mirrors/khuedoan-homelab
1
0
Fork 0
mirror of https://github.com/khuedoan/homelab.git synced 2024-12-22 16:24:32 +07:00
Code Issues Packages Projects Releases Wiki Activity

refactor(wireguard): use raw static config

Browse Source 
I want to set up a mesh with multiple sites, so I need static peer
configurations instead of those generated by the WireGuard container.
This commit is contained in:
Khue Doan 2024-11-24 23:32:29 +07:00
parent 8d4f52cff4
commit de1f7176dd
5 changed files with 58 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -29,12 +29,10 @@ post-install:
# TODO maybe there's a better way to manage backup with GitOps?
backup:
./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data
./scripts/backup --action setup --namespace=wireguard --pvc=wireguard-data
./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data
restore:
./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data
./scripts/backup --action restore --namespace=wireguard --pvc=wireguard-data
./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data
test:

2
apps/wireguard/Chart.yaml
View File

@ -3,5 +3,5 @@ name: wireguard
version: 0.0.0
dependencies:
- name: app-template
version: 3.1.0
version: 3.5.0
repository: https://bjw-s.github.io/helm-charts

62
apps/wireguard/values.yaml
View File

@ -8,10 +8,7 @@ app-template:
tag: latest
env:
LOG_CONFS: false
PEERS: |
KDDesktop
KDLaptop
KDPhone
USE_COREDNS: true
securityContext:
capabilities:
add:
@ -25,8 +22,57 @@ app-template:
port: 51820
protocol: UDP
persistence:
data:
accessMode: ReadWriteOnce
size: 10Mi
config:
type: secret
name: "{{ .Release.Name }}-secret"
globalMounts:
- path: /config
- path: /config/wg_confs
rawResources:
secret:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: global-secrets
data:
- secretKey: WIREGUARD_PRIVATE_KEY
remoteRef:
key: external
property: wireguard-private-key
target:
template:
data:
wg0.conf: |
[Interface]
Address = 172.16.0.1/32
ListenPort = 51820
PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
# Note that WireGuard will ignore a peer whose public key matches
# the interface's private key. So you can distribute a single
# list of peers everywhere.
# https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
[Peer]
# homelab
PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU=
AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
[Peer]
# khuedoan-ryzentower
PublicKey = 2poJnXVSbbaqY90B6ruupKEO4OrDFCur2s2pqTk1HWE=
AllowedIPs = 172.16.0.10/32
[Peer]
# khuedoan-thinkpadz13
PublicKey = kgQbzrz+/P3Xd+L2hseKDYUjhwgfuQOro6tNz11ePH4=
AllowedIPs = 172.16.0.11/32
[Peer]
# khuedoan-phone
PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
AllowedIPs = 172.16.0.12/32

1
external/terraform.tfvars.example
View File

@ -18,6 +18,7 @@ extra_secrets = {
# ../platform/global-secrets/files/secret-generator/config.yaml
# Here's some examples of what you might want to add:
#
# wireguard-private-key = "wg genkey output here"
# tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
# restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"

2
flake.nix
View File

@ -39,7 +39,9 @@
opentofu # Drop-in replacement for Terraform
p7zip
pre-commit
qrencode
shellcheck
wireguard-tools
yamllint
(python3.withPackages (p: with p; [