oxaproxy: init

2022-06-19 22:09:13 +02:00 · 2022-06-19 22:09:13 +02:00 · 1733cf5b1f
commit 1733cf5b1f
parent b84bd0c69f
3 changed files with 30 additions and 3 deletions
--- a/hosts/cirrus/secrets.nix
+++ b/hosts/cirrus/secrets.nix
@ -7,5 +7,8 @@
    "wg/oxalab-seckey" = {
      owner = config.users.users.systemd-network.name;
    };
+    "wg/oxaproxy-seckey" = {
+      owner = config.users.users.systemd-network.name;
+    };
  };
 }
--- a/hosts/cirrus/wireguard-server.nix
+++ b/hosts/cirrus/wireguard-server.nix
@ -1,8 +1,9 @@
 { config, ... }:
 {
-  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.allowedUDPPorts = [ 51820 51821 ];
  networking.wireguard.enable = true;
  systemd.network = {
+    # oxalab
    netdevs."oxalab" = {
      netdevConfig = {
        Kind = "wireguard";
@ -42,5 +43,27 @@
        IPForward = "ipv4";
      };
    };
+
+
+    # oxaproxy
+    netdevs."oxaproxy" = {
+      netdevConfig = {
+        Kind = "wireguard";
+        Name = "oxaproxy";
+        Description = "oxa's enterprise reverse-proxy network";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
+        #own pubkey 0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=
+        ListenPort = 51821;
+      };
+      wireguardPeers = [ ];
+    };
+    networks."oxaproxy" = {
+      matchConfig.Name = "oxaproxy";
+      networkConfig = {
+        Address = "10.34.45.1/24";
+      };
+    };
  };
 }
--- a/secrets/cirrus/secrets.yaml
+++ b/secrets/cirrus/secrets.yaml
@ -1,5 +1,6 @@
 wg:
    oxalab-seckey: ENC[AES256_GCM,data:XOBmfM82l686jvqjiqy+VdIollpaX+h1j609j+70CE7thA3CJki2W0neDC0=,iv:6/lsg7r/GHasNWV8lOheEMpoW5HWuRgHtdlGEqK0Dbo=,tag:I1PJC99omIfygb9T1cN1hg==,type:str]
+    oxaproxy-seckey: ENC[AES256_GCM,data:CpFezqXTvt8kpfgkGOY8B0PAMpllSME6UnQ6LsboBJIchbJdeDh7kNOWM5I=,iv:nDHeXMgljendSFprl61Eg5U0YYNP8DAhX10QCyjDDm0=,tag:0FatosVdGl93op5fZl41nA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,8 +16,8 @@ sops:
            dkFwVkVHR3hsMUlpRzY4Wm5LYXZlYzgKZC8dlewbtxo0KIQWQ6sy2Kv/qRgNJY3H
            XGfb11bFdmmfiTY98KsfuhY9nRQRUlRMfjc7pHztUk2hVMEIN8WkXg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-06-17T11:47:49Z"
-    mac: ENC[AES256_GCM,data:mB02yyuVAzneQBrIWKphYos9orFk4emwPZh97TUvu7HREZn2Qte7WSHF9R30pnUiLMj1iMESFGbvR0hKZlQa/XmqB1/87u6I/0JIiPHajTy2FEs4HBd2Z5WaQ2bIki8sEWuOenTAL9xFyvjzRFjDM9pWons2fXy0l05HjQLwkFE=,iv:IboNxYf4TDK/ziuU7n3IUvHfbqpbZn9hJ+IGuhRvI04=,tag:jB5y79Q/kano06ZlIVEkfA==,type:str]
+    lastmodified: "2022-06-19T20:06:54Z"
+    mac: ENC[AES256_GCM,data:cbgablJmCln1886/QiYWx767ZEMTHlSCIdlK2mtXGveRW0+cOoRopuSii2xalCWDxfX7Q4PYBlb2f47tyAP+1S2gJa1WkI8HR5uAXn1ktVJWs25GStKwKW2oZdfCLKW19059W3r4WaCgx2asdeBW5nzF0wXN7J8Cmc3tO9wQ7W0=,iv:zfiK7LCMOTZEwJmySEjRBgVfU4TkJl7xRG+Jn0ykyTw=,tag:ANA6Dkt8dLA9BUmnQPjwAQ==,type:str]
    pgp:
        - created_at: "2022-06-17T11:46:30Z"
          enc: |-