authorTimo Wilken2024-01-13 21:42:22 +0100
committerTimo Wilken2024-01-13 21:42:22 +0100
commitc83ea26c932bd9b3f9b340b85f9cbf5b0096ddb6 (patch)
tree6d682a3631b6ea6fb0b3208b78d580085a199400
parentb25a4d9f18aad6bc329a5ea5b42e03f7694f3db4 (diff)
Configure SSH and WireGuard for btl
-rwxr-xr-xregenerate-secrets.sh6
-rw-r--r--tw/services/files/wireguard/btl-fp4.psk.enc8
-rw-r--r--tw/services/files/wireguard/btl-frm.psk.enc8
-rw-r--r--tw/services/files/wireguard/btl-lap.psk.enc8
-rw-r--r--tw/services/files/wireguard/btl-lud.psk.enc8
-rw-r--r--tw/services/files/wireguard/btl-pi3.psk.enc8
-rw-r--r--tw/services/files/wireguard/btl-vin.psk.enc8
-rw-r--r--tw/services/files/wireguard/btl.key.enc8
-rw-r--r--tw/services/files/wireguard/frm-btl.psk.enc8
-rw-r--r--tw/services/files/wireguard/lap-btl.psk.enc8
-rw-r--r--tw/services/files/wireguard/lud-btl.psk.enc8
-rw-r--r--tw/services/files/wireguard/vin-btl.psk.enc8
-rw-r--r--tw/services/wireguard.scm67
-rw-r--r--tw/system.scm9
14 files changed, 123 insertions, 47 deletions
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
index 6b31a24c..f5a448b2 100755
--- a/regenerate-secrets.sh
+++ b/regenerate-secrets.sh
@@ -4,7 +4,7 @@ encto () {
# Overwriting an existing encrypted file will change its content, even if
# its decrypted content does not change, so leave it alone.
[ -e "$2" ] && return 0
- hostkey=$(awk '$1 ~ /^\[?'"$1"'(\.twilken\.net|\.local|\.fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts)
+ hostkey=$(awk '$1 ~ /^\[?'"$1"'\.(twilken\.net|local|fritz\.box)\]?(:[0-9]+)?$/ && $2 == "ssh-ed25519" { print $2, $3 }' ~/.ssh/known_hosts)
age -e -a -r "${hostkey:?No hostkey found for $1}" -o "$2"
}
@@ -21,9 +21,9 @@ store_restic () {
}
# Wireguard secret keys and pre-shared keys.
-for host in lap lud vin frm; do
+for host in lap lud vin frm btl; do
store "$host" "computers/wireguard/private/$host" "tw/services/files/wireguard/$host.key.enc"
- for host2 in lap lud vin pi3 fp4 frm; do
+ for host2 in lap lud vin pi3 fp4 frm btl; do
[ $host = $host2 ] && continue
store "$host" "computers/wireguard/preshared/$host-$host2" "tw/services/files/wireguard/$host-$host2.psk.enc"
done
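Review bot: The new `hostkey=` line in `encto` can still capture more than one known_hosts line when a host is listed under several of the accepted suffixes (say both `.twilken.net` and `.local`), and that multi-line value is then handed to `age` as a single `-r` recipient, which it rejects. Since this key decides who can later decrypt the stored secret, I would not simply take the first hit but reduce the matches to distinct keys and refuse on ambiguity, e.g. `hostkey=$(awk '…' ~/.ssh/known_hosts | sort -u)` followed by `[ "$(printf '%s\n' "$hostkey" | wc -l)" -eq 1 ] || { echo "ambiguous hostkey for $1" >&2; return 1; }`. The awk pattern also splices `$1` into the regex unescaped; the call sites in this file only pass fixed literal names, so it is fine today, but a comment `# $1 must be a bare host name without regex metacharacters` would make that expectation explicit. The function's signature `encto () {` is only visible as hunk-header context; the hunk covers part of its body.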
diff --git a/tw/services/files/wireguard/btl-fp4.psk.enc b/tw/services/files/wireguard/btl-fp4.psk.enc
new file mode 100644
index 00000000..be836ff6
--- /dev/null
+++ b/tw/services/files/wireguard/btl-fp4.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSBsTHlO
+Z0xualdod3JoYVUrNTVWS3dlZk44bHZRU3crUis0T3JRdnk4MWo0Cm43VzV3Nk9B
+a0d3S1pJYTNaRmdpVWY3WWlCTzhlRUIvSEpxNjhyRWVPR2cKLS0tIHVBUE5hYkxl
+Ync3c0RsR3JEMVA4Z0pGMWRDZmVVMFRpU3FXMDRHaGRkeUkKFFoQhZFba5icB+Ql
+C2cdEy4p15JY/n3e8a0HSxOGRGQK8/Hnhve7/1Z1zUyMvqFbgNsdzINkpq/YzW0U
+IT96GeDrSdTbxOJuX4UzaRI=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/btl-frm.psk.enc b/tw/services/files/wireguard/btl-frm.psk.enc
new file mode 100644
index 00000000..ff955002
--- /dev/null
+++ b/tw/services/files/wireguard/btl-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSA0a3Zp
+dzdlVFoxZUpRWGgxOWtrc3V0SWNIclZQck5aREd0TUdSOVdWZVN3CkdMYnpYbUl1
+ZzZXazQvWUdSZlRmN3BwZW1KbGdHUUFnV3FtYXArSUUzVTgKLS0tIHlPQW5paFhj
+eXV3SU5UOGp0UTlwdnB1MFZod2lqcmppUWt1bGw3L0diNzQK2l1nfzwi7lNLxWa3
++O6LOsRaifnxLTvfm5AQ27iIb0gUWc6Js4o2G01sQs6rYl7awcwCUqWUPgoWGzid
+GWry6J+imXTrh5fzPShwUvg=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/btl-lap.psk.enc b/tw/services/files/wireguard/btl-lap.psk.enc
new file mode 100644
index 00000000..3c579834
--- /dev/null
+++ b/tw/services/files/wireguard/btl-lap.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSBoTjlU
+WEQwZE5HK2l5NW5KSmx3MnROUXlwdXBCWHl6b2pDcjVzV3hGL0ZVCkFXenh4Smc3
+RHFUOXlFZlp5WTZIZFcvWlNBRlI0b0VJbWcybEdBM3JsTUUKLS0tIDEwc29TSUxk
+VFdkM1lpZ1p1Y2UxTGwzREhHWkh3RE1DcnJyRDBaeEorazQKcRoA357gBvJaWLIh
+ln8ggCLAVxhlZhK0ad8ysGvIKx3eCrAFoAYUY5pO5/lnotTzz/8Xa7ljHkfipNRj
++hNTCooLlOfFrVE9XEU1I44=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/btl-lud.psk.enc b/tw/services/files/wireguard/btl-lud.psk.enc
new file mode 100644
index 00000000..add998cd
--- /dev/null
+++ b/tw/services/files/wireguard/btl-lud.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSBZaWdt
+NGZ6aG4yMkVoYitqY2JtNFdQUVhiUTRHeUlSYnRvWTAwV0pXdFcwClc1MnFkYlZk
+YU02UEtINjZ5SjNwRzBUZzZyeWovck02Nmk4U0YyZlpHOUEKLS0tIGNZN1BUd0Jw
+OGljeVZPZHlxNmlJalh0ek02UXQ0b25QdXR0SWJ4YnZCUWsKYNZnRyeTawxKBx8a
+0sydB40J2ku2I2mCV2antZkOpCn+CZILUTsFLjAUhcLjq2N/wglSlTOK+zrRxNOr
+ihrsUnnxz7xciLF/4RRzugI=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/btl-pi3.psk.enc b/tw/services/files/wireguard/btl-pi3.psk.enc
new file mode 100644
index 00000000..741db8aa
--- /dev/null
+++ b/tw/services/files/wireguard/btl-pi3.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSBUVTdV
+eGJjb0xDN3pVRXlCQXBJNzQvTHNmWkFBaG0xRmJUWkhIRW5hZWs4CmF4VjEyQTFP
+S0JtNFZjaE5xVjdaeVV4eFBJcUQ0ZUhqV2dHL01hQXhoTDAKLS0tIHZrRXArci9n
+UDNzWTJCdHZ1RUdwakpWN2hlcWJneHJ0SkFuNFg3c0lpYlUKRF7ff9l2IfrGaWeJ
+HStuZMMqQ8tmFX9Kl1jlsqgmQaMkIBam3dntAhj2mMiXeWOgSoWZ4I5uCvn1g3WC
+rFUzq7/1d/J/ba6hpClupp8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/btl-vin.psk.enc b/tw/services/files/wireguard/btl-vin.psk.enc
new file mode 100644
index 00000000..dd3cc974
--- /dev/null
+++ b/tw/services/files/wireguard/btl-vin.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSBBQytO
+bEJsWms1RFBtQkpGSkV5aDJPZ2YydFhIeC9KSDlUMjJZVzRldGdvClR5NURDdS9M
+enJhUkxXNWdrenYyMlpmSzdMeUI4aVdiYkEyTm1od2ZjMUkKLS0tIHBsYTJSRm50
+QzJaanZ3M2ZXR2ducTYyRjFiWHBERGZvQWVsNUFqRCs2K28KCeS34bCGTCLRw622
+iqa3YyNH0QGlYsGFGFQFYV2SN7kB+Tre4aZUxdfT+js7Zvd0qh4V4LFXhbavHCDd
+ebyG3JQl8TbSj6y9s2Jz8lw=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/btl.key.enc b/tw/services/files/wireguard/btl.key.enc
new file mode 100644
index 00000000..4f2b54dc
--- /dev/null
+++ b/tw/services/files/wireguard/btl.key.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE8xaVhqUSAxU0N6
+MVdOSVhydi83dzg1Z0ZnL09TdFIyZFg4MkxOU28rQXJwOE41NFRVClVrR0xqSjUw
+UWFyQzU0eW5TOUxMbGFWZmhTZmU1eFVqRlJwci9DTndDNjAKLS0tIGwrOTBONitq
+dTF6cTE1UUlVOHJWU2ROL3lRRGF2bFZIYldjNEpPelZCVDgKmfPumT5AKnBMBQdL
+e/zqgY6V2ejEWPeoniCk85FeTd+VSmP05A9Ph9WI0dbwG49f++MAK3uzqz7Mj1lJ
+3dt+keoUrgr+z+n5KTfOyB8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-btl.psk.enc b/tw/services/files/wireguard/frm-btl.psk.enc
new file mode 100644
index 00000000..0fe5c4aa
--- /dev/null
+++ b/tw/services/files/wireguard/frm-btl.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd6Rm54QSA2Y3Bi
+VnUvbXN3SEUrd3cyUjBVNFB2OUQvcWtyMkxiZUVQQ3J3TXcwNGxBClk5aXpTekg0
+SE9mVnNYVEgyU3Z4alg4NnNvRGVVTnYvOEVreWx6bUxidkUKLS0tIFVTRDYvS2tF
+d0U3UjVHQkExcm5kOW1zOXpkNSt0dklCcmhoa09JTThlRFkKR8O+0uttXZMQNUA/
+b9IP+GF3TK43hr0PERfsO27HRSc1AlsM9z6UbWtS9ylujvQVa2770uGyXHly0wPe
+7Q9iOhIgafOjrefuNlL9wcM=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/lap-btl.psk.enc b/tw/services/files/wireguard/lap-btl.psk.enc
new file mode 100644
index 00000000..447759f2
--- /dev/null
+++ b/tw/services/files/wireguard/lap-btl.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEFyZmJodyBhTmV0
+RmFwZzFnOEFpa2dkUXcwRG1PQjltbE12aHNKTkpseHY3U3BuUkFjCkJLM2tNcGpM
+aWdGWjFBSmJkYUtWcnZFL2doQVh5T3B1K0F1cmJJOWxOaFUKLS0tIEY0aTJuN05M
+UnF3dnZWRktWYUNLR2RvVE5oTHlPYmtLWUJ0YnFjbkFVWkUKiATvn0/rrjC/Icoc
+jCQDog0pq8ADrLCj6AnriCHtFgCbZ9DAfaRKe488hC3v80/XuV2isZD0gKrWPrY3
+qPLNpXrFEq/rZpfVzpYXyKo=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/lud-btl.psk.enc b/tw/services/files/wireguard/lud-btl.psk.enc
new file mode 100644
index 00000000..1cbf44ca
--- /dev/null
+++ b/tw/services/files/wireguard/lud-btl.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA5Tm4z
+K0pwUmNYeE9TdzY3aDlWM1FucWZhTkQ2UUIycmNhZUo1VUJ0T0FzClFDaUx4Ymo2
+a0t4Y2Vqakw3YzlKNEx1Y2lUMk1uVmEwUm5UNE5PRFd4YjgKLS0tIEJubDdmMGkv
+aTNNU2dBcmYyZEp3RXJCR2FqZXRCR3UvWXB4VkZsL1ZXUlUKYhE1PDjLBIx+0Ov7
+XkYZHqWdbpg/8jx707EJY9EeDSstvuGrF9omUFCecCwcwrhaL2lLeOtnpLz1EOEu
+9QtFCdFqWz57D3BQsNUaQ0Q=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/vin-btl.psk.enc b/tw/services/files/wireguard/vin-btl.psk.enc
new file mode 100644
index 00000000..96062f38
--- /dev/null
+++ b/tw/services/files/wireguard/vin-btl.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSAvWVB4
+aHFPc2xONFZvLzc2a1RISCs3Z041NFoyMVdvWFEvVHZ6aVc3RzNNCnV3YmUyZ3lM
+VXU1L0MyYnB5RmQzeWVvL1FJSTc5bW1wZXpZeFdDSC9OZEUKLS0tIHhaMXY5MVVN
+VyszZ1FJTXRSVFVkWTZITHBVc01uVlM2Qmx6NE8ySERwbXMKkpDjDnVJNuPCh5VP
+O1JSQsk57gB5bW7QRryh5MA89UkSwA1DbkkwZyxEsgeVCNDu6vUuLENCptOMAMgO
+KGDW+qwMJjOgVD2jJfHC9V0=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/wireguard.scm b/tw/services/wireguard.scm
index 4a69be8c..1906f70e 100644
--- a/tw/services/wireguard.scm
+++ b/tw/services/wireguard.scm
@@ -1,4 +1,6 @@
(define-module (tw services wireguard)
+ #:use-module (ice-9 format)
+ #:use-module (ice-9 match)
#:use-module (ice-9 regex)
#:use-module ((srfi srfi-1) #:select (append-map every))
#:use-module ((srfi srfi-26) #:select (cut))
@@ -15,45 +17,27 @@
tw-wireguard-service-type))
(define %wireguard-peers
- `(("lap.twilken.net" .
- ,(wireguard-peer
- (name "lap.wg")
- (public-key "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=")
- (preshared-key "/etc/wireguard/lap.psk")
- (allowed-ips '("10.0.0.1/32" "fc00::1/128"))))
- ("lud.twilken.net" .
- ,(wireguard-peer
- (name "lud.wg")
- (endpoint "lud.twilken.net:58921")
- (public-key "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=")
- (preshared-key "/etc/wireguard/lud.psk")
- (allowed-ips '("10.0.0.2/32" "fc00::2/128"))))
- ("vin.twilken.net" .
- ,(wireguard-peer
- (name "vin.wg")
- (endpoint "vin.twilken.net:58921")
- (public-key "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=")
- (preshared-key "/etc/wireguard/vin.psk")
- (allowed-ips '("10.0.0.3/32" "fc00::3/128"))))
- ("fp4.twilken.net" .
- ,(wireguard-peer
- (name "fp4.wg")
- (public-key "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=")
- (preshared-key "/etc/wireguard/fp4.psk")
- (allowed-ips '("10.0.0.4/32" "fc00::4/128"))))
- ("pi3.twilken.net" .
- ,(wireguard-peer
- (name "pi3.wg")
- (endpoint "pi3.twilken.net:58922")
- (public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=")
- (preshared-key "/etc/wireguard/pi3.psk")
- (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))
- ("frm.twilken.net" .
- ,(wireguard-peer
- (name "frm.wg")
- (public-key "frm/YGu1BfXUl4jrN0PTFMNdTQXWPSuY1wEpz5W9C2Y=")
- (preshared-key "/etc/wireguard/frm.psk")
- (allowed-ips '("10.0.0.6/32" "fc00::6/128"))))))
+ ;; Order in the following list is significant! It determines what IPs are assigned.
+ (let ((peers '(("lap" "lap/DvCb8xXLUCqcaPEx8kCRcoeV4ScTMVZW5hvvNzA=" #f)
+ ("lud" "lud/9sbXVdOYXxOkRgAB+b/17QxbwllfJY/pbA3/MkE=" 58921)
+ ("vin" "vin/Im+sOszZFE01UF1+QlyxLP1PsPXJgTz4KmgvL3Y=" 58921)
+ ("fp4" "fp4/aLAVBADTy+UGmNh011w1CFOOwq70Df6EWlZRkAs=" #f)
+ ("pi3" "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=" 58922)
+ ("frm" "frm/YGu1BfXUl4jrN0PTFMNdTQXWPSuY1wEpz5W9C2Y=" #f)
+ ("btl" "btl/kAgD+DVXsApNn53JCZdgZ9iJvVpFZVpa3Z+rrj4=" #f))))
+
+ (map (match-lambda*
+ ((i (name public-key port))
+ (cons (string-append name ".twilken.net")
+ (wireguard-peer
+ (name (string-append name ".wg"))
+ (endpoint (and port (format #f "~a.twilken.net:~d" name port)))
+ (public-key public-key)
+ (preshared-key (string-append "/etc/wireguard/" name ".psk"))
+ (allowed-ips (list (format #f "10.0.0.~d/32" (+ i 1))
+ (format #f "fc00::~d/128" (+ i 1)))))))
+ (args (error "Unknown peer spec" args)))
+ (iota (length peers)) peers)))
(define (wireguard-peers-list? object)
(and (list? object)
@@ -72,12 +56,13 @@
"Where to store this host's private key."))
(define (other-peers this-host peers)
- (let ((own-peer (assoc-ref peers this-host)))
- (delq own-peer (map cdr peers))))
+ (delq (assoc-ref peers this-host) (map cdr peers)))
(define (tw-wireguard-service config)
"Create a full WireGuard config from the personal network CONFIG."
(match-record config <tw-wireguard-configuration> (this-host peers private-key-file)
+ (unless (assoc this-host peers)
+ (error "No peer config found for host" this-host))
(match-record (assoc-ref peers this-host) (@@ (gnu services vpn) <wireguard-peer>) (endpoint allowed-ips)
(wireguard-configuration
(addresses
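Review bot: In the rewritten `%wireguard-peers`, `(format #f "fc00::~d/128" (+ i 1))` prints the decimal peer index into a hexadecimal IPv6 group, so a tenth peer would get `fc00::10` (value 16) while its IPv4 address is `10.0.0.10`; with seven peers this is only latent, but `(format #f "fc00::~x/128" (+ i 1))` keeps the two numberings aligned and is identical for the current indices 1–7. The comment above the list says order matters; it would help to add that removing or reordering an entry silently renumbers every later peer's address, and with it the allowed-ips every other host trusts, so retired hosts should keep their slot in the list. The `unless (assoc this-host peers)` guard added to `tw-wireguard-service` is a good addition; that function's body continues past the end of the hunk.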
diff --git a/tw/system.scm b/tw/system.scm
index 4e1c4077..8d81a2db 100644
--- a/tw/system.scm
+++ b/tw/system.scm
@@ -52,7 +52,8 @@
("vin.twilken.net" . 22022)
("pi3.twilken.net" . 51022)
("lap.twilken.net" . 22)
- ("frm.twilken.net" . 22)))
+ ("frm.twilken.net" . 22)
+ ("btl.twilken.net" . 23022)))
(define (tw-openssh-service host-name)
"Configure the SSH server for remote login."
@@ -60,7 +61,8 @@
;; access, extend `openssh-service-type'.
(service openssh-service-type
(openssh-configuration
- (port-number (assoc-ref %ssh-ports host-name))
+ (port-number (or (assoc-ref %ssh-ports host-name)
+ (error "No SSH port found for host" host-name)))
(x11-forwarding? #t)
(permit-root-login #f)
(password-authentication? #f)
@@ -85,7 +87,8 @@
(let ((ip (string-replace-substring
((if ipv6? cadr car)
(wireguard-peer-allowed-ips
- (assoc-ref %wireguard-peers host-name)))
+ (or (assoc-ref %wireguard-peers host-name)
+ (error "Unknown Wireguard spec for host" host-name))))
(if ipv6? "/128" "/32") "")))
(cond
((and port ipv6?) (format #f "[~a]:~a" ip port))
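Review bot: The `(or (assoc-ref … host-name) (error … host-name))` shape now appears twice in this file, in `tw-openssh-service` and in the WireGuard IP lookup, while the equivalent guard in tw/services/wireguard.scm is written with `unless`/`assoc`; a small shared helper would keep the three consistent, e.g. `(define (assoc-ref/fail alist key what) (or (assoc-ref alist key) (error (string-append "No " what " found for host") key)))` used as `(port-number (assoc-ref/fail %ssh-ports host-name "SSH port"))`. Failing loudly here is the right call: before this change a missing entry passed `#f` as `port-number`, and what sshd would then have listened on is not visible from here. The `let` binding `ip` in the last hunk belongs to a function whose header is outside the hunk.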