commit 0cd772dbd7a82bb71001a13429e84a0f22048f5f parent aa305226c8e6a2a6ed0b2794757be6b02c517b84 Author: Vincent Demeester <vincent@sbr.pm> Date: Tue, 26 Oct 2021 14:13:55 +0200 systems: add machines.nix temporarly… … migrating it to ops/hosts, but for the time being, moving it there. Signed-off-by: Vincent Demeester <vincent@sbr.pm> Diffstat:
M | .gitignore | | | 1 | - |
A | secrets/machines.nix | | | 219 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
2 files changed, 219 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore @@ -2,7 +2,6 @@ result* hostname *.retry -assets/machines.nix docs/sitemap.org tools/emacs/emacs.pdmp tools/emacs/recentf diff --git a/secrets/machines.nix b/secrets/machines.nix @@ -0,0 +1,219 @@ +let + invert-suffix = ip: + let + elts = builtins.split "[\.]" ip; + in + "${builtins.elemAt elts 6}.${builtins.elemAt elts 4}"; + gpgRemoteForward = { + bind.address = "/run/user/1000/gnupg/S.gpg-agent"; + host.address = "/run/user/1000/gnupg/S.gpg-agent.extra"; + }; + gpgSSHRemoteForward = { + bind.address = "/run/user/1000/gnupg/S.gpg-agent.ssh"; + host.address = "/run/user/1000/gnupg/S.gpg-agent.ssh"; + }; + home = { + ips = { + aomi = "192.168.1.23"; + dev = "192.168.1.60"; + hokkaido = "192.168.1.115"; + honshu = "192.168.1.17"; + kobe = "192.168.1.18"; + naruhodo = "192.168.1.36"; + okinawa = "192.168.1.19"; + sakhalin = "192.168.1.70"; + shikoku = "192.168.12.40"; + synodine = "192.168.1.20"; + wakasu = "192.168.1.77"; + }; + }; + wireguard = { + ips = { + kerkouane = "10.100.0.1"; + shikoku = "10.100.0.2"; + #honshu = "10.100.0.4"; + aomi = "10.100.0.17"; + hokkaido = "10.100.0.5"; + wakasu = "10.100.0.8"; + ipad = "10.100.0.3"; + vincent = "10.100.0.9"; + honshu = "10.100.0.10"; + houbeb = "10.100.0.13"; + okinawa = "10.100.0.14"; + naruhodo = "10.100.0.15"; + sakhalin = "10.100.0.16"; + }; + kerkouane = { + allowedIPs = [ "${wireguard.ips.kerkouane}/32" ]; + publicKey = "+H3fxErP9HoFUrPgU19ra9+GDLQw+VwvLWx3lMct7QI="; + }; + shikoku = { + allowedIPs = [ "${wireguard.ips.shikoku}/32" ]; + publicKey = "3+Y2IwvKojoGBbFoCwf6lvfrSjf99u4khR4k+MIuymw="; + }; + honshu = { + allowedIPs = [ "${wireguard.ips.honshu}/32" ]; + publicKey = "P206gLsHo/wf5zZK0IB4IbTuvDkmBL69PMqrG9Zrim4="; + }; + hokkaido = { + allowedIPs = [ "${wireguard.ips.hokkaido}/32" ]; + publicKey = "3/dL6eRELjtKNs40JVcd7DPsPmH4MFRUBntpy93JWUo="; + }; + wakasu = { + allowedIPs = [ "${wireguard.ips.wakasu}/32" ]; + publicKey = "U10ozKSCnTm8aD5i6UULSJHQPouoswtNkwFI3P9Lw3Y="; + }; + vincent = { + allowedIPs = [ "${wireguard.ips.vincent}/32" ]; + publicKey = "z74GLurvsLPOkep9ddw6x+NeUvgBvnqpIwxvSTKGxxQ="; + }; + ipad = { + allowedIPs = [ "${wireguard.ips.ipad}/32" ]; + publicKey = "6viS+HqkW+qSj4X+Sj8n1PCJ6QIaZsOkmFQytlRvRwk="; + }; + # kobe = { + # allowedIPs = [ "${wireguard.ips.kobe}/32" ]; + # publicKey = "vzRFxFNK83HHilXoXlw71bPvy1KJNUfbTMw6MMSaQVs="; + # }; + houbeb = { + allowedIPs = [ "${wireguard.ips.houbeb}/32" ]; + publicKey = "tzanPdQBkD6FrWjalZAuc3G9PtLgHjPVCBjvJDCgdSw="; + }; + okinawa = { + allowedIPs = [ "${wireguard.ips.okinawa}/32" ]; + publicKey = "P5Sa2idRYSf9TZz0OMjfNNL8+Ue2GErBI6xhUrkrYUk="; + }; + sakhalin = { + allowedIPs = [ "${wireguard.ips.sakhalin}/32" ]; + publicKey = "OAjw1l0z56F8kj++tqoasNHEMIWBEwis6iaWNAh1jlk="; + }; + aomi = { + allowedIPs = [ "${wireguard.ips.aomi}/32" ]; + publicKey = "XT4D9YLeVHwMb9R4mhBLSWHYF8iBO/UOT86MQL1jnA4="; + }; + naruhodo = { + allowedIPs = [ "${wireguard.ips.naruhodo}/32" ]; + publicKey = "XXyyJ9GlIiZnUm+Bkpz+NSrFiosjfY4FB2PgLXVPLkI="; + }; + }; + ssh = { + yubikey = { + key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCDr3bRw6r43BVOltmTXtDQAtZlJ/viBrCb58fG8suSdO97xLEGukZzf1QX46aXQEsenfKOalcd+OrukcoVIiZtlh1BHAaBB09Q0vKjtB1zKcUdZQYb6kA21/ItpW3gNsZq5M98QpwS9soJOLSccQosDoVBWDcHx72Kpzp2x4seKyAIpb1gtPnQjnnwA7urTcANw7CU8lmB3UtJZNPHclJNKso7h0ZBapausk9t0xGP18rmzQAe2ipa6pwUzS5rRq+j0LiY/JZQaQWBfc1i3IcKictKW5EykKmywJcwmr/PcTdcgTT4FaD+b1t1QAPLV82HxGzOYQO+/WBptBdq7Ss5 openpgp:0x86ADD81F"; + authorized = true; + }; + yubikey5 = { + key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJoArpBsTXr3m6q2QnA1vI1DSwmgdU0OAp7DUxcxl9CJfeZIEs/iAerk8jmHgJ2xCEF6SpzI0FWSQIXy8dKpF4wLJ0tCoq5LqQx3jEzy3NUBLfxK+/Baa1te4qG2YImlgnzmEEm5uZlCGZRY2L/U9+4Hwo1AgD69Zzin6QGh2pyTWpmZ/WyhwIfGgqsnlM9XlaVzlMHYfStDi+rUU6XEAfdSqo1SnWKDBHc3mDYGTVhfAlt2LucLKu7oI2MsSlSxva072BExctadtB3TGHbt8gRJZj8CdwgRNhT+hFfbsL6YDvQn6dhTSMuiD8sBEvVble0Nj4p+Q6ROCRIuMuhgh3 cardno:000610153832"; + authorized = true; + }; + kerkouane = { + port = 20000; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtEnw+3WMa9ESRyKdBUp/OHd8NPQdHLoqQ58L3YXF1o vincent@kerkouane"; + authorized = true; + }; + california = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICl4uBPx98p0m1ra4nKxaDvCP8TCou5J10gFUpYAuzp9 u0_a103@localhost"; + }; + hokkaido = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcmRh9Khviqrl9wPPzogW9vTMAtkFc0HfWQ5kgvOpCw vincent@hokkaido"; + authorized = true; + }; + wakasu = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKP+HQUk3GEjXuAqbb2psiLfLcBd/lcYHx57yANPhdzw vincent@wakasu"; + authorized = true; + }; + vincent = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINsbGtpU/w7Ff3O7hJ1QoO/5CuCrssBXrT+iHev/+rbf Generated By Termius"; + }; + kobe = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqGw3BHWvCtVr1YPlsUSO2Hw8wJ67jdajnOlROX2H/Y vincent@kobe"; + }; + houbeb = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUnBCTxRoIDhExcSaiirM5nf2PIcTMDUodYlGNvqfmD Generated By Termius"; + }; + phantom = { + key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDm23WasboyoiYcaCyxb/DWXRwWXR183gHwOcWTGMKZaYy0WMAWkBUPJjD5s7tlib2D7GJIoBqoPRvNQbmUdxFle+CftY7aj7oP7s0FlbNzFmybTzcZ/3zkkkKAOw2USw3saQ4kd8IqyACo9TsfhajX8jsrrHl3dzyjqTDWlcJmETUGpdYbSA7E3WavzPF2x3/kFcA5cmoYgpcFpGgXAKvaG2IFONLv+vTDPtGVq+GiOwQSVR7TXpFmdhHEw9hnzHnsuffQMxANaQMvqPV8+H0jfF3H2WNqp8GULcGyudngkKioTAVvBiTiRJnVK7hg6SxpdlszqO0yMjN37NB2gPJz houbeb@phantom.local"; + }; + okinawa = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZUDZSIxOt6qEO3WKkAcs1fai1GB/dwAdvsFgxIYVj0 vincent@okinawa"; + authorized = true; + }; + honshu = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAocnNHVCqloXfsvbOoMV0KYAdeon5NYrZX3bnWK+SAo vincent@honshu"; + }; + aomi = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJ3QqVCUiE4BIFKTJLN6mSnp9bLSnJ3gE8ScbAajGsH vincent@aomi"; + authorized = true; + }; + naruhodo = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7zGAceSiqFtWHwt7HVjN24SCyWCC26l6YrgUP/qtPc vincent@naruhodo"; + authorized = true; + }; + }; +in +{ + home = home; + wireguard = wireguard; + wg = { + allowedIPs = "10.100.0.0/24"; + listenPort = 51820; + endpointIP = "167.99.17.238"; + persistentKeepalive = 25; + peers = [ wireguard.shikoku wireguard.hokkaido wireguard.wakasu wireguard.vincent wireguard.houbeb wireguard.okinawa wireguard.sakhalin wireguard.naruhodo wireguard.aomi wireguard.ipad ]; # wireguard.honshu + }; + ssh = ssh; + sshConfig = { + "naruhodo.home" = { + hostname = "${home.ips.naruhodo}"; + }; + "naruhodo.vpn" = { + hostname = "${wireguard.ips.naruhodo}"; + }; + "aomi.home" = { + hostname = "${home.ips.aomi}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "aomi.vpn" = { + hostname = "${wireguard.ips.aomi}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "okinawa.home" = { + hostname = "${home.ips.okinawa}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "okinawa.vpn" = { + hostname = "${wireguard.ips.okinawa}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "sakhalin.home" = { + hostname = "${home.ips.sakhalin}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "sakhalin.vpn" = { + hostname = "${wireguard.ips.sakhalin}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "hokkaido.home" = { + hostname = "${home.ips.hokkaido}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "hokkaido.vpn" = { + hostname = "${wireguard.ips.hokkaido}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "wakasu.home" = { + hostname = "${home.ips.wakasu}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "wakasu.vpn" = { + hostname = "${wireguard.ips.wakasu}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + "dev.home" = { + hostname = "${home.ips.dev}"; + }; + "kerkouane.vpn" = { + hostname = "${wireguard.ips.kerkouane}"; + remoteForwards = [ gpgRemoteForward gpgSSHRemoteForward ]; + }; + }; +}