From 121e2f5004e109c5fc9530d136aae497061b8ef7 Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Sat, 18 Jun 2022 11:49:27 +0200
Subject: [PATCH] oxalab: init

---
 .sops.yaml | 7 +++++
 flake.nix | 6 ++---
 hosts/cirrus/configuration.nix | 7 +----
 hosts/cirrus/default.nix | 8 ++++++
 hosts/cirrus/wireguard-server.nix | 43 +++++++++++++++++++++++++++++++
 hosts/dishwasher/default.nix | 8 ++++++
 hosts/dishwasher/oxalab.nix | 32 +++++++++++++++++++++++
 hosts/dishwasher/secrets.nix | 9 +++++++
 hosts/microwave/secrets.nix | 3 ++-
 modules/wireguard.nix | 19 +++++++++++---
 secrets/dishwasher/secrets.yaml | 42 ++++++++++++++++++++++++++++++
 11 files changed, 170 insertions(+), 14 deletions(-)
 create mode 100644 hosts/cirrus/default.nix
 create mode 100644 hosts/cirrus/wireguard-server.nix
 create mode 100644 hosts/dishwasher/default.nix
 create mode 100644 hosts/dishwasher/oxalab.nix
 create mode 100644 hosts/dishwasher/secrets.nix
 create mode 100644 secrets/dishwasher/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 0918512..f878cb3 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
 - &admin_oxa DD0998E6CDF294537FC604F991FA5E5BF9AA901C
 - µwave age1eysr2m8ust6gq9jk88lpzzcy8gdrzlts69zlfqul766t6gvqw9qq24z68l
 - &cirrus age1qm70jkg7us4ft4x3nh7kwxlul022kteescjj83ywvjhysj6nsq5sw7l6p8
+ &dishwasher age1cxlskqynwl5njjm0qf363308dsjwxjq59rq7pn6ucpscpzpvry4qwtpx73
 creation_rules:
 - path_regex: secrets/microwave/[^/]+\.yaml$
 key_groups:
@@ -15,3 +16,9 @@ creation_rules:
 - *admin_oxa
 age:
 - *cirrus
+ - path_regex: secrets/dishwasher/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *admin_oxa
+ age:
+ - *dishwasher
diff --git a/flake.nix b/flake.nix
index c0a7da2..cc9a3fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,7 +39,7 @@
 system = "x86_64-linux";
 modules = [
 sops-nix.nixosModules.sops
- ./hosts/cirrus/configuration.nix
+ ./hosts/cirrus
 ./modules/basic-tools.nix
 ];
 };
@@ -47,8 +47,8 @@
 system = "x86_64-linux";
 modules = [
 sops-nix.nixosModules.sops
- #microvm.nixosModules.host
- ./hosts/dishwasher/configuration.nix
+ microvm.nixosModules.host
+ ./hosts/dishwasher
 ./modules/basic-tools.nix
 ];
 };
diff --git a/hosts/cirrus/configuration.nix b/hosts/cirrus/configuration.nix
index 0054a64..d26af82 100644
--- a/hosts/cirrus/configuration.nix
+++ b/hosts/cirrus/configuration.nix
@@ -5,11 +5,6 @@
 { config, pkgs, ... }:
 {
- imports =
- [ # Include the results of the hardware scan.
- ./hardware-configuration.nix
- ];
-
 # Use the GRUB 2 boot loader.
 boot.loader.grub.enable = true;
 boot.loader.grub.version = 2;
@@ -27,7 +22,7 @@
 networks."uplink" = {
 matchConfig = { Name = "enp1s0"; };
 networkConfig = {
- DHCP="yes";
+ DHCP="yes"; # hetzner suggests this as default
 };
 };
 };
diff --git a/hosts/cirrus/default.nix b/hosts/cirrus/default.nix
new file mode 100644
index 0000000..7864357
--- /dev/null
+++ b/hosts/cirrus/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./configuration.nix
+ ./secrets.nix
+ ./wireguard-server.nix
+ ];
+}
diff --git a/hosts/cirrus/wireguard-server.nix b/hosts/cirrus/wireguard-server.nix
new file mode 100644
index 0000000..742912e
--- /dev/null
+++ b/hosts/cirrus/wireguard-server.nix
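Review bot: `./secrets.nix` is imported for cirrus here, but this commit touches neither hosts/cirrus/secrets.nix nor a secrets/cirrus sops file, while the new hosts/cirrus/wireguard-server.nix reads `config.sops.secrets."wg/oxalab-seckey".path`; unless cirrus already declares that secret (microwave and dishwasher get it explicitly in this patch), evaluating the cirrus configuration fails on the missing attribute. If it is declared, it also has to be readable by systemd-networkd, e.g. `"wg/oxalab-seckey" = { owner = "root"; group = "systemd-network"; mode = "0440"; };`, because sops-nix's default is a root-only 0400 file and systemd.netdev(5) requires the PrivateKeyFile= target to be readable by the systemd-network user.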
@@ -0,0 +1,43 @@
+{ config, ... }:
+{
+ systemd.network = {
+ netdevs."oxalab" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "oxalab";
+ Description = "oxa's enterprise network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
+ ListenPort = 51820;
+ # own pubkey: 5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=
+ };
+ wireguardPeers = [
+ {
+ # microwave
+ wireguardPeerConfig = {
+ # nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI
+ PublicKey = "0zpfcNrmbsNwwbnDDX4SMl4BVTB0zuhGKixT9TJQoHc=";
+ AllowedIPs = [ "10.66.66.10/32" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ {
+ # Dishwasher
+ wireguardPeerConfig = {
+ # nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI
+ PublicKey = "xrremJFIcxwR6snoTUK+mytjez60I91XE120OQGQ7gc=";
+ AllowedIPs = [ "10.66.66.100/32" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."oxalab" = {
+ matchConfig.Name = "oxalab";
+ networkConfig = {
+ Address = "10.13.37.1";
+ };
+ };
+ };
+}
diff --git a/hosts/dishwasher/default.nix b/hosts/dishwasher/default.nix
new file mode 100644
index 0000000..c50e6cf
--- /dev/null
+++ b/hosts/dishwasher/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./secrets.nix
+ ./oxalab.nix
+ ];
+}
diff --git a/hosts/dishwasher/oxalab.nix b/hosts/dishwasher/oxalab.nix
new file mode 100644
index 0000000..b6521cf
--- /dev/null
+++ b/hosts/dishwasher/oxalab.nix
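Review bot: `Address = "10.13.37.1"` in the networks."oxalab" section does not match the addressing the rest of this patch uses: both peers are admitted with 10.66.66.x/32 AllowedIPs and are told the server side is 10.66.66.0/24, so nothing addressed to 10.13.37.1 will be carried by this tunnel, and 10.13.37.0/24 is already the wg-dvb range on microwave in modules/wireguard.nix. `Address = "10.66.66.1/24";` fixes the mismatch and, unlike the bare address without a prefix length, gives networkd an on-link route for the peer subnet. `ListenPort = 51820` also needs `networking.firewall.allowedUDPPorts = [ 51820 ];` on cirrus unless the firewall is disabled somewhere this patch does not show. The two `# nextcloud down, have to keep things in here: https://…` comments say nothing about the peers; `# microwave's wg/oxalab-seckey pubkey` and `# dishwasher's wg/oxalab-seckey pubkey` would, and PersistentKeepalive on the listening side is unnecessary (though harmless).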
@@ -0,0 +1,32 @@
+{ config, ... }:
+{
+ systemd.network = {
+ netdevs."oxalab" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "oxalab";
+ Description = "oxa's enterprise network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
+ };
+ wireguardPeers = [
+ {
+ # cirrus
+ wireguardPeerConfig = {
+ PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
+ AllowedIPs = [ "10.66.66.0/24" ];
+ Endpoint = [ "95.216.166.21:51820" ];
+ PersistentKeepalive = 25;
+ };
+ }
+ ];
+ };
+ networks."oxalab" = {
+ matchConfig.Name = "oxalab";
+ networkConfig = {
+ Address = "10.13.37.100";
+ };
+ };
+ };
+}
diff --git a/hosts/dishwasher/secrets.nix b/hosts/dishwasher/secrets.nix
new file mode 100644
index 0000000..679c511
--- /dev/null
+++ b/hosts/dishwasher/secrets.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+{
+ sops.defaultSopsFile = ../../secrets/dishwasher/secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets = {
+ "wg/oxalab-seckey" = { };
+ };
+}
diff --git a/hosts/microwave/secrets.nix b/hosts/microwave/secrets.nix
index b343ec8..d7f439c 100644
--- a/hosts/microwave/secrets.nix
+++ b/hosts/microwave/secrets.nix
@@ -1,11 +1,12 @@
 { config, ... }:
 {
- sops.defaultSopsFile = ../../secrets/secrets.yaml;
+ sops.defaultSopsFile = ../../secrets/microwave/secrets.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 sops.secrets = {
 "wg/wg-zw-seckey" = { };
 "wg/wg-dvb-seckey" = { };
 "wg/mlwd-nl-seckey" = { };
+ "wg/oxalab-seckey" = { };
 };
 }
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index 17be0d0..84287a7 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
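Review bot: `Address = "10.13.37.100"` in networks."oxalab" is outside the 10.66.66.0/24 that this peer's AllowedIPs and cirrus's entry for dishwasher (`AllowedIPs = [ "10.66.66.100/32" ]`) use, so packets sourced from it are dropped by the server's cryptokey routing, and with no prefix length there is no on-link route for 10.66.66.0/24 either; as far as I recall networkd does not derive routes from AllowedIPs unless RouteTable= is set. `Address = "10.66.66.100/24";` matches the server side and installs the subnet route. The endpoint is a bare IP pinned in two places (here and in modules/wireguard.nix); a short comment naming the host it belongs to would help the next edit keep them in sync.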
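Review bot: `"wg/oxalab-seckey" = { };` leaves the decrypted key with sops-nix's defaults (owner root, mode 0400), but on this host it is consumed by systemd-networkd through PrivateKeyFile= in oxalab.nix, and systemd.netdev(5) requires that file to be readable by the systemd-network user; presumably networkd will fail to load the key and the tunnel never handshakes. Declare it as `"wg/oxalab-seckey" = { owner = "root"; group = "systemd-network"; mode = "0440"; };`. The microwave entry in the next hunk can stay root-only, since that host consumes the key via networking.wireguard, which runs as root.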
@@ -14,18 +14,17 @@
 }
 ];
 };
+
 wg-dvb = {
 privateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path;
 address = [ "10.13.37.3/32" ];
- peers = [
- {
+ peers = [ {
 publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
 allowedIPs = [ "10.13.37.0/24" ];
 endpoint = "academicstrokes.com:51820";
 persistentKeepalive = 25;
- }
- ];
+ } ];
 };
 mlwd-nl = {
@@ -39,5 +38,17 @@
 endpoint = "92.60.40.194:51820";
 }];
 };
+
+ oxalab = {
+ privateKeyFile = config.sops.secrets."wg/oxalab-seckey".path;
+ address = [ "10.66.66.10/32" ];
+
+ peers = [{
+ publicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
+ allowedIPs = [ "10.66.66.0/24" ];
+ endpoint = "95.216.166.21:51820";
+ persistentKeepalive = 25;
+ }];
+ };
 };
 }
diff --git a/secrets/dishwasher/secrets.yaml b/secrets/dishwasher/secrets.yaml
new file mode 100644
index 0000000..b7462eb
--- /dev/null
+++ b/secrets/dishwasher/secrets.yaml
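Review bot: the new `oxalab` interface routes `allowedIPs = [ "10.66.66.0/24" ]` to cirrus from 10.66.66.10, but this same module already gives `wg-dvb` `allowedIPs = [ "10.13.37.0/24" ]`, so the 10.13.37.1 that hosts/cirrus/wireguard-server.nix assigns itself in this patch is routed into wg-dvb from microwave, never into oxalab. Keep the oxalab side consistently inside 10.66.66.0/24 (server at 10.66.66.1) rather than borrowing from the wg-dvb range. A `# cirrus` comment on the peer, as the dishwasher side has, would make the hard-coded `endpoint = "95.216.166.21:51820"` easier to track when the server moves.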
@@ -0,0 +1,42 @@ +wg: + oxalab-seckey: ENC[AES256_GCM,data:CEUuCAiWBWk/Elxx9B/SerbwYUrQ8Eai0/TGr+yOf6YWBrbOwEJROFrFmrQ=,iv:g5gjJtWYRnxZ9WOwaj0xHV9Zz0E1hFdPZxLhL4ctxnE=,tag:vXkUzWxCI4AnKCauFEyCaA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1cxlskqynwl5njjm0qf363308dsjwxjq59rq7pn6ucpscpzpvry4qwtpx73 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNejc1V2U5OWZIU0VJNE5U + dzRsK1FzY2QrQWlmVHRIRVBpNS9RS0ZBR1ZJClFMKzk5VjZNREFGb3BPODJVNUhz + c2x4V2tlQXhLTXRSU2VsdVpuUk1Hd2cKLS0tIEZPbW9VWkJtTzdwV1d5RklabXdw + SU4vSm1IOXdrWUZHeThlS1Z3UlJOaE0KB62h4F8qu/ZSkCcRMTJxtJXgv5VX7ZyB + pKSCDwtQWP/t38j2AlXMaeGag4lRchZZ0+MiVMn8cAXlq8OJGz4w/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-06-18T09:32:06Z" + mac: ENC[AES256_GCM,data:CkFQvw8s16Z6XDDiJKZftxImoVLcTlEQWfebpjy+zkuyps+AU7B7sFQmbTJkmDrjCc/rYYJz+ktrwBRxIApOyYGiG9kW5FxhgViBX+F8cTxbITp/Z2Pv/51/v+x/expF3OO6dTXqZHzlnx9Zl++5RZwvejHfakkHgsABdJlXs+w=,iv:WKIuAK/fuh7uyVxuRVtoum4H+8Ludl12wqy48ni0D7c=,tag:IC7F/sqghYnOgy/xeHTtGw==,type:str] + pgp: + - created_at: "2022-06-18T09:31:26Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7zUOKwzpAE7ARAAh8M1g7HlNSYQq91QgFmhdGGN5EkG1dD87jMmWODdPDl9 + 7Vks3LobDHymAhz1dOweYOwk1GdUHYOsst14fEilYjVDeXHblbxm9Js4fcBSinyh + 3KBOrFM/2Zb8nYor1mK5hFQDSFG3jxyaYRzCkCAR2Xfa6vpVftTezDQQY3oFZk5C + nB0SHnoR91LBQpsX+VRfMf/hKib5vXCxsOmmV3fgZ3pp9M/xNABf9gqCVCO12pSb + jvOOEQ11fgTBDQ8xX0nooHHUe1HAz5/lp7k6XqY4SgaFozPABCmB8RUEmQSFvs5F + mkhGnoyT9RSYnn1Ekgnm0pldPLo0wsgI3A5LqDaZt8b+ulhaobEIy5vLCLbTP08V + XgL7Jl1rzQ8qpARRpsyBM0qdqPSkqK5slTLulgms2Q9CPgYhTI4MQ7pE8R4hEjrx + 4Z+Bi0LxtIfVWaC7OtbFXiIFreLSZnyBlQF0H/c+KLa4iSwtK6rF5//gd01VE1We + be0AisVxq1SsMxl6RwX8rQ5FMnkO/RY6C1gbjl1890wXFixGIPFWN4qS82xFXOI4 + SWgFtXc13fHigN/Skp+QSSMqx6aAeq94iXvAhiGYIBVCGDsZDk33z3xmSnnarQL3 + WXZBeczzyzHSeMNFrZFZLTssT1ap2gAOW2G86Fgo89yPRGP2ES8QSANsN3Y8eJ/S + 5gHvzx9cw/NwNiqmugIVJ2lB3Oz3YTDLNR5EILs11V8lLfCHH2RlqYsHamfldDCm + 
0wsWiAbzGeW3RkoM90YhI8XkVsIX9WgX5I2fVqQMMj68nuI0eAEBAA== + =lhTv + -----END PGP MESSAGE----- + fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C + unencrypted_suffix: _unencrypted + version: 3.7.2