From 8368775f94428a6c34f76146c3f07be88f1244a2 Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Thu, 18 Jun 2026 19:59:35 -0500
Subject: poweredge add wg1 for remote connections
---
 hosts/poweredge/networking.nix | 15 +++++++++++----
 hosts/poweredge/resources/secrets/router.yaml | 17 +++++++++++++++++
 hosts/poweredge/resources/secrets/wg0-router.yaml | 16 ----------------
 3 files changed, 28 insertions(+), 20 deletions(-)
 create mode 100644 hosts/poweredge/resources/secrets/router.yaml
 delete mode 100644 hosts/poweredge/resources/secrets/wg0-router.yaml
diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix
index 8b84645..bf0aa1c 100644
--- a/hosts/poweredge/networking.nix
+++ b/hosts/poweredge/networking.nix
@@ -25,8 +25,9 @@ in { config, ... }: {
 }];
 };
- # Wireguard office tunnel secret
- sops.secrets.wg0-router.sopsFile = ./resources/secrets/wg0-router.yaml;
+ # Secrets
+ sops.secrets.router-wg0 = { sopsFile = ./resources/secrets/router.yaml; key = "wg0"; }; # Office
+ sops.secrets.router-wg1 = { sopsFile = ./resources/secrets/router.yaml; key = "wg1"; }; # Remote access
 # Router container
 containers.router = {
@@ -47,9 +48,13 @@ in { config, ... }: {
 hostAddress = "10.255.255.2";
 localAddress = "10.255.255.1";
 };
- # Bind wg0-router secret to container
+ # Bind secrets to container
 bindMounts."/run/secrets/wg0" = {
- hostPath = config.sops.secrets.wg0-router.path;
+ hostPath = config.sops.secrets.router-wg0.path;
+ isReadOnly = true;
+ };
+ bindMounts."/run/secrets/wg1" = {
+ hostPath = config.sops.secrets.router-wg1.path;
 isReadOnly = true;
 };
@@ -72,6 +77,7 @@ in { config, ... }: {
 # Setup wireguard
 wg-quick.interfaces = {
 wg0.configFile = "/run/secrets/wg0";
+ wg1.configFile = "/run/secrets/wg1";
 };
 # NAT (port-forwarding) rules
 nat.forwardPorts =[
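Review bot: The new `# Secrets` header above `sops.secrets.router-wg0` / `router-wg1` says less than the comment it replaces, and nothing in this hunk tells a reader that each sops key holds a complete wg-quick config file (private key included) rather than a bare key; only the `wg-quick.interfaces.*.configFile` lines in a later hunk make that clear. I would replace it with `# wg-quick config files for the router container's tunnels (keys wg0/wg1 in router.yaml; each embeds the interface's private key)`. The module attrset these lines sit in begins and ends outside this hunk.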
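Review bot: `wg1.configFile = "/run/secrets/wg1";` hides the remote-access listen port from the Nix side: `ListenPort` lives inside the encrypted config, while the firewall opening for UDP 51820 in the next hunk is plain Nix, so the two can drift apart without any evaluation error. If the encrypted config omits `ListenPort`, WireGuard binds a random port and the firewall rule admits nothing, and wg-quick will not complain. I would pin the coupling on the line itself: `wg1.configFile = "/run/secrets/wg1"; # remote access; the encrypted config must set ListenPort = 51820 to match firewall.allowedUDPPorts`. The attrset holding `wg-quick.interfaces` starts before this hunk.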
@@ -86,6 +92,7 @@ in { config, ... }: {
 destination = "192.168.1.45:9000";
 }
 ];
+ firewall.allowedUDPPorts = [ 51820 ]; # Allow wg1 running on router host through w/o NAT
 # Additional advanced rules
 # TODO add multi NAT feature to router service (this is just a normal nat rule)
 nftables = {
diff --git a/hosts/poweredge/resources/secrets/router.yaml b/hosts/poweredge/resources/secrets/router.yaml
new file mode 100644
index 0000000..c9ae05e
--- /dev/null
+++ b/hosts/poweredge/resources/secrets/router.yaml
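Review bot: `firewall.allowedUDPPorts = [ 51820 ];` opens the port on every interface the router container has, including the host-side veth at 10.255.255.1 shown in an earlier hunk and any LAN-facing interface, not only the upstream interface a remote-access listener needs to be reachable on. The scoped form `firewall.interfaces.<upstream>.allowedUDPPorts = [ 51820 ];` keeps the listener off internal interfaces; the upstream interface name is not visible in this hunk, so I cannot fill it in. WireGuard drops unauthenticated datagrams, so the exposure is discoverability and unsolicited-traffic load rather than access, but least privilege still argues for scoping it. The trailing comment could also state the reason more precisely, e.g. `# wg1 (remote access) terminates in this container, so accept UDP 51820 here instead of NAT-forwarding it`; the `networking` attrset this line belongs to starts outside the hunk.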
@@ -0,0 +1,17 @@
+wg0: ENC[AES256_GCM,data:hxZrOTMx2lS7dkQPV48jUbHxoNr32KSM/wG0OPY8mcgHX4FsHStdH/CN4qlkH9co90yFKjwqcJ3fHXaSbIhp3oIYTo1R2/8KggHV+az4skb7v4kzZgU5u5V2B57gIRFrPHBBq1UtDkBBpANr7zypeLPuEzvCQaZiexrsCcET7xwhsEYtVc5WlISMHhi6sFzo1AeEVfwFvIUN9geXJwP3JycYRpaNXOVYAbPwer8fYa6mnFZIk+sruCO85QNoWQ2T1wPiC9U7Ki9q+FOaOzJWGdpiG3nQdeYlDgAwoPRNi3c0J6t3CS9xC+qC0y4esOL7ay4S2dDoL9ftChQjhWaGdq5+LeyXAPlATGs5aFtBMwEecQ5OPXTri2D5m/gVLW/TGmUT5ZVPymm/wAX+m4IWK6X3FylWnlEoUh+4cBO+2zjTbXEccRuJTOEZAGIsEg==,iv:ycsGniDPFOvFFGqCgiyCWkCS8AxFV7JbXgUxDPXAFmk=,tag:uXkB8b7S3sW9noTIK4J/Zw==,type:str]
+wg1: ENC[AES256_GCM,data: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,iv:yPVAO9mfeGOZxhRAtclkmFyGE2LKPsx8rZ6M1IBYWRk=,tag:LNKvbpN2PhUAn7uoFR6mMw==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
+ b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
+ ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
+ MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
+ FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
+ lastmodified: "2026-06-18T22:59:13Z"
+ mac: ENC[AES256_GCM,data:5vci5D8lTPfDjRs4BjFMOyByZX6zk7dkvqZd2L1+J+qIdVzzWd0Ywls4UOkx6NprIJu7ZLk+zManWjkTpkJUgnKpk/m7jnbITToNmwa72t73dQkk+2DBkAs+xuwy1xCG5uukf26DPMKGD44gmFTfbHmT0BiHDgIReWAqqgnMIWE=,iv:JQ9zQJJIMsEJdQ3wt1VoiL/RG7KQAIGDA+nJe/gMj1g=,tag:VQtBYu0j3hUPXR5pnLZwoA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.1
diff --git a/hosts/poweredge/resources/secrets/wg0-router.yaml b/hosts/poweredge/resources/secrets/wg0-router.yaml
deleted file mode 100644
index 647039d..0000000
--- a/hosts/poweredge/resources/secrets/wg0-router.yaml
+++ /dev/null
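Review bot: The age `enc` stanza in this new file is byte-identical to the one in the deleted wg0-router.yaml, which means the sops data key protecting both tunnel configs was carried over from the old file (sops keeps the data key when an existing file is edited or copied) rather than freshly generated for router.yaml. That is not a break in itself, since the data key is only recoverable by the age recipient, but a file that now holds two interfaces' private keys is a good moment to run `sops rotate -i hosts/poweredge/resources/secrets/router.yaml` so it gets its own data key. The file is also encrypted to the single recipient `age1zfvmt2...`; if that is the poweredge host key, nobody but the host can re-encrypt it after a key rotation, so listing an operator or recovery key as a second recipient in `.sops.yaml` is the usual safeguard. Which key the recipient corresponds to is not visible here.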
@@ -1,16 +0,0 @@
-wg0-router: ENC[AES256_GCM,data:MGgB2vdRHgLlFjqB8miSE4myIGWdZazsvDfNUvYS7fM57NM6fzylHz1zle3nwNIysclPCQt9PSZqAJUkdZ5d0ocMhsnbpL9iKBiTHtqdl0KfDkKctWxi8sr3NqNPkW9uJD26aDA8Ti3OWM3JFIyxUb9KT53nZZLHpwpcygeEbfYMMTpKbUf68gMAClvYDg0mHwxVYbZT6aLqZewORBT1JkEPClone00YXizedWGzMsJ/p6b6mQz/HfbEdfq95EWTKSkHRYLPosXCikrJ6VV+uQt0dNS/Gqe0vfocYQUqcK9dt37n7q40Fh2oJgPwMsTj7lTJiAE87GqmpGuRsfbSF+Fr2pu4RRbm9iulzy13PcdrRPrjSKtM6oh/d13T7Yv8MJQTZDNWWsG9ApCXLqH8mF6pFckEtrWSB0sQQEt9ITkIs82t0kwgGh/fsig0cQ==,iv:AX2lb8By/hL5EWodLqGq8KvymkRyytZSGBpvydvBQcU=,tag:iadygaObGVNzvihxbtQRtw==,type:str]
-sops:
- age:
- - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOFFVRFl2MDhiUVRPdnZJ
- b3BSZ0pSaG8vR3o3SGlmVENvN3ZObHU3eUc4CmJrdk8rbXpBMWhTZ2hvdlk0VWo1
- ejdnTDR4bFlUUXc4Smd0NEp6b3crZFUKLS0tIFBsQUdRWjZLSDY1ZlFaRDdLOVhs
- MFFGY0NSU3NaK2U0U1NndUIyYm54ZWsKZ6q9j1fNaNSzBA0rbZYyUWt3U2V/7/9/
- FZTKd8mH/uCoxvK8unlVZ9uYNADRh2smp7LwK1AWie/6khAIFqVBeg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-06-13T18:52:56Z"
- mac: ENC[AES256_GCM,data:s7zE/odQ1AAgAjeUGT1ROe/zGQWz2JP7jh04/sY87gQ8xfgG2PJVlsyW1dZvzHesAf/1UqCaY9rYhZ4xo/GN8JTo2P9QqX38Mg/YNPk+GSpZ4TMGpxBHqb1DOPkDWvE9K43bm35GHluDBA7aOjkqMT9VaQHvYtHS+vLsdiGtyFw=,iv:javBbSBq3qkF25iLZgHthfS/OFDH6DTsnGNmIR/LrN4=,tag:Zs7ckugLHY/cjCWTaImzSg==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.12.1
-- cgit v1.2.3