freifunk: add vpn6 freifunk dresden backbone wireguard tunnel

2022-03-22 21:53:44 +01:00 · 2022-03-22 21:53:44 +01:00 · 9eaeced6f1
parent 1c3f457850
commit 9eaeced6f1
3 changed files with 33 additions and 7 deletions
--- a/flake.lock
+++ b/flake.lock
@ -344,11 +344,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1645815118,
+        "lastModified": 1647968696,
-        "narHash": "sha256-y2gArx6byPdlE/ON7mit3oq9fYg/Aw8tNd7MmOJvS+A=",
+        "narHash": "sha256-5C93Xzq4Ux97tTHMET0mJXjdGdYyyKmIa8oUG1hGsXc=",
        "ref": "master",
-        "rev": "eb0ae3249b44e54b6e6ad400f7ebdb56c38258e4",
+        "rev": "ad8b39dd71795ee9aecb6ce8cbd62f7e41f2669d",
-        "revCount": 123,
+        "revCount": 124,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -245,6 +245,7 @@
              nixpkgs.overlays = with secrets.overlays; [
                freifunk ospf
              ];
              sops.defaultSopsFile = "${secrets}/hosts/freifunk/secrets.yaml";
            }
          ];
        };
--- a/hosts/containers/freifunk/default.nix
+++ b/hosts/containers/freifunk/default.nix
@ -73,9 +73,13 @@ in {
    '';
  };
-  # Required for krops: ssh git
+  environment.systemPackages = with pkgs; [ tcpdump bmon wireguard-tools ];
-  services.openssh.enable = true;
+
-  environment.systemPackages = with pkgs; [ tcpdump ];
+  sops.secrets."wireguard/vpn6/privateKey" = {
    group = "systemd-network";
    mode = "0440";
  };
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  systemd.network = {
    netdevs = {
@ -87,6 +91,27 @@ in {
          Name = meshLoopback;
        };
      };
      # Freifunk Dresden Backbone
      vpn6 = {
        enable = true;
        netdevConfig = {
          Name = "vpn6";
          Kind = "wireguard";
        };
        wireguardConfig = {
          PrivateKeyFile = config.sops.secrets."wireguard/vpn6/privateKey".path;
          ListenPort = 5007;
          # Mark for routing with the upstream routing table
          FirewallMark = upstreamMark;
        };
        wireguardPeers = [ {
          wireguardPeerConfig = {
            Endpoint = "vpn4.freifunk-dresden.de:5007";
            PublicKey = "7R3K3rGtCZprgqz5/iWql4yLg9BrsaNiv5XQwJ7csn4=";
            AllowedIPs = "0.0.0.0/0";
          };
        } ];
      };
    };
    networks = {
      # Wired mesh interface