nixy/wireguard: add pubkey

magpie/wg_pubkey

@@ -0,0 +1 @@
+xhjJdIXtTBNhtSoehsi6p+znIgOfMRetl5/wtnMxJGk=

nixy/configuration.nix

@@ -22,6 +22,10 @@
     group = config.users.users.nobody.group;
   };
 
+  sops.secrets."wg_privkey" = {
+    sopsFile = ./secrets/wg_privkey.yaml;
+  };
+
   nix = {
     optimise.automatic = true;
     gc.automatic = true;
@@ -76,7 +80,7 @@
   networking = {
     firewall = {
       enable = true;
-      allowedTCPPorts = [80 443];
+      allowedTCPPorts = [80 443 51820];
     };
 
     hostName = "nixy";
@@ -108,6 +112,22 @@
         };
       };
     };
+
+    wireguard.interfaces = {
+      wg0 = {
+        ips = ["10.100.0.6/24"];
+        listenPort = 51820;
+        privateKeyFile = config.sops.secrets."wg_privkey".path;
+        peers = [
+          {
+            publicKey = builtins.readFile ../magpie/wg_pubkey;
+            allowedIPs = ["10.100.0.1"];
+            endpoint = "5.75.229.224:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
   };
 
   time.timeZone = "Europe/Sarajevo";
@@ -191,15 +211,15 @@
     udev = {
       packages = [pkgs.rtl-sdr pkgs.openhantek6022 pkgs.openocd];
       extraRules = ''
-	#Xilinx FTDI
+        #Xilinx FTDI
-	ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"
+        ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"
 
-	#Xilinx Digilent
+        #Xilinx Digilent
-	ATTR{idVendor}=="1443", MODE:="666"
+        ATTR{idVendor}=="1443", MODE:="666"
-	ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"
+        ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"
 
-	#Arduino UNO r4
+        #Arduino UNO r4
-	SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"
+        SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"
       '';
     };
 

nixy/secrets/wg_privkey.yaml

@@ -0,0 +1,30 @@
+wg_privkey: ENC[AES256_GCM,data:HcOkr+leeB6QmEx77KHWgFlp2m2qr4TvakoHyy0SaPpML2o/51IDYjcu2H4=,iv:8nHJIqz3+LmL4rM7idXbvbQKdhkDqmoY/TAvAf/Zfvw=,tag:VSHRKjVgottVC0uPsC0JgA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age153y8mz6gqy5t54q4fnrdvjj4v5ls9cgp3hhpd2hzf5tvkcnncf6q4xns0j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaTRxUDZJREhyYjQraUsw
+            T1p2UlpkSjBnbjZTWUJDM2lHUVN5Z1ZQQWdvCnFmV1RRazBpTHhrTHpQelpjcnlq
+            NnJ0dUNwZTB0V0hOdTJJamY3azBUbXcKLS0tIGpZUG5KUFhPbW1LWWQ1RUd2OFVq
+            WlBMd0tGcnBHSFk4SHhkVkZPZXJPY28Keh/k5yQ/iJgy9S9rf2DhCr3M2ozgMBRp
+            NJrCKJuiDugeK8q29x6a+4pyg2zSwlA6Q2lxGDca3m3TX45QImLt3g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1geqqmsnng2e9sja6uxxmtlwlm4c6e5v6ch3l3yjenstq6tjq4fusr0305s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEelBJaCtJVnVZcHQ4V1Nz
+            ZDV4T21VZGNjanpRbERxOWx1RXNZZ2hwTFdrCmg4MHdWTnVTd0hiL2F2VXRxUk5P
+            eHRrRTduZjZ6T3dCcW0yMENKMHg5TVkKLS0tIDVSMFJqQU1uTEpzTElIN3RZNi95
+            S2Y2dFROYkJCOTVlS00rZWZDeWlGV2sKWKV7lMoLQbDBTql5+xWW+uOKxS6FG7jT
+            BtAMbL2YfTCEcV7nimzco649UUtoY9oOk2635uoToIxBI1mr9UVlNw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-04T19:26:58Z"
+    mac: ENC[AES256_GCM,data:ZA1Rc1sMvIwEQBZ6d+u4RZ00KzLxjMW/Tzr3ZlHMduuJmvDXjPjobpALwbJoEraa3yBwwJyf0b0Grwhlz1kvoWYjos3rTk8noy4UiEjav5Dxf8aZP5j6YL5HSzHgwWvRkzYvIAaaVGVpUM7Wl2llDSCeQluIw0R3kUXEiRW10RU=,iv:/fq3S0kmo9IZNvnP2o4kT2beaRgEMtJIMlQNCqSotd0=,tag:eMOrWijXQsc8agWGJmyLjw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

nixy/wg_pubkey

@@ -0,0 +1 @@
+oHVmhw80daHjDjo7nwt/Y9eKBaH5FoTiVeukwDObijM=