fix: remove ipv6 local addresses from wireguard

2023-10-22 16:50:41 +02:00 · 2023-10-22 16:50:41 +02:00 · cff59a1b7a
parent 6d3c677f18
commit cff59a1b7a
7 changed files with 13 additions and 49 deletions
--- a/hosts/biolimo/networking.nix
+++ b/hosts/biolimo/networking.nix
@ -8,10 +8,7 @@
    age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-biolimo.age";
    pub-solar.wireguard-client = {
-      ownIPs = [
+      ownIPs = [ "10.0.1.6/32" ];
        "10.0.1.6/32"
        "fd00:acab:1312:acab:6::/128"
      ];
      wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
    };
  };
--- a/hosts/chocolatebar/networking.nix
+++ b/hosts/chocolatebar/networking.nix
@ -8,10 +8,7 @@
    age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-chocolatebar.age";
    pub-solar.wireguard-client = {
-      ownIPs = [
+      ownIPs = [ "10.0.1.5/32" ];
        "10.0.1.5/32"
        "fd00:acab:1312:acab:5::/128"
      ];
      wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
    };
  };
--- a/hosts/droppie/networking.nix
+++ b/hosts/droppie/networking.nix
@ -8,10 +8,7 @@
    age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
    pub-solar.wireguard-client = {
-      ownIPs = [
+      ownIPs = [ "10.0.1.3/32" ];
        "10.0.1.3/32"
        "fd00:acab:1312:acab:3::/128"
      ];
      wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
    };
  };
--- a/hosts/pie/networking.nix
+++ b/hosts/pie/networking.nix
@ -34,7 +34,7 @@
  # Caddy reverse proxy for local services like cups
  services.caddy = {
    globalConfig = ''
-      default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2 fd00:acab:1312:acab:2::
+      default_bind 192.168.178.2 2a02:908:5b1:e3c0:3077:2:: 10.0.1.2
      auto_https off
    '';
  };
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@ -19,7 +19,6 @@
          # Allow from wireguard
          "10.0.1.0/24 allow"
          "fd00:acab:1312:acab::/48 allow"
        ];
        local-zone = [
          "\"b12f.io\" static"
@ -33,9 +32,7 @@
          "\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:3::\""
          "\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
          "\"droppie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
          "\"backup.b12f.io. 10800 IN A 10.0.1.3\""
          "\"backup.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:3::\""
          "\"pie.local. 10800 IN A 192.168.178.2\""
          "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
@ -43,15 +40,10 @@
          "\"vpn.b12f.io. 10800 IN AAAA 2a02:908:5b1:e3c0:3077:2::\""
          "\"pie.b12f.io. 10800 IN A 10.0.1.2\""
          "\"pie.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
          "\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
          "\"firefly.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
          "\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
          "\"firefly-importer.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
          "\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
          "\"paperless.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
          "\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""
          "\"invoicing.b12f.io. 10800 IN AAAA fd00:acab:1312:acab:2::\""
          "\"fritz.box. 10800 IN A 192.168.178.1\""
          "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
--- a/hosts/pie/wireguard.nix
+++ b/hosts/pie/wireguard.nix
@ -17,14 +17,10 @@
  networking.wg-quick.interfaces = {
    wg-server = {
      listenPort = 51898;
-      address = [
+
-        "10.0.1.2/32"
+      address = [ "10.0.1.2/32" ];
-        "fd00:acab:1312:acab:2::/128"
+
-      ];
+      dns = [ "10.0.1.2" ];
      dns = [
        "10.0.1.2"
        "fd00:acab:1312:acab:2::"
      ];
      privateKeyFile = "/run/agenix/wg-private-key-server";
@ -39,30 +35,21 @@
        {
          # droppie
          publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
-          allowedIPs = [
+          allowedIPs = [ "10.0.1.3/32" ];
            "10.0.1.3/32"
            "fd00:acab:1312:acab:3::/128"
          ];
          persistentKeepalive = 25;
        }
        {
          # chocolatebar
          publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
-          allowedIPs = [
+          allowedIPs = [ "10.0.1.5/32" ];
            "10.0.1.5/32"
            "fd00:acab:1312:acab:5::/128"
          ];
          persistentKeepalive = 25;
        }
        {
          # biolimo
          publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
-          allowedIPs = [
+          allowedIPs = [ "10.0.1.6/32" ];
            "10.0.1.6/32"
            "fd00:acab:1312:acab:6::/128"
          ];
          persistentKeepalive = 25;
        }
--- a/modules/wireguard-client/default.nix
+++ b/modules/wireguard-client/default.nix
@ -31,19 +31,13 @@ in {
      wg0 = {
        listenPort = 51899;
        address = cfg.ownIPs;
-        dns = [
+        dns = [ "10.0.1.2" ];
          "10.0.1.2"
          "fd00:acab:1312:acab:2::"
        ];
        privateKeyFile = cfg.wireguardPrivateKeyFile;
        peers = [
          {
            # pie-server
            publicKey = "8M/+y6AqbSsbK0JENkjRXqlRR56iiM/QRjGGtEM+Uj8=";
-            allowedIPs = [
+            allowedIPs = [ "10.0.1.2/32" ];
              "10.0.1.2/32"
              "fd00:acab:1312:acab:2::/128"
            ];
            endpoint = "[2a02:908:5b1:e3c0:3077:2::]:51898";
            persistentKeepalive = 25;
          }