feat: frikandel as wireguard hub

2023-10-24 17:56:14 +02:00 · 2023-10-24 17:56:14 +02:00 · cec9562e15
parent dd42eeca69
commit cec9562e15
14 changed files with 64 additions and 46 deletions
--- a/flake.nix
+++ b/flake.nix
@ -103,7 +103,7 @@
          frikandel = {
            hostname = "frikandel.b12f.io";
-            sshUser = "root";
+            sshUser = "yule";
          };
          maoam = {
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -61,6 +61,7 @@
          ./pie
          self.nixosModules.yule
          self.nixosModules.docker
          self.nixosModules.wireguard-client
        ];
      };
--- a/hosts/frikandel/default.nix
+++ b/hosts/frikandel/default.nix
@ -4,5 +4,6 @@
    ./configuration.nix
    ./networking.nix
    ./wireguard.nix
  ];
 }
--- a/hosts/frikandel/networking.nix
+++ b/hosts/frikandel/networking.nix
@ -9,6 +9,8 @@
  networking.hostId = "44234773";
  networking.nameservers = [ "9.9.9.9" ];
  services.openssh.openFirewall = true;
  # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
  networking.useDHCP = false;
  networking.interfaces.enp1s0 = {
--- a/hosts/frikandel/wireguard.nix
+++ b/hosts/frikandel/wireguard.nix
@ -4,53 +4,52 @@
  pkgs,
  ...
 }: {
-  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie-server.age";
+  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age";
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
  };
  networking.nat = {
    enable = true;
    enableIPv6 = true;
    internalInterfaces = [ "wg-server" ];
  };
-  networking.firewall.allowedUDPPorts = [ 51898 ];
+
  networking.firewall.allowedUDPPorts = [ 51899 ];
  networking.firewall.extraForwardRules = [
    "iifname wg0 accept"
    "iifname enp1s0 reject"
  ];
  # Enable WireGuard
  networking.wg-quick.interfaces = {
-    wg-server = {
+    wg0 = {
-      listenPort = 51898;
+      listenPort = 51899;
-      address = [ "10.0.1.2/32" ];
+      address = [ "10.0.1.7/32" ];
      dns = [ "10.0.1.2" ];
      privateKeyFile = "/run/agenix/wg-private-key-server";
      peers = [
-        # {
+        { # pie
-        #   # router
+          publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
-        #   publicKey = "";
+          allowedIPs = [ "10.0.1.2/32" ];
-        #   allowedIPs = ["10.0.1.1/32"];
+          persistentKeepalive = 25;
-
+        }
-        #   persistentKeepalive = 25;
+        { # droppie
        # }
        {
          # droppie
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
          allowedIPs = [ "10.0.1.3/32" ];
          persistentKeepalive = 25;
        }
-        {
+        { # chocolatebar
          # chocolatebar
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
          allowedIPs = [ "10.0.1.5/32" ];
          persistentKeepalive = 25;
        }
-        {
+        { # biolimo
          # biolimo
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
          allowedIPs = [ "10.0.1.6/32" ];
          persistentKeepalive = 25;
        }
      ];
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -39,20 +39,6 @@ in {
  pub-solar.core.disk-encryption-active = false;
  services.openssh.openFirewall = true;
  security.sudo.extraRules = [
    {
      users = ["${psCfg.user.name}"];
      commands = [
        {
          command = "ALL";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -5,7 +5,6 @@
    ./networking.nix
    ./backup.nix
    ./wireguard.nix
    ./unbound.nix
    ./dhcpd.nix
    ./wake-droppie.nix
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -20,7 +20,7 @@
  networking.hosts = flake.self.lib.addLocalHostname ["caddy.local"];
  networking.firewall.allowedTCPPorts = [ 80 ];
-  services.openssh.allowSFTP = true;
+  services.openssh.openFirewall = true;
  # Caddy reverse proxy for local services like cups
  services.caddy = {
@ -29,4 +29,11 @@
      auto_https off
    '';
  };
  age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
  pub-solar.wireguard-client = {
    ownIPs = [ "10.0.1.2/32" ];
    wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
  };
 }
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -37,14 +37,17 @@
          "\"pie.local. 10800 IN A 192.168.178.2\""
          "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
          "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
          "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
          "\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
          "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
          "\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
          "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""
          "\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
          "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
          "\"frikandel.b12f.io. 10800 IN A 10.0.1.7\""
          "\"fritz.box. 10800 IN A 192.168.178.1\""
          "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
        ];
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -5,6 +5,7 @@
 }:
 with lib; let
  cfg = config.pub-solar.core;
  psCfg = config.pub-solar;
 in {
  imports = [
    ./boot.nix
@ -28,6 +29,17 @@ in {
  # Limit the use of sudo to the group wheel
  security.sudo.execWheelOnly = true;
  security.sudo.extraRules = [
    {
      users = ["${psCfg.user.name}"];
      commands = [
        {
          command = "ALL";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];
  # Remove the complete default environment of packages like
  # nano, perl and rsync
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -16,6 +16,7 @@
  };
  networking.firewall.enable = true;
  networking.nftables.enable = true;
  # For rage encryption, all hosts need a ssh key pair
  services.openssh = {
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@ -35,10 +35,10 @@ in {
        privateKeyFile = cfg.wireguardPrivateKeyFile;
        peers = [
          {
-            # pie-server
+            # frikandel
-            publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
+            publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
-            allowedIPs = [ "10.0.1.2/32" ];
+            allowedIPs = [ "10.0.1.0/24" ];
-            endpoint = "[2a02:908:5b1:e3c0:3077:2::]:51898";
+            endpoint = "[2a01:4f8:c2c:b60::]:51899";
            persistentKeepalive = 25;
          }
        ];
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,6 +12,8 @@ let
  pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local";
  frikandel-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzrEsby3KYpKRuSnTMp2Iq4ENgucQUy6SJ+906nwllS root@frikandel";
  baseKeys = [
    bbcom
  ];
@ -34,6 +36,10 @@ let
  pieKeys = [
    pie-host
  ];
  frikandelKeys = [
    frikandel-host
  ];
 in {
  "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
  "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
@ -63,6 +69,7 @@ in {
  "wg-private-pie.age".publicKeys = pieKeys ++ baseKeys;
  "wg-private-droppie.age".publicKeys = droppieKeys ++ baseKeys;
  "wg-private-pie-server.age".publicKeys = pieKeys ++ baseKeys;
  "wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys;
  "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
  "invoiceplane-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
--- a/secrets/wg-private-frikandel-server.age
+++ b/secrets/wg-private-frikandel-server.age