diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 7a93d30c..c79f72d4 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -11,17 +11,20 @@
 chvp = {
 stateVersion = "20.09";
 base = {
- network.ovh = {
- enable = true;
- publicIPV4 = {
- ip = "54.38.222.69";
- gateway = "54.38.222.254";
+ network = {
+ ovh = {
+ enable = true;
+ publicIPV4 = {
+ ip = "54.38.222.69";
+ gateway = "54.38.222.254";
+ };
+ publicIPV6 = {
+ ip = "2001:41d0:0700:1445::";
+ gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff";
+ };
+ internalIPV4 = "192.168.0.2";
 };
- publicIPV6 = {
- ip = "2001:41d0:0700:1445::";
- gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff";
- };
- internalIPV4 = "192.168.0.2";
+ wireguard.server = true;
 };
 nix.enableDirenv = false;
 zfs = {
diff --git a/modules/base/network/default.nix b/modules/base/network/default.nix
index f1ac80ae..6e03dea3 100644
--- a/modules/base/network/default.nix
+++ b/modules/base/network/default.nix
@@ -2,7 +2,8 @@
 {
 imports = [
- ./ovh.nix
 ./mobile.nix
+ ./ovh.nix
+ ./wireguard.nix
 ];
 }
diff --git a/modules/base/network/mobile.nix b/modules/base/network/mobile.nix
index c3579c59..fff5f02b 100644
--- a/modules/base/network/mobile.nix
+++ b/modules/base/network/mobile.nix
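Review bot: Importing `./wireguard.nix` here turns the `wg0` netdev on for every host that uses the base network module, because the new module only declares a `server` option and no enable switch. Its `wireguardConfig`, `networks.wg0.address` and the `age.secrets."files/wireguard/${config.networking.hostName}.privkey"` declaration all index `data.${config.networking.hostName}` unconditionally, so a host whose `networking.hostName` is not a key of that set — or is `fairphone`, whose entry has no `privkeyFile` — fails to evaluate rather than simply not joining the mesh. Consider adding `enable = lib.mkEnableOption "the wg0 WireGuard mesh";` beside `server` and wrapping the module's `config` in `lib.mkIf config.chvp.base.network.wireguard.enable`, so the import stays harmless on hosts that are not peers. The `imports` list is fully inside the hunk.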
@@ -19,39 +19,39 @@
 networking = {
 useDHCP = false;
 wireless = {
- enable = true;
- interfaces = [ wireless-interface ];
- environmentFile = config.age.secrets."passwords/networks.age".path;
- networks = {
- "Public Universal Friend".psk = "@PSK_PUF@";
- AndroidAP.psk = "@PSK_AndroidAP@";
- draadloosnw.psk = "@PSK_draadloosnw@";
- werknet.psk = "@PSK_werknet@";
- Secorima.psk = "@PSK_Secorima@";
- "Zeus WPI" = {
- psk = "@PSK_Zeus@";
- hidden = true;
+ enable = true;
+ interfaces = [ wireless-interface ];
+ environmentFile = config.age.secrets."passwords/networks.age".path;
+ networks = {
+ "Public Universal Friend".psk = "@PSK_PUF@";
+ AndroidAP.psk = "@PSK_AndroidAP@";
+ draadloosnw.psk = "@PSK_draadloosnw@";
+ werknet.psk = "@PSK_werknet@";
+ Secorima.psk = "@PSK_Secorima@";
+ "Zeus WPI" = {
+ psk = "@PSK_Zeus@";
+ hidden = true;
+ };
+ "Zeus Event 5G".psk = "@PSK_Zeus@";
+ eduroam = {
+ authProtocols = [ "WPA-EAP" ];
+ auth = ''
+ eap=PEAP
+ identity="@EDUROAM_USER@"
+ password="@EDUROAM_PASS@"
+ '';
+ extraConfig = ''
+ phase1="peaplabel=0"
+ phase2="auth=MSCHAPV2"
+ group=CCMP TKIP
+ ca_cert="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ altsubject_match="DNS:radius.ugent.be"
+ '';
+ };
+ "GUK-huis".psk = "@PSK_GUKhuis@";
 };
- "Zeus Event 5G".psk = "@PSK_Zeus@";
- eduroam = {
- authProtocols = [ "WPA-EAP" ];
- auth = ''
- eap=PEAP
- identity="@EDUROAM_USER@"
- password="@EDUROAM_PASS@"
- '';
- extraConfig = ''
- phase1="peaplabel=0"
- phase2="auth=MSCHAPV2"
- group=CCMP TKIP
- ca_cert="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- altsubject_match="DNS:radius.ugent.be"
- '';
- };
- "GUK-huis".psk = "@PSK_GUKhuis@";
 };
 };
- };
 systemd.network = {
 enable = true;
 networks = {
@@ -60,11 +60,13 @@
 DHCP = "yes";
 matchConfig = { Name = wireless-interface; };
 };
- } // lib.mapAttrs (name: attrs: {
- enable = true;
- DHCP = "yes";
- matchConfig = { Name = name; };
- } // attrs) wired-interfaces;
+ } // lib.mapAttrs
+ (name: attrs: {
+ enable = true;
+ DHCP = "yes";
+ matchConfig = { Name = name; };
+ } // attrs)
+ wired-interfaces;
 wait-online.anyInterface = true;
 };
diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix
new file mode 100644
index 00000000..6b3895a7
--- /dev/null
+++ b/modules/base/network/wireguard.nix
@@ -0,0 +1,106 @@
+{ config, lib, pkgs, ... }:
+
+let
+ data = {
+ fairphone = {
+ pubkey = "mHAq+2AP1EZdlSZIxA8UCret8EStrR3nEIU2x6NVETE=";
+ ip = "10.240.0.5";
+ };
+ kharbranth = {
+ pubkey = "Zc45PJl+kaa/2GnIs1ObfAmbe640uJ4h1oRn6+qOQHU=";
+ privkeyFile = config.age.secrets."files/wireguard/kharbranth.privkey".path;
+ ip = "10.240.0.3";
+ };
+ kholinar = {
+ pubkey = "oRA22ymFeNQBeRx6Jyd6Gd8EOUpAv9QSFkGs+Br7yEk=";
+ privkeyFile = config.age.secrets."files/wireguard/kholinar.privkey".path;
+ ip = "10.240.0.4";
+ };
+ lasting-integrity = {
+ pubkey = "mid3XfCY2jaNK0J6C9ltFLAbxL0IApwMw9K1Z+PU8C0=";
+ privkeyFile = config.age.secrets."files/wireguard/lasting-integrity.privkey".path;
+ ip = "10.240.0.1";
+ };
+ urithiru = {
+ pubkey = "f4bnm/qNhMW5iXdQcBMmP8IUN6n+pDS15Ikct7QPr0E=";
+ privkeyFile = config.age.secrets."files/wireguard/urithiru.privkey".path;
+ ip = "10.240.0.2";
+ };
+ };
+ subnet = "10.240.0.0/24";
+ pskFile = config.age.secrets."files/wireguard/psk".path;
+in
+{
+ options.chvp.base.network.wireguard = {
+ server = lib.mkOption {
+ default = false;
+ example = true;
+ };
+ };
+ config = {
+ networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
+ systemd.network = {
+ netdevs.wg0 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig =
+ if config.chvp.base.network.wireguard.server then {
+ PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
+ ListenPort = 51820;
+ } else {
+ PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
+ };
+ wireguardPeers =
+ if config.chvp.base.network.wireguard.server then
+ (builtins.map
+ (name: {
+ wireguardPeerConfig = {
+ PublicKey = data.${name}.pubkey;
+ AllowedIPs = "${data.${name}.ip}/32";
+ PresharedKeyFile = pskFile;
+ };
+ })
+ (builtins.filter (name: name != config.networking.hostName) (builtins.attrNames data)))
+ else
+ ([{
+ wireguardPeerConfig = {
+ PublicKey = data.lasting-integrity.pubkey;
+ AllowedIPs = subnet;
+ Endpoint = "lasting-integrity.vanpetegem.me:51820";
+ PresharedKeyFile = pskFile;
+ PersistentKeepalive = 25;
+ };
+ }]);
+ };
+ networks.wg0 = {
+ enable = true;
+ name = "wg0";
+ address = [ "${data.${config.networking.hostName}.ip}/32" ];
+ routes = [{
+ routeConfig =
+ if config.chvp.base.network.wireguard.server then {
+ Gateway = "${data.${config.networking.hostName}.ip}";
+ Destination = subnet;
+ } else {
+ Gateway = "${data.lasting-integrity.ip}";
+ Destination = subnet;
+ GatewayOnLink = true;
+ };
+ }];
+ };
+ };
+ age.secrets."files/wireguard/psk" = {
+ file = ../../../secrets/files/wireguard/psk.age;
+ owner = "systemd-network";
+ };
+ age.secrets."files/wireguard/${config.networking.hostName}.privkey" = {
+ file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
+ owner = "systemd-network";
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index ecfd29c8..d13204d9 100644
--- a/secrets.nix
+++ b/secrets.nix
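Review bot: `networking.firewall.trustedInterfaces = [ "wg0" ];` is set on every host, server and clients alike, so anything arriving over the tunnel skips the input firewall entirely; together with `ip_forward = 1` on the server and the `/32` peer entries plus the subnet route, every mesh peer (including the key-only `fairphone` entry) can reach every listening service on every other peer, not just the server. If the mesh is meant to carry a few known services, leave `wg0` untrusted and open them per interface with `networking.firewall.interfaces.wg0.allowedTCPPorts` / `allowedUDPPorts`; if full trust is intentional, say so next to the line, e.g. `# wg0 is fully trusted: every mesh peer can reach every local service`. Separately, `server = lib.mkOption { default = false; example = true; }` declares no `type` or `description`, so a non-boolean definition is not rejected and the option is undocumented; `type = lib.types.bool;` and a one-line `description` fix both. The whole file is within the hunk.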
@@ -81,6 +81,12 @@ in "secrets/files/services/mautrix-whatsapp/config.yml.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/services/mautrix-whatsapp/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/wireguard/kharbranth.privkey.age".publicKeys = [ kharbranth ] ++ users; + "secrets/files/wireguard/kholinar.privkey.age".publicKeys = [ kholinar ] ++ users; + "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users; + "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users; + "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users; diff --git a/secrets/files/wireguard/kharbranth.privkey.age b/secrets/files/wireguard/kharbranth.privkey.age new file mode 100644 index 00000000..73f8aa0d --- /dev/null +++ b/secrets/files/wireguard/kharbranth.privkey.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 umFZoA JYm4N9NduNbFMi0ohZsPpkVwo0pIBG2UP51vnhHVG00 +u4rMc/uBK7u5hyIMSMKPQ3ff/wHc8igjc/qQms/BJuU +-> ssh-ed25519 s9rb8g yHgBR6PDyvEoEqZK7SdUN7KnOiZkzHcg6HGIErNA/io +AXFcDDCaDBRFqCUvx6XNpcJgxd082/auFKDKSBVr12Y +-> ssh-ed25519 yad4VQ eyXNg3ooMWudaxCaNhePhMi8gOzti3JN2ynf0gshcTw +O1vNfqYE+HHAOEi0ud5EuOOkruQLcHbnUYxCySvoebM +-> 1|+Pa+x-grease lq +OI+L +--- mg/v3GAOMz38E6uR1wRYHiz+yHO/wHyzEh5GQAXiFs8 +`Xeq~owh_e "KD m,o`FIri#"@ʿ=<2s1t)Adx \ No newline at end of file diff --git a/secrets/files/wireguard/kholinar.privkey.age b/secrets/files/wireguard/kholinar.privkey.age new file mode 100644 index 00000000..ab2e60d5 --- /dev/null +++ b/secrets/files/wireguard/kholinar.privkey.age 
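Review bot: `"secrets/files/wireguard/psk.age".publicKeys = hosts ++ users;` hands one PresharedKey to every host, while each private key is scoped to its own host, so compromise of any single host also discloses the PSK used on every other tunnel and the extra post-quantum hedge the PSK is meant to add is only as strong as the weakest peer. A per-link PSK file (one per server–peer pair, encrypted only to the two hosts concerned and to `users`) would keep that property at the cost of four small entries here and a per-peer `PresharedKeyFile` in `wireguard.nix`. `fairphone` is a peer in `wireguard.nix` but has no private-key or PSK entry in this file, so its copy of the PSK is presumably provisioned out of band; a short comment on the `psk.age` line recording that would save the next reader a search. `hosts` and `users` are defined above the hunk.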
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 aUd9Ng yqX7sODFhqdgSeoC+MyrOFipNsMmJs+OKTeKaEiJKFg +JDKgyqAm0XdcP8yBUcIF5Aa2lGnlwuLJcs14DKLGSDU +-> ssh-ed25519 s9rb8g CAV9ej2dylvDNuU7GBDh/aO1gFh7nER/IbT8aNRK4wA +pI8vTOmYOS3z+aYhqu+KF8JQDctYw6dfCx+JkKi/J2I +-> ssh-ed25519 yad4VQ FTyeY6asXT/lY4VCZ8zKQGxBWyWo2sVdkk1UTVBwWXs +jLNIBg/uDaVM9MJLJy5iiTzSkFoYGTmN2wY5Ry/FbU0 +-> )3jq-grease r4OHK +HRvJ E}]fc c_liLoA +UskImtyci0pPA0IrriZPOsgSxmloRWYMbm4z0ySurKRvp+OC/2iMdN75yuzCXqfP +F4x45WgF0v8 +--- M+nUuUqF819N2JyulKWRk9w0o+mdpkJCfXH7qZfmvbw +j:\vmW'ߜ8wҞdMr]@4]Q2IOˊ5~^=;b ?? T \ No newline at end of file diff --git a/secrets/files/wireguard/lasting-integrity.privkey.age b/secrets/files/wireguard/lasting-integrity.privkey.age new file mode 100644 index 00000000..e19904a8 --- /dev/null +++ b/secrets/files/wireguard/lasting-integrity.privkey.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ O+tF+51/rsvyjD7BIYTmgvh5Cb0Ztdmb4eVaQunZZSk +w4lnoJgKxBE6rK68mAythvrrQwFFWD6h21SAXcGGQ20 +-> ssh-ed25519 s9rb8g 5JNjizEuXIVzfBc9kPA7739I3mpBBR9kYAdoyBXYYgI +lilBdvrpZ2DQi939Qno5aKSBtC+MizMpV+SaUX9huZo +-> ssh-ed25519 yad4VQ 6x3RHp3T48oPfJb0xuTdO/eST4dcp/e+8Ig3AHCDyU4 +x0Nn4WAwZwSJ4KxnBqVm0PVsfC6zYffQVMBPntnpxdc +-> %,D-grease S9CtZ9 7KLCD0W w4?"l Ywc0u~ +0BcKUGY9MA54Q2uawQVb7rVuunhxxGafhtSZYY/Y1RhJP6MjycGO2EzDbP21 +--- BzpVnapVSIEcncrZ7FxiHQNTt4AuIUuAAyL4nEj+SK0 +B'C]tD#WءezoH36crWFI6< $7brc: \ No newline at end of file diff --git a/secrets/files/wireguard/psk.age b/secrets/files/wireguard/psk.age new file mode 100644 index 00000000..0d921d87 --- /dev/null +++ b/secrets/files/wireguard/psk.age 
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 umFZoA yLpeSTvQDf0g1wvvqYIcAz44bSp3EmC6q7FOf3jAnmI +s1c6S/J5mHb7YUVxcp6LphNyFBc5ImGS/LoXGnweKYc +-> ssh-ed25519 aUd9Ng Dalx6fx3UtkBWD2Pbb03e6JRuxYwCOPe45cI0CNQo1M +03/LUSEsiSjOBdbngy6f8S5qdqQ++qunSyPPTZSiMkc +-> ssh-ed25519 hKAFvQ WQIDcr5w+fh+UwITWQ3HC69sk5RNBjjWjZ8qc4SlLEk +9C5o5i5ykP7dQN9hn6ewAPniXS4+LCU1Th0NAfGAZLU +-> ssh-ed25519 9PfEBQ xoBJjO4VfDNbBrDw6wVZ00AfGMaLg8yE+ZHZAZZbYDE +ZZNbYKoWucQAk4ZmyAGQzd9bskv1IX/V4Aj1ySNdXf8 +-> ssh-ed25519 s9rb8g RmVZJ3xk28YEYJX5GVZYOJrMEZ0ZlC9R/+tmbhiFE0U +vqlZ8t8Vqcq0iyPF54jj5EiPXvs1KsoPAQb3WHy06nY +-> ssh-ed25519 yad4VQ 0jbkRc4zY5Xd/LLAjLa+Tg0GJRf+AH8ypqOvy/NcUgU +p82MhiFJ7gOihedd07xujyxzhfdE8h8lMBbPz4KySQI +-> )1R(RoH"-grease T5aJwY%t ]WTe@ +6fbdYV3jIsHh/3iLh2AnfM5olIgliBz8o10rsQ8S73G0zKj36HbEV9coYKfEj0Yh + +--- M9yEf7y/nzRvZGmJPtA3vkb8NjXc3+nWKrhSohgCgBo +>sB Q*|-F\F>/w_X_=0We6^? \ No newline at end of file diff --git a/secrets/files/wireguard/urithiru.privkey.age b/secrets/files/wireguard/urithiru.privkey.age new file mode 100644 index 00000000..4d8ff180 Binary files /dev/null and b/secrets/files/wireguard/urithiru.privkey.age differ