From 1d445a7fd49156dad9f5001b950380838745fb4e Mon Sep 17 00:00:00 2001
From: iFargle
Date: Mon, 29 Jan 2024 11:39:49 +0900
Subject: [PATCH] Add separate wireguard connection for backups-rpi4
---
 .forgejo/workflows/deploy-rs.yml | 2 +-
 nixos/hosts/backups-rpi4/default.nix | 1 +
 nixos/hosts/backups-rpi4/wireguard.nix | 44 +++++++++++++++++++++++
 nixos/hosts/osaka-linode-01/wireguard.nix | 9 ++++-
 4 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 nixos/hosts/backups-rpi4/wireguard.nix
diff --git a/.forgejo/workflows/deploy-rs.yml b/.forgejo/workflows/deploy-rs.yml
index 67622653..46f7296e 100644
--- a/.forgejo/workflows/deploy-rs.yml
+++ b/.forgejo/workflows/deploy-rs.yml
@@ -2,7 +2,7 @@ name: deploy-rs
 run-name: ${{ github.actor }} - deploy-rs
 on:
 schedule:
- - cron: '0 2,9 * * *'
+ - cron: '0 2 * * *' # “At 02:00 daily."
 jobs:
diff --git a/nixos/hosts/backups-rpi4/default.nix b/nixos/hosts/backups-rpi4/default.nix
index 04b91f14..93f9279f 100644
--- a/nixos/hosts/backups-rpi4/default.nix
+++ b/nixos/hosts/backups-rpi4/default.nix
@@ -5,6 +5,7 @@
 ../../common/services/tailscale-autoconnect.nix
 ./backup-script.nix
 ./cron.nix
+ ./wireguard.nix
 ];
 # Enable distributed Builds
 nix.distributedBuilds = true;
diff --git a/nixos/hosts/backups-rpi4/wireguard.nix b/nixos/hosts/backups-rpi4/wireguard.nix
new file mode 100644
index 00000000..dc12cce5
--- /dev/null
+++ b/nixos/hosts/backups-rpi4/wireguard.nix
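Review bot: The cron schedule change in `.forgejo/workflows/deploy-rs.yml` (two runs a day reduced to one) is unrelated to the WireGuard peer this commit's subject describes and is not mentioned in the commit message, so it is easy to miss when reading history; it would be clearer as its own commit or at least called out in the description. The trailing comment also mixes a curly opening quote with a straight closing one, `# “At 02:00 daily."`; `# "At 02:00 daily."` keeps the file plain ASCII and the quotes matched.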
@@ -0,0 +1,44 @@
+{ pkgs, config, lib, ... }: {
+
+ # Allow these hosts to directly communicate with their hostnames
+ networking.extraHosts = ''
+ 10.100.0.1 osaka-linode-01
+ 10.100.0.2 framework-server
+ 10.100.0.3 backups-rpi4
+ '';
+
+ networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
+
+ # Set up the secrets file:
+ sops.secrets."wireguard_key" = {
+ owner = "root";
+ sopsFile = ../../../secrets/hosts/backups-rpi4.yaml;
+ };
+ sops.secrets."preshared_key" = {
+ owner = "root";
+ sopsFile = ../../../secrets/wireguard.yaml;
+ };
+
+ # Wireguard Forwarder
+ networking.firewall.allowPing = true;
+ networking.wireguard = {
+ enable = true;
+ interfaces = {
+ "wireguard0" = {
+ ips = [ "10.100.0.3/24" ];
+ listenPort = 51820;
+ privateKeyFile = "/run/secrets/wireguard_key";
+ # Testing
+ peers = [
+ { # osaka-linode-01
+ publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+ presharedKeyFile = "/run/secrets/preshared_key";
+ persistentKeepalive = 5;
+ allowedIPs = [ "10.100.0.1/32" ];
+ endpoint = "172.234.84.222:51820"; # osaka-linode-01
+ }
+ ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/nixos/hosts/osaka-linode-01/wireguard.nix b/nixos/hosts/osaka-linode-01/wireguard.nix
index cf03a11e..ba0475b9 100644
--- a/nixos/hosts/osaka-linode-01/wireguard.nix
+++ b/nixos/hosts/osaka-linode-01/wireguard.nix
@@ -4,6 +4,7 @@ networking.extraHosts = ''
 10.100.0.1 osaka-linode-01
 10.100.0.2 framework-server
+ 10.100.0.3 backups-rpi4
 10.100.0.2 git.sysctl.io
 10.100.0.2 loki.sysctl.io
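Review bot: The framework-server entry in `networking.extraHosts` (10.100.0.2) cannot be reached through this tunnel as written, because the only peer carries `allowedIPs = [ "10.100.0.1/32" ];`, so backups-rpi4 never routes 10.100.0.2 into wireguard0. Either drop that hosts line, or — only if osaka-linode-01 is meant to relay between peers, which this file does not show — add `"10.100.0.2/32"` to that peer's allowedIPs; the narrow /32 is the safer default when relaying is not needed. The `# Testing` comment above `peers` and the `# Wireguard Forwarder` heading read like leftovers from another host's file, since this host configures no forwarding; `# WireGuard tunnel to osaka-linode-01 (this host initiates; no forwarding)` describes what is here. The file also lacks a trailing newline (`\ No newline at end of file`).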
@@ -42,12 +43,18 @@
 postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
 postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
 peers = [
- { # nixos-rpi4-03
+ { # framework-server
 publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
 presharedKeyFile = "/run/secrets/preshared_key";
 persistentKeepalive = 5;
 allowedIPs = [ "10.100.0.2/32" ];
 }
+ { # backups-rpi4
+ publicKey = "5LUo2TJr0gsIGCTaeQJDQQqr1+ossEKehKrv2GC1OBw=";
+ presharedKeyFile = "/run/secrets/preshared_key";
+ persistentKeepalive = 5;
+ allowedIPs = [ "10.100.0.3/32" ];
+ }
 ];
 };
 };
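Review bot: Both peers in this list point `presharedKeyFile` at the same `/run/secrets/preshared_key`, and the new backups-rpi4 module reads its copy from the shared `secrets/wireguard.yaml`, so a single pre-shared key now covers every link. A WireGuard PSK is intended to be unique per peer pair; with one key everywhere, a compromise of any one host also strips the symmetric layer from the links it is not part of. Consider a dedicated sops secret for the backups-rpi4 pair, e.g. `presharedKeyFile = "/run/secrets/<per-peer-psk-secret>";` (placeholder name), referenced from both sides. The enclosing `networking.wireguard.interfaces` attribute set begins before this hunk.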