wg-home: use separate host key than client key
This commit is contained in:
parent
a3a7b6c563
commit
df848b3262
|
@ -35,6 +35,9 @@
|
||||||
sopsFile = ../../../secrets/servo.yaml;
|
sopsFile = ../../../secrets/servo.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.secrets."wg_home_server_privkey" = {
|
||||||
|
sopsFile = ../../../secrets/servo.yaml;
|
||||||
|
};
|
||||||
sops.secrets."wg_ovpns_privkey" = {
|
sops.secrets."wg_ovpns_privkey" = {
|
||||||
sopsFile = ../../../secrets/servo.yaml;
|
sopsFile = ../../../secrets/servo.yaml;
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) mkIf mkOption optionalAttrs types;
|
inherit (lib) mkIf mkMerge mkOption optionalAttrs types;
|
||||||
cfg = config.sane.services.wg-home;
|
cfg = config.sane.services.wg-home;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -15,61 +15,72 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable (mkMerge [
|
||||||
# wireguard VPN which allows everything on my domain to speak to each other even when
|
{
|
||||||
# not behind a shared LAN.
|
# wireguard VPN which allows everything on my domain to speak to each other even when
|
||||||
# this config defines both the endpoint (server) and client configs
|
# not behind a shared LAN.
|
||||||
|
# this config defines both the endpoint (server) and client configs
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
# for convenience, have both the server and client use the same port for their wireguard connections.
|
||||||
networking.wireguard.interfaces.wg-home = {
|
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||||
privateKeyFile = config.sops.secrets.wg_home_privkey.path;
|
networking.wireguard.interfaces.wg-home = {
|
||||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
listenPort = 51820;
|
||||||
} // (optionalAttrs (cfg.role == "client") {
|
};
|
||||||
# client IP (TODO: make host-specific)
|
}
|
||||||
ips = [ "10.0.10.20/32" ];
|
|
||||||
|
|
||||||
peers = [
|
{
|
||||||
{
|
networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "client") {
|
||||||
# server pubkey
|
privateKeyFile = config.sops.secrets.wg_home_privkey.path;
|
||||||
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
# client IP (TODO: make host-specific)
|
||||||
|
ips = [ "10.0.10.20/32" ];
|
||||||
|
|
||||||
# accept traffic from any IP addr on the other side of the tunnel
|
peers = [
|
||||||
allowedIPs = [ "0.0.0.0/0" ];
|
{
|
||||||
|
# server pubkey
|
||||||
|
publicKey = "cy9tvnwGMqWhLxRZlvxDtHmknzqmedAaJz+g3Z0ILG0=";
|
||||||
|
|
||||||
endpoint = "uninsane.org:51820";
|
# accept traffic from any IP addr on the other side of the tunnel
|
||||||
|
allowedIPs = [ "0.0.0.0/0" ];
|
||||||
|
|
||||||
# send keepalives every 25 seconds to keep NAT routes live
|
endpoint = "uninsane.org:51820";
|
||||||
persistentKeepalive = 25;
|
|
||||||
}
|
# send keepalives every 25 seconds to keep NAT routes live
|
||||||
];
|
persistentKeepalive = 25;
|
||||||
}) // (optionalAttrs (cfg.role == "server") {
|
}
|
||||||
ips = [
|
];
|
||||||
"10.0.10.5/24"
|
};
|
||||||
];
|
}
|
||||||
peers = [
|
{
|
||||||
{
|
networking.wireguard.interfaces.wg-home = lib.mkIf (cfg.role == "server") {
|
||||||
# peers and host all use the same key
|
privateKeyFile = config.sops.secrets.wg_home_server_privkey.path;
|
||||||
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
ips = [
|
||||||
allowedIPs = [ "10.0.10.0/24" ];
|
"10.0.10.5/24"
|
||||||
# allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
|
];
|
||||||
# allowedIPs = [ "0.0.0.0/0" ];
|
peers = [
|
||||||
}
|
{
|
||||||
# {
|
# peers all use the same key
|
||||||
# # lappy
|
publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";
|
||||||
# publicKey = "TODO";
|
allowedIPs = [ "10.0.10.0/24" ];
|
||||||
# allowedIPs = [ "10.0.10.20/32" ];
|
# allowedIPs = [ "10.0.10.0/24" "192.168.0.0/24" ];
|
||||||
# }
|
# allowedIPs = [ "0.0.0.0/0" ];
|
||||||
# {
|
}
|
||||||
# # desko
|
# {
|
||||||
# publicKey = "TODO";
|
# # lappy
|
||||||
# allowedIPs = [ "10.0.10.22/32" ];
|
# publicKey = "TODO";
|
||||||
# }
|
# allowedIPs = [ "10.0.10.20/32" ];
|
||||||
# {
|
# }
|
||||||
# # moby
|
# {
|
||||||
# publicKey = "TODO";
|
# # desko
|
||||||
# allowedIPs = [ "10.0.10.48/32" ];
|
# publicKey = "TODO";
|
||||||
# }
|
# allowedIPs = [ "10.0.10.22/32" ];
|
||||||
];
|
# }
|
||||||
});
|
# {
|
||||||
};
|
# # moby
|
||||||
|
# publicKey = "TODO";
|
||||||
|
# allowedIPs = [ "10.0.10.48/32" ];
|
||||||
|
# }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
]);
|
||||||
}
|
}
|
||||||
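Review bot: The server-side peer entry `publicKey = "pWtnKW7f7sNIZQ2M83uJ7cHg3IL1tebE3IoVkCgjkXM=";` with `allowedIPs = [ "10.0.10.0/24" ];` still authenticates every client with one shared key, so the server cannot tell hosts apart and any holder of that key can source traffic from any address in 10.0.10.0/24; this commit separates only the server's own key. The commented-out per-host peers below it (lappy/desko/moby, each with a /32 allowedIPs) are the right shape, and the `# peers all use the same key` comment could record the gap explicitly, e.g. `# TODO: per-host keys; with one shared key, cryptokey routing cannot pin a client to its own /32`. As a point of style, `mkIf` is already inherited from lib at the top of the file, so the two new `lib.mkIf (cfg.role == ...)` lines could be plain `mkIf` to match the enclosing `config = mkIf cfg.enable (mkMerge [`. The module attrset these blocks sit in opens in the earlier hunk, outside this one.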
|
|
|
@ -8,6 +8,7 @@ ddns_afraid: ENC[AES256_GCM,data:fTjwU7DoPDXulmjUNXSe5FVLGv4DvPvIHYCLwagVmKXlWOc
|
||||||
#ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
|
#ENC[AES256_GCM,data:zhL2iNWZ8xPbBneffWcc93ZCW/SDv5FH,iv:P3a8+oucJRM8o7hnHUxAvefHdZEAbKJKhK2Y1+r75GA=,tag:VFvFucE5c780RmspW7p8Qg==,type:comment]
|
||||||
#ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment]
|
#ENC[AES256_GCM,data:N0wn6NUjQKXFbSULhrKzqDc4bHVbM3JLWJwOu5Zoi00gCKSiMA==,iv:9NhoT+OM+bjz4DwRRm2c4rTBZ3Jr6eMOY7F1l4WeE1k=,tag:inkd6kw8HvT5Tz3UAbIklw==,type:comment]
|
||||||
wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2HjeGdaD7LxPud1VvfM=,iv:Rf647IlLImPu7l2CHqetjs0y6QkWdqXUO70OKfcII00=,tag:ykvKJ9BeTDbQqR7K5S6Rfw==,type:str]
|
wg_ovpns_privkey: ENC[AES256_GCM,data:+SdnhsPyg6Vbl0itNLq4fBPONLBknkjFCr/4shTr2HjeGdaD7LxPud1VvfM=,iv:Rf647IlLImPu7l2CHqetjs0y6QkWdqXUO70OKfcII00=,tag:ykvKJ9BeTDbQqR7K5S6Rfw==,type:str]
|
||||||
|
wg_home_server_privkey: ENC[AES256_GCM,data:epUVE8K2+fboEzPaDiznmI25HXcNluGV0QTGp0dk/dQIQkXmygYT3Bw9/s0=,iv:UJUA7dr98Lajn0gAmRfLdbIgiFjSp2XvZNrSs9pH9dg=,tag:ytgMS+vOcrWIJVX/qjZ2ww==,type:str]
|
||||||
#ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
|
#ENC[AES256_GCM,data:857w7AqbAbVTOKFLxKcMkcQjJ7EkHZFwBRwtCJFspOk8do2f,iv:bIrXzdrhRYk79ZV+JCdIw4UVxq11/tTZUDL6Bwf+NoE=,tag:igMRz5UPX//JrF9NGCOwHQ==,type:comment]
|
||||||
#ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
|
#ENC[AES256_GCM,data:KzCOrdCiXHrVx+oGj2mz/+zkZ8eRRnFhHadx6FlXj8OXQDMvDkSPi6G2f6j5FE//G2F321mZCiMJ1Mf32tItGb0SxoEhyO9wxTesNn45hmA7M0z5HqTxACU=,iv:ksdz8j2fq1W/xnzu0y1JaIgbKzjiqj2KHCEYhkEKsrM=,tag:dbH/vy4JgL1eUeNpv7afSQ==,type:comment]
|
||||||
dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
|
dovecot_passwd: ENC[AES256_GCM,data:GsXT6PQjCibzyr5G4W3IOIRL4xBuYqFYHpRJOjS2TvXIlTSwVrHbx5Vw5wLHI0zN14rvYy5sycJvEMiCC1YPVphAYNm7VHdo97sUGLpjZ1BpUaJ2KBx77jErxbPrJUSpAroojQFtXFYA2t2bTpOSjZGH7UeyZoLckZtdDqXmnBDvirwVDPNaPv04RrhnqehGyh8EN+b2b5KAm99U9H1oyxIL6mAMJo6FtduVejiVqJB2sl/myI5fJ+bvwkW1CLRmVi0JdVHs4BlTQpi5Q8Kx2SMOH02TP+QDSHv/O8ROpbZ8m0oTk2YbgAG7U8K0t55j8jjWX/7OD4nMv485PgzAMINdzI46g9l9afzo,iv:8MqpUkRPpGJiuWtrdTJAIDXrKZMI73LcwzOiqVMWR88=,tag:+zXmEPV90loAMJtL/+v3vA==,type:str]
|
||||||
|
@ -60,8 +61,8 @@ sops:
|
||||||
cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
|
cWplOHBNWjlJdGI3ZWtJc0t4Mk9URG8KE+9IPGYZsIs2PaDJ2AUE4gB4QEj5zo6P
|
||||||
aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
|
aZVbubu6Tbg+tD/98RkfWAkNvoVeDYuLNPDNgqOL0UgCQiTrPPaTjw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2022-12-15T09:12:44Z"
|
lastmodified: "2023-01-20T05:07:55Z"
|
||||||
mac: ENC[AES256_GCM,data:QQiTsQogs6MP9X0lrpf2FeSia6SeQP5/9dtUrWQOd2Vh/s0fBJfIGUdLeLgt5itvaD5QywY6lN9Rsx++BUN0rrwUu/uF42KOMC7wjHdSv07CYuDfvlFZItuIo5eWlfcEq9+p6/VwUXY0TU3M6Ex+mABT5XK67tnLuh/SoHUl+DA=,iv:12sa+wFdO5T7pZrLM3mnEwoJ0WmXZZLKpucEgMYQHMI=,tag:zZEz6+vTma6KDMwXi/fNZA==,type:str]
|
mac: ENC[AES256_GCM,data:DiSYji+n9XdsUVJZzrXT9RmoQ+WNvkBB9CPxAGbVbFlPgVD4c4FUrGOruCMNK6G4PdLYBz2/YW3zi4fTwFK7VbJqhaaPKH/hLlCBQuXjYUmsfurWloRVUiuusbiA0yA5DYQ5+93mc+jN8xyDn3cOXzdxy/e8/cAH82AS8kKg1aM=,iv:6X+8ae0V/McmdIc0BXSSEO4cNfSQODtYbKaejK4p70k=,tag:ra2M9ARAxZo1a1FnsZVBug==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|