Wireguard stuff, not working yet
This commit is contained in:
parent
7fdc9bca76
commit
1689e9b539
8 changed files with 270 additions and 74 deletions
|
@ -3,6 +3,7 @@ keys:
|
|||
- &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
|
||||
- &drone 8eefb1f8c85704ca47aa226a692372b1fc4bb9bf
|
||||
- &gitea ca0dba2f767679957879077fb8922c8ba16710be
|
||||
- &vpn a7642a4af8d195d914d45dad047f33772909d8c1
|
||||
creation_rules:
|
||||
- path_regex: machines/loki/[^/]+\.yaml$
|
||||
key_groups:
|
||||
|
@ -18,4 +19,10 @@ creation_rules:
|
|||
key_groups:
|
||||
- pgp:
|
||||
- *erwin
|
||||
- *gitea
|
||||
- *gitea
|
||||
- path_regex: machines/vpn/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *erwin
|
||||
- *vpn
|
||||
|
||||
|
|
48
flake.lock
generated
48
flake.lock
generated
|
@ -10,11 +10,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661745860,
|
||||
"narHash": "sha256-2efk4Xi0aBC6EJIiNyem40ElKFlDDPrDa9skCL8i/Dc=",
|
||||
"lastModified": 1662502665,
|
||||
"narHash": "sha256-2Ok8NSGmGP+qLCsDfIsUWyMNqLWt8U4Lcu86KbjgN9s=",
|
||||
"owner": "nix-community",
|
||||
"repo": "emacs-overlay",
|
||||
"rev": "f7caedcd0df6710e5c33b493220f729385664ae7",
|
||||
"rev": "ae5528c72a1e1afbbcb7be7e813f4b3598f919ed",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -76,11 +76,11 @@
|
|||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661573386,
|
||||
"narHash": "sha256-pBEg8iY00Af/SAtU2dlmOAv+2x7kScaGlFRDjNoVJO8=",
|
||||
"lastModified": 1662583828,
|
||||
"narHash": "sha256-5rlP4RhAJX+n2Jd1S6vlDksOu9Wsodzv+DeKHTI/m9o=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "d89bdff445eadff03fe414e9c30486bc8166b72b",
|
||||
"rev": "22113a3ae3c8410c682324e1ac3d0b995ceaf82a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -96,11 +96,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1659610603,
|
||||
"narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=",
|
||||
"lastModified": 1662220400,
|
||||
"narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "c6a45e4277fa58abd524681466d3450f896dc094",
|
||||
"rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -147,11 +147,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1660407119,
|
||||
"narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
|
||||
"lastModified": 1662458987,
|
||||
"narHash": "sha256-hcDwRlsXZMp2Er3vQk1JEUZWhBPLVC9vTT4xHvhpcE0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
|
||||
"rev": "504b32caf83986b7e6b9c79c1c13008f83290f19",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -162,11 +162,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1661628722,
|
||||
"narHash": "sha256-oR/7NhG7pPkACToUtaaT6hH+rONE2z5/4NzjoUwEZt8=",
|
||||
"lastModified": 1662019588,
|
||||
"narHash": "sha256-oPEjHKGGVbBXqwwL+UjsveJzghWiWV0n9ogo1X6l4cw=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "324c8aaf25b2f2027af7798e5582ce3040a793b6",
|
||||
"rev": "2da64a81275b68fdad38af669afeda43d401e94b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -178,11 +178,11 @@
|
|||
},
|
||||
"nixpkgs-22_05": {
|
||||
"locked": {
|
||||
"lastModified": 1661656705,
|
||||
"narHash": "sha256-1ujNuL1Tx1dt8dC/kuYS329ZZgiXXmD96axwrqsUY7w=",
|
||||
"lastModified": 1662221733,
|
||||
"narHash": "sha256-dw1xjYyQ0JidXIpzeQh/gQX+ih1sJO1zBHKs5QSYp8Q=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "290dbaacc1f0b783fd8e271b585ec2c8c3b03954",
|
||||
"rev": "013e8d86d9a3f33074c903c8ffcab0d34087b1ed",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -244,11 +244,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661742009,
|
||||
"narHash": "sha256-lE6pbjo2INiJc0CTooWStINmGcu0LjdbtQ1TTs1lqPY=",
|
||||
"lastModified": 1662519741,
|
||||
"narHash": "sha256-SrtSAMkTri4KseXliYfOjz9qqGAlX/L+ZZDHAMkYfh0=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "4b3816ebc3cfcaf29e3dd0f0dc2924c5cb639c51",
|
||||
"rev": "fae4c3204fb45876f8b54ab1e982de8896269868",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -265,11 +265,11 @@
|
|||
"nixpkgs-22_05": "nixpkgs-22_05"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1661660105,
|
||||
"narHash": "sha256-3ITdkYwsNDh2DRqi7FZOJ92ui92NmcO6Nhj49u+JjWY=",
|
||||
"lastModified": 1662390490,
|
||||
"narHash": "sha256-HnFHRFu0eoB0tLOZRjLgVfHzK+4bQzAmAmHSzOquuyI=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "d92fba1bfc9f64e4ccb533701ddd8590c0d8c74a",
|
||||
"rev": "044ccfe24b349859cd9efc943e4465cc993ac84e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
54
flake.nix
54
flake.nix
|
@ -95,38 +95,6 @@
|
|||
sops.nixosModules.sops
|
||||
];
|
||||
};
|
||||
|
||||
defContainer = system: baseConfig:
|
||||
nixos-generators.nixosGenerate {
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
format = "proxmox-lxc";
|
||||
modules = [
|
||||
{ _module.args.inputs = inputs; }
|
||||
{ _module.args.self-overlay = self.overlay; }
|
||||
({ ... }: {
|
||||
imports =
|
||||
builtins.attrValues self.nixosModules
|
||||
++ [
|
||||
{
|
||||
nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
|
||||
nixpkgs.overlays = [
|
||||
self.overlay
|
||||
ha-now-playing.overlays.${system}
|
||||
pamedia.overlays.${system}
|
||||
];
|
||||
}
|
||||
|
||||
baseConfig
|
||||
home-manager.nixosModules.home-manager
|
||||
{ home-manager.useUserPackages = true; }
|
||||
];
|
||||
|
||||
system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
|
||||
nix.registry.nixpkgs.flake = nixpkgs;
|
||||
})
|
||||
sops.nixosModules.sops
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
overlays.default = import ./overlays;
|
||||
|
@ -182,27 +150,14 @@
|
|||
(import ./machines/gitea/configuration.nix { inherit self; })
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
nixosContainers = {
|
||||
drone = defContainer "x86_64-linux" {
|
||||
vpn = defSystem "x86_64-linux" {
|
||||
imports = [
|
||||
(import ./machines/drone/configuration.nix { inherit self; })
|
||||
];
|
||||
};
|
||||
|
||||
proxy = defContainer "x86_64-linux" {
|
||||
imports = [
|
||||
(import ./machines/proxy/configuration.nix { inherit self; })
|
||||
];
|
||||
};
|
||||
|
||||
gitea = defContainer "x86_64-linux" {
|
||||
imports = [
|
||||
(import ./machines/gitea/configuration.nix { inherit self; })
|
||||
(import ./machines/vpn/configuration.nix { inherit self; })
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
// (flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ])
|
||||
(
|
||||
|
@ -240,8 +195,11 @@
|
|||
nativeBuildInputs = [
|
||||
pkgs.sops
|
||||
ssh-to-pgp
|
||||
ssh-to-age
|
||||
nodejs-18_x
|
||||
nodePackages.typescript-language-server
|
||||
nodePackages.yaml-language-server
|
||||
inputs.nixos-generators.packages.${system}.nixos-generators
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ let
|
|||
command = targetPath: ''
|
||||
nix-shell -p git --run '
|
||||
nix build -v '${targetPath}/machine-config#nixosConfigurations.$(hostname).config.system.build.toplevel' && \
|
||||
nixos-rebuild switch -v --show-trace --flake ${targetPath}/machine-config
|
||||
nixos-rebuild switch -vvv --show-trace --flake ${targetPath}/machine-config
|
||||
'
|
||||
'';
|
||||
|
||||
|
@ -36,4 +36,5 @@ rec {
|
|||
drone = createHost "drone" "root@10.0.0.202";
|
||||
proxy = createHost "proxy" "root@10.0.0.251";
|
||||
gitea = createHost "gitea" "root@10.0.0.201";
|
||||
vpn = createHost "vpn" "root@10.0.0.250";
|
||||
}
|
||||
|
|
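--- a/machines/vpn/configuration.nix
+++ b/machines/vpn/configuration.nix
@@ -0,0 +1,67 @@
+{ self, ... } @ inputs: {
+imports = [
+./hardware-configuration.nix
+../../users/root
+../../users/erwin
+];
+
+eboskma = {
+users.erwin.enable = true;
+nix-common = {
+enable = true;
+remote-builders = true;
+};
+services = {
+wireguard = {
+server = {
+enable = true;
+externalInterface = "eth0";
+internalInterface = "wg0";
+internalIPs = [ "10.1.0.0/24" ];
+privateKeyFile = "/run/secrets/wireguard_key";
+peers = [
+# horus
+# {
+# publicKey = "";
+# persistentKeepalive = 25;
+# allowedIPs = [
+# "10.1.0.0/24"
+# "10.0.0.0/24"
+# ];
+# }
+# iphone
+{
+publicKey = "SlJSLRMaqoujNsTkzQRZlNLBGB0Q/tt3b8KijFEaH2s=";
+persistentKeepalive = 25;
+allowedIPs = [
+"10.1.0.0/24"
+"10.0.0.0/24"
+];
+}
+];
+};
+};
+};
+};
+
+boot.isContainer = true;
+
+time.timeZone = "Europe/Amsterdam";
+
+system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+environment.noXlibs = true;
+
+services.openssh.enable = true;
+
+proxmoxLXC = {
+privileged = true;
+};
+
+sops.defaultSopsFile = ./secrets.yaml;
+sops.secrets = {
+wireguard_key = { };
+};
+
+system.stateVersion = "22.05";
+}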
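Review bot: The iphone peer's `allowedIPs` lists the whole tunnel subnet and the LAN (`"10.1.0.0/24"`, `"10.0.0.0/24"`), but on the server side `allowedIPs` is WireGuard's cryptokey routing table: it routes those destinations into the tunnel toward the phone and accepts packets from the phone carrying any source address in those ranges. This host itself lives in 10.0.0.0/24 (the deploy entry added in this commit uses root@10.0.0.250), so routing that prefix at the phone cuts the server off from its LAN, and the wide source range lets the peer inject masqueraded packets with spoofed LAN addresses — this may well be the "not working yet" part. On the server each peer should be pinned to its own tunnel address, e.g. `allowedIPs = [ "10.1.0.2/32" ];`, while the 10.1.0.0/24 + 10.0.0.0/24 list belongs in the phone's client configuration. Separately, `proxmoxLXC.privileged = true` widens what a compromise of this VPN endpoint can reach on the Proxmox host; a comment such as `# privileged: needed to create the wg0 netdev inside the CT — revisit, unprivileged may suffice on recent PVE kernels` would record why it is accepted (whether it is actually required here is not established by this change).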
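--- a/machines/vpn/hardware-configuration.nix
+++ b/machines/vpn/hardware-configuration.nix
@@ -0,0 +1,10 @@
+{ config
+, lib
+, pkgs
+, modulesPath
+, ...
+}: {
+imports = [
+(modulesPath + "/virtualisation/proxmox-lxc.nix")
+];
+}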
52
machines/vpn/secrets.yaml
Normal file
52
machines/vpn/secrets.yaml
Normal file
|
@ -0,0 +1,52 @@
|
|||
wireguard_key: ENC[AES256_GCM,data:A+m/91mC/FbU4k7RgElU5A2ykumoc7lXUjjkJPtX58hJoAUG644gM/91uVY=,iv:t9Bn2DCtfXXRflTHgCBVSwOKbdedGKYlDBSk1+KDChc=,tag:OweM84Wz+qXKH8tuu3iuJg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2022-09-07T20:48:24Z"
|
||||
mac: ENC[AES256_GCM,data:bv3QwebG0LDuJF3r8WA4VCZLkwPyaU+M/22D+nduyBDvS3YQdzem4g8RFAkImwTQkL4lDeqdEL+jh9K6ogz84a1CwBKh8AGcrrzR1IIZJJVV37/gNJWx+0ZH79HtF6AwH9OxHmBHiE+ygyh0hK7tUt/3mTPhkrCu/q3qvF1hFgg=,iv:Q317T9eMDcb9v+aT60+huOjfnOr3tpclBBqRP6r/2ZU=,tag:wAEVbvZA/3FDjsr6sgcVCw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2022-09-07T20:36:52Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6BoiFpcAxNSAQ//RqNyjVMfDrurFQlJ32PYH+Ab0lzP51hsjnafmI8DeV6K
|
||||
313LOGaDywdf4UvUerTCYtKh7VDUBEvVwkRhDezECeJ56yRPnyqk8QzJJqrgnc+7
|
||||
+u5TWUrK600Ny7ykVYitB7iDkRvMhzhTFQX64TfHviNfoBFRuQ93fB9Web93gHR7
|
||||
SAdGjb/UB2oVfZGytG3Rd+ks7/7Zt+71myQ4FMUI0MXfb4GhLPuy76V3Nb4J4jET
|
||||
H/5wfZjyFO3n3tRVmq6eoZepL0DwWh3w/VlELAfOaq3iOHmT9wTg2HlYGR+O7gFr
|
||||
7zjjDXU9TQtfIFEYJLUkCv8M9e0YGmuWvEhZYVZTYyuvp+X7RWG4PV/edufnb93r
|
||||
/uFjN04r31ZfjWuNc7Axdw+Gcv7AsPz4Zgx+1FwtJvshpRZfEEJXXzTZMBchwG3z
|
||||
bpWpudtrLRQ5iD6YnuC0uj+lnoLMaTVOnL25xXCQ7hi3/zVy/yf7gz9u0ohqrxhV
|
||||
Q7R+4WkqvykeJ1WJm2rOPhtVCmsxgQEssL0lRereIpqCASohmmCucLUUWBxdHZnG
|
||||
IGYVCp9DYQQyhwINhIZLFx190erqF6LtvwxzDHkPY72wqQ/JS/oagH8YDmsUxbUV
|
||||
at7prnk7z/I9VXK2SwahO73RZeS6AGQbEhq4l4Al6r46RATKxUCY+2nvqHUeUyHS
|
||||
XgFj2nr1sYLs231FbeMsM/1Ib5WcFmC0SUbrnuQisuEW271KrSQYZ5cUc39Onw32
|
||||
d9eh0Npm8R0QCHLMKegjoBjyc0eLryI3P5gt0vyfaw+9ezv7r0pHGQZkifxqqKk=
|
||||
=BleQ
|
||||
-----END PGP MESSAGE-----
|
||||
fp: b785a9688947edabb9ec8933ee7adefe1d943c7b
|
||||
- created_at: "2022-09-07T20:36:52Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAwR/M3cpCdjBARAAmrJTEA/IL33l4Qiruz1rkk9LY4A+5+u81uNwvkTp2IoZ
|
||||
P5/oRDCrzA8xdPrkxHztTWHKXdixSndV4vKjaaON2hJKRfbgoSONg34pCDV/Pjmx
|
||||
FZ/w8v6oVWGAdl/Hzyd6TWKNe95Ssl0JV5rV6reoIGmkyRTqeOAo0gbLxgP/FW4F
|
||||
VOw0nmJMnMXyVKLQmlktlPytR4qjn95bY0ePcKsF1PgsLiqVvee4MILtbb2Q8W6W
|
||||
2+VZ5FPHLH+Hdda0AQ6H7STKsM/Ux73cgNP23PoJLknNIaF/LV6qeTIuoDKnCkB0
|
||||
eHiqPc3FwP1oXPCe9v+5O+ALlE3Efwo4GP+cmRQhiJQexK3VMsKsy77jZAN06z5E
|
||||
bYAmHdNkHeRFzTcVsFYO7volpy2PcDsKvoXqmwmFxs9tA4JvtQ5RiQHCC5mxWk/X
|
||||
P9S0HgHpwwnnmGxxfg7v87azzI0gY8j/It7Mb2I3HeXcyWGeO/Fmhc78vMEboLWb
|
||||
n0/B91WDiX+kKA3XFwyuCdnOt35iaGy4+bYqQMNK6+WuZQch9oS6ieXTZzknDnac
|
||||
Ls5rtIrjqy1wvmTfVfTpMLBeb1NBDcM5lHDvT3+G2msg78iHdChRf4u6Lbdlzctc
|
||||
hGawpSiCQIFWsYz1Tvtnri4IOb2DdMypD5a23K1WqI/6WU5qVxkRbbOMOImZsIPS
|
||||
WAGO9n9N5/BdAm/PVaxsq61zW5NYZDmq2Xq5ZPfcJR9trobjwHi7FhDDDIHjL1e9
|
||||
zIP3bMSb0be+IuMTgEatCd6VKGY+YmT09/RRtR9Kssf6xQHHfmrzSA0=
|
||||
=rqzf
|
||||
-----END PGP MESSAGE-----
|
||||
fp: a7642a4af8d195d914d45dad047f33772909d8c1
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
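--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -0,0 +1,101 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+cfg = config.eboskma.services.wireguard.server;
+
+wireguardPeer = {
+options = {
+publicKey = mkOption {
+description = "The base64 of the public key";
+type = types.str;
+};
+
+persistentKeepalive = mkOption {
+description = "Keepalive interval in seconds";
+type = with types; nullOr int;
+};
+
+allowedIPs = mkOption {
+description = "List of IP (v4 or v6) addresses with CIDR mask from which this peer is allowed to send incoming traffic";
+type = with types; listOf str;
+};
+};
+};
+in
+{
+options.eboskma.services.wireguard.server = {
+enable = mkEnableOption "wireguard";
+
+externalInterface = mkOption {
+description = "The name of the external interface";
+type = with types; nullOr str;
+default = null;
+example = "enp4s0";
+};
+
+internalInterface = mkOption {
+description = "The name of the internal interface";
+type = types.str;
+default = "wg0";
+example = "wg0";
+};
+
+internalIPs = mkOption {
+description = "The internal IP addresses in CIDR notation";
+type = with types; listOf str;
+default = [ ];
+example = [ "10.0.0.0/24" ];
+};
+
+port = mkOption {
+description = "Wireguard port";
+type = types.port;
+default = 51820;
+example = 51820;
+};
+
+privateKeyFile = mkOption {
+description = "Private key file";
+type = with types; nullOr str;
+default = null;
+example = "/private/wireguard.key";
+};
+
+peers = mkOption {
+description = "Peers connected to the interface";
+type = with types; listOf (submodule wireguardPeer);
+};
+};
+
+config = mkIf (cfg.enable) {
+networking = {
+nat = {
+enable = true;
+externalInterface = cfg.externalInterface;
+internalInterfaces = [ cfg.internalInterface ];
+};
+
+firewall.allowedUDPPorts = [ cfg.port ];
+
+wireguard.interfaces."${cfg.internalInterface}" = {
+ips = cfg.internalIPs;
+listenPort = cfg.port;
+privateKeyFile = cfg.privateKeyFile;
+
+postSetup = concatMapStringsSep "\n"
+(range: ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${range} -o ${cfg.externalInterface} -j MASQUERADE
+'')
+cfg.internalIPs;
+
+postShutdown = concatMapStringsSep "\n"
+(range: ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${range} -o ${cfg.externalInterface} -j MASQUERADE
+'')
+cfg.internalIPs;
+
+peers = cfg.peers;
+};
+};
+};
+}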
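Review bot: `ips = cfg.internalIPs` in the `wireguard.interfaces` block assigns to the interface the same list that `postSetup`/`postShutdown` use as a MASQUERADE source range, and the option is described and exemplified as a subnet (`"10.0.0.0/24"`), so with the vpn machine's `internalIPs = [ "10.1.0.0/24" ]` the host gets the network address rather than a host address on wg0; the host's own tunnel address and the NATed range should be separate options. `externalInterface` defaults to `null` but is interpolated unconditionally into both iptables strings, so enabling the server with the default fails at evaluation with a generic coercion error instead of a message naming the option; an assertion is friendlier. The explicit MASQUERADE rules also appear to duplicate what `networking.nat` with `internalInterfaces = [ cfg.internalInterface ]` already installs — if both are kept, a comment should say why. The sketch below adds an `internalAddress` option and the assertion; the vpn configuration would then set `internalAddress = "10.1.0.1/24";` alongside its existing `internalIPs`.

```nix
    # … unchanged: enable, externalInterface, internalInterface options …

    internalAddress = mkOption {
      description = "This host's own address on the internal interface, in CIDR notation (a host address, not the whole subnet)";
      type = types.str;
      example = "10.1.0.1/24";
    };

    internalIPs = mkOption {
      description = "Subnets behind the internal interface that are masqueraded out of the external interface";
      type = with types; listOf str;
      default = [ ];
      example = [ "10.1.0.0/24" ];
    };

    # … unchanged: port, privateKeyFile, peers options …

  config = mkIf cfg.enable {
    assertions = [{
      assertion = cfg.externalInterface != null;
      message = "eboskma.services.wireguard.server.externalInterface must be set when the server is enabled";
    }];

    # … unchanged: networking.nat, firewall.allowedUDPPorts …

      wireguard.interfaces."${cfg.internalInterface}" = {
        ips = [ cfg.internalAddress ];
        # … unchanged: listenPort, privateKeyFile, postSetup, postShutdown, peers …
```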