From e2931365b52e7b7a0265c58dec3c248b6080f8bf Mon Sep 17 00:00:00 2001 From: Stefan Ellmauthaler Date: Tue, 2 Aug 2022 11:28:11 +0200 Subject: [PATCH] Add stel-xps and nucturne to the wireguard network --- .sops.yaml | 12 ++++++ common/wireguard.nix | 15 ++++++- machines/nucturne/secrets/wireguard.yaml | 52 ++++++++++++++++++++++++ machines/stel-xps/default.nix | 3 ++ machines/stel-xps/secrets/wireguard.yaml | 52 ++++++++++++++++++++++++ modules/wireguard.nix | 6 ++- 6 files changed, 137 insertions(+), 3 deletions(-) create mode 100644 machines/nucturne/secrets/wireguard.yaml create mode 100644 machines/stel-xps/secrets/wireguard.yaml diff --git a/.sops.yaml b/.sops.yaml index b37227a..4943538 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -28,3 +28,15 @@ creation_rules: - pgp: - *stefan_ellmauthaler - *metis + + - path_regex: machines/stel-xps/secrets/[^/]+\.yaml + key_groups: + - pgp: + - *stefan_ellmauthaler + - *stel-xps + + - path_regex: machines/nucturne/secrets/[^/]+\.yaml + key_groups: + - pgp: + - *stefan_ellmauthaler + - *nucturne diff --git a/common/wireguard.nix b/common/wireguard.nix index 0aad60d..ea42a4e 100644 --- a/common/wireguard.nix +++ b/common/wireguard.nix @@ -7,13 +7,24 @@ with lib; { servers = { metis = { localIp = "1"; - extraIps = [ "1" "142" ]; + extraIps = [ "1" "2" "142" ]; publicKey = "wP49t1TYXI3ucsYb8RavNGwIf+8nx5UBgDU0PM9VlnI="; endpoint = "metis.ellmauthaler.net:51820"; #TODO }; }; - peers = { # TODO + peers = { + # TODO + stel-xps = { + localIp = "2"; + publicKey = "Wmw+gIvMdaAZ+m7Ruk60IZukW2TvMZxdT13xof9mazs="; + }; + + nucturne = { + localIp = "3"; + publicKey = "DJ1U2EQLkqqapYXKZDgtS/b/xX7ACIHuFuH1sNpecnU="; + }; + stelphone = { localIp = "142"; publicKey = "UnS5BtlKKTXfNaSsw2PY7Gbd5aLGiJVlCUY7bHosLio="; diff --git a/machines/nucturne/secrets/wireguard.yaml b/machines/nucturne/secrets/wireguard.yaml new file mode 100644 index 0000000..e9dfdc2 --- /dev/null +++ b/machines/nucturne/secrets/wireguard.yaml 
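Review bot: The two new rules reference the aliases `*stel-xps` and `*nucturne`, whose `&` definitions are not in this hunk; the encrypted files added by this commit were produced for fingerprints `e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca` (stel-xps) and `9b6a58764eddd81d07180d6dc08e322f7bfd92b1` (nucturne), so the alias definitions in the `keys:` section should be checked against those values, since a mismatch would go unnoticed until `sops updatekeys` is run. Both `path_regex` values are unanchored and sops matches them with Go's `regexp.MatchString`, so `^machines/stel-xps/secrets/[^/]+\.yaml$` would be the tighter form, unless the file's existing rules deliberately leave them open (the one visible above does). Each rule names exactly one human key plus the host key, which leaves no recovery path for those secrets if the human key is lost; worth confirming that this matches the file's other rules.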
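Review bot: `extraIps` on `metis` gains `"2"` for the new stel-xps peer but not `"3"` for nucturne, while the pre-existing stelphone peer (`"142"`) is listed there; unless the omission is deliberate, the line should read `extraIps = [ "1" "2" "3" "142" ];`. I cannot see how modules/wireguard.nix consumes `extraIps`, but if it ends up in the server peer's AllowedIPs on the clients, traffic to nucturne would not be routed through the tunnel. The `# TODO` marker moved into the `peers` set and the `#TODO` on `endpoint` survive the change; either resolve them or state what is still pending. The enclosing attribute set starts and ends outside the hunk.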
@@ -0,0 +1,52 @@ +wireguard-stelnet: ENC[AES256_GCM,data:xjxETy/QfjzLET9nueYAYVAHWywHsuFH93Zu83KIGYV4FuGc68vOycWfXag=,iv:4F9H9FUk9ByDRfR64bwQ8AG8f/jLAMgt8V5HOsf5oGQ=,tag:EIkmGN7nJz+LW4IugSgKzQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-08-02T09:19:24Z" + mac: ENC[AES256_GCM,data:SXXw4GR+SDDyZa/FN+feN3EVeFs9eY9Jn41p0Cb0ozJJ+cMCw37VZ2MriOFUbv/c/AO3yotguXSfvXkmtQLXLriyIGymmIPwwIrBoIk+BLuBdc1r0dKOQhzGjVifZUivxJTBoabKpxQMIyFocnHhqoISVnOixcO0V1yoXecVnZI=,iv:Bcia5JX+wpHM5fPQjxoCn9tywTemAOXEd8g0jTuBYBQ=,tag:e9oV7ZLMX8hurYb6XERTDw==,type:str] + pgp: + - created_at: "2022-08-02T09:18:27Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzhsLR+kpSPjARAAjve/SlLy2TmlFLhNca1fZQFmqrKLf/+a1arQX8+gasRZ + HEtS8P6qZF8H6Gfdr3mOQymtPIGgZ0EOljN3zTb8fk3Ezs8UnZL0os+PK85JHLx/ + MPab7uXOSz1YRg0W2s5vuE3TXn/U8/ub2OwYAgz8CuqBnvm0m+mijIG3/R42Xw9L + MTOMm2pjYgg1Gahbu6dLUgu2CRv6JyDWL90VBdtVF2PKHtAq0Ej7Iwl2idoOtno3 + kPSh5npXQEkgfgK+8Prp6Vnx50KJ/c7codf2dgb6fAi+rFLRe3WK0SBxD+vTFbc6 + i7FIlYvxIJ1axcUM+Uub2ash2n7o2etWyqCJTou0uOrsXhvQ0A1A1wD9/XJYluvQ + eE0CKVTxJk0kgRCFFh1SLYmh7rAfgnXcQoTr74WM+mNkMx6XH3An4QkYBVkt8fMH + DFswosalYLmDizpui1pROzDlpZA5MUcwh26EytSfSCbWz+RfjJEJWmOuj1zdsTqL + PABfYWPzLfdpm9rktPSOUPfCuMQRUuG30g27cRheMhi50fuOsj0EhCmJZ6c6QhVL + ZHZ2TUh/GK6tih0Yt+3zLD/y/wzCBvlXXR+MdUgoo7F3B0AsxhSOl/TsnK8qurPX + Y59NxcyVymfxeFxiX57mULrBz9H8SBG1SsPN9Kvy6r+VDEG6t2+Y0ydHHiSboF3S + XgHWSGd7nS+NnyOh1M/5Jf6WwUQlVP/IQgkof1mFOUWu+t84fLYmNRb/gbhLZNBS + KRsAyhLDQC2q7/y6m3lOrdYrrQAyFrjc7HyOuNXrv0tuHxRkRQkmgflC3I+viow= + =lAlf + -----END PGP MESSAGE----- + fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA + - created_at: "2022-08-02T09:18:27Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA8COMi97/ZKxARAAgiWiiVaUkjoui5AFpr/hP5kUwDK4DrGHvonWqqVP2o2T + sE9c7qjih0DD8NtUSRtlt3gZUWK0QcNBBW8d+KE7dmon0IaTzcXVdwwoJygIi+D+ + PDU9GUms12u2w2xQBemqSZqLe1MAnB8abOxIDUcLzaPxXi2eQwr9D+MP49XXe36v + Qsa7tQs6P2/eFHFLWyjxfIo62frFg71H+xSCkie2kd6tmdqnmQLGFlzqTuU/L/QD + 
3ofurwfclo3sWK2sqqUIIAJClRGi+to9w+wr69P6O3GS99rJo6GngeHv3n8rcIxI + iYuikhq8Rl+sPiE+DBZUEWO41pqhLQE/Dwt1I+QKdYb56i1FtLg4hB4zERnROTBh + NAWkOywjjHSWpxZ/Nh66WtGj+IpIgOj8W25QVvzOHPw0/7gHFWHTg6uUQ1dbymUY + z4KzFMPrDNY3gZbAbxLCVFhRRJn21jnZcT6DPI1TvLS5d3HP4+4YHEGDx3UCJsha + +NlbPvx0r3OCBu4p1Gvjl2jhpgQudJtPNiuBolqB/4lOAtpNOIxJpInK0I28ORzz + zLP5cOaGm5yDuCFJ9eQNxvws4xuMazOqHbwxz+QyI0mOcJPHWb28m3tLBrRNcLsx + Vy/4NYbFllE3ms7TyQXnlCrFsoHK1ecKITRIehYwJ9fSI7pT3mqAaUxjNyASg93S + WAHiMptr0BfM5mMy/fHq+FbuvB31SnRej3xL04X+E2gimLYtUwyJvoO+rJGHkRxd + G2HrRMP8TPrSqZ/KcofATtVOLN2lrjJ4AGNRPCkGTn5g5mAaKG1Dc4E= + =X9Xu + -----END PGP MESSAGE----- + fp: 9b6a58764eddd81d07180d6dc08e322f7bfd92b1 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/machines/stel-xps/default.nix b/machines/stel-xps/default.nix index 1ddba06..1ebcf26 100644 --- a/machines/stel-xps/default.nix +++ b/machines/stel-xps/default.nix @@ -35,6 +35,9 @@ enable = true; }; + # enable wireguard + wireguard.enable = true; + # user setup users = { enable = true; diff --git a/machines/stel-xps/secrets/wireguard.yaml b/machines/stel-xps/secrets/wireguard.yaml new file mode 100644 index 0000000..2e94697 --- /dev/null +++ b/machines/stel-xps/secrets/wireguard.yaml 
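Review bot: `wireguard.enable = true;` is added for stel-xps only, while the diffstat shows no change to `machines/nucturne/default.nix` even though this commit adds a nucturne peer and a nucturne secrets file; unless nucturne already enables the module elsewhere, its tunnel will not come up and the new secret is unused. A check of nucturne's config (or the same `wireguard.enable = true;` there) would close that gap. The comment `# enable wireguard` restates the code; a why-comment such as `# join the stelnet WireGuard network (peer entry in common/wireguard.nix)` would carry more information. The enclosing attribute set starts and ends outside the hunk.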
@@ -0,0 +1,52 @@ +wireguard-stelnet: ENC[AES256_GCM,data:KnC28cZdVDYMEbJ2TEIYoGoS4/P9cYrzjMxYMJpHFDFtMAEqLqfMKDayC2o=,iv:bCj6q5wHMKUE01skbv4mp84oXCjWuhHCBM99/1lW5Z0=,tag:6YCNifIzJ8oO9BWoG+R2Ng==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-08-02T09:15:52Z" + mac: ENC[AES256_GCM,data:n6haSZnM35m2YjYW5mbqcc/fkQXzGJ+Cj/Epco7xFqTXUM4Ra9eWrj1JQ+4YxHMzq1J4927FawZPq/OVtxdMQCSb4a6LnAZfA6d8PycnICjdtvP5oAwN+mNYb/E2lWtjWHuOMHCagvHvrx8qAohaY/xyHkAS9cITUwrdO5b9HAQ=,iv:NXfPjLzGE4wptHQFxKPdlKQxCKGcZLYPTq5ghVz8tgI=,tag:y3rqJMVr4rusSsE9c9PPDw==,type:str] + pgp: + - created_at: "2022-08-02T09:15:13Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzhsLR+kpSPjAQ/+LkopjmvnGH45yBr0HDE/5vk/L4F6auh5ZgkkOP/gHffF + mZ59b8APVGhtQLFa9JDQ8UPYLwfGw64MOZ0xkDAZqg9uzDnuHsl3n9zXbzytDrv/ + 4Yge4NBVXIstqFwfoRlWRkl0IIeTLKd/4fbpljXFcp3HyzOmzPhCYpk445PtrsYB + SBkjxqn5mjYmE+45jTAoftGeW8HEn263gyQmrfCY2doER9Ul63kyqNHUzBAghv2h + G6ul3DZEFxtT1K/iM4MjkE/1v3msJCwfL+vRBIhmD7WQh7T6oADoSUmBJwR1dcH5 + oblTi3YqlYhZKLiOCUY5YY5n61eeB9mMc5sByX4NpHpzUy4tC4PEKsao1BYo+Bz4 + KEUBQmO2yT57qwvu4xMTqYZFgHg8F7VKo9k49QoKeRXC2GtC6WvBvn5E/AueE0pi + wmunjQY/Dq/6UL5pBgDkCuIfkZfTnnxfH5w87IZ6PBsbK1vpA5pPYNki9qLKJdXS + PkhUIxwS1tAFbJOnuD7WfHNI/8FCnCi7ljboLBXu7XtOW4BvCez3YcV3bs78E5jv + jH8r5gfubVLk/WxGiuNDhaIjFbtz+R792wQiZ500b0StQHJslDpiZqQPhCZWnKjj + JuWWB4OtGBFNt0g8raTp8JMDOT4sYJzxKPMlMFnRX6WWHpbX8OxAnXLtuen/ECbS + XgHPHKU/DDEyRG/w/Z3jyrJ7NnO9v0DkER7Q/Nti9mMQ1Mbin5rQ8HiCMuYeAdI0 + px3XVZN9U/ViFEMv0GIaUhncZZwc4A7+QyQBeFX934Y84sJe1tPXyy9YVQ8QSog= + =5LF/ + -----END PGP MESSAGE----- + fp: 3B398B086C410264A14FB353B1E6F03030A4AEAA + - created_at: "2022-08-02T09:15:13Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA1NKtoXYguTKAQ//c2EnhsGwXVxptUkpl31BouAvwh/IVz51wLXWMDnadMBH + jZe/oaYYRrlnoyVYkHMgs1WH+nReoa9KZ2SvmLUT84SagjKDL6mYeIDL93ui2w+E + 29B5i7tEcpHiP8ENepSykAEdUZXaxkfhuFlhToTD0mDCBQVElsG9iIihXQOhqxbY + yOpPpXh6jTAOmpS0rAqR+0w2vhePapNRHr9M6YAUGrfW+cKAW0FZ403jAgRKFQdV + 
MKtHkFDv9GXYcV9T5N4IArfmljRuMtF7zBS4tVyCYSStMR9tY0/7qxsQIlapayeK + CLXU5b8XMXngOHq/C3w7LaBY1K79e/Q2COlH/pUH5uxG6PTlISguDbSsagW6IhYS + ysCU0fOg7vcPXesfimcoI6cmF+6glCGky+uNhIjAIhdd3GTtq8qYAv5xF2S65SWG + hwqmzXHeypMPG/28/j2Xajp3dOdc/RI/v6s8S2RmFWDxXt6LGz7z2nTaPCSyC8Q6 + U3Oh5IxQfLnogEvM160HoEI/RnvXVEVUAjpKzVyyB0YWSy6A1n2JTQf2vCkq7z6s + iMIcqIB3Fc4OwQ9RYjFpxBYT/e61+xXApOtLTWis9Nd19pL9wgSuYW3vmntxTlhF + JAoLPL3/Cb/OvjdI//9YueizaH0cypuXa4JzqHkuVAxwecrYNI9tQlKVy0h9DArS + WAEnlputyr926wo0PStPNp3oAAjFNsKaMn1kWw29hbWpmXm/gogsKUkjRFQPMlnm + SUJZldj7PHj8MF+m8eWZd7cuTxviCVuSnNHancsnoOH03wgF8mkr5j4= + =mi+7 + -----END PGP MESSAGE----- + fp: e8dfcfbac0c3e65bbdfd62ab534ab685d882e4ca + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/modules/wireguard.nix b/modules/wireguard.nix index 4af920b..54ef541 100644 --- a/modules/wireguard.nix +++ b/modules/wireguard.nix @@ -148,8 +148,12 @@ dnsServers = lib.concatLists (lib.mapAttrsToList serverIps servers); in lib.concatStrings ([ + # will be needed for nsd + # '' + # ${pkgs.systemd}/bin/resolvectl domain ${ifName} ${name}.${config.elss.dns.wgZone} + # ${pkgs.systemd}/bin/resolvectl default-route ${ifName} true + # '' '' - ${pkgs.systemd}/bin/resolvectl domain ${ifName} ${name}.${config.elss.dns.wgZone} ${pkgs.systemd}/bin/resolvectl default-route ${ifName} true '' ] ++ (map