Setup wireguard

This commit is contained in:
Charlotte Van Petegem 2022-11-18 23:25:54 +01:00
parent 66e515a419
commit d6619a35fa
No known key found for this signature in database
GPG key ID: 019E764B7184435A
10 changed files with 216 additions and 46 deletions


@ -11,7 +11,8 @@
chvp = {
stateVersion = "20.09";
base = {
network.ovh = {
network = {
ovh = {
enable = true;
publicIPV4 = {
ip = "54.38.222.69";
@ -23,6 +24,8 @@
};
internalIPV4 = "192.168.0.2";
};
wireguard.server = true;
};
nix.enableDirenv = false;
zfs = {
backups = [


@ -2,7 +2,8 @@
{
imports = [
./ovh.nix
./mobile.nix
./ovh.nix
./wireguard.nix
];
}


@ -60,11 +60,13 @@
DHCP = "yes";
matchConfig = { Name = wireless-interface; };
};
} // lib.mapAttrs (name: attrs: {
} // lib.mapAttrs
(name: attrs: {
enable = true;
DHCP = "yes";
matchConfig = { Name = name; };
} // attrs) wired-interfaces;
} // attrs)
wired-interfaces;
wait-online.anyInterface = true;
};


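--- /dev/null
+++ b/wireguard.nix
@@ -0,0 +1,106 @@
+{ config, lib, pkgs, ... }:
+let
+data = {
+fairphone = {
+pubkey = "mHAq+2AP1EZdlSZIxA8UCret8EStrR3nEIU2x6NVETE=";
+ip = "10.240.0.5";
+};
+kharbranth = {
+pubkey = "Zc45PJl+kaa/2GnIs1ObfAmbe640uJ4h1oRn6+qOQHU=";
+privkeyFile = config.age.secrets."files/wireguard/kharbranth.privkey".path;
+ip = "10.240.0.3";
+};
+kholinar = {
+pubkey = "oRA22ymFeNQBeRx6Jyd6Gd8EOUpAv9QSFkGs+Br7yEk=";
+privkeyFile = config.age.secrets."files/wireguard/kholinar.privkey".path;
+ip = "10.240.0.4";
+};
+lasting-integrity = {
+pubkey = "mid3XfCY2jaNK0J6C9ltFLAbxL0IApwMw9K1Z+PU8C0=";
+privkeyFile = config.age.secrets."files/wireguard/lasting-integrity.privkey".path;
+ip = "10.240.0.1";
+};
+urithiru = {
+pubkey = "f4bnm/qNhMW5iXdQcBMmP8IUN6n+pDS15Ikct7QPr0E=";
+privkeyFile = config.age.secrets."files/wireguard/urithiru.privkey".path;
+ip = "10.240.0.2";
+};
+};
+subnet = "10.240.0.0/24";
+pskFile = config.age.secrets."files/wireguard/psk".path;
+in
+{
+options.chvp.base.network.wireguard = {
+server = lib.mkOption {
+default = false;
+example = true;
+};
+};
+config = {
+networking.firewall.allowedUDPPorts = lib.optional config.chvp.base.network.wireguard.server 51820;
+networking.firewall.trustedInterfaces = [ "wg0" ];
+boot.kernel.sysctl = lib.mkIf config.chvp.base.network.wireguard.server { "net.ipv4.ip_forward" = 1; };
+systemd.network = {
+netdevs.wg0 = {
+enable = true;
+netdevConfig = {
+Name = "wg0";
+Kind = "wireguard";
+};
+wireguardConfig =
+if config.chvp.base.network.wireguard.server then {
+PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
+ListenPort = 51820;
+} else {
+PrivateKeyFile = data.${config.networking.hostName}.privkeyFile;
+};
+wireguardPeers =
+if config.chvp.base.network.wireguard.server then
+(builtins.map
+(name: {
+wireguardPeerConfig = {
+PublicKey = data.${name}.pubkey;
+AllowedIPs = "${data.${name}.ip}/32";
+PresharedKeyFile = pskFile;
+};
+})
+(builtins.filter (name: name != config.networking.hostName) (builtins.attrNames data)))
+else
+([{
+wireguardPeerConfig = {
+PublicKey = data.lasting-integrity.pubkey;
+AllowedIPs = subnet;
+Endpoint = "lasting-integrity.vanpetegem.me:51820";
+PresharedKeyFile = pskFile;
+PersistentKeepalive = 25;
+};
+}]);
+};
+networks.wg0 = {
+enable = true;
+name = "wg0";
+address = [ "${data.${config.networking.hostName}.ip}/32" ];
+routes = [{
+routeConfig =
+if config.chvp.base.network.wireguard.server then {
+Gateway = "${data.${config.networking.hostName}.ip}";
+Destination = subnet;
+} else {
+Gateway = "${data.lasting-integrity.ip}";
+Destination = subnet;
+GatewayOnLink = true;
+};
+}];
+};
+};
+age.secrets."files/wireguard/psk" = {
+file = ../../../secrets/files/wireguard/psk.age;
+owner = "systemd-network";
+};
+age.secrets."files/wireguard/${config.networking.hostName}.privkey" = {
+file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
+owner = "systemd-network";
+};
+};
+}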
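Review bot: The `server` option under `options.chvp.base.network.wireguard` is declared without a `type`, so a mistyped value is accepted at the option and only fails later inside `lib.optional`/`lib.mkIf` with a less specific message; declare it as `type = lib.types.bool;` and add a `description`. The module also indexes `data.${config.networking.hostName}` unconditionally (in `wireguardConfig`, `networks.wg0.address` and the `age.secrets` declaration), so any host that imports it but is not listed in `data` fails to evaluate — presumably every managed host is listed, but a guard such as `lib.mkIf (data ? ${config.networking.hostName})` around the config would make that assumption explicit. Separately, the client branch hardcodes `lasting-integrity` as the hub (its pubkey, `Endpoint` and gateway ip) while `server` is a per-host flag, so the two can drift; a comment on `data` stating that `lasting-integrity` is the designated server and that `server = true` must only be set there would document the coupling.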


@ -81,6 +81,12 @@ in
"secrets/files/services/mautrix-whatsapp/config.yml.age".publicKeys = [ lasting-integrity ] ++ users;
"secrets/files/services/mautrix-whatsapp/registration.yml.age".publicKeys = [ lasting-integrity ] ++ users;
"secrets/files/wireguard/kharbranth.privkey.age".publicKeys = [ kharbranth ] ++ users;
"secrets/files/wireguard/kholinar.privkey.age".publicKeys = [ kholinar ] ++ users;
"secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users;
"secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users;
"secrets/files/wireguard/psk.age".publicKeys = hosts ++ users;
"secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users;
"secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users;
"secrets/data-access/ssh_host_ed25519_key.age".publicKeys = [ urithiru ] ++ users;


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 umFZoA JYm4N9NduNbFMi0ohZsPpkVwo0pIBG2UP51vnhHVG00
u4rMc/uBK7u5hyIMSMKPQ3ff/wHc8igjc/qQms/BJuU
-> ssh-ed25519 s9rb8g yHgBR6PDyvEoEqZK7SdUN7KnOiZkzHcg6HGIErNA/io
AXFcDDCaDBRFqCUvx6XNpcJgxd082/auFKDKSBVr12Y
-> ssh-ed25519 yad4VQ eyXNg3ooMWudaxCaNhePhMi8gOzti3JN2ynf0gshcTw
O1vNfqYE+HHAOEi0ud5EuOOkruQLcHbnUYxCySvoebM
-> 1|+Pa+x-grease lq
OI+L
--- mg/v3GAOMz38E6uR1wRYHiz+yHO/wHyzEh5GQAXiFs8
Ô`ÿXe«q~oÍw»ŠŒhò¡_e ¹"KÏÐDï ¶m,<2C>o¯<>`FôàIØrîi®#"¶Ü@¶Ê¿=¦<2s1Øt)èAdxªæ


@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 aUd9Ng yqX7sODFhqdgSeoC+MyrOFipNsMmJs+OKTeKaEiJKFg
JDKgyqAm0XdcP8yBUcIF5Aa2lGnlwuLJcs14DKLGSDU
-> ssh-ed25519 s9rb8g CAV9ej2dylvDNuU7GBDh/aO1gFh7nER/IbT8aNRK4wA
pI8vTOmYOS3z+aYhqu+KF8JQDctYw6dfCx+JkKi/J2I
-> ssh-ed25519 yad4VQ FTyeY6asXT/lY4VCZ8zKQGxBWyWo2sVdkk1UTVBwWXs
jLNIBg/uDaVM9MJLJy5iiTzSkFoYGTmN2wY5Ry/FbU0
-> )3jq-grease r4OHK +HRvJ E}]fc c_liLoA
UskImtyci0pPA0IrriZPOsgSxmloRWYMbm4z0ySurKRvp+OC/2iMdN75yuzCXqfP
F4x45WgF0v8
--- M+nUuUqF819N2JyulKWRk9w0o+mdpkJCfXH7qZfmvbw
jãÙ:à\vm¥W¾ð'×Ååßœ´8wÜÒž½dMr]¦›@ñè4]Q2IOðà´ÓËŠ‰5~^õ=;»Öb×Ý ?? ¦æTîá


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 hKAFvQ O+tF+51/rsvyjD7BIYTmgvh5Cb0Ztdmb4eVaQunZZSk
w4lnoJgKxBE6rK68mAythvrrQwFFWD6h21SAXcGGQ20
-> ssh-ed25519 s9rb8g 5JNjizEuXIVzfBc9kPA7739I3mpBBR9kYAdoyBXYYgI
lilBdvrpZ2DQi939Qno5aKSBtC+MizMpV+SaUX9huZo
-> ssh-ed25519 yad4VQ 6x3RHp3T48oPfJb0xuTdO/eST4dcp/e+8Ig3AHCDyU4
x0Nn4WAwZwSJ4KxnBqVm0PVsfC6zYffQVMBPntnpxdc
-> %,D-grease S9CtZ9 7KLCD0W w4?"l Ywc0u~
0BcKUGY9MA54Q2uawQVb7rVuunhxxGafhtSZYY/Y1RhJP6MjycGO2EzDbP21
--- BzpVnapVSIEcncrZ7FxiHQNTt4AuIUuAAyL4nEj+SK0
ÈB'C]õþtÀDÏï»à#†WØ¡ezoHÁ®36çªÆËcéÝrWFÊÈçI°6•¦Âï<¿ $ 7bÒ§rñöécÉ:


@ -0,0 +1,18 @@
age-encryption.org/v1
-> ssh-ed25519 umFZoA yLpeSTvQDf0g1wvvqYIcAz44bSp3EmC6q7FOf3jAnmI
s1c6S/J5mHb7YUVxcp6LphNyFBc5ImGS/LoXGnweKYc
-> ssh-ed25519 aUd9Ng Dalx6fx3UtkBWD2Pbb03e6JRuxYwCOPe45cI0CNQo1M
03/LUSEsiSjOBdbngy6f8S5qdqQ++qunSyPPTZSiMkc
-> ssh-ed25519 hKAFvQ WQIDcr5w+fh+UwITWQ3HC69sk5RNBjjWjZ8qc4SlLEk
9C5o5i5ykP7dQN9hn6ewAPniXS4+LCU1Th0NAfGAZLU
-> ssh-ed25519 9PfEBQ xoBJjO4VfDNbBrDw6wVZ00AfGMaLg8yE+ZHZAZZbYDE
ZZNbYKoWucQAk4ZmyAGQzd9bskv1IX/V4Aj1ySNdXf8
-> ssh-ed25519 s9rb8g RmVZJ3xk28YEYJX5GVZYOJrMEZ0ZlC9R/+tmbhiFE0U
vqlZ8t8Vqcq0iyPF54jj5EiPXvs1KsoPAQb3WHy06nY
-> ssh-ed25519 yad4VQ 0jbkRc4zY5Xd/LLAjLa+Tg0GJRf+AH8ypqOvy/NcUgU
p82MhiFJ7gOihedd07xujyxzhfdE8h8lMBbPz4KySQI
-> )1R(RoH"-grease T5aJwY%t ]WTe@
6fbdYV3jIsHh/3iLh2AnfM5olIgliBz8o10rsQ8S73G0zKj36HbEV9coYKfEj0Yh
--- M9yEf7y/nzRvZGmJPtA3vkb8NjXc3+nWKrhSohgCgBo
>s•Ÿ—B ßQàÊ*|‘áÒ-™ÃžÚñF\ÖœÐÆF>/»w_úö¾¸±Xøô_=‡¶ÁÈô·™Á0W¯<57>÷á<C3B7>e6º^œ?Ò

Binary file not shown.