mirror of
https://github.com/khuedoan/homelab.git
synced 2024-12-22 16:24:32 +07:00
refactor(wireguard): use raw static config
I want to set up a mesh with multiple sites, so I need static peer configurations instead of those generated by the WireGuard container.
This commit is contained in:
Khue Doan
parent
8d4f52cff4
commit
de1f7176dd
2
Makefile
2
Makefile
@ -29,12 +29,10 @@ post-install:
|
||||
# TODO maybe there's a better way to manage backup with GitOps?
|
||||
backup:
|
||||
./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data
|
||||
./scripts/backup --action setup --namespace=wireguard --pvc=wireguard-data
|
||||
./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data
|
||||
|
||||
restore:
|
||||
./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data
|
||||
./scripts/backup --action restore --namespace=wireguard --pvc=wireguard-data
|
||||
./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data
|
||||
|
||||
test:
|
||||
|
||||
@ -3,5 +3,5 @@ name: wireguard
|
||||
version: 0.0.0
|
||||
dependencies:
|
||||
- name: app-template
|
||||
version: 3.1.0
|
||||
version: 3.5.0
|
||||
repository: https://bjw-s.github.io/helm-charts
|
||||
|
||||
@ -8,10 +8,7 @@ app-template:
|
||||
tag: latest
|
||||
env:
|
||||
LOG_CONFS: false
|
||||
PEERS: |
|
||||
KDDesktop
|
||||
KDLaptop
|
||||
KDPhone
|
||||
USE_COREDNS: true
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
@ -25,8 +22,57 @@ app-template:
|
||||
port: 51820
|
||||
protocol: UDP
|
||||
persistence:
|
||||
data:
|
||||
accessMode: ReadWriteOnce
|
||||
size: 10Mi
|
||||
config:
|
||||
type: secret
|
||||
name: "{{ .Release.Name }}-secret"
|
||||
globalMounts:
|
||||
- path: /config
|
||||
- path: /config/wg_confs
|
||||
rawResources:
|
||||
secret:
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
spec:
|
||||
spec:
|
||||
secretStoreRef:
|
||||
kind: ClusterSecretStore
|
||||
name: global-secrets
|
||||
data:
|
||||
- secretKey: WIREGUARD_PRIVATE_KEY
|
||||
remoteRef:
|
||||
key: external
|
||||
property: wireguard-private-key
|
||||
target:
|
||||
template:
|
||||
data:
|
||||
wg0.conf: |
|
||||
[Interface]
|
||||
Address = 172.16.0.1/32
|
||||
ListenPort = 51820
|
||||
PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }}
|
||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
|
||||
|
||||
# Note that WireGuard will ignore a peer whose public key matches
|
||||
# the interface's private key. So you can distribute a single
|
||||
# list of peers everywhere.
|
||||
# https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
|
||||
|
||||
[Peer]
|
||||
# homelab
|
||||
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU=
|
||||
AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
|
||||
|
||||
[Peer]
|
||||
# khuedoan-ryzentower
|
||||
PublicKey = 2poJnXVSbbaqY90B6ruupKEO4OrDFCur2s2pqTk1HWE=
|
||||
AllowedIPs = 172.16.0.10/32
|
||||
|
||||
[Peer]
|
||||
# khuedoan-thinkpadz13
|
||||
PublicKey = kgQbzrz+/P3Xd+L2hseKDYUjhwgfuQOro6tNz11ePH4=
|
||||
AllowedIPs = 172.16.0.11/32
|
||||
|
||||
[Peer]
|
||||
# khuedoan-phone
|
||||
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
|
||||
AllowedIPs = 172.16.0.12/32
|
||||
|
||||
@ -18,6 +18,7 @@ extra_secrets = {
|
||||
# ../platform/global-secrets/files/secret-generator/config.yaml
|
||||
# Here's some examples of what you might want to add:
|
||||
#
|
||||
# wireguard-private-key = "wg genkey output here"
|
||||
# tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
|
||||
# restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
|
||||
# restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"
|
||||
|
||||
Loading…
Reference in New Issue
Block a user