From 540736c3ba122a38e39bc51e8daea9567ee1bbc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Mon, 6 Nov 2023 21:43:48 +0100
Subject: [PATCH] chore: directly connect clients to pie for lower latency dns
---
 hosts/chocolatebar/configuration.nix | 2 +-
 hosts/default.nix | 1 -
 ...{restic-backup.nix => backup-autostop.nix} | 16 ----
 hosts/droppie/default.nix | 3 +-
 hosts/droppie/networking.nix | 2 +-
 hosts/droppie/nextcloud-web-tunnel.nix | 30 -------
 hosts/frikandel/wireguard.nix | 24 +++++-
 hosts/pie/ddclient.nix | 2 +-
 hosts/pie/default.nix | 1 +
 hosts/pie/networking.nix | 19 +----
 hosts/pie/unbound.nix | 4 +-
 hosts/pie/wireguard.nix | 82 +++++++++++++++++++
 modules/core/networking.nix | 6 ++
 modules/wireguard-client/default.nix | 28 +++++++
 14 files changed, 147 insertions(+), 73 deletions(-)
 rename hosts/droppie/{restic-backup.nix => backup-autostop.nix} (68%)
 delete mode 100644 hosts/droppie/nextcloud-web-tunnel.nix
 create mode 100644 hosts/pie/wireguard.nix
diff --git a/hosts/chocolatebar/configuration.nix b/hosts/chocolatebar/configuration.nix
index e3c493c..14fe9ca 100644
--- a/hosts/chocolatebar/configuration.nix
+++ b/hosts/chocolatebar/configuration.nix
@@ -24,7 +24,7 @@ in {
 pub-solar.core.hibernation.enable = true; pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
- pub-solar.core.hibernation.resumeOffset = 115075072;
+ pub-solar.core.hibernation.resumeOffset = 77568000;
 pub-solar.terminal-life.full = true;
diff --git a/hosts/default.nix b/hosts/default.nix
index 7e1d5c4..552c60e 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -60,7 +60,6 @@
 ./pie self.nixosModules.yule self.nixosModules.docker
- self.nixosModules.wireguard-client
 self.nixosModules.invoiceplane ]; };
diff --git a/hosts/droppie/restic-backup.nix b/hosts/droppie/backup-autostop.nix
similarity index 68%
rename from hosts/droppie/restic-backup.nix
rename to hosts/droppie/backup-autostop.nix
index d4e1940..9fe7768 100644
--- a/hosts/droppie/restic-backup.nix
+++ b/hosts/droppie/backup-autostop.nix
@@ -1,23 +1,7 @@
 {pkgs, ...}: let shutdownWaitMinutes = 10; shutdownScript = pkgs.writeShellScriptBin "shutdown-wait" ''
- STATUS_FILES="/media/internal/backups-pub-solar/status"
- running=""
-
- for f in $STATUS_FILES; do
- declare started
- declare finished
-
- started=$(source $f ; echo ''${BACKUP_STARTED})
- finished=$(source $f ; echo ''${BACKUP_FINISHED})
-
- if [ -z "''${finished}" ]; then
- echo "backup $(dirname $f) still running"
- running="yes"
- break
- fi
- done
 if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then echo "backups are still running"
diff --git a/hosts/droppie/default.nix b/hosts/droppie/default.nix
index 4d36f80..9bef4a7 100644
--- a/hosts/droppie/default.nix
+++ b/hosts/droppie/default.nix
@@ -4,7 +4,6 @@
 ./hardware-configuration.nix ./networking.nix
- ./nextcloud-web-tunnel.nix
- ./restic-backup.nix
+ ./backup-autostop.nix
 ]; }
diff --git a/hosts/droppie/networking.nix b/hosts/droppie/networking.nix
index dded0ab..2383c94 100644
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@@ -5,7 +5,7 @@
 ... }: { networking.interfaces.enp2s0f0 = {
- ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:3::"; prefixLength = 128; } ];
+ ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ];
 }; age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
diff --git a/hosts/droppie/nextcloud-web-tunnel.nix b/hosts/droppie/nextcloud-web-tunnel.nix
deleted file mode 100644
index bc0e8bc..0000000
--- a/hosts/droppie/nextcloud-web-tunnel.nix
+++ /dev/null
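Review bot: Nothing on the new side of this hunk assigns `running` any more — the removed loop was its only writer — so the surviving check `if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then` can never be true and shutdown-wait will behave as if no backup is ever in progress. If dropping the status-file scan is intentional, the dead branch should go with it, or a comment such as `# backup status is no longer checked; this script only enforces the shutdownWaitMinutes delay` should say so; if it is not, whatever now reports a running backup has to set `running` before this line. The remainder of the script, including what happens when the condition is false, lies outside the hunk.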
@@ -1,30 +0,0 @@
-{
- pkgs,
- config,
- ...
-}: let
- psCfg = config.pub-solar;
-in {
- config = {
- services.openssh.knownHosts = {
- "nachtigall.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUJGAYFzgzpeEs5rYvBX9jBn6wkj4Q5VqnT4xkg3l// barkeeper@nachtigall";
- };
-
- systemd.services.ssh-tunnel-nachtigall-pub-solar = {
- enable = false;
- unitConfig = {
- Description = "Reverse SSH connection to enable backups";
- After = ["network.target"];
- };
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";
- User = psCfg.user.name;
- Group = "users";
- Restart = "always";
- RestartSec = "5s";
- };
- wantedBy = ["default.target"];
- };
- };
-}
diff --git a/hosts/frikandel/wireguard.nix b/hosts/frikandel/wireguard.nix
index 09d1b07..893fa40 100644
--- a/hosts/frikandel/wireguard.nix
+++ b/hosts/frikandel/wireguard.nix
@@ -2,8 +2,9 @@
 flake, config, pkgs,
+ lib,
 ...
-}: {
+}: with lib; {
 age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age"; boot.kernel.sysctl = {
@@ -25,6 +26,24 @@
 "iifname wg0 accept" ];
+ systemd.services.wg-quick-wg0 = {
+ after = [
+ "network.target"
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+
+ serviceConfig = {
+ Type = mkForce "simple";
+ Restart = "on-failure";
+ RestartSec = "30";
+ };
+
+ environment = {
+ WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+ };
+ };
+
 # Enable WireGuard networking.wg-quick.interfaces = { wg0 = {
@@ -32,7 +51,7 @@
 address = [ "10.0.1.7/32"
- "fd00:b12f:acab:1312:acab:7::/32"
+ "fd00:b12f:acab:1312:acab:7::/96"
 ]; privateKeyFile = "/run/agenix/wg-private-key-server";
@@ -44,6 +63,7 @@
 "10.0.1.2/32" "fd00:b12f:acab:1312:acab:2::/96" ];
+ endpoint = "pie-wg.b12f.io:51899";
 persistentKeepalive = 25; } { # droppie
diff --git a/hosts/pie/ddclient.nix b/hosts/pie/ddclient.nix
index 60f3146..6d8a70b 100644
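Review bot: The `systemd.services.wg-quick-wg0` override added in the second hunk is repeated byte-for-byte in hosts/pie/wireguard.nix and modules/wireguard-client/default.nix; three copies of an 18-line block will drift the first time one of them is tuned, so it belongs in a single shared module that both server hosts and the client module import. `Type = mkForce "simple"` presumably only works because the upstream wg-quick unit keeps `RemainAfterExit` set (not visible here); since `wg-quick up` exits as soon as the tunnel is configured, a comment like `# wg-quick up exits immediately; simple + upstream RemainAfterExit keeps the unit active so Restart=on-failure can retry endpoint resolution` should record that dependency before someone removes it. `with lib;` at module top level is also out of step with the rest of this diff — modules/core/networking.nix writes `lib.mkDefault` — so `Type = lib.mkForce "simple";` without the `with` keeps the tree consistent. The enclosing attribute set of this file starts and ends outside the hunks.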
--- a/hosts/pie/ddclient.nix
+++ b/hosts/pie/ddclient.nix
@@ -13,7 +13,7 @@ with lib; let
 ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r ''; getIP6 = with pkgs; writeShellScriptBin "getIP" ''
- echo "2a02:908:5b1:e3c0:3077:2::"
+ echo "2a02:908:5b1:e3c0:2::"
 ''; in { imports = [
diff --git a/hosts/pie/default.nix b/hosts/pie/default.nix
index af1ba64..a7993a4 100644
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@@ -4,6 +4,7 @@
 ./configuration.nix ./networking.nix
+ ./wireguard.nix
 ./backup.nix ./unbound.nix ./dhcpd.nix
diff --git a/hosts/pie/networking.nix b/hosts/pie/networking.nix
index bacaf03..7638f7a 100644
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@@ -14,12 +14,7 @@
 networking.interfaces.enabcm6e4ei0 = { ipv4.addresses = [ { address = "192.168.178.2"; prefixLength = 32; } ];
- ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:2::"; prefixLength = 128; } ];
- };
-
- networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
- "128.140.109.213" = [ "vpn.b12f.io" ];
- "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
+ ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:2::"; prefixLength = 128; } ];
 }; networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -29,20 +24,10 @@
 # Caddy reverse proxy for local services like cups services.caddy = { globalConfig = ''
- default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
+ default_bind 192.168.178.2 2a02:908:5b1:e3c0:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
 # auto_https off email acme@benjaminbaedorf.eu # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory ''; };
-
- age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
-
- pub-solar.wireguard-client = {
- ownIPs = [
- "10.0.1.2/32"
- "fd00:b12f:acab:1312:acab:2::/96"
- ];
- wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
- };
 }
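Review bot: The `getIP` script still just echoes a literal, so after this hunk ddclient's IPv6 "detection" is a hand-maintained constant that now also lives in hosts/pie/networking.nix (interface address and Caddy `default_bind`), hosts/pie/unbound.nix and modules/core/networking.nix — this commit is itself the cost of that, one prefix change touching five places for pie and two more for droppie. Collecting the per-host public and VPN addresses in one attribute set (next to `addLocalHostname` in the flake's lib would fit) and referencing it from these files would turn the next renumbering into a one-line change. Deriving the address from the interface rather than echoing it would additionally let ddclient follow an ISP prefix change on its own, but that is a behaviour change beyond this hunk.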
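Review bot: pie keeps `prefixLength = 128` on its new `2a02:908:5b1:e3c0:2::` address in the first hosts/pie/networking.nix hunk, while the same commit changes droppie's interface to `prefixLength = 64` in hosts/droppie/networking.nix; with a /128 and no on-link route for `2a02:908:5b1:e3c0::/64`, pie's traffic to droppie's `…:3::` presumably leaves via the default gateway rather than the LAN (unless router advertisements install the prefix route, which is not visible here), and the asymmetry makes the two hosts harder to reason about. If the /64 on droppie is the intended model, `prefixLength = 64;` here matches it; if /128 is deliberate, a short comment on that line would stop the next cleanup from "fixing" it.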
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
index a5d3bb6..88fe672 100644
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@@ -30,7 +30,7 @@
 "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\"" "\"droppie.local. 10800 IN A 192.168.178.3\""
- "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:3::\""
+ "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3::\""
 "\"droppie.b12f.io. 10800 IN A 10.0.1.3\"" "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
@@ -38,7 +38,7 @@
 "\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\"" "\"pie.local. 10800 IN A 192.168.178.2\""
- "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
+ "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\""
 "\"pie.b12f.io. 10800 IN A 10.0.1.2\"" "\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
diff --git a/hosts/pie/wireguard.nix b/hosts/pie/wireguard.nix
new file mode 100644
index 0000000..fb24931
--- /dev/null
+++ b/hosts/pie/wireguard.nix
@@ -0,0 +1,82 @@
+{
+ flake,
+ config,
+ pkgs,
+ lib,
+ ...
+}: with lib; {
+ age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie.age";
+
+ networking.firewall.allowedUDPPorts = [ 51899 ];
+
+ systemd.services.wg-quick-wg0 = {
+ after = [
+ "network.target"
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+
+ serviceConfig = {
+ Type = mkForce "simple";
+ Restart = "on-failure";
+ RestartSec = "30";
+ };
+
+ environment = {
+ WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+ };
+ };
+
+ # Enable WireGuard
+ networking.wg-quick.interfaces = {
+ wg0 = {
+ listenPort = 51899;
+
+ address = [
+ "10.0.1.2/32"
+ "fd00:b12f:acab:1312:acab:2::/96"
+ ];
+
+ privateKeyFile = "/run/agenix/wg-private-key-server";
+
+ peers = [
+ { # frikandel
+ publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
+ allowedIPs = [
+ "10.0.1.0/24"
+ "fd00:b12f:acab:1312::/64"
+ ];
+ endpoint = "vpn.b12f.io:51899";
+ persistentKeepalive = 25;
+ }
+ { # droppie
+ publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
+ allowedIPs = [
+ "10.0.1.3/32"
+ "fd00:b12f:acab:1312:acab:3::/96"
+ ];
+
+ persistentKeepalive = 25;
+ }
+ { # chocolatebar
+ publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
+ allowedIPs = [
+ "10.0.1.5/32"
+ "fd00:b12f:acab:1312:acab:5::/96"
+ ];
+
+ persistentKeepalive = 25;
+ }
+ { # biolimo
+ publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
+ allowedIPs = [
+ "10.0.1.6/32"
+ "fd00:b12f:acab:1312:acab:6::/96"
+ ];
+
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index 6b7d831..62ff796 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
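Review bot: Nothing in this new file lets the peers reach the resolver that motivates the commit: `networking.firewall.allowedUDPPorts = [ 51899 ];` opens the tunnel port, but no rule admits port 53 arriving on `wg0` from `10.0.1.0/24` or `fd00:b12f:acab:1312::/64` (hosts/frikandel/wireguard.nix shows the house pattern, `"iifname wg0 accept"`), and the client module's `dns` setting is not touched either. If hosts/pie/unbound.nix or hosts/pie/networking.nix already permits that — pie was a wg0 client before, so it may — a comment next to the firewall line pointing at it would save the next reader the search; otherwise an `iifname wg0` rule scoped to port 53 rather than a blanket accept is the missing piece. Separately, the frikandel peer's `allowedIPs` cover the whole VPN range while the other three peers get host routes; cryptokey routing resolves that by longest prefix, which is presumably intended (frikandel as fallback hub), but a one-line comment such as `# whole VPN range: frikandel is the fallback path for any peer not listed below` would keep someone from "fixing" it to a /32.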
@@ -9,6 +9,12 @@ systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false; systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
+ networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
+ "128.140.109.213" = [ "vpn.b12f.io" ];
+ "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
+ "2a02:908:5b1:e3c0:2::" = [ "pie-wg.b12f.io" ];
+ };
+
 networking.networkmanager = { # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff. enable = lib.mkDefault true;
diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix
index 4bd961d..2b63e21 100644
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@@ -27,6 +27,24 @@ in {
 config = { networking.firewall.allowedUDPPorts = [51899];
+ systemd.services.wg-quick-wg0 = {
+ after = [
+ "network.target"
+ "network-online.target"
+ "nss-lookup.target"
+ ];
+
+ serviceConfig = {
+ Type = mkForce "simple";
+ Restart = "on-failure";
+ RestartSec = "30";
+ };
+
+ environment = {
+ WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+ };
+ };
+
 networking.wg-quick.interfaces = { wg0 = { listenPort = 51899;
@@ -47,6 +65,16 @@ in {
 endpoint = "vpn.b12f.io:51899"; persistentKeepalive = 25; }
+ {
+ # pie
+ publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
+ allowedIPs = [
+ "10.0.1.2/32"
+ "fd00:b12f:acab:1312:acab:2::/96"
+ ];
+ endpoint = "pie-wg.b12f.io:51899";
+ persistentKeepalive = 25;
+ }
 ]; }; };
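Review bot: Moving this `networking.hosts` block from hosts/pie/networking.nix into the core module applies it to every host: `addLocalHostname ["caddy.local"]` presumably maps `caddy.local` to the local machine (verify what the helper does), which made sense on pie but looks wrong everywhere else, and the three static entries now shadow DNS fleet-wide. The `pie-wg.b12f.io` pin is the one with an operational cost: hosts/pie/ddclient.nix exists precisely because pie's public address can change, but a hosts entry wins over DNS in the usual nsswitch order, so after a prefix change every peer keeps dialing the stale `2a02:908:5b1:e3c0:2::` and `WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` retries it forever. If the pin is there to break the bootstrap loop (DNS over the tunnel needs the tunnel, which needs DNS), say so, e.g. `# static entries so wg-quick can resolve its endpoints before DNS over the tunnel is up; keep in sync with hosts/pie/ddclient.nix`, and leave the `caddy.local` part in hosts/pie/networking.nix.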
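Review bot: Adding pie as a second peer with a host route for `10.0.1.2/32` in the last hunk means every client now reaches pie only through the direct tunnel — cryptokey routing has no failover, so if the direct handshake never completes (stale `pie-wg.b12f.io` address, residential NAT, pie rebooting) traffic to pie's resolver is blackholed instead of taking the old path through the frikandel peer, whose `allowedIPs` lie outside the hunk. If lower-latency DNS is the goal, listing a second resolver after pie's in the interface's `dns` setting would let a dead direct tunnel degrade to slow DNS rather than no DNS, and a note next to the peer such as `# pie: direct tunnel for DNS; while this peer is listed there is no fallback via frikandel for 10.0.1.2` would record the trade-off. The interface definition this peer list belongs to starts outside the hunk.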