From 24f564ecf42f9c8819231c37a8e64a4984465cd1 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 14 Oct 2023 19:08:02 +0200 Subject: [PATCH] create wireguard tunnel to home --- configuration.nix | 29 +++++++++++++-- flake.lock | 47 ++++++++++++++++++++++++ flake.nix | 8 +++- secrets/README.md | 1 + secrets/secrets.nix | 7 ++++ secrets/wg-quick-home-preshared-key.age | 7 ++++ secrets/wg-quick-home-privkey.age | Bin 0 -> 315 bytes 7 files changed, 95 insertions(+), 4 deletions(-) create mode 100644 secrets/README.md create mode 100644 secrets/secrets.nix create mode 100644 secrets/wg-quick-home-preshared-key.age create mode 100644 secrets/wg-quick-home-privkey.age diff --git a/configuration.nix b/configuration.nix index 1ade130..b67557c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }@args: +{ pkgs, config, ... }: let stateVersion = "23.05"; @@ -29,8 +29,6 @@ in excludePackages = with pkgs; [ xterm ]; }; - # home-manager.users.pim = import ./home/home.nix; - users.users.pim = { isNormalUser = true; extraGroups = [ "wheel" ]; @@ -74,4 +72,29 @@ in experimental-features = nix-command flakes ''; }; + + age.secrets.wg-quick-home-privkey.file = ./secrets/wg-quick-home-privkey.age; + age.secrets.wg-quick-home-preshared-key.file = ./secrets/wg-quick-home-preshared-key.age; + age.identityPaths = [ "/home/pim/.ssh/id_ed25519" ]; + + + networking.wg-quick = { + interfaces.home = { + privateKeyFile = config.age.secrets.wg-quick-home-privkey.path; + address = [ + "10.225.191.4/24" + "fd11:5ee:bad:c0de::4/64" + ]; + dns = [ "192.168.30.8" ]; + peers = [{ + presharedKeyFile = config.age.secrets.wg-quick-home-preshared-key.path; + endpoint = "84.245.14.149:51820"; + publicKey = "fa3mQ7ximJbH7cu2ZbWidto5xBGxEEfWvCCiUDk00Hg="; + allowedIPs = [ + "0.0.0.0/0" + "::0/0" + ]; + }]; + }; + }; } diff --git a/flake.lock b/flake.lock index 0feaeeb..1cf7843 100644 --- a/flake.lock +++ b/flake.lock 
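Review bot: `age.identityPaths = [ "/home/pim/.ssh/id_ed25519" ];` ties decryption of the system's WireGuard secrets to one user's personal SSH key; agenix decrypts during system activation, running as root and non-interactively, so that key has to be present and passphrase-free at that point, and a rebuild from a state where /home/pim is not yet there (fresh install, encrypted home) cannot bring the tunnel up. The conventional choice is the host key, `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (what agenix falls back to when the option is left unset, as far as I recall), with the host's public key added next to `pim` as a recipient in secrets/secrets.nix, where the same single-recipient issue appears. Separately, with allowedIPs `0.0.0.0/0`/`::0/0` plus a `dns` entry this is a full-tunnel interface that wg-quick brings up at boot by default, so the machine has no connectivity whenever the endpoint is unreachable; if that is not intended, add `autostart = false;` to the interface or narrow allowedIPs to the home prefixes.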
@@ -1,5 +1,51 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696775529, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", + "owner": "ryantm", + "repo": "agenix", + "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -69,6 +115,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "home-manager": "home-manager", "homeage": "homeage", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index 1c92ca4..b23fd70 100644 --- a/flake.nix +++ b/flake.nix @@ -12,14 +12,20 @@ url = "github:jordanisaacs/homeage"; inputs.nixpkgs.follows = "nixpkgs"; }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.home-manager.follows = "home-manager"; + }; }; - outputs = { nixpkgs, home-manager, homeage, ... }: { + outputs = { nixpkgs, home-manager, homeage, agenix, ... }: { nixosConfigurations = { pim = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix + agenix.nixosModules.default home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 0000000..c668037 --- /dev/null +++ b/secrets/README.md @@ -0,0 +1 @@ +nix run github:ryantm/agenix# -- -e secret1.age 
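Review bot: The new `agenix` input pins only `nixpkgs` and `home-manager`, so agenix's own `darwin` input is resolved independently and gets locked in flake.lock (the new `darwin` node pointing at lnl7/nix-darwin master) for a flake that builds a single x86_64-linux system. Adding `inputs.darwin.follows = "";` beside the two existing `follows` lines drops that input, which is what the agenix README suggests for Linux-only flakes. The `outputs` function and its `modules` list continue past the end of the hunk.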
diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..fb70817 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,7 @@ +let + pim = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILTxn6fDUyEOWhuapt5GptYPZay+3tNH+UeY7aq8KSbh pim@x260"; +in +{ + "wg-quick-home-privkey.age".publicKeys = [ pim ]; + "wg-quick-home-preshared-key.age".publicKeys = [ pim ]; +} diff --git a/secrets/wg-quick-home-preshared-key.age b/secrets/wg-quick-home-preshared-key.age new file mode 100644 index 0000000..ef361ba --- /dev/null +++ b/secrets/wg-quick-home-preshared-key.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 vBZj5g 7qZySIRklLEiFuGWmZCzA7o2gFmrj3MaxlpHFv6QQEE +8JYbQk0j+VQWejVSdO+zSVzJbv1hyfDr13/2D4OEvKU +-> >9W|B`-grease We!hy%z EIO'3;.3 s} W` +KNmYbqbYWksSynw +--- +wtolstlFP+wW8GMh9WvZMwXk+V1VYfaQQq4Wa/j1N4 +I{C׍#M2g8ߵ;nRME%r 1(o @R[e/C"U=8^-܋ \ No newline at end of file diff --git a/secrets/wg-quick-home-privkey.age b/secrets/wg-quick-home-privkey.age new file mode 100644 index 0000000000000000000000000000000000000000..8c092d343328eec483b3a4a22104a3ab3d997ca8 GIT binary patch literal 315 zcmV-B0mS}cXJsvAZewzJaCB*JZZ2b7dfJ zRtjlFY-eF>R83}AGc!e1N;hm)cr#&POL;bQaCbvEaBF3CT3IVm3N0-yAUQ#JWLPtL zY;ZJDOGs8qSVDMDcXn1;QZ-ahbZjwpN?C76MoLLJNLW)v3PT_}oNFLgt%gWa_%9{_ zNF0Sxi~ux|ypa@6{h#j}vc13djoS3o?Us2=Is35tQtF0>me=OOpGMVK0ltwL8MOb4 N&gO{>24!AYgYXTKbdvx8 literal 0 HcmV?d00001
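Review bot: secrets.nix declares a single recipient, `pim`, with nothing stating which private identity it corresponds to or that every key in a `publicKeys` list can decrypt the WireGuard private key and preshared key. A one-line comment above the binding, `# recipient public key; its private half must be listed in age.identityPaths in configuration.nix`, would keep the two files in step when recipients change (presumably this is the public half of the id_ed25519 key configuration.nix points at, but that is not visible here). If a host key is later added as a recipient, both `publicKeys` lists need the new entry and the .age files must be re-encrypted with `agenix -r`.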