diff --git a/.sops.yaml b/.sops.yaml index 66644ad..07b1f6b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,8 @@ keys: - &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra - &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr - &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5 + - &v6proxy age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6 + - &proxy age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4 creation_rules: @@ -15,3 +17,13 @@ creation_rules: - age: - *auth - *goeranh + - path_regex: hosts/v6proxy/secrets.sops.yml$ + key_groups: + - age: + - *v6proxy + - *goeranh + - path_regex: hosts/proxy/secrets.sops.yml$ + key_groups: + - age: + - *proxy + - *goeranh diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix index c4bf5f3..61b9766 100644 --- a/hosts/mail/default.nix +++ b/hosts/mail/default.nix @@ -29,6 +29,7 @@ in defaultSopsFile = ./secrets.sops.yml; secrets = { "ldap_passwd".owner = "dovecot2"; + "wireguard-key".owner = "systemd-network"; }; }; imports = [ @@ -59,6 +60,28 @@ in address = "141.56.51.254"; interface = "eth0"; }; + wireguard = { + enable = true; + interfaces = { + sturauplink = { + privateKeyFile = config.sops.secrets."wireguard-key".path; + ips = [ + "10.100.0.20/24" + "fd28:6691:1921:6299::20/64" + ]; + peers = [ + # mail.test.htw.stura-dresden.de + { + endpoint = "hetzner.test.htw.stura-dresden.de:51820"; + allowedIPs = [ + "10.100.0.1/24" + ]; + publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0="; + } + ]; + }; + }; + }; }; services.nginx.virtualHosts = { diff --git a/hosts/mail/secrets.sops.yml b/hosts/mail/secrets.sops.yml index b9d0b6a..a90cdf0 100644 --- a/hosts/mail/secrets.sops.yml +++ b/hosts/mail/secrets.sops.yml 
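Review bot: `"wireguard-key".owner = "systemd-network"` hands the private key to a user that, as far as this diff shows, never reads it: the interface is set up through `networking.wireguard`, whose per-interface service runs `wg` as root, so the sops-nix default (root, mode 0400) is the tighter choice. Unless systemd-networkd is meant to own `sturauplink` (no `systemd.network` netdev is visible here), I'd change the line to `"wireguard-key" = { };`. The enclosing `sops` attribute set starts outside the hunk.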
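Review bot: The peer comment `# mail.test.htw.stura-dresden.de` is this host's own name, but the entry describes the hub: its endpoint is `hetzner.test.htw.stura-dresden.de:51820` and its key `Tg/SN…` is neither of the spoke keys the hub lists, so the label is presumably wrong and should name the hub. In the same block, `allowedIPs = [ "10.100.0.1/24" ]` carries host bits (wg normalises it to `10.100.0.0/24`; write that), and there is no `fd28:6691:1921:6299::/64` entry, so the `::20/64` address assigned just above is never routed over the tunnel. Because the hub configures no endpoint for mail and no `persistentKeepalive` is set here, the hub can only reach mail after mail has sent a packet, and loses that endpoint again on restart; if the hub must initiate, add `persistentKeepalive = 30;` as the proxy host does. The enclosing `networking` block starts outside the hunk.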
@@ -1,4 +1,5 @@ ldap_passwd: ENC[AES256_GCM,data:adUZCZcYfoxBQm3e4YeeXcQJSZjB3+v2zSNy7q0Ao39aDQMH5H0w4o9MXTREkPHW53JejC2ivo8Zl3yUhkeYRw==,iv:XB25CmtUGf+PeSsHtr+CA/HIfZq1IrOBPPQD3/r6Kc4=,tag:A/WGViM/Ix7n6mhjnbCtZg==,type:str] +wireguard-key: ENC[AES256_GCM,data:5EWg5yF1CDKIusFwONVSzxSMM0cfOzyUYcWQ0f8xTHZ7bViAw8HbjJpRI4o=,iv:UNTv+994Q5VscsjgWS4ppkHX0gPy7vc/qmRCYKvR8CE=,tag:i8ydlyJSfIUj81j78EX5Fg==,type:str] sops: age: - recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr @@ -19,7 +20,7 @@ sops: bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5 SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-21T17:05:32Z" - mac: ENC[AES256_GCM,data:A2tbQ8obTjzKeISAbDy0Sqi+WvpqZwkKSW2PmV67V2u/svNfC7C/ebNHp6p0I9N97y026WzboXnRwon7M1jaJ8dPn2hqGReZIIHW5w5rBK0uAeEH5wCMnNGslox4D7+L27zc4VZMK4tjFP6F7EKkq7TIjf+HzEYW+kpbqM2erVo=,iv:EKa3JBlDiU/FcF2T/hQtmaFlYiAbFIlytR3fSfJjVBc=,tag:B4N/4XxhdtNYKTRT1O+UyA==,type:str] + lastmodified: "2026-03-21T18:05:57Z" + mac: ENC[AES256_GCM,data:NJM8uwSGIrjy4t+3AwNxp2e569ArH/cnRDipsHnTTQYV5NJLOTtwoFnTqVHBSREc2Sh38gXKye1ncwS3IG5CMsF1nsLOL/+Y9mUqQkLeWeld6Kal8c99yIr2oz8Hk4JTJt4j2C8/aNFhqu62VF7F6JNElWq2F3J5TPKPHRbE9yY=,iv:mj18t2s9hqNV4ore9T4R4jOgUGPuXGqwW91M9Uoh6aQ=,tag:v6T7LXjLQGoc9leFI5zY0g==,type:str] unencrypted_suffix: _unencrypted version: 3.12.1 diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 3a727f3..37d7951 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -6,6 +6,12 @@ ... }: { + sops = { + defaultSopsFile = ./secrets.sops.yml; + secrets = { + "wireguard-key".owner = "systemd-network"; + }; + }; imports = [ ./hardware-configuration.nix ./hetzner-disk.nix @@ -13,6 +19,7 @@ networking = { hostName = "proxy"; + nameservers = [ "141.56.51.1" ]; interfaces.ens18.ipv4.addresses = [ { address = "141.56.51.1"; 
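Review bot: `nameservers = [ "141.56.51.1" ]` points the host at its own address, and the WireGuard endpoint added later in this file (`hetzner.test.htw.stura-dresden.de`) is a name in the zone this host serves, so `wireguard-sturauplink` can only come up once the local DNS server is answering; nothing visible orders the two, and if the resolver is not up yet the interface start fails on boot. A literal hub address in the endpoint, or a second resolver in `nameservers`, removes that dependency. The `"wireguard-key".owner = "systemd-network"` line also gives the key to a user nothing visible runs as — `networking.wireguard` runs `wg` as root — so `"wireguard-key" = { };` (root, 0400) is tighter. The enclosing `networking` block continues past the hunk.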
@@ -37,6 +44,30 @@ nftables = { enable = true; }; + wireguard = { + enable = true; + interfaces = { + sturauplink = { + privateKeyFile = config.sops.secrets."wireguard-key".path; + ips = [ + "10.100.0.2/24" + "fd28:6691:1921:6299::2/64" + ]; + listenPort = 51820; + peers = [ + # mail.test.htw.stura-dresden.de + { + endpoint = "hetzner.test.htw.stura-dresden.de:51820"; + allowedIPs = [ + "10.100.0.0/24" + ]; + persistentKeepalive = 30; + publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0="; + } + ]; + }; + }; + }; }; # wenn instanzen in die flake migriert sind könnte man das autogenerierien @@ -255,6 +286,7 @@ proxy IN AAAA 2a01:4f8:1c19:96f8::1 ; Auto-generated CNAME records for all subdomains pointing to proxy + hetzner.test IN A 178.104.18.93 ${lib.foldlAttrs ( prev: name: value: let diff --git a/hosts/proxy/secrets.sops.yml b/hosts/proxy/secrets.sops.yml new file mode 100644 index 0000000..207a35b --- /dev/null +++ b/hosts/proxy/secrets.sops.yml 
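Review bot: The peer comment `# mail.test.htw.stura-dresden.de` mislabels the hub: the endpoint is `hetzner.test…:51820` and the key `Tg/SN…` matches neither spoke key the hub lists, so it should read `# hetzner.test.htw.stura-dresden.de (WireGuard hub)`. `listenPort = 51820` is there because the hub dials this host at `141.56.51.1:51820`, but no `networking.firewall.allowedUDPPorts = [ 51820 ];` is visible; with nftables enabled and the port closed, the hub's inbound handshakes are dropped and only this side's `persistentKeepalive` keeps the tunnel up. `allowedIPs` is IPv4-only, so the `fd28:…::2/64` address assigned above gets no route through the tunnel. The enclosing `networking` block starts outside the hunk.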
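Review bot: The hand-written `hetzner.test IN A 178.104.18.93` record sits directly under the comment `; Auto-generated CNAME records for all subdomains pointing to proxy`, so the next reader will take it for generated output and may drop it when the generator changes. Either move it above that comment or label it, e.g. `; manual: WireGuard hub endpoint` on the line before. The zone template this line belongs to starts and ends outside the hunk.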
@@ -0,0 +1,25 @@ +wireguard-key: ENC[AES256_GCM,data:tEKd+iwfyabTj/spqh08Um3FX4grLeffTxCvBivkXrNqIzOymBdcgQL4IJ4=,iv:Z2sr5yzxTKXgBgfcd3LWB9jT2fX3uRpX07r4yMplSNY=,tag:IWgiEjjbHbIUORhwKjTM6g==,type:str] +sops: + age: + - recipient: age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcUhhSlVQcHgvUEtDa0E2 + UU1ON3NiUUlHTXFUOEdNeUdGVWNVTWRRNW0wCmhTVnJONlZSMmt2OVJiMys5bnM2 + TDZPMExYaWlKSVFPVERnS1QvVTJlNXMKLS0tIElTYmxHNTFPSmNXYnkrY2RtRUVL + WHBCYWhtSWt1QW9hbEFwVmdqWUxjUmMKpqfV/bJVfyDI2Wa+jlwsXMx3tNV9G0S2 + VhmmpDnEJn6UDWAMYxNv0g3rtfhBkb2HyCtANNVQ7QROua9WHzJjlg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVUVkdDljcForNEJ2WmNm + N0QvTWhQWXQ1VHh5b0pCZFQ3aGxXSGY2bXprCmpEV2l6bkxnUDByNVZaVVR6N2lE + OG1sYkJrQmFVWW1vWXRZL1A2S29MejQKLS0tIEFKbkRmdWM0QW9vVlJWZElXSUcw + b1pCMjNIN1padE5JNVpZNFYwMnZGd00KM415cr6nuN6zfhDcfXFN2lMDWogLwDSE + Kq/ykUSuN9IU6AhslgBNRCmJRVHIzCmu5dU5NVZeqN1YT/EyAbEcyw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-21T18:56:03Z" + mac: ENC[AES256_GCM,data:v1RkpxjvgLHS3OOA2aEG+uJ3yWpOvJLwFA5jRBRtMoMvrBD8O8sikzWJUczQnpw85F/ieFqK6RdT8SBA9lIuPXYMRRS8icHI2a8P+zwySsWsnzc9UaJjjvKtkYo9nnPNCM36HAFOKHiAzBm7FWMt1Tl+WQMyVCWLXCN7ao0MjIo=,iv:8xCrY7QOhW5Mc/AWWXFocqwTUD9qvH4dLYYtnsU6PHw=,tag:09Nw7qFfjefrv0jBwaFINA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/v6proxy/default.nix b/hosts/v6proxy/default.nix index 6dd17b3..a87195b 100644 --- a/hosts/v6proxy/default.nix +++ b/hosts/v6proxy/default.nix @@ -6,6 +6,12 @@ ... }: { + sops = { + defaultSopsFile = ./secrets.sops.yml; + secrets = { + "wireguard-key".owner = "systemd-network"; + }; + }; imports = [ ./hardware-configuration.nix ./hetzner-disk.nix 
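Review bot: `"wireguard-key".owner = "systemd-network"` widens read access to the private key without a visible consumer: the interface is configured via `networking.wireguard`, whose service runs `wg` as root, so the key never needs to be readable by `systemd-network`. Unless a `systemd.network` netdev for `sturauplink` exists elsewhere, prefer `"wireguard-key" = { };` and keep the sops-nix default of root/0400. The enclosing module attribute set continues past the hunk.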
@@ -48,6 +54,37 @@ nftables = { enable = true; }; + wireguard = { + enable = true; + interfaces = { + sturauplink = { + listenPort = 51820; + privateKeyFile = config.sops.secrets."wireguard-key".path; + ips = [ + "10.100.0.1/24" + "fd28:6691:1921:6299::1/64" + ]; + peers = [ + # mail.test.htw.stura-dresden.de + { + allowedIPs = [ + "10.100.0.20/32" + ]; + publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk="; + } + # proxy.htw.stura-dresden.de + { + allowedIPs = [ + "10.100.0.2/32" + "fd28:6691:1921:6299::2/64" + ]; + endpoint = "141.56.51.1:51820"; + publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U="; + } + ]; + }; + }; + }; }; # wenn instanzen in die flake migriert sind könnte man das autogenerierien @@ -102,6 +139,7 @@ }; environment.systemPackages = with pkgs; [ + wireguard-tools ]; system.stateVersion = "25.11"; diff --git a/hosts/v6proxy/secrets.sops.yml b/hosts/v6proxy/secrets.sops.yml new file mode 100644 index 0000000..46628d1 --- /dev/null +++ b/hosts/v6proxy/secrets.sops.yml 
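Review bot: `allowedIPs = [ "10.100.0.2/32" "fd28:6691:1921:6299::2/64" ]` on the proxy peer is a /64, and AllowedIPs is also the source-address filter of cryptokey routing, so proxy may send packets from any address in that prefix — including the hub's `::1` and mail's `::20` — and the hub accepts them as genuine; narrow it to `"fd28:6691:1921:6299::2/128"`. The mail peer has no IPv6 entry at all, so its `::20` address is unreachable over the tunnel; add `"fd28:6691:1921:6299::20/128"` next to `10.100.0.20/32`. Mail also has no `endpoint` here and, per this diff, no keepalive on its side, so the hub cannot initiate to it until mail has sent a packet and forgets the learned endpoint on restart. `listenPort = 51820` needs a matching `networking.firewall.allowedUDPPorts` entry, which is not visible. The enclosing `networking` block starts outside the hunk.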
@@ -0,0 +1,25 @@ +wireguard-key: ENC[AES256_GCM,data:K3UoCWtF2rL8uCzmu8yn4sHKHOrcKmnNBvRQdC9Ph3fWMdDqNqh0jwSByjQ=,iv:feFxNykRK1RJ6EPPVXqXtEVmXeGez4PwJ9h7m1KYUIE=,tag:hSTf/gAUVSjI1GburqRDVA==,type:str] +sops: + age: + - recipient: age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbVd3OUNCMUI3eUI2QlVa + WFNjVUpXYVlLdUxiSzhQdHhhRWRpWEhzV1IwCkdYMG5DOXBxTnMwNFpYM1FweDNp + ZXd2aXJaNWxOYXRnaW1nSjdNQVpQOU0KLS0tIEY4Q1JqV1FSekVwc0prNjRCUDdm + cmpLdW1abFR5SlhxZnpJdnBlNjJQOGMK+JcLyiSCfhVPnhqpqTzB7flFWTff3GcK + 9779AvKVnhsDb5LDPOi4Ah5gAJfq+JZ/+IiTUqk0a4AWuN9PiyTMGA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnVRVi91OWsxejJiS0Y0 + L2licWRJQ1pGTlZOMEM0VHdyOWlFbEgyRENVCmwxSndQamRZM2NKbW14TTI4aFBV + MHQ3YkJwNUhkWlJNSTB2RFBpZEswT28KLS0tIC9EVUxvYk04ek5xc1d4TXl5RFVD + MkFyQkxCWDdWQjUxQ0QwcjlScGxPWWMKtzYvXoSSPGhVFlwzdtZylu3eTE5EKxqO + OIq9IOOujV3K1dzj5uwmCI+EoEasOMLy7Sa4++1WZmRVmVxFa91/gw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-21T17:41:20Z" + mac: ENC[AES256_GCM,data:f94ubkkhUDMkvEPEYYGVg1mahaMmXqAdMcF9Vl16jj7FQTvJy9GCg+1F7eBOu0endpcTQo2a/apd2u7tnzA0IE3CfXo2U8d8aun6yTxxn9qopnxypP2v6mGDHsGbaUI3r+/ZgLXtGDDN+gS/zyu06CPFq/TdLnmcO9zuXAeBmWc=,iv:5VEsRV20A56FKNRQlgojY5TQLhW+kgotQBPgElZY+uQ=,tag:K13Owxl3MDwf5n9soXxiXA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1