WIP: add router0-nfmnk and connect router0-dmz0 via wg

2024-05-25 21:23:43 +02:00 · 2024-05-25 21:23:43 +02:00 · cdf973208f
commit cdf973208f
parent f0c4b67ecb
12 changed files with 686 additions and 60 deletions
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -211,6 +211,7 @@ in {
            vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
            # lan.ipv4Addresses = ["192.168.0.0/16"];
            wan.interfaces = ["wan" "lan0"];
+            wg.interfaces = ["wg0"];
          }
          //
          # generate a zone for each vlan
@ -342,9 +343,40 @@ in {
    };
  };

+  sops.secrets.wg0-privatekey = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg1-privatekey = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg0-peer0-psk = {
+    mode = "440";
+    group = "systemd-network";
+  };
+  sops.secrets.wg1-peer0-psk = {
+    mode = "440";
+    group = "systemd-network";
+  };
+
  systemd.network = {
    wait-online.anyInterface = true;
-    netdevs =
+    netdevs = let
+      router0-nmfk_wgEndpoint = "${repoFlake.colmena.router0-nfmnk.deployment.targetHost}:${
+        builtins.toString
+        repoFlake
+        .nixosConfigurations
+        .router0-nfmnk
+        .config
+        .systemd
+        .network
+        .netdevs
+        .wg0
+        .wireguardConfig
+        .ListenPort
+      }";
+    in
      {
        # Create the bridge interface
        "20-${bridgeInterfaceName}" = {
@ -361,6 +393,54 @@ in {
            DefaultPVID=0
          '';
        };
+
+        wg0 = {
+          enable = true;
+          netdevConfig = {
+            Name = "wg0";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+          };
+          wireguardPeers = [
+            {
+              wireguardPeerConfig = {
+                AllowedIPs = [
+                  "10.0.0.254/32"
+                ];
+                PersistentKeepalive = 15;
+                PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
+                PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
+                Endpoint = router0-nmfk_wgEndpoint;
+              };
+            }
+          ];
+        };
+
+        # wg1 = {
+        #   enable = true;
+        #   netdevConfig = {
+        #     Name = "wg1";
+        #     Kind = "wireguard";
+        #   };
+        #   wireguardConfig = {
+        #     PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+        #   };
+        #   wireguardPeers = [
+        #     {
+        #       wireguardPeerConfig = {
+        #         AllowedIPs = [
+        #           "10.0.0.254/32"
+        #         ];
+        #         PersistentKeepalive = 15;
+        #         PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+        #         PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=";
+        #         Endpoint = "${router0-nmfk_variables.ipv4}:51820";
+        #       };
+        #     }
+        #   ];
+        # };
      }
      # generate the vlan devices. these will be tagged on the main bridge
      // builtins.foldl'
@ -509,6 +589,21 @@ in {
            vlanRange
          );
        };
+
+        "50-wg0" = {
+          enable = true;
+          matchConfig.Name = "wg0";
+          address = [
+            "10.0.0.1/24"
+          ];
+        };
+        # "50-wg1" = {
+        #   enable = true;
+        #   matchConfig.Name = "wg1";
+        #   address = [
+        #     "10.0.0.2/24"
+        #   ];
+        # };
      }
      # configuration for the hostapd dynamic interfaces
      # * netdev type vlan