ips readjustments to add workstation to wireguard

2026-02-15 13:34:03 -06:00
parent 13a525ca12
commit a5f45292ff
5 changed files with 31 additions and 22 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -45,7 +45,7 @@ in
    }
  ];
  sops.secrets = {
-    "vps/home/private" = lib.mkIf config.my.secureHost {
+    "server/private" = lib.mkIf config.my.secureHost {
      sopsFile = ../../secrets/wireguard.yaml;
    };
    lidarr-mb-gap = lib.mkIf config.my.secureHost {
@@ -71,7 +71,7 @@ in
    };
    wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
      ips = [ "${config.my.ips.wg-server}/32" ];
-      privateKeyFile = config.sops.secrets."vps/home/private".path;
+      privateKeyFile = config.sops.secrets."server/private".path;
      peers = [
        {
          publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
--- a/hosts/workstation/configuration.nix
+++ b/hosts/workstation/configuration.nix
@@ -6,6 +6,7 @@
 }:
 let
  shellType = config.my.shell.type;
+  comfyuiPort = 8188;
  krita-thumbnailer = pkgs.writeTextFile {
    name = "krita-thumbnailer";
    destination = "/share/thumbnailers/kra.thumbnailer";
@@ -58,8 +59,6 @@ in
      allowedTCPPorts = [
        6674 # ns-usbloader
        8384 # syncthing
-        config.services.open-webui.port
-        config.services.sillytavern.port
      ];
      allowedTCPPortRanges = [
        {
@@ -67,6 +66,12 @@ in
          to = 1764;
        }
      ];
+      interfaces.wg0.allowedTCPPorts = [
+        config.services.ollama.port
+        config.services.open-webui.port
+        config.services.sillytavern.port
+        comfyuiPort
+      ];
    };
  };
  users = {
@@ -137,7 +142,7 @@ in
    open-webui = {
      enable = true;
      port = 2345;
-      host = config.my.ips.workstation;
+      host = config.my.ips.wg-workstation;
    };
    scx = {
      enable = true;
@@ -157,13 +162,14 @@ in
      models = "/srv/ai/ollama";
      user = "ollama";
      group = "ai";
+      host = config.my.ips.wg-workstation;
    };
    sillytavern = {
      enable = true;
      group = "ai";
      listen = true;
      port = 9324;
-      listenAddressIPv4 = config.my.ips.workstation;
+      listenAddressIPv4 = config.my.ips.wg-workstation;
    };
  };
 }
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -53,8 +53,9 @@ in
        vps = "45.79.25.87";
        wg-vps = "10.77.0.1";
        wg-server = "10.77.0.2";
-        wg-galaxy = "10.77.0.3";
-        wg-phone = "10.77.0.4";
+        wg-workstation = "10.77.0.3";
+        wg-galaxy = "10.77.0.4";
+        wg-phone = "10.77.0.5";
        wg-guest1 = "10.9.0.2";
        wg-guest2 = "10.9.0.3";
        wg-friend1 = "10.8.0.2";
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -9,7 +9,7 @@ in
 {
  options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
  config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
-    sops.secrets."vps/server/private".sopsFile = ../../secrets/wireguard.yaml;
+    sops.secrets."vps/private".sopsFile = ../../secrets/wireguard.yaml;
    networking = {
      firewall.allowedUDPPorts = [ port ];
      wireguard.interfaces.wg0 = {
@@ -21,12 +21,16 @@ in
        listenPort = port;
        postSetup = "";
        postShutdown = "";
-        privateKeyFile = config.sops.secrets."vps/server/private".path;
+        privateKeyFile = config.sops.secrets."vps/private".path;
        peers = [
          {
            publicKey = "OUiqluRaS4hmGvLJ3csQrnIM3Zzet50gsqtTABaUkH4=";
            allowedIPs = [ "${config.my.ips.wg-server}/32" ];
          }
+          {
+            publicKey = "AR17CdtUPs595sbb9WZvAYoEpdKezOKKbDmgUa9+IxQ=";
+            allowedIPs = [ "${config.my.ips.wg-workstation}/32" ];
+          }
          {
            publicKey = "BwN4uCkMd6eAS5Ugld0oXnA16IhgEEQF8mOJ3+vHliA=";
            allowedIPs = [ "${config.my.ips.wg-galaxy}/32" ];
--- a/secrets/wireguard.yaml
+++ b/secrets/wireguard.yaml
@@ -1,14 +1,12 @@
-wireguard:
-    private: ENC[AES256_GCM,data:wwggc9T88gK/EMmjPauf14DZGUnfipBpfN3FnlPhsO6FtVmK2aad/D0/Rqw=,iv:Q15iiEOFRa3bPf7NfZcEZOgEqnjIJPenYgE6c6HRYI8=,tag:x+auLhc/FDhxZxzWmcrX9Q==,type:str]
-    public: ENC[AES256_GCM,data:uelp1opnLR5EfvNBSA3Sk33ktMoG6+Pvj7oKYtdlCpXMZel9O8G7P4X5S2M=,iv:AQECJmnXSc2MM0pT8ZJtA51pn+tvhhyAxFDMBH/H6wA=,tag:yWsnQbHaeiXyPLbpxMZwsg==,type:str]
 vps:
+    private: ENC[AES256_GCM,data:GKSiPGgEIlXIfVL3I4Aa8F26cuzK5EEt+sC29Q8D1RfKJl2KXYIpTQx4SbI=,iv:StH6MWFwZlY0AsuGa89PvNh7/xqL/TBGjBdepKmEnBw=,tag:J1Snm/JllgZptFYJwONy7w==,type:str]
+    public: ENC[AES256_GCM,data:32je0q/XQkR0NMyzvdBx3vCgDDvRjS905aW56lDiSps1LO1hkIPuAtcja6g=,iv:lLwIMtZw9DYS4nYm9GfBNowgJakX6rW0gbwkvR2J5nQ=,tag:XHgkDEoIMtzR8QeSUbZ/TQ==,type:str]
 server:
-        private: ENC[AES256_GCM,data:wrP/069tuQs3ObYE8Q0MNVxe3+4vZ2HIImoIdZpj1uPgdBknboX1wmANv/k=,iv:FJL5KumHos8PoXra+BB2Uc6YedsF6MD3wWyuugXzJ+E=,tag:nVuTrW2P7JvnWnv6H1SmdQ==,type:str]
-        public: ENC[AES256_GCM,data:YnKOf9725v9FkzdNPDVf/iinMbY/YWn6ksqEz+mpB4KHVlOvpbV6vLSKRcs=,iv:aWQNy6mT4sxVbzaXKgRzZ9XVsiBCRsOlLORRqC+uiKE=,tag:mLWv6mr3VVfw0J5BrqByXg==,type:str]
-    #ENC[AES256_GCM,data:u5SEQfK0Hw==,iv:+qr9WmOzQowZ/JyN1KoWhoyHA2132fmmZzIQy7o5y6k=,tag:9TPVeQgoo2nWQ9dhuYULGw==,type:comment]
-    home:
-        private: ENC[AES256_GCM,data:YZ0jvBzkMv8Bwc9u3LDJzwSqQvPj8wPUxTIeBFiLYVQQIBjm8aS1dTYuPvo=,iv:mXuW7TVERxOMmGIit3a7Spmbk/EgYuGkO66AWJUnMF0=,tag:xM7C3F3JCiud/A9yPD5ydQ==,type:str]
-        public: ENC[AES256_GCM,data:DcwAHhHjIxFqRL5h7p/0nkFnWiI/iqR8Fws6AuFaxjgUHKYd/6l3D6q/O/0=,iv:bBJ0bsKRiGQUSlRmHqeLQWkOIUNfG5VVpuV6MOtKZO0=,tag:harMG6GDIfclmSq3D36bTw==,type:str]
+    private: ENC[AES256_GCM,data:O+qt6SyY6DsMY/ulH9XL5mylASEGpmq8Oyq/rll/N0O8F4dIdW8deuIxKFw=,iv:Y3PuQFE8yEc+AhCjB17n3nz3+mt/QgqCJKBgfAHclZ4=,tag:ztji+I+Kj823jcz5k0XsLA==,type:str]
+    public: ENC[AES256_GCM,data:i1WRBhZOIG1UBoPDC76Ofok8r6dEqxXI6mMvieFMII1pxg2s0XQVCDZQMos=,iv:aZRrsHpdchE0aXq3NbJfMEj7WaYZ05e9I1e08OlJ/kY=,tag:jhS3kVaPD6/AjpSOm6YA+Q==,type:str]
+workstation:
+    private: ENC[AES256_GCM,data:4gSDH2cAu8ADAijaqn1ieD3ymc6Afv/nCXDiKp7VsyHY5c9fCamJA8L0uGw=,iv:MfFR7FFm5aABpW98NIAwusIS29Pa53MCkD0Jk1dXHc4=,tag:XD+NKYb8MhcWO9ujvCnHPw==,type:str]
+    public: ENC[AES256_GCM,data:qMHd5bdOJk7xQbfwZ0c4wHXD66ZB74pWsq/HgfzE7lvuB3JU1qWOQFL94hY=,iv:yxdISmviQtCLRwQ0/49yU3q0kO33fJRzaMUtkGLY6pg=,tag:JM5btDGB8fpyPEvONXuSTw==,type:str]
 sops:
    age:
        - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37
@@ -47,7 +45,7 @@ sops:
            NXZzQmlneDNEb1UvR2NGK0kyY1lsa1kK7IQmyuVxa2hmic4yTeiAcxN41RvMcIDV
            Pofrhu7q8VvB/Cxb7FjVs3Ed5Hdz9xQ60mXUKsnJV/rIssm9wx4cfg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-04T18:37:11Z"
-    mac: ENC[AES256_GCM,data:AlrMK34dWDm5hfVwnQnzk3l8NIRbiVV6KHa6io9S9l07WvC3TYLTOJS6xOi4pkEz6sqQ7IpZU7RRdosxuQp50NmMEt2QYawTHFZIgzFYeKRbl5N5LCu9afC6yTtvG/sT7uenTMhh2qT1JBwebJiUdM9zNVUzWlW5d1SdxrHgIbs=,iv:dvqsDaC+trhY1kheYUEOEwHfCDz0Mu7N0LpfjnKko5g=,tag:tuqyK8vuwSrk1kf+Vi7MKg==,type:str]
+    lastmodified: "2026-02-15T19:11:14Z"
+    mac: ENC[AES256_GCM,data:3+h9hJRtZSTWApZ+tG8fZKl6QrKldPzB1Z0hjWCCpwD2xvo32SpBSocUCuXZ4aLLyk/GDc2OPXVG5jOtX/BpZdOMj3k4iqxz0BeVebEsT/YOduu5buiRqHiNxrovbAUuhpCif+1rzMXFEZzVXdQW3QmEY1hVwtoZWEWNW7vee7g=,iv:HHR8ACgc49Q9QydaLZ189m6cs/LIVgNEpJCyyj6HWHY=,tag:3Ljh6zhrMVk+O7+whHQq1w==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0