diff --git a/hosts/radish/hardware.nix b/hosts/radish/hardware.nix
index e96614a..963a308 100644
--- a/hosts/radish/hardware.nix
+++ b/hosts/radish/hardware.nix
@@ -69,9 +69,15 @@
 enable = true;
 extraPackages = with pkgs; [ rocmPackages.clr.icd ];
 };
+ services.resolved = {
+ enable = true;
+ dnsovertls = "opportunistic";
+ dnssec = "allow-downgrade";
+ };
 networking.networkmanager = {
 enable = true;
 wifi.backend = "iwd";
+ dns = "systemd-resolved";
 plugins = with pkgs; [
 networkmanager-openvpn
 ];
@@ -86,4 +92,50 @@
 }
 ];
 networking.firewall.allowedUDPPorts = [ 5353 ];
+
+ networking.wg-quick.interfaces = lib.mkMerge (
+ lib.map
+ (
+ {
+ region,
+ ipOctet,
+ publicKey,
+ }:
+ {
+ "everii-${region}" = {
+ address = [ "10.${toString ipOctet}.8.48/22" ];
+ dns = [ "10.${toString ipOctet}.1.1" ];
+ privateKeyFile = config.age.secrets."everii-vpn/${region}.key".path;
+ peers = [
+ {
+ allowedIPs = [ "10.${toString ipOctet}.0.0/16" ];
+ endpoint = "vpn.${region}.infra.everii.io:51821";
+ inherit publicKey;
+ }
+ ];
+ postUp = ''
+ ${pkgs.systemd}/bin/resolvectl domain everii-${region} ~${region}.everii ~${toString ipOctet}.10.in-addr.arpa
+ ${pkgs.systemd}/bin/resolvectl dnssec everii-${region} no
+ '';
+ };
+ }
+ )
+ [
+ {
+ region = "de1";
+ ipOctet = 13;
+ publicKey = "uBUgSTZb6WbfE960S3qFP/UUMtdsgNWqtkTaBkp6Xxo=";
+ }
+ {
+ region = "fi1";
+ ipOctet = 14;
+ publicKey = "Yoakl0lrL6IK1nT8x5SGpaS39fQxRAsP9Zjpu8/1RRs=";
+ }
+ {
+ region = "ch1";
+ ipOctet = 15;
+ publicKey = "gfciqAk+X02zoEKXSvRamx5+TGL3i4GpT7oUvHMD0xo=";
+ }
+ ]
+ );
 }
diff --git a/hosts/radish/secrets.nix b/hosts/radish/secrets.nix
index 9548e4c..9709304 100644
--- a/hosts/radish/secrets.nix
+++ b/hosts/radish/secrets.nix
@@ -10,6 +10,9 @@
 })
 [
 "borgbackup-radish"
+ "everii-vpn/de1.key"
+ "everii-vpn/ch1.key"
+ "everii-vpn/fi1.key"
 ]
 );
 }
diff --git a/secrets/everii-vpn/ch1.key.age b/secrets/everii-vpn/ch1.key.age
new file mode 100644
index 0000000..45468e9
--- /dev/null
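Review bot: In the new `services.resolved` block, `dnsovertls = "opportunistic"` and `dnssec = "allow-downgrade"` are both best-effort modes: an on-path attacker who blocks port 853 or strips signatures gets plaintext, unvalidated resolution, so these lines record an intent rather than enforce a guarantee. If the resolvers NetworkManager hands to resolved are known to support DoT, `dnsovertls = "true"` is the only setting that actually fails closed; if the permissive modes are deliberate (the per-link `resolvectl dnssec ... no` in the next hunk suggests the VPN resolvers do not validate), say so in place with `# best-effort only: an on-path attacker can force plaintext, unvalidated DNS; kept permissive for the VPN resolvers below`. The enclosing module attrset starts and ends outside this hunk.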
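Review bot: The `postUp` pair in the wg-quick hunk carries the whole split-DNS design but has no comment, and it interacts with the `dns = [ ... ]` line two statements above in a non-obvious way. As I read wg-quick, the listed server is handed to resolved via the resolvconf shim as an exclusive server (a `~.` routing domain), and the `resolvectl domain everii-${region} ~${region}.everii ~<octet>.10.in-addr.arpa` call then replaces that with the two routing-only domains, so only everii names and the tunnel's reverse zone go to the VPN resolver; dropping `postUp` in a later edit would presumably route all of the host's DNS through the VPN without any error. A comment above `postUp` along the lines of `# narrow the VPN resolver wg-quick installs to the everii zone and its 10.X reverse zone (split DNS); DNSSEC is disabled per link because that zone is presumably unsigned` would make the dependency explicit. The `resolvectl dnssec everii-${region} no` line also deserves its own why, since it lowers validation for that link independently of the global `allow-downgrade`.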
+++ b/secrets/everii-vpn/ch1.key.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 osOCZA ynIsrUjxXEYLRtKoiyBKCn83JeZ5rFhGD3xi61ypVBc +ZuKEpntuTCMigOf/jeQ3V6oklmqzuxyDpi4oVhtWsc4 +-> ssh-ed25519 DFiohQ /0VJWz6hK+0FNjBciDbPHX+ader97UxCiQYB1BFZh3E +SiqY0KS5wBWHMgEbJMAU1WgvXqEJjBAOQ3l/eMuETdI +-> ssh-ed25519 hRPDBg KSXXiPwj27sKoXMiwW7IqQJvE72lYIgUjiPnpvVSSmE +ioQGtUPSMj4flm9j84PLGm4C/P0sHVmYX38SgB6Yl2c +--- jUadITulpzJjYp3oWxkG0Qk5RwDXisrKgmXYMlcxCss +[,J"$M.0טc~,C +su1rDTf:FtwAthEAf \ No newline at end of file diff --git a/secrets/everii-vpn/de1.key.age b/secrets/everii-vpn/de1.key.age new file mode 100644 index 0000000..f062849 --- /dev/null +++ b/secrets/everii-vpn/de1.key.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 osOCZA sGsltqSPiC3jkgZcpRXobfPgKiuPYzU3XiNptcyniB4 +0Q7X+YuaRHT2/1sCrqyhnXCRGIcUKlHQKoo7W8TCwD0 +-> ssh-ed25519 DFiohQ o982CBPZ8MYPkm+ngw0WxJKc4vC0yo1poTz3ICnbJVM +Ac600G8Gr8dhPaXxl8k7A7XpaX70iyLTzfFFTc+14Ag +-> ssh-ed25519 hRPDBg Pf8NvKBZy/afSlFjZIySg6aSregAeMtUCj7e90b0qXw +kW4Ph56hKVtR0MUaulZpSS28Kna1Wigcvcf1Uv2ESf8 +--- Jbu+08V6cvPbTBjwiZvIRtsdOPOtn/e3VCzQuyrCgLw +|x =׺6)ؘ jYy6`؂o wԬZ\LLfK,(q>A_tMqY> \ No newline at end of file diff --git a/secrets/everii-vpn/fi1.key.age b/secrets/everii-vpn/fi1.key.age new file mode 100644 index 0000000..40be30c Binary files /dev/null and b/secrets/everii-vpn/fi1.key.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 59cd63e..87b9276 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -46,4 +46,7 @@ in "gitea-actions-runner.age".publicKeys = users ++ [ freun-dev ]; "invidious-companion.age".publicKeys = users ++ [ apu ]; "invidious.age".publicKeys = users ++ [ freun-dev ]; + "everii-vpn/de1.key.age".publicKeys = users ++ [ radish ]; + "everii-vpn/ch1.key.age".publicKeys = users ++ [ radish ]; + "everii-vpn/fi1.key.age".publicKeys = users ++ [ radish ]; }