From 8314702635cf72641768808d735ecbbf56469113 Mon Sep 17 00:00:00 2001
From: "Casper V. Kristensen"
Date: Sun, 3 Mar 2024 18:01:20 +0100
Subject: [PATCH] fix wg-sigma-p2p again
---
hosts/alpha/network.nix | 25 +++------------
hosts/omega/network.nix | 35 +++------------------
secrets/netdev-51-wg-sigma-p2p-address.age | 9 ------
secrets/network-wg-sigma-p2p-address.age | Bin 388 -> 0 bytes
secrets/secrets.nix | 4 ---
5 files changed, 9 insertions(+), 64 deletions(-)
delete mode 100644 secrets/netdev-51-wg-sigma-p2p-address.age
delete mode 100644 secrets/network-wg-sigma-p2p-address.age
diff --git a/hosts/alpha/network.nix b/hosts/alpha/network.nix
index ecaa9a6..74d4400 100644
--- a/hosts/alpha/network.nix
+++ b/hosts/alpha/network.nix
@@ -41,9 +41,9 @@
 name = "wg-sigma-public"; };
- # The following routes traffic destined for a secret floating IP to sigma
- # through wireguard. This allows the server to have a public address and
- # help others sail the high seas even though it is behind NAT.
+ # The following routes traffic destined for 116.203.6.156 (floating IP) to
+ # sigma through wireguard. This allows the server to have a public address
+ # and help others sail the high seas even though it is behind NAT.
 netdevs."51-wg-sigma-p2p" = { netdevConfig = { Name = "wg-sigma-p2p";
@@ -58,9 +58,7 @@
 wireguardPeerConfig = { PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0="; PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
- # Add to the main routing table that traffic for the address should
- # be sent to sigma.
- AllowedIPs = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.netdev.d/address.conf below
+ AllowedIPs = [ "116.203.6.156/32" ];
 RouteTable = "main"; }; }
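Review bot: `RouteTable = "main";` in hunk `@@ -58,9 +58,7 @@` of hosts/alpha/network.nix is left without any explanation, because the two comment lines that said the AllowedIPs route is deliberately installed in the main table were removed together with the placeholder address. A one-liner kept above `AllowedIPs`, e.g. `# Route the floating IP via the main table so alpha forwards it to sigma.`, preserves that rationale. The literal `116.203.6.156` now also appears in omega's `address` and `From` settings (hunk `@@ -91,11 +81,11 @@` of hosts/omega/network.nix) and in both header comments; a single binding such as `let sigmaFloatingIp = "116.203.6.156"; in` at the top of each file, or a shared module attribute, would keep the copies from drifting, since a mismatch between alpha's AllowedIPs and omega's interface address would presumably leave the tunnel silently dropping traffic rather than failing loudly. The enclosing `netdevs."51-wg-sigma-p2p"` attrset starts before this hunk.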
@@ -71,14 +69,6 @@
 }; };
- # To keep the address of the wg-sigma-p2p interface secret, it is not
- # configured here directly but instead contained in an encrypted file which
- # is decrypted and symlinked to the netdevs's "drop-in" directly, causing it
- # to be merged into the configuration.
- environment.etc."systemd/network/51-wg-sigma-p2p.netdev.d/address.conf" = {
- source = config.age.secrets.netdev-51-wg-sigma-p2p-address.path;
- };
-
 # Enable forwarding of packets
 boot.kernel.sysctl = { "net.ipv4.ip_forward" = true;
@@ -102,11 +92,4 @@
 owner = "root"; group = "systemd-network"; };
-
- age.secrets.netdev-51-wg-sigma-p2p-address = {
- file = ../../secrets/netdev-51-wg-sigma-p2p-address.age;
- mode = "644";
- owner = "root";
- group = "systemd-network";
- };
 }
diff --git a/hosts/omega/network.nix b/hosts/omega/network.nix
index c565d21..80e374d 100644
--- a/hosts/omega/network.nix
+++ b/hosts/omega/network.nix
@@ -55,9 +55,9 @@
 };
 # The following establishes a wireguard tunnel to alpha and configures
- # receiving traffic destined for a secret address. This allows the server
- # to have a public address and help others sail the high seas even though
- # it is behind NAT.
+ # receiving traffic destined for 116.203.6.156. This allows the server to
+ # have a public address and help others sail the high seas even though it
+ # is behind NAT.
 netdevs."51-wg-sigma-p2p" = { netdevConfig = { Name = "wg-sigma-p2p";
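Review bot: The rewritten comment in hunk `@@ -55,9 +55,9 @@` of hosts/omega/network.nix drops the "floating IP" qualifier that the matching comment in hosts/alpha/network.nix keeps, so a reader of this file alone cannot tell that 116.203.6.156 is an address that arrives at alpha and is forwarded over the tunnel rather than one configured on sigma's own uplink. Wording it `# receiving traffic destined for the floating IP 116.203.6.156 (reached via alpha).` keeps the two hosts' descriptions aligned. The `netdevs."51-wg-sigma-p2p"` attrset continues past this hunk.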
@@ -72,17 +72,7 @@
 PublicKey = "AlphazUR/z+1DRCFSvxTeKPIJnyPQvYsDoSgESvqJhM="; PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path; Endpoint = "alpha.caspervk.net:51821";
- # Keep NAT mappings and stateful firewalls open at the ISP
 PersistentKeepalive = 25;
- # AllowedIPs is both an ACL for incoming traffic, as well as a
- # routing table specifying to which peer outgoing traffic should be
- # sent. We want to allow incoming traffic from any address on the
- # internet (routed through alpha), but only replies to this should
- # be routed back over wireguard. Unlike if we had used NAT, IP
- # routes are stateless, so we have no notion of "replies". Instead,
- # we add these routes to a specific routing table and configure a
- # routing policy rule to only use it for packets being sent as the
- # p2p IP.
 AllowedIPs = [ "0.0.0.0/0" ]; RouteTable = "wg-sigma-p2p"; };
@@ -91,11 +81,11 @@
 }; networks."wg-sigma-p2p" = { name = "wg-sigma-p2p";
- address = [ "a.b.c.d/32" ]; # see 51-wg-sigma-p2p.network.d/address.conf below
+ address = [ "116.203.6.156/32" ];
 routingPolicyRules = [ { routingPolicyRuleConfig = {
- From = "a.b.c.d/32"; # see 51-wg-sigma-p2p.network.d/address.conf below
+ From = "116.203.6.156/32";
 Table = "wg-sigma-p2p"; }; }
@@ -103,14 +93,6 @@
 }; };
- # To keep the address of the wg-sigma-p2p interface secret, it is not
- # configured here directly but instead contained in an encrypted file which
- # is decrypted and symlinked to the network's "drop-in" directly, causing it
- # to be merged into the configuration.
- environment.etc."systemd/network/wg-sigma-p2p.network.d/address.conf" = {
- source = config.age.secrets.network-wg-sigma-p2p-address.path;
- };
-
 age.secrets.wireguard-preshared-key-file = { file = ../../secrets/wireguard-preshared-key-file.age; mode = "640";
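Review bot: The policy rule `From = "116.203.6.156/32"; Table = "wg-sigma-p2p";` in hunk `@@ -91,11 +81,11 @@` of hosts/omega/network.nix is, together with the `RouteTable = "wg-sigma-p2p"` line of the preceding hunk `@@ -72,17 +72,7 @@`, what stops the peer's `AllowedIPs = [ "0.0.0.0/0" ]` route from capturing all of omega's outbound traffic, and the nine-line comment that explained exactly this was deleted in that preceding hunk with nothing put in its place. A condensed version next to `routingPolicyRules` would keep the security rationale with the code, e.g. `# The peer's 0.0.0.0/0 AllowedIPs route lives in table wg-sigma-p2p, not main; this rule sends only packets sourced from the p2p address through it, so the tunnel never becomes omega's default route.` The `# Keep NAT mappings and stateful firewalls open at the ISP` comment above `PersistentKeepalive = 25;` was dropped in the same hunk and is worth restoring as well. The `networks."wg-sigma-p2p"` attrset continues past this hunk.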
@@ -124,11 +106,4 @@ owner = "root"; group = "systemd-network"; }; - - age.secrets.network-wg-sigma-p2p-address = { - file = ../../secrets/network-wg-sigma-p2p-address.age; - mode = "644"; - owner = "root"; - group = "systemd-network"; - }; } diff --git a/secrets/netdev-51-wg-sigma-p2p-address.age b/secrets/netdev-51-wg-sigma-p2p-address.age deleted file mode 100644 index bb3232d..0000000 --- a/secrets/netdev-51-wg-sigma-p2p-address.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 KjvmEQ o+mkItId5k1qUiWa5Q7Jk6pLXYgVZTZibF3ec+lfoX4 -AnV6s7gOAxr3B3PZGZDa7FMthhdGXpGHcxFOy+15oLk --> X25519 Ry3b2t2TNkqdGJmttprAlLKMmReBLEFjaD+/2o8fv0c -AMraYoxsvx79k+9behN3YhayyZhUCMsJHzrF9K4cRvk ---- qR5De+RcL3W/NKnzNqJ2UOlScPvNfZQ2LusPAc270ek -D,( h~$i/Lse -s٪a\}W~@> >JG߭vRMY_Wg:,K3m>M}trBH,(qP"F99<>Q޵3 -XA$֥Gܭy:An8W< p YPik_"@G@'o|с/[WS4yN`hƽ"@hIg- \ No newline at end of file diff --git a/secrets/network-wg-sigma-p2p-address.age b/secrets/network-wg-sigma-p2p-address.age deleted file mode 100644 index f6dd28cfc1170377c039937bc3947acc0f310be3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 388 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSni`0$?O;@P&Nq4L= z@=S9vGRg3*vh=r1v@rG#&CD;23M?$FOpD0Q%r7hm$c%JykK}U9v~boB&B<~y$TBkZ zEb(*;bd8Gi&-RL{@N`ZK^74+%F${6eDhx0v3EHAhqT znu9ssJ5~2@%wBN${lmPu{95xnFXVFCTB4kN0NQ7gWB>pF diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e5dc063..4d6e2ac 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,10 +22,6 @@ in builtins.mapAttrs (name: value: { publicKeys = value ++ [ recovery ]; }) { "users-hashed-password-file.age" = all; - # Secret network addresses - "netdev-51-wg-sigma-p2p-address.age" = [ alpha ]; - "network-wg-sigma-p2p-address.age" = [ omega ]; - ## Wireguard # The preshared key adds an additional layer of symmetric-key crypto to be # mixed into the already existing public-key crypto, for post-quantum