Commit 97bb958b3cf2
Changed files (4)
ops/hosts.toml
@@ -65,14 +65,26 @@ addrs = { v4 = "10.100.0.1" }
port = 51820
[hosts.aion]
+network = "vpn"
addrs = { v4 = "192.168.1.49" }
+[hosts.aion.wireguard]
+addrs = { v4 = "10.100.0.49" }
+
[hosts.athena]
+network = "vpn"
addrs = { v4 = "192.168.1.183" }
+[hosts.athena.wireguard]
+addrs = { v4 = "10.100.0.83" }
+
[hosts.demeter]
+network = "vpn"
addrs = { v4 = "192.168.1.182" }
+[hosts.demeter.wireguard]
+addrs = { v4 = "10.100.0.82" }
+
[hosts.k8sn1]
addrs = { v4 = "192.168.1.130" }
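Review bot: The new `[hosts.*.wireguard]` addresses for aion, athena and demeter (10.100.0.49, .83, .82) repeat the values this same commit records under `wireguard.ips` in secrets/machines.nix, and nothing in either file checks that the two agree, so a later edit to one side will silently leave a peer's `allowedIPs` out of step with its interface address. Since athena.nix and demeter.nix already read both files, the duplication is at least worth flagging at the point where it is introduced: `# NOTE: must match wireguard.ips.<host> in secrets/machines.nix` above each new `[hosts.<name>.wireguard]` table.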
secrets/machines.nix
@@ -50,6 +50,7 @@ let
hass = "10.100.0.81";
demeter = "10.100.0.82";
athena = "10.100.0.83";
+ aion = "10.100.0.49";
};
kerkouane = {
allowedIPs = [ "${wireguard.ips.kerkouane}/32" ];
@@ -63,6 +64,18 @@ let
allowedIPs = [ "${wireguard.ips.wakasu}/32" ];
publicKey = "qyxGnd/YJefqb4eEPqKO5XinvNx14fPcuZMNeYuBvSQ=";
};
+ athena = {
+ allowedIPs = [ "${wireguard.ips.athena}/32" ];
+ publicKey = "qyxGnd/YJefqb4eEPqKO5XinvNx14fPcuZMNeYuBvSQ=";
+ };
+ demeter = {
+ allowedIPs = [ "${wireguard.ips.demeter}/32" ];
+ publicKey = "qyxGnd/YJefqb4eEPqKO5XinvNx14fPcuZMNeYuBvSQ=";
+ };
+ aion = {
+ allowedIPs = [ "${wireguard.ips.aion}/32" ];
+ publicKey = "qyxGnd/YJefqb4eEPqKO5XinvNx14fPcuZMNeYuBvSQ=";
+ };
vincent = {
allowedIPs = [ "${wireguard.ips.vincent}/32" ];
publicKey = "1wzFG60hlrAoSYcRKApsH+WK3Zyz8IjdLgIb/8JbuW0=";
@@ -91,14 +104,6 @@ let
allowedIPs = [ "${wireguard.ips.hass}/32" ];
publicKey = "sLi6Qpm6yyI0kuJ5LzCKXzFhhTW3Q50krxSin+b/sWs=";
};
- demeter = {
- allowedIPs = [ "${wireguard.ips.demeter}/32" ];
- publicKey = "0n1CwaCwBUkRYlq0ZRzHK1VFGx1mXPQZvLKtTA3dqRw=";
- };
- athena = {
- allowedIPs = [ "${wireguard.ips.athena}/32" ];
- publicKey = "3bmLHTJYq++uESQD/WA0Qml38IIchPG3sL4epKPGc0I=";
- };
};
ssh = {
yubikey = {
@@ -176,6 +181,10 @@ in
hostname = "${home.ips.aion}";
remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
};
+ "aion.vpn" = {
+ hostname = "${wireguard.ips.aion}";
+ remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
"aomi.vpn" = {
hostname = "${wireguard.ips.aomi}";
remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
@@ -216,10 +225,18 @@ in
hostname = "${home.ips.athena}";
remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
};
+ "athena.vpn" = {
+ hostname = "${wireguard.ips.athena}";
+ remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
"demeter.home" = {
hostname = "${home.ips.demeter}";
remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
};
+ "demeter.vpn" = {
+ hostname = "${wireguard.ips.demeter}";
+ remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ];
+ };
"dev.home" = {
hostname = "${home.ips.dev}";
};
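Review bot: In the `@@ -63,6 +64,18 @@` hunk the three new peer blocks for athena, demeter and aion all carry `qyxGnd/YJefqb4eEPqKO5XinvNx14fPcuZMNeYuBvSQ=`, which is wakasu's publicKey two lines above them. WireGuard identifies a peer by its public key, so four blocks with one key do not yield four peers; in practice a later block with the same key updates the earlier one and only a single set of allowedIPs survives, while the distinct keys demeter and athena had until now are dropped by the `@@ -91,14 +104,6 @@` hunk. Unless these machines were deliberately provisioned with a copy of wakasu's private key (which would make them indistinguishable on the tunnel and is worth avoiding), restore `publicKey = "0n1CwaCwBUkRYlq0ZRzHK1VFGx1mXPQZvLKtTA3dqRw=";` for demeter and `publicKey = "3bmLHTJYq++uESQD/WA0Qml38IIchPG3sL4epKPGc0I=";` for athena, and give aion its own generated key (`publicKey = "<AION_PUBLIC_KEY>";`). The matching `"athena.vpn"`, `"demeter.vpn"` and `"aion.vpn"` ssh entries in the later hunks look fine once the peers resolve to separate keys.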
systems/hosts/athena.nix
@@ -3,14 +3,14 @@
with lib;
let
hostname = "athena";
- # secretPath = ../../secrets/machines.nix;
- # secretCondition = (builtins.pathExists secretPath);
- #
- # ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- # ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- # endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- # endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- # endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
metadata = importTOML ../../ops/hosts.toml;
in
@@ -65,15 +65,15 @@ in
};
};
- # services = {
- # wireguard = {
- # enable = true;
- # ips = ips;
- # endpoint = endpointIP;
- # endpointPort = endpointPort;
- # endpointPublicKey = endpointPublicKey;
- # };
- # };
+ services = {
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
security.apparmor.enable = true;
security.pam.enableSSHAgentAuth = true;
}
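Review bot: `enable = true;` in the re-enabled `services.wireguard` block is unconditional, while every value it consumes is guarded by `secretCondition` in the let bindings of the first hunk and degrades to `""`, `[]` or `0` when secrets/machines.nix is absent, so a build without the secrets file enables the tunnel with an empty address list, a blank endpoint and a blank peer key. `enable = secretCondition;` keeps the service off in that case and makes the guard meaningful. `services.wireguard` appears to be a project module rather than upstream `networking.wireguard`, so whether it tolerates those empty values cannot be told from here. The identical block is re-enabled in systems/hosts/demeter.nix in this commit and needs the same change.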
systems/hosts/demeter.nix
@@ -3,14 +3,14 @@
with lib;
let
hostname = "demeter";
- # secretPath = ../../secrets/machines.nix;
- # secretCondition = (builtins.pathExists secretPath);
- #
- # ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
- # ips = lists.optionals secretCondition ([ "${ip}/24" ]);
- # endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
- # endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
- # endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
+ secretPath = ../../secrets/machines.nix;
+ secretCondition = (builtins.pathExists secretPath);
+
+ ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
+ ips = lists.optionals secretCondition ([ "${ip}/24" ]);
+ endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
+ endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
+ endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
metadata = importTOML ../../ops/hosts.toml;
in
@@ -65,15 +65,15 @@ in
};
};
- # services = {
- # wireguard = {
- # enable = true;
- # ips = ips;
- # endpoint = endpointIP;
- # endpointPort = endpointPort;
- # endpointPublicKey = endpointPublicKey;
- # };
- # };
+ services = {
+ wireguard = {
+ enable = true;
+ ips = ips;
+ endpoint = endpointIP;
+ endpointPort = endpointPort;
+ endpointPublicKey = endpointPublicKey;
+ };
+ };
security.apparmor.enable = true;
security.pam.enableSSHAgentAuth = true;
}