Diffstat (limited to 'ops/machines')
-rw-r--r-- | ops/machines/bugry/default.nix | 24 | ||||
-rw-r--r-- | ops/machines/nevsky/default.nix | 27 |
2 files changed, 50 insertions, 1 deletions
diff --git a/ops/machines/bugry/default.nix b/ops/machines/bugry/default.nix index 2f28b39f89ef..fe581b421b96 100644 --- a/ops/machines/bugry/default.nix +++ b/ops/machines/bugry/default.nix @@ -8,6 +8,7 @@ in imports = [ (mod "tvl-cache.nix") (mod "tvl-users.nix") + (depot.third_party.agenix.src + "/modules/age.nix") ]; hardware.cpu.intel.updateMicrocode = true; @@ -81,19 +82,40 @@ in }; }; + age.secrets = { + wg-privkey.file = depot.ops.secrets."wg-bugry.age"; + }; + networking = { hostName = "bugry"; domain = "tvl.fyi"; hostId = "8425e349"; useDHCP = false; - interfaces.enp6s0.ipv6.addresses = [{ + interfaces.enp6s0.ipv4.addresses = [{ address = "91.199.149.239"; prefixLength = 24; }]; defaultGateway = "91.199.149.1"; + wireguard.interfaces.wg-nevsky = { + ips = [ "2a03:6f00:2:514b:5bc7:95ef:0:2/96" ]; + privateKeyFile = "/run/agenix/wg-privkey"; + + peers = [{ + publicKey = "gLyIY+R/YG9S8W8jtqE6pEV6MTyzeUX/PalL6iyvu3g="; # nevsky + endpoint = "188.225.81.75:51820"; + persistentKeepalive = 25; + allowedIPs = [ "::/0" ]; + }]; + + allowedIPsAsRoutes = false; # used as default v6 gateway below + }; + + defaultGateway6.address = "2a03:6f00:2:514b:5bc7:95ef::1"; + defaultGateway6.interface = "wg-nevsky"; + nameservers = [ "8.8.8.8" "8.8.4.4" diff --git a/ops/machines/nevsky/default.nix b/ops/machines/nevsky/default.nix index 2f3a0f7ae246..fd656c058a06 100644 --- a/ops/machines/nevsky/default.nix +++ b/ops/machines/nevsky/default.nix @@ -7,6 +7,7 @@ in { imports = [ (mod "tvl-users.nix") + (depot.third_party.agenix.src + "/modules/age.nix") ]; hardware.cpu.amd.updateMicrocode = true; @@ -83,6 +84,10 @@ in }; }; + age.secrets = { + wg-privkey.file = depot.ops.secrets."wg-nevsky.age"; + }; + networking = { hostName = "nevsky"; domain = "tvl.fyi"; 
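Review bot: In the bugry networking hunk, `defaultGateway6.interface = "wg-nevsky"` names an interface that only exists once wireguard-wg-nevsky.service has run, and the default route is (as far as I recall the NixOS scripted-networking units) installed by network-setup.service with no ordering between the two, so on boot the `ip -6 route replace default ... dev wg-nevsky` may fail with "No such device" and the host comes up with no v6 default route at all; verify the unit ordering, or add the route from the interface's `postSetup` where the device is guaranteed to exist. The combination is otherwise sound: the peer's `allowedIPs = [ "::/0" ]` lets cryptokey routing accept any destination, `allowedIPsAsRoutes = false` keeps WireGuard from adding a competing route, and the `endpoint` is IPv4 so the tunnel cannot swallow its own packets — that reasoning is worth putting next to the existing comment, e.g. `# ::/0 peer + explicit defaultGateway6 below; endpoint is v4, so no routing loop`. The `ipv6.addresses` → `ipv4.addresses` correction on enp6s0 is a separate fix riding along with the tunnel change and deserves a line in the commit message. The `networking` attribute set continues past the end of the hunk.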
@@ -106,12 +111,34 @@ in interface = "enp1s0f0np0"; }; + wireguard.interfaces.wg-bugry = { + ips = [ "2a03:6f00:2:514b:5bc7:95ef::1/96" ]; + privateKeyFile = "/run/agenix/wg-privkey"; + listenPort = 51820; + + postSetup = '' + ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE + ''; + + postShutdown = '' + ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE + ''; + + peers = [{ + publicKey = "+vFeWLH99aaypitw7x1J8IypoTrva28LItb1v2VjOAg="; # bugry + allowedIPs = [ "2a03:6f00:2:514b:5bc7:95ef::/96" ]; + }]; + + allowedIPsAsRoutes = true; + }; + nameservers = [ "8.8.8.8" "8.8.4.4" ]; firewall.allowedTCPPorts = [ 22 80 443 ]; + firewall.allowedUDPPorts = [ 51820 ]; }; # Generate an immutable /etc/resolv.conf from the nameserver settings |
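Review bot: The MASQUERADE rule in `postSetup` is appended with `-A` unconditionally, so any restart of wireguard-wg-bugry.service in which `postShutdown` did not run (crash, failed stop) leaves duplicate entries in the nat POSTROUTING chain; guard it, `${pkgs.iptables}/bin/ip6tables -t nat -C POSTROUTING <rule> || ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING <rule>`, or express the whole thing as `networking.nat = { enable = true; enableIPv6 = true; externalInterface = "enp1s0f0np0"; internalInterfaces = [ "wg-bugry" ]; }`, which as I read that module also sets the forwarding sysctl — nothing in this hunk enables net.ipv6.conf.all.forwarding, so unless it is set elsewhere in the file the tunnel will not actually carry bugry's traffic. Once forwarding is on, note that the NixOS firewall only filters INPUT by default and leaves FORWARD at its ACCEPT policy, so it is worth restricting forwarded traffic to `-i wg-bugry -o enp1s0f0np0` plus established/related replies (for example via `networking.firewall.extraCommands`) rather than letting nevsky forward anything that reaches it; cryptokey routing already limits what arrives on wg-bugry to the peer's /96, but nothing limits what arrives on the upstream side. The rule text is also duplicated verbatim between `postSetup` and `postShutdown`; binding it once in a `let` and interpolating it in both hooks keeps the add and delete from drifting apart.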