Commit 67f78fbee05c
Changed files (13)
lib/default.nix
@@ -73,6 +73,7 @@
inherit system;
modules = [
self.nixosModules.wireguard-client
+ self.nixosModules.wireguard-server
inputs.agenix.nixosModules.default
inputs.lanzaboote.nixosModules.lanzaboote
homeInput.nixosModules.home-manager
modules/wireguard-client.nix
@@ -17,11 +17,11 @@ in
{
options = {
services.wireguard = {
- enable = mkEnableOption "Enable ";
+ enable = mkEnableOption "Enable a wireguard client";
ips = mkOption {
type = with types; listOf str;
description = ''
- The client IPs
+ The peer IPs
'';
};
allowedIPs = mkOption {
modules/wireguard-server.nix
@@ -0,0 +1,52 @@
+{
+ config,
+ options,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
+ cfg = config.services.wireguard.server;
+in
+{
+ options = {
+ services.wireguard.server = {
+ enable = mkEnableOption "Enable a wireguard server";
+ ips = mkOption {
+ type = with types; listOf str;
+ description = ''
+ The peer IPs
+ '';
+ };
+ peers = mkOption {
+ default = [ ];
+ description = "Peers linked to the interface.";
+ type = with types; listOf anything;
+ };
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.wireguard-tools ];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; # FIXME should probably be mkDefault
+ networking.firewall.extraCommands = ''
+ iptables -t nat -A POSTROUTING -s10.100.0.0/24 -j MASQUERADE
+ iptables -A FORWARD -i wg+ -j ACCEPT
+ '';
+ networking.firewall.allowedUDPPorts = [ 51820 ];
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.wireguard.enable = true;
+ networking.wireguard.interfaces = {
+ "wg0" = {
+ inherit (cfg) ips peers;
+ listenPort = 12345;
+ privateKeyFile = "/etc/wireguard/private.key";
+ };
+ };
+ };
+}
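Review bot: The firewall opens UDP 51820 in `networking.firewall.allowedUDPPorts` while the interface is configured with `listenPort = 12345;`, so the port peers can reach is not the one wg0 listens on; one value should drive both, e.g. `port = mkOption { type = types.port; default = 51820; };` under `services.wireguard.server` and `cfg.port` in both places. The `extraCommands` block appends a MASQUERADE rule for the hard-coded `10.100.0.0/24` and a blanket `-i wg+ -j ACCEPT` FORWARD rule with no matching `networking.firewall.extraStopCommands`, so the rules duplicate on every firewall restart and outlive `cfg.enable` being turned off; a paired `iptables -t nat -D POSTROUTING -s10.100.0.0/24 -j MASQUERADE 2>/dev/null || true` (and the same for the FORWARD rule) fixes that, and the subnet should be derived from `cfg.ips` or be its own option. Note that together with `trustedInterfaces = [ "wg0" ]` this makes the host an unrestricted NAT gateway for every peer, which is worth stating in the module's option descriptions so operators enabling it know the blast radius. `peers` is typed `listOf anything`; `listOf attrs` (or the peer submodule) would catch misshaped entries at evaluation time.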
systems/aix/extra.nix
@@ -25,7 +25,7 @@
enable = true;
ips = globals.fn.wg-ips globals.machines.aix.net.vpn.ips;
endpoint = "${globals.net.vpn.endpoint}";
- endpointPublicKey = "${globals.net.vpn.pubkey}";
+ endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
};
};
systems/aomi/extra.nix
@@ -36,7 +36,7 @@
enable = true;
ips = globals.fn.wg-ips globals.machines.aomi.net.vpn.ips;
endpoint = "${globals.net.vpn.endpoint}";
- endpointPublicKey = "${globals.net.vpn.pubkey}";
+ endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
};
hardware.bolt.enable = true;
};
systems/athena/extra.nix
@@ -13,7 +13,7 @@
enable = true;
ips = globals.fn.wg-ips globals.machines.athena.net.vpn.ips;
endpoint = "${globals.net.vpn.endpoint}";
- endpointPublicKey = "${globals.net.vpn.pubkey}";
+ endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
};
};
systems/demeter/extra.nix
@@ -13,7 +13,7 @@
enable = true;
ips = globals.fn.wg-ips globals.machines.athena.net.vpn.ips;
endpoint = "${globals.net.vpn.endpoint}";
- endpointPublicKey = "${globals.net.vpn.pubkey}";
+ endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
};
};
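Review bot: The unchanged `ips` line in this hunk reads `globals.machines.athena.net.vpn.ips` inside demeter's configuration, which looks like a copy-paste from systems/athena/extra.nix; if so, demeter assigns itself athena's tunnel address while the server-side peer entry generated from `globals.machines.demeter` will route demeter's own address to it, so neither host's traffic will match. The fix, if unintentional, is `ips = globals.fn.wg-ips globals.machines.demeter.net.vpn.ips;`. The enclosing attribute set starts outside the hunk.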
systems/kerkouane/boot.nix
@@ -0,0 +1,31 @@
+{ lib, ... }:
+{
+ boot.loader.grub.device = "/dev/vda";
+ boot.loader.grub.enable = lib.mkForce true;
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.initrd.systemd.enable = lib.mkForce false;
+
+ ## From qemu-quest.nix
+ boot.initrd.availableKernelModules = [
+ "virtio_net"
+ "virtio_pci"
+ "virtio_mmio"
+ "virtio_blk"
+ "virtio_scsi"
+ "9p"
+ "9pnet_virtio"
+ ];
+ boot.initrd.kernelModules = [
+ "virtio_balloon"
+ "virtio_console"
+ "virtio_rng"
+ ];
+
+ boot.initrd.postDeviceCommands = ''
+ # Set the system time from the hardware clock to work around a
+ # bug in qemu-kvm > 1.5.2 (where the VM clock is initialised
+ # to the *boot time* of the host).
+ hwclock -s
+ '';
+
+}
systems/kerkouane/extra.nix
@@ -0,0 +1,40 @@
+{
+ globals,
+ ...
+}:
+{
+ imports = [
+ # ../common/services/gosmee.nix
+ ../common/services/prometheus-exporters-node.nix
+ # ../common/services/prometheus-exporters-nginx.nix
+ # ../common/services/nginx.nix
+ # ../common/services/govanityurl.nix
+ ];
+
+ services.wireguard.server = {
+ enable = true;
+ inherit (globals.machines.kerkouane.net.vpn) ips;
+ peers = globals.fn.generateWireguardPeers globals.machines;
+ };
+
+ security.pam.enableSSHAgentAuth = true;
+ # TODO: write a module for this.
+ # govanityurl = {
+ # enable = true;
+ # user = "nginx";
+ # host = "go.sbr.pm";
+ # config = ''
+ # paths:
+ # /lord:
+ # repo: https://github.com/vdemeester/lord
+ # /ape:
+ # repo: https://git.sr.ht/~vdemeester/ape
+ # /nr:
+ # repo: https://git.sr.ht/~vdemeester/nr
+ # /ram:
+ # repo: https://git.sr.ht/~vdemeester/ram
+ # /sec:
+ # repo: https://git.sr.ht/~vdemeester/sec
+ # '';
+ # };
+}
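Review bot: `security.pam.enableSSHAgentAuth = true;` lets a forwarded ssh-agent satisfy PAM (typically sudo) on this host with no comment on why the VPN gateway needs it, which is exactly the kind of privilege decision a reader of this file later cannot reconstruct; a one-liner such as `# Allow sudo via forwarded ssh-agent; review before adding users to wheel` would document the intent. In recent NixOS releases this option is exposed as `security.pam.sshAgentAuth.enable`, so the spelling here may eventually trip a rename warning — confirm against the pinned nixpkgs. The large commented-out `govanityurl` block and commented `imports` entries are dead configuration; moving them to an issue or the TODO line keeps the file readable.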
systems/kerkouane/hardware.nix
@@ -0,0 +1,53 @@
+{ lib, ... }:
+{
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 1024;
+ }
+ ];
+
+ # START OF DigitalOcean specifics
+ # This file was populated at runtime with the networking
+ # details gathered from the active system.
+ networking = {
+ nameservers = [
+ "67.207.67.2"
+ "67.207.67.3"
+ ];
+ defaultGateway = "188.166.64.1";
+ defaultGateway6 = "";
+ dhcpcd.enable = false;
+ usePredictableInterfaceNames = lib.mkForce true;
+ interfaces = {
+ eth0 = {
+ ipv4.addresses = [
+ {
+ address = "188.166.102.243";
+ prefixLength = 18;
+ }
+ {
+ address = "10.18.0.5";
+ prefixLength = 16;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "fe80::8035:3aff:fe72:1036";
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ };
+ };
+ services.udev.extraRules = ''
+ ATTR{address}=="82:35:3a:72:10:36", NAME="eth0"
+
+ '';
+ # END OF DigitalOcean specifics
+}
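Review bot: `defaultGateway6 = "";` assigns an empty string where the option expects an address or `null`; depending on how the networking module handles an empty address this either produces a bogus `ip -6 route` call or is silently ignored, so `defaultGateway6 = null;` (or simply omitting the line) states the intent explicitly. The header comment "This file was populated at runtime with the networking details gathered from the active system" no longer holds once the values are committed statically — reword it to say the values were copied from the provider's generated config so nobody expects them to refresh. The IPv6 entry is a link-local `fe80::` address, which the kernel assigns on its own; if there is no routed IPv6 prefix on this droplet, the `ipv6.addresses` block can probably go.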
systems/kobe/extra.nix
@@ -11,7 +11,7 @@
enable = true;
ips = globals.fn.wg-ips globals.machines.kobe.net.vpn.ips;
endpoint = "${globals.net.vpn.endpoint}";
- endpointPublicKey = "${globals.net.vpn.pubkey}";
+ endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
};
};
systems/kyushu/extra.nix
@@ -40,7 +40,7 @@
enable = true;
ips = globals.fn.wg-ips globals.machines.kyushu.net.vpn.ips;
endpoint = "${globals.net.vpn.endpoint}";
- endpointPublicKey = "${globals.net.vpn.pubkey}";
+ endpointPublicKey = "${globals.machines.kerkounae.net.vpn.pubkey}";
};
hardware.bolt.enable = true;
};
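Review bot: The new `endpointPublicKey` line spells the server as `kerkounae` instead of `kerkouane`, so evaluating the kyushu system will fail with a missing-attribute error; it should read `endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";` like the sibling hunks in systems/aix, aomi, athena, demeter and kobe. Since all six client files now repeat the same expression, keeping a single alias in globals (e.g. re-adding `globals.net.vpn.pubkey` as a reference to the kerkouane key) would avoid this class of typo and keep the server name out of every client. The enclosing attribute set starts outside the hunk.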
globals.nix
@@ -2,6 +2,8 @@
let
isCurrentHost = n: n == hostname;
+ hasVPNPublicKey = host: (lib.attrsets.attrByPath [ "net" "vpn" "pubkey" ] "" host) != "";
+ hasVPNips = host: (builtins.length (lib.attrsets.attrByPath [ "net" "vpn" "ips" ] [ ] host)) > 0;
/**
Return true if the given host has a list of Syncthing folder configured.
*
@@ -120,7 +122,6 @@ in
};
vpn = {
endpoint = "167.99.17.238";
- pubkey = "+H3fxErP9HoFUrPgU19ra9+GDLQw+VwvLWx3lMct7QI=";
};
};
machines = {
@@ -264,7 +265,7 @@ in
kerkouane = {
net = {
vpn = {
- # pubkey = "foUoAvJXGyFV4pfEE6ISwivAgXpmYmHwpGq6X+HN+yA=";
+ pubkey = "+H3fxErP9HoFUrPgU19ra9+GDLQw+VwvLWx3lMct7QI=";
ips = [ "10.100.0.1" ];
};
names = [
@@ -392,6 +393,7 @@ in
Suzu = {
net = {
vpn = {
+ ips = [ "10.100.0.65" ];
pubkey = "ufKLXzLkmYx1z7/VZJs9Ix6aXL3rYzP5B73QQP2WNx8=";
};
};
@@ -399,7 +401,10 @@ in
# Boox tablet
Osaka = {
net = {
- pubkey = "C12Ch3LasZ9Dvc1+X+IMSmKdip0l1n/aNNPvmQzzPFY=";
+ vpn = {
+ ips = [ "10.100.0.64" ];
+ pubkey = "C12Ch3LasZ9Dvc1+X+IMSmKdip0l1n/aNNPvmQzzPFY=";
+ };
};
};
};
@@ -411,6 +416,8 @@ in
syncthingMachinesWithFolder
generateSyncthingAdresses
isCurrentHost
+ hasVPNPublicKey
+ hasVPNips
;
/**
Return a list of wireguard ips from a list of ips.
@@ -426,6 +433,22 @@ in
# machines: user:
# lib.attrsets.mapAttrsToList (_name: value: value) (lib.attrsets.filterAttrs hasSSHAttr machines);
+ # WIREGUARD
+ generateWireguardPeers =
+ machines:
+ lib.attrsets.attrValues (
+ lib.attrsets.mapAttrs
+ (_name: value: {
+ allowedIPs = value.net.vpn.ips;
+ publicKey = value.net.vpn.pubkey;
+ })
+ (
+ lib.attrsets.filterAttrs (
+ name: value: name != "kerkouane" && (hasVPNPublicKey value) && (hasVPNips value)
+ ) machines
+ )
+ );
+
# SYNCTHING
generateSyncthingFolders =
machine: machines: folders:
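Review bot: `generateWireguardPeers` hard-codes `name != "kerkouane"` to drop the server from its own peer list, while `isCurrentHost` (defined two lines into the first hunk) already expresses "the machine evaluating this"; if globals is evaluated per host, `name: value: !(isCurrentHost name) && hasVPNPublicKey value && hasVPNips value` keeps the helper correct when the server role moves. The client configurations wrap the same lists in `globals.fn.wg-ips` (see the systems/*/extra.nix hunks) but here `allowedIPs = value.net.vpn.ips;` uses them raw, and kerkouane's own `ips` is passed raw in systems/kerkouane/extra.nix too; confirm that the bare-address form is what `allowedIPs` and the interface `ips` expect, or apply the same helper on both sides. Minor style: `hasVPNips` next to `hasVPNPublicKey` reads oddly — `hasVPNIps` matches the existing camel-casing.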