StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wireguard network

Browse source 
connection proxy->v6proxy works
connection mail->v6proxy blocked
This commit is contained in:
goeranh 2026-03-21 21:27:14 +01:00
parent 26d56a1dfe
commit 9c10e99502
No known key found for this signature in database
7 changed files with 158 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

12
.sops.yaml
View file

@ -2,6 +2,8 @@ keys:
- &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra - &goeranh age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
- &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr - &mail age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
- &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5 - &auth age1njnkkr489hfmpn337zna2k3z66y9086t7cpcmz2vn68p4x43aujs6wh0g5
- &v6proxy age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6
- &proxy age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4
creation_rules: creation_rules:
@ -15,3 +17,13 @@ creation_rules:
- age: - age:
- *auth - *auth
- *goeranh - *goeranh
- path_regex: hosts/v6proxy/secrets.sops.yml$
key_groups:
- age:
- *v6proxy
- *goeranh
- path_regex: hosts/proxy/secrets.sops.yml$
key_groups:
- age:
- *proxy
- *goeranh

23
hosts/mail/default.nix
View file

@ -29,6 +29,7 @@ in
defaultSopsFile = ./secrets.sops.yml; defaultSopsFile = ./secrets.sops.yml;
secrets = { secrets = {
"ldap_passwd".owner = "dovecot2"; "ldap_passwd".owner = "dovecot2";
"wireguard-key".owner = "systemd-network";
}; };
}; };
imports = [ imports = [
@ -59,6 +60,28 @@ in
address = "141.56.51.254"; address = "141.56.51.254";
interface = "eth0"; interface = "eth0";
}; };
wireguard = {
enable = true;
interfaces = {
sturauplink = {
privateKeyFile = config.sops.secrets."wireguard-key".path;
ips = [
"10.100.0.20/24"
"fd28:6691:1921:6299::20/64"
];
peers = [
# mail.test.htw.stura-dresden.de
{
endpoint = "hetzner.test.htw.stura-dresden.de:51820";
allowedIPs = [
"10.100.0.1/24"
];
publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0=";
}
];
};
};
};
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {

5
hosts/mail/secrets.sops.yml
View file

@ -1,4 +1,5 @@
ldap_passwd: ENC[AES256_GCM,data:adUZCZcYfoxBQm3e4YeeXcQJSZjB3+v2zSNy7q0Ao39aDQMH5H0w4o9MXTREkPHW53JejC2ivo8Zl3yUhkeYRw==,iv:XB25CmtUGf+PeSsHtr+CA/HIfZq1IrOBPPQD3/r6Kc4=,tag:A/WGViM/Ix7n6mhjnbCtZg==,type:str] ldap_passwd: ENC[AES256_GCM,data:adUZCZcYfoxBQm3e4YeeXcQJSZjB3+v2zSNy7q0Ao39aDQMH5H0w4o9MXTREkPHW53JejC2ivo8Zl3yUhkeYRw==,iv:XB25CmtUGf+PeSsHtr+CA/HIfZq1IrOBPPQD3/r6Kc4=,tag:A/WGViM/Ix7n6mhjnbCtZg==,type:str]
wireguard-key: ENC[AES256_GCM,data:5EWg5yF1CDKIusFwONVSzxSMM0cfOzyUYcWQ0f8xTHZ7bViAw8HbjJpRI4o=,iv:UNTv+994Q5VscsjgWS4ppkHX0gPy7vc/qmRCYKvR8CE=,tag:i8ydlyJSfIUj81j78EX5Fg==,type:str]
sops: sops:
age: age:
- recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr - recipient: age156ak7kc79tuwpv0hk9atl5dg27jqs6ddfqxvr9m4twqgsr23lgvsdmyfpr
@ -19,7 +20,7 @@ sops:
bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5 bGU3WWhVMGJ2LzI4N2E1Zy9RNnJ2V2MK4UQPwE5GUVTGvnuZ9knQ+BHmzmRLA1V5
SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww== SinlJfHcs+9B7haHzAekDdNqZgEUh2tblabHqq/vNWzd0rWpK31Dww==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T17:05:32Z" lastmodified: "2026-03-21T18:05:57Z"
mac: ENC[AES256_GCM,data:A2tbQ8obTjzKeISAbDy0Sqi+WvpqZwkKSW2PmV67V2u/svNfC7C/ebNHp6p0I9N97y026WzboXnRwon7M1jaJ8dPn2hqGReZIIHW5w5rBK0uAeEH5wCMnNGslox4D7+L27zc4VZMK4tjFP6F7EKkq7TIjf+HzEYW+kpbqM2erVo=,iv:EKa3JBlDiU/FcF2T/hQtmaFlYiAbFIlytR3fSfJjVBc=,tag:B4N/4XxhdtNYKTRT1O+UyA==,type:str] mac: ENC[AES256_GCM,data:NJM8uwSGIrjy4t+3AwNxp2e569ArH/cnRDipsHnTTQYV5NJLOTtwoFnTqVHBSREc2Sh38gXKye1ncwS3IG5CMsF1nsLOL/+Y9mUqQkLeWeld6Kal8c99yIr2oz8Hk4JTJt4j2C8/aNFhqu62VF7F6JNElWq2F3J5TPKPHRbE9yY=,iv:mj18t2s9hqNV4ore9T4R4jOgUGPuXGqwW91M9Uoh6aQ=,tag:v6T7LXjLQGoc9leFI5zY0g==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.1 version: 3.12.1

32
hosts/proxy/default.nix
View file

@ -6,6 +6,12 @@
... ...
}: }:
{ {
sops = {
defaultSopsFile = ./secrets.sops.yml;
secrets = {
"wireguard-key".owner = "systemd-network";
};
};
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./hetzner-disk.nix ./hetzner-disk.nix
@ -13,6 +19,7 @@
networking = { networking = {
hostName = "proxy"; hostName = "proxy";
nameservers = [ "141.56.51.1" ];
interfaces.ens18.ipv4.addresses = [ interfaces.ens18.ipv4.addresses = [
{ {
address = "141.56.51.1"; address = "141.56.51.1";
@ -37,6 +44,30 @@
nftables = { nftables = {
enable = true; enable = true;
}; };
wireguard = {
enable = true;
interfaces = {
sturauplink = {
privateKeyFile = config.sops.secrets."wireguard-key".path;
ips = [
"10.100.0.2/24"
"fd28:6691:1921:6299::2/64"
];
listenPort = 51820;
peers = [
# mail.test.htw.stura-dresden.de
{
endpoint = "hetzner.test.htw.stura-dresden.de:51820";
allowedIPs = [
"10.100.0.0/24"
];
persistentKeepalive = 30;
publicKey = "Tg/SNniezzF4DUnvUl1/JxQwS18POrUR20UmkQDt+X0=";
}
];
};
};
};
}; };
# wenn instanzen in die flake migriert sind könnte man das autogenerierien # wenn instanzen in die flake migriert sind könnte man das autogenerierien
@ -255,6 +286,7 @@
proxy IN AAAA 2a01:4f8:1c19:96f8::1 proxy IN AAAA 2a01:4f8:1c19:96f8::1
; Auto-generated CNAME records for all subdomains pointing to proxy ; Auto-generated CNAME records for all subdomains pointing to proxy
hetzner.test IN A 178.104.18.93
${lib.foldlAttrs ( ${lib.foldlAttrs (
prev: name: value: prev: name: value:
let let

25
hosts/proxy/secrets.sops.yml Normal file
View file

@ -0,0 +1,25 @@
wireguard-key: ENC[AES256_GCM,data:tEKd+iwfyabTj/spqh08Um3FX4grLeffTxCvBivkXrNqIzOymBdcgQL4IJ4=,iv:Z2sr5yzxTKXgBgfcd3LWB9jT2fX3uRpX07r4yMplSNY=,tag:IWgiEjjbHbIUORhwKjTM6g==,type:str]
sops:
age:
- recipient: age1g9fnxzalnqtse29xjdrvcsrnrknp8t2s7xrle73fce0jcg7r3czsj524p4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcUhhSlVQcHgvUEtDa0E2
UU1ON3NiUUlHTXFUOEdNeUdGVWNVTWRRNW0wCmhTVnJONlZSMmt2OVJiMys5bnM2
TDZPMExYaWlKSVFPVERnS1QvVTJlNXMKLS0tIElTYmxHNTFPSmNXYnkrY2RtRUVL
WHBCYWhtSWt1QW9hbEFwVmdqWUxjUmMKpqfV/bJVfyDI2Wa+jlwsXMx3tNV9G0S2
VhmmpDnEJn6UDWAMYxNv0g3rtfhBkb2HyCtANNVQ7QROua9WHzJjlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVUVkdDljcForNEJ2WmNm
N0QvTWhQWXQ1VHh5b0pCZFQ3aGxXSGY2bXprCmpEV2l6bkxnUDByNVZaVVR6N2lE
OG1sYkJrQmFVWW1vWXRZL1A2S29MejQKLS0tIEFKbkRmdWM0QW9vVlJWZElXSUcw
b1pCMjNIN1padE5JNVpZNFYwMnZGd00KM415cr6nuN6zfhDcfXFN2lMDWogLwDSE
Kq/ykUSuN9IU6AhslgBNRCmJRVHIzCmu5dU5NVZeqN1YT/EyAbEcyw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T18:56:03Z"
mac: ENC[AES256_GCM,data:v1RkpxjvgLHS3OOA2aEG+uJ3yWpOvJLwFA5jRBRtMoMvrBD8O8sikzWJUczQnpw85F/ieFqK6RdT8SBA9lIuPXYMRRS8icHI2a8P+zwySsWsnzc9UaJjjvKtkYo9nnPNCM36HAFOKHiAzBm7FWMt1Tl+WQMyVCWLXCN7ao0MjIo=,iv:8xCrY7QOhW5Mc/AWWXFocqwTUD9qvH4dLYYtnsU6PHw=,tag:09Nw7qFfjefrv0jBwaFINA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

38
hosts/v6proxy/default.nix
View file

@ -6,6 +6,12 @@
... ...
}: }:
{ {
sops = {
defaultSopsFile = ./secrets.sops.yml;
secrets = {
"wireguard-key".owner = "systemd-network";
};
};
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./hetzner-disk.nix ./hetzner-disk.nix
@ -48,6 +54,37 @@
nftables = { nftables = {
enable = true; enable = true;
}; };
wireguard = {
enable = true;
interfaces = {
sturauplink = {
listenPort = 51820;
privateKeyFile = config.sops.secrets."wireguard-key".path;
ips = [
"10.100.0.1/24"
"fd28:6691:1921:6299::1/64"
];
peers = [
# mail.test.htw.stura-dresden.de
{
allowedIPs = [
"10.100.0.20/32"
];
publicKey = "9Ep/YZLbnGEVWHgVmmwq2Sv/8awwGaHdwiSuIUkWtnk=";
}
# proxy.htw.stura-dresden.de
{
allowedIPs = [
"10.100.0.2/32"
"fd28:6691:1921:6299::2/64"
];
endpoint = "141.56.51.1:51820";
publicKey = "pUHtAHCDHVQBnqtlIgTkEMHbxXpQmVA0HhxiFUrUb0U=";
}
];
};
};
};
}; };
# wenn instanzen in die flake migriert sind könnte man das autogenerierien # wenn instanzen in die flake migriert sind könnte man das autogenerierien
@ -102,6 +139,7 @@
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wireguard-tools
]; ];
system.stateVersion = "25.11"; system.stateVersion = "25.11";

25
hosts/v6proxy/secrets.sops.yml Normal file
View file

@ -0,0 +1,25 @@
wireguard-key: ENC[AES256_GCM,data:K3UoCWtF2rL8uCzmu8yn4sHKHOrcKmnNBvRQdC9Ph3fWMdDqNqh0jwSByjQ=,iv:feFxNykRK1RJ6EPPVXqXtEVmXeGez4PwJ9h7m1KYUIE=,tag:hSTf/gAUVSjI1GburqRDVA==,type:str]
sops:
age:
- recipient: age1gl8zmw86jkrkr7kaqugdyhvdhdrnfd72smndz2kfh4a6ec6s9yxsyrecu6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsbVd3OUNCMUI3eUI2QlVa
WFNjVUpXYVlLdUxiSzhQdHhhRWRpWEhzV1IwCkdYMG5DOXBxTnMwNFpYM1FweDNp
ZXd2aXJaNWxOYXRnaW1nSjdNQVpQOU0KLS0tIEY4Q1JqV1FSekVwc0prNjRCUDdm
cmpLdW1abFR5SlhxZnpJdnBlNjJQOGMK+JcLyiSCfhVPnhqpqTzB7flFWTff3GcK
9779AvKVnhsDb5LDPOi4Ah5gAJfq+JZ/+IiTUqk0a4AWuN9PiyTMGA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qp7w80k3qtj79xsl0gwsfrkm037xrlnhm6th7tcyrvufh3szzp6s2pe7ra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncnVRVi91OWsxejJiS0Y0
L2licWRJQ1pGTlZOMEM0VHdyOWlFbEgyRENVCmwxSndQamRZM2NKbW14TTI4aFBV
MHQ3YkJwNUhkWlJNSTB2RFBpZEswT28KLS0tIC9EVUxvYk04ek5xc1d4TXl5RFVD
MkFyQkxCWDdWQjUxQ0QwcjlScGxPWWMKtzYvXoSSPGhVFlwzdtZylu3eTE5EKxqO
OIq9IOOujV3K1dzj5uwmCI+EoEasOMLy7Sa4++1WZmRVmVxFa91/gw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-21T17:41:20Z"
mac: ENC[AES256_GCM,data:f94ubkkhUDMkvEPEYYGVg1mahaMmXqAdMcF9Vl16jj7FQTvJy9GCg+1F7eBOu0endpcTQo2a/apd2u7tnzA0IE3CfXo2U8d8aun6yTxxn9qopnxypP2v6mGDHsGbaUI3r+/ZgLXtGDDN+gS/zyu06CPFq/TdLnmcO9zuXAeBmWc=,iv:5VEsRV20A56FKNRQlgojY5TQLhW+kgotQBPgElZY+uQ=,tag:K13Owxl3MDwf5n9soXxiXA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1