Add tunnel

This commit is contained in:
Jakob Lechner 2025-07-21 22:03:14 +02:00
parent c5e0d02218
commit 4459a47278
3 changed files with 56 additions and 2 deletions


@ -1,6 +1,8 @@
fieldpoc: fieldpoc:
omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str] omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str] sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
wireguard:
pretix: ENC[AES256_GCM,data:Tz0zIHCE5o0SVIS+mvKjqUIviLYtBKa7G3N9SuaZsmF4o3ujxL4R0GGnQj8=,iv:xV0n1smTmZG0YeEqgxhPZWgHvQ4QsSOi7geKTlFrn5o=,tag:tIeOGgTPzDbs7ewNI2a09w==,type:str]
sops: sops:
age: age:
- recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4 - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
@ -12,8 +14,8 @@ sops:
TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ== JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-20T18:36:56Z" lastmodified: "2025-07-21T20:30:49Z"
mac: ENC[AES256_GCM,data:Muf4j7qXlS2T09nEsC4qEk+CnuzlHiUTq6OAcSbYkEH3xh+g/L4Ez9liBgAnp/1oMt375T643dcQIgo3e90rqiutoDfPHiJr7/XBWLE+7GxFgdzIO1n/5EOt0uEhs4az3JDY2d+Ec7m4uStJHLyNveOC29D9HM7bClxj/NmV/b8=,iv:5sFDtrM/7MqsFYjL6WTJP5LVpI8U9R/DAomHt1Cf/NI=,tag:aItzmIdB8NorZj8n90tyqA==,type:str] mac: ENC[AES256_GCM,data:vsJyLyXIgU6gpmPzozHZGKeuu0Bl+onUeMfqrQSmGnDp1OE8N8IucLc2jSf/EJ04V2z5gOxMXPPyw59fMOlkyKBNZiYwES+sdsd5SHGPNVD3/kiCio4fnQDHmK4vbGDBli+WVQHA2QJL9yajLm3SX5/D7xcVZvA93E5kAqgsVk8=,iv:cfHG59iAkKJW0egT3AUhB0kyg6Ing5KmMZHPAhPIIbg=,tag:YyigKN4SeXYkQ43pNgwe2A==,type:str]
pgp: pgp:
- created_at: "2025-07-18T23:14:45Z" - created_at: "2025-07-18T23:14:45Z"
enc: |- enc: |-


@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./fieldpoc.nix ./fieldpoc.nix
./public-ip4-tunnel.nix
]; ];
} }

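--- a/public-ip4-tunnel.nix
+++ b/public-ip4-tunnel.nix
@@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  remoteHost = "pretix1.hosts.production.digitaler-dienst.net";
+  remotePort = 51000;
+  publicKey = "e4QfcYmicW2NUMyyjP7PcLgOxiqf3IdvCKeMRWt4zlY=";
+  externalIp = "5.75.219.20";
+  interface = "public-ip4";
+  rtTable = {
+    id = 1000;
+    name = interface;
+  };
+in {
+  sops.secrets."wireguard/${interface}" = {
+    sopsFile = ../secrets.yaml;
+  };
+  networking = {
+    iproute2 = {
+      enable = true;
+      rttablesExtraConfig = ''
+        ${toString rtTable.id} ${rtTable.name}
+      '';
+    };
+    wireguard.interfaces."${interface}" = {
+      ips = ["${externalIp}/32"];
+      privateKeyFile = config.sops.secrets."wireguard/${interface}".path;
+      table = rtTable.name;
+      postSetup = ''
+        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
+        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
+      '';
+      postShutdown = ''
+        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
+        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
+      '';
+      peers = [
+        {
+          inherit publicKey;
+          endpoint = "${remoteHost}:${toString remotePort}";
+          persistentKeepalive = 25;
+          allowedIPs = [
+            "0.0.0.0/0"
+          ];
+        }
+      ];
+    };
+  };
+}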
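Review bot: Nothing in this file restricts inbound traffic on the new interface, while `allowedIPs = ["0.0.0.0/0"]` together with `table = rtTable.name` turns 5.75.219.20 into a fully routed public address, so every service listening on 0.0.0.0 becomes reachable through the tunnel unless the host firewall is already restrictive — that is not visible here and should be confirmed. I would add a per-interface allowlist next to the interface definition, `networking.firewall.interfaces."${interface}".allowedTCPPorts = [ /* ports that must be public */ ];`, and a comment on `allowedIPs` that `0.0.0.0/0` is cryptokey routing, i.e. the remote peer may deliver packets with any source address into this host. The `ip rule add` lines in `postSetup` are also not idempotent: a rule left behind by an unclean teardown makes the next add fail with "File exists" on recent iproute2, and whether that aborts interface setup depends on the generated service script, which is not visible here; deleting with `|| true` before adding, as below, sidesteps the question. The hard-coded `192.168.0.0/16` exception covers only that one RFC 1918 range, which is fine if the LAN lives there but deserves a comment saying so.

```nix
    wireguard.interfaces."${interface}" = {
      # … unchanged: ips, privateKeyFile, table …
      postSetup = ''
        # tolerate rules left over from an unclean shutdown
        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10 2>/dev/null || true
        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20 2>/dev/null || true
        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
      '';
      # … unchanged: postShutdown, peers …
    };
    # only the ports that must be reachable on the tunnelled public address
    firewall.interfaces."${interface}".allowedTCPPorts = [ /* ports that must be public */ ];
```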