bifrost: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 17:19:58 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 17:19:58 +0100
commit: 67657a453e654811ed5adf45a4c7aab32dc30274 (patch)
tree: b94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/surtr/bifrost
parent: 93f07176317920ee881773519ee342f9c62ab9c9 (diff)
download: nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.gz
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.bz2
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.xz
nixos-67657a453e654811ed5adf45a4c7aab32dc30274.zip
3 files changed, 93 insertions, 0 deletions
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
new file mode 100644
index 00000000..8f1e602d
--- /dev/null
+++ b/hosts/surtr/bifrost/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+with lib;
+let
+  trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+  config = {
+    systemd.network = {
+      netdevs = {
+        bifrost = {
+          netdevConfig = {
+            Name = "bifrost";
+            Kind = "wireguard";
+          };
+          wireguardConfig = {
+            PrivateKeyFile = config.sops.secrets.bifrost.path;
+            ListenPort = 51822;
+          };
+          wireguardPeers = [
+            { wireguardPeerConfig = {
+                AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+                PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
+              };
+            }
+          ];
+        };
+      };
+      networks = {
+        bifrost = {
+          name = "bifrost";
+          matchConfig = {
+            Name = "bifrost";
+          };
+          address = ["2a03:4000:52:ada:4::/96"];
+          routes = [
+            { routeConfig = {
+                Destination = "2a03:4000:52:ada:4::/80";
+              };
+            }
+          ];
+          linkConfig = {
+            RequiredForOnline = false;
+          };
+          networkConfig = {
+            LLMNR = false;
+            MulticastDNS = false;
+          };
+        };
+      };
+    };
+    sops.secrets.bifrost = {
+      format = "binary";
+      sopsFile = ./surtr.priv;
+      mode = "0640";
+      owner = "root";
+      group = "systemd-network";
+    };
+    environment.etc."systemd/networkd.conf" = {
+      text = ''
+        [Network]
+        RouteTable=bifrost:1026
+      '';
+    };
+  };
+}
diff --git a/hosts/surtr/bifrost/surtr.priv b/hosts/surtr/bifrost/surtr.priv
new file mode 100644
index 00000000..e7f2aeb4
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.priv
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-02-06T16:09:36Z",
+                "mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-02-06T16:09:36Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-02-06T16:09:36Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
diff --git a/hosts/surtr/bifrost/surtr.pub b/hosts/surtr/bifrost/surtr.pub
new file mode 100644
index 00000000..2f6ec1b6
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.pub
@@ -0,0 +1 @@
+/s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc=
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 17:19:58 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 17:19:58 +0100
commit	67657a453e654811ed5adf45a4c7aab32dc30274 (patch)
tree	b94f3378117ca2b6bd2d43c8ef106855e52e6462 /hosts/surtr/bifrost
parent	93f07176317920ee881773519ee342f9c62ab9c9 (diff)
download	nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.gz nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.bz2 nixos-67657a453e654811ed5adf45a4c7aab32dc30274.tar.xz nixos-67657a453e654811ed5adf45a4c7aab32dc30274.zip

diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix new file mode 100644 index 00000000..8f1e602d --- /dev/null +++ b/hosts/surtr/bifrost/default.nix
@@ -0,0 +1,66 @@
	1	{ config, lib, ... }:
	2
	3	with lib;
	4
	5	let
	6	trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
	7	in {
	8	config = {
	9	systemd.network = {
	10	netdevs = {
	11	bifrost = {
	12	netdevConfig = {
	13	Name = "bifrost";
	14	Kind = "wireguard";
	15	};
	16	wireguardConfig = {
	17	PrivateKeyFile = config.sops.secrets.bifrost.path;
	18	ListenPort = 51822;
	19	};
	20	wireguardPeers = [
	21	{ wireguardPeerConfig = {
	22	AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
	23	PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
	24	};
	25	}
	26	];
	27	};
	28	};
	29	networks = {
	30	bifrost = {
	31	name = "bifrost";
	32	matchConfig = {
	33	Name = "bifrost";
	34	};
	35	address = ["2a03:4000:52:ada:4::/96"];
	36	routes = [
	37	{ routeConfig = {
	38	Destination = "2a03:4000:52:ada:4::/80";
	39	};
	40	}
	41	];
	42	linkConfig = {
	43	RequiredForOnline = false;
	44	};
	45	networkConfig = {
	46	LLMNR = false;
	47	MulticastDNS = false;
	48	};
	49	};
	50	};
	51	};
	52	sops.secrets.bifrost = {
	53	format = "binary";
	54	sopsFile = ./surtr.priv;
	55	mode = "0640";
	56	owner = "root";
	57	group = "systemd-network";
	58	};
	59	environment.etc."systemd/networkd.conf" = {
	60	text = ''
	61	[Network]
	62	RouteTable=bifrost:1026
	63	'';
	64	};
	65	};
	66	}


diff --git a/hosts/surtr/bifrost/surtr.priv b/hosts/surtr/bifrost/surtr.priv new file mode 100644 index 00000000..e7f2aeb4 --- /dev/null +++ b/hosts/surtr/bifrost/surtr.priv
@@ -0,0 +1,26 @@
	1	{
	2	"data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]",
	3	"sops": {
	4	"kms": null,
	5	"gcp_kms": null,
	6	"azure_kv": null,
	7	"hc_vault": null,
	8	"age": null,
	9	"lastmodified": "2022-02-06T16:09:36Z",
	10	"mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]",
	11	"pgp": [
	12	{
	13	"created_at": "2022-02-06T16:09:36Z",
	14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n",
	15	"fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
	16	},
	17	{
	18	"created_at": "2022-02-06T16:09:36Z",
	19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n",
	20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
	21	}
	22	],
	23	"unencrypted_suffix": "_unencrypted",
	24	"version": "3.7.1"
	25	}
	26	} \ No newline at end of file


diff --git a/hosts/surtr/bifrost/surtr.pub b/hosts/surtr/bifrost/surtr.pub new file mode 100644 index 00000000..2f6ec1b6 --- /dev/null +++ b/hosts/surtr/bifrost/surtr.pub
@@ -0,0 +1 @@
		/s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc=