From f6bd56d583dd1506f1a60501fd4fbd80023c6bba Mon Sep 17 00:00:00 2001 From: kalipso Date: Sat, 15 Nov 2025 13:11:32 +0100 Subject: [PATCH] [fanny] setup initrd wireguard --- machines/fanny/configuration.nix | 28 ++++++++++++++++++++++++++++ machines/modules/malobeo/peers.nix | 8 ++++++++ 2 files changed, 36 insertions(+) diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 0a98325..c09cff5 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -1,6 +1,7 @@ { inputs, config, ... }: let sshKeys = import ../ssh_keys.nix; + peers = import ../modules/malobeo/peers.nix; in { sops.defaultSopsFile = ./secrets.yaml; @@ -87,6 +88,33 @@ in ethernetDrivers = ["r8169"]; }; + boot.initrd = { + availableKernelModules = [ "wireguard" ]; + systemd = { + enable = true; + network = { + enable = true; + netdevs."30-wg-initrd" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg-initrd"; + }; + wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; }; + wireguardPeers = [{ + AllowedIPs = peers.fanny-initrd.allowedIPs; + PublicKey = peers.fanny-initrd.publicKey; + Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}"; + PersistentKeepalive = 25; + }]; + }; + networks."30-wg-initrd" = { + name = "wg-initrd"; + addresses = [{ Address = peers.fanny-initrd.address; }]; + }; + }; + }; + }; + services.malobeo.vpn = { enable = true; name = "fanny"; diff --git a/machines/modules/malobeo/peers.nix b/machines/modules/malobeo/peers.nix index 070e13f..9db619e 100644 --- a/machines/modules/malobeo/peers.nix +++ b/machines/modules/malobeo/peers.nix @@ -44,6 +44,14 @@ publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU="; }; + "fanny-initrd" = { + role = "client"; + address = "10.100.0.102"; + allowedIPs = [ "10.100.0.102/32" ]; + #TODO: UPDATE + publicKey = "3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU="; + }; + "backup0" = { role = "client"; address = "10.100.0.20";
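Review bot: In the `wireguardPeers` entry of `netdevs."30-wg-initrd"`, `PublicKey` and `AllowedIPs` are read from `peers.fanny-initrd`, which is this host's own initrd identity, while `Endpoint` points at `peers.vpn`. A WireGuard peer section describes the remote side, so as written the handshake with the VPN endpoint would presumably fail to authenticate, and only `10.100.0.102/32` would be routed into the tunnel. The entry should carry the server's key and the tunnel range, e.g. `PublicKey = peers.vpn.publicKey;` with `AllowedIPs` set to the VPN subnet, assuming the `vpn` entry in peers.nix exposes a `publicKey` like the other peers. Nothing in this hunk places `/etc/secrets/30-wg-initrd.key` into the initrd (for example via `boot.initrd.secrets`). If that is done elsewhere, add a comment such as `# key is embedded in the initrd, which is typically stored unencrypted; use a key dedicated to this stage`.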
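Review bot: The new `"fanny-initrd"` entry in peers.nix reuses the `publicKey` value of the entry directly above it (`3U59F6T1s/1LaZBIa6wB0qsVuO6pRR9jfYZJIH2piAU=`), flagged only by `#TODO: UPDATE`. WireGuard identifies peers by public key, so if both entries end up in the server's peer list they cannot be told apart, and `10.100.0.102` becomes tied to whoever holds the other peer's private key rather than to a dedicated initrd key. Generate a separate keypair for the initrd stage and commit its public key here before deploying. Until then, a comment such as `# PLACEHOLDER: copied from the previous peer; replace with the initrd public key before deploy` is clearer than the bare TODO.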