wg-home: make wireguard pubkeys configurable; we'll want one per host

2023-01-20 06:09:57 +00:00 · 2023-01-20 06:09:57 +00:00 · 7c18d77046
commit 7c18d77046
parent 02f316f7f8
2 changed files with 15 additions and 2 deletions
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@ -20,6 +20,13 @@ let
          e.g. "ssh-ed25519 AAAA<base64>".
        '';
      };
+      wg-home.pubkey = mkOption {
+        type = types.nullOr types.str;
+        description = ''
+          wireguard public key for the wg-home VPN.
+          e.g. "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=".
+        '';
+      };
    };
  });
 in
@ -41,18 +48,24 @@ in
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFw9NoRaYrM6LbDd3aFBc4yyBlxGQn8HjeHd/dZ3CfHk";
    };
+
    sane.hosts.by-name."lappy" = {
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSJnqmVl9/SYQ0btvGb0REwwWY8wkdkGXQZfn/1geEc";
+      wg-home.pubkey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
    };
+
    sane.hosts.by-name."moby" = {
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
    };
+
    sane.hosts.by-name."servo" = {
      ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
      ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
+      wg-home.pubkey = "cy9tvnwGMqWhLxRZlvxDtHmknzqmedAaJz+g3Z0ILG0=";
    };
+
    sane.hosts.by-name."rescue" = {
      ssh.user_pubkey = null;
      ssh.host_pubkey = null;
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@ -37,7 +37,7 @@ in
        peers = [
          {
            # server pubkey
-            publicKey = "cy9tvnwGMqWhLxRZlvxDtHmknzqmedAaJz+g3Z0ILG0=";
+            publicKey = config.sane.hosts.by-name."servo".wg-home.pubkey;

            # accept traffic from any IP addr on the other side of the tunnel
            # allowedIPs = [ "0.0.0.0/0" ];
@ -61,7 +61,7 @@ in
        peers = [
          {
            # lappy
-            publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
+            publicKey = config.sane.hosts.by-name."lappy".wg-home.pubkey;
            allowedIPs = [ "10.0.10.20/32" ];
            # allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
            # allowedIPs = [ "0.0.0.0/0" ];