Wireguard stuff, not working yet

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &loki a6e31f5ab2bf34ca3f614d81ed9d6ae54dbcb9f7
   - &drone 8eefb1f8c85704ca47aa226a692372b1fc4bb9bf
   - &gitea ca0dba2f767679957879077fb8922c8ba16710be
+  - &vpn a7642a4af8d195d914d45dad047f33772909d8c1
 creation_rules:
   - path_regex: machines/loki/[^/]+\.yaml$
     key_groups:
@@ -19,3 +20,9 @@ creation_rules:
       - pgp:
         - *erwin
         - *gitea
+  - path_regex: machines/vpn/[^/]+\.yaml$
+    key_groups:
+      - pgp:
+        - *erwin
+        - *vpn
+

flake.lock

@@ -10,11 +10,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1661745860,
+        "lastModified": 1662502665,
-        "narHash": "sha256-2efk4Xi0aBC6EJIiNyem40ElKFlDDPrDa9skCL8i/Dc=",
+        "narHash": "sha256-2Ok8NSGmGP+qLCsDfIsUWyMNqLWt8U4Lcu86KbjgN9s=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "f7caedcd0df6710e5c33b493220f729385664ae7",
+        "rev": "ae5528c72a1e1afbbcb7be7e813f4b3598f919ed",
         "type": "github"
       },
       "original": {
@@ -76,11 +76,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1661573386,
+        "lastModified": 1662583828,
-        "narHash": "sha256-pBEg8iY00Af/SAtU2dlmOAv+2x7kScaGlFRDjNoVJO8=",
+        "narHash": "sha256-5rlP4RhAJX+n2Jd1S6vlDksOu9Wsodzv+DeKHTI/m9o=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d89bdff445eadff03fe414e9c30486bc8166b72b",
+        "rev": "22113a3ae3c8410c682324e1ac3d0b995ceaf82a",
         "type": "github"
       },
       "original": {
@@ -96,11 +96,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1659610603,
+        "lastModified": 1662220400,
-        "narHash": "sha256-LYgASYSPYo7O71WfeUOaEUzYfzuXm8c8eavJcel+pfI=",
+        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
         "owner": "nix-community",
         "repo": "naersk",
-        "rev": "c6a45e4277fa58abd524681466d3450f896dc094",
+        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1660407119,
+        "lastModified": 1662458987,
-        "narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
+        "narHash": "sha256-hcDwRlsXZMp2Er3vQk1JEUZWhBPLVC9vTT4xHvhpcE0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
+        "rev": "504b32caf83986b7e6b9c79c1c13008f83290f19",
         "type": "github"
       },
       "original": {
@@ -162,11 +162,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1661628722,
+        "lastModified": 1662019588,
-        "narHash": "sha256-oR/7NhG7pPkACToUtaaT6hH+rONE2z5/4NzjoUwEZt8=",
+        "narHash": "sha256-oPEjHKGGVbBXqwwL+UjsveJzghWiWV0n9ogo1X6l4cw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "324c8aaf25b2f2027af7798e5582ce3040a793b6",
+        "rev": "2da64a81275b68fdad38af669afeda43d401e94b",
         "type": "github"
       },
       "original": {
@@ -178,11 +178,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1661656705,
+        "lastModified": 1662221733,
-        "narHash": "sha256-1ujNuL1Tx1dt8dC/kuYS329ZZgiXXmD96axwrqsUY7w=",
+        "narHash": "sha256-dw1xjYyQ0JidXIpzeQh/gQX+ih1sJO1zBHKs5QSYp8Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "290dbaacc1f0b783fd8e271b585ec2c8c3b03954",
+        "rev": "013e8d86d9a3f33074c903c8ffcab0d34087b1ed",
         "type": "github"
       },
       "original": {
@@ -244,11 +244,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1661742009,
+        "lastModified": 1662519741,
-        "narHash": "sha256-lE6pbjo2INiJc0CTooWStINmGcu0LjdbtQ1TTs1lqPY=",
+        "narHash": "sha256-SrtSAMkTri4KseXliYfOjz9qqGAlX/L+ZZDHAMkYfh0=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "4b3816ebc3cfcaf29e3dd0f0dc2924c5cb639c51",
+        "rev": "fae4c3204fb45876f8b54ab1e982de8896269868",
         "type": "github"
       },
       "original": {
@@ -265,11 +265,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1661660105,
+        "lastModified": 1662390490,
-        "narHash": "sha256-3ITdkYwsNDh2DRqi7FZOJ92ui92NmcO6Nhj49u+JjWY=",
+        "narHash": "sha256-HnFHRFu0eoB0tLOZRjLgVfHzK+4bQzAmAmHSzOquuyI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "d92fba1bfc9f64e4ccb533701ddd8590c0d8c74a",
+        "rev": "044ccfe24b349859cd9efc943e4465cc993ac84e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -95,38 +95,6 @@
               sops.nixosModules.sops
             ];
           };
-
-        defContainer = system: baseConfig:
-          nixos-generators.nixosGenerate {
-            pkgs = nixpkgs.legacyPackages.${system};
-            format = "proxmox-lxc";
-            modules = [
-              { _module.args.inputs = inputs; }
-              { _module.args.self-overlay = self.overlay; }
-              ({ ... }: {
-                imports =
-                  builtins.attrValues self.nixosModules
-                  ++ [
-                    {
-                      nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
-                      nixpkgs.overlays = [
-                        self.overlay
-                        ha-now-playing.overlays.${system}
-                        pamedia.overlays.${system}
-                      ];
-                    }
-
-                    baseConfig
-                    home-manager.nixosModules.home-manager
-                    { home-manager.useUserPackages = true; }
-                  ];
-
-                system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
-                nix.registry.nixpkgs.flake = nixpkgs;
-              })
-              sops.nixosModules.sops
-            ];
-          };
       in
       {
         overlays.default = import ./overlays;
@@ -182,27 +150,14 @@
               (import ./machines/gitea/configuration.nix { inherit self; })
             ];
           };
-        };
 
-        nixosContainers = {
+          vpn = defSystem "x86_64-linux" {
-          drone = defContainer "x86_64-linux" {
             imports = [
-              (import ./machines/drone/configuration.nix { inherit self; })
+              (import ./machines/vpn/configuration.nix { inherit self; })
-            ];
-          };
-
-          proxy = defContainer "x86_64-linux" {
-            imports = [
-              (import ./machines/proxy/configuration.nix { inherit self; })
-            ];
-          };
-
-          gitea = defContainer "x86_64-linux" {
-            imports = [
-              (import ./machines/gitea/configuration.nix { inherit self; })
             ];
           };
         };
+
       }
       // (flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ])
         (
@@ -240,8 +195,11 @@
                 nativeBuildInputs = [
                   pkgs.sops
                   ssh-to-pgp
+                  ssh-to-age
                   nodejs-18_x
                   nodePackages.typescript-language-server
+                  nodePackages.yaml-language-server
+                  inputs.nixos-generators.packages.${system}.nixos-generators
                 ];
               };
 

krops.nix

@@ -15,7 +15,7 @@ let
   command = targetPath: ''
     nix-shell -p git --run '
       nix build -v '${targetPath}/machine-config#nixosConfigurations.$(hostname).config.system.build.toplevel' && \
-      nixos-rebuild switch -v --show-trace --flake ${targetPath}/machine-config
+      nixos-rebuild switch -vvv --show-trace --flake ${targetPath}/machine-config
       '
   '';
 
@@ -36,4 +36,5 @@ rec {
   drone = createHost "drone" "root@10.0.0.202";
   proxy = createHost "proxy" "root@10.0.0.251";
   gitea = createHost "gitea" "root@10.0.0.201";
+  vpn = createHost "vpn" "root@10.0.0.250";
 }

machines/vpn/configuration.nix

@@ -0,0 +1,67 @@
+{ self, ... } @ inputs: {
+  imports = [
+    ./hardware-configuration.nix
+    ../../users/root
+    ../../users/erwin
+  ];
+
+  eboskma = {
+    users.erwin.enable = true;
+    nix-common = {
+      enable = true;
+      remote-builders = true;
+    };
+    services = {
+      wireguard = {
+        server = {
+          enable = true;
+          externalInterface = "eth0";
+          internalInterface = "wg0";
+          internalIPs = [ "10.1.0.0/24" ];
+          privateKeyFile = "/run/secrets/wireguard_key";
+          peers = [
+            # horus
+            # {
+            #   publicKey = "";
+            #   persistentKeepalive = 25;
+            #   allowedIPs = [
+            #     "10.1.0.0/24"
+            #     "10.0.0.0/24"
+            #   ];
+            # }
+            # iphone
+            {
+              publicKey = "SlJSLRMaqoujNsTkzQRZlNLBGB0Q/tt3b8KijFEaH2s=";
+              persistentKeepalive = 25;
+              allowedIPs = [
+                "10.1.0.0/24"
+                "10.0.0.0/24"
+              ];
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  boot.isContainer = true;
+
+  time.timeZone = "Europe/Amsterdam";
+
+  system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+  environment.noXlibs = true;
+
+  services.openssh.enable = true;
+
+  proxmoxLXC = {
+    privileged = true;
+  };
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    wireguard_key = { };
+  };
+
+  system.stateVersion = "22.05";
+}

machines/vpn/hardware-configuration.nix

@@ -0,0 +1,10 @@
+{ config
+, lib
+, pkgs
+, modulesPath
+, ...
+}: {
+  imports = [
+    (modulesPath + "/virtualisation/proxmox-lxc.nix")
+  ];
+}

machines/vpn/secrets.yaml

@@ -0,0 +1,52 @@
+wireguard_key: ENC[AES256_GCM,data:A+m/91mC/FbU4k7RgElU5A2ykumoc7lXUjjkJPtX58hJoAUG644gM/91uVY=,iv:t9Bn2DCtfXXRflTHgCBVSwOKbdedGKYlDBSk1+KDChc=,tag:OweM84Wz+qXKH8tuu3iuJg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-09-07T20:48:24Z"
+    mac: ENC[AES256_GCM,data:bv3QwebG0LDuJF3r8WA4VCZLkwPyaU+M/22D+nduyBDvS3YQdzem4g8RFAkImwTQkL4lDeqdEL+jh9K6ogz84a1CwBKh8AGcrrzR1IIZJJVV37/gNJWx+0ZH79HtF6AwH9OxHmBHiE+ygyh0hK7tUt/3mTPhkrCu/q3qvF1hFgg=,iv:Q317T9eMDcb9v+aT60+huOjfnOr3tpclBBqRP6r/2ZU=,tag:wAEVbvZA/3FDjsr6sgcVCw==,type:str]
+    pgp:
+        - created_at: "2022-09-07T20:36:52Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6BoiFpcAxNSAQ//RqNyjVMfDrurFQlJ32PYH+Ab0lzP51hsjnafmI8DeV6K
+            313LOGaDywdf4UvUerTCYtKh7VDUBEvVwkRhDezECeJ56yRPnyqk8QzJJqrgnc+7
+            +u5TWUrK600Ny7ykVYitB7iDkRvMhzhTFQX64TfHviNfoBFRuQ93fB9Web93gHR7
+            SAdGjb/UB2oVfZGytG3Rd+ks7/7Zt+71myQ4FMUI0MXfb4GhLPuy76V3Nb4J4jET
+            H/5wfZjyFO3n3tRVmq6eoZepL0DwWh3w/VlELAfOaq3iOHmT9wTg2HlYGR+O7gFr
+            7zjjDXU9TQtfIFEYJLUkCv8M9e0YGmuWvEhZYVZTYyuvp+X7RWG4PV/edufnb93r
+            /uFjN04r31ZfjWuNc7Axdw+Gcv7AsPz4Zgx+1FwtJvshpRZfEEJXXzTZMBchwG3z
+            bpWpudtrLRQ5iD6YnuC0uj+lnoLMaTVOnL25xXCQ7hi3/zVy/yf7gz9u0ohqrxhV
+            Q7R+4WkqvykeJ1WJm2rOPhtVCmsxgQEssL0lRereIpqCASohmmCucLUUWBxdHZnG
+            IGYVCp9DYQQyhwINhIZLFx190erqF6LtvwxzDHkPY72wqQ/JS/oagH8YDmsUxbUV
+            at7prnk7z/I9VXK2SwahO73RZeS6AGQbEhq4l4Al6r46RATKxUCY+2nvqHUeUyHS
+            XgFj2nr1sYLs231FbeMsM/1Ib5WcFmC0SUbrnuQisuEW271KrSQYZ5cUc39Onw32
+            d9eh0Npm8R0QCHLMKegjoBjyc0eLryI3P5gt0vyfaw+9ezv7r0pHGQZkifxqqKk=
+            =BleQ
+            -----END PGP MESSAGE-----
+          fp: b785a9688947edabb9ec8933ee7adefe1d943c7b
+        - created_at: "2022-09-07T20:36:52Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwR/M3cpCdjBARAAmrJTEA/IL33l4Qiruz1rkk9LY4A+5+u81uNwvkTp2IoZ
+            P5/oRDCrzA8xdPrkxHztTWHKXdixSndV4vKjaaON2hJKRfbgoSONg34pCDV/Pjmx
+            FZ/w8v6oVWGAdl/Hzyd6TWKNe95Ssl0JV5rV6reoIGmkyRTqeOAo0gbLxgP/FW4F
+            VOw0nmJMnMXyVKLQmlktlPytR4qjn95bY0ePcKsF1PgsLiqVvee4MILtbb2Q8W6W
+            2+VZ5FPHLH+Hdda0AQ6H7STKsM/Ux73cgNP23PoJLknNIaF/LV6qeTIuoDKnCkB0
+            eHiqPc3FwP1oXPCe9v+5O+ALlE3Efwo4GP+cmRQhiJQexK3VMsKsy77jZAN06z5E
+            bYAmHdNkHeRFzTcVsFYO7volpy2PcDsKvoXqmwmFxs9tA4JvtQ5RiQHCC5mxWk/X
+            P9S0HgHpwwnnmGxxfg7v87azzI0gY8j/It7Mb2I3HeXcyWGeO/Fmhc78vMEboLWb
+            n0/B91WDiX+kKA3XFwyuCdnOt35iaGy4+bYqQMNK6+WuZQch9oS6ieXTZzknDnac
+            Ls5rtIrjqy1wvmTfVfTpMLBeb1NBDcM5lHDvT3+G2msg78iHdChRf4u6Lbdlzctc
+            hGawpSiCQIFWsYz1Tvtnri4IOb2DdMypD5a23K1WqI/6WU5qVxkRbbOMOImZsIPS
+            WAGO9n9N5/BdAm/PVaxsq61zW5NYZDmq2Xq5ZPfcJR9trobjwHi7FhDDDIHjL1e9
+            zIP3bMSb0be+IuMTgEatCd6VKGY+YmT09/RRtR9Kssf6xQHHfmrzSA0=
+            =rqzf
+            -----END PGP MESSAGE-----
+          fp: a7642a4af8d195d914d45dad047f33772909d8c1
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

modules/wireguard/default.nix

@@ -0,0 +1,101 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+  cfg = config.eboskma.services.wireguard.server;
+
+  wireguardPeer = {
+    options = {
+      publicKey = mkOption {
+        description = "The base64 of the public key";
+        type = types.str;
+      };
+
+      persistentKeepalive = mkOption {
+        description = "Keepalive interval in seconds";
+        type = with types; nullOr int;
+      };
+
+      allowedIPs = mkOption {
+        description = "List of IP (v4 or v6) addresses with CIDR mask from which this peer is allowed to send incoming traffic";
+        type = with types; listOf str;
+      };
+    };
+  };
+in
+{
+  options.eboskma.services.wireguard.server = {
+    enable = mkEnableOption "wireguard";
+
+    externalInterface = mkOption {
+      description = "The name of the external interface";
+      type = with types; nullOr str;
+      default = null;
+      example = "enp4s0";
+    };
+
+    internalInterface = mkOption {
+      description = "The name of the internal interface";
+      type = types.str;
+      default = "wg0";
+      example = "wg0";
+    };
+
+    internalIPs = mkOption {
+      description = "The internal IP addresses in CIDR notation";
+      type = with types; listOf str;
+      default = [ ];
+      example = [ "10.0.0.0/24" ];
+    };
+
+    port = mkOption {
+      description = "Wireguard port";
+      type = types.port;
+      default = 51820;
+      example = 51820;
+    };
+
+    privateKeyFile = mkOption {
+      description = "Private key file";
+      type = with types; nullOr str;
+      default = null;
+      example = "/private/wireguard.key";
+    };
+
+    peers = mkOption {
+      description = "Peers connected to the interface";
+      type = with types; listOf (submodule wireguardPeer);
+    };
+  };
+
+  config = mkIf (cfg.enable) {
+    networking = {
+      nat = {
+        enable = true;
+        externalInterface = cfg.externalInterface;
+        internalInterfaces = [ cfg.internalInterface ];
+      };
+
+      firewall.allowedUDPPorts = [ cfg.port ];
+
+      wireguard.interfaces."${cfg.internalInterface}" = {
+        ips = cfg.internalIPs;
+        listenPort = cfg.port;
+        privateKeyFile = cfg.privateKeyFile;
+
+        postSetup = concatMapStringsSep "\n"
+          (range: ''
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${range} -o ${cfg.externalInterface} -j MASQUERADE
+          '')
+          cfg.internalIPs;
+
+        postShutdown = concatMapStringsSep "\n"
+          (range: ''
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${range} -o ${cfg.externalInterface} -j MASQUERADE
+          '')
+          cfg.internalIPs;
+
+        peers = cfg.peers;
+      };
+    };
+  };
+}