Setup wireguard

machines/lasting-integrity/default.nix

@@ -11,17 +11,20 @@
   chvp = {
     stateVersion = "20.09";
     base = {
-      network.ovh = {
+      network = {
-        enable = true;
+        ovh = {
-        publicIPV4 = {
+          enable = true;
-          ip = "54.38.222.69";
+          publicIPV4 = {
-          gateway = "54.38.222.254";
+            ip = "54.38.222.69";
+            gateway = "54.38.222.254";
+          };
+          publicIPV6 = {
+            ip = "2001:41d0:0700:1445::";
+            gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff";
+          };
+          internalIPV4 = "192.168.0.2";
         };
-        publicIPV6 = {
+        wireguard.server = true;
-          ip = "2001:41d0:0700:1445::";
-          gateway = "2001:41d0:0700:14ff:ff:ff:ff:ff";
-        };
-        internalIPV4 = "192.168.0.2";
       };
       nix.enableDirenv = false;
       zfs = {

modules/base/network/default.nix

@@ -2,7 +2,8 @@
 
 {
   imports = [
-    ./ovh.nix
     ./mobile.nix
+    ./ovh.nix
+    ./wireguard.nix
   ];
 }

modules/base/network/mobile.nix

@@ -19,39 +19,39 @@
     networking = {
       useDHCP = false;
       wireless = {
-      enable = true;
+        enable = true;
-      interfaces = [ wireless-interface ];
+        interfaces = [ wireless-interface ];
-      environmentFile = config.age.secrets."passwords/networks.age".path;
+        environmentFile = config.age.secrets."passwords/networks.age".path;
-      networks = {
+        networks = {
-        "Public Universal Friend".psk = "@PSK_PUF@";
+          "Public Universal Friend".psk = "@PSK_PUF@";
-        AndroidAP.psk = "@PSK_AndroidAP@";
+          AndroidAP.psk = "@PSK_AndroidAP@";
-        draadloosnw.psk = "@PSK_draadloosnw@";
+          draadloosnw.psk = "@PSK_draadloosnw@";
-        werknet.psk = "@PSK_werknet@";
+          werknet.psk = "@PSK_werknet@";
-        Secorima.psk = "@PSK_Secorima@";
+          Secorima.psk = "@PSK_Secorima@";
-        "Zeus WPI" = {
+          "Zeus WPI" = {
-          psk = "@PSK_Zeus@";
+            psk = "@PSK_Zeus@";
-          hidden = true;
+            hidden = true;
+          };
+          "Zeus Event 5G".psk = "@PSK_Zeus@";
+          eduroam = {
+            authProtocols = [ "WPA-EAP" ];
+            auth = ''
+              eap=PEAP
+              identity="@EDUROAM_USER@"
+              password="@EDUROAM_PASS@"
+            '';
+            extraConfig = ''
+              phase1="peaplabel=0"
+              phase2="auth=MSCHAPV2"
+              group=CCMP TKIP
+              ca_cert="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+              altsubject_match="DNS:radius.ugent.be"
+            '';
+          };
+          "GUK-huis".psk = "@PSK_GUKhuis@";
         };
-        "Zeus Event 5G".psk = "@PSK_Zeus@";
-        eduroam = {
-          authProtocols = [ "WPA-EAP" ];
-          auth = ''
-            eap=PEAP
-            identity="@EDUROAM_USER@"
-            password="@EDUROAM_PASS@"
-          '';
-          extraConfig = ''
-            phase1="peaplabel=0"
-            phase2="auth=MSCHAPV2"
-            group=CCMP TKIP
-            ca_cert="${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-            altsubject_match="DNS:radius.ugent.be"
-          '';
-        };
-        "GUK-huis".psk = "@PSK_GUKhuis@";
       };
     };
-    };
     systemd.network = {
       enable = true;
       networks = {
@@ -60,11 +60,13 @@
           DHCP = "yes";
           matchConfig = { Name = wireless-interface; };
         };
-      } // lib.mapAttrs (name: attrs: {
+      } // lib.mapAttrs
-        enable = true;
+        (name: attrs: {
-        DHCP = "yes";
+          enable = true;
-        matchConfig = { Name = name; };
+          DHCP = "yes";
-      } // attrs) wired-interfaces;
+          matchConfig = { Name = name; };
+        } // attrs)
+        wired-interfaces;
       wait-online.anyInterface = true;
     };
 

modules/base/network/wireguard.nix

@@ -0,0 +1,106 @@
+{ config, lib, pkgs, ... }:
+
+let
+  data = {
+    fairphone = {
+      pubkey = "mHAq+2AP1EZdlSZIxA8UCret8EStrR3nEIU2x6NVETE=";
+      ip = "10.240.0.5";
+    };
+    kharbranth = {
+      pubkey = "Zc45PJl+kaa/2GnIs1ObfAmbe640uJ4h1oRn6+qOQHU=";
+      privkeyFile = config.age.secrets."files/wireguard/kharbranth.privkey".path;
+      ip = "10.240.0.3";
+    };
+    kholinar = {
+      pubkey = "oRA22ymFeNQBeRx6Jyd6Gd8EOUpAv9QSFkGs+Br7yEk=";
+      privkeyFile = config.age.secrets."files/wireguard/kholinar.privkey".path;
+      ip = "10.240.0.4";
+    };
+    lasting-integrity = {
+      pubkey = "mid3XfCY2jaNK0J6C9ltFLAbxL0IApwMw9K1Z+PU8C0=";
+      privkeyFile = config.age.secrets."files/wireguard/lasting-integrity.privkey".path;
+      ip = "10.240.0.1";
+    };
+    urithiru = {
+      pubkey = "f4bnm/qNhMW5iXdQcBMmP8IUN6n+pDS15Ikct7QPr0E=";
+      privkeyFile = config.age.secrets."files/wireguard/urithiru.privkey".path;
+      ip = "10.240.0.2";
+    };
+  };
+  subnet = "10.240.0.0/24";
+  pskFile = config.age.secrets."files/wireguard/psk".path;
+in
+{
+  options.chvp.base.network.wireguard = {
+    server = lib.mkOption {
+      default = false;
+      example = true;
+    };
+  };
+  config = {
+    networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
+    networking.firewall.trustedInterfaces = [ "wg0" ];
+    boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
+    systemd.network = {
+      netdevs.wg0 = {
+        enable = true;
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig =
+          if config.chvp.base.network.wireguard.server then {
+            PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
+            ListenPort = 51820;
+          } else {
+            PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
+          };
+        wireguardPeers =
+          if config.chvp.base.network.wireguard.server then
+            (builtins.map
+              (name: {
+                wireguardPeerConfig = {
+                  PublicKey = data.${name}.pubkey;
+                  AllowedIPs = "${data.${name}.ip}/32";
+                  PresharedKeyFile = pskFile;
+                };
+              })
+              (builtins.filter (name: name != config.networking.hostName) (builtins.attrNames data)))
+          else
+            ([{
+              wireguardPeerConfig = {
+                PublicKey = data.lasting-integrity.pubkey;
+                AllowedIPs = subnet;
+                Endpoint = "lasting-integrity.vanpetegem.me:51820";
+                PresharedKeyFile = pskFile;
+                PersistentKeepalive = 25;
+              };
+            }]);
+      };
+      networks.wg0 = {
+        enable = true;
+        name = "wg0";
+        address = [ "${data.${config.networking.hostName}.ip}/32" ];
+        routes = [{
+          routeConfig =
+            if config.chvp.base.network.wireguard.server then {
+              Gateway = "${data.${config.networking.hostName}.ip}";
+              Destination = subnet;
+            } else {
+              Gateway = "${data.lasting-integrity.ip}";
+              Destination = subnet;
+              GatewayOnLink = true;
+            };
+        }];
+      };
+    };
+    age.secrets."files/wireguard/psk" = {
+      file = ../../../secrets/files/wireguard/psk.age;
+      owner = "systemd-network";
+    };
+    age.secrets."files/wireguard/${config.networking.hostName}.privkey" = {
+      file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
+      owner = "systemd-network";
+    };
+  };
+}

secrets.nix

@@ -81,6 +81,12 @@ in
   "secrets/files/services/mautrix-whatsapp/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
   "secrets/files/services/mautrix-whatsapp/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
 
+  "secrets/files/wireguard/kharbranth.privkey.age".publicKeys = [ kharbranth ] ++ users;
+  "secrets/files/wireguard/kholinar.privkey.age".publicKeys = [ kholinar ] ++ users;
+  "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users;
+  "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users;
+
   "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;
   "secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users;

secrets/files/wireguard/kharbranth.privkey.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 umFZoA JYm4N9NduNbFMi0ohZsPpkVwo0pIBG2UP51vnhHVG00
+u4rMc/uBK7u5hyIMSMKPQ3ff/wHc8igjc/qQms/BJuU
+-> ssh-ed25519 s9rb8g yHgBR6PDyvEoEqZK7SdUN7KnOiZkzHcg6HGIErNA/io
+AXFcDDCaDBRFqCUvx6XNpcJgxd082/auFKDKSBVr12Y
+-> ssh-ed25519 yad4VQ eyXNg3ooMWudaxCaNhePhMi8gOzti3JN2ynf0gshcTw
+O1vNfqYE+HHAOEi0ud5EuOOkruQLcHbnUYxCySvoebM
+-> 1|+Pa+x-grease lq
+OI+L
+--- mg/v3GAOMz38E6uR1wRYHiz+yHO/wHyzEh5GQAXiFs8
+Ô`ÿXe«q~oÍw»ŠŒ’hò¡_e
¹"KÏÐDï
¶m,<2C>o
¯<>`FôàIØrîi®#‘"¶Ü@¶Ê¿=¦<2s1Øt)‚èAdxªæ

secrets/files/wireguard/kholinar.privkey.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 aUd9Ng yqX7sODFhqdgSeoC+MyrOFipNsMmJs+OKTeKaEiJKFg
+JDKgyqAm0XdcP8yBUcIF5Aa2lGnlwuLJcs14DKLGSDU
+-> ssh-ed25519 s9rb8g CAV9ej2dylvDNuU7GBDh/aO1gFh7nER/IbT8aNRK4wA
+pI8vTOmYOS3z+aYhqu+KF8JQDctYw6dfCx+JkKi/J2I
+-> ssh-ed25519 yad4VQ FTyeY6asXT/lY4VCZ8zKQGxBWyWo2sVdkk1UTVBwWXs
+jLNIBg/uDaVM9MJLJy5iiTzSkFoYGTmN2wY5Ry/FbU0
+-> )3jq-grease r4OHK +HRvJ E}]fc c_liLoA
+UskImtyci0pPA0IrriZPOsgSxmloRWYMbm4z0ySurKRvp+OC/2iMdN75yuzCXqfP
+F4x45WgF0v8
+--- M+nUuUqF819N2JyulKWRk9w0o+mdpkJCfXH7qZfmvbw
+jãÙ:à\vm¥W¾ð
'×Ååßœ´8wÜÒž½dMr–]¦›@ñè4]Q2IOðà´ÓËŠ‰5~^õ=;»Öb×ÝÂ
??¦æTîá

secrets/files/wireguard/lasting-integrity.privkey.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ O+tF+51/rsvyjD7BIYTmgvh5Cb0Ztdmb4eVaQunZZSk
+w4lnoJgKxBE6rK68mAythvrrQwFFWD6h21SAXcGGQ20
+-> ssh-ed25519 s9rb8g 5JNjizEuXIVzfBc9kPA7739I3mpBBR9kYAdoyBXYYgI
+lilBdvrpZ2DQi939Qno5aKSBtC+MizMpV+SaUX9huZo
+-> ssh-ed25519 yad4VQ 6x3RHp3T48oPfJb0xuTdO/eST4dcp/e+8Ig3AHCDyU4
+x0Nn4WAwZwSJ4KxnBqVm0PVsfC6zYffQVMBPntnpxdc
+-> %,D-grease S9CtZ9 7KLCD0W w4?"l Ywc0u~
+0BcKUGY9MA54Q2uawQVb7rVuunhxxGafhtSZYY/Y1RhJP6MjycGO2EzDbP21
+--- BzpVnapVSIEcncrZ7FxiHQNTt4AuIUuAAyL4nEj+SK0
+ÈB'C]õþtÀDÏï»à#†WØ¡e’zoH„’Á®36çªÆËcéÝr–WFÊÈçI°6•¦Âï<¿	$ 7b
Ò§rñöécÉ:

secrets/files/wireguard/psk.age

@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> ssh-ed25519 umFZoA yLpeSTvQDf0g1wvvqYIcAz44bSp3EmC6q7FOf3jAnmI
+s1c6S/J5mHb7YUVxcp6LphNyFBc5ImGS/LoXGnweKYc
+-> ssh-ed25519 aUd9Ng Dalx6fx3UtkBWD2Pbb03e6JRuxYwCOPe45cI0CNQo1M
+03/LUSEsiSjOBdbngy6f8S5qdqQ++qunSyPPTZSiMkc
+-> ssh-ed25519 hKAFvQ WQIDcr5w+fh+UwITWQ3HC69sk5RNBjjWjZ8qc4SlLEk
+9C5o5i5ykP7dQN9hn6ewAPniXS4+LCU1Th0NAfGAZLU
+-> ssh-ed25519 9PfEBQ xoBJjO4VfDNbBrDw6wVZ00AfGMaLg8yE+ZHZAZZbYDE
+ZZNbYKoWucQAk4ZmyAGQzd9bskv1IX/V4Aj1ySNdXf8
+-> ssh-ed25519 s9rb8g RmVZJ3xk28YEYJX5GVZYOJrMEZ0ZlC9R/+tmbhiFE0U
+vqlZ8t8Vqcq0iyPF54jj5EiPXvs1KsoPAQb3WHy06nY
+-> ssh-ed25519 yad4VQ 0jbkRc4zY5Xd/LLAjLa+Tg0GJRf+AH8ypqOvy/NcUgU
+p82MhiFJ7gOihedd07xujyxzhfdE8h8lMBbPz4KySQI
+-> )1R(RoH"-grease T5aJwY%t ]WTe@
+6fbdYV3jIsHh/3iLh2AnfM5olIgliBz8o10rsQ8S73G0zKj36HbEV9coYKfEj0Yh
+
+--- M9yEf7y/nzRvZGmJPtA3vkb8NjXc3+nWKrhSohgCgBo
+>s•Ÿ—B	ßQàÊ*|‘áÒ-™ÃžÚñF\ÖœÐÆF>/»w_úö¾¸±Xøô›_=‡¶ÁÈô·™Á0W¯<57>÷á<C3B7>e6º^œ?Ò