From 67657a453e654811ed5adf45a4c7aab32dc30274 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 17:19:58 +0100
Subject: bifrost: ...
---
 hosts/surtr/bifrost/default.nix | 66 +++++++++++++++++++++++++++++++++++++++++
 hosts/surtr/bifrost/surtr.priv | 26 ++++++++++++++++
 hosts/surtr/bifrost/surtr.pub | 1 +
 3 files changed, 93 insertions(+)
 create mode 100644 hosts/surtr/bifrost/default.nix
 create mode 100644 hosts/surtr/bifrost/surtr.priv
 create mode 100644 hosts/surtr/bifrost/surtr.pub
(limited to 'hosts/surtr/bifrost')
diff --git a/hosts/surtr/bifrost/default.nix b/hosts/surtr/bifrost/default.nix
new file mode 100644
index 00000000..8f1e602d
--- /dev/null
+++ b/hosts/surtr/bifrost/default.nix
@@ -0,0 +1,66 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ trim = str: if hasSuffix "\n" str then trim (removeSuffix "\n" str) else str;
+in {
+ config = {
+ systemd.network = {
+ netdevs = {
+ bifrost = {
+ netdevConfig = {
+ Name = "bifrost";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets.bifrost.path;
+ ListenPort = 51822;
+ };
+ wireguardPeers = [
+ { wireguardPeerConfig = {
+ AllowedIPs = [ "2a03:4000:52:ada:4:1::/96" ];
+ PublicKey = trim (readFile ../../vidhar/network/bifrost/vidhar.pub);
+ };
+ }
+ ];
+ };
+ };
+ networks = {
+ bifrost = {
+ name = "bifrost";
+ matchConfig = {
+ Name = "bifrost";
+ };
+ address = ["2a03:4000:52:ada:4::/96"];
+ routes = [
+ { routeConfig = {
+ Destination = "2a03:4000:52:ada:4::/80";
+ };
+ }
+ ];
+ linkConfig = {
+ RequiredForOnline = false;
+ };
+ networkConfig = {
+ LLMNR = false;
+ MulticastDNS = false;
+ };
+ };
+ };
+ };
+ sops.secrets.bifrost = {
+ format = "binary";
+ sopsFile = ./surtr.priv;
+ mode = "0640";
+ owner = "root";
+ group = "systemd-network";
+ };
+ environment.etc."systemd/networkd.conf" = {
+ text = ''
+ [Network]
+ RouteTable=bifrost:1026
+ '';
+ };
+ };
+}
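Review bot: Nothing in this new file opens UDP 51822 for the `ListenPort` set under `wireguardConfig`, so if the host firewall is enabled and the port is not allowed in another module (not visible here), handshakes from the vidhar peer would be dropped; consider adding `networking.firewall.allowedUDPPorts = [ 51822 ];` next to the netdev, or a comment naming where the port is opened. The route sends `2a03:4000:52:ada:4::/80` into bifrost while the only peer's `AllowedIPs` is `2a03:4000:52:ada:4:1::/96`, so traffic for the rest of the /80 has no matching peer and is rejected at the interface; if that is intended, a short comment on the `Destination` line should say so. `RouteTable=bifrost:1026` is declared in networkd.conf but no route in this file sets `Table`, so the name is presumably consumed elsewhere and a one-line comment pointing at that consumer would help the next reader.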
diff --git a/hosts/surtr/bifrost/surtr.priv b/hosts/surtr/bifrost/surtr.priv
new file mode 100644
index 00000000..e7f2aeb4
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.priv
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:Q3KFfWy4UQIbXfoR6jIb02r0735fvMMHqAWtqOE/BZfe/FuJUkb+HSSJbAkt,iv:YsaIx6eYfLOv1H3IammluRd9XDJAr6o4/HaHgtL8ZUc=,tag:uyINYQ0BGhi6TAuQkPCbBA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-02-06T16:09:36Z",
+ "mac": "ENC[AES256_GCM,data:lzg4JDAyy1tL4dcuima26VWqQmCbr25+8AoecVIctX61V2STXiKzd938bEoJ02UVEPYAUzq+NP5fX6IrggYx2A0tII7oyo92EGBYJsvuCBpZWhZKpniXDsRcQo09PH3QJlJ9liSM8bCf6u//ubGU06xvLldt+g4xvvNOVfqMPSo=,iv:Ya2o/hhg18zp7PqLNSHJAAkyz/Lzibysylqsh0CvMzs=,tag:zeZZ0ilsCa/As7VOSCRgSQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-02-06T16:09:36Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAx1FJFTdMFdAzIAwO1rZ9ikD/cP1nTzfI1wLZf5ufB3Uw\nY8JVtL/aSLaO3tli5eZNuz6tEhTFA0GU8l3c/Ws6ocjC+l3IR5bS2CGZbMHjyIyT\n0l4BgxRFBMFJdpbgpIEPsthgZwJRGNQofSJ7A6/550ekM5b/n77CBZQOHwocuJ4q\n7LCSH6kFUH8GgkSC26OLC8f/QpWr9zTneZP0mBd2CiADDCg6oPI3rGwq6+jQKNny\n=wDDa\n-----END PGP MESSAGE-----\n",
+ "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+ },
+ {
+ "created_at": "2022-02-06T16:09:36Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdActA18sJwR4mjwyilHzHHBBuReg88U8QVMLphsqFvHFIw\nV5OTgNNvwiCPHSvGiYQ41Fnxa3VVDu0b3HSsq1Xvf5aFf65cRW39t/JHruwkpd1M\n0l4BbBOw5pksAlRcX25PNIIg7WEq4mlJjCi41INKJ1lF5YEu9kVZHT/+ayU6N5Kf\nVH3I6bpZiIKMc4fnF+yiVbCTWNC3EYTeCpe/ZnM8Gd0WLJh0KsLS+QVzMYagMHNm\n=Cc3x\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
diff --git a/hosts/surtr/bifrost/surtr.pub b/hosts/surtr/bifrost/surtr.pub
new file mode 100644
index 00000000..2f6ec1b6
--- /dev/null
+++ b/hosts/surtr/bifrost/surtr.pub
@@ -0,0 +1 @@
+/s2yJlJKmy/vt+r/A4z2dof8CBs95KW7CeWLtOb0ERc=
-- cgit v1.2.3