From 5e0e46fc36181be80fa54b5fd8ad52078f15d4ef Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Wed, 18 Jan 2023 14:47:21 +0000
Subject: [PATCH] feat: I think thats the wireguard config set up

May need to alter it a bit and do more testing when I get in
---
 flake.nix | 4 ++
 machines/ash.nix | 95 ++++++++++++++++++++++++++++++++++++++++++
 secrets/secrets.nix | 6 ++-
 secrets/wireguard.age | Bin 0 -> 516 bytes
 4 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 machines/ash.nix
 create mode 100644 secrets/wireguard.age

diff --git a/flake.nix b/flake.nix
index d7e4a69..5b13255 100644
--- a/flake.nix
+++ b/flake.nix
@@ -92,6 +92,10 @@
 # ns1
 vigil = import ./machines/vigil.nix;
+ # wireguard
+ ash = import ./machines/ash.nix;
+
+
 };
 };
diff --git a/machines/ash.nix b/machines/ash.nix
new file mode 100644
index 0000000..dd8828c
--- /dev/null
+++ b/machines/ash.nix
@@ -0,0 +1,95 @@
+/*
+
+ Name: https://en.wikipedia.org/wiki/Ash_(Alien)
+ Why: Infilitrate into the network
+ Type: VM
+ Hardware: -
+ 
From: 2023
+ Role: Wireguard (VPN) Server
+ Notes: Thius vpn is for admin use only, to give access to all the servers via ssh
+
+*/
+
+{ pkgs, lib, nodes, ... }:
+let
+ # name of the server, sets teh hostname and record for it
+ name = "ash";
+
+ ip_pub = "193.1.99.75";
+ ip_priv = "172.20.20.5";
+ # hostname = "${name}.skynet.ie";
+ hostname = ip_pub;
+
+ # main servers are on 172.20.20.x
+ prefix = "172.20.21";
+
+in {
+ imports = [
+ # applications for this particular server
+ ../applications/firewall.nix
+ ../applications/dns.nix
+ ];
+
+ deployment = {
+ targetHost = hostname;
+ targetPort = 22;
+ targetUser = "root";
+ };
+
+ # these two are to be able to add the rules for firewall and dns
+ # open the firewall for this
+ skynet_firewall.forward = [
+ "ip saddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
+ ];
+
+ skynet_dns.records = {
+ external = [
+ "${name} A ${ip_pub}"
+ ];
+ cname = [
+ #may asw ell add a cname for this
+ "wg CNAME ${name}"
+ ];
+ };
+
+
+ age.secrets.wireguard.file = ../secrets/wireguard.age;
+
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = "eth0";
+ internalInterfaces = ["wg0"];
+ };
+
+ firewall = {
+ allowedTCPPorts = [22];
+ allowedUDPPorts = [51820];
+ interfaces.wg0 = {
+ allowedTCPPorts = [53];
+ allowedUDPPorts = [53];
+ };
+ };
+
+ wireguard.interfaces.wg0 = {
+ # may need to change this to the same base as the full network
+ ips = ["172.20.21.0/24"];
+ listenPort = 51820;
+ privateKeyFile = "/run/agenix/wireguard";
+
+ peers = [
+ { # silver - Brendan
+ publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ=";
+ allowedIPs = [ "172.20.21.2/32" ];
+ }
+ ];
+
+ };
+ };
+
+ environment.systemPackages = [
+ # needed to generate keys
+ pkgs.wireguard-tools
+ ];
+
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 460296e..7168fb2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
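Review bot: The wg0 address `ips = ["172.20.21.0/24"]` gives the server the network address of the /24 rather than a host address, while the peer below is handed `172.20.21.2/32`; the interface should carry a host address such as `ips = ["172.20.21.1/24"];`, and the otherwise unused `prefix` binding from the `let` could build it. The `skynet_firewall.forward` entry matches `ip saddr ${ip_pub}`, i.e. packets whose source is this host's own public address; an inbound WireGuard handshake is identified by its destination, so the match presumably wants `ip daddr ${ip_pub}` — worth confirming against how the firewall module consumes `forward`. `ip_priv` is also bound but never referenced. `firewall.allowedTCPPorts = [22]` opens ssh on every interface although the header says the tunnel exists to reach servers over ssh; `deployment.targetHost = ip_pub` currently depends on that public allowance, so if ash is meant to be managed only through the tunnel later, the 22 entry can move under `interfaces.wg0` once the peer setup is confirmed.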
@@ -6,10 +6,14 @@ let
 # change this when its properly set up
 agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5";
+ ash = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5";
 systems = [
 agentjones
+ ash
 ];
 in {
- #"secret1.age".publicKeys = users ++ systems;
+ # nix run github:ryantm/agenix -- -e secret1.age
+
+ "wireguard.age".publicKeys = users ++ systems;
 }
\ No newline at end of file
diff --git a/secrets/wireguard.age b/secrets/wireguard.age
new file mode 100644
index 0000000000000000000000000000000000000000..c98b7204c95df840b178d6b382976c7ab2e7c20e
GIT binary patch
literal 516
zcmZ|LyNc9M007X1bwN^W;aZ4QP}ydP$<1SCVj)h<&LfkJlkDU*-8_<;WG2r$$>gRK z1kp}d*4oBK`~gA49}oo*Ya8(wwozNbFF0`K(4)L$S>S9Nrpev3fOG{2>OP53KzS=x z5P(QpAlqp@vIee`p2fm=%i&&Kjq5nh&6>d?Y!#?LqUB|&XtkLOT-dN|4SlCHCgIp9 zbM6rj%xTF?%k2qItm_lZn`6_kdXO0ju)}D`&RYE>?_@4JtfD${I&Gdu%;|qLUd?Co zmb1tkG}BpYGT_RBZfLOTHW4QYN}z2qXo*34Fd{01ceNj5@2o4^x|wthASXFpR8zR< zW=a4@Xe)st^4)kQ}N{?cdL3W{|4J2 BttJ2f
literal 0
HcmV?d00001
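Review bot: The new `ash` entry carries exactly the same ssh-ed25519 public key as `agentjones`, so `wireguard.age` is encrypted to a recipient set that, as far as this hunk shows, does not include ash's own host key: agenix on ash would then be unable to decrypt the file into `/run/agenix/wireguard`, while whoever holds the agentjones host key can read the WireGuard private key. The value should be ash's actual host public key (the `ssh_host_ed25519_key.pub` of that VM), after which the existing `wireguard.age` needs re-encrypting with agenix's rekey option so the corrected recipient list applies to the secret already committed here. The `# change this when its properly set up` comment on `agentjones` suggests that key is itself a stand-in, which would leave both systems on a placeholder; the `let` block containing these bindings opens before the hunk.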