zaphyra's git: nixfiles

zaphyra and void's nixfiles

commit 4514d81608ac361cc945ef5254fc501c0c5c8430
parent 091ac439568a8c7467356abade9adcea2627f799
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 13 Jun 2025 21:57:17 +0200

hosts/morio: add dn42-tunnel
3 files changed, 60 insertions(+), 2 deletions(-)
M
hosts/morio/default.nix
|
1
+
A
hosts/morio/dn42.nix
|
55
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
secrets/morio.yaml
|
6
++++--
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix
@@ -36,6 +36,7 @@
 
       imports = [
         (modulesPath + "/profiles/minimal.nix")
+        ./dn42.nix
       ];
 
       boot.initrd.systemd.emergencyAccess = true;
diff --git a/hosts/morio/dn42.nix b/hosts/morio/dn42.nix
@@ -0,0 +1,55 @@
+{ config, hostConfig, ... }:
+
+{
+
+  sops.secrets."dn42/wgPrivateKey" = {
+    owner = "systemd-network";
+    group = "systemd-network";
+  };
+
+  systemd.network = {
+    netdevs."20-dn42" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "dn42";
+        MTUBytes = 1280;
+      };
+
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."dn42/wgPrivateKey".path;
+        ListenPort = 1718;
+        FirewallMark = 1718;
+      };
+
+      wireguardPeers = [
+        {
+          PublicKey = "MRXPP//j+BDCiUyrYHdXtdULAsCZyfgumas8pxp6oiE=";
+          Endpoint = "router-a.dn42.zaphyra.eu:1718";
+          AllowedIPs = [ "fd00::/8" ];
+          PersistentKeepalive = 10;
+        }
+      ];
+    };
+
+    networks."20-dn42" = {
+      matchConfig.Name = "dn42";
+      linkConfig.RequiredForOnline = false;
+      routes = [{ Destination = "fd00::/8"; }];
+      address = [
+        "fd6b:6174:6a61::2/128"
+      ];
+      networkConfig = {
+        DNSDefaultRoute = false;
+        DNS = [
+          "fd42:d42:d42:54::1"
+          "fd42:d42:d42:53::1"
+        ];
+        Domains = [
+          "~dn42"
+          "d.f.ip6.arpa"
+        ];
+      };
+    };
+  };
+
+}
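Review bot: In the `Domains` list of `networks."20-dn42"`, the entry `"d.f.ip6.arpa"` has no `~` prefix, so systemd-networkd treats it as a search domain rather than a routing-only domain. Single-label hostnames then get `.d.f.ip6.arpa` appended and those lookups go to the dn42 resolvers listed in `DNS`, which exposes local hostnames to resolvers operated by third parties. The entry should read `"~d.f.ip6.arpa"`, matching `"~dn42"`. Separately, `AllowedIPs = [ "fd00::/8" ]` accepts any ULA source address from the peer, and nothing in this file filters inbound traffic on the `dn42` interface. Whether the host firewall already covers that interface is not visible in this commit, so a comment such as `# inbound on dn42 is filtered in <module>` next to the netdev would make the trust boundary explicit.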
diff --git a/secrets/morio.yaml b/secrets/morio.yaml
@@ -23,6 +23,8 @@ environments:
         signal: ENC[AES256_GCM,data:PuyUzSf4Xl3eJDDoDSX3gz6B1oXXiMWeECtOs3pmd2n6rJYRWRD7Ve6iz6a9/VdIFNomNSyGVBPJ6y+YZlD3Gq4g+U3a6hsAsBbIU4REVP/9igwLmP+fB3FMNzE9gcN0MSZx5dxSEFuVGgktvGH9Vb7SSHfjhPxfhRd67SS+MFrxwYCpfxlh9PxKBT3EqA8hWgPB7bxBcaW/khf996xdMfHeaxxQAXDyanOgIn5iDtrM9PbHsEpS8xlN1fSVQKYbQgz+WnL+7hudvj/rXeGNVxMXd//7JTsopzslGQ1JtgwN9fJ8uDKytWux54dmSvdUL35cDgmn/4AUSL/hQvOm4i12+9MbOj9/9l6clp+BSS2fI1XhDWEWOqG7/Cb85ABRmQzDlE3EfMPQF4HY4PKh1F+Xy1BgbbWSDoeQEs3jWqO6Qgq3fW8RO06/DU/11IFb0BhSAyUrlB9FnD4mvMY2Sf9Sdw5hUsuJ2psPSLCrjiYoPnOyIuELCctW3SkBeNn1,iv:Min6Y4qEZQAxQ2gTQR5+vZuSeY0YY3Wa6ixr6NnHhPY=,tag:3qB8BHmPCyFLYR7j2HxgVA==,type:str]
         whatsapp: ENC[AES256_GCM,data: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,iv:7voliAT5vclU+ZPtoYr3+TCOa42eNJ+iEHMn5rwdg4Q=,tag:tDai6Pf1wx6Pt4qGAo7KYw==,type:str]
         telegram: ENC[AES256_GCM,data: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,iv:MlZa2nMYD9AB/TmY8QDYpArRizyYe732v4CzGB5PB7w=,tag:XijkOhRqrYp+5NlyiHejkg==,type:str]
+dn42:
+    wgPrivateKey: ENC[AES256_GCM,data:QunDYyLV85MkkTH8lnT3xdzdEY6WfjfdWwNi3IdqS5Yn7foLWLIZcqryaW0=,iv:hnFZ1yauh9FOkxEfrXBkwgJtAcNRLD9V5K8Ud7b/nHc=,tag:XIdmD9Um+1+KVjfUk+aa7g==,type:str]
 sops:
     age:
         - recipient: age1wpffcr5p88a2x9dzx5v3sq4jqurvygu94fx773n229fqk4p95qzs840cmn

@@ -34,8 +36,8 @@ sops:
             bDRhUEtDdmlZa0ZENFhSVnNqVjFCR1UKEIkSg3tKFkwlnNXFFqCBtdZBGz1bEmWl
             wghkTtqTl++759zZAAmjdnFFQWs/AoCZ5g/GUidz6HHcFdxMpGVmiA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-03T13:48:48Z"
-    mac: ENC[AES256_GCM,data:23PY7BiDbqrhYEMjH/4wf+RxI9jYVxxQLoUxiaDYYwaFkfZKefLH/fTMKNkHnD6kbdGBC+ptV8jgO5IiPIib6TFS+Du2zyrA532Nx3vH02YDlrp9/jcrCvJzH561tsYMEpGLsKwXlkr863y8PK5gVSIiYkAOBg/S+mOM1TFhkus=,iv:0M12+Hx7Cz/7toDFQRAO1s3r971PYLIcbfp2WPmSof4=,tag:tHOMCjC3yBNFpXyyZv/8fA==,type:str]
+    lastmodified: "2025-06-11T21:34:22Z"
+    mac: ENC[AES256_GCM,data:PDP4d+4sW3Nw9o3oSi7d80I/zD3jP+yLXTERkEm33vxP5aHQSnqRrV1pVB+Gy5eTb+ly28DSi+8nDFKamHtszo34nMfcvw+KQw1nCRlETcGd8zCGL8TjcLkeq56gzrn0apFux2FTR1r959WpY5k4IDxk8B55/Oh3emHt6KKCCGU=,iv:Nk0fCDlvkljLcIjExQTJ+NAIrx8ambelH2r1a+GWJF8=,tag:unL3ZKFKvlhf/VPSf74LiA==,type:str]
     pgp:
         - created_at: "2025-05-21T08:09:28Z"
           enc: |-