Add separate wireguard connection for backups-rpi4
parent
0c28f4bf44
commit
1d445a7fd4
4 changed files with 54 additions and 2 deletions
@ -2,7 +2,7 @@ name: deploy-rs
run-name: ${{ github.actor }} - deploy-rs
run-name: ${{ github.actor }} - deploy-rs
on:
on:
schedule:
schedule:
- cron: '0 2,9 * * *'
- cron: '0 2 * * *'
# “At 02:00 daily."
# “At 02:00 daily."
jobs:
jobs:
@ -5,6 +5,7 @@
../../common/services/tailscale-autoconnect.nix
../../common/services/tailscale-autoconnect.nix
./backup-script.nix
./backup-script.nix
./cron.nix
./cron.nix
./wireguard.nix
];
];
# Enable distributed Builds
# Enable distributed Builds
nix.distributedBuilds = true;
nix.distributedBuilds = true;
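--- /dev/null
+++ b/nixos/hosts/backups-rpi4/wireguard.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, lib, ... }: {
+
+# Allow these hosts to directly communicate with their hostnames
+networking.extraHosts = ''
+10.100.0.1 osaka-linode-01
+10.100.0.2 framework-server
+10.100.0.3 backups-rpi4
+'';
+
+networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
+
+# Set up the secrets file:
+sops.secrets."wireguard_key" = {
+owner = "root";
+sopsFile = ../../../secrets/hosts/backups-rpi4.yaml;
+};
+sops.secrets."preshared_key" = {
+owner = "root";
+sopsFile = ../../../secrets/wireguard.yaml;
+};
+
+# Wireguard Forwarder
+networking.firewall.allowPing = true;
+networking.wireguard = {
+enable = true;
+interfaces = {
+"wireguard0" = {
+ips = [ "10.100.0.3/24" ];
+listenPort = 51820;
+privateKeyFile = "/run/secrets/wireguard_key";
+# Testing
+peers = [
+{ # osaka-linode-01
+publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+presharedKeyFile = "/run/secrets/preshared_key";
+persistentKeepalive = 5;
+allowedIPs = [ "10.100.0.1/32" ];
+endpoint = "172.234.84.222:51820"; # osaka-linode-01
+}
+];
+};
+};
+};
+}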
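Review bot: The preshared key for this peer is read from the shared `../../../secrets/wireguard.yaml` rather than the host-specific `secrets/hosts/backups-rpi4.yaml` used for `wireguard_key`, and the hub side in this same commit points both the framework-server and backups-rpi4 peers at the same `/run/secrets/preshared_key`, so one PSK appears to be reused for every peer pair. A WireGuard PSK only adds defence in depth when it is unique per pair; a fleet-wide PSK is no better than none once any single peer is compromised, so consider a per-pair secret such as `sops.secrets."preshared_key" = { owner = "root"; sopsFile = ../../../secrets/hosts/backups-rpi4.yaml; };` with a matching per-peer secret on the hub. Separately, `allowedIPs = [ "10.100.0.1/32" ]` means cryptokey routing will drop packets to `10.100.0.2`, so the `framework-server` entry added to `extraHosts` here is unreachable through the tunnel; if the hub is meant to forward spoke-to-spoke traffic (its MASQUERADE rule suggests it is), this peer needs `allowedIPs = [ "10.100.0.0/24" ];`. The `# Testing` comment above `peers` reads as a leftover and should either say what is being tested or be dropped.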
@ -4,6 +4,7 @@
networking.extraHosts = ''
networking.extraHosts = ''
10.100.0.1 osaka-linode-01
10.100.0.1 osaka-linode-01
10.100.0.2 framework-server
10.100.0.2 framework-server
10.100.0.3 backups-rpi4
10.100.0.2 git.sysctl.io
10.100.0.2 git.sysctl.io
10.100.0.2 loki.sysctl.io
10.100.0.2 loki.sysctl.io
@ -42,12 +43,18 @@
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
peers = [
peers = [
{ # nixos-rpi4-03
{ # framework-server
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
presharedKeyFile = "/run/secrets/preshared_key";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.2/32" ];
allowedIPs = [ "10.100.0.2/32" ];
}
}
{ # backups-rpi4
publicKey = "5LUo2TJr0gsIGCTaeQJDQQqr1+ossEKehKrv2GC1OBw=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.3/32" ];
}
];
];
};
};
};
};
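Review bot: The new backups-rpi4 peer restates the name-to-address mapping that this commit already writes in three other places — `10.100.0.3 backups-rpi4` in this file's `extraHosts`, the same line in the new backups-rpi4/wireguard.nix, and `allowedIPs = [ "10.100.0.3/32" ];` here — so the next host added has to be edited in four places and the copies can silently drift. One attrset in `common/` (e.g. `wgHosts = { osaka-linode-01 = "10.100.0.1"; framework-server = "10.100.0.2"; backups-rpi4 = "10.100.0.3"; }`) could generate both the hosts block and the per-peer `/32` allowedIPs. Also, `persistentKeepalive = 5;` on a hub peer that declares no `endpoint` only matters once the spoke has connected; keepalives are needed on the NATed side, and 5 s is aggressive compared with the 25 s usually recommended. The enclosing `networking.wireguard` interface block starts outside this hunk.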