wg-home: make wireguard pubkeys configurable; we'll want one per host
parent
02f316f7f8
commit
7c18d77046
|
@ -20,6 +20,13 @@ let
|
|||
e.g. "ssh-ed25519 AAAA<base64>".
|
||||
'';
|
||||
};
|
||||
wg-home.pubkey = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
description = ''
|
||||
wireguard public key for the wg-home VPN.
|
||||
e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
in
|
||||
|
@ -41,18 +48,24 @@ in
|
|||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."lappy" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
|
||||
wg-home.pubkey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."moby" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."servo" = {
|
||||
ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
|
||||
ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
|
||||
wg-home.pubkey = "cy9tvnwGMqWhLxRZlvxDtHmknzqmedAaJz+g3Z0ILG0=";
|
||||
};
|
||||
|
||||
sane.hosts.by-name."rescue" = {
|
||||
ssh.user_pubkey = null;
|
||||
ssh.host_pubkey = null;
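Review bot: The new `wg-home.pubkey` option in the first hunk is declared as `types.nullOr types.str` without a `default`, and in the second hunk "moby" never sets it, so reading that host's key would most likely fail as an undefined option rather than yield null. Adding `default = null;` to the `mkOption` makes the "no key yet" state explicit. The type also accepts any string, whereas `types.nullOr (types.strMatching "[A-Za-z0-9+/]{43}=")` would reject a truncated key, or an ssh key pasted by mistake, at evaluation time. The description could also state that only the public half belongs here, since the value is stored in the world-readable Nix store. The enclosing option set begins above the hunk, and the "rescue" entry continues below it.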
|
||||
|
|
|
@ -37,7 +37,7 @@ in
|
|||
peers = [
|
||||
{
|
||||
# server pubkey
|
||||
publicKey = "cy9tvnwGMqWhLxRZlvxDtHmknzqmedAaJz+g3Z0ILG0=";
|
||||
publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;
|
||||
|
||||
# accept traffic from any IP addr on the other side of the tunnel
|
||||
# allowedIPs = [ "0.0.0.0/0" ];
|
||||
|
@ -61,7 +61,7 @@ in
|
|||
peers = [
|
||||
{
|
||||
# lappy
|
||||
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
||||
publicKey = config.sane.hosts.by-name."lappy".wg-home.pubkey;
|
||||
allowedIPs = [ "10.0.10.20/32" ];
|
||||
# allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
|
||||
# allowedIPs = [ "0.0.0.0/0" ];
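Review bot: Both `publicKey` lookups now read an option that may be null, and nothing in these hunks checks for that before the value reaches the peer definition. If "servo" or "lappy" has no `wg-home.pubkey`, the failure would presumably surface as a type error inside the wireguard module rather than as a clear message. An assertion beside each use would state the requirement, for example `assertions = [{ assertion = config.sane.hosts.by-name."servo".wg-home.pubkey != null; message = "servo has no wg-home.pubkey"; }];`. In the hunk at -61 the peer's `allowedIPs = [ "10.0.10.20/32" ]` is still hard-coded next to a key that is now looked up by host name, so keeping the tunnel address in the same per-host record would prevent a key from being paired with another host's address as peers are added. Both peer lists continue outside the hunks.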
|
||||
|
|