diff --git a/ops/glesys/dns-tvl-fyi.tf b/ops/glesys/dns-tvl-fyi.tf
index 600b4ed54..2edef3a45 100644
--- a/ops/glesys/dns-tvl-fyi.tf
+++ b/ops/glesys/dns-tvl-fyi.tf
@@ -74,6 +74,13 @@ resource "glesys_dnsdomain_record" "tvl_fyi_bugry_A" {
   data = var.bugry_ipv4
 }
 
+resource "glesys_dnsdomain_record" "tvl_fyi_bugry_AAAA" {
+  domain = glesys_dnsdomain.tvl_fyi.id
+  host = "bugry"
+  type = "AAAA"
+  data = var.bugry_ipv6
+}
+
 resource "glesys_dnsdomain_record" "tvl_fyi_nixery-01_A" {
   domain = glesys_dnsdomain.tvl_fyi.id
   host = "nixery-01"
diff --git a/ops/glesys/main.tf b/ops/glesys/main.tf
index d675987f1..eef612027 100644
--- a/ops/glesys/main.tf
+++ b/ops/glesys/main.tf
@@ -76,6 +76,11 @@ variable "bugry_ipv4" {
   default = "91.199.149.239"
 }
 
+variable "bugry_ipv6" {
+  type = string
+  default = "2a03:6f00:2:514b:5bc7:95ef:0:2"
+}
+
 variable "sanduny_ipv4" {
   type = string
   default = "85.119.82.231"
diff --git a/ops/machines/bugry/default.nix b/ops/machines/bugry/default.nix
index 2f28b39f8..fe581b421 100644
--- a/ops/machines/bugry/default.nix
+++ b/ops/machines/bugry/default.nix
@@ -8,6 +8,7 @@ in
   imports = [
     (mod "tvl-cache.nix")
     (mod "tvl-users.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
   hardware.cpu.intel.updateMicrocode = true;
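Review bot: The new `tvl_fyi_bugry_AAAA` record publishes `var.bugry_ipv6`, which, from the ops/machines hunks in this same change, is bugry's address on the `wg-nevsky` WireGuard tunnel rather than an address on its own uplink, and nevsky MASQUERADEs that /96 when forwarding it out of `enp1s0f0np0`. Outbound v6 from bugry therefore works, but inbound connections to the published address only arrive if nevsky actually receives and forwards packets for `2a03:6f00:2:514b:5bc7:95ef:0:2` (the /96 being routed or NDP-proxied to it), which this diff does not show; that is worth confirming before anything depends on the record, and the same applies to the `bugry_ipv6` default in the main.tf hunk. A comment on the variable would save the next reader the cross-reference, e.g. `# bugry has no native v6; this address lives on its WireGuard tunnel to nevsky (see ops/machines/bugry)`.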
@@ -81,19 +82,40 @@ in
     };
   };
 
+  age.secrets = {
+    wg-privkey.file = depot.ops.secrets."wg-bugry.age";
+  };
+
   networking = {
     hostName = "bugry";
     domain = "tvl.fyi";
     hostId = "8425e349";
     useDHCP = false;
-    interfaces.enp6s0.ipv6.addresses = [{
+    interfaces.enp6s0.ipv4.addresses = [{
       address = "91.199.149.239";
       prefixLength = 24;
     }];
     defaultGateway = "91.199.149.1";
 
+    wireguard.interfaces.wg-nevsky = {
+      ips = [ "2a03:6f00:2:514b:5bc7:95ef:0:2/96" ];
+      privateKeyFile = "/run/agenix/wg-privkey";
+
+      peers = [{
+        publicKey = "gLyIY+R/YG9S8W8jtqE6pEV6MTyzeUX/PalL6iyvu3g="; # nevsky
+        endpoint = "188.225.81.75:51820";
+        persistentKeepalive = 25;
+        allowedIPs = [ "::/0" ];
+      }];
+
+      allowedIPsAsRoutes = false; # used as default v6 gateway below
+    };
+
+    defaultGateway6.address = "2a03:6f00:2:514b:5bc7:95ef::1";
+    defaultGateway6.interface = "wg-nevsky";
+
     nameservers = [
       "8.8.8.8"
       "8.8.4.4"
diff --git a/ops/machines/nevsky/default.nix b/ops/machines/nevsky/default.nix
index 2f3a0f7ae..fd656c058 100644
--- a/ops/machines/nevsky/default.nix
+++ b/ops/machines/nevsky/default.nix
@@ -7,6 +7,7 @@ in {
 
   imports = [
     (mod "tvl-users.nix")
+    (depot.third_party.agenix.src + "/modules/age.nix")
   ];
 
   hardware.cpu.amd.updateMicrocode = true;
@@ -83,6 +84,10 @@ in
     };
   };
 
+  age.secrets = {
+    wg-privkey.file = depot.ops.secrets."wg-nevsky.age";
+  };
+
   networking = {
     hostName = "nevsky";
     domain = "tvl.fyi";
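Review bot: The `wireguard.interfaces.wg-nevsky` block and the `defaultGateway6` lines below it lack a comment explaining why bugry's only IPv6 is tunnelled; with the `enp6s0` fix just above now declaring that address as v4, the host appears to have no native v6 at all, and a reader of this file alone cannot tell that the /96 is lent by nevsky and NATed on nevsky's side. Something like `# bugry has no native IPv6: nevsky lends it an address from 2a03:6f00:2:514b:5bc7:95ef::/96 over WireGuard and is its v6 default gateway (see ops/machines/nevsky)` above the block would cover it. Two consequences deserve a line each: with `allowedIPs = [ "::/0" ]` every v6 packet bugry sends goes via nevsky, so v6 is down whenever the tunnel is, and the hard-coded `endpoint = "188.225.81.75:51820"` has to be kept in sync with nevsky's `listenPort` by hand.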
@@ -106,12 +111,34 @@ in
       interface = "enp1s0f0np0";
     };
 
+    wireguard.interfaces.wg-bugry = {
+      ips = [ "2a03:6f00:2:514b:5bc7:95ef::1/96" ];
+      privateKeyFile = "/run/agenix/wg-privkey";
+      listenPort = 51820;
+
+      postSetup = ''
+        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE
+      '';
+
+      postShutdown = ''
+        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s '2a03:6f00:2:514b:5bc7:95ef::1/96' -o enp1s0f0np0 -j MASQUERADE
+      '';
+
+      peers = [{
+        publicKey = "+vFeWLH99aaypitw7x1J8IypoTrva28LItb1v2VjOAg="; # bugry
+        allowedIPs = [ "2a03:6f00:2:514b:5bc7:95ef::/96" ];
+      }];
+
+      allowedIPsAsRoutes = true;
+    };
+
     nameservers = [
       "8.8.8.8"
       "8.8.4.4"
     ];
 
     firewall.allowedTCPPorts = [ 22 80 443 ];
+    firewall.allowedUDPPorts = [ 51820 ];
   };
 
   # Generate an immutable /etc/resolv.conf from the nameserver settings
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index b9824534d..a8b3675ed 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -30,10 +30,13 @@ let
   nevsky = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQe7M+G8Id3ZD7j+I07TCUV1o12q1vpsOXHRlcPSEfa";
   bugry = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqG6sITyJ/UsQ/RtYqmmMvTT4r4sppadoQIz5SvA+5J";
 
+  admins = tazjin ++ aspen ++ sterni;
   terraform.publicKeys = tazjin ++ aspen ++ sterni ++ flokli;
-  whitbyDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ whitby ];
-  allDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ sanduny whitby ];
-  sandunyDefault.publicKeys = tazjin ++ aspen ++ sterni ++ [ sanduny ];
+  whitbyDefault.publicKeys = admins ++ [ whitby ];
+  allDefault.publicKeys = admins ++ [ sanduny whitby ];
+  sandunyDefault.publicKeys = admins ++ [ sanduny ];
+  bugryDefault.publicKeys = admins ++ [ bugry ];
+  nevskyDefault.publicKeys = admins ++ [ nevsky ];
 
 in {
   "besadii.age" = whitbyDefault;
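Review bot: The `postSetup`/`postShutdown` hooks add and remove the ip6tables MASQUERADE rule by hand, but nothing in this hunk enables IPv6 forwarding, so unless it is switched on elsewhere in the file, packets from bugry are dropped before they ever reach POSTROUTING and the rule is dead weight. The NixOS NAT module covers both in one place and keeps the rule inside the firewall's managed lifecycle: `networking.nat = { enable = true; enableIPv6 = true; externalInterface = "enp1s0f0np0"; internalIPv6s = [ "2a03:6f00:2:514b:5bc7:95ef::/96" ]; };` would replace the two hooks. Separately, `allowedIPs = [ "2a03:6f00:2:514b:5bc7:95ef::/96" ]` for the bugry peer includes nevsky's own `::1`, so narrowing it to the addresses bugry actually uses (currently `2a03:6f00:2:514b:5bc7:95ef:0:2/128`) is the tighter cryptokey-routing entry; the `-s '…::1/96'` spelling in the two hooks also differs from the `::/96` used in `allowedIPs` and is easier to read as the network address.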
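Review bot: `terraform.publicKeys = tazjin ++ aspen ++ sterni ++ flokli;` is the one list the new `admins` binding does not replace, so the refactor leaves two spellings of the admin set; `terraform.publicKeys = admins ++ flokli;` keeps them in step when an admin is added or removed. The two new entries `bugryDefault` and `nevskyDefault` follow the existing per-host pattern of admins plus that host's own key, which is the right recipient set for a WireGuard private key.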
@@ -60,4 +63,6 @@ in "tf-glesys.age" = terraform; "tf-keycloak.age" = terraform; "tvl-alerts-bot-telegram-token.age" = whitbyDefault; + "wg-bugry.age" = bugryDefault; + "wg-nevsky.age" = nevskyDefault; } diff --git a/ops/secrets/wg-bugry.age b/ops/secrets/wg-bugry.age new file mode 100644 index 000000000..c2b0a68e6 Binary files /dev/null and b/ops/secrets/wg-bugry.age differ diff --git a/ops/secrets/wg-nevsky.age b/ops/secrets/wg-nevsky.age new file mode 100644 index 000000000..a5011004e --- /dev/null +++ b/ops/secrets/wg-nevsky.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 dcsaLw fAd2MnJBU3OG7KpHvd6rhRVQuMl5pGUOlx6zQ1HVpTU +hwoKpHUvpHp/gLFhtwTOyJLBeUyryrZAf8TzDsaoMUg +-> ssh-ed25519 zcCuhA B2ZIcHgTjg69iprbGkKPyGGExK+kP1l6MMYX4czpOVM +xomAnf6WhEM78GWvtAtCS/yw4UfeCT3Ph3evbLp0yQk +-> ssh-ed25519 1SxhRA uJNHTJFigivTGSKNzd4oqEhEIFF/aWwWQzovxwiVSHo +VAzriez/W6hZKicze7rOYs7YL8vxPxVoWzMe9yawyqA +-> ssh-ed25519 ch/9tw nBm9P9qvUkZSYI+CKN0kjXzSuD6sg+uMvTux9yTD7V0 +Kt+R1s9tEPk+e5ZeskmZtBzEvm25B33KCQwmjnfuVNM +-> ssh-ed25519 CpJBgQ 6g8GbJ/zZkAb1pBpqA5Jm929aIAJlepe1sPNqhAuAWM +gYCkgAQw2nF0wcPMZruvhBqkC4a2BxYK8kWo+R9ll44 +-> ssh-ed25519 aXKGcg rfGH2EO9/soo/duaZlt4hBic4KxMDR+tw8JJ1Un+u1U +FzyiK9NT7NUM+oQph/EB26PfuLsLQVYsKwqeBHGaRI8 +-> ssh-ed25519 xR+E/Q 3w7vMdS+Iragj8garW5/F0ZL28orsyewbvp4i8szNl4 +zuEEaHd2rTfMYuLvQ19TuHOX5UMmSZABD3grJjEnsG8 +--- +e2kcaRvPwsUH/XG+ChROPjyZHLv4mfpSBmmJCr/4UM +>S1 :Ԍu5ܘNj@t) OQ7n^ Y,FMͤ6^>eǔ+~]9.Z \ No newline at end of file