Add tunnel

2025-07-21 22:03:14 +02:00 · 2025-07-21 22:03:14 +02:00 · 4459a47278
commit 4459a47278
parent c5e0d02218
3 changed files with 56 additions and 2 deletions
--- a/hosts/pbx/secrets.yaml
+++ b/hosts/pbx/secrets.yaml
@ -1,6 +1,8 @@
 fieldpoc:
    omm: ENC[AES256_GCM,data:vOoow2CTJKfCiml5t0k=,iv:BTnf2ASndaNgjYtikTl/B3a5wSRh37epSDT0eGZpLkI=,tag:XOFlh+Ut3JKPd5AUPtrBMw==,type:str]
    sip: ENC[AES256_GCM,data:B82q2sD5I6NUa+RphJL+f1IT5qpZYlpMunZUaN5JJ5I=,iv:YzDg/g1C1z7kV2R5LLNMhe2UvaRaurQKaq4SbGfFKmQ=,tag:NuWn3D8u6jiJFZFTaFvv3g==,type:str]
+wireguard:
+    pretix: ENC[AES256_GCM,data:Tz0zIHCE5o0SVIS+mvKjqUIviLYtBKa7G3N9SuaZsmF4o3ujxL4R0GGnQj8=,iv:xV0n1smTmZG0YeEqgxhPZWgHvQ4QsSOi7geKTlFrn5o=,tag:tIeOGgTPzDbs7ewNI2a09w==,type:str]
 sops:
    age:
        - recipient: age16s0cyttcsp40jup9vnreck6mw500ae8j4ayrmf0tg79ukhgua3vsf4m5j4
@ -12,8 +14,8 @@ sops:
            TFN1ZFJ2cEZmcHoxSmU1c3o0Q0w1cnMKkT8uBrgL9zyL5PAcqJqQerUdJN8yieVO
            JwJvcU3I6reHuVkeNKGCZXdYrNMGeFPWwL88yHJW9MYjhO6xfDo8WQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-20T18:36:56Z"
-    mac: ENC[AES256_GCM,data:Muf4j7qXlS2T09nEsC4qEk+CnuzlHiUTq6OAcSbYkEH3xh+g/L4Ez9liBgAnp/1oMt375T643dcQIgo3e90rqiutoDfPHiJr7/XBWLE+7GxFgdzIO1n/5EOt0uEhs4az3JDY2d+Ec7m4uStJHLyNveOC29D9HM7bClxj/NmV/b8=,iv:5sFDtrM/7MqsFYjL6WTJP5LVpI8U9R/DAomHt1Cf/NI=,tag:aItzmIdB8NorZj8n90tyqA==,type:str]
+    lastmodified: "2025-07-21T20:30:49Z"
+    mac: ENC[AES256_GCM,data:vsJyLyXIgU6gpmPzozHZGKeuu0Bl+onUeMfqrQSmGnDp1OE8N8IucLc2jSf/EJ04V2z5gOxMXPPyw59fMOlkyKBNZiYwES+sdsd5SHGPNVD3/kiCio4fnQDHmK4vbGDBli+WVQHA2QJL9yajLm3SX5/D7xcVZvA93E5kAqgsVk8=,iv:cfHG59iAkKJW0egT3AUhB0kyg6Ing5KmMZHPAhPIIbg=,tag:YyigKN4SeXYkQ43pNgwe2A==,type:str]
    pgp:
        - created_at: "2025-07-18T23:14:45Z"
          enc: |-
--- a/hosts/pbx/services/default.nix
+++ b/hosts/pbx/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./fieldpoc.nix
+    ./public-ip4-tunnel.nix
  ];
 }
--- a/hosts/pbx/services/public-ip4-tunnel.nix
+++ b/hosts/pbx/services/public-ip4-tunnel.nix
@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  remoteHost = "pretix1.hosts.production.digitaler-dienst.net";
+  remotePort = 51000;
+  publicKey = "e4QfcYmicW2NUMyyjP7PcLgOxiqf3IdvCKeMRWt4zlY=";
+  externalIp = "5.75.219.20";
+  interface = "public-ip4";
+  rtTable = {
+    id = 1000;
+    name = interface;
+  };
+in {
+  sops.secrets."wireguard/${interface}" = {
+    sopsFile = ../secrets.yaml;
+  };
+
+  networking = {
+    iproute2 = {
+      enable = true;
+      rttablesExtraConfig = ''
+        ${toString rtTable.id} ${rtTable.name}
+      '';
+    };
+    wireguard.interfaces."${interface}" = {
+      ips = ["${externalIp}/32"];
+      privateKeyFile = config.sops.secrets."wireguard/${interface}".path;
+      table = rtTable.name;
+      postSetup = ''
+        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
+        ${pkgs.iproute2}/bin/ip rule add from ${externalIp} table ${rtTable.name} priority 20
+      '';
+      postShutdown = ''
+        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} to 192.168.0.0/16 table main priority 10
+        ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
+      '';
+      peers = [
+        {
+          inherit publicKey;
+          endpoint = "${remoteHost}:${toString remotePort}";
+          persistentKeepalive = 25;
+          allowedIPs = [
+            "0.0.0.0/0"
+          ];
+        }
+      ];
+    };
+  };
+}