authorDominique Martinet @ ullr <asmadeus@codewreck.org>2020-09-06 14:29:40 +0200
committerDominique Martinet @ ullr <asmadeus@codewreck.org>2020-09-06 14:29:40 +0200
commitc88910f48abbad75b46853334e8217cde214bf03 (patch)
treeff9aa8f496db6df334c2b4ff73db33f31699e29b
parente0803c0fdc643f0867864602bac29f8ec03da221 (diff)
ullr: fix initrd ssh/wireguard for outside access
-rw-r--r--machines/ullr/configuration.nix2
-rw-r--r--machines/ullr/initrd-ssh-luks.nix (renamed from machines/ullr/initrd-dropbear-luks.nix)3
-rw-r--r--machines/ullr/initrd-wireguard.nix3
3 files changed, 5 insertions, 3 deletions
diff --git a/machines/ullr/configuration.nix b/machines/ullr/configuration.nix
index 98e543d..a4dfdf0 100644
--- a/machines/ullr/configuration.nix
+++ b/machines/ullr/configuration.nix
@@ -8,7 +8,7 @@
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
- ./initrd-dropbear-luks.nix
+ ./initrd-ssh-luks.nix
./wakeonlan.nix
../../profiles/common.nix
../../profiles/users.nix
diff --git a/machines/ullr/initrd-dropbear-luks.nix b/machines/ullr/initrd-ssh-luks.nix
index e7f4e4d..736c991 100644
--- a/machines/ullr/initrd-dropbear-luks.nix
+++ b/machines/ullr/initrd-ssh-luks.nix
@@ -16,7 +16,8 @@
# to keep it different from hostkey ; thus different port too.
port = 222;
hostKeys = [ "/etc/nixos/secrets/initrd_ssh_host_ed25519_key" ];
- authorizedKeys = config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys;
+ authorizedKeys = config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys ++
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHtS5YD+isGRgIOjVzMbXVQyD/44ZOFn6nvPbEAuAKoD asmadeus@jormungand-ullr" ];
};
# automatically prompt on login
postCommands = ''
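Review bot: The new literal on the `authorizedKeys` line is a second, hand-maintained source of truth for who can unlock the disk, separate from `config.users.extraUsers.asmadeus.openssh.authorizedKeys.keys`; nothing here says why the `jormungand-ullr` key is kept out of the user's normal key list, so a later key rotation in the users profile will leave this one behind unnoticed. A one-line comment above the appended list would make the intent auditable, e.g. `# dedicated key held on jormungand for remote LUKS unlock of ullr; deliberately not part of the user's regular authorizedKeys`. The attribute set this hunk edits opens outside the hunk, so the `port = 222` / separate-hostkey rationale on the line above presumably belongs to the same block and could carry the comment instead.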
diff --git a/machines/ullr/initrd-wireguard.nix b/machines/ullr/initrd-wireguard.nix
index 40865bb..73fdd09 100644
--- a/machines/ullr/initrd-wireguard.nix
+++ b/machines/ullr/initrd-wireguard.nix
@@ -28,10 +28,11 @@ in {
wg set ${wg} private-key /etc/wireguard/${wg}.key \
listen-port ${toString hostCfg.listenPort}
ip link set ${wg} up
+ ip a add ${hostCfg.ip}/128 dev ${wg}
wg set ${wg} peer ${peerCfg.publicKey} \
endpoint ${peerEndpointAddr}:${toString peerCfg.listenPort} \
allowed-ips ${lib.concatStringsSep "," ([peerCfg.ip] ++ peerCfg.allowedIPs)} \
- persisent-keepalive 58
+ persistent-keepalive 58
ip route replace ${peerCfg.ip} dev ${wg}
${lib.concatMapStringsSep "\n" (allowedIP:
"ip route replace ${allowedIP} dev ${wg}"
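Review bot: The added `ip a add ${hostCfg.ip}/128 dev ${wg}` is the only non-idempotent command in this script: the route lines around it all use `replace`, but `ip address add` fails with "File exists" if the script is re-run with the address already configured, which would stop the rest of the script before the peer is set. Using the same idiom as the routes, `ip address replace ${hostCfg.ip}/128 dev ${wg}`, keeps the script re-runnable. The hard-coded `/128` also silently assumes `hostCfg.ip` is a single IPv6 address; if that is the intended contract, a comment such as `# hostCfg.ip is a single IPv6 host address, hence /128` would make it explicit, since the shell string this hunk edits continues past the hunk and the definition of `hostCfg` is not visible here.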