r2 tunnel: adds devx-ci r2 wg tunnel to route around CF-ARN colo

johnalotoski · johnalotoski · commit 984f57a13f10 · 2025-09-11T13:48:02.000-05:00
diff --git a/.sops.yaml b/.sops.yaml
@@ -4,6 +4,7 @@ keys:
 
   # Misc
   - &misc1-metadata-a-1 age187hd0pffv549vfcmnw5u9yg3fck9e4psesz2xchrklqjqepccd7s6vlkcv
+  - &misc1-wg-a-1 age1ryvlcaajedpnkdyugnre6yysht5ahkn3yrwz48wvywpn2sxwfqtqrc8qmn
 
   # Preprod
   - &preprod1-bp-a-1 age1zhewzr3r8u4qmu9c5asw0vv9pw9qxvah9y60reu5uggrr8vrd95skhn3q3
@@ -214,13 +215,20 @@ creation_rules:
       - *sre
       - *mainnet1-rel-a-1
 
-  # Miscellaneous group specific
+  # Miscellaneous group specific, metadata server
   - path_regex: secrets/groups/misc1/deploy/.*metadata.*$
     key_groups:
     - age:
       - *sre
       - *misc1-metadata-a-1
 
+  # Miscellaneous group specific, wireguard tunnel
+  - path_regex: secrets/groups/misc1/deploy/.*wg.*$
+    key_groups:
+    - age:
+      - *sre
+      - *misc1-wg-a-1
+
   # Temporary buildkite testing
   - path_regex: secrets/buildkite/.*$
     key_groups:
diff --git a/flake/colmena.nix b/flake/colmena.nix
@@ -239,7 +239,7 @@ in
         imports = [
           config.flake.cardano-parts.cluster.groups.default.meta.cardano-node-service-ng
           config.flake.cardano-parts.cluster.groups.default.meta.cardano-tracer-service-ng
-          config.flake.cardano-parts.cluster.groups.default.meta.cardano-db-sync-service
+          config.flake.cardano-parts.cluster.groups.default.meta.cardano-db-sync-service-ng
           inputs.cardano-parts.nixosModules.profile-cardano-db-sync
           inputs.cardano-parts.nixosModules.profile-cardano-node-group
           inputs.cardano-parts.nixosModules.profile-cardano-custom-metrics
@@ -574,7 +574,7 @@ in
             map (n: mkContainer n (toString (10 - n))) (lib.range 1 count);
         };
       };
-      #
+
       # disableP2p = {
       #   services.cardano-node = {
       #     useNewTopology = false;
@@ -828,6 +828,7 @@ in
       # Misc
       misc1-metadata-a-1 = {imports = [eu-central-1 t3a-large (ebs 80) (group "misc1") metadata nixosModules.cardano-ipfs];};
       misc1-webserver-a-1 = {imports = [eu-central-1 t3a-medium (ebs 80) (group "misc1") webserver (varnishRamPct 50)];};
+      misc1-wg-a-1 = {imports = [eu-central-1 t3a-medium (ebs 80) (group "misc1") nixosModules.wg-r2-tunnel];};
       # ---------------------------------------------------------------------------------------------------------
 
       # ---------------------------------------------------------------------------------------------------------
diff --git a/flake/nixosModules/wg-r2-tunnel.nix b/flake/nixosModules/wg-r2-tunnel.nix
@@ -0,0 +1,80 @@
+flake: {
+  flake.nixosModules.wg-r2-tunnel = {
+    name,
+    config,
+    pkgs,
+    ...
+  }: let
+    inherit (groupCfg) groupName groupFlake;
+    inherit (opsLib) mkSopsSecret;
+
+    groupOutPath = groupFlake.self.outPath;
+    groupCfg = config.cardano-parts.cluster.group;
+    opsLib = flake.config.flake.cardano-parts.lib.opsLib pkgs;
+  in {
+    environment.systemPackages = [pkgs.wireguard-tools];
+
+    networking = {
+      nat = {
+        enable = true;
+        externalInterface = "ens5";
+        internalInterfaces = ["wg0"];
+      };
+
+      firewall.allowedUDPPorts = [config.networking.wireguard.interfaces.wg0.listenPort];
+
+      wireguard = {
+        enable = true;
+        interfaces.wg0 = {
+          privateKeyFile = "/run/secrets/wireguard";
+          listenPort = 51820;
+
+          # Assign the build machines in the remote farm with their existing
+          # wg0 interface assigned IP from the devx-ci repo: "10.100.0.X" where
+          # X = the numbered suffix in the name, ex: ci1, ci2, ...
+          ips = ["10.254.0.254"];
+          peers = [
+            {
+              name = "ci1";
+              allowedIPs = ["10.100.0.1/32"];
+              publicKey = "52aw4lh3H+x4fXdry2vzZ0yQ/TzmHmG5JTc61/Fu/mM=";
+              persistentKeepalive = 25;
+            }
+            {
+              name = "ci2";
+              allowedIPs = ["10.100.0.2/32"];
+              publicKey = "XF90HyfTTlDJ+8V+L0vRpD/mLYal/6vWUdjXXhauUxQ=";
+              persistentKeepalive = 25;
+            }
+            {
+              name = "ci3";
+              allowedIPs = ["10.100.0.3/32"];
+              publicKey = "SLFctAtZXGCQ8BPfy1aivR7IHXwypjJgTvIXIwKxamY=";
+              persistentKeepalive = 25;
+            }
+            {
+              name = "ci4";
+              allowedIPs = ["10.100.0.4/32"];
+              publicKey = "5B981U7qiMXtuoCfyzY9vyhR953cwcLl6Onx21qPrVo=";
+              persistentKeepalive = 25;
+            }
+            {
+              name = "ci5";
+              allowedIPs = ["10.100.0.5/32"];
+              publicKey = "+ek1olvdILegvVCDCmmUJk+f0N0VQu48Ha4XTyw3Wz0=";
+              persistentKeepalive = 25;
+            }
+          ];
+        };
+      };
+    };
+
+    sops.secrets = mkSopsSecret {
+      secretName = "wireguard";
+      keyName = "${name}-wireguard";
+      inherit groupOutPath groupName;
+      fileOwner = "root";
+      fileGroup = "root";
+    };
+  };
+}
diff --git a/secrets/groups/misc1/deploy/misc1-wg-a-1-wireguard b/secrets/groups/misc1/deploy/misc1-wg-a-1-wireguard
@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:tK5aBL1IDYXGFZm5XxHy6rKBmDWqnYjwg9QYzkX9LFv8qyfVxIlNGZq7czE=,iv:5B+kYr07j9Mzhol5gtSpAMhzbi4QY4xSRShRH3lAIpY=,tag:ZauUQyCD5/ERwtiQC5OXNQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1rj7vaq0rsarnum2fx6zq0k3l64f6mca9t9mlhqu4nfvpqhux6uts5zud2m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0TEdrc3Uwcm1zcVJycGVv\nUmFiaGViV2ZDS3hlYWszN0JyR0xibDFDTGc4CllFZWEvWmJBb3JCc2JuckhlL2VP\na0J5WENTbEZyZjdoZEd2eU5hTFJlSUkKLS0tIHRkRjZhcEhQTnhodmh6Z2RpUzhL\nY0dTVGRPOC9DYjFoMm54Nk9LNkVUclkKLkRTq9sgG5w7EyRu1EogQx3jqmN+rWla\nzcW4zfUyRdaSsqzAabUrn9tOrVRuNKnn8wwFl54xcEiB3VDEptxG6w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ryvlcaajedpnkdyugnre6yysht5ahkn3yrwz48wvywpn2sxwfqtqrc8qmn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ME11NnJBSS9PS0ltMVVZ\nU0owSW1wNU1xSDUzYUNCQVQ1R1F5UitvVTFvClhDLzU0QnJtVzVDSjBXREYvNDJE\nOTR2VFZDVFo2OThuZnlYQmEyVU94R1kKLS0tIDRKSzN2R3RLMlROeUJVTXVWZFBT\nUDhmOU5JVTZodnU5d1p4MXJCbFJKNUUK+c1kmj03HrRHbzITLE4/Y3nSmrcowGMT\nMGUhL0EqCmnVLJGkCH9i1iQlwVrVKiDzfjbN6yueLpoIgUq+Prz56w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-09-11T17:58:15Z",
+		"mac": "ENC[AES256_GCM,data:XD5SBiEp/W1RihU1L0mHuh/Up5V+gueqizU+XXsUA0rkeJGJGqK+SHjGwt23LJajEfxkIY0x5tn8tiCRGs1fLCu7+WmCQC4BxcHM8YkIKFueVVFn3e7khCZgmIHsz0ThmB+529l3PFCJAthUJAS7qhu1ELeeNm+5m4svJMoUwio=,iv:Nd9b+zHUcR7N1rCsy84EGauHuDXmKJFI1kz+NGF7Cw4=,tag:X1UD0bQ9yh20c6VRXjWdMA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
