| -rw-r--r-- | machines/taupe/default.nix | 6 | ||||
| -rw-r--r-- | machines/taureau/default.nix | 6 | ||||
| -rw-r--r-- | machines/truite/default.nix | 5 | ||||
| -rw-r--r-- | modules/tunnel/definition.nix (renamed from modules/vpn/definition.nix) | 8 | ||||
| -rw-r--r-- | modules/tunnel/egress.nix (renamed from modules/vpn/egress.nix) | 0 | ||||
| -rw-r--r-- | modules/tunnel/ingress.nix (renamed from modules/vpn/ingress.nix) | 10 | ||||
| -rw-r--r-- | secrets/tunnel/egress-key-taupe.age (renamed from secrets/vpn/egress-key-taupe.age) | bin | 1137 -> 1137 bytes | |||
| -rw-r--r-- | secrets/tunnel/egress-key-taureau.age (renamed from secrets/vpn/egress-key-taureau.age) | bin | 1136 -> 1136 bytes | |||
| -rw-r--r-- | secrets/tunnel/ingress-key.age (renamed from secrets/vpn/ingress-key.age) | 0 |
9 files changed, 23 insertions, 12 deletions
diff --git a/machines/taupe/default.nix b/machines/taupe/default.nix
index caa5a83..51d84b4 100644
--- a/machines/taupe/default.nix
+++ b/machines/taupe/default.nix
@@ -3,7 +3,10 @@
 {
   imports = [
     ../../modules/common.nix
-    ../../modules/vpn/egress.nix
+
+    # taupe is an egress node in the renard tunnel.
+    # it routes traffic towards helsinki, finland.
+    ../../modules/tunnel/egress.nix
     ./hardware.nix
     ./devices.nix
@@ -11,6 +14,7 @@
   foundation = {
     www = {
+      # a tunnel egress node requires the http/https ports.
       enable = false;
       public = false;
diff --git a/machines/taureau/default.nix b/machines/taureau/default.nix
index dd828af..d9d5636 100644
--- a/machines/taureau/default.nix
+++ b/machines/taureau/default.nix
@@ -3,7 +3,10 @@
 {
   imports = [
     ../../modules/common.nix
-    ../../modules/vpn/egress.nix
+
+    # taureau is an egress node in the renard tunnel.
+    # it routes traffic towards new york, united states.
+    ../../modules/tunnel/egress.nix
     ./hardware.nix
     ./devices.nix
@@ -11,6 +14,7 @@
   foundation = {
     www = {
+      # a tunnel egress node requires the http/https ports.
       enable = false;
       public = false;
diff --git a/machines/truite/default.nix b/machines/truite/default.nix
index 615bbc6..6b08235 100644
--- a/machines/truite/default.nix
+++ b/machines/truite/default.nix
@@ -3,7 +3,10 @@
 {
   imports = [
     ../../modules/common.nix
-    ../../modules/vpn/ingress.nix
+
+    # truite is the primary (and only) ingress node
+    # of the renard tunnel at `tunnel.rnrd.eu`.
+    ../../modules/tunnel/ingress.nix
     ./hardware.nix
     ./devices.nix
diff --git a/modules/vpn/definition.nix b/modules/tunnel/definition.nix
index 60ea5d0..74ae268 100644
--- a/modules/vpn/definition.nix
+++ b/modules/tunnel/definition.nix
@@ -1,4 +1,4 @@
-# definition of the network layout which supports our vpn
+# definition of the network layout which supports our tunnel
 # architecture.
 {
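Review bot: The comment added above `enable = false;` in the `www` block of machines/taupe/default.nix reads as if the egress node needs foundation.www, while the very next line disables it; presumably the intent is that the tunnel egress itself must own the http/https ports, so www has to stay off. Suggest making the causal link explicit, e.g. `# www stays disabled: the tunnel egress binds the http/https ports itself.` The identical comment is added in the matching hunk of machines/taureau/default.nix and should get the same wording. The `foundation.www` block continues past the end of both hunks.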
@@ -19,7 +19,7 @@
       short = "b20629b505f39194";
       public = "_837k5niQBE-qmgqpZalH3cS_fAIBwv8dwMoDW1uvgk";
-      keySecret = ../../secrets/vpn/egress-key-taupe.age;
+      keySecret = ../../secrets/tunnel/egress-key-taupe.age;
     };
   }
   {
@@ -31,7 +31,7 @@
       short = "8f7e9f8a3fa46bf0";
       public = "HvR4iP8URERpPBM4oG1Bjfw3mIfN0MoL2x6MHlt_TUM";
-      keySecret = ../../secrets/vpn/egress-key-taureau.age;
+      keySecret = ../../secrets/tunnel/egress-key-taureau.age;
     };
   }
 ];
@@ -70,6 +70,6 @@
   # the public key of the ingress interface.
   # when creating wireguard vpn configurations for the users, this
   # is the public key of the server peer at `tunnel.rnrd.eu`.
-  # the matching private key of the pair is the secret `vpn/ingress-key`.
+  # the matching private key of the pair is the secret `tunnel/ingress-key`.
   ingress.public = "s5yyPCJiN0uqW0jzKIbYCF7I9TthymiRzpNt466XeWk=";
 }
diff --git a/modules/vpn/egress.nix b/modules/tunnel/egress.nix
index 7858751..7858751 100644
--- a/modules/vpn/egress.nix
+++ b/modules/tunnel/egress.nix
diff --git a/modules/vpn/ingress.nix b/modules/tunnel/ingress.nix
index 6c6a78e..a1260c8 100644
--- a/modules/vpn/ingress.nix
+++ b/modules/tunnel/ingress.nix
@@ -23,8 +23,8 @@ let
   index: template: prefix: "${replaceString "X" (toString (index + 1)) template}/${toString prefix}";
-  ingressName = index: "vpn-ingress${toString index}";
-  egressName = "vpn-egress0";
+  ingressName = index: "tunnel-ingress${toString index}";
+  egressName = "tunnel-egress0";
   egressAddress = "10.123.255.1/16"; # /16 encompasses all possible subnet addresses
   egressMTU = 1400;
@@ -42,7 +42,7 @@ in
   };
   age.secrets.ingress-key = {
-    file = ../../secrets/vpn/ingress-key.age;
+    file = ../../secrets/tunnel/ingress-key.age;
     owner = "systemd-network";
   };
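Review bot: The `keySecret` paths in modules/tunnel/definition.nix and the `file = ../../secrets/tunnel/ingress-key.age;` in modules/tunnel/ingress.nix follow the moved `.age` files, but no hunk touches a secrets rules file; agenix conventionally keys its recipient public-key lists on these file paths in a `secrets.nix`, and if this repository has one it still names `secrets/vpn/...`, so re-encrypting or rekeying the moved secrets would fail until it is updated. modules/tunnel/egress.nix is renamed with an identical blob (`7858751..7858751`), so any `secrets/vpn/` or `modules/vpn/` reference inside it is left as-is; a search for `vpn/` across the tree before merging would confirm the rename is complete. The surrounding `let` block of ingress.nix and the attribute list in definition.nix both extend beyond these hunks.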
@@ -135,8 +135,8 @@ in
   # in this case, our communications crossing the borders are relying on vless.
   services.sing-box = let
-    inboundName = "vpn-in";
-    outboundName = egress: "vpn-out-${egress}";
+    inboundName = "tunnel-in";
+    outboundName = egress: "tunnel-out-${egress}";
   in {
     enable = true;
diff --git a/secrets/vpn/egress-key-taupe.age b/secrets/tunnel/egress-key-taupe.age
index 2e9c9cd..2e9c9cd 100644
--- a/secrets/vpn/egress-key-taupe.age
+++ b/secrets/tunnel/egress-key-taupe.age
Binary files differ
diff --git a/secrets/vpn/egress-key-taureau.age b/secrets/tunnel/egress-key-taureau.age
index f3a72c2..f3a72c2 100644
--- a/secrets/vpn/egress-key-taureau.age
+++ b/secrets/tunnel/egress-key-taureau.age
Binary files differ
diff --git a/secrets/vpn/ingress-key.age b/secrets/tunnel/ingress-key.age
index 2e83ec2..2e83ec2 100644
--- a/secrets/vpn/ingress-key.age
+++ b/secrets/tunnel/ingress-key.age |
