authorsinanmohd <sinan@sinanmohd.com>2023-09-17 13:59:03 +0530
committersinanmohd <sinan@sinanmohd.com>2023-09-17 15:22:50 +0530
commitbf8a48eae55bec89f06508136d65ee98ceace558 (patch)
tree954ef88efe5c3acd2163fbfc2c0c55e73b82188b
parentfabfc1b30919e58c1409da72b6f95b36110a575e (diff)
networking/wireguard: init
-rw-r--r--common.nix2
-rw-r--r--hosts/cez/configuration.nix1
-rw-r--r--hosts/cez/modules/wireguard.nix22
-rw-r--r--hosts/cez/secrets.yaml22
-rw-r--r--hosts/kay/modules/network.nix5
-rw-r--r--hosts/kay/modules/router.nix2
-rw-r--r--hosts/kay/modules/wireguard.nix54
-rw-r--r--hosts/kay/secrets.yaml5
8 files changed, 108 insertions, 5 deletions
diff --git a/common.nix b/common.nix
index 1da5402..8421fb9 100644
--- a/common.nix
+++ b/common.nix
@@ -91,7 +91,7 @@ in
# sops
sops = {
defaultSopsFile = ./hosts/${host}/secrets.yaml;
- age.keyFile = "/var/secrets/sops-nix/key.txt";
+ age.keyFile = "/var/secrets/sops-nix/keys.txt";
};
# programs
diff --git a/hosts/cez/configuration.nix b/hosts/cez/configuration.nix
index fb991d9..31cde1a 100644
--- a/hosts/cez/configuration.nix
+++ b/hosts/cez/configuration.nix
@@ -8,6 +8,7 @@ in
./hardware-configuration.nix
./modules/wayland.nix
./modules/sshfs.nix
+ ./modules/wireguard.nix
../../common.nix
];
diff --git a/hosts/cez/modules/wireguard.nix b/hosts/cez/modules/wireguard.nix
new file mode 100644
index 0000000..07ea90c
--- /dev/null
+++ b/hosts/cez/modules/wireguard.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+let
+ domain = config.userdata.domain;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking.wg-quick.interfaces."wg" = {
+ address = [ "10.0.1.2/24" ];
+ dns = [ "10.0.1.1" ];
+ mtu = 1380;
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [{
+ publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw=";
+ allowedIPs = [ "0.0.0.0/0" ];
+ endpoint = "${domain}:51820";
+ persistentKeepalive = 25;
+ }];
+ };
+}
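Review bot: `allowedIPs = [ "0.0.0.0/0" ]` on line 66 sends only IPv4 through the tunnel, so if cez has native IPv6 connectivity that traffic leaves the host outside the tunnel while the configuration reads as a full-tunnel VPN. Either add `"::/0"` to allowedIPs together with an IPv6 address on both ends, or document the limitation next to it, e.g. `allowedIPs = [ "0.0.0.0/0" ]; # IPv4 only: IPv6 is not carried by this tunnel`. `config.userdata.domain` is not defined anywhere in this commit, so I assume an existing module provides it; note that wg-quick resolves `${domain}` once when the interface comes up, so a changed DNS record needs an interface restart to take effect.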
diff --git a/hosts/cez/secrets.yaml b/hosts/cez/secrets.yaml
new file mode 100644
index 0000000..d2a0348
--- /dev/null
+++ b/hosts/cez/secrets.yaml
@@ -0,0 +1,22 @@
+misc:
+ wireguard: ENC[AES256_GCM,data:4N0ZJd4p+Oik55XMhaEzZKpR66zEZxKfoqSnhYqf3W5BWsuDXGZFRi8xleY=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:0cJq8LFuNdkIiVgMgX/O2w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hngjn65pvc8458z5uxz6qjktp45fp8s8jqxgqklsndkdp0s26gtqdxqazm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVFkwNkVDTHRlWnFKUkh6
+ NUxNZmMyb0x1dEF5SXFydSs2anMzcTNobXpVCjlQU2NTK1BKbHZGamtTTXhmMldC
+ VUQzY2hjNkZmQU5xeXA0UUZPdDRENUEKLS0tIDBvYlNnYjRuNmo1cFRxMXRmVU4x
+ OHpabE5RaGl6d3F6K04rSGcrRGVMWE0K+1n6tSJYovD1BBuHlR8VRoHq81ZuKlKx
+ S956gXSTXxqCpPjE7K4PXE8lEsPq6Yh6sMxd6TPZ9QnSRibV7gnsGg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-09-11T10:48:49Z"
+ mac: ENC[AES256_GCM,data:/Pb5W9E6nwkOmF3bJfYIVnXDY5BKwuSs7sjJPit2N97oBHJQg6aJcarJRmC9RKtmI+owe+9Sd6GQ8ZDJKemkppdnFhtgYhcNNe2O9p4C/Yv27zfKDd7dTgoL9g759KJOqDrOyoMVZtDDB7wizI4BY9L3YiUm/dplUbDDlrvBtYs=,iv:Ihw0f6lxz7sPjeq0KX4DfAKov2ofs49vLRb392aUtPo=,tag:JXYHHZcNsb28wTUtm4uaVQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
index 9ef8ee6..12788c6 100644
--- a/hosts/kay/modules/network.nix
+++ b/hosts/kay/modules/network.nix
@@ -7,7 +7,10 @@ let
nameServer = "1.0.0.1";
in
{
- imports = [ ./router.nix ];
+ imports = [
+ ./wireguard.nix
+ ./router.nix
+ ];
sops.secrets = {
"ppp/chap-secrets" = {};
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
index c33fff2..e390ded 100644
--- a/hosts/kay/modules/router.nix
+++ b/hosts/kay/modules/router.nix
@@ -37,6 +37,6 @@ in
services.dnsmasq.settings = {
dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
- interface = lanInterface;
+ interface = [ lanInterface ];
};
}
diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix
new file mode 100644
index 0000000..4839280
--- /dev/null
+++ b/hosts/kay/modules/wireguard.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ wgInterface = "wg";
+ wanInterface = "ppp0";
+ subnet = "10.0.1.0";
+ prefix = 24;
+ port = 51820;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking = {
+ nat.enable = true;
+ firewall = {
+ allowedUDPPorts = [ port ];
+ extraCommands = ''
+ # nat datagrams comming through lanInterface to wanInterface
+ iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+ # allow all traffic on lanInterface interface
+ iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT
+
+ # forward rules
+ iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
+ '';
+ };
+
+ wireguard.interfaces.${wgInterface} = {
+ ips = [ "10.0.1.1/${toString prefix}" ];
+ listenPort = port;
+ mtu = 1380; # 1460 (ppp0) - 80
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [
+ { # cez
+ publicKey = "IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=";
+ allowedIPs = [ "10.0.1.2/32" ];
+ }
+ { # veu
+ publicKey = "bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=";
+ allowedIPs = [ "10.0.1.3/32" ];
+ }
+ ];
+ };
+ };
+
+ services.dnsmasq.settings = {
+ no-dhcp-interface = wgInterface;
+ interface = [ wgInterface ];
+ };
+}
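Review bot: The forward rule `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT` on line 157 accepts any packet arriving on ppp0 that is routable to the WireGuard subnet, not just replies to connections the peers opened; it should be limited to return traffic, e.g. `iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. The comments on lines 149 and 152 mention `lanInterface`, which this file never uses — they look carried over from router.nix and should describe `${subnet}` and `${wgInterface}` instead (and "comming" should be "coming"). These rules are inserted with `-I ... 1` from extraCommands and nothing in this diff removes them, so they appear likely to accumulate across firewall reloads unless something outside this commit cleans them up; adding matching `iptables -D` lines in `networking.firewall.extraStopCommands`, or expressing the masquerade through `networking.nat.externalInterface`/`internalInterfaces` rather than a hand-written POSTROUTING rule, would avoid that.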
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
index 98d18a9..6a6c81d 100644
--- a/hosts/kay/secrets.yaml
+++ b/hosts/kay/secrets.yaml
@@ -4,6 +4,7 @@ ppp:
username: ENC[AES256_GCM,data:Xa6wBxpAtaKwsbEeudVvkpsX6CPG8E3Aku1zTi0o6Kdy9Q==,iv:yTRruKpMda4N2J3Z8MEesrFxqV4g1usbYoxTeKlWf4M=,tag:gTsn7HzgE3tHTIo2MVN12g==,type:str]
misc:
namecheap.com: ENC[AES256_GCM,data:8sN1/APumZDclTAeYEy4nidGbvooDK6Us0yOZBbG4oU=,iv:WGof33ezbBpFmnWTWS9gzDayJpz2BVMTPsShYY+nuXY=,tag:ky/ucGEHWBtWwGcwK+1nhw==,type:str]
+ wireguard: ENC[AES256_GCM,data:4GIb92p8VE/TUqLc7AztSKRc6soS7n+O/i4v1ltSqZkU8cEPyZMNRpIvXRQ=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:wr1YJbcG1L5wI01rCwv1zQ==,type:str]
matrix-sinanmohd.com: ENC[AES256_GCM,data:iU1RGvv275iZpP5L8T2BPCqDIPlGUXdx7Hcct8T7kK2eYH5mGHN1o16azEJKuVKJfrZ86Lt5bDCBu9i7IcF0yXqlf6tqdjeoQdhhZXvC7f7zXNiypiRc5LFh0Ks7mXQxNhxPUQ6HRxKmLC+15H9FAn69fK7NOIh9ZG8QBKAXRrtosyTYnSPdPQ==,iv:0vPDl1YvSseIj2VVlX5jrvd1BwGuBXP3pgaHponE5ZU=,tag:eon485eelXfCKjhKat5fzw==,type:str]
sops:
kms: []
@@ -20,8 +21,8 @@ sops:
bUY4eisvWDIxdWplQjlod0hIcjVGNlUKYkA9hUTHuWgST3UUr7ACtmgC9s5SGEAp
ker5KUGGi1fHgGlsPKHmnJSvikkVFlOVAhVa8R6X02l8FJf0lcjOYA==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-09T06:14:23Z"
- mac: ENC[AES256_GCM,data:wMUs5AknuaVcyYoWAVr9OZoLrJ4oHRJTHbgV8ptQg7mLrqW0WCzQ5WtubUVgvzIpm1BkRIXHfzAaUxJvcZFRk8NxCKp9ElA3DxdkbUXayYV+HkdcrvygsB1BzYaDXzV1SwLfH2ROSKTu6iWJWf6p1oM96mA5ur6DgKiXhdgnjGg=,iv:SfWrSP2+fcPzXgINCoRcH2ljkNTEJWLHQUjG25+Z+mc=,tag:U5A44EiyZHf/vV8ThEs8qQ==,type:str]
+ lastmodified: "2023-09-11T09:19:36Z"
+ mac: ENC[AES256_GCM,data:AD8zSHtdhNiRxas3N5EDnkdW2G5Eo3dChX99B2w6zPN5MhspS6CMY03whQkRkvPiWOxfMNE321lqlPvPgsqsfcyKeZuGWj902K1DFpz4YlrfqKZfmCk8xzd8OEMOAflpHGQ8lt0oSg96k/yXZ3bee/AEdpgeHmhOTzWTkaXGIOk=,iv:j4WhRUjOmOA3/AiIsOgjiRvm7GTT4Xi8MrLQloZAv24=,tag:u+Jp4GF42u3wm+6gMiP+eQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3