forked from kalipso/infrastructure
[docs] add vpn documentation
@@ -14,7 +14,7 @@
- [How-to]()
- [Create New Host](./anleitung/create.md)
- [Sops](./anleitung/sops.md)
- [Wireguard](./anleitung/wireguard.md)
- [MaloVPN](./anleitung/wireguard.md)
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md)
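Review bot: the new MaloVPN entry links to `./anleitung/wireguard.md`, the same target as the Wireguard entry directly above it, so the index now carries two entries for one page. If MaloVPN is meant to live inside wireguard.md (the second hunk adds a `# MaloVPN` heading there), one entry is enough; if it is meant to be its own how-to, give it its own file and point the link there. Unchanged in this hunk, but worth fixing while touching the list: `- [How-to]()` still has an empty link target.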
@@ -1,11 +1,55 @@
# Wireguard
Running on the raspberry pi
# MaloVPN
Running in the cloud. To let a host access the VPN you need to do the following:
- generate a wireguard keypair
- add the host to ./machines/modules/malobeo/peers.nix
- enable the malovpn module on the host
- Create new keys
- Enter nix shell for wg commands `nix-shell -p wireguard-tools`
- New private key `wg genkey > secrets/keys/wireguard/example.key`
- Encrypt with `sops -e -i secrets/keys/wireguard/example.key`
- commit keys only after encrypting
- Decrypt to stdout `sops -d secrets/keys/wireguard/example.key`
- Decrypt for use on a client `sops -d secrets/keys/wireguard/private.key > /tmp/private.key`
- Display public key `sops -d secrets/keys/wireguard/example.key | wg pubkey`
## Generate Wireguard keys
Enter nix shell for wg commands `nix-shell -p wireguard-tools`
```bash
umask 077
wg genkey > wg.private
wg pubkey < wg.private > wg.pub
```
Now you have a private/public keypair. Add the private key to the hosts sops secrets if you like.
## Add host to peers.nix
peers.nix is a central 'registry' of all the hosts in the vpn. Any host added here will be added to the vpn servers peerlist allowing it to access the VPN. This allows us to controll who gets access by this repository.
- Add your host to /machines/modules/malobeo/peers.nix
- Set the role to "client"
- choose a ip address as 'address' that is not taken already
- set allowedIPs as the others, except we want to limit this host to only access certain peers
- Add your public Key here as string
After that commit your changes and either open a PR or push directly to master
Example:
```nix
"celine" = {
role = "client";
address = [ "10.100.0.2/24" ];
allowedIPs = [ "10.100.0.0/24" ];
publicKey = "Jgx82tSOmZJS4sm1o8Eci9ahaQdQir2PLq9dBqsWZw4=";
};
```
## Enable MaloVPN on Host
Either you configure wireguard manually or use the malobeo vpn module
The 'name' must match your hosts name in peers.nix:
```nix
sops.secrets.private_key = {};
imports = [
malobeo.nixosModules.malobeo.vpn
];
services.malobeo.vpn = {
enable = true;
name = "celine";
privateKeyFile = config.sops.secrets.private_key.path;
};
```
After a rebuild-switch you should be able to ping the vpn server 10.100.0.1.
If the peers.nix file just was commited shortly before it may take a while till the vpn server updated its peerlist.
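Review bot: the "Decrypt for use on a client" step (`sops -d secrets/keys/wireguard/private.key > /tmp/private.key`) writes the plaintext WireGuard private key into a world-readable directory with no `umask`, while the `## Generate Wireguard keys` block below does set `umask 077`, and the `## Enable MaloVPN on Host` section already hands the key to the module via `config.sops.secrets.private_key.path`; either drop the `/tmp` step or make it write to a mode-600 file in a non-shared location. The key-generation steps are also described twice with different paths and names (`secrets/keys/wireguard/example.key` in the bullet list, `wg.private`/`wg.pub` in the fenced block, `private.key` in the client step), and `wg genkey > secrets/keys/wireguard/example.key` lands an unencrypted key inside the repository tree before `sops -e -i` runs; consolidating on one flow (generate with `umask 077` outside the tree, then encrypt into `secrets/`) would remove the ambiguity. In `## Add host to peers.nix`, the bullet says allowedIPs should "limit this host to only access certain peers", but the example uses the full `10.100.0.0/24`, so the example does not show the restriction the text asks for. `sops.secrets.private_key = {};` presumes a secret named `private_key` in the host's sops file, yet "Add the private key to the hosts sops secrets if you like" reads as optional even though `privateKeyFile` depends on it; say it is required and name the secret. Minor: "controll" → "control", "commited" → "committed", "hosts" → "host's", "a ip address" → "an IP address", "till" → "until".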