Add separate wireguard connection for backups-rpi4
This commit is contained in:
parent
0c28f4bf44
commit
1d445a7fd4
4 changed files with 54 additions and 2 deletions
@ -2,7 +2,7 @@ name: deploy-rs
|
|||
run-name: ${{ github.actor }} - deploy-rs
on:
schedule:
- cron: '0 2,9 * * *'
- cron: '0 2 * * *'
# “At 02:00 daily."
jobs:
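Review bot: The comment under the new cron line, `# "At 02:00 daily."`, leaves the timezone implicit and mixes a curly opening quote with a straight closing one; the `${{ github.actor }}` expression shows this is a GitHub Actions workflow, whose `schedule` cron expressions are evaluated in UTC, so a reader may misjudge when deploy-rs actually fires. Suggest `# At 02:00 UTC daily (GitHub Actions cron is evaluated in UTC).`. The `jobs:` section that the schedule triggers continues outside the hunk.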
@ -5,6 +5,7 @@
../../common/services/tailscale-autoconnect.nix
./backup-script.nix
./cron.nix
./wireguard.nix
];
# Enable distributed Builds
nix.distributedBuilds = true;
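--- /dev/null
+++ b/nixos/hosts/backups-rpi4/wireguard.nix
@@ -0,0 +1,44 @@
+{ pkgs, config, lib, ... }: {
+
+# Allow these hosts to directly communicate with their hostnames
+networking.extraHosts = ''
+10.100.0.1 osaka-linode-01
+10.100.0.2 framework-server
+10.100.0.3 backups-rpi4
+'';
+
+networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
+
+# Set up the secrets file:
+sops.secrets."wireguard_key" = {
+owner = "root";
+sopsFile = ../../../secrets/hosts/backups-rpi4.yaml;
+};
+sops.secrets."preshared_key" = {
+owner = "root";
+sopsFile = ../../../secrets/wireguard.yaml;
+};
+
+# Wireguard Forwarder
+networking.firewall.allowPing = true;
+networking.wireguard = {
+enable = true;
+interfaces = {
+"wireguard0" = {
+ips = [ "10.100.0.3/24" ];
+listenPort = 51820;
+privateKeyFile = "/run/secrets/wireguard_key";
+# Testing
+peers = [
+{ # osaka-linode-01
+publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
+presharedKeyFile = "/run/secrets/preshared_key";
+persistentKeepalive = 5;
+allowedIPs = [ "10.100.0.1/32" ];
+endpoint = "172.234.84.222:51820"; # osaka-linode-01
+}
+];
+};
+};
+};
+}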
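Review bot: The only peer carries `allowedIPs = [ "10.100.0.1/32" ]`, so from backups-rpi4 just osaka-linode-01 is reachable through wireguard0, even though `extraHosts` maps framework-server to 10.100.0.2 and the `# Wireguard Forwarder` comment suggests the Linode is meant to relay; as far as I can tell, traffic to 10.100.0.2 will follow the on-link route created by the `/24` on `ips` into wireguard0 and then be dropped by cryptokey routing because no peer covers that address. If framework-server is meant to be reached via the hub, widen the entry to `allowedIPs = [ "10.100.0.0/24" ];` (this also depends on forwarding being enabled on the Linode, which this commit does not show). The `# Testing` comment above `peers` reads like a leftover and should either say what is being tested or be removed. Hard-coding `/run/secrets/wireguard_key` relies on sops-nix's default path; `privateKeyFile = config.sops.secrets."wireguard_key".path;` ties the two declarations together, and `pkgs` and `lib` in the module header are unused.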
@ -4,6 +4,7 @@
networking.extraHosts = ''
10.100.0.1 osaka-linode-01
10.100.0.2 framework-server
10.100.0.3 backups-rpi4
10.100.0.2 git.sysctl.io
10.100.0.2 loki.sysctl.io
@ -42,12 +43,18 @@
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp0s4 -j MASQUERADE'';
peers = [
{ # nixos-rpi4-03
{ # framework-server
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.2/32" ];
}
{ # backups-rpi4
publicKey = "5LUo2TJr0gsIGCTaeQJDQQqr1+ossEKehKrv2GC1OBw=";
presharedKeyFile = "/run/secrets/preshared_key";
persistentKeepalive = 5;
allowedIPs = [ "10.100.0.3/32" ];
}
];
};
};
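Review bot: Both peer entries in the second hunk point at the same `/run/secrets/preshared_key`, and the new host's own module sources its copy from the shared `secrets/wireguard.yaml` rather than its per-host secrets file, so one preshared key appears to be used fleet-wide. WireGuard preshared keys are meant to be per peer pair; with a single shared PSK, compromise of any one host (the internet-facing backup target being the likeliest) strips the extra PSK layer from every other pair rather than only that host's tunnel. Consider one secret per peer, e.g. `presharedKeyFile = config.sops.secrets."psk_backups-rpi4".path;` on the backups-rpi4 entry with a matching per-host secret on the Pi, and the same for framework-server. The enclosing `networking.wireguard` interface definition starts before this hunk.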