From cec9562e15466834e0303d4f8f5d10768e2917db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= Date: Tue, 24 Oct 2023 17:56:14 +0200 Subject: [PATCH] feat: frikandel as wireguard hub --- flake.nix | 2 +- hosts/default.nix | 1 + hosts/frikandel/default.nix | 1 + hosts/frikandel/networking.nix | 2 ++ hosts/{pie => frikandel}/wireguard.nix | 45 ++++++++++++------------ hosts/pie/configuration.nix | 14 -------- hosts/pie/default.nix | 1 - hosts/pie/networking.nix | 9 ++++- hosts/pie/unbound.nix | 7 ++-- modules/core/default.nix | 12 +++++++ modules/core/networking.nix | 1 + modules/wireguard-client/default.nix | 8 ++--- secrets/secrets.nix | 7 ++++ secrets/wg-private-frikandel-server.age | Bin 0 -> 1125 bytes 14 files changed, 64 insertions(+), 46 deletions(-) rename hosts/{pie => frikandel}/wireguard.nix (60%) create mode 100644 secrets/wg-private-frikandel-server.age diff --git a/flake.nix b/flake.nix index 19dd6c4..26bdcdc 100644 --- a/flake.nix +++ b/flake.nix @@ -103,7 +103,7 @@ frikandel = { hostname = "frikandel.b12f.io"; - sshUser = "root"; + sshUser = "yule"; }; maoam = { diff --git a/hosts/default.nix b/hosts/default.nix index 23137fa..6f8ecb1 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -61,6 +61,7 @@ ./pie self.nixosModules.yule self.nixosModules.docker + self.nixosModules.wireguard-client ]; }; diff --git a/hosts/frikandel/default.nix b/hosts/frikandel/default.nix index 5825df9..907f23d 100644 --- a/hosts/frikandel/default.nix +++ b/hosts/frikandel/default.nix @@ -4,5 +4,6 @@ ./configuration.nix ./networking.nix + ./wireguard.nix ]; } diff --git a/hosts/frikandel/networking.nix b/hosts/frikandel/networking.nix index a804270..d024a36 100644 --- a/hosts/frikandel/networking.nix +++ b/hosts/frikandel/networking.nix 
@@ -9,6 +9,8 @@ networking.hostId = "44234773"; networking.nameservers = [ "9.9.9.9" ]; + services.openssh.openFirewall = true; + # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here) networking.useDHCP = false; networking.interfaces.enp1s0 = { diff --git a/hosts/pie/wireguard.nix b/hosts/frikandel/wireguard.nix similarity index 60% rename from hosts/pie/wireguard.nix rename to hosts/frikandel/wireguard.nix index 2c68266..17d85e6 100644 --- a/hosts/pie/wireguard.nix +++ b/hosts/frikandel/wireguard.nix 
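Review bot: `services.openssh.openFirewall = true;` exposes port 22 on the hub's public Hetzner address, and the same commit grants the deploy user NOPASSWD sudo in modules/core/default.nix, so a stolen SSH key for `yule` is root on the hub and a foothold in every peer it relays for. The core module's `services.openssh = {` block in modules/core/networking.nix is cut off in this diff; confirm it sets `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` before the port is opened, or limit the source with `networking.firewall.extraInputRules` rather than a blanket open. A why-comment would spare the next reader the search: `# internet-facing hub: sshd policy (key-only auth) comes from modules/core/networking.nix`. The module attrset enclosing this hunk begins and ends outside it.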
@@ -4,53 +4,52 @@ pkgs, ... }: { - age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie-server.age"; + age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age"; + + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + }; networking.nat = { enable = true; enableIPv6 = true; internalInterfaces = [ "wg-server" ]; }; - networking.firewall.allowedUDPPorts = [ 51898 ]; + + networking.firewall.allowedUDPPorts = [ 51899 ]; + networking.firewall.extraForwardRules = [ + "iifname wg0 accept" + "iifname enp1s0 reject" + ]; # Enable WireGuard networking.wg-quick.interfaces = { - wg-server = { - listenPort = 51898; + wg0 = { + listenPort = 51899; - address = [ "10.0.1.2/32" ]; - - dns = [ "10.0.1.2" ]; + address = [ "10.0.1.7/32" ]; privateKeyFile = "/run/agenix/wg-private-key-server"; peers = [ - # { - # # router - # publicKey = ""; - # allowedIPs = ["10.0.1.1/32"]; - - # persistentKeepalive = 25; - # } - { - # droppie + { # pie + publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8="; + allowedIPs = [ "10.0.1.2/32" ]; + persistentKeepalive = 25; + } + { # droppie publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw="; allowedIPs = [ "10.0.1.3/32" ]; - persistentKeepalive = 25; } - { - # chocolatebar + { # chocolatebar publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A="; allowedIPs = [ "10.0.1.5/32" ]; - persistentKeepalive = 25; } - { - # biolimo + { # biolimo publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc="; allowedIPs = [ "10.0.1.6/32" ]; - persistentKeepalive = 25; } ]; diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix index 1fe47f3..885bee4 100644 --- a/hosts/pie/configuration.nix +++ b/hosts/pie/configuration.nix 
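Review bot: `networking.nat.internalInterfaces = [ "wg-server" ];` still names the old interface while the wg-quick interface is renamed to `wg0` in this same hunk, so the masquerade rule keyed on `wg-server` matches nothing. Either write `internalInterfaces = [ "wg0" ];` or drop the `networking.nat` block entirely: the client module now routes only `10.0.1.0/24` through the tunnel, so the hub relays between peers and has nothing to NAT. If I read the nftables firewall module correctly, `extraForwardRules` are only emitted when `networking.firewall.filterForward = true;`, which is not set anywhere in this diff; with `ip_forward = 1` and no forward chain the `iifname enp1s0 reject` line is inert and forwarding is unfiltered, so add `networking.firewall.filterForward = true;` next to the rules. `iifname wg0 accept` also lets every peer reach every other peer (and, once NAT is fixed, the internet through the hub); narrow it to `"iifname wg0 oifname wg0 accept"` if peer-to-peer relay is all that is intended. The attrset enclosing this hunk starts and ends outside it.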
@@ -39,20 +39,6 @@ in { pub-solar.core.disk-encryption-active = false; - services.openssh.openFirewall = true; - - security.sudo.extraRules = [ - { - users = ["${psCfg.user.name}"]; - commands = [ - { - command = "ALL"; - options = ["NOPASSWD"]; - } - ]; - } - ]; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave diff --git a/hosts/pie/default.nix b/hosts/pie/default.nix index 706d082..af1ba64 100644 --- a/hosts/pie/default.nix +++ b/hosts/pie/default.nix @@ -5,7 +5,6 @@ ./networking.nix ./backup.nix - ./wireguard.nix ./unbound.nix ./dhcpd.nix ./wake-droppie.nix diff --git a/hosts/pie/networking.nix b/hosts/pie/networking.nix index ee59f1f..f0e71c2 100644 --- a/hosts/pie/networking.nix +++ b/hosts/pie/networking.nix @@ -20,7 +20,7 @@ networking.hosts = flake.self.lib.addLocalHostname ["caddy.local"]; networking.firewall.allowedTCPPorts = [ 80 ]; - services.openssh.allowSFTP = true; + services.openssh.openFirewall = true; # Caddy reverse proxy for local services like cups services.caddy = { @@ -29,4 +29,11 @@ auto_https off ''; }; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age"; + + pub-solar.wireguard-client = { + ownIPs = [ "10.0.1.2/32" ]; + wireguardPrivateKeyFile = "/run/agenix/wg-private-key"; + }; } diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix index f4524ab..850b4a0 100644 --- a/hosts/pie/unbound.nix +++ b/hosts/pie/unbound.nix 
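Review bot: in the first hosts/pie/networking.nix hunk `services.openssh.allowSFTP = true;` is replaced by `services.openssh.openFirewall = true;` rather than kept alongside it, which looks unrelated to the hub change. NixOS defaults `allowSFTP` to true, so this is probably harmless, but if the core module's `services.openssh` block (not visible here) turns it off, pie's SFTP access disappears silently; keep both lines unless the override was confirmed redundant. The enclosing module attrset lies outside the hunk.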
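Review bot: pie now signs its tunnel with `/run/agenix/wg-private-key` from `wg-private-pie.age`, but the hub's peer entry for pie in hosts/frikandel/wireguard.nix uses `8M/+y6Aq…Uj8=`, the public key that the old wireguard-client module listed as pie's *server* key backed by `wg-private-pie-server.age`. Unless the two .age files hold the same private key the hub will not recognise pie's handshakes; verify with `wg pubkey < /run/agenix/wg-private-key` on pie, and if they match retire the server secret so one key is not provisioned under two names. `ownIPs = [ "10.0.1.2/32" ]` keeps pie at the address the removed server config advertised as `dns`, so also check that the client module (outside this diff) still points resolvers at it. The enclosing attrset closes at the end of the hunk but begins outside it.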
@@ -37,14 +37,17 @@ "\"pie.local. 10800 IN A 192.168.178.2\"" "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\"" - "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\"" - "\"pie.b12f.io. 10800 IN A 10.0.1.2\"" "\"firefly.b12f.io. 10800 IN A 10.0.1.2\"" "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\"" "\"paperless.b12f.io. 10800 IN A 10.0.1.2\"" "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\"" + "\"vpn.b12f.io. 10800 IN A 128.140.109.213\"" + "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\"" + + "\"frikandel.b12f.io. 10800 IN A 10.0.1.7\"" + "\"fritz.box. 10800 IN A 192.168.178.1\"" "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\"" ]; diff --git a/modules/core/default.nix b/modules/core/default.nix index 985cec1..47e2f42 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -5,6 +5,7 @@ }: with lib; let cfg = config.pub-solar.core; + psCfg = config.pub-solar; in { imports = [ ./boot.nix @@ -28,6 +29,17 @@ in { # Limit the use of sudo to the group wheel security.sudo.execWheelOnly = true; + security.sudo.extraRules = [ + { + users = ["${psCfg.user.name}"]; + commands = [ + { + command = "ALL"; + options = ["NOPASSWD"]; + } + ]; + } + ]; # Remove the complete default environment of packages like # nano, perl and rsync diff --git a/modules/core/networking.nix b/modules/core/networking.nix index 026266b..6b7d831 100644 --- a/modules/core/networking.nix +++ b/modules/core/networking.nix @@ -16,6 +16,7 @@ }; networking.firewall.enable = true; + networking.nftables.enable = true; # For rage encryption, all hosts need a ssh key pair services.openssh = { diff --git a/modules/wireguard-client/default.nix b/modules/wireguard-client/default.nix index 64b61da..ce9cb5b 100644 --- a/modules/wireguard-client/default.nix +++ b/modules/wireguard-client/default.nix 
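Review bot: the new record `vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::` re-adds the address that the context lines above assign to `pie.local`, while the new A record points at `128.140.109.213` and the client module in this same commit dials the hub at `[2a01:4f8:c2c:b60::]:51899`. Dual-stack clients resolving `vpn.b12f.io` through this unbound will prefer the AAAA and connect to pie, which no longer runs the WireGuard server. If `2a01:4f8:c2c:b60::` is frikandel's address the line should read `"\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""`; otherwise drop the AAAA until the hub has one. The record list continues outside the hunk on both sides.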
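Review bot: moving the NOPASSWD sudo rule for `psCfg.user.name` from hosts/pie/configuration.nix into modules/core/default.nix grants passwordless root on every host that imports the core module, including the internet-facing hub this commit opens SSH on. The rule was previously scoped to one LAN host; a sudo password is the last barrier between a stolen SSH key and root, so keep it per-host or gate it behind an option such as `pub-solar.core.passwordlessSudo = lib.mkEnableOption "…";` with `security.sudo.extraRules = lib.mkIf cfg.passwordlessSudo [ … ];` that only deploy targets enable. If the rule exists so the new non-root `sshUser = "yule"` in flake.nix can activate deployments, restricting `command` to the activation script instead of `ALL` would also bound it. The `in {` attrset continues outside the hunk.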
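Review bot: `networking.nftables.enable = true;` switches the firewall backend on every host, yet pie is also given `self.nixosModules.docker` in hosts/default.nix, and Docker manages its own iptables rules; as far as I recall the option's description warns that nftables mode does not coexist with iptables-managed rulesets such as Docker's. Verify on pie that container networking and the port-80 Caddy rule survive the switch, or scope the option to hosts/frikandel/networking.nix, where the new `extraForwardRules` are what require it. A comment would record the dependency: `# nftables backend is required for networking.firewall.extraForwardRules on frikandel`. The enclosing attrset lies outside the hunk.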
@@ -35,10 +35,10 @@ in { privateKeyFile = cfg.wireguardPrivateKeyFile; peers = [ { - # pie-server - publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8="; - allowedIPs = [ "10.0.1.2/32" ]; - endpoint = "[2a02:908:5b1:e3c0:3077:2::]:51898"; + # frikandel + publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA="; + allowedIPs = [ "10.0.1.0/24" ]; + endpoint = "[2a01:4f8:c2c:b60::]:51899"; persistentKeepalive = 25; } ]; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9f08e1d..9c43f64 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -12,6 +12,8 @@ let pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local"; + frikandel-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzrEsby3KYpKRuSnTMp2Iq4ENgucQUy6SJ+906nwllS root@frikandel"; + baseKeys = [ bbcom ]; @@ -34,6 +36,10 @@ let pieKeys = [ pie-host ]; + + frikandelKeys = [ + frikandel-host + ]; in { "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys; @@ -63,6 +69,7 @@ in { "wg-private-pie.age".publicKeys = pieKeys ++ baseKeys; "wg-private-droppie.age".publicKeys = droppieKeys ++ baseKeys; "wg-private-pie-server.age".publicKeys = pieKeys ++ baseKeys; + "wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys; "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys; "invoiceplane-db-secrets.env".publicKeys = pieKeys ++ baseKeys; 
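Review bot: widening `allowedIPs` to `10.0.1.0/24` while the hub accepts all forwarding from `wg0` makes every peer reachable from every other peer, so a compromised laptop (chocolatebar, biolimo) now has a route to the firefly/paperless/invoicing services on `10.0.1.2`; if that is intended, say so with `# /24: peer-to-peer traffic is relayed through the hub`, and consider not trusting the whole `wg0` interface on pie. The endpoint is a bare IPv6 literal, so a client on an IPv4-only network can never reach the hub even though unbound now publishes an A record for `vpn.b12f.io`; `endpoint = "vpn.b12f.io:51899";` (resolved by wg-quick at start-up) or a comment stating the v6-only requirement would make that explicit. The `peers` list closes in the hunk but the enclosing `in {` block does not.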
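Review bot: `wg-private-pie-server.age` stays declared in the line above the addition even though the commit removes hosts/pie/wireguard.nix, the only consumer visible in this diff, leaving a private key for a role that no longer exists encrypted in the repo. Remove the entry and the .age file unless another host still references it, and since its public half (`8M/+y6Aq…`) is now registered on the hub as pie's peer key, decide explicitly whether pie's client key is that key or a fresh one. The `in {` attrset continues outside the hunk.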
diff --git a/secrets/wg-private-frikandel-server.age b/secrets/wg-private-frikandel-server.age new file mode 100644 index 0000000000000000000000000000000000000000..e7e127f43bdae8302107e28eb3b41777332f947a GIT binary patch literal 1125 zcmXxiJ@2D*0Kjn{VpI|*2OVqfF6P4ZptMj(jE3hzp@l-r!|=cG{8Zovv`~oWs;ln$ z3QR81bMyr`I5_C);BbRZ`UX4)U%@x|=Hn&NJgS0r1edI?9@lMx^b2VI@vQ68c@$ze zzMy8+dV!4kj3bwhZMaCX!Z2eOr7JKs`vk{59XX{|O6B~TT}T2pnJQH3gMJPC0NFAo zva)#Dv^>_cH%VL)NLXSlzu`Tr4fC}Azt(o%tPnT@rJ+)$ibN|m-Jlmc((Lkhz(HtY zr+9zyD6p(p*lhh9eGFo47=V*#B{(?iWGu=)8CwD}Y`tm8CEl%1qETcK!F6oN=RWHp zt<#$dw^lQS@R(bk%b*RNP+6TMLItW7a%h&HA$6>-*1MZdSY4PD@Pcm}0A|j9M_B>kqW251`DvnUZ9|d0Zq;;xnZG%AEIvrY4u6k7GU{cU~ z3aK?VSqWflC>#~@RJ7L@N8_m=gKt*~>O*5EY5cGYWGuT4iAvp?+W{wIWVe&9HYJiv ze()TlT@;#6SGP6EO*r7-lOtkAfkcpU?wXUdsOfzcS%ha)Rku4>-Sl!lI~r(<5LAu@ zexybljfhX>@o1cV|I(vj!{A3)gZc@nCpI@V6!b(M_khjeF=!{m|3>f z^_(r3^?8TNDyLJi5?gu;X{(M9RZrOm&c4o#)f7_>%bT{1z*f1~vx&3mC7#5Uf~Q@< zX=Gv>2mKl5TdU!`yn`Ai9*m_%O@WfaZ71E#^gY6J36gppp(FQ$% zfn>Xk223hWo8zX1@(AV+hhf|AbhoIsb$9F7$lOa-FR%T5Eo`c-8lBB@ysrLp?0yz~ z@}U&YlQ#0YXtu>3mb<63@GiT1aAeOjx)khe_N0FZ7y>$ZvXqtsm@d+ZJ`b)NP4MV5 zI2(AuTv!7o1?W5<*?|x1Ge&^|Xzx?xzn4j;x j_*s{@2XDL{D