author | Dominique Martinet @ ullr <asmadeus@codewreck.org> | 2020-09-06 14:29:40 +0200 |
---|---|---|
committer | Dominique Martinet @ ullr <asmadeus@codewreck.org> | 2020-09-06 14:29:40 +0200 |
commit | c88910f48abbad75b46853334e8217cde214bf03 (patch) | |
tree | ff9aa8f496db6df334c2b4ff73db33f31699e29b | |
parent | e0803c0fdc643f0867864602bac29f8ec03da221 (diff) |
ullr: fix initrd ssh/wireguard for outside access
-rw-r--r-- | machines/ullr/configuration.nix | 2 | ||||
-rw-r--r-- | machines/ullr/initrd-ssh-luks.nix (renamed from machines/ullr/initrd-dropbear-luks.nix) | 3 | ||||
-rw-r--r-- | machines/ullr/initrd-wireguard.nix | 3 |
3 files changed, 5 insertions, 3 deletions
diff --git a/machines/ullr/configuration.nix b/machines/ullr/configuration.nix
index 98e543d..a4dfdf0 100644
--- a/machines/ullr/configuration.nix
+++ b/machines/ullr/configuration.nix
@@ -8,7 +8,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ./initrd-dropbear-luks.nix
+ ./initrd-ssh-luks.nix
 ./wakeonlan.nix
 ../../profiles/common.nix
 ../../profiles/users.nix
diff --git a/machines/ullr/initrd-dropbear-luks.nix b/machines/ullr/initrd-ssh-luks.nix
index e7f4e4d..736c991 100644
--- a/machines/ullr/initrd-dropbear-luks.nix
+++ b/machines/ullr/initrd-ssh-luks.nix
@@ -16,7 +16,8 @@
 # to keep it different from hostkey ; thus different port too.
 port = 222;
 hostKeys = [ "/etc/nixos/secrets/initrd_ssh_host_ed25519_key" ];
- authorizedKeys = config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys;
+ authorizedKeys = config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys ++
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtS5YD+isGRgIOjVzMbXVQyD/44ZOFn6nvPbEAuAKoD asmadeus@jormungand-ullr" ];
 };
 # automatically prompt on login
 postCommands = ''
diff --git a/machines/ullr/initrd-wireguard.nix b/machines/ullr/initrd-wireguard.nix
index 40865bb..73fdd09 100644
--- a/machines/ullr/initrd-wireguard.nix
+++ b/machines/ullr/initrd-wireguard.nix
@@ -28,10 +28,11 @@
 in {
 wg set ${wg} private-key /etc/wireguard/${wg}.key \
 listen-port ${toString hostCfg.listenPort}
 ip link set ${wg} up
+ ip a add ${hostCfg.ip}/128 dev ${wg}
 wg set ${wg} peer ${peerCfg.publicKey} \
 endpoint ${peerEndpointAddr}:${toString peerCfg.listenPort} \
 allowed-ips ${lib.concatStringsSep "," ([peerCfg.ip] ++ peerCfg.allowedIPs)} \
- persisent-keepalive 58
+ persistent-keepalive 58
 ip route replace ${peerCfg.ip} dev ${wg}
 ${lib.concatMapStringsSep "\n" (allowedIP: "ip route replace ${allowedIP} dev ${wg}" |
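Review bot: The key literal appended to `authorizedKeys` in initrd-ssh-luks.nix carries no explanation of why it is kept apart from `config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys`; the `asmadeus@jormungand-ullr` comment and the commit title suggest a dedicated key held on another host for unlocking from outside, but the file itself does not say so. A one-line comment above the list, such as `# dedicated key for remote unlock from outside (see commit "ullr: fix initrd ssh/wireguard for outside access"); rotate it separately from the user's keys`, would tell the next reader where it came from and that revoking the user's keys elsewhere does not revoke this one. Because the initrd sshd exists only to reach the LUKS prompt, the keys accepted here are the access list for that prompt and are worth keeping minimal; if the initrd sshd is OpenSSH, as the rename suggests, the entry could also carry a `from=` option limiting it to the WireGuard peer address. The enclosing attribute set opens before the hunk.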
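Review bot: The added `ip a add ${hostCfg.ip}/128 dev ${wg}` in initrd-wireguard.nix hard-codes an IPv6 single-host prefix while `hostCfg.ip` comes from configuration; if that option ever holds an IPv4 address the command is rejected and the interface comes up without an address, so the initrd is unreachable over the tunnel. Either document the assumption beside the line, `# hostCfg.ip is expected to be an IPv6 address, hence the /128`, or carry the prefix length in the config next to the address. As a point of style, the unabbreviated `ip address add` would match the `ip link set` and `ip route replace` spellings around it. The shell script string this line belongs to opens and closes outside the hunk.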