From 1e5e3256e175b66b6a936bef33d19cfb0c478d66 Mon Sep 17 00:00:00 2001
From: min
Date: Fri, 30 May 2025 20:37:54 -0400
Subject: [PATCH] Add new peers

---
 nixos/hosts/silver/services/wireguard.nix | 16 +++++++++++++++-
 secrets/silver/default.yaml | 6 ++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/nixos/hosts/silver/services/wireguard.nix b/nixos/hosts/silver/services/wireguard.nix
index 4fb8a84..e8a5706 100644
--- a/nixos/hosts/silver/services/wireguard.nix
+++ b/nixos/hosts/silver/services/wireguard.nix
@@ -9,8 +9,10 @@ in {
 sops.secrets."svc-wireguard-key" = {};
 sops.secrets."svc-wireguard-psk-0-2" = {};
 sops.secrets."svc-wireguard-psk-1-1" = {};
+ sops.secrets."svc-wireguard-psk-1-2" = {};
 sops.secrets."svc-wireguard-psk-2-1" = {};
 sops.secrets."svc-wireguard-psk-3-1" = {};
+ sops.secrets."svc-wireguard-psk-4-1" = {};
 boot.kernel.sysctl."net.ipv4.ip_forward" = true;
@@ -31,12 +33,14 @@ in {
 postSetup = ''
 ${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
 ${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -A FORWARD -i ${interface} -o ${interface} -d 10.193.4.1 -p tcp -m multiport --dports 49022 -j ACCEPT
 ${iptables} -A FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ${iptables} -A FORWARD -i ${interface} -o ${interface} -j DROP
 '';
 preShutdown = ''
 ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
- ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p tcp -m multiport --dports 139,445 -j ACCEPT
+ ${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.4.1 -p tcp -m multiport --dports 49022 -j ACCEPT
 ${iptables} -D FORWARD -i ${interface} -o ${interface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ${iptables} -D FORWARD -i ${interface} -o ${interface} -j DROP
 '';
@@ -52,6 +56,11 @@ in {
 allowedIPs = ["10.193.1.1/32"];
 presharedKeyFile = config.sops.secrets."svc-wireguard-psk-1-1".path;
 }
+ {
+ publicKey = "acLrMesy/gPvmUQKSJY42X9+WlMW9nwc8dYcreivtDo=";
+ allowedIPs = ["10.193.1.2/32"];
+ presharedKeyFile = config.sops.secrets."svc-wireguard-psk-1-2".path;
+ }
 {
 publicKey = "E+cApvpWOfwehlwDxA8paR/fWZq8iozSofTSRA7dBx0=";
 allowedIPs = ["10.193.2.1/32"];
@@ -62,6 +71,11 @@ in {
 allowedIPs = ["10.193.3.1/32"];
 presharedKeyFile = config.sops.secrets."svc-wireguard-psk-3-1".path;
 }
+ {
+ publicKey = "mMLd7efRu2BCdv+X+jzRtz1U1EnCU5hzGb7G0x3N7jY=";
+ allowedIPs = ["10.193.4.1/32"];
+ presharedKeyFile = config.sops.secrets."svc-wireguard-psk-4-1".path;
+ }
 ];
 };
 };
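Review bot: The preShutdown block now deletes the TCP 139,445 rule to 10.193.0.2 twice and never deletes the matching UDP 139,445 rule, because the removed `-p udp` line was replaced by a copy of the `-p tcp` line instead of being kept; the `-A ... -p udp` rule in postSetup is unchanged. The stale UDP ACCEPT rule would therefore survive each interface shutdown and a duplicate would likely be appended on every restart, while the second `-D` is expected to fail since that rule is already gone. Restore the line as `${iptables} -D FORWARD -i ${interface} -o ${interface} -d 10.193.0.2 -p udp -m multiport --dports 139,445 -j ACCEPT` ahead of the new 49022 deletion so that postSetup and preShutdown remain exact mirrors. Because the two lists are maintained by hand in lockstep, deriving both from a single list of rule bodies prefixed with `-A` and `-D` would make this kind of drift impossible. The enclosing interface attribute set starts before this hunk and the peer hunks below it belong to the same set.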
diff --git a/secrets/silver/default.yaml b/secrets/silver/default.yaml
index dc50062..6ceb04b 100644
--- a/secrets/silver/default.yaml
+++ b/secrets/silver/default.yaml
@@ -11,8 +11,10 @@ svc-nebula-key: ENC[AES256_GCM,data:utJO5t4mq4tmAkAv9A2tcClM3nxLxMSWiz/bUoq8Pkbn
 svc-wireguard-key: ENC[AES256_GCM,data:dmxJ07UnQAtet4RtlVXEMFLVKxOU44XQcUW7h7UPbLG9chiQeXGkZkkTihs=,iv:bEA9+DYDBLo1dgrCSrIpa1ig9JJEtXeJF5ZmtdsAO3s=,tag:tyLB5Dd9uolalSzddC608A==,type:str]
 svc-wireguard-psk-0-2: ENC[AES256_GCM,data:0sTGYa3HUe70hYJZnPy9w0iG37aRDTplmdvGdc5C8KN8Dg5XbVc2CmVS1r4=,iv:9Dnr3BYhzKKOZ7S565HY4CkhgPv1JEd3Zk7662/cd9s=,tag:Dd0BLrIjfX0F2lBan59jUg==,type:str]
 svc-wireguard-psk-1-1: ENC[AES256_GCM,data:YbxjRleUWTr1+rZyzZ+5vB9Po/V0T1mYhH+H8igjascGV/Oo4lPn1xoYqLg=,iv:+fcWdpRqR7GU5UXug+6GCX9Be5DoE944T5PIm0csgEU=,tag:3mGEL3KYjfSJ9uM+i6Wirg==,type:str]
+svc-wireguard-psk-1-2: ENC[AES256_GCM,data:K7tml5C3DEFkyJCf/U/CqNIcYIm4xDTmUQJTNw1AOgnxjWQhcfXDAU9xfME=,iv:h3xL81wHb4itBKo4+wUPbxxlzZNpbM7yfjIryBc+nfg=,tag:+5aXxvMi8j9fH9ZcrUVAUQ==,type:str]
 svc-wireguard-psk-2-1: ENC[AES256_GCM,data:+80iLdsHE0rtM1rVb4xUfzOwpMSOqgxtuKWg4d7Kj7kDuvrCrHPX83NruNo=,iv:HDfGq2o41qTyUU3PwfUvJJcb88JIcbW3yrfqRY8lBxY=,tag:+jWwRf5vqSriCOKdOu3Qag==,type:str]
 svc-wireguard-psk-3-1: ENC[AES256_GCM,data:USX+fQeT+f+ZU8R7pgIXYPBd4f+8BGrFpuJwxCLprkhhxEY2U8kz85zg8Tw=,iv:QxzQyJEIqoT7szXBgE6M2qd0MeO8Y2e4wLRY9PH0x9M=,tag:kWLwR18SVfj52xkN4tJM7g==,type:str]
+svc-wireguard-psk-4-1: ENC[AES256_GCM,data:gQmzz0CP3b6aLLe1ucGTHmSpTP9RHDAhpnqkQci8RLdm2gQNIxfU5ASmSW8=,iv:Klq6y+81EqjQXZNDpnmPKhq8+gCtWklq09bzlKwm9Ys=,tag:H0GoCLLcVMC8FtzFx9HyPA==,type:str]
 sops:
 age:
 - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
@@ -43,7 +45,7 @@ sops:
 NVREcHJGWWIvY0Z1OGt4cGN6am1RaXMKAnlb8FOJ1wO5qtcmej57s7rhWjv5wqIn
 nCUJX0R7s0/KH3aj98bX/4hQg2ZAw1l+xViOOIfwfRnzLWeyaAnk5A==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-27T20:27:04Z"
- mac: ENC[AES256_GCM,data:fUiMamMjX8LeSlBfAFMNfKct47gWeSdUOKhLHiIfQ+9WqjoypELkJUrgvfS6KzBFf/Hs5vb9hfHP3CNhrFspQvUJ2GbcK1OoaFQG5nN98k9LWmU3EY46YKQkIpHX0408B5EAubtVka7S2Tc3LxYiJqDn8nqKNkNZiaeuk5n4scY=,iv:/Od64mA8S3I1d665Uxs8mxjKqThdm/IaBWZPTtV2lUQ=,tag:ko7tTXbc58vVsfVcYGIp1g==,type:str]
+ lastmodified: "2025-05-31T00:25:25Z"
+ mac: ENC[AES256_GCM,data:dpaVHzh3xF1A3UgjbtYEmKVk4VQSX5r2e+IMVPruJLgMTmGMByMsWwY+n46XcGUJWem4W60upcU/NL9WCFKwoSBk9lPsbm/w34G0xquAfI9m0m9CoddRRuZfhI4Q/J0jcVAH2JebryVrQXJNUuB2tQ9MkIjXjYIONiMF831O2D0=,iv:ex3+hDvkbW+tWjZqhaOf+WXEvhJTzuGxXffFxUahiiM=,tag:h72Zq8H6gOC6Cl4jJoyBrw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2