diff --git a/keys/secrets.nix b/keys/secrets.nix
index c1ba64d..c10637d 100644
--- a/keys/secrets.nix
+++ b/keys/secrets.nix
@@ -12,6 +12,6 @@ in
 "wg-selene".publicKeys = macbook ++ selene ++ master;
 "wg-macbook".publicKeys = macbook ++ master;
 "hetzner.priv".publicKeys = macbook ++ selene ++ master ++ ren;
- "wg-ren".publicKeys = macbook++master;
+ "wg-ren.priv".publicKeys = macbook++master++ren;
 "ren.priv".publicKeys = master ++ ren;
 }
\ No newline at end of file
diff --git a/keys/wg-ren b/keys/wg-ren
deleted file mode 100644
index 858a6a6..0000000
--- a/keys/wg-ren
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 M7OTMg QdJds7EpXMyyO9aKmqQg3HWmY6RQbzkQxRQw+K9fn14
-/SlvfJAOmCqYvIOZm/ZSynAIWSC+2dAvPpa+5Me6I8k
--> ssh-ed25519 CJLJQg MqNRTuwFcRdZ5VFbcgXQwjRxMAHLJEdUKLuXFPtkRVc
-qRaaJzGRPiW2doetErhhUKwUXitvsQ5CGl2QzGK44Ss
---- fCQGYqP7qr+S1tzDeyce5Bn4iWsXq+kIe/ojPNj0LVA
-4Zi"՞3W+i98ߞ=unBy]@[X[] XÛ5̜zl@
\ No newline at end of file
diff --git a/keys/wg-ren.priv b/keys/wg-ren.priv
new file mode 100644
index 0000000..e3706a9
--- /dev/null
+++ b/keys/wg-ren.priv
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 M7OTMg 8nknZVXc9jRQ9EIoeZQPfVFc3AsN+ZNaiSPeIWMVNyQ
+hjICGDFoRD2hsUOBmdp25kkd0r/VaMCV2qwc32zOHsY
+-> ssh-ed25519 CJLJQg Z6xiZlQsQ0WrHJL/rfKjqg4UJS6sbToZz+HeYcWdAxQ
+Z8On7Lpm5wPj3Trp1tU1nz8G1L19Ko4TmfCOcV9dRqw
+-> ssh-ed25519 pvX1bw Wwz7stGctuhK51nIvvWJpraC+p1MnctIobNTcfiPoRc
+sMd9qVUGTGVZMLNdm4r5qNu/05nxMfibdpdSZ9IFv1g
+--- ScMClS6qUPytP3iOk9isrnxfS52ykFVWYfxYoqAxAg4
+pjxC I1~/`Yb޿BkxbED) L{C V/}A֞
+I
+Œf#ԭc
\ No newline at end of file
diff --git a/keys/wg-ren.pub b/keys/wg-ren.pub
index c183803..2cbd679 100644
--- a/keys/wg-ren.pub
+++ b/keys/wg-ren.pub
@@ -1 +1 @@
-wvTFERFXOPcgziLtLtfF3LGv5zmBWikCy/yLRwSuxWA=
+6wo2BVWvdXIkrqHaZFag4t7LcmiaiUIX4M/EeHrjwHE=
diff --git a/modules/servermodules/wireguard/wireguard-server.nix b/modules/servermodules/wireguard/wireguard-server.nix
index 0e9144b..f3c2b9f 100644
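Review bot: The renamed entry `"wg-ren.priv".publicKeys = macbook++master++ren;` is the only line in this hunk that writes `++` without surrounding spaces; `macbook ++ master ++ ren` would match its neighbours. The new `.priv` suffix also sets this WireGuard key apart from `wg-selene` and `wg-macbook`, which carry no suffix; if the suffix is meant to mark secrets that are decrypted on the target host (as `hetzner.priv` and `ren.priv` suggest), a one-line comment above the entry stating that convention would spare the next reader the guess. The `let`/`in` binding named in the hunk header starts outside the hunk.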
--- a/modules/servermodules/wireguard/wireguard-server.nix +++ b/modules/servermodules/wireguard/wireguard-server.nix @@ -54,10 +54,7 @@ in peers = [ # List of allowed peers. (import ../../../systems/macbook/wireguard.nix).peerConfig - { - publicKey = (builtins.readFile ../../../keys/wg-ren.pub); - allowedIPs = [ "10.100.0.3/32" ]; - } + (import ../../../systems/ren/wireguard.nix).peerConfig ]; }; }; diff --git a/systems/ren/system.nix b/systems/ren/system.nix index fc4de85..77af17a 100644 --- a/systems/ren/system.nix +++ b/systems/ren/system.nix @@ -34,5 +34,6 @@ nixpkgs.lib.nixosSystem { ./hardware.nix agenix.nixosModules.default ./volumes.nix + (import ./wireguard.nix).systemModule ]; } diff --git a/systems/ren/users.nix b/systems/ren/users.nix index cb5485d..49422b1 100644 --- a/systems/ren/users.nix +++ b/systems/ren/users.nix @@ -1,3 +1,4 @@ +{ pkgs, ... }: { users.users.ren = { isNormalUser = true; @@ -24,5 +25,6 @@ (builtins.readFile ../../keys/hetzner.pub) ]; age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ]; + environment.systemPackages = [ pkgs.git ]; } diff --git a/systems/ren/wireguard.nix b/systems/ren/wireguard.nix new file mode 100644 index 0000000..0e80475 --- /dev/null +++ b/systems/ren/wireguard.nix 
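Review bot: The server-side `allowedIPs` for this peer — the restriction on which source address the peer may use inside the tunnel — now comes from `(import ../../../systems/ren/wireguard.nix).peerConfig`, and that file in turn imports this one for `infoForClients`, so the two files import each other. Nix evaluates lazily, so this appears to work as long as `infoForClients` never depends on `peers`; that invariant is not stated anywhere and would be easy to break. A comment next to the new line such as `# ren/wireguard.nix also imports this file (infoForClients); keep infoForClients independent of peers.` would document it. The enclosing expression starts outside the hunk.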
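Review bot: `environment.systemPackages = [ pkgs.git ];` is a system-wide option placed in `users.nix`, and the first hunk adds the `{ pkgs, ... }:` header only to support it; if git is needed for this user, `users.users.ren.packages = [ pkgs.git ];` keeps the file focused on users, otherwise the line belongs with the other system-level configuration. The context line `age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ];` shows that host secrets are decrypted with a key in a user's home directory, and with this commit that presumably now includes the WireGuard private key added as the `ren` recipient of `wg-ren.priv`; if that is deliberate, a comment saying so (and why the host SSH key is not used) would make the trust boundary explicit. The enclosing attribute set starts outside both hunks.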
@@ -0,0 +1,32 @@
+let
+ ip = "10.100.0.3/32";
+ publicKey = (builtins.readFile ../../keys/wg-ren.pub);
+in
+{
+ systemModule = { config, ... }: {
+ age.secrets.wg-private.file = ../../keys/wg-ren.priv;
+ networking.wg-quick.interfaces.wg-selene = {
+ privateKeyFile = config.age.secrets.wg-private.path;
+
+ # The internal IP address assigned to this client by the server.
+ # The /24 subnet mask is important for knowing the VPN's local network.
+ address = [ ip ];
+
+ # DNS server(s) to use when the tunnel is active.
+ # This is critical for resolving hostnames when all traffic is routed.
+ dns = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+
+ peers = [
+ (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
+ ];
+ };
+ };
+
+ peerConfig = {
+ publicKey = publicKey;
+ allowedIPs = [ip];
+ };
+}
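Review bot: The comment above `address = [ ip ];` says "The /24 subnet mask is important", but `ip` is `"10.100.0.3/32"`, and the same value is reused as the server-side `allowedIPs` in `peerConfig`, so the comment contradicts the code. With a /32 address wg-quick installs no route for the rest of 10.100.0.0/24 on its own; reachability of other peers depends on the server peer's `allowedIPs` in `infoForClients`, which lives outside this file, and the DNS comment's "when all traffic is routed" likewise presumes a setting this file does not show. I would replace the two address comment lines with `# This host's own tunnel address, kept /32 so the same value doubles as the` / `# server-side allowedIPs entry in peerConfig; routes to other peers come` / `# from the server peer's allowedIPs (infoForClients).`. The secret name `wg-private` is also generic enough to collide if this host ever gets a second WireGuard interface; `wg-ren-private` would match the file name.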