Wireguard stuff, not working yet

This commit is contained in:
Erwin Boskma 2022-09-07 22:59:08 +02:00
parent 7fdc9bca76
commit 1689e9b539
Signed by: erwin
GPG key ID: 270B20D17394F7E5
8 changed files with 270 additions and 74 deletions

View file

@ -3,6 +3,7 @@ keys:
- &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
- &drone 8eefb1f8c85704ca47aa226a692372b1fc4bb9bf
- &gitea ca0dba2f767679957879077fb8922c8ba16710be
- &vpn a7642a4af8d195d914d45dad047f33772909d8c1
creation_rules:
- path_regex: machines/loki/[^/]+\.yaml$
key_groups:
@ -18,4 +19,10 @@ creation_rules:
key_groups:
- pgp:
- *erwin
- *gitea
- *gitea
- path_regex: machines/vpn/[^/]+\.yaml$
key_groups:
- pgp:
- *erwin
- *vpn

View file

@ -10,11 +10,11 @@
]
},
"locked": {
"lastModified": 1661745860,
"narHash": "sha256-2efk4Xi0aBC6EJIiNyem40ElKFlDDPrDa9skCL8i/Dc=",
"lastModified": 1662502665,
"narHash": "sha256-2Ok8NSGmGP+qLCsDfIsUWyMNqLWt8U4Lcu86KbjgN9s=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "f7caedcd0df6710e5c33b493220f729385664ae7",
"rev": "ae5528c72a1e1afbbcb7be7e813f4b3598f919ed",
"type": "github"
},
"original": {
@ -76,11 +76,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1661573386,
"narHash": "sha256-pBEg8iY00Af/SAtU2dlmOAv+2x7kScaGlFRDjNoVJO8=",
"lastModified": 1662583828,
"narHash": "sha256-5rlP4RhAJX+n2Jd1S6vlDksOu9Wsodzv+DeKHTI/m9o=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "d89bdff445eadff03fe414e9c30486bc8166b72b",
"rev": "22113a3ae3c8410c682324e1ac3d0b995ceaf82a",
"type": "github"
},
"original": {
@ -96,11 +96,11 @@
]
},
"locked": {
"lastModified": 1659610603,
"narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=",
"lastModified": 1662220400,
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
"owner": "nix-community",
"repo": "naersk",
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
"type": "github"
},
"original": {
@ -147,11 +147,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1660407119,
"narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
"lastModified": 1662458987,
"narHash": "sha256-hcDwRlsXZMp2Er3vQk1JEUZWhBPLVC9vTT4xHvhpcE0=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
"rev": "504b32caf83986b7e6b9c79c1c13008f83290f19",
"type": "github"
},
"original": {
@ -162,11 +162,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1661628722,
"narHash": "sha256-oR/7NhG7pPkACToUtaaT6hH+rONE2z5/4NzjoUwEZt8=",
"lastModified": 1662019588,
"narHash": "sha256-oPEjHKGGVbBXqwwL+UjsveJzghWiWV0n9ogo1X6l4cw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "324c8aaf25b2f2027af7798e5582ce3040a793b6",
"rev": "2da64a81275b68fdad38af669afeda43d401e94b",
"type": "github"
},
"original": {
@ -178,11 +178,11 @@
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1661656705,
"narHash": "sha256-1ujNuL1Tx1dt8dC/kuYS329ZZgiXXmD96axwrqsUY7w=",
"lastModified": 1662221733,
"narHash": "sha256-dw1xjYyQ0JidXIpzeQh/gQX+ih1sJO1zBHKs5QSYp8Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "290dbaacc1f0b783fd8e271b585ec2c8c3b03954",
"rev": "013e8d86d9a3f33074c903c8ffcab0d34087b1ed",
"type": "github"
},
"original": {
@ -244,11 +244,11 @@
]
},
"locked": {
"lastModified": 1661742009,
"narHash": "sha256-lE6pbjo2INiJc0CTooWStINmGcu0LjdbtQ1TTs1lqPY=",
"lastModified": 1662519741,
"narHash": "sha256-SrtSAMkTri4KseXliYfOjz9qqGAlX/L+ZZDHAMkYfh0=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "4b3816ebc3cfcaf29e3dd0f0dc2924c5cb639c51",
"rev": "fae4c3204fb45876f8b54ab1e982de8896269868",
"type": "github"
},
"original": {
@ -265,11 +265,11 @@
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1661660105,
"narHash": "sha256-3ITdkYwsNDh2DRqi7FZOJ92ui92NmcO6Nhj49u+JjWY=",
"lastModified": 1662390490,
"narHash": "sha256-HnFHRFu0eoB0tLOZRjLgVfHzK+4bQzAmAmHSzOquuyI=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d92fba1bfc9f64e4ccb533701ddd8590c0d8c74a",
"rev": "044ccfe24b349859cd9efc943e4465cc993ac84e",
"type": "github"
},
"original": {

View file

@ -95,38 +95,6 @@
sops.nixosModules.sops
];
};
defContainer = system: baseConfig:
nixos-generators.nixosGenerate {
pkgs = nixpkgs.legacyPackages.${system};
format = "proxmox-lxc";
modules = [
{ _module.args.inputs = inputs; }
{ _module.args.self-overlay = self.overlay; }
({ ... }: {
imports =
builtins.attrValues self.nixosModules
++ [
{
nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
nixpkgs.overlays = [
self.overlay
ha-now-playing.overlays.${system}
pamedia.overlays.${system}
];
}
baseConfig
home-manager.nixosModules.home-manager
{ home-manager.useUserPackages = true; }
];
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
nix.registry.nixpkgs.flake = nixpkgs;
})
sops.nixosModules.sops
];
};
in
{
overlays.default = import ./overlays;
@ -182,27 +150,14 @@
(import ./machines/gitea/configuration.nix { inherit self; })
];
};
};
nixosContainers = {
drone = defContainer "x86_64-linux" {
vpn = defSystem "x86_64-linux" {
imports = [
(import ./machines/drone/configuration.nix { inherit self; })
];
};
proxy = defContainer "x86_64-linux" {
imports = [
(import ./machines/proxy/configuration.nix { inherit self; })
];
};
gitea = defContainer "x86_64-linux" {
imports = [
(import ./machines/gitea/configuration.nix { inherit self; })
(import ./machines/vpn/configuration.nix { inherit self; })
];
};
};
}
// (flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ])
(
@ -240,8 +195,11 @@
nativeBuildInputs = [
pkgs.sops
ssh-to-pgp
ssh-to-age
nodejs-18_x
nodePackages.typescript-language-server
nodePackages.yaml-language-server
inputs.nixos-generators.packages.${system}.nixos-generators
];
};

View file

@ -15,7 +15,7 @@ let
command = targetPath: ''
nix-shell -p git --run '
nix build -v '${targetPath}/machine-config#nixosConfigurations.$(hostname).config.system.build.toplevel' && \
nixos-rebuild switch -v --show-trace --flake ${targetPath}/machine-config
nixos-rebuild switch -vvv --show-trace --flake ${targetPath}/machine-config
'
'';
@ -36,4 +36,5 @@ rec {
drone = createHost "drone" "root@10.0.0.202";
proxy = createHost "proxy" "root@10.0.0.251";
gitea = createHost "gitea" "root@10.0.0.201";
vpn = createHost "vpn" "root@10.0.0.250";
}

View file

@ -0,0 +1,67 @@
{ self, ... } @ inputs: {
imports = [
./hardware-configuration.nix
../../users/root
../../users/erwin
];
eboskma = {
users.erwin.enable = true;
nix-common = {
enable = true;
remote-builders = true;
};
services = {
wireguard = {
server = {
enable = true;
externalInterface = "eth0";
internalInterface = "wg0";
internalIPs = [ "10.1.0.0/24" ];
privateKeyFile = "/run/secrets/wireguard_key";
peers = [
# horus
# {
# publicKey = "";
# persistentKeepalive = 25;
# allowedIPs = [
# "10.1.0.0/24"
# "10.0.0.0/24"
# ];
# }
# iphone
{
publicKey = "SlJSLRMaqoujNsTkzQRZlNLBGB0Q/tt3b8KijFEaH2s=";
persistentKeepalive = 25;
allowedIPs = [
"10.1.0.0/24"
"10.0.0.0/24"
];
}
];
};
};
};
};
boot.isContainer = true;
time.timeZone = "Europe/Amsterdam";
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
environment.noXlibs = true;
services.openssh.enable = true;
proxmoxLXC = {
privileged = true;
};
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
wireguard_key = { };
};
system.stateVersion = "22.05";
}

View file

@ -0,0 +1,10 @@
{ config
, lib
, pkgs
, modulesPath
, ...
}: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
}

52
machines/vpn/secrets.yaml Normal file
View file

@ -0,0 +1,52 @@
wireguard_key: ENC[AES256_GCM,data:A+m/91mC/FbU4k7RgElU5A2ykumoc7lXUjjkJPtX58hJoAUG644gM/91uVY=,iv:t9Bn2DCtfXXRflTHgCBVSwOKbdedGKYlDBSk1+KDChc=,tag:OweM84Wz+qXKH8tuu3iuJg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-09-07T20:48:24Z"
mac: ENC[AES256_GCM,data:bv3QwebG0LDuJF3r8WA4VCZLkwPyaU+M/22D+nduyBDvS3YQdzem4g8RFAkImwTQkL4lDeqdEL+jh9K6ogz84a1CwBKh8AGcrrzR1IIZJJVV37/gNJWx+0ZH79HtF6AwH9OxHmBHiE+ygyh0hK7tUt/3mTPhkrCu/q3qvF1hFgg=,iv:Q317T9eMDcb9v+aT60+huOjfnOr3tpclBBqRP6r/2ZU=,tag:wAEVbvZA/3FDjsr6sgcVCw==,type:str]
pgp:
- created_at: "2022-09-07T20:36:52Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA6BoiFpcAxNSAQ//RqNyjVMfDrurFQlJ32PYH+Ab0lzP51hsjnafmI8DeV6K
313LOGaDywdf4UvUerTCYtKh7VDUBEvVwkRhDezECeJ56yRPnyqk8QzJJqrgnc+7
+u5TWUrK600Ny7ykVYitB7iDkRvMhzhTFQX64TfHviNfoBFRuQ93fB9Web93gHR7
SAdGjb/UB2oVfZGytG3Rd+ks7/7Zt+71myQ4FMUI0MXfb4GhLPuy76V3Nb4J4jET
H/5wfZjyFO3n3tRVmq6eoZepL0DwWh3w/VlELAfOaq3iOHmT9wTg2HlYGR+O7gFr
7zjjDXU9TQtfIFEYJLUkCv8M9e0YGmuWvEhZYVZTYyuvp+X7RWG4PV/edufnb93r
/uFjN04r31ZfjWuNc7Axdw+Gcv7AsPz4Zgx+1FwtJvshpRZfEEJXXzTZMBchwG3z
bpWpudtrLRQ5iD6YnuC0uj+lnoLMaTVOnL25xXCQ7hi3/zVy/yf7gz9u0ohqrxhV
Q7R+4WkqvykeJ1WJm2rOPhtVCmsxgQEssL0lRereIpqCASohmmCucLUUWBxdHZnG
IGYVCp9DYQQyhwINhIZLFx190erqF6LtvwxzDHkPY72wqQ/JS/oagH8YDmsUxbUV
at7prnk7z/I9VXK2SwahO73RZeS6AGQbEhq4l4Al6r46RATKxUCY+2nvqHUeUyHS
XgFj2nr1sYLs231FbeMsM/1Ib5WcFmC0SUbrnuQisuEW271KrSQYZ5cUc39Onw32
d9eh0Npm8R0QCHLMKegjoBjyc0eLryI3P5gt0vyfaw+9ezv7r0pHGQZkifxqqKk=
=BleQ
-----END PGP MESSAGE-----
fp: b785a9688947edabb9ec8933ee7adefe1d943c7b
- created_at: "2022-09-07T20:36:52Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAwR/M3cpCdjBARAAmrJTEA/IL33l4Qiruz1rkk9LY4A+5+u81uNwvkTp2IoZ
P5/oRDCrzA8xdPrkxHztTWHKXdixSndV4vKjaaON2hJKRfbgoSONg34pCDV/Pjmx
FZ/w8v6oVWGAdl/Hzyd6TWKNe95Ssl0JV5rV6reoIGmkyRTqeOAo0gbLxgP/FW4F
VOw0nmJMnMXyVKLQmlktlPytR4qjn95bY0ePcKsF1PgsLiqVvee4MILtbb2Q8W6W
2+VZ5FPHLH+Hdda0AQ6H7STKsM/Ux73cgNP23PoJLknNIaF/LV6qeTIuoDKnCkB0
eHiqPc3FwP1oXPCe9v+5O+ALlE3Efwo4GP+cmRQhiJQexK3VMsKsy77jZAN06z5E
bYAmHdNkHeRFzTcVsFYO7volpy2PcDsKvoXqmwmFxs9tA4JvtQ5RiQHCC5mxWk/X
P9S0HgHpwwnnmGxxfg7v87azzI0gY8j/It7Mb2I3HeXcyWGeO/Fmhc78vMEboLWb
n0/B91WDiX+kKA3XFwyuCdnOt35iaGy4+bYqQMNK6+WuZQch9oS6ieXTZzknDnac
Ls5rtIrjqy1wvmTfVfTpMLBeb1NBDcM5lHDvT3+G2msg78iHdChRf4u6Lbdlzctc
hGawpSiCQIFWsYz1Tvtnri4IOb2DdMypD5a23K1WqI/6WU5qVxkRbbOMOImZsIPS
WAGO9n9N5/BdAm/PVaxsq61zW5NYZDmq2Xq5ZPfcJR9trobjwHi7FhDDDIHjL1e9
zIP3bMSb0be+IuMTgEatCd6VKGY+YmT09/RRtR9Kssf6xQHHfmrzSA0=
=rqzf
-----END PGP MESSAGE-----
fp: a7642a4af8d195d914d45dad047f33772909d8c1
unencrypted_suffix: _unencrypted
version: 3.7.3

View file

@ -0,0 +1,101 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.eboskma.services.wireguard.server;
wireguardPeer = {
options = {
publicKey = mkOption {
description = "The base64 of the public key";
type = types.str;
};
persistentKeepalive = mkOption {
description = "Keepalive interval in seconds";
type = with types; nullOr int;
};
allowedIPs = mkOption {
description = "List of IP (v4 or v6) addresses with CIDR mask from which this peer is allowed to send incoming traffic";
type = with types; listOf str;
};
};
};
in
{
options.eboskma.services.wireguard.server = {
enable = mkEnableOption "wireguard";
externalInterface = mkOption {
description = "The name of the external interface";
type = with types; nullOr str;
default = null;
example = "enp4s0";
};
internalInterface = mkOption {
description = "The name of the internal interface";
type = types.str;
default = "wg0";
example = "wg0";
};
internalIPs = mkOption {
description = "The internal IP addresses in CIDR notation";
type = with types; listOf str;
default = [ ];
example = [ "10.0.0.0/24" ];
};
port = mkOption {
description = "Wireguard port";
type = types.port;
default = 51820;
example = 51820;
};
privateKeyFile = mkOption {
description = "Private key file";
type = with types; nullOr str;
default = null;
example = "/private/wireguard.key";
};
peers = mkOption {
description = "Peers connected to the interface";
type = with types; listOf (submodule wireguardPeer);
};
};
config = mkIf (cfg.enable) {
networking = {
nat = {
enable = true;
externalInterface = cfg.externalInterface;
internalInterfaces = [ cfg.internalInterface ];
};
firewall.allowedUDPPorts = [ cfg.port ];
wireguard.interfaces."${cfg.internalInterface}" = {
ips = cfg.internalIPs;
listenPort = cfg.port;
privateKeyFile = cfg.privateKeyFile;
postSetup = concatMapStringsSep "\n"
(range: ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${range} -o ${cfg.externalInterface} -j MASQUERADE
'')
cfg.internalIPs;
postShutdown = concatMapStringsSep "\n"
(range: ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${range} -o ${cfg.externalInterface} -j MASQUERADE
'')
cfg.internalIPs;
peers = cfg.peers;
};
};
};
}