Server: remove unused wireguard configs and secrets

Toast 2023-12-06 15:13:08 +01:00
parent e8f709aa45
commit dc3a37fd98
9 changed files with 0 additions and 120 deletions


@ -12,7 +12,6 @@
./transmission.nix ./transmission.nix
./ddclient.nix ./ddclient.nix
./beep.nix ./beep.nix
./wireguard.nix
./tailscale.nix ./tailscale.nix
./traefik.nix ./traefik.nix
./minecraft.nix ./minecraft.nix


@ -1,73 +0,0 @@
{ config, pkgs, ... }:
{
# Set up secrets
age.secrets = {
silverPrivate.file = ../../secrets/wg/silver/serverPriv;
silverPhonePsk.file = ../../secrets/wg/silver/phonePsk;
toastPrivate.file = ../../secrets/wg/toast/serverPriv;
toastPhonePsk.file = ../../secrets/wg/toast/phonePsk;
};
networking = {
# You need NAT if you want to use wireguard as a VPN
nat = {
enable = true;
externalInterface = "eno1";
internalInterfaces = [ "wg-*" ];
};
# Allow the wireguard port though the firewall
firewall.allowedUDPPorts = with config.networking.wireguard.interfaces; [ vpn-silver.listenPort vpn-toast.listenPort];
wireguard = {
enable = true;
interfaces = {
vpn-silver = {
/*
I see people normally use 10.0.X.X, but I already have the muscle memory of
typing 192.168.X.X so I went with this one. Plus I'm only going to have 2-3
peers connected at once, so a type C IP is more than enough
*/
ips = [ "192.168.10.1/24" ];
listenPort = 51820;
privateKeyFile = config.age.secrets.silverPrivate.path;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.10.0/24 -o eno1 -j MASQUERADE
'';
peers = [
{
# Silver's phone
allowedIPs = [ "192.168.10.2" ];
publicKey = "silvrNOD8j5aDm4PhY8zJBV3JZOeBX6VK5KPvT+3yic=";
presharedKeyFile = config.age.secrets.silverPhonePsk.path;
}
];
};
vpn-toast = {
ips = [ "192.168.11.1/24" ];
listenPort = 51821;
privateKeyFile = config.age.secrets.toastPrivate.path;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.11.0/24 -o eno1 -j MASQUERADE
'';
peers = [
{
# My phone
allowedIPs = [ "192.168.11.2" ];
publicKey = "pHonE1YaBZcTU5sTMLg6Iy4FIyzInfHfH4x0NZ1lBRA=";
presharedKeyFile = config.age.secrets.toastPhonePsk.path;
}
];
};
};
};
};
}


@ -7,10 +7,4 @@ in
"cock".publicKeys = [ everest ]; "cock".publicKeys = [ everest ];
"syncthing/key".publicKeys = [ everest ]; "syncthing/key".publicKeys = [ everest ];
"syncthing/cert".publicKeys = [ everest ]; "syncthing/cert".publicKeys = [ everest ];
"wg/silver/serverPriv".publicKeys = [ everest ];
"wg/silver/phonePriv".publicKeys = [ everest ];
"wg/silver/phonePsk".publicKeys = [ everest ];
"wg/toast/serverPriv".publicKeys = [ everest ];
"wg/toast/phonePriv".publicKeys = [ everest ];
"wg/toast/phonePsk".publicKeys = [ everest ];
} }


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A vExPc7M17NblMkOjJCxVm6I4v6/6yYBzE6nfc9saOEc
muXFANq6dGV+ToPwlUTkZ84wVsGqnTcCLvncmOgcbrk
-> VN-grease (ijvp 99` (qc
f+ZaYegYdxUu4uj7uGtIl1Pm1ipMe4gQxs57vQxYCHOYO6tejSbwI8Y8sOAzkNV0
pv0EFylBo9Y
--- SrPUCAPc2SmcpvPoPEK/gYJ9hn+vdplxJRMBfRSamAo
èbºŒÆÏ¾ÒróÌá ¹ÞÞ¹?/Ýî¶â»<C3A2>ðæQ¬2D© Š½rŒr4;®º‡ÿÌâÀÀ’^º­º|æÂTã¿ {!]ƒˆ‡ÁÛü


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A 8YvcfWII3BKsM+V+ceoFC3XXldC0qvwnL/6ggK+Il0s
irwDqE2NcFHU/mVlhvIt787a4EW3kmEd11d0P393zXA
-> Wu;RC:#-grease EIrU+ a1!S.4 t Uq#Qab6^
mpekj8nSA5jpzDm1l5VrrYxMxmcuG5Yh+ABWkv2Dn9dKuJG6E1CIcAnU+9rpP6n4
waoAYhTnVZpcHd1qVVm1Mwlz1REymNYxYw7MVplfM3lm1jSU
--- Q+IuFa2gerHpADs2TR/ZkULZV0rIaUvqFpoiovmbcQs
ŽA3ý¹z·¸X"I¥jlkx— uÝ7<C39D>Ï éUhG¡J Ö<C2A0>°{+éÄî^žq«»bL?RImS܈=PÔ½¸gq¿ÚFtJx


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A xu8kFORPIO3cpRKruN2H3Ab8kGHKooWF+a51uvo6AnQ
2LyysvbhXMTJ+CXZtqYksxNAH5E+fgpmtCkX0TVp1SI
-> T$7CzH-grease ZJA,Gm
fyYJztvSX5VrUustF3Y3XpgdmAhpMR/4
--- S/lJcXIuerNOPN687eO9CgsLZE8/yTEGfs2GUD4H/+Y
ÖÒµªI
Šï ¸›¿}v'Ô'9¤FÖn•éר<E28099><W]t`kï+°<>Ìl7p9/5zïÃê…CxFð¥•õFHr

Binary file not shown.


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A LJQA1BbMRZCiasZkqUIYdEF4U8AFfHv+tiDkIfp5xV0
YVKxaYXmLMimAjQ5N0ALSkptDcSmUafX1JPaA+lXLiU
-> {m4@-grease o=oC?P u1g sMgp\s"
GwnTCGHOjeG1XzcjSD/nqqY5eJRAkCIikGEIhLCLfuKqryn69mRz0mxoy7949j4j
oSG2
--- z6TjnxxvqB7M7IXuIEJIpQrSvtW6yUC+FJDC9e9o2rg
Çf½Y¤RÎ"ggÇÁ¼Ù`AO;&è¹; ÿÜÒh;'©ü(Ї¹»ô¸‹ûuûõÁ©³<C2A9>Ÿ¡jâÿöN£êwå£å<C2A3>¨FDgÜ


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 VoNo4A Y2wquDHovRlD2P7tv+6Z+DV3uoOeqs219woSenjJGBg
ZvHSzvAxlK2hZt41I1q4lAV3g9dg+8onphpG8V3gPM8
-> /-grease leqR
wT1Jyk7ceGKQlsQrNuTigKJbRLbk32r1ic/kHZnFikn1/Jx8W5t7VEVxV/qbbjM7
2eV73hu3QR8uz/1/wwMuX9yyPX79o/BbmThqAwXR
--- v2H9k4DcOqjtAuw7fgX2AEOnJLC8BMH5l8KPvoLxxKc
·»’ª'Ô.òÒ|ð§_|s<>ÅvÏO¶'3@ál6eQB.3/û+žI0Ä-?ñ<>Ih¯Žà™Öîú†Ãdm{žøíðhÄ