Add separate wireguard connection for backups-rpi4

This commit is contained in:
iFargle 2024-01-29 11:39:49 +09:00
parent 0c28f4bf44
commit 1d445a7fd4
4 changed files with 54 additions and 2 deletions

View file

@ -2,7 +2,7 @@ name: deploy-rs
run-name: ${{ github.actor }} - deploy-rs run-name: ${{ github.actor }} - deploy-rs
on: on:
schedule: schedule:
- cron: '0 2,9 * * *' - cron: '0 2 * * *'
# “At 02:00 daily." # “At 02:00 daily."
jobs: jobs:

View file

@ -5,6 +5,7 @@
../../common/services/tailscale-autoconnect.nix ../../common/services/tailscale-autoconnect.nix
./backup-script.nix ./backup-script.nix
./cron.nix ./cron.nix
./wireguard.nix
]; ];
# Enable distributed Builds # Enable distributed Builds
nix.distributedBuilds = true; nix.distributedBuilds = true;

View file

@ -0,0 +1,44 @@
{ pkgs, config, lib, ... }: {
# Allow these hosts to directly communicate with their hostnames
networking.extraHosts = ''
10.100.0.1 osaka-linode-01
10.100.0.2 framework-server
10.100.0.3 backups-rpi4
'';
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
# Set up the secrets file:
sops.secrets."wireguard_key" = {
owner = "root";
sopsFile = ../../../secrets/hosts/backups-rpi4.yaml;
};
sops.secrets."preshared_key" = {
owner = "root";
sopsFile = ../../../secrets/wireguard.yaml;
};
# Wireguard Forwarder
networking.firewall.allowPing = true;
networking.wireguard = {
enable = true;
interfaces = {
"wireguard0" = {
ips = [ "10.100.0.3/24" ];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard_key";
# Testing
peers = [
{ # osaka-linode-01
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.1/32" ];
endpoint = "172.234.84.222:51820"; # osaka-linode-01
}
];
};
};
};
}

View file

@ -4,6 +4,7 @@
networking.extraHosts = '' networking.extraHosts = ''
10.100.0.1 osaka-linode-01 10.100.0.1 osaka-linode-01
10.100.0.2 framework-server 10.100.0.2 framework-server
10.100.0.3 backups-rpi4
10.100.0.2 git.sysctl.io 10.100.0.2 git.sysctl.io
10.100.0.2 loki.sysctl.io 10.100.0.2 loki.sysctl.io
@ -42,12 +43,18 @@
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE''; postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE''; postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
peers = [ peers = [
{ # nixos-rpi4-03 { # framework-server
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek="; publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
presharedKeyFile = "/run/secrets/preshared_key"; presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5; persistentKeepalive = 5;
allowedIPs = [ "10.100.0.2/32" ]; allowedIPs = [ "10.100.0.2/32" ];
} }
{ # backups-rpi4
publicKey = "5LUo2TJr0gsIGCTaeQJDQQqr1+ossEKehKrv2GC1OBw=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.3/32" ];
}
]; ];
}; };
}; };