dala/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

camelot: Add wireguard conf and route deluge traffic

Browse source
This commit is contained in:
Victor Mignot 2023-12-10 21:09:53 +01:00
parent a8c45045ea
commit 2df8047d36
Signed by: dala
GPG key ID: 5E7F2CE1BEAFED3D
5 changed files with 136 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
.sops.yaml
View file

@ -1,13 +1,29 @@
keys: keys:
- &london_system age1rr2u4kk5jc0zk5mmgcfzlddzz82u9ldqwnd2mkcspnps7pzegsms7fys7u - &london_system age1rr2u4kk5jc0zk5mmgcfzlddzz82u9ldqwnd2mkcspnps7pzegsms7fys7u
- &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7 - &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7
- &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
- &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
creation_rules: creation_rules:
# London
- path_regex: configurations/london/secrets/secrets.yaml$ - path_regex: configurations/london/secrets/secrets.yaml$
key_groups: key_groups:
- age: - age:
- *london_system - *london_system
pgp:
- *pgp_dala
- path_regex: configurations/london/secrets/users/dala.yaml$ - path_regex: configurations/london/secrets/users/dala.yaml$
key_groups: key_groups:
- age: - age:
- *london_dala - *london_dala
pgp:
- *pgp_dala
# Camelot
- path_regex: configurations/camelot/secrets/secrets.yaml$
key_groups:
- age:
- *camelot_system
pgp:
- *pgp_dala

13
configurations/camelot/default.nix
View file

@ -28,6 +28,7 @@
imports = [ imports = [
./jellyfin.nix ./jellyfin.nix
./wireguard.nix
]; ];
swapDeviceUUID = "a7c628ab-c5cb-4094-89d0-19b153fbead4"; swapDeviceUUID = "a7c628ab-c5cb-4094-89d0-19b153fbead4";
@ -43,6 +44,18 @@
hwAccelerationGPU = "intel"; hwAccelerationGPU = "intel";
/* System secrets */
sops = {
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ ];
keyFile = "/var/lib/sops-nix/key.txt";
};
defaultSopsFile = ./secrets/secrets.yaml;
secrets.wg0_private = { };
secrets.wg1_private = { };
};
machineUsers = { machineUsers = {
dala = { dala = {
description = "Dala"; description = "Dala";

7
configurations/camelot/jellyfin.nix
View file

@ -1,4 +1,4 @@
{ pkgs, extraInfo, ... }: { extraInfo, ... }:
{ {
services.jellyfin.enable = true; services.jellyfin.enable = true;
services.nginx.virtualHosts.${extraInfo.jellyfinURI} = { services.nginx.virtualHosts.${extraInfo.jellyfinURI} = {
@ -32,4 +32,9 @@
enable = true; enable = true;
web.enable = true; web.enable = true;
}; };
systemd.services.deluged.bindsTo = [ "wireguard-wg1.service" ];
systemd.services.deluged.requires = [ "network-online.target" ];
systemd.services.deluged.serviceConfig.NetworkNamespacePath = "/var/run/netns/wg1ns";
systemd.services.deluged.serviceConfig.PrivateNetwork = true;
} }

34
configurations/camelot/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,34 @@
wg0_private: ENC[AES256_GCM,data:nuHHAwi+l9BQ8oJupm+i47EbfFc62QZXDeATeE+23RAEq/grJ/bN6sTn/o4=,iv:hZQAvvcCe2DOTvM1mABB26PsEqw8jpQUNhGbBaK/l0I=,tag:9VMaJys4IzelbBdCDuiy0Q==,type:str]
wg1_private: ENC[AES256_GCM,data:Ly3C3TQB2Aul40m/wk+mr5C2zviMhiNFfqTHknjJ4v4V09XA0XeyHtHo0ro=,iv:ph3vEIuI3F3B3eHLtu8Kfwv9Z7DdC2c+qphDn+Vn+CM=,tag:ntISjElZZB0PHtwC0mi+AA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa1NFWmk3TUdLMTF2RHVX
K2EvSDlNSFdDZ0dOMlNHOFErOGlBUGxrSjJNClV2NS9ZQVVxWTAycWJFeE9oc3Ux
NUxDS010azIxV1ZWR2dkdEtWUU1uTGMKLS0tIHA0cWg0ekNPSVdzVlFRMkZqb1VB
b00xT3ZHWTJBNFlUbTUrRjlVV0FoM1UKtfWg4R4Y28r2w8MYp1B1yhFEOBT8rEkz
P5qEP0p1i/zXlglaxxXTiQSuloG1Fwi2l5VGrhm6Hse07u3fEmS2VQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-10T17:25:27Z"
mac: ENC[AES256_GCM,data:JRk9QRRq0+UxenGSm2qwLZ+dJmCPG7QROCfmyByaOpdxOIi6CQQV03vHUPx50mTj4VeeAYAa/2LVWiot37kkQ/W8XzPJowG9f6iLcqriusU4BorAVEHwv0q4Pa9Wf8f+CbqALCwxdUAK9ehXl6TGzbiaqiENWXI4reMIovDKdnI=,iv:OWni9uRrAUFKeJAWMVbN6P4MFumoR13r75GZS7f+gE8=,tag:hAytWM5OvGa0Tg1vv+vqpA==,type:str]
pgp:
- created_at: "2023-12-10T17:24:42Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4D0ZiEKlLM+TsSAQdAh6/VJpfjaEo02UPMjcuLmQpZoCbmJfCULS0c0e5rQRIw
N2jwiFXYCzT50cMS8QpVJqAyb/unMYFas+pJqXUB83hg/eBZ9BeCKcTz/jkH42xa
1GYBCQIQbx5GjfFH7IuGyi9XtFE93UmwLVGLcD2J2uM7iDRR+cuFfiPXHHvP4eNA
Q3eRDwZWQQznDfcBfzMo6bF2IvmVBGC8cPzFNYjkVJGX0gP564DWJm4+ByZthhwW
UfQcyCKBYEI=
=zjUa
-----END PGP MESSAGE-----
fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
unencrypted_suffix: _unencrypted
version: 3.7.3

67
configurations/camelot/wireguard.nix Normal file
View file

@ -0,0 +1,67 @@
{ config, pkgs, extraInfo, ... }:
{
networking.firewall.allowedUDPPorts = [
51821
];
/* Wireguard */
networking.wireguard.interfaces.wg0 = {
ips = [ "10.100.0.6/24" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
peers = [
# Rock Pro 64
{
publicKey = "XVmG3/rNsCqc8KCmOx3+UUn9DJOnJ40Uxid5JGdChR4=";
endpoint = "${extraInfo.wireguard.rockProEndpoint}:51820";
allowedIPs = [ "10.100.0.1" ];
persistentKeepalive = 25;
}
# london
{
publicKey = "AvW61c9iSO0NiMrXpPsdeWigTO3JTCadqY5Wq5xLPH8=";
allowedIPs = [ "10.100.0.4" ];
}
# fuyuki
{
publicKey = "maCF41/gOh5p0BBgOh0x9S/ourGSM7qrFfEgmB+XGHY=";
allowedIPs = [ "10.100.0.3" ];
}
# Mobile
{
publicKey = "JoW+Iwysip46WWKJINneXWWG2YszzKEKlI3dW4SIjg0=";
allowedIPs = [ "10.100.0.5" ];
}
];
};
networking.wireguard.interfaces.wg1 = {
ips = [ "10.100.1.1" ];
listenPort = 51821;
privateKeyFile = config.sops.secrets.wg1_private.path;
interfaceNamespace = "wg1ns";
preSetup = ''
ip netns add wg1ns
'';
postShutdown = ''
ip netns del wg1ns
'';
peers = [
{
publicKey = "T0BlFaNi01Cu7sZkoJH4CtKLagTgoK1NZ6Qdt0pL7kQ=";
endpoint = "${extraInfo.wireguard.VPSEndpoint}:51821";
allowedIPs = [ "0.0.0.0/0" ];
persistentKeepalive = 25;
}
];
};
}