          # thor
+          publicKey = "rpwR6n4IE96VZAmQDBufsWE/a9G7d8fpkvY1OwsbOhk=";
+          presharedKeyFile = config.age.secrets.wg_psk.path;
+          allowedIPs = [ "10.0.0.4/32" "fdc9:281f:04d7:9ee9::4/128" ];
+        }
      ];
    };
  };
--- a/flake.nix
+++ b/flake.nix
@ -103,10 +103,11 @@
        {
          # age.secrets.oauth_proxy_client_credentials.file = ./secrets/oauth_proxy_client_credentials.age;
          age.secrets.spotify_password = { file = ./secrets/spotify_password.age; owner = "bertof"; };
+          age.secrets.wg_psk = { file = ./secrets/wg_psk.age; };
          age.secrets.baldur_wg_priv = { file = ./secrets/baldur_wg_priv.age; };
          age.secrets.odin_wg_priv = { file = ./secrets/odin_wg_priv.age; };
-          age.secrets.baldur_wg_psk = { file = ./secrets/baldur_wg_psk.age; };
-          age.secrets.odin_wg_psk = { file = ./secrets/odin_wg_psk.age; };
+          age.secrets.oppo_wg_priv = { file = ./secrets/oppo_wg_priv.age; };
+          age.secrets.thor_wg_priv = { file = ./secrets/thor_wg_priv.age; };
        }

        ./nixos_modules/bertof_user.nix
--- a/odin/common_configuration.nix
+++ b/odin/common_configuration.nix
@ -51,11 +51,30 @@ with lib; {

        peers = [
          {
-            publicKey = "K57ikgFSR1O0CXWBxfQEu7uxSOsp3ePj/NMRets5pVc=";
-            presharedKeyFile = config.age.secrets.odin_wg_psk.path;
+            # baldur
+            # allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
            allowedIPs = [ "0.0.0.0/0" "::/0" ];
            endpoint = "baldur.bertof.net:51820";
-            persistentKeepalive = 25;
+            presharedKeyFile = config.age.secrets.wg_psk.path;
+            publicKey = "K57ikgFSR1O0CXWBxfQEu7uxSOsp3ePj/NMRets5pVc=";
+          }
+          {
+            # odin
+            publicKey = "LDBhvzeYmHJ0z5ch+N559GWjT3It1gZvGR/9WtCfURw=";
+            presharedKeyFile = config.age.secrets.wg_psk.path;
+            allowedIPs = [ "10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/128" ];
+          }
+          {
+            # oppo
+            publicKey = "OBk6bHKuIYLwD7cwjmAuMn57jXqbDwCL52jhQxiHnnA=";
+            presharedKeyFile = config.age.secrets.wg_psk.path;
+            allowedIPs = [ "10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/128" ];
+          }
+          {
+            # thor
+            publicKey = "rpwR6n4IE96VZAmQDBufsWE/a9G7d8fpkvY1OwsbOhk=";
+            presharedKeyFile = config.age.secrets.wg_psk.path;
+            allowedIPs = [ "10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/128" ];
          }
        ];
      };
--- a/secrets/baldur_wg_psk.age
+++ b/secrets/baldur_wg_psk.age
@ -1,27 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lC44xg siyicGezmHp45yWb72O5RifDMUe8cnNR/8rlMqkRLmg
-xA8vPnJazAWVVKJTzP2ngi/xHt/0V9n+9ijECsbXTgQ
-> ssh-ed25519 2L7QNA QcYCyrqUHqX5CE8KmVzMM+oaXOzCaEAyuy8JBYsJWwY
-WljidAlaPXxrfsZKtmDi5iGNqOBs3Tm4hXPeJB99vos
-> ssh-ed25519 sNAOqA /vCQydAHoSTaWDbjP9/NmM+CkdUrtO/XJjPCoN21xmU
-QsWk9YqL07P3UNkZt+5Xd4dZw7SENGOUAq/iHFee2nw
-> ssh-ed25519 13iwjQ oD0OpKZ+Vm0nWmworan8dWOAlUQsHDvpm3bqGrOxIQc
-pJL9YhA3sXjo38fRvYraL/gLn1rgSKspMizDUuEChYk
-> ssh-ed25519 7MB20A 7kq62RnldRIwC16RKEIsSwPTbn6eH+3FtfmVJucnAyQ
-EdyaTv+I+oA8/Y3RvaGTHwpLyzshfnVF4dq0nmo+IoU
-> ssh-ed25519 IvyYug BwwnIO+4eduO4rVu18pA1P3EWwA+9W0WtTlIGNlQ8EU
-o++5xPZGMS3K1ACfwbbnQ9BVj8+GNRGFXsiIrWxz1hk
-> ssh-ed25519 v7O/FA MK70P0PK1SeatEb/xbK6wU/1cfiYF4zzYpBHHwx6t2k
-y2iwBptLaMsNeRn00vuy2SfdQNRnXHTiBouZo5BBExs
-> ssh-ed25519 Wzv8ew N2K5VjuHs3/RvDkh9Hlrf+ZVfAAKNcLcQmp3k6Tym3U
-9ghaa0D4Bpmzd9Yvx+Er3qYFGuC7TSgIirto0uKZRZA
-> ssh-ed25519 XgC3XA CtfNLoBAYMvcyt602EkEqPB4Fz3CRQG76JC0N/qtvFw
-X60izqbZKHBqW0+L905eI3Ya6sKgHFU2HevkQfep4LQ
-> ssh-ed25519 l795CA F3NiNkDDNR3PTKnS5OwMLY7s+/3NGNYMS5kiQcV/mRI
-8jVt29DIRitRGOFPUV9ncHeFmBJflUcE8g9EB1C0pOk
-> Vb6Y-grease lf
-kGMEIpGP8XAGzA6XQgKWZ72fH+9KEjQs9zDiE+nAxJX9uQePckfa++O23ZAcfseA
-Hrs6EFSwE+9UvhUHBY+/uuaxKhYGLG9p7ALhut+l
--- 9TLi7lo+ZYZtWSsjavBdUPkkEZF+j14+YJ8szI/Dp5U
-i‰,šðwDƒÉ€ùBxþë`–ëçŒ–ËRètúº–ü´¿W&<26>îj6¿L øëDÐ	‘Xø»=<3D>¬ˆNw3ïò0Ž€J
-4Ø‡”0RC³
--- a/secrets/odin_wg_psk.age
+++ b/secrets/odin_wg_psk.age
@ -1,25 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 lC44xg sxuYE9qrczPu9f7HguM6FS+24q+c6awYijsW75PaM1M
-lyU5kWLbhh8DtYqOdAwhD6ichr8tXaojvaks8N7uoDQ
-> ssh-ed25519 2L7QNA FEhfHUdaVct+NguR2covi+uizBwJabG7Oi2Kx6XED3A
-1Uge6BVi8Q9Wobg8mbCCg2QqtZFprbE2ucZM2qTz5Do
-> ssh-ed25519 sNAOqA RdSNYpDBjrdCdGbqviLC/3jNUpQlJVcVDJBZsYuSeGA
-X+pXWiBGoaSbJx5IOS6TF+vbSunhsjViLk54os2Ry1c
-> ssh-ed25519 13iwjQ yD/1bxrjpl+U4x6EBz/BNZKwarc7O99VKN6CqD09CyE
-2fCHX+tX4bbWgqEERk6SYl1Ati67q4AtwELJ7iyoKcI
-> ssh-ed25519 7MB20A 3sdcbYjpK8ySeMjz8pOLFIaWFemso5li9lGyTQHQpmU
-9yTSX6juV9OBtWisz/q4cTDpRYJe2sUbqHutx1pOJN8
-> ssh-ed25519 IvyYug Mv0oOpFUJOFLaPQbGju5JW4yRbLTonz31mLLk4GwYE0
-2Pof++UU99R229ovY+jouIr+Ty4u3ysw56iLC8+j2Bg
-> ssh-ed25519 v7O/FA 4GV/vYqiRqLSUvtg+IdmQCd7xXUuJH0wqEuPw+SC4QQ
-hupPjtZWH1A88DMA+aw2DoyyHLPLzvHejA5ohqCje1s
-> ssh-ed25519 Wzv8ew O8GUxPSc8+CRD2so4nMsMbtjDa6QVnqSj+czUFcs3ww
-KsTescNrPtapbAzgQ4cxXteyok8JG/fPYsbSnOysdL0
-> ssh-ed25519 XgC3XA vNZvFuAycFWyiSpAyjQGfVH9Gz9OEL5AOqrZ3ChBv0E
-IOOU/ru6k93kSpaHFjgPLyTViOcQQF5Hhe+Rx0u0t68
-> ssh-ed25519 l795CA ukyFdc58fFZlyzT56cwuTq+yzD30/aUfrjIkcsqHlSA
-hGru5mUwFbpAhgavMmm/fJmVzhDlhhi3HvPiSKPObRo
-> hD3?-grease
-
--- IuZjNwhOjNv7HLoZy0MlS50zvRKTNSVM51/Qjdv4G70
-^k¯õÑ†)=?"S|s7¼?uÞ©aÌØ"N½ƒ—KãÆ+(´h|ÅáÚ¢º¸ì+â—Å
šôeÓŒêÏÇ„Íí¶\È@éžkT9Uæ®©
--- a/secrets/oppo_wg_priv.age
+++ b/secrets/oppo_wg_priv.age
@ -0,0 +1,26 @@
+age-encryption.org/v1
+-> ssh-ed25519 lC44xg Z9RaDb0JbVBLG7+KpVlmh5mi/oOz2cMSP/ITL66SOWY
+aALSGRpf1IODsqzc4arKp+YrUud6v3oGeqVsThZ5wtQ
+-> ssh-ed25519 2L7QNA gqNAVQUGZtzKFxJCmxA/DKJ/ZEM4tZB3wL+dpVw6X0Q
+nr8mkJ1WqTAyOEea9WitMRJxYnqecV5+oGmb6YFuH3U
+-> ssh-ed25519 sNAOqA QB0rbnb35HyyN44jwxb2u5u8aWfan9ktNPEgdVIk52g
+TCU7phnf/DMyhZ4E5ZXc3LCqwEWbC5C1S98g88ZjFUM
+-> ssh-ed25519 13iwjQ ypYebKQM2OsgpoCdVQq3QNKSNZ/+oTDYEdMhwHtwsDA
+Eh9s3kC6dFjF7NvtcAmwt/zIBK5kXn+LqLGtknqVoGM
+-> ssh-ed25519 7MB20A If2LXQVdYMJpok0hjUU1GYmNX4VNJ8bhHfzkwX2n3kw
+6UEF27+gBhrZcLaBe5scN0QVkCKSUtja598zTAxmCqg
+-> ssh-ed25519 IvyYug SZGon3MLj789yMGfyZiIDcVwfzZC0BLFZYPma3gWIFs
+wQHTpASfufnGc+QPDuA56ECoYigESL/wVo/kbUxtBpc
+-> ssh-ed25519 v7O/FA P+VHlrU9rxL3GNbMWfq0J5BgSxeSFSoyZTwG9FhXRRs
+eTWRUf0In4uoi0PMX+3TpTBJbU8V8wa5XMTnD33rdVE
+-> ssh-ed25519 Wzv8ew kRo+OIwnSyoVNmsh4sskkJttJ8fpeHdjh480Xmt7wR0
+77vNZj942WVVx3qFN/NZqI+KHHFaT/145CfmMjC6LpI
+-> ssh-ed25519 XgC3XA dy3A48uxqMna0hD9TS1YmOyCeJpL1JZti9f7y1Isiik
+ZAAHRutLgNEiOj+7kS6DtqQpNSk5CwTa32wLc5rBhPY
+-> ssh-ed25519 l795CA ZgcVl+Ea0nZpHNQNvLgBTD+DHzz5odN3Pw6xAT8BQhQ
+DmB3Yl19+taWk2r7HvDB+oFXmyNJYKFbu4rJIGvYnCs
+-> nr:n[-grease *z #R=tf 3! TR@,U(%
+710uDuet/sVD1mEV+OuQGNZQTtfPSF2R5zSZI3cMPbsoJO/tNbzcpqy6BC7YCAuz
+UlaGBNdBrERq
+--- ZS8S8G4uTjw6PwljoDWkNyTQ3XgJEj5ujm0aFCeMkKg
+ö5¿¿[0Bx‡äözØáz<C3A1>Z?©IX)=DU®ýÆõÅN¹*ãˆ`ô©¹=qÍýø<C3BD>‚<EFBFBD>š®©ºœ²zmw>‘<H;F˜=¦FŸªSh4œ¢
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -30,7 +30,8 @@ in
  "nextcloud_admin_secret.age".publicKeys = users ++ systems;
  "nextcloud_bucket_secret.age".publicKeys = users ++ systems;
  "baldur_wg_priv.age".publicKeys = users ++ systems;
-  "baldur_wg_psk.age".publicKeys = users ++ systems;
  "odin_wg_priv.age".publicKeys = users ++ systems;
-  "odin_wg_psk.age".publicKeys = users ++ systems;
+  "oppo_wg_priv.age".publicKeys = users ++ systems;
+  "thor_wg_priv.age".publicKeys = users ++ systems;
+  "wg_psk.age".publicKeys = users ++ systems;
 }
--- a/secrets/thor_wg_priv.age
+++ b/secrets/thor_wg_priv.age
@ -0,0 +1,26 @@
+age-encryption.org/v1
+-> ssh-ed25519 lC44xg Z9RaDb0JbVBLG7+KpVlmh5mi/oOz2cMSP/ITL66SOWY
+aALSGRpf1IODsqzc4arKp+YrUud6v3oGeqVsThZ5wtQ
+-> ssh-ed25519 2L7QNA gqNAVQUGZtzKFxJCmxA/DKJ/ZEM4tZB3wL+dpVw6X0Q
+nr8mkJ1WqTAyOEea9WitMRJxYnqecV5+oGmb6YFuH3U
+-> ssh-ed25519 sNAOqA QB0rbnb35HyyN44jwxb2u5u8aWfan9ktNPEgdVIk52g
+TCU7phnf/DMyhZ4E5ZXc3LCqwEWbC5C1S98g88ZjFUM
+-> ssh-ed25519 13iwjQ ypYebKQM2OsgpoCdVQq3QNKSNZ/+oTDYEdMhwHtwsDA
+Eh9s3kC6dFjF7NvtcAmwt/zIBK5kXn+LqLGtknqVoGM
+-> ssh-ed25519 7MB20A If2LXQVdYMJpok0hjUU1GYmNX4VNJ8bhHfzkwX2n3kw
+6UEF27+gBhrZcLaBe5scN0QVkCKSUtja598zTAxmCqg
+-> ssh-ed25519 IvyYug SZGon3MLj789yMGfyZiIDcVwfzZC0BLFZYPma3gWIFs
+wQHTpASfufnGc+QPDuA56ECoYigESL/wVo/kbUxtBpc
+-> ssh-ed25519 v7O/FA P+VHlrU9rxL3GNbMWfq0J5BgSxeSFSoyZTwG9FhXRRs
+eTWRUf0In4uoi0PMX+3TpTBJbU8V8wa5XMTnD33rdVE
+-> ssh-ed25519 Wzv8ew kRo+OIwnSyoVNmsh4sskkJttJ8fpeHdjh480Xmt7wR0
+77vNZj942WVVx3qFN/NZqI+KHHFaT/145CfmMjC6LpI
+-> ssh-ed25519 XgC3XA dy3A48uxqMna0hD9TS1YmOyCeJpL1JZti9f7y1Isiik
+ZAAHRutLgNEiOj+7kS6DtqQpNSk5CwTa32wLc5rBhPY
+-> ssh-ed25519 l795CA ZgcVl+Ea0nZpHNQNvLgBTD+DHzz5odN3Pw6xAT8BQhQ
+DmB3Yl19+taWk2r7HvDB+oFXmyNJYKFbu4rJIGvYnCs
+-> nr:n[-grease *z #R=tf 3! TR@,U(%
+710uDuet/sVD1mEV+OuQGNZQTtfPSF2R5zSZI3cMPbsoJO/tNbzcpqy6BC7YCAuz
+UlaGBNdBrERq
+--- ZS8S8G4uTjw6PwljoDWkNyTQ3XgJEj5ujm0aFCeMkKg
+ö5¿¿[0Bx‡äözØáz<C3A1>Z?©IX)=DU®ýÆõÅN¹*ãˆ`ô©¹=qÍýø<C3BD>‚<EFBFBD>š®©ºœ²zmw>‘<H;F˜=¦FŸªSh4œ¢
--- a/secrets/wg_psk.age
+++ b/secrets/wg_psk.age