feat: frikandel as wireguard hub

2023-10-24 17:56:14 +02:00 · 2023-10-24 17:56:14 +02:00 · cec9562e15
parent dd42eeca69
commit cec9562e15
14 changed files with 64 additions and 46 deletions
--- a/flake.nix
+++ b/flake.nix
@ -103,7 +103,7 @@

          frikandel = {
            hostname = "frikandel.b12f.io";
-            sshUser = "root";
+            sshUser = "yule";
          };

          maoam = {
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -61,6 +61,7 @@
          ./pie
          self.nixosModules.yule
          self.nixosModules.docker
+          self.nixosModules.wireguard-client
        ];
      };

--- a/hosts/frikandel/default.nix
+++ b/hosts/frikandel/default.nix
@ -4,5 +4,6 @@
    ./configuration.nix

    ./networking.nix
+    ./wireguard.nix
  ];
 }
--- a/hosts/frikandel/networking.nix
+++ b/hosts/frikandel/networking.nix
@ -9,6 +9,8 @@
  networking.hostId = "44234773";
  networking.nameservers = [ "9.9.9.9" ];

+  services.openssh.openFirewall = true;
+
  # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
  networking.useDHCP = false;
  networking.interfaces.enp1s0 = {
--- a/hosts/frikandel/wireguard.nix
+++ b/hosts/frikandel/wireguard.nix
@ -4,53 +4,52 @@
  pkgs,
  ...
 }: {
-  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie-server.age";
+  age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age";
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };

  networking.nat = {
    enable = true;
    enableIPv6 = true;
    internalInterfaces = [ "wg-server" ];
  };
-  networking.firewall.allowedUDPPorts = [ 51898 ];
+
+  networking.firewall.allowedUDPPorts = [ 51899 ];
+  networking.firewall.extraForwardRules = [
+    "iifname wg0 accept"
+    "iifname enp1s0 reject"
+  ];

  # Enable WireGuard
  networking.wg-quick.interfaces = {
-    wg-server = {
-      listenPort = 51898;
+    wg0 = {
+      listenPort = 51899;

-      address = [ "10.0.1.2/32" ];
-
-      dns = [ "10.0.1.2" ];
+      address = [ "10.0.1.7/32" ];

      privateKeyFile = "/run/agenix/wg-private-key-server";

      peers = [
-        # {
-        #   # router
-        #   publicKey = "";
-        #   allowedIPs = ["10.0.1.1/32"];
-
-        #   persistentKeepalive = 25;
-        # }
-        {
-          # droppie
+        { # pie
+          publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
+          allowedIPs = [ "10.0.1.2/32" ];
+          persistentKeepalive = 25;
+        }
+        { # droppie
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
          allowedIPs = [ "10.0.1.3/32" ];
-
          persistentKeepalive = 25;
        }
-        {
-          # chocolatebar
+        { # chocolatebar
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
          allowedIPs = [ "10.0.1.5/32" ];
-
          persistentKeepalive = 25;
        }
-        {
-          # biolimo
+        { # biolimo
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
          allowedIPs = [ "10.0.1.6/32" ];
-
          persistentKeepalive = 25;
        }
      ];
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -39,20 +39,6 @@ in {

  pub-solar.core.disk-encryption-active = false;

-  services.openssh.openFirewall = true;
-
-  security.sudo.extraRules = [
-    {
-      users = ["${psCfg.user.name}"];
-      commands = [
-        {
-          command = "ALL";
-          options = ["NOPASSWD"];
-        }
-      ];
-    }
-  ];
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -5,7 +5,6 @@

    ./networking.nix
    ./backup.nix
-    ./wireguard.nix
    ./unbound.nix
    ./dhcpd.nix
    ./wake-droppie.nix
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -20,7 +20,7 @@
  networking.hosts = flake.self.lib.addLocalHostname ["caddy.local"];
  networking.firewall.allowedTCPPorts = [ 80 ];

-  services.openssh.allowSFTP = true;
+  services.openssh.openFirewall = true;

  # Caddy reverse proxy for local services like cups
  services.caddy = {
@ -29,4 +29,11 @@
      auto_https off
    '';
  };
+
+  age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
+
+  pub-solar.wireguard-client = {
+    ownIPs = [ "10.0.1.2/32" ];
+    wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
+  };
 }
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -37,14 +37,17 @@
          "\"pie.local. 10800 IN A 192.168.178.2\""
          "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""

-          "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
-
          "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
          "\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
          "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
          "\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
          "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""

+          "\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
+          "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
+
+          "\"frikandel.b12f.io. 10800 IN A 10.0.1.7\""
+
          "\"fritz.box. 10800 IN A 192.168.178.1\""
          "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
        ];
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -5,6 +5,7 @@
 }:
 with lib; let
  cfg = config.pub-solar.core;
+  psCfg = config.pub-solar;
 in {
  imports = [
    ./boot.nix
@ -28,6 +29,17 @@ in {

  # Limit the use of sudo to the group wheel
  security.sudo.execWheelOnly = true;
+  security.sudo.extraRules = [
+    {
+      users = ["${psCfg.user.name}"];
+      commands = [
+        {
+          command = "ALL";
+          options = ["NOPASSWD"];
+        }
+      ];
+    }
+  ];

  # Remove the complete default environment of packages like
  # nano, perl and rsync
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -16,6 +16,7 @@
  };

  networking.firewall.enable = true;
+  networking.nftables.enable = true;

  # For rage encryption, all hosts need a ssh key pair
  services.openssh = {
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@ -35,10 +35,10 @@ in {
        privateKeyFile = cfg.wireguardPrivateKeyFile;
        peers = [
          {
-            # pie-server
-            publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
-            allowedIPs = [ "10.0.1.2/32" ];
-            endpoint = "[2a02:908:5b1:e3c0:3077:2::]:51898";
+            # frikandel
+            publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
+            allowedIPs = [ "10.0.1.0/24" ];
+            endpoint = "[2a01:4f8:c2c:b60::]:51899";
            persistentKeepalive = 25;
          }
        ];
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,6 +12,8 @@ let

  pie-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINcTORdlVno0B9R6Yh9qmlOZKA/ZQ8RBzXK7/1rBbE02 root@pie.local";

+  frikandel-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzrEsby3KYpKRuSnTMp2Iq4ENgucQUy6SJ+906nwllS root@frikandel";
+
  baseKeys = [
    bbcom
  ];
@ -34,6 +36,10 @@ let
  pieKeys = [
    pie-host
  ];
+
+  frikandelKeys = [
+    frikandel-host
+  ];
 in {
  "vnc-cert-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
  "vnc-key-chocolatebar.pem".publicKeys = chocolatebarKeys ++ baseKeys;
@ -63,6 +69,7 @@ in {
  "wg-private-pie.age".publicKeys = pieKeys ++ baseKeys;
  "wg-private-droppie.age".publicKeys = droppieKeys ++ baseKeys;
  "wg-private-pie-server.age".publicKeys = pieKeys ++ baseKeys;
+  "wg-private-frikandel-server.age".publicKeys = frikandelKeys ++ baseKeys;

  "invoiceplane-db-password.age".publicKeys = pieKeys ++ baseKeys;
  "invoiceplane-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
--- a/secrets/wg-private-frikandel-server.age
+++ b/secrets/wg-private-frikandel-server.age