diff --git a/hosts/pbx/secrets.yaml b/hosts/pbx/secrets.yaml
index c0c44cb..996a1a7 100644
--- a/hosts/pbx/secrets.yaml
+++ b/hosts/pbx/secrets.yaml
@@ -1,6 +1,8 @@
 fieldpoc:
 omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
 sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
+wireguard:
+ pretix: ENC[AES256_GCM,data:Tz0zIHCE5o0SVIS+mvKjqUIviLYtBKa7G3N9SuaZsmF4o3ujxL4R0GGnQj8=,iv:xV0n1smTmZG0YeEqgxhPZWgHvQ4QsSOi7geKTlFrn5o=,tag:tIeOGgTPzDbs7ewNI2a09w==,type:str]
 sops:
 age:
 - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
@@ -12,8 +14,8 @@ sops:
 TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
 JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-20T18:36:56Z"
- mac: ENC[AES256_GCM,data:Muf4j7qXlS2T09nEsC4qEk+CnuzlHiUTq6OAcSbYkEH3xh+g/L4Ez9liBgAnp/1oMt375T643dcQIgo3e90rqiutoDfPHiJr7/XBWLE+7GxFgdzIO1n/5EOt0uEhs4az3JDY2d+Ec7m4uStJHLyNveOC29D9HM7bClxj/NmV/b8=,iv:5sFDtrM/7MqsFYjL6WTJP5LVpI8U9R/DAomHt1Cf/NI=,tag:aItzmIdB8NorZj8n90tyqA==,type:str]
+ lastmodified: "2025-07-21T20:30:49Z"
+ mac: ENC[AES256_GCM,data:vsJyLyXIgU6gpmPzozHZGKeuu0Bl+onUeMfqrQSmGnDp1OE8N8IucLc2jSf/EJ04V2z5gOxMXPPyw59fMOlkyKBNZiYwES+sdsd5SHGPNVD3/kiCio4fnQDHmK4vbGDBli+WVQHA2QJL9yajLm3SX5/D7xcVZvA93E5kAqgsVk8=,iv:cfHG59iAkKJW0egT3AUhB0kyg6Ing5KmMZHPAhPIIbg=,tag:YyigKN4SeXYkQ43pNgwe2A==,type:str]
 pgp:
 - created_at: "2025-07-18T23:14:45Z"
 enc: |-
diff --git a/hosts/pbx/services/default.nix b/hosts/pbx/services/default.nix
index 136d645..03bb666 100644
--- a/hosts/pbx/services/default.nix
+++ b/hosts/pbx/services/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./fieldpoc.nix
+ ./public-ip4-tunnel.nix
 ];
 }
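Review bot: The secret added in the first hunk is `wireguard.pretix`, i.e. key path `wireguard/pretix`, but the new module hosts/pbx/services/public-ip4-tunnel.nix (the later hunk in this commit) declares `sops.secrets."wireguard/${interface}"` with `interface = "public-ip4"` and `sopsFile = ../secrets.yaml`, so sops-nix will look up `wireguard/public-ip4` in this file. Unless `key` is set on that secret (it is not in the hunk), decryption fails at activation and the `privateKeyFile` the tunnel points at never exists. Either rename the YAML key to `public-ip4` and re-encrypt, or add `key = "wireguard/pretix";` to the secret declaration in the Nix module. I cannot see the decrypted content, so this is inferred purely from the key names visible in the two hunks.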
diff --git a/hosts/pbx/services/public-ip4-tunnel.nix b/hosts/pbx/services/public-ip4-tunnel.nix
new file mode 100644
index 0000000..ffef316
--- /dev/null
+++ b/hosts/pbx/services/public-ip4-tunnel.nix
@@ -0,0 +1,51 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ remoteHost = "pretix1.hosts.production.digitaler-dienst.net";
+ remotePort = 51000;
+ publicKey = "e4QfcYmicW2NUMyyjP7PcLgOxiqf3IdvCKeMRWt4zlY=";
+ externalIp = "5.75.219.20";
+ interface = "public-ip4";
+ rtTable = {
+ id = 1000;
+ name = interface;
+ };
+in {
+ sops.secrets."wireguard/${interface}" = {
+ sopsFile = ../secrets.yaml;
+ };
+
+ networking = {
+ iproute2 = {
+ enable = true;
+ rttablesExtraConfig = ''
+ ${toString rtTable.id} ${rtTable.name}
+ '';
+ };
+ wireguard.interfaces."${interface}" = {
+ ips = ["${externalIp}/32"];
+ privateKeyFile = config.sops.secrets."wireguard/${interface}".path;
+ table = rtTable.name;
+ postSetup = ''
+ ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
+ ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
+ '';
+ postShutdown = ''
+ ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
+ ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
+ '';
+ peers = [
+ {
+ inherit publicKey;
+ endpoint = "${remoteHost}:${toString remotePort}";
+ persistentKeepalive = 25;
+ allowedIPs = [
+ "0.0.0.0/0"
+ ];
+ }
+ ];
+ };
+ };
+}
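Review bot: The peer `endpoint` is a DNS name (`${remoteHost}:${toString remotePort}`) and `networking.wireguard` resolves it once when the interface comes up, so if `pretix1.hosts.production.digitaler-dienst.net` ever moves the tunnel silently stays pointed at the old address until the interface is restarted; add `dynamicEndpointRefreshSeconds = 60;` (or a value matching your DNS TTL) to the peer so the endpoint is re-resolved. Separately, this interface now delivers unsolicited inbound traffic for the public address `5.75.219.20` to the host, and nothing in the hunk restricts what `public-ip4` accepts, so whatever `networking.firewall` configuration exists elsewhere for this host decides the exposed surface — worth confirming, or scoping explicitly with `networking.firewall.interfaces."${interface}"` so the public address only admits the ports the PBX is meant to serve. Pinning `publicKey` and `persistentKeepalive = 25` behind NAT both look right; a one-line comment above `rtTable` stating why table 1000 and the priority-10/20 rules exist (keep LAN traffic on `main`, send everything else sourced from the public IP through the tunnel) would help the next reader.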