refactor(wireguard): use raw static config
I want to set up a mesh with multiple sites, so I need static peer configurations instead of those generated by the WireGuard container.
This commit is contained in:
parent
8d4f52cff4
commit
de1f7176dd
2
Makefile
2
Makefile
@ -29,12 +29,10 @@ post-install:
|
|||||||
# TODO maybe there's a better way to manage backup with GitOps?
|
# TODO maybe there's a better way to manage backup with GitOps?
|
||||||
backup:
|
backup:
|
||||||
./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data
|
./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data
|
||||||
./scripts/backup --action setup --namespace=wireguard --pvc=wireguard-data
|
|
||||||
./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data
|
./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data
|
||||||
|
|
||||||
restore:
|
restore:
|
||||||
./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data
|
./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data
|
||||||
./scripts/backup --action restore --namespace=wireguard --pvc=wireguard-data
|
|
||||||
./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data
|
./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data
|
||||||
|
|
||||||
test:
|
test:
|
||||||
|
@ -3,5 +3,5 @@ name: wireguard
|
|||||||
version: 0.0.0
|
version: 0.0.0
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: app-template
|
- name: app-template
|
||||||
version: 3.1.0
|
version: 3.5.0
|
||||||
repository: https://bjw-s.github.io/helm-charts
|
repository: https://bjw-s.github.io/helm-charts
|
||||||
|
@ -8,10 +8,7 @@ app-template:
|
|||||||
tag: latest
|
tag: latest
|
||||||
env:
|
env:
|
||||||
LOG_CONFS: false
|
LOG_CONFS: false
|
||||||
PEERS: |
|
USE_COREDNS: true
|
||||||
KDDesktop
|
|
||||||
KDLaptop
|
|
||||||
KDPhone
|
|
||||||
securityContext:
|
securityContext:
|
||||||
capabilities:
|
capabilities:
|
||||||
add:
|
add:
|
||||||
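Review bot: `USE_COREDNS: true` is written as a YAML boolean, but a container env value must reach the pod as a string; the chart presumably stringifies it, since the existing `LOG_CONFS: false` uses the same form, but quoting it as `USE_COREDNS: "true"` makes that independent of chart behaviour and is the usual convention for boolean-looking env values. The enclosing `app-template:` block starts outside the hunk.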
@ -25,8 +22,57 @@ app-template:
|
|||||||
port: 51820
|
port: 51820
|
||||||
protocol: UDP
|
protocol: UDP
|
||||||
persistence:
|
persistence:
|
||||||
data:
|
config:
|
||||||
accessMode: ReadWriteOnce
|
type: secret
|
||||||
size: 10Mi
|
name: "{{ .Release.Name }}-secret"
|
||||||
globalMounts:
|
globalMounts:
|
||||||
- path: /config
|
- path: /config/wg_confs
|
||||||
|
rawResources:
|
||||||
|
secret:
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
spec:
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: global-secrets
|
||||||
|
data:
|
||||||
|
- secretKey: WIREGUARD_PRIVATE_KEY
|
||||||
|
remoteRef:
|
||||||
|
key: external
|
||||||
|
property: wireguard-private-key
|
||||||
|
target:
|
||||||
|
template:
|
||||||
|
data:
|
||||||
|
wg0.conf: |
|
||||||
|
[Interface]
|
||||||
|
Address = 172.16.0.1/32
|
||||||
|
ListenPort = 51820
|
||||||
|
PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }}
|
||||||
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
|
||||||
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
|
||||||
|
|
||||||
|
# Note that WireGuard will ignore a peer whose public key matches
|
||||||
|
# the interface's private key. So you can distribute a single
|
||||||
|
# list of peers everywhere.
|
||||||
|
# https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# homelab
|
||||||
|
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU=
|
||||||
|
AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# khuedoan-ryzentower
|
||||||
|
PublicKey = 2poJnXVSbbaqY90B6ruupKEO4OrDFCur2s2pqTk1HWE=
|
||||||
|
AllowedIPs = 172.16.0.10/32
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# khuedoan-thinkpadz13
|
||||||
|
PublicKey = kgQbzrz+/P3Xd+L2hseKDYUjhwgfuQOro6tNz11ePH4=
|
||||||
|
AllowedIPs = 172.16.0.11/32
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
# khuedoan-phone
|
||||||
|
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
|
||||||
|
AllowedIPs = 172.16.0.12/32
|
||||||
|
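Review bot: The `config` mount puts `wg0.conf`, including the rendered private key, into the container with the Secret-volume default mode (world-readable inside the container, and wg-quick warns on that); adding `defaultMode: 0400` under `config:` next to `type: secret` keeps the key file owner-readable only. The `PostUp` rule accepts all forwarded traffic from the tunnel while the homelab peer only advertises `192.168.1.224/27`, so every peer can reach anything routable from the pod, not just that subnet; if that is not intended, narrowing it to something like `iptables -A FORWARD -i %i -d 192.168.1.224/27 -j ACCEPT` (plus an `-i %i -o %i` rule if peers should reach each other via the hub) follows least privilege — this presumably mirrors what the container generated before, so treat it as a tightening rather than a regression. Switching persistence from the `data` PVC to a Secret leaves the old `wireguard-data` PVC (and any restic snapshots of it) in place; it likely still holds the previously generated peer keys, so delete it once the new config is confirmed working. The enclosing `app-template:` block starts outside the hunk.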
@ -18,6 +18,7 @@ extra_secrets = {
|
|||||||
# ../platform/global-secrets/files/secret-generator/config.yaml
|
# ../platform/global-secrets/files/secret-generator/config.yaml
|
||||||
# Here's some examples of what you might want to add:
|
# Here's some examples of what you might want to add:
|
||||||
#
|
#
|
||||||
|
# wireguard-private-key = "wg genkey output here"
|
||||||
# tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
# tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
||||||
# restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
|
# restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
|
||||||
# restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"
|
# restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"
|
||||||
|