From 9966530d3564b2d06a0a8218254fce9b92d16187 Mon Sep 17 00:00:00 2001 From: Jakob Lechner Date: Fri, 23 Jun 2023 18:02:06 +0000 Subject: [PATCH] Add wireguard tunnel for hetzner ha ip --- .sops.yaml | 7 +++ hosts/iron/secrets.yaml | 5 +- hosts/iron/services/default.nix | 1 + hosts/iron/services/public-ip-tunnel.nix | 57 +++++++++++++++++++ hosts/magnesium/configuration.nix | 1 + hosts/magnesium/secrets.yaml | 32 +++++++++++ hosts/magnesium/services/default.nix | 5 ++ hosts/magnesium/services/public-ip-tunnel.nix | 44 ++++++++++++++ 8 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 hosts/iron/services/public-ip-tunnel.nix create mode 100644 hosts/magnesium/secrets.yaml create mode 100644 hosts/magnesium/services/default.nix create mode 100644 hosts/magnesium/services/public-ip-tunnel.nix diff --git a/.sops.yaml b/.sops.yaml index 3dc2cf6..1b1bdbe 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &host_aluminium age1ne08hny30vrkejqhh7dcx4ql6dmkx6jw9dqkf3cz7mzvt53njy0qh59w44 - &host_hafnium age1ahnfjspcpwxxk7getcxkj3fypwt37rr6p3xsmp8n2tqqqz8jtg7q2am0et - &host_iron age1hx7fdu4mcha7kkxe7yevtvs6xgzgaafgenm3drhvr609wlj94sgqm497je + - &host_magnesium age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0 - &host_weinturm_pretix_prod age1w42q9qg7l6gea36erhw0u7jvlpenvtrjm38q4ux0aasa929hes6s2ecj6m creation_rules: - path_regex: hosts/aluminium/secrets\.yaml$ @@ -24,6 +25,12 @@ creation_rules: - *admin_jalr age: - *host_iron + - path_regex: hosts/magnesium/secrets\.yaml$ + key_groups: + - pgp: + - *admin_jalr + age: + - *host_magnesium - path_regex: hosts/weinturm-pretix-prod/secrets\.yaml$ key_groups: - pgp: diff --git a/hosts/iron/secrets.yaml b/hosts/iron/secrets.yaml index 2842df3..2d0a306 100644 --- a/hosts/iron/secrets.yaml +++ b/hosts/iron/secrets.yaml 
@@ -1,6 +1,7 @@ duckdns-secret: ENC[AES256_GCM,data:SAf/xZ28tgmvqcVKC2tMNRm838AVMMNCC3fpYLXBEIoTl7E7,iv:+KTEpNMj0+aVCGKB1dRFFslgjpBhSzBZFdee+VIAt4o=,tag:C/eSyoQjAgD7Qv4J4jsp4g==,type:str] sturzbach-htpasswd: ENC[AES256_GCM,data:qqBwu6mASnRqjy65knU4uIvBNXXgrfcmvWnbmOH4tVQ7vRbpEhe/GQDwAg==,iv:OQnDOzezjajGl35m/u5StQeMRR+1sNDD5u1my1wTngQ=,tag:7zjVRWI1IzZ5iS3sFHLubg==,type:str] navidrome-password-encryption-key: ENC[AES256_GCM,data:ynQsFyGDEBnlWhTlv0mF7mLiXOjijq9ixWWEa1OXsTOYAd74dU0dp3Fo532WtD4fPvIWEf8Y2dYmY7zPVLuydQ==,iv:GJqPVL5OIFPLMcCVOjWvMjyFR4iTXo3uGE8R0keTzG0=,tag:RTERQgYRxBBevlL2H1lIWA==,type:str] +wireguard_key_hetzner-ha: ENC[AES256_GCM,data:ak/KpQIHBNRPriJ1IeKYXIp4CcnygRHSj5MzZNnuxQnVunmmtzGu0lBEajA=,iv:aNw3EooT6XE1zC+g37WSJasRCfnNUaKQrYCDBMTxRrg=,tag:KXc70tVFc7xDLlefk1Hzow==,type:str] sops: kms: [] gcp_kms: [] @@ -16,8 +17,8 @@ sops: TjdZRldhSzVtMkVoTzY1NjdGbCswRVUK0pi+8UuLqRmytcR2ikxOAM02iccl8P1y ixv0PKPLd+vQ23QeeQy/TfoGx16XttaDUnUrPLZR3TUKtAcld8+m6w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-04T08:42:31Z" - mac: ENC[AES256_GCM,data:30AkNRIZ/w0rn2Q4CTggRRyj1rsE0+Hzvu2HH4s4IXOlgjLqR7TUVqiVjthuJd0XqcwAaYUxVnXtumVXcjYpDi6umjBvZNTDXhB6XnmIIbETmfLppKJiogebF86scS8SSOPWbwS9VbIPhbBUcTLPzAh3KgMCjCNzT+REdZGhsWc=,iv:meLH8Fq7E+nuwQqbU3xcAg05xgbW8GoOgMnQ7MK5NEo=,tag:evY1vmSb749s7VvVErb87A==,type:str] + lastmodified: "2023-06-22T12:41:01Z" + mac: ENC[AES256_GCM,data:OBzeE4XsdyrmW+U9nFLizAiNpdr7rXaBIa6q8PCjMMrGEi5C2Sg+1wHzgOqB3ACYc4gjv5W3s9rAVX3YOBEJ34eu+hcRWjLlK9tmKBdSZm1nP0gkfCmbMGw1DkPdkNRufX5FrIHEG0xzLN3Wo/C9LnDO+Qwn88OVq1+TYQHH3nY=,iv:OU+Xmmqsa03oRclRw/TCIXjroA/9YOtB07R9+1caUes=,tag:ZHEXxwz6NOzsA+jGT3oe4g==,type:str] pgp: - created_at: "2023-05-02T19:30:42Z" enc: | diff --git a/hosts/iron/services/default.nix b/hosts/iron/services/default.nix index 95ddfc2..9568d28 100644 --- a/hosts/iron/services/default.nix +++ b/hosts/iron/services/default.nix 
@@ -5,6 +5,7 @@
 ./jellyfin.nix
 ./navidrome.nix
 ./nginx.nix
+ ./public-ip-tunnel.nix
 ./sturzbach.nix
 ./unifi-controller.nix
 ];
diff --git a/hosts/iron/services/public-ip-tunnel.nix b/hosts/iron/services/public-ip-tunnel.nix
new file mode 100644
index 0000000..5a0cce7
--- /dev/null
+++ b/hosts/iron/services/public-ip-tunnel.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+let
+ listenPort = 51000;
+ remoteHost = "magnesium.jalr.de";
+ remotePort = 51000;
+ publicKey = "ABZCQfzlHJ1/iNbWFf6jVvdqSmqjxm3w5bpa0SYclBU=";
+ externalIp = "159.69.103.126";
+ rtTable = {
+ id = 1000;
+ name = "hetzner-ha";
+ };
+in
+{
+ sops.secrets = (
+ lib.listToAttrs (map
+ (name: lib.nameValuePair "wireguard_key_${name}" {
+ sopsFile = ../secrets.yaml;
+ })
+ [
+ "hetzner-ha"
+ ]
+ )
+ );
+
+ networking.iproute2.enable = true;
+ networking.iproute2.rttablesExtraConfig = ''
+ ${toString rtTable.id} ${rtTable.name}
+ '';
+
+ networking.wireguard.interfaces = {
+ hetzner-ha = {
+ ips = [ "${externalIp}/32" ];
+ privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
+ listenPort = listenPort;
+ table = rtTable.name;
+ postSetup = ''
+ ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
+ ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
+ '';
+ postShutdown = ''
+ ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
+ ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
+ '';
+ peers = [{
+ publicKey = publicKey;
+ endpoint = "${remoteHost}:${toString remotePort}";
+ persistentKeepalive = 25;
+ allowedIPs = [
+ "0.0.0.0/0"
+ ];
+ }];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ listenPort ];
+}
diff --git a/hosts/magnesium/configuration.nix b/hosts/magnesium/configuration.nix
index 5f24642..f7f1177 100644
--- a/hosts/magnesium/configuration.nix
+++ b/hosts/magnesium/configuration.nix
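Review bot: `networking.firewall.allowedUDPPorts = [ listenPort ];` on the last line of hosts/iron/services/public-ip-tunnel.nix opens UDP 51000 inbound on iron, yet as far as this patch shows iron is the dialling side (`endpoint` plus `persistentKeepalive = 25`, and the magnesium peer definition has no endpoint for iron), so the peer's replies already arrive on the established outbound flow and the inbound exception only widens the exposed surface; drop it, or add a comment above it explaining why iron must also accept unsolicited handshakes. The `postSetup`/`postShutdown` scripts are not idempotent: after an unclean stop a restart would let `ip rule add` stack a duplicate rule, and `ip rule del` of a rule that is already gone may fail the shutdown script, so the del lines are safer as `${pkgs.iproute2}/bin/ip rule del ... priority 20 || true` (and the add lines could first test for the rule). With `allowedIPs = [ "0.0.0.0/0" ]` everything magnesium forwards for 159.69.103.126 — unsolicited Internet traffic — enters iron on `hetzner-ha`, so the interface must stay subject to the host firewall; a comment such as `# Carries raw Internet traffic for the HA IP: never add to networking.firewall.trustedInterfaces` above `peers` would record that. Neither end sets `presharedKeyFile`; sourcing one from the same sops file is cheap defence in depth for a link that carries all public traffic.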
@@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix ../../home-manager/users/jalr.nix + ./services ]; networking.hostName = "magnesium"; diff --git a/hosts/magnesium/secrets.yaml b/hosts/magnesium/secrets.yaml new file mode 100644 index 0000000..fdb717d --- /dev/null +++ b/hosts/magnesium/secrets.yaml @@ -0,0 +1,32 @@ +wireguard_key_hetzner-ha: ENC[AES256_GCM,data:HEW+EalHg6/mq7pRKZkasGz0nqbkSppkf0H/uV5QMJnWwKw9a9W21Y77OSw=,iv:OA6yml1T5kVafX0RYd0Es7DHcGjJazUxP2M6a5Pwkag=,tag:lX5UPIseIQ136HLrHbzZyw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1swv42gad884z2v75kateem6k2za6ltkq6wu90ewqp6dp7gxprawslwz0w0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwa0ZIdE9lc2lNZlN0UFBU + RWdxQm1oR01GemJOSE9ZU1RYc3crRGg5REF3ClUzaEhyelZNTVUxeEwvc1V3eDBt + SUx0UXU0aTdnTGlTaWJvd2R6ajZmNVkKLS0tICszejE3WVNOTHR6Rms2bjQrbzEz + Vlk3Y1luTTg3bkpqNTNPUGlNYmNtMW8K9dEUwAuzvDZZoVi8FPZQ7/h75EV0L+VM + MlTGfEt38Hi7EOw+yfXvXYHse/OKypwcrPiJDT6IT/E+O9BJCjPKCA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-06-22T12:44:40Z" + mac: ENC[AES256_GCM,data:pyqtldMaMmQw7Qh5LsWGqD6QQhk7Ni+QzWrn7nqM+PtCwMDDccNp6ZWF70IwU5todmvRgLrW3Ke9SVlMTYCaHNQ8/W5iL4vrOJY1txrXSEqfwZ3ODGXKOFILqYNdi5fAMtkqu0rBHFo+ZQ44bPg/oEYp6V5idlkHRQnQWJifFtI=,iv:DQ4O9/8HKwLLSBz+BDS3FRUVG3HAA8tTpSRQ4BxZ8Uo=,tag:6W/PCbQiu/Q1f2Q3e0OtPQ==,type:str] + pgp: + - created_at: "2023-06-22T12:44:23Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4D3ylLYNOsO+0SAQdAD/wwGspjkzL/xlqVxl8pixtRQGAlyuEJdTwja6e4bkAw + I+xwPhJH9FpkwArRKErtW9u6e9lM8zJOvgteseTRmQFkQ9fyTtXAx2lLg5JOFdYn + 0l4BkaozbVKjx1XEJBoBUF1YMfREKyrORk/kU2UTluQKkEp7xaojZkuhWEqEMC7N + tKVpPhef7M5escwcpQCpoI5+DCepJQDfoxyiAWx8P0a6tbV2F+X9y6kgb6iuWpf2 + =WNKv + -----END PGP MESSAGE----- + fp: 66FB54F6081375106EEBF651A222365EB448F934 + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/hosts/magnesium/services/default.nix b/hosts/magnesium/services/default.nix
new file mode 100644
index 0000000..e183828
--- /dev/null
+++ b/hosts/magnesium/services/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./public-ip-tunnel.nix
+ ];
+}
diff --git a/hosts/magnesium/services/public-ip-tunnel.nix b/hosts/magnesium/services/public-ip-tunnel.nix
new file mode 100644
index 0000000..0cd32b4
--- /dev/null
+++ b/hosts/magnesium/services/public-ip-tunnel.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+let
+ listenPort = 51000;
+ publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
+in
+{
+ sops.secrets = (
+ lib.listToAttrs (map
+ (name: lib.nameValuePair "wireguard_key_${name}" {
+ sopsFile = ../secrets.yaml;
+ })
+ [
+ "hetzner-ha"
+ ]
+ )
+ );
+
+ #boot.kernel.sysctl = {
+ # "net.ipv4.conf.all.forwarding" = 1;
+ # "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
+ # "net.ipv4.conf.enp1s0.proxy_arp" = 1;
+ #};
+ networking.interfaces.hetzner-ha.proxyARP = true;
+ networking.interfaces.enp1s0.proxyARP = true;
+
+ networking.wireguard.interfaces = {
+ hetzner-ha = {
+ ips = [ ];
+ privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
+ listenPort = listenPort;
+
+ peers = [{
+ publicKey = publicKey;
+ persistentKeepalive = 25;
+ allowedIPs = [
+ "159.69.103.126/32"
+ ];
+ }];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ listenPort ];
+}
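Review bot: Nothing in hosts/magnesium/services/public-ip-tunnel.nix enables IPv4 forwarding — the only line that would, `"net.ipv4.conf.all.forwarding" = 1;`, sits inside the commented-out `boot.kernel.sysctl` block — while the design needs this host to accept packets for 159.69.103.126 on `enp1s0` and forward them into `hetzner-ha`; `networking.interfaces.*.proxyARP` only sets `proxy_arp`, so unless configuration.nix turns forwarding on elsewhere, the server will answer ARP for the HA address and then drop the traffic. Either set `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;` (or scope it to the two interfaces) and delete the dead block, or replace the block with a comment naming where forwarding is enabled. Forwarded traffic to the HA IP is not filtered by this host's input rules, so a short comment above `networking.interfaces.hetzner-ha.proxyARP` recording that filtering is delegated to iron would document the trust decision. The `sops.secrets` construction duplicates iron's file line for line; for a single secret `sops.secrets.wireguard_key_hetzner-ha.sopsFile = ../secrets.yaml;` says the same thing, and a shared module would keep the two ends from drifting.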