
commit daf5bac8e9a312e2103baa5975cc80777cb3b062
parent 9c5a55ad3a20cd603b3a2c5f994dabb6db6fbb3a
Author: Leah (ctucx) <git@ctu.cx>
Date: Fri, 12 May 2023 16:03:14 +0200

machines/lollo/configuration (wireguard) -> machines/briefkasten/configuration
5 files changed, 35 insertions(+), 37 deletions(-)
diff --git a/machines/briefkasten/configuration.nix b/machines/briefkasten/configuration.nix
@@ -39,6 +39,8 @@
   age.secrets = {
     restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
     restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;
+
+    wireguard-privkey.file         = ./. + "/../../secrets/${config.networking.hostName}/wireguard-privkey.age";
   };
 
   boot = {
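Review bot: The new `wireguard-privkey.file` line builds its path by string concatenation on `config.networking.hostName`, while the two sibling secrets directly above it use plain relative path literals, so the three entries no longer read alike and the secret chosen would silently follow any future hostname change rather than the file this commit actually adds. Since `secrets/secrets.nix` registers this key for exactly one host, the literal form `wireguard-privkey.file = ../../secrets/briefkasten/wireguard-privkey.age;` matches its neighbours and makes the host-to-secret binding explicit. The `age.secrets` set closes inside the hunk; the `boot` set on the last context line continues outside it.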

@@ -123,10 +125,32 @@
       }];
     };
 
+    wireguard = {
+      enable = true;
+
+      interfaces.wg-wanderduene = {
+        listenPort             = 51820;
+        privateKeyFile         = config.age.secrets.wireguard-privkey.path;
+        generatePrivateKeyFile = true;
+        postSetup              = "ip link set dev wg-wanderduene mtu 1500";
+        ips                    = [ "172.17.0.2/24" ];
+
+        peers = [
+          {
+            persistentKeepalive = 10;
+            endpoint            = "46.38.253.139:51821";
+            allowedIPs          = [ "172.17.0.0/24" ];
+            publicKey           = "hOUeP8RFchzJXyy8DceTFKN9f1VHi9GzZQii0dX2zww=";
+          }
+        ];
+      };
+    };
+
     firewall.enable = true;
     firewall.allowedTCPPorts = [ 5201 ];
     firewall.allowedUDPPorts = [ 5201 51820 ];
     firewall.extraCommands = ''
+      iptables  -A nixos-fw -i wg-wanderduene             -j nixos-fw-accept
       iptables  -A nixos-fw -p tcp -s 10.0.0.0/8          -j nixos-fw-accept
       iptables  -A nixos-fw -p udp -s 10.0.0.0/8          -j nixos-fw-accept
       iptables  -A nixos-fw -p tcp -s 195.39.246.32/28    -j nixos-fw-accept
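Review bot: `generatePrivateKeyFile = true` on the new `wg-wanderduene` interface is combined with `privateKeyFile` pointing at the agenix-managed path, so if the decrypted secret is ever absent at activation (a failed decryption, a recipient missing from `secrets.nix`) the option, as far as its name suggests, would create a fresh unmanaged key and bring the tunnel up with a public key the peer does not know, turning a loud failure into a silent mismatch. Dropping that line, or setting `generatePrivateKeyFile = false;`, keeps the key strictly under agenix, which is also what the `peers` entry below relies on. Separately, because a new private key is introduced for briefkasten, the peer at `46.38.253.139:51821` has to be told the corresponding new public key; none of the five files in this commit does that, so presumably it happens out of band and is worth a sentence in the commit message. The enclosing attribute set (presumably `networking`) begins before the hunk and ends after it.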
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix
@@ -28,8 +28,6 @@
   age.secrets.restic-server-lollo.file       = ../../secrets/restic-server/lollo.age;
   age.secrets.restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;
 
-  age.secrets.wireguard-privkey.file      = ../../secrets/lollo/wireguard-privkey.age;
-
   boot = {
     loader = {
       systemd-boot.enable = true;

@@ -107,33 +105,10 @@
       }];
     };
 
-    wireguard = {
-      enable = true;
-
-      interfaces.wg-wanderduene = {
-        listenPort             = 51820;
-        privateKeyFile         = config.age.secrets.wireguard-privkey.path;
-        generatePrivateKeyFile = true;
-        postSetup              = "ip link set dev wg-wanderduene mtu 1500";
-        ips                    = [ "172.17.0.2/24" ];
-
-        peers = [
-          {
-            persistentKeepalive = 10;
-            endpoint            = "46.38.253.139:51821";
-            allowedIPs          = [ "172.17.0.0/24" ];
-            publicKey           = "hOUeP8RFchzJXyy8DceTFKN9f1VHi9GzZQii0dX2zww=";
-          }
-        ];
-      };
-
-    };
-
     firewall.enable = true;
     firewall.allowedTCPPorts = [ 5201 ];
     firewall.allowedUDPPorts = [ 5201 51820 ];
     firewall.extraCommands = ''
-      iptables  -A nixos-fw -i wg-wanderduene -j nixos-fw-accept
       iptables  -A nixos-fw -p tcp -s 10.0.0.0/8 -j nixos-fw-accept
       iptables  -A nixos-fw -p udp -s 10.0.0.0/8 -j nixos-fw-accept
       iptables  -A nixos-fw -p tcp -s 195.39.246.32/28 -j nixos-fw-accept
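Review bot: After the WireGuard interface is removed from lollo, the context line `firewall.allowedUDPPorts = [ 5201 51820 ];` still opens the former listen port on this host, so unless something else on lollo uses 51820 the machine keeps exposing a UDP port with nothing behind it, and any later service that binds it becomes reachable without anyone having chosen to expose it. Suggest trimming it to `firewall.allowedUDPPorts = [ 5201 ];` in the same commit, since that is where the port's only known user goes away. The surrounding attribute set starts and ends outside the hunk.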
diff --git a/secrets/briefkasten/wireguard-privkey.age b/secrets/briefkasten/wireguard-privkey.age
@@ -0,0 +1,10 @@
+-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/lollo/wireguard-privkey.age b/secrets/lollo/wireguard-privkey.age
@@ -1,11 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXZUdld1NURGV6RFdxSDha
-WlRrVER6cmtabWd3OTUzVjVHWWJpNGRONlRNCk1YSldrUURCN1JHcFIxeFBJQXVi
-Qk5GWk85VVhhWWp5c2xER3VVR0VDaDAKLT4gc3NoLWVkMjU1MTkgMXJjY0t3IGxZ
-VE1aZWVDejI1MjNwVHFLOUNRekQwWHB3WVRvWGJMd0JPdloxWkNUakUKMktLaUxI
-TmJwZTlsOFhUSjl5L0lFWlFVOUNHTklaYXRSNDRUVzhrc0piZwotPiBILWdyZWFz
-ZSAhOU1xIF0kdChWe1wKend0NEF5RGE4ZUx0NVlPQWovWTduNXU1R0lIcmlwTm9Z
-STFyL1R1TFNvY04KLS0tIGc4NU55V3QwdDVwdlZjcWt3YnlPQitQVkc4cTJGLy9B
-MGJUWlR6Z2xKVDgKZuDPz2kkNI2G6jJn+q01lfd82ajqzjnw+M4bCrFLsk8iIhfB
-u/4FMAw0xRXz5i+xRLUpv69x58HjCiGWNwn4futI1uqYvl5cH7/FRv8=
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -25,7 +25,6 @@ in {
   "blechkasten/syncthing/cert.age".publicKeys                 = [ leah blechkasten ];
 
 
-  "lollo/wireguard-privkey.age".publicKeys                    = [ leah lollo ];
   "briefkasten/syncthing/key.age".publicKeys                  = [ leah briefkasten ];
   "briefkasten/syncthing/cert.age".publicKeys                 = [ leah briefkasten ];
 

@@ -47,6 +46,7 @@ in {
   "briefkasten/solar-nrw/solax2mqtt.age".publicKeys           = [ leah briefkasten ];
 
   "lollo/restic-server-htpasswd.age".publicKeys               = [ leah lollo ];
+  "briefkasten/wireguard-privkey.age".publicKeys              = [ leah briefkasten ];
 
   "lollo/restic/vnstat.age".publicKeys                        = [ leah lollo ];
   "lollo/restic/oeffisearch.age".publicKeys                   = [ leah lollo ];
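Review bot: The new `"briefkasten/wireguard-privkey.age"` entry is inserted between the `lollo/...` rows rather than alongside the other `briefkasten/...` entries (the `briefkasten/solar-nrw/solax2mqtt.age` line a few rows above, or the syncthing pair in the earlier hunk), which breaks the per-host grouping the file otherwise follows and makes it harder to audit at a glance which recipients can decrypt a given host's secrets. Moving that single line up next to `"briefkasten/solar-nrw/solax2mqtt.age".publicKeys` restores the grouping; the recipient list `[ leah briefkasten ]` itself is consistent with the other briefkasten secrets.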