kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:microvm-dirs
Branches Tags
kalipso:master kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
...
compare: kalipso:2f419a99d7af8a1b1b1592ddd72ae43580d68286
Branches Tags
kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

3 Commits
microvm-di ... 2f419a99d7

Author SHA1 Message Date
ahtlon
2f419a99d7 Documentation for wireguard key creation
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m27s
Details
Evaluate Hydra Jobs / eval-hydra-jobs (pull_request) Successful in 2m28s
Details
2024-11-14 19:57:05 +01:00
ahtlon
60e5056556 add secrets 2024-11-14 19:28:58 +01:00
ahtlon
4e2bf9a51f add wireguard module from wiki and prepare sops 2024-11-14 19:28:40 +01:00
7 changed files with 109 additions and 3 deletions
Expand all files Collapse all files

1
doc/src/SUMMARY.md
View File

@@ -12,5 +12,6 @@
- [musik](./projekte/musik.md)
- [TODO](./todo.md)
- [How-to]()
- [Wireguard](./anleitung/wireguard.md)
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)

11
doc/src/anleitung/wireguard.md Normal file
View File

@@ -0,0 +1,11 @@
# Wireguard
Running on the raspberry pi
- Create new keys
- Enter nix shell for wg commands `nix-shell -p wireguard-tools`
- New private key `wg genkey > secrets/keys/wireguard/example.key`
- Encrypt with `sops -e -i secrets/keys/wireguard/example.key`
- commit keys only after encrypting
- Decrypt to stdout `sops -d secrets/keys/wireguard/example.key`
- Decrypt for use on a client `sops -d secrets/keys/wireguard/private.key > /tmp/private.key`
- Display public key `sops -d secrets/keys/wireguard/example.key | wg pubkey`

7
machines/.sops.yaml
View File

@@ -34,3 +34,10 @@ creation_rules:
- *machine_durruti
age:
- *admin_atlan
- path_regex: secrets/keys/wireguard/.*
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
age:
- *admin_atlan

1
machines/lucia/configuration.nix
View File

@@ -7,6 +7,7 @@ in
imports =
[ # Include the results of the hardware scan.
../modules/malobeo_user.nix
./wireguard.nix
];
sops.defaultSopsFile = ./secrets.yaml;

7
machines/lucia/secrets.yaml
View File

@@ -1,5 +1,6 @@
hello: ENC[AES256_GCM,data:3VuyuX7MaLSmor4W22F3FUCGp8SUq4pE6z5nuiZenH07+zEeMAllVCP6g/j1fQ==,iv:A3Oh99AchsmrkMEb4ZRSIigb8Cr+3WlQtsgyZJGpLY8=,tag:TOHF9BaydkRD6cJAndryTg==,type:str]
njala_api_key: ENC[AES256_GCM,data:qXGngMJaAOk2Gb8B4nwMTht9Vp/OEhGmKS5vh1kpi0MyqcsmwuwpWuUz+RWD6NDFn2w/35M=,iv:lsZyCrmcT1xJcLjzK4zkcRYmbKUeLUFYZ7oDfCVJV8c=,tag:WK+aF3XGBRDQuvL87Qdusw==,type:str]
wireguard_private: ENC[AES256_GCM,data:ZxGbYLQKvrPibLpId+xbvqphlcgm/U5Se9XMS4FogmY4HfJnh9Y4Ja/x20I=,iv:PnZjiyKk1XuIq5/NLtOdWh20ytDEMYM7LJqmCoSrD0s=,tag:CZErG28Lo3aiQGovxEeZtA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -15,8 +16,8 @@ sops:
aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-24T15:09:51Z"
mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
lastmodified: "2024-11-14T18:10:54Z"
mac: ENC[AES256_GCM,data:DPQsRraMAvoezHsA7uM8q8sEevnZRnpU1vydEL72r6KJj12dT58KXCTuUeNgD+320LE1i83k6HLdM9C/+uniu73Ba5JSwglLLDBkZpfsdCde0aqkGjQd/RF/0Vb8ZbE/KCCCMVOjT6hX6RSDSEujoRMY26n1CWYtPeivqpWb5NY=,iv:TarRTCyPRoyQEb3qoXAJcOYtrTtftyZO4ahkyTZT8qU=,tag:A0kqa1szfk6Z5etivjB/lA==,type:str]
pgp:
- created_at: "2024-11-14T13:02:46Z"
enc: |-
@@ -77,4 +78,4 @@ sops:
-----END PGP MESSAGE-----
fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.8.1

54
machines/lucia/wireguard.nix Normal file
View File

@@ -0,0 +1,54 @@
{config, pkgs, ...}:
{
# enable NAT
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ 51820 ];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
wg0 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
ips = [ "10.100.0.1/24" ];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51820;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# This undoes the above command
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
# Path to the private key file.
#
# Note: The private key can also be included inline via the privateKey option,
# but this makes the private key world-readable; thus, using privateKeyFile is
# recommended.
privateKey = config.sops.secrets.wireguard_private.path;
peers = [
# List of allowed peers.
{ # Feel free to give a meaningfull name
# Public key of the peer (not a file path).
publicKey = "SfokXbgmvSmodgPFoVHjwmHE3nriQ3OTQ+hISU/3eW4=";
# To decrypt the private key to use
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
}

31
machines/secrets/keys/wireguard/private.key Normal file
View File

@@ -0,0 +1,31 @@
{
"data": "ENC[AES256_GCM,data:MJnybSouJW9QcWks/6fBgYXhM1zREa76FDVh0vGF9LwffY4ceLMQpOsFXEN7,iv:z0H0r6VSXy92uiS9bGXL5KxqiA3jqAiAgAH5KMxppsE=,tag:RKwFFHgv+tnIlKRTyV68Ww==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRlRzcldvSVkxV3VSeDBF\nRG9KK2NzYmtPWXE3a1JPN3NMRlJtbnJML0hzCmNTT0JFMTR6SDl0WVNBNk50VmdZ\nYi9pQU9FQW9qQ3NZdTM5T3FDcjNUQXMKLS0tIEpBcFhtbFMrbWlRYVdPSXpYM0xp\neW5MZ3dOYmphYXk2Tjh2Rk8xOGRkSGMKOLVuj75jqZeZ0SS1iHDRLONLbJ/UQXfO\nEN1ZhYXq7u5s+wKidmGoFVHWFAxM0O3kXaAQAHws4ttP0v6YqeSuBg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-11-14T18:24:30Z",
"mac": "ENC[AES256_GCM,data:1sVhca19IbHJUv+qfkn+cJXjYIaXLX12S9N3QvDUoeUSTT4m2GxArKjvKJSpmc3KZCbOwpF1TObHjDs88pqsCxkzl7J9TSu4EgESRfSUy0lRhIveN/38wvEGI/0yNZXwFisB0nNpPbwAUp4JUZnfcqihlDINbVCw7mzVShHlnvU=,iv:J7/9uhlisRJUkqEFeO9aBRX5rgv0392DCuF5Yu1a5gI=,tag:sd0eoBkxns2pitnMZWvPzQ==,type:str]",
"pgp": [
{
"created_at": "2024-11-14T18:24:30Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQGMA5HdvEwzh/H7AQv/cFzlEwHCdmrKutzeJHOVANtF93aunkV89avpcjNtxjKJ\nzWeDrxZPIhApRsS0Q5kvuYbplwJbDPDbQlDeRsAzZbGVzXisDEYVSLbSEDX253fV\npDoD3MdBU/syMus0x7gSulT288Ije5lY76kBoqrzzsDG1RbHHeQMBP4hrLrFdQhh\nlCtjXJHMPlxR+bsTLhmKFUl6UWA22QeevhIU2VSTU7ROgcE6qRAknJLVVhTBhHmB\nkm2JpTQuM6Vhq+zIYDgLegV2fOiOW9O6ONsUt5N/jQYFSj2T4WL5Wnix/bxVg6vL\nkAto2cO1GsRBRH994AUWq4h5dwYWUCafYkXMILCQmMy81YftAPiAoCTUBsc6DSJ1\nV+gr4G3wLetwY2DdM8HN2Cru49PI923aOtKztjX8+r/w22RZl99INY5F/RP6NAYA\nLCEdw9LlW6Ctct1B6JU+JlCdJ/FW2Q9RMazw9wF4ZCg0AfqC/tLW9ETZF0cRYmA5\nH9LJJIxjNyizlGoJ7p780lgBDNBJD2v3ST5ESJ9TctQLS2XBWHtgskW1rPaCxrVX\nrgE/0PUnqxofOLofu4ktKOxtutYOqyVeP6Tvr0TLLEjwikgZ92LxqMx5dW6h46rL\nUjGuKKBz7FyA\n=UMiq\n-----END PGP MESSAGE-----",
"fp": "c4639370c41133a738f643a591ddbc4c3387f1fb"
},
{
"created_at": "2024-11-14T18:24:30Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMA98TrrsQEbXUAQ//eu/1ioAXlJ2Po2xQ8xQ4HYTQqsMF0lWijN3kv4cH1w+W\nvnQRjB86do4L4DnZz66DDbjHClauLNeuDkYL1ejvetMtENp7KKT8LRJCH4X53eko\ngw6xAYXA8X6e3shM6eFOYIW97pbGQSlfzuh7IbAPZjEuV2ov67sxmWkd9ZJPxw+E\nn2dd/mxw96NM76o8WclwL/W1qrrIqydCJiBtqL09I2z9j9bJ4AxMWTB0kjpJZK4U\nNo5Hk6OwL3C6a3q0xfO0DIb3fy5O7VSwl7AuiRjGxclqy4mH+L9DBS0ONMjguTlo\n+yGZoJi7vaWNvVVW0U9RBEJyCjX6iYje5/gWlWXaMlyIubuOGFy5iXQOSMXk6589\niNcz+ouGAvK6Jy19zo+SQtvmUki+SSRGEzUbx85R13Hz3E5TTlq7wONsgZE4EqqM\ny/6OMCGOvHOzJyWMdKCJ+7DzWzKyQNGWco57hczX74iPGhlH7XfNa3Q0292qziT5\nVFnONWGgN7PLa6rJXOAsxPNlgH5Qbdi2XBgBso8rlAYUXTmKtK/5cDN3rDtRbzgX\nVDu64snQJvGOEKwgv/UXybMRe8OocuCW6zFQDjJMaRtEsg2LP2FjVaYzLhDyuDJ6\ntAIoxWMaMSxgGJkd/E45dOQq/oWBVTFKD8ECGORNOy4RCUMs2LHDbhesvo/PzvbS\nWAFsQZCvjXPe+YZmIuMt7MfgX8d/NhGTtGOaNfX3D+orBuhzWmIAAvlAwMrxorFb\ngayWLO7mYRDUw45uudFzJYql+QLGuvcrFP5BYjY5wk17u6cYYQzlNxs=\n=Qlcg\n-----END PGP MESSAGE-----",
"fp": "aef8d6c7e4761fc297cda833df13aebb1011b5d4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
}
}