refactored wireguardInterface and authorizedKeys

2024-11-26 06:08:48 +01:00 · 2022-10-18 14:07:49 +02:00 · 2022-10-18 14:07:49 +02:00 · c173e3892a
commit c173e3892a
parent f0ae1728ea
3 changed files with 58 additions and 32 deletions
--- a/hosts/dark-firepit/authorizedKeys.nix
+++ b/hosts/dark-firepit/authorizedKeys.nix
@ -1,17 +1,39 @@
+lib:
+
+with lib;
+let
+  # please only append keys in this list to not mess up
+  # wireguard auto-genned IPs!!
+  peerList = [
    {
-  "aether@subsurface" = {
+      hostname = "aether@subsurface";
      ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLDtlpOnQFQq9mPMhR1uQnjrTexcof+c+y+ot/7Jgnt aether@subsurface";
      wg = "XEVSwNNPR7RTt/O0ihYmv3nopbPmqkCMGrVRCixnPWw=";
-  };
-  "oatmealine@void-defragmented" = {
+    }
+    {
+      hostname = "oatmealine@void-defragmented";
      ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDbJDo79TD9RV77MnArQwS94wzBo+6l6dYQnaNdPk2xo019+tc7GyuQ+GHyh4qewIUQOwe3Ddj4YxJN9IS3E360/6RdaNDxn3hUp2jh/x9SOjh0W86FJfdHEQViNeFVSXJv+QBZT9ibR9IbOHYezhD6gtz15pNhEqhQyqw2hJuQzxLvnictTc4lPQnWN9I8ga+OVSh7Uauu5OKbUOyRRj1Er/hasNviCaGBJnLDYjSqTDRvEbdYlfuhrYITJ+viZOQq7Nczs6dbsl627FCvhr5vQi+/vvpx9DKHDvpGvbEglOmOwgffSkaOIIx/pNHTsRccX7c3/im6z4pCDj4bEuiqqawv2C6DV0aM01bW8cchOJrmSQGTygTrJuuVPHp4IRIZNvQGS+97j4u+d7ofricLR1RoxJcQibvRA9rhhYI2FhwrAweuuLktjSj5RkQnypd9kjOuH+nhgLZunreNoyPNDCmcOBA7BA0rD2pCIKB9SzlelMjVuvy0PA8uWfNFfxGU+m3BH7lQS/A6V+NeYrMGiZ+u+t9Pgr6kAoR7mAUO+obIdMM/lOp1/zGBY8lk2Aq3GQcyGVNi18VR0uA+NMaJYXA1JzSiPCz7cQn1pKIAKiDEnzicf5MxDHIi5F1iQ/Lc+NftgmDXZEAHDY1bQepScOttaOZQZLpYP/eWwlEQJQ== oatmealine@beppy";
      wg = "533BncNpHKzJVx5lwdxBg+aUfLGqea9uUYz70C6wxyg=";
-  };
-  "oatmealine@beppy-phone" = {
+    }
+    {
+      hostname = "oatmealine@beppy-phone";
      ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJUgEsAQ7EL5/3STLAk/0qWJddYqfBY71yS9RtRSWd3w JuiceSSH";
      wg = "qT7gX8beM/kW9AYg5dV1e3cLzLDTLxMO2CmnbFpMVj4=";  
-  };
-  "mayflower@BMW-M550d-xDrive" = { # car 5
-    ssh = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCL75/Pg5bP7LaXE6uPyyv8QDRivWJC6YcH6oJJztkjqL6g+0xPPiN6I54q/bNF4nHA2BHVUktKUU9bGDEOpYIRq7kegp2/K/+FNTM1Kz6rJSrSc8e0Ogxg8vhD6maxqLU8q+D1OMhBu0UiWUB+GxXmeYfBtXPjpcE+AaJ80BPs7vwiulHPGn7UAcRuP36Z+3JJiN2BQnU2aizXWsgyU575Uy3DVvAt7eHon+SoJiTCs2//5KexJ42U6ZiE6f/oTFdiud70lpxhGgiiFvj6M9RZ0aLoxspiskW45jKLXIMJ+mO6husg9GfvCchbps3YkmH0hZ24Ii1EiFhi5HZMY0Lt";
-  };
+    }
+    {
+      hostname = "mayflower@BMW-M550d-xDrive"; # car 5
+      ssh = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCL75/Pg5bP7LaXE6uPyyv8QDRivWJC6YcH6oJJztkjqL6g+0xPPiN6I54q/bNF4nHA2BHVUktKUU9bGDEOpYIRq7kegp2/K/+FNTM1Kz6rJSrSc8e0Ogxg8vhD6maxqLU8q+D1OMhBu0UiWUB+GxXmeYfBtXPjpcE+AaJ80BPs7vwiulHPGn7UAcRuP36Z+3JJiN2BQnU2aizXWsgyU575Uy3DVvAt7eHon+SoJiTCs2//5KexJ42U6ZiE6f/oTFdiud70lpxhGgiiFvj6M9RZ0aLoxspiskW45jKLXIMJ+mO6husg9GfvCchbps3YkmH0hZ24Ii1EiFhi5HZMY0Lt";
+    }
+  ];
+in {
+  list = peerList;
+  # here for convinience purposes
+  set = listToAttrs (map (n: {
+    name = n.hostname;
+    value = {
+      # todo: something more generic might fit better?
+      ssh = n.ssh;
+      wg = n.wg;
+    };
+  }) peerList);
 }
--- a/hosts/dark-firepit/default.nix
+++ b/hosts/dark-firepit/default.nix
@ -1,7 +1,7 @@
 { pkgs, inputs, lib, ... }:

 let
-  keys = import ./authorizedKeys.nix;
+  keys = import ./authorizedKeys.nix lib;
 in {
  imports = [
    ./hardware-configuration.nix
@ -31,7 +31,7 @@ in {
        shell = pkgs.unstable.fish;
        extraGroups = [ "wheel" "nix-users" "dotfiles" ];
        initialHashedPassword = "!";
-        openssh.authorizedKeys.keys = [ keys."aether@subsurface".ssh ];
+        openssh.authorizedKeys.keys = [ keys.set."aether@subsurface".ssh ];
      };

      homeConf.home = {
@ -49,7 +49,7 @@ in {
        shell = pkgs.unstable.fish;
        extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
        initialHashedPassword = "!";
-        openssh.authorizedKeys.keys = [ keys."oatmealine@void-defragmented".ssh keys."oatmealine@beppy-phone".ssh ];
+        openssh.authorizedKeys.keys = [ keys.set."oatmealine@void-defragmented".ssh keys.set."oatmealine@beppy-phone".ssh ];
      };

      homeConf.home = {
@ -62,16 +62,16 @@ in {

    mayflower = {
      conf = {
-        packages = with pkgs; [  ];
+        packages = with pkgs; [ micro tmux ];
        shell = pkgs.unstable.fish;
        extraGroups = [ "wheel" "nix-users" "dotfiles" "yugoslavia" ];
        initialHashedPassword = "!";
-        openssh.authorizedKeys.keys = [ keys."mayflower@BMW-M550d-xDrive".ssh ];
+        openssh.authorizedKeys.keys = [ keys.set."mayflower@BMW-M550d-xDrive".ssh ];
      };

      homeConf.home = {
-        sessionsVariables = {
-          EDITOR = "nvim";
+        sessionVariables = {
+          EDITOR = "micro";
          NIX_REMOTE = "daemon";
        };
      };
@ -95,8 +95,8 @@ in {
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRI9sGl0EmOkNNnh8SgRq197gkEy3XEwKZjLIr27V9PfaVOLIAcZiGcOa5q7rc5FjcCtkQ9+/twE24bZpxkK0ygrRJBEdT+HGAUmpY/kRPEn/tqjmwNu43vQqOhNSYmAAzdjJ4AuRPK5st8QQyOzKv5Pnghwy8xPAjOM3o4n9ULMLjVvAu0eTmCJMKxEvz5FUEIVZtEid/ng46k/bJ/njSh8vyGBQV4fJei6M9Ovw0HPqqzWyV/e0c3hTClG4dfLCK3Qv3hLhXQ+8I9iaL7D2wZdr3F2lbg0vS/QctPZc28f1gpkFEzVflEzAk4aFwJMMflY04IG1Dr44IfM1gJbpj rsa-key-20220423"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCL75/Pg5bP7LaXE6uPyyv8QDRivWJC6YcH6oJJztkjqL6g+0xPPiN6I54q/bNF4nHA2BHVUktKUU9bGDEOpYIRq7kegp2/K/+FNTM1Kz6rJSrSc8e0Ogxg8vhD6maxqLU8q+D1OMhBu0UiWUB+GxXmeYfBtXPjpcE+AaJ80BPs7vwiulHPGn7UAcRuP36Z+3JJiN2BQnU2aizXWsgyU575Uy3DVvAt7eHon+SoJiTCs2//5KexJ42U6ZiE6f/oTFdiud70lpxhGgiiFvj6M9RZ0aLoxspiskW45jKLXIMJ+mO6husg9GfvCchbps3YkmH0hZ24Ii1EiFhi5HZMY0Lt mayflower"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHrlqH2OShvXdzq1sV5IDuWQzeC9OHBVvwj0+Y0XXwi7 mayflower-thinkpad"
-        keys."oatmealine@void-defragmented".ssh
-        keys."oatmealine@beppy-phone".ssh
+        keys.set."oatmealine@void-defragmented".ssh
+        keys.set."oatmealine@beppy-phone".ssh
      ];
      packages = with pkgs; [ tmux micro ];
      shell = pkgs.unstable.fish;
@ -347,8 +347,8 @@ in {

    firewall.allowPing = true;
    # minecraft proximity voice chat
-    firewall.allowedTCPPorts = [ 24454 ];
-    firewall.allowedUDPPorts = [ 24454 ];
+    firewall.allowedTCPPorts = [ 24454 25567 ];
+    firewall.allowedUDPPorts = [ 24454 25567 ];
  };

 #  environment.etc."dhcpcd.duid".text = "d0:50:99:d4:04:68:d0:50:99:d4:04:68";
--- a/hosts/dark-firepit/wireguardInterface.nix
+++ b/hosts/dark-firepit/wireguardInterface.nix
@ -2,7 +2,8 @@

 with lib;
 let
-  peerKeys = import ./authorizedKeys.nix;
+  peerKeys = import ./authorizedKeys.nix lib;
+  wgKeys = filter (hasAttr "wg") peerKeys.list;
 in {
  ips = [ "10.100.0.1/24" ];

@ -10,9 +11,12 @@ in {

  listenPort = 51820;

-  peers = genList (n: {
-    publicKey = (elemAt (attrValues peerKeys) n).wg;
-    allowedIPs = [ "10.100.0.${toString (n+2)}/32" ];
-  }) (length (attrValues peerKeys));
+  peers = genList (n: let
+    keychain = elemAt wgKeys n;
+    ip = "10.100.0.${toString (n+2)}/32";
+  in {
+    publicKey = trace "${keychain.hostname}: ${ip}" keychain.wg;
+    allowedIPs = [ ip ];
+  }) (length wgKeys);
 }