chore: directly connect clients to pie for lower latency dns

2023-11-06 21:43:48 +01:00 · 2023-11-06 21:43:48 +01:00 · 540736c3ba
parent 27bfbde5b5
commit 540736c3ba
14 changed files with 147 additions and 73 deletions
--- a/hosts/chocolatebar/configuration.nix
+++ b/hosts/chocolatebar/configuration.nix
@ -24,7 +24,7 @@ in {

  pub-solar.core.hibernation.enable = true;
  pub-solar.core.hibernation.resumeDevice = "/dev/dm-0";
-  pub-solar.core.hibernation.resumeOffset = 115075072;
+  pub-solar.core.hibernation.resumeOffset = 77568000;

  pub-solar.terminal-life.full = true;

--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -60,7 +60,6 @@
          ./pie
          self.nixosModules.yule
          self.nixosModules.docker
-          self.nixosModules.wireguard-client
          self.nixosModules.invoiceplane
        ];
      };
--- a/hosts/droppie/backup-autostop.nix
+++ b/hosts/droppie/backup-autostop.nix
@ -1,23 +1,7 @@
 {pkgs, ...}: let
  shutdownWaitMinutes = 10;
  shutdownScript = pkgs.writeShellScriptBin "shutdown-wait" ''
-    STATUS_FILES="/media/internal/backups-pub-solar/status"

-    running=""
-
-    for f in $STATUS_FILES; do
-      declare started
-      declare finished
-
-      started=$(source $f ; echo ''${BACKUP_STARTED})
-      finished=$(source $f ; echo ''${BACKUP_FINISHED})
-
-      if [ -z "''${finished}" ]; then
-        echo "backup $(dirname $f) still running"
-        running="yes"
-        break
-      fi
-    done

    if [ -n "''${running}" ] && [ "''${running}" = "yes" ]; then
      echo "backups are still running"
--- a/hosts/droppie/default.nix
+++ b/hosts/droppie/default.nix
@ -4,7 +4,6 @@
    ./hardware-configuration.nix

    ./networking.nix
-    ./nextcloud-web-tunnel.nix
-    ./restic-backup.nix
+    ./backup-autostop.nix
  ];
 }
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@ -5,7 +5,7 @@
  ...
 }: {
  networking.interfaces.enp2s0f0 = {
-    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:3::"; prefixLength = 128; } ];
+    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 64; } ];
  };

  age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
--- a/hosts/droppie/nextcloud-web-tunnel.nix
+++ b/hosts/droppie/nextcloud-web-tunnel.nix
@ -1,30 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}: let
-  psCfg = config.pub-solar;
-in {
-  config = {
-    services.openssh.knownHosts = {
-      "nachtigall.pub.solar".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUJGAYFzgzpeEs5rYvBX9jBn6wkj4Q5VqnT4xkg3l// barkeeper@nachtigall";
-    };
-
-    systemd.services.ssh-tunnel-nachtigall-pub-solar = {
-      enable = false;
-      unitConfig = {
-        Description = "Reverse SSH connection to enable backups";
-        After = ["network.target"];
-      };
-      serviceConfig = {
-        Type = "simple";
-        ExecStart = "${pkgs.openssh}/bin/ssh -vvv -g -N -T -o ServerAliveInterval=10 -o ExitOnForwardFailure=yes -R 127.0.0.1:22022:localhost:22 hakkonaut@nachtigall.pub.solar";
-        User = psCfg.user.name;
-        Group = "users";
-        Restart = "always";
-        RestartSec = "5s";
-      };
-      wantedBy = ["default.target"];
-    };
-  };
-}
--- a/hosts/frikandel/wireguard.nix
+++ b/hosts/frikandel/wireguard.nix
@ -2,8 +2,9 @@
  flake,
  config,
  pkgs,
+  lib,
  ...
-}: {
+}: with lib; {
  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age";

  boot.kernel.sysctl = {
@ -25,6 +26,24 @@
    "iifname wg0 accept"
  ];

+  systemd.services.wg-quick-wg0 = {
+    after = [
+      "network.target"
+      "network-online.target"
+      "nss-lookup.target"
+    ];
+
+    serviceConfig = {
+      Type = mkForce "simple";
+      Restart = "on-failure";
+      RestartSec = "30";
+    };
+
+    environment = {
+      WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+    };
+  };
+
  # Enable WireGuard
  networking.wg-quick.interfaces = {
    wg0 = {
@ -32,7 +51,7 @@

      address = [
        "10.0.1.7/32"
-        "fd00:b12f:acab:1312:acab:7::/32"
+        "fd00:b12f:acab:1312:acab:7::/96"
      ];

      privateKeyFile = "/run/agenix/wg-private-key-server";
@ -44,6 +63,7 @@
            "10.0.1.2/32"
            "fd00:b12f:acab:1312:acab:2::/96"
          ];
+          endpoint = "pie-wg.b12f.io:51899";
          persistentKeepalive = 25;
        }
        { # droppie
--- a/hosts/pie/ddclient.nix
+++ b/hosts/pie/ddclient.nix
@ -13,7 +13,7 @@ with lib; let
    ${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
  '';
  getIP6 = with pkgs; writeShellScriptBin "getIP" ''
-    echo "2a02:908:5b1:e3c0:3077:2::"
+    echo "2a02:908:5b1:e3c0:2::"
  '';
 in {
  imports = [
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -4,6 +4,7 @@
    ./configuration.nix

    ./networking.nix
+    ./wireguard.nix
    ./backup.nix
    ./unbound.nix
    ./dhcpd.nix
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -14,12 +14,7 @@

  networking.interfaces.enabcm6e4ei0 = {
    ipv4.addresses = [ { address = "192.168.178.2"; prefixLength = 32; } ];
-    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3077:2::"; prefixLength = 128; } ];
-  };
-
-  networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
-    "128.140.109.213" = [ "vpn.b12f.io" ];
-    "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
+    ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:2::"; prefixLength = 128; } ];
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -29,20 +24,10 @@
  # Caddy reverse proxy for local services like cups
  services.caddy = {
    globalConfig = ''
-      default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
+      default_bind 192.168.178.2 2a02:908:5b1:e3c0:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
      # auto_https off
      email acme@benjaminbaedorf.eu
      # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    '';
  };
-
-  age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
-
-  pub-solar.wireguard-client = {
-    ownIPs = [
-      "10.0.1.2/32"
-      "fd00:b12f:acab:1312:acab:2::/96"
-    ];
-    wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
-  };
 }
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -30,7 +30,7 @@
          "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\""

          "\"droppie.local. 10800 IN A 192.168.178.3\""
-          "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:3::\""
+          "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3::\""

          "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
          "\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
@ -38,7 +38,7 @@
          "\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""

          "\"pie.local. 10800 IN A 192.168.178.2\""
-          "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
+          "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\""

          "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
          "\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
--- a/hosts/pie/wireguard.nix
+++ b/hosts/pie/wireguard.nix
@ -0,0 +1,82 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}: with lib; {
+  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie.age";
+
+  networking.firewall.allowedUDPPorts = [ 51899 ];
+
+  systemd.services.wg-quick-wg0 = {
+    after = [
+      "network.target"
+      "network-online.target"
+      "nss-lookup.target"
+    ];
+
+    serviceConfig = {
+      Type = mkForce "simple";
+      Restart = "on-failure";
+      RestartSec = "30";
+    };
+
+    environment = {
+      WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+    };
+  };
+
+  # Enable WireGuard
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      listenPort = 51899;
+
+      address = [
+        "10.0.1.2/32"
+        "fd00:b12f:acab:1312:acab:2::/96"
+      ];
+
+      privateKeyFile = "/run/agenix/wg-private-key-server";
+
+      peers = [
+        { # frikandel
+          publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
+          allowedIPs = [
+            "10.0.1.0/24"
+            "fd00:b12f:acab:1312::/64"
+          ];
+          endpoint = "vpn.b12f.io:51899";
+          persistentKeepalive = 25;
+        }
+        { # droppie
+          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
+          allowedIPs = [
+            "10.0.1.3/32"
+            "fd00:b12f:acab:1312:acab:3::/96"
+          ];
+
+          persistentKeepalive = 25;
+        }
+        { # chocolatebar
+          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
+          allowedIPs = [
+            "10.0.1.5/32"
+            "fd00:b12f:acab:1312:acab:5::/96"
+          ];
+
+          persistentKeepalive = 25;
+        }
+        { # biolimo
+          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
+          allowedIPs = [
+            "10.0.1.6/32"
+            "fd00:b12f:acab:1312:acab:6::/96"
+          ];
+
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -9,6 +9,12 @@
  systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
  systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;

+  networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
+    "128.140.109.213" = [ "vpn.b12f.io" ];
+    "2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
+    "2a02:908:5b1:e3c0:2::" = [ "pie-wg.b12f.io" ];
+  };
+
  networking.networkmanager = {
    # Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
    enable = lib.mkDefault true;
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@ -27,6 +27,24 @@ in {
  config = {
    networking.firewall.allowedUDPPorts = [51899];

+    systemd.services.wg-quick-wg0 = {
+      after = [
+        "network.target"
+        "network-online.target"
+        "nss-lookup.target"
+      ];
+
+      serviceConfig = {
+        Type = mkForce "simple";
+        Restart = "on-failure";
+        RestartSec = "30";
+      };
+
+      environment = {
+        WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
+      };
+    };
+
    networking.wg-quick.interfaces = {
      wg0 = {
        listenPort = 51899;
@ -47,6 +65,16 @@ in {
            endpoint = "vpn.b12f.io:51899";
            persistentKeepalive = 25;
          }
+          {
+            # pie
+            publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
+            allowedIPs = [
+              "10.0.1.2/32"
+              "fd00:b12f:acab:1312:acab:2::/96"
+            ];
+            endpoint = "pie-wg.b12f.io:51899";
+            persistentKeepalive = 25;
+          }
        ];
      };
    };