From 1733cf5b1f630aafa127771a2c657f1e106e0d80 Mon Sep 17 00:00:00 2001
From: Grigory Shipunov
Date: Sun, 19 Jun 2022 22:09:13 +0200
Subject: [PATCH] oxaproxy: init
---
 hosts/cirrus/secrets.nix | 3 +++
 hosts/cirrus/wireguard-server.nix | 25 ++++++++++++++++++++++++-
 secrets/cirrus/secrets.yaml | 5 +++--
 3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/hosts/cirrus/secrets.nix b/hosts/cirrus/secrets.nix
index f6da490..df095a7 100644
--- a/hosts/cirrus/secrets.nix
+++ b/hosts/cirrus/secrets.nix
@@ -7,5 +7,8 @@
 "wg/oxalab-seckey" = {
 owner = config.users.users.systemd-network.name;
 };
+ "wg/oxaproxy-seckey" = {
+ owner = config.users.users.systemd-network.name;
+ };
 };
 }
diff --git a/hosts/cirrus/wireguard-server.nix b/hosts/cirrus/wireguard-server.nix
index 2d939c0..0f28114 100644
--- a/hosts/cirrus/wireguard-server.nix
+++ b/hosts/cirrus/wireguard-server.nix
@@ -1,8 +1,9 @@
 { config, ... }:
 {
- networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.allowedUDPPorts = [ 51820 51821 ];
 networking.wireguard.enable = true;
 systemd.network = {
+ # oxalab
 netdevs."oxalab" = {
 netdevConfig = {
 Kind = "wireguard";
@@ -42,5 +43,27 @@
 IPForward = "ipv4";
 };
 };
+
+
+ # oxaproxy
+ netdevs."oxaproxy" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "oxaproxy";
+ Description = "oxa's enterprise reverse-proxy network";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
+ #own pubkey 0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=
+ ListenPort = 51821;
+ };
+ wireguardPeers = [ ];
+ };
+ networks."oxaproxy" = {
+ matchConfig.Name = "oxaproxy";
+ networkConfig = {
+ Address = "10.34.45.1/24";
+ };
+ };
 };
 }
diff --git a/secrets/cirrus/secrets.yaml b/secrets/cirrus/secrets.yaml
index 359a64c..4a8b09c 100644
--- a/secrets/cirrus/secrets.yaml
+++ b/secrets/cirrus/secrets.yaml
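Review bot: In hosts/cirrus/wireguard-server.nix, hunk `@@ -1,8 +1,9 @@`, the new port 51821 is a bare literal in `allowedUDPPorts` and is repeated as `ListenPort = 51821;` in the oxaproxy netdev added by the later hunk, so the firewall opening and the listener can drift apart on a later edit. Binding the value once, for example `let oxaproxyPort = 51821; in` ahead of the attribute set, and writing `[ 51820 oxaproxyPort ]` and `ListenPort = oxaproxyPort;` keeps the opened port and the listening port in step. The same presumably holds for 51820, but the oxalab `ListenPort` line is outside the visible hunks.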
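Review bot: In hosts/cirrus/wireguard-server.nix, hunk `@@ -42,5 +43,27 @@`, the new oxaproxy network is created on a host where another network sets `IPForward = "ipv4";` (the first context line of the hunk, apparently part of the oxalab network, whose definition starts outside the hunk). With systemd-networkd of this period that option switches on the kernel's global IPv4 forwarding, so once entries are added to `wireguardPeers`, traffic between 10.34.45.0/24 and the other tunnel would be routed unless a forward-chain rule stops it, and no such rule is visible in this patch. If the two networks are meant to stay separate, say so next to the block, e.g. `# oxaproxy: must not route to/from oxalab; enforced by <forward rule location>`, and add the matching filter rule. A short comment on `wireguardPeers = [ ];` such as `# peers added later; 51821 is open but no peer can authenticate yet` would also explain why the port is opened before any peer exists.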
@@ -1,5 +1,6 @@
 wg:
 oxalab-seckey: ENC[AES256_GCM,data:XOBmfM82l686jvqjiqy+VdIollpaX+h1j609j+70CE7thA3CJki2W0neDC0=,iv:6/lsg7r/GHasNWV8lOheEMpoW5HWuRgHtdlGEqK0Dbo=,tag:I1PJC99omIfygb9T1cN1hg==,type:str]
+ oxaproxy-seckey: ENC[AES256_GCM,data:CpFezqXTvt8kpfgkGOY8B0PAMpllSME6UnQ6LsboBJIchbJdeDh7kNOWM5I=,iv:nDHeXMgljendSFprl61Eg5U0YYNP8DAhX10QCyjDDm0=,tag:0FatosVdGl93op5fZl41nA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -15,8 +16,8 @@ sops:
 dkFwVkVHR3hsMUlpRzY4Wm5LYXZlYzgKZC8dlewbtxo0KIQWQ6sy2Kv/qRgNJY3H
 XGfb11bFdmmfiTY98KsfuhY9nRQRUlRMfjc7pHztUk2hVMEIN8WkXg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-06-17T11:47:49Z"
- mac: ENC[AES256_GCM,data:mB02yyuVAzneQBrIWKphYos9orFk4emwPZh97TUvu7HREZn2Qte7WSHF9R30pnUiLMj1iMESFGbvR0hKZlQa/XmqB1/87u6I/0JIiPHajTy2FEs4HBd2Z5WaQ2bIki8sEWuOenTAL9xFyvjzRFjDM9pWons2fXy0l05HjQLwkFE=,iv:IboNxYf4TDK/ziuU7n3IUvHfbqpbZn9hJ+IGuhRvI04=,tag:jB5y79Q/kano06ZlIVEkfA==,type:str]
+ lastmodified: "2022-06-19T20:06:54Z"
+ mac: ENC[AES256_GCM,data:cbgablJmCln1886/QiYWx767ZEMTHlSCIdlK2mtXGveRW0+cOoRopuSii2xalCWDxfX7Q4PYBlb2f47tyAP+1S2gJa1WkI8HR5uAXn1ktVJWs25GStKwKW2oZdfCLKW19059W3r4WaCgx2asdeBW5nzF0wXN7J8Cmc3tO9wQ7W0=,iv:zfiK7LCMOTZEwJmySEjRBgVfU4TkJl7xRG+Jn0ykyTw=,tag:ANA6Dkt8dLA9BUmnQPjwAQ==,type:str]
 pgp:
 - created_at: "2022-06-17T11:46:30Z"
 enc: |-