From d6a451b6c5f7707f0bba9a32df1e4371bf8037d3 Mon Sep 17 00:00:00 2001 From: materus Date: Fri, 19 Apr 2024 18:28:40 +0200 Subject: [PATCH] materusPC: add wireguard config to networkmanager --- configurations/host/materusPC/network.nix | 37 ++++++++++++++++-- .../host/materusPC/secrets/default.nix | 1 + .../host/materusPC/secrets/secrets.yaml | 5 ++- .../profile/common/private/default.nix | Bin 758 -> 942 bytes 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/configurations/host/materusPC/network.nix b/configurations/host/materusPC/network.nix index 35eb6f5..10a0a56 100644 --- a/configurations/host/materusPC/network.nix +++ b/configurations/host/materusPC/network.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, materusArg, ... }: { networking.useDHCP = lib.mkDefault true; networking.hostName = "materusPC"; @@ -13,6 +13,37 @@ [connectivity] uri=http://nmcheck.gnome.org/check_network_status.txt ''; - - + sops.templates."networkmanager.env".content = '' + WIREGUARD_PRIVATEKEY="${config.sops.placeholder.wireguard}" + ''; + networking.networkmanager.ensureProfiles.environmentFiles = [ + config.sops.templates."networkmanager.env".path + ]; + networking.networkmanager.ensureProfiles.profiles = { + wg0 = { + connection = { + id = "wg0"; + type = "wireguard"; + interface-name = "wg0"; + }; + wireguard = { + private-key = "$WIREGUARD_PRIVATEKEY"; + }; + "wireguard-peer.${materusArg.wireguard.pubKeys.valkyrie}" = { + endpoint = "${materusArg.ips.valkyrie}:${materusArg.wireguard.port}"; + allowed-ips = "${materusArg.ip-masks.wireguard.general};"; + }; + ipv4 = { + address1 = "${materusArg.ips.wireguard.materusPC}/23"; + dns = "${materusArg.ips.wireguard.valkyrie};"; + method = "manual"; + never-default = "true"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + method = "disabled"; + }; + proxy = { }; + }; + }; } 
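Review bot: The `private-key = "$WIREGUARD_PRIVATEKEY";` line in the `wireguard` section of the new `wg0` profile is a literal placeholder rather than a Nix interpolation, and nothing in the hunk says so. It is presumably filled in from the sops-rendered `networkmanager.env` when the profile is written, which is what keeps the key out of the world-readable Nix store. I would add a comment above it such as `# literal $VAR, substituted from the sops env file at runtime; do not interpolate the key in Nix or it lands in the store`, so a later cleanup does not turn it into `${...}`. Separately, `address1` hard-codes `/23` while `allowed-ips` takes its range from `materusArg.ip-masks.wireguard.general`. The `materusArg` definitions are not visible in this patch, so it is worth checking that the two agree, or deriving the prefix length from the same place.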
diff --git a/configurations/host/materusPC/secrets/default.nix b/configurations/host/materusPC/secrets/default.nix index 72df330..0f5657e 100644 --- a/configurations/host/materusPC/secrets/default.nix +++ b/configurations/host/materusPC/secrets/default.nix @@ -10,6 +10,7 @@ sops.gnupg.sshKeyPaths = [ ]; sops.defaultSopsFile = materusCfg.hostPath + "/secrets/secrets.yaml"; sops.secrets."users/materus" = { }; + sops.secrets.wireguard = { }; services.openssh.hostKeys = [ { diff --git a/configurations/host/materusPC/secrets/secrets.yaml b/configurations/host/materusPC/secrets/secrets.yaml index 7d32540..3840ce5 100644 --- a/configurations/host/materusPC/secrets/secrets.yaml +++ b/configurations/host/materusPC/secrets/secrets.yaml @@ -1,6 +1,7 @@ users: materus: ENC[AES256_GCM,data:okqSgMvdFq1BMAg+Gs725zaNbeAQIpJKSPB2Sa83i3EYimphZNBtrJLen+gQEGNq4yeTyAc9Ih/hcnr+3z+Tea/g9ffh/UC4YA==,iv:OhKoWLREAqCbtmS3Rw9nE9+PtcBLwEHimJXcj4oejRA=,tag:Ht/SQSwumnQR6E45Pl47AQ==,type:str] root: ENC[AES256_GCM,data:vnPjK+xayk/Zk895rERYAeCzpjv5NJ7EAyK4MRDUzDbW++4Dy+UEI81v1v7w9dfpDeL+x5kOqUFO5zVVDUGfZ3yf/l8M8N8KcA==,iv:gGFGcy3K27nQxn0+7I/t0kg3nZyXeGWqysOl2auZJXo=,tag:N+LYhKpPCbI1EjEBwxuh1g==,type:str] +wireguard: ENC[AES256_GCM,data:rBkftzBcdamhP0xZB3qxfLptL8bX1qc7SdcfPNpYV67TeQs6i79+5KB/da4=,iv:22J5SZbFtYco7iSHvD2GD1bcazfGWlyEJ2isa3Ab4bI=,tag:BeUn9Srl2vyoDgK5Xv0UCg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,8 +17,8 @@ sops: dWVzbzUyakxXUGpTQjNsYzcyVG1aRDgKXVa8tIAbmggw1vSt3NJYRLgXhbagpNrX RNXyndPaeQXVPVXuJWmHgRCYbwPTcfAFpGwFlX2IxVLlmC914Zklhw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-03T01:46:25Z" - mac: ENC[AES256_GCM,data:6YlLYKUzG2rorS22B6s4P6wJHCU1BWfEazXoEfEITB/qe3Ek3ITafX+RZI7pYLMiatIt9GHPb3YzDt6tOb91EakodC9pBTmW1E6NRzCZDr96nBQ+oIEmGBOOBwq/ysAeJRga0Sz5Xfx6rjRVCTARSLOmbouW5EF/bCKFVowgPYU=,iv:iZkBEIXreVic57ishmziIDNw6H6cNqA32ZxjTa8mjzA=,tag:ws3bj3T4xEGlq7YoB4RH1A==,type:str] + lastmodified: "2024-04-19T15:58:46Z" + mac: ENC[AES256_GCM,data:BLa0G3ci8EWH43UkLI2OoFJp2F9YeuKDrg6+2I/bq/lLi/YUitkJvBkA9VSIbvCyYWs/5SlEL5MayX8iiVdJ7r9bCiw+LVsWNAdaYDCafbZRW5F7KiHS5WXV3v4c201kFok7rmnRhEfKfdDxLlQ/mFHqOhupHU/qCNMTuUzJBiA=,iv:EPRoXHVMB6I16lTFJdFVAuSnMD/B55fPYtSBOQddutE=,tag:gohg+BdRlMPAQmNpRdk8sg==,type:str] pgp: - created_at: "2024-03-02T22:10:50Z" enc: |- 
diff --git a/configurations/profile/common/private/default.nix b/configurations/profile/common/private/default.nix index 405e2408ff572e66e953c07613a4d410ca318b85..3805ae6139cbc225ae946467dc9ec0b920551cef 100644 GIT binary patch literal 942 zcmV;f15x|{M@dveQdv+`0Gn@>;LKEs-_Bn>@E07jX{JfJGQqMf!OkIa`I0kd&c9L# zw|(FSoxEl%$Nj6uKuAHe78z2K$ zjfLH3_}N}apL6&K;}FGYEy*65AO{Z)Q5YSu+>10&g(Et;EV4g5!Nx+C=A%y7ZzTRJ z`Meq#tz`90Baqwo-L&&1{qz*)C%mjcS|&5J@p*cPimWu(thfe}^tlVF9YGvp`?6g) zt#jDKGmi&0EVI8C1-&@(M`mB<;#owkm=_6+rVZVsjcCe9!|xm6y3P+DmhzJ6E;U0lm`$E5nAz^?#9ci@Qj_k7 zC9<`3esyUMII=1%J7c!?;pFrxsXgA064!ub+NF0f5#;~4y<8>{kzQKPOfB*bI7H0z z1LLU)g_jKsK7kt>926RND?U;{z4uEC0y=r8*41MC7o=h=fw;M6+9DqNSRwuaO_8>A zS|{UxgvlgFjTsf#>XwLjOp=u==x<8viOdcsVyt}8(Uc9#QNRo z>%MA>uFAf5wrr5X$f7y-r1D~ik!RYuh59huC2tY8LP`h7BqoLa10>A$iACtugY zT65=g9{W~@Q#ZPR?LOOn>`+K4g2>Ez^vKbi=wZKssA$`}gd-i*)=l>`1EGCHo5@YU zV+Tv1Pu|xu{?GZ&eo*VW??#leH*P#z^T+tXBflD>gJLqk0Ru9~5_298kA?zP&Ug-@Z@g6wIi`J36ghF0W>ygaP2h>_ zw=o@|KV=@Zo3q%8d*Q{Yg5;lfY56jZ4ix*%A&ibyN}_WfXkHE?GDAr13xy$ji>H)l Q27CN%{KM0g6lw~aHNR!eIRF3v literal 758 zcmVR$3_zB5j&2&?$g^ZKZoE;Wu2e;m3Jy57Wma0 zMEO+kuvJIm{K<(g&(#@VgYm!J4eUs~9Oy~&fhU^ArxKLE6w4uh3xc{P2?9yw;;#wF z&r@ZjFVE=r8u?B-z{4xi_M+Pnif!U31j~y6_6y`z~^e!7qNnXLHD*V5<)W6aes21@}{-2 zufHkXRK1FM24F#XjjzS#3W^Z^sKz%4t4iDa0eFrwgEsD3P*}8_4+h| zHaf|Q3B9OHl_62Wj9bXeZf{oDg}kC5PORqkH~mIZi}=Hc2&K-*NBf!Ez{o|LzYbId z2wrt!Lp<|{nef+O-!jbFoZbURJ%&gLUavZkZ2(U_mnd6uTZi^x&4bf&~O#gag_AnLXzEec9^?TX_jMAPQf@DmiS%IwPA%6a%-mwarcTnql