freifunk: add vpn6 freifunk dresden backbone wireguard tunnel

2022-03-22 21:53:44 +01:00 · 2022-03-22 21:53:44 +01:00 · 9eaeced6f1
parent 1c3f457850
commit 9eaeced6f1
3 changed files with 33 additions and 7 deletions
--- a/flake.lock
+++ b/flake.lock
@ -344,11 +344,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1645815118,
-        "narHash": "sha256-y2gArx6byPdlE/ON7mit3oq9fYg/Aw8tNd7MmOJvS+A=",
+        "lastModified": 1647968696,
+        "narHash": "sha256-5C93Xzq4Ux97tTHMET0mJXjdGdYyyKmIa8oUG1hGsXc=",
        "ref": "master",
-        "rev": "eb0ae3249b44e54b6e6ad400f7ebdb56c38258e4",
-        "revCount": 123,
+        "rev": "ad8b39dd71795ee9aecb6ce8cbd62f7e41f2669d",
+        "revCount": 124,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -245,6 +245,7 @@
              nixpkgs.overlays = with secrets.overlays; [
                freifunk ospf
              ];
+              sops.defaultSopsFile = "${secrets}/hosts/freifunk/secrets.yaml";
            }
          ];
        };
--- a/hosts/containers/freifunk/default.nix
+++ b/hosts/containers/freifunk/default.nix
@ -73,9 +73,13 @@ in {
    '';
  };

-  # Required for krops: ssh git
-  services.openssh.enable = true;
-  environment.systemPackages = with pkgs; [ tcpdump ];
+  environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools ];
+
+  sops.secrets."wireguard/vpn6/privateKey" = {
+    group = "systemd-network";
+    mode = "0440";
+  };
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  systemd.network = {
    netdevs = {
@ -87,6 +91,27 @@ in {
          Name = meshLoopback;
        };
      };
+      # Freifunk Dresden Backbone
+      vpn6 = {
+        enable = true;
+        netdevConfig = {
+          Name = "vpn6";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
+          ListenPort = 5007;
+          # Mark for routing with the upstream routing table
+          FirewallMark = upstreamMark;
+        };
+        wireguardPeers = [ {
+          wireguardPeerConfig = {
+            Endpoint = "vpn4.freifunk-dresden.de:5007";
+            PublicKey = "7R3K3rGtCZprgqz5/iWql4yLg9BrsaNiv5XQwJ7csn4=";
+            AllowedIPs = "0.0.0.0/0";
+          };
+        } ];
+      };
    };
    networks = {
      # Wired mesh interface