feat: wireguard

This commit is contained in:
Benjamin Bädorf 2023-10-19 20:55:56 +02:00
parent 1e5c33e750
commit 7a5f10c877
No known key found for this signature in database
GPG key ID: 1B7BF5B77A521346
21 changed files with 345 additions and 20 deletions

.gitignore vendored

@ -13,3 +13,4 @@ tags
pkgs/_sources/.shake*
tags.lock
tags.temp
/wireguard-keys


@ -2,5 +2,7 @@
imports = [
./configuration.nix
./hardware-configuration.nix
./networking.nix
];
}


@ -0,0 +1,18 @@
{
flake,
config,
pkgs,
...
}: {
config = {
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-biolimo.age";
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.6/32"
"fd00:acab:1312:acab:6::/128"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
};
}
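Review bot: `config` and `pkgs` are bound as module arguments in the first lines of this file but never used in the body, so the argument set could shrink to `{ flake, ... }:`; the same unused arguments appear in the chocolatebar and droppie host files and in hosts/pie/wireguard.nix. The private key location `/run/agenix/wg-private-key` is also spelled out by hand although agenix exposes it for the secret declared one line earlier: `wireguardPrivateKeyFile = config.age.secrets.wg-private-key.path;` keeps the two declarations from drifting apart (and then `config` is used). The three client host files are otherwise identical apart from the IPs and the secret name, which suggests the per-host part belongs in the `pub-solar.wireguard-client` module with the host name as the only input.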


@ -3,6 +3,7 @@
./configuration.nix
./hardware-configuration.nix
./networking.nix
./virtualisation
# ./factorio
];


@ -0,0 +1,18 @@
{
flake,
config,
pkgs,
...
}: {
config = {
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-chocolatebar.age";
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.5/32"
"fd00:acab:1312:acab:5::/128"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
};
}


@ -17,6 +17,8 @@
self.nixosModules.nextcloud
self.nixosModules.office
self.nixosModules.printing
self.nixosModules.uhk
self.nixosModules.wireguard-client
];
};
@ -37,6 +39,7 @@
self.nixosModules.office
self.nixosModules.printing
self.nixosModules.virtualisation
self.nixosModules.wireguard-client
];
};
@ -46,6 +49,7 @@
self.nixosModules.base
./droppie
self.nixosModules.yule
self.nixosModules.wireguard-client
];
};
@ -57,6 +61,7 @@
./pie
self.nixosModules.yule
self.nixosModules.docker
self.nixosModules.wireguard-client
];
};


@ -3,6 +3,7 @@
./configuration.nix
./hardware-configuration.nix
./networking.nix
./nextcloud-web-tunnel.nix
./restic-backup.nix
];


@ -0,0 +1,18 @@
{
flake,
config,
pkgs,
...
}: {
config = {
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.3/32"
"fd00:acab:1312:acab:3::/128"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
};
}


@ -4,6 +4,7 @@
./configuration.nix
./networking.nix
./wireguard.nix
./unbound.nix
./dhcpd.nix
./wake-droppie.nix


@ -48,9 +48,9 @@
reservations = [
{
hostname = "brwb8763f64a364.local";
hw-address = "b8:76:3f:64:a3:64";
ip-address = "192.168.178.4";
hostname = "pie.local";
hw-address = "dc:a6:32:5c:31:64";
ip-address = "192.168.178.2";
}
{
hostname = "droppie.local";
@ -58,9 +58,19 @@
ip-address = "192.168.178.3";
}
{
hostname = "pie.local";
hw-address = "dc:a6:32:5c:31:64";
ip-address = "192.168.178.2";
hostname = "brwb8763f64a364.local";
hw-address = "b8:76:3f:64:a3:64";
ip-address = "192.168.178.4";
}
{
hostname = "chocolatebar.local";
hw-address = "b8:76:3f:64:a3:64";
ip-address = "192.168.178.5";
}
{
hostname = "biolimo.local";
hw-address = "c6:f2:d1:df:ed:a4";
ip-address = "192.168.178.6";
}
];
}
@ -106,14 +116,14 @@
hostname = "droppie.local";
hw-address = "08:f1:ea:97:0f:0c";
ip-addresses = [
"2a02:908:5b1:e3c0:3077:4e39:7763:b5b8"
"2a02:908:5b1:e3c0:3077:4e39:7763:3"
];
}
{
hostname = "pie.local";
hw-address = "dc:a6:32:5c:31:64";
ip-addresses = [
"2a02:908:5b1:e3c0:3077:4e39:7763:b5b7"
"2a02:908:5b1:e3c0:3077:4e39:7763:2"
];
}
];
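Review bot: The new `chocolatebar.local` reservation in the second hunk reuses `b8:76:3f:64:a3:64`, the hw-address of the `brwb8763f64a364.local` entry directly above it, so two reservations in the same subnet claim one MAC. If this is Kea's reservation format, as the field names suggest, the configuration check refuses duplicate identifiers within a subnet by default, and even where that check is relaxed only one of the two leases can be handed out, so chocolatebar would never get 192.168.178.5; the line should carry that host's own MAC, `hw-address = "<chocolatebar-mac>";`. The hunk adds IPv4 reservations for chocolatebar and biolimo but the IPv6 reservation list in the third hunk is not extended, so the AAAA side of those two hosts stays dynamic, which may be intended.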


@ -38,4 +38,14 @@
auto_https off
'';
};
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
pub-solar.wireguard-client = {
ownIPs = [
"10.0.1.2/32"
"fd00:acab:1312:acab:2::/128"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
}
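Review bot: `ownIPs` gives pie's client interface `10.0.1.2/32` and `fd00:acab:1312:acab:2::/128`, the same addresses hosts/pie/wireguard.nix in this commit assigns to the hub interface `wg-server` on the same machine, so pie would bring up two WireGuard interfaces carrying identical addresses, and the hub would have a peer (`# pie client`) whose allowedIPs equal the hub's own address. Since the hub runs on pie, enabling `pub-solar.wireguard-client` here seems to add nothing; either drop this block, or give the hub interface a distinct address (the client module already routes `10.0.1.0/32` to the hub, which hints at an intended separate hub address, though 10.0.1.0 is the network address of a /24 and not usable as a host). The `# pie client` peer in hosts/pie/wireguard.nix shares this problem.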


@ -27,21 +27,17 @@
"\"droppie.local. 10800 IN A 192.168.178.3\""
"\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b8\""
"\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
"\"droppie.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b8\""
"\"backup.b12f.io. 10800 IN A 192.168.178.3\""
"\"backup.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b8\""
"\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
"\"backup.b12f.io. 10800 IN CNAME droppie.b12f.io\""
"\"pie.local. 10800 IN A 192.168.178.2\""
"\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b7\""
"\"pie.b12f.io. 10800 IN A 192.168.178.2\""
"\"pie.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b7\""
"\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b7\""
"\"firefly-importer.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly-importer.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b7\""
"\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
"\"paperless.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:4e39:7763:b5b7\""
"\"pie.b12f.io. 10800 IN A 10.0.1.2\""
"\"pie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
"\"firefly.b12f.io. 10800 IN CNAME pie.b12f.io\""
"\"firefly-importer.b12f.io. 10800 IN CNAME pie.b12f.io\""
"\"paperless.b12f.io. 10800 IN A CNAME pie.b12f.io\""
"\"fritz.box. 10800 IN A 192.168.178.1\""
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
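Review bot: The new `paperless.b12f.io` record reads `IN A CNAME pie.b12f.io`, two record types in one local-data entry, which unbound will reject when it parses the zone data and then fail to start; it should be `"\"paperless.b12f.io. 10800 IN CNAME pie.b12f.io\""` like the two lines before it. The unchanged `droppie.local` and `pie.local` AAAA records still carry the `…:7763:b5b8` / `…:7763:b5b7` addresses, while the dhcpd.nix hunk in this commit appears to move those hosts' IPv6 reservations to `…:7763:3` and `…:7763:2` (which of the two printed values is the new one is not marked on this page); if so, these two records now point at addresses the hosts no longer get. Moving `droppie.b12f.io` and `pie.b12f.io` to overlay-only `10.0.1.x` addresses also means any LAN device that uses this resolver without a tunnel loses those names, which may be intended but deserves a comment above the list.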

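--- /dev/null
+++ b/hosts/pie/wireguard.nix
@@ -0,0 +1,82 @@
+{
+flake,
+config,
+pkgs,
+...
+}: {
+age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie-server.age";
+networking.nat = {
+enable = true;
+enableIPv6 = true;
+internalInterfaces = [ "wg-server" ];
+};
+networking.firewall.allowedUDPPorts = [ 51899 ];
+# Enable WireGuard
+networking.wg-quick.interfaces = {
+wg-server = {
+listenPort = 51899;
+address = [
+"10.0.1.2/32"
+"fd00:acab:1312:acab:2::/128"
+];
+dns = [
+"10.0.1.2"
+"fd00:acab:1312:acab:2::"
+];
+privateKeyFile = "/run/agenix/wg-private-key-server";
+peers = [
+# {
+# # router
+# publicKey = "";
+# allowedIPs = ["10.0.1.1/32"];
+# persistentKeepalive = 25;
+# }
+{
+# pie client
+publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
+allowedIPs = [
+"10.0.1.2/32"
+"fd00:acab:1312:acab:2::/128"
+];
+persistentKeepalive = 25;
+}
+{
+# droppie
+publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
+allowedIPs = [
+"10.0.1.3/32"
+"fd00:acab:1312:acab:3::/128"
+];
+persistentKeepalive = 25;
+}
+{
+# chocolatebar
+publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
+allowedIPs = [
+"10.0.1.5/32"
+"fd00:acab:1312:acab:5::/128"
+];
+persistentKeepalive = 25;
+}
+{
+# biolimo
+publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
+allowedIPs = [
+"10.0.1.6/32"
+"fd00:acab:1312:acab:6::/128"
+];
+persistentKeepalive = 25;
+}
+];
+};
+};
+}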
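Review bot: `dns` on the hub interface points at the hub's own WireGuard address, so with the default resolvconf setup wg-quick rewrites pie's system resolver to `10.0.1.2` whenever `wg-server` comes up, making pie's own name resolution depend on that interface and on unbound listening on the overlay address (unbound.nix is not part of this commit, so that cannot be checked here). If the intent is only to hand DNS to clients, the setting belongs in the client module, which already carries it, and can be dropped from the hub. `persistentKeepalive = 25` on every hub-side peer is likewise only needed on the side behind NAT and only costs traffic here; a short comment above `peers` stating that the hub has the public endpoint (`vpn.b12f.io:51899` in the client module) would make the topology explicit for the next reader. The `# Enable WireGuard` comment could name the interface's role, e.g. `# Hub interface; every client module peers with this one`.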


@ -24,6 +24,7 @@
terminal-life = import ./terminal-life;
user = import ./user;
virtualisation = import ./virtualisation;
wireguard-client = import ./wireguard-client;
base.imports = [
self.nixosModules.home-manager


@ -0,0 +1,54 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.wireguard-client;
in {
options.pub-solar.wireguard-client = {
ownIPs = mkOption {
description = ''
Internal ips in wireguard used for cluster control-plane communication.
'';
type = types.listOf types.str;
};
wireguardPrivateKeyFile = mkOption {
description = ''
Location of private key file
'';
type = types.path;
};
};
config = {
networking.firewall.allowedUDPPorts = [51899];
networking.wg-quick.interfaces = {
wg0 = {
listenPort = 51898;
address = cfg.ownIPs;
dns = [
"10.0.1.2"
"fd00:acab:1312:acab:2::"
];
privateKeyFile = cfg.wireguardPrivateKeyFile;
peers = [
{
# pie-server
publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
allowedIPs = [
"10.0.1.0/32"
"fd00:acab:1312:acab:0::/128"
];
endpoint = "vpn.b12f.io:51899";
persistentKeepalive = 25;
}
];
};
};
};
}
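Review bot: The hub peer's `allowedIPs` is `10.0.1.0/32` and `fd00:acab:1312:acab:0::/128`, which covers neither the hub's own addresses (`10.0.1.2` / `fd00:acab:1312:acab:2::`, set as `dns` a few lines above and as `address` in hosts/pie/wireguard.nix) nor the other clients, so cryptokey routing drops every packet the hub sends and no route into the tunnel exists for the DNS server or for the names the unbound change now resolves to 10.0.1.x; the peer needs the whole overlay, e.g. `allowedIPs = [ "10.0.1.0/24" "fd00:acab:1312:acab::/64" ];` (choose the prefixes that match the addressing plan, which the commit does not document). In the same `config` block `networking.firewall.allowedUDPPorts = [51899]` opens the hub's port on every client while the client interface listens on `51898`; a client behind NAT with `persistentKeepalive` needs no inbound port at all, so the line can go, or should open 51898 if unsolicited inbound handshakes are wanted. `wireguardPrivateKeyFile` is typed `types.path`, which also accepts a Nix path literal and would then copy the private key into the world-readable store; `types.str` restricts it to a runtime path such as the agenix one. `psCfg` is bound but never used, and the `ownIPs` description mentions "cluster control-plane communication", which does not match what the module configures.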


@ -67,4 +67,10 @@ in {
"rclone-pie.conf".publicKeys = pieKeys ++ baseKeys;
"restic-password.age".publicKeys = pieKeys ++ baseKeys;
"wg-private-chocolatebar.age".publicKeys = chocolatebarKeys ++ baseKeys;
"wg-private-biolimo.age".publicKeys = biolimoKeys ++ baseKeys;
"wg-private-pie.age".publicKeys = pieKeys ++ baseKeys;
"wg-private-droppie.age".publicKeys = droppieKeys ++ baseKeys;
"wg-private-pie-server.age".publicKeys = pieKeys ++ baseKeys;
}


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 TnSWKQ JjDPMMsJa/IgP3apm7xVEpCEZM4KFOdbGox9AG13RnA
+S0bgmZ4MjFiOwhV97yMrrvKvrKYympKftiV40sYrwQ
-> ssh-rsa 8daibg
Suf2zoLEqxXw/pfWkxnYDP43T6TM4p2gyxKfKxClfgF/dyQ01ESTn2FqyZoEtfV0
QxR3MYjT823OdiKobbi1zheMRmrvePCubDNp45+rIMrPe7Ax0SOl6N9R5ErvFs/l
U2fR+qshhEIqw3V2BowlXanQKtc5a5zgW9/o+hcgQ7YwrIfSJVIr5t3ImxMUKvSV
g4u6sPSVYGkVweh0VllY5v5tw9a8k+icqP5M0mYGfDeHokfz1jHWRnuoZFLSD6IT
q0qh3TEmPncl6v1jhyPP2HUp6kpMpuRZOPB8OYdzJ0FdDNEZJImZVT5U+VCs9MsU
o2o5FjElFcaC2QnipBzuq6LzVRmCeg1Q1CQHU1O6zkYphxvEqN/dccOnliIUaB/Y
TFjAAJAcTg2TEt7S6yQDLs13LfsIaagYPr5HiifwQ0M/mfwNSO2CEi2p1SiN6G6R
TUPMELfp/Sf5wueVorrgIVahxydUXY5wOr7RkQfVNoW0z0gTNqk0DJdghTCJHw2I
W+LcHN3QVRRvyLNHUKlm4j8z0EOu73TiSCWowmuZRhm5TVctTERfRd2kpPbNkRTj
SLiiMO/RCLA+CxATc3Y+uotkQLM7INHxy9HC8lCLaJcoolgSbqSPfF5byWvSy/BN
uZ1FGcSJncx4diyuwV3Wpu9Cr/5Tqd3iXKDwo04syk8
-> ssh-rsa kFDS0A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-> 0@VdDnI*-grease 9EyIn b/ iQs|
XsK49d4EWQ8kuSAUuS7DjfeqE9vglS0VQktK0kz+8/MQtQ
--- ADvs0IW45ZAopNjCz8MgbJEiWwlwkfLyJAXkodRiwKs
p<EFBFBD>R<EFBFBD>ØÖA‡Û¾õ“mð˜ô ¤ïŒ \¹Á¬KÃ8ç[PÙí¿X·'<27>°˜ï<> hì]ºÒÑÚBK6!ص!Cw˜âÞ—ôù


@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 2Ca8Kg LDm1IOnDeahi9ktcshqs++W8BszPspJyKyXdO3pm5j0
yC6KNzjsRwt9Bx38r2aIi5cragiU5ai0L8pTrVc0fzM
-> ssh-rsa 2ggJWw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-> ssh-rsa kFDS0A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-> c-grease NHHYd |!k_%$S |Jya2: 'ue
bueU3sX8xvRo4e6C2xtUUWHZOS5av+RufqlQ1+CNLQQqfuoDAOEuo8oebi66oafH
6JE77zXq5CnTsB8
--- z04xmHChs7joNFgUJnMCWifi9zLDpqeayMGjf1jWULM
uC
¦(¾ëNú]ûñ¸ûL®-ùLbÖ·¡À(v¸øÚõ¥0Ç·òþmíŸÇÚFÂJiWaó%/BÂý1åþTý8<C3BD>ù£S,ÓŽKÙoÊ



@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g rg27RIr4lE6gtptL+DXltr+mICzMIYFrJ96Mcte03k4
N+IEYg0dhnORi4ItndwhnCaSbzVnbVIIZQsg6XWDpMk
-> ssh-rsa kFDS0A
GrAnGLYDhcl5t2CesBWUWF5p9U98daBME1bCiWveYf6+eBl6hQy8YW/f3B7GOIM7
/cGi07/xTBI0P/mf91fQCgtEMAk2Y4z41nvwnvicVP2dGgM2kpvtQaZr0z+hxTjF
t3+auk0icWlDMeJm157zRyrbxN9rGrO+pyrFCyloEnE4QKd1WGv6ZcyGx3XPjf3c
EqUm6xfc1k/zPXCl9yrdy2Qg7ynkRa+hXn8D5nb9/7V5e55JAA/j1pXOVVyv5s4v
EYGt8dHHX9geS3WMq4FmF9o7AKGpeLc+YIBQJ1oGZTz8q4wENN41UG/3tSP+pmZd
9rFebh5UYnaonaIS2OthcfPL0gtrPFHDwboKbUknX5anfNoDHXTGkRLpNlBFK+yu
nO2lxqLqcqtGMPBvwA6vyFp3LyxIGxS3quhPt2gN4uzOH7z78uSixv+KxKH7+QpG
r3SdNWYlCu/Xm2T8dvdumXp/MMLdceilwLEyoxX4RxGnQKeDJaj4WdfyJVTzkiJn
90+j4Lf2v6PwRB85mBOp5UaRX5M2nFtpFsNY1SWzqTuV4pd3yAzY3wATyc6heTJw
qaq1E9D/wa8pY2vbJKiMWNt1oE1TJppTpemkr87gn4AVr9P9WIMGWUzi1PfLy1lw
sT8UynFEQm0dm8iVCLVHBkdqeyk9VBfPp8XdNU9ZEEI
-> M4|-grease +79w6:R: : &m3%z )IE
p+DTgo1OnKsSDkxFposEheC0iZioePlCkrKK2qGKegdFXh/YO5g1hkgvnSkJAVoQ
1vTSqBys2dBUntLtIo9Rs4o9J5vZ23ufHZuVJ5Px4g4
--- jj12ou2vNvCiolPUk/PIfldKHcILq40eS2uYvix4gu4
×`³}#EOe'dÀê%,<06>ÄÕmú)·-  [íÔlPou]‡ò¡5´m*${-Rú<ÂHuâ –çÿ`Srv=Å ¥%


@ -0,0 +1,19 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g FvH+VXog6FECWn8RvmPKBC5++GwX2p5DFfGN1WeRnXc
MDAo42o0YpsSI9zPtai24KkqJNBhE8rLBzDoMQPBIC8
-> ssh-rsa kFDS0A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-> UZc4<6!M-grease
YmEF8D3iV5CIak0fuSLOrmbcGUGEhZPrq4iWd22WrJP7WcALYm2UgWE
--- BRtFsnY/DnVzZzrYqCFS68vzHSUJbtmjWhF+W9TToVE
º¡S#³™Ö:Ž<>LZ¤ëîo0­—ë`ŽÑ€²*Sµ¢¿U)o‰gÿc;áN"0úX)õ´‡¨lÀTýÈNIzkî=…Æ&§<>”¡=v®Ø