diff --git a/Makefile b/Makefile index d4cfe19d..78307058 100644 --- a/Makefile +++ b/Makefile @@ -29,12 +29,10 @@ post-install: # TODO maybe there's a better way to manage backup with GitOps? backup: ./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data - ./scripts/backup --action setup --namespace=wireguard --pvc=wireguard-data ./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data restore: ./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data - ./scripts/backup --action restore --namespace=wireguard --pvc=wireguard-data ./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data test: diff --git a/apps/wireguard/Chart.yaml b/apps/wireguard/Chart.yaml index d0fc6739..e0d63e4a 100644 --- a/apps/wireguard/Chart.yaml +++ b/apps/wireguard/Chart.yaml @@ -3,5 +3,5 @@ name: wireguard version: 0.0.0 dependencies: - name: app-template - version: 3.1.0 + version: 3.5.0 repository: https://bjw-s.github.io/helm-charts diff --git a/apps/wireguard/values.yaml b/apps/wireguard/values.yaml index 476c7329..d9bbfd48 100644 --- a/apps/wireguard/values.yaml +++ b/apps/wireguard/values.yaml @@ -8,10 +8,7 @@ app-template: tag: latest env: LOG_CONFS: false - PEERS: | - KDDesktop - KDLaptop - KDPhone + USE_COREDNS: true securityContext: capabilities: add: @@ -25,8 +22,57 @@ app-template: port: 51820 protocol: UDP persistence: - data: - accessMode: ReadWriteOnce - size: 10Mi + config: + type: secret + name: "{{ .Release.Name }}-secret" globalMounts: - - path: /config + - path: /config/wg_confs + rawResources: + secret: + apiVersion: external-secrets.io/v1beta1 + kind: ExternalSecret + spec: + spec: + secretStoreRef: + kind: ClusterSecretStore + name: global-secrets + data: + - secretKey: WIREGUARD_PRIVATE_KEY + remoteRef: + key: external + property: wireguard-private-key + target: + template: + data: + wg0.conf: | + [Interface] + Address = 172.16.0.1/32 + ListenPort = 51820 + PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }} + PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE + PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE + + # Note that WireGuard will ignore a peer whose public key matches + # the interface's private key. So you can distribute a single + # list of peers everywhere. + # https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html + + [Peer] + # homelab + PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU= + AllowedIPs = 172.16.0.1/32, 192.168.1.224/27 + + [Peer] + # khuedoan-ryzentower + PublicKey = 2poJnXVSbbaqY90B6ruupKEO4OrDFCur2s2pqTk1HWE= + AllowedIPs = 172.16.0.10/32 + + [Peer] + # khuedoan-thinkpadz13 + PublicKey = kgQbzrz+/P3Xd+L2hseKDYUjhwgfuQOro6tNz11ePH4= + AllowedIPs = 172.16.0.11/32 + + [Peer] + # khuedoan-phone + PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U= + AllowedIPs = 172.16.0.12/32 diff --git a/external/terraform.tfvars.example b/external/terraform.tfvars.example index 7cacd3f9..ce81b836 100644 --- a/external/terraform.tfvars.example +++ b/external/terraform.tfvars.example @@ -18,6 +18,7 @@ extra_secrets = { # ../platform/global-secrets/files/secret-generator/config.yaml # Here's some examples of what you might want to add: # + # wireguard-private-key = "wg genkey output here" # tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" # restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx" # restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx" diff --git a/flake.nix b/flake.nix index 9a949ab7..0b2ab208 100644 --- a/flake.nix +++ b/flake.nix @@ -39,7 +39,9 @@ opentofu # Drop-in replacement for Terraform p7zip pre-commit + qrencode shellcheck + wireguard-tools yamllint (python3.withPackages (p: with p; [