-rw-r--r-- | common.nix | 2 | ||||
-rw-r--r-- | hosts/cez/configuration.nix | 1 | ||||
-rw-r--r-- | hosts/cez/modules/wireguard.nix | 22 | ||||
-rw-r--r-- | hosts/cez/secrets.yaml | 22 | ||||
-rw-r--r-- | hosts/kay/modules/network.nix | 5 | ||||
-rw-r--r-- | hosts/kay/modules/router.nix | 2 | ||||
-rw-r--r-- | hosts/kay/modules/wireguard.nix | 54 | ||||
-rw-r--r-- | hosts/kay/secrets.yaml | 5 |
8 files changed, 108 insertions, 5 deletions
@@ -91,7 +91,7 @@ in
 # sops
 sops = {
 defaultSopsFile = ./hosts/${host}/secrets.yaml;
- age.keyFile = "/var/secrets/sops-nix/key.txt";
+ age.keyFile = "/var/secrets/sops-nix/keys.txt";
 };
 # programs
diff --git a/hosts/cez/configuration.nix b/hosts/cez/configuration.nix
index fb991d9..31cde1a 100644
--- a/hosts/cez/configuration.nix
+++ b/hosts/cez/configuration.nix
@@ -8,6 +8,7 @@ in
 ./hardware-configuration.nix
 ./modules/wayland.nix
 ./modules/sshfs.nix
+ ./modules/wireguard.nix
 ../../common.nix
 ];
diff --git a/hosts/cez/modules/wireguard.nix b/hosts/cez/modules/wireguard.nix
new file mode 100644
index 0000000..07ea90c
--- /dev/null
+++ b/hosts/cez/modules/wireguard.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+let
+ domain = config.userdata.domain;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking.wg-quick.interfaces."wg" = {
+ address = [ "10.0.1.2/24" ];
+ dns = [ "10.0.1.1" ];
+ mtu = 1380;
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [{
+ publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw=";
+ allowedIPs = [ "0.0.0.0/0" ];
+ endpoint = "${domain}:51820";
+ persistentKeepalive = 25;
+ }];
+ };
+}
diff --git a/hosts/cez/secrets.yaml b/hosts/cez/secrets.yaml
new file mode 100644
index 0000000..d2a0348
--- /dev/null
+++ b/hosts/cez/secrets.yaml
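Review bot: `allowedIPs = [ "0.0.0.0/0" ];` on the cez peer sends only IPv4 through the tunnel, so if cez has any IPv6 connectivity that traffic leaves outside the tunnel; whether that is intended is not visible here. If a full tunnel is the goal, `allowedIPs = [ "0.0.0.0/0" "::/0" ];` makes wg-quick route IPv6 into the interface too, and with no IPv6 address configured on the kay side that traffic would presumably be dropped rather than bypass the tunnel, which is the safer failure mode for a full-tunnel client. The `mtu = 1380` value repeats the one in hosts/kay/modules/wireguard.nix, where it is explained as `# 1460 (ppp0) - 80`; a pointer such as `mtu = 1380; # must match kay: 1460 (ppp0) - 80` keeps the two from drifting apart.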
@@ -0,0 +1,22 @@
+misc:
+ wireguard: ENC[AES256_GCM,data:4N0ZJd4p+Oik55XMhaEzZKpR66zEZxKfoqSnhYqf3W5BWsuDXGZFRi8xleY=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:0cJq8LFuNdkIiVgMgX/O2w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hngjn65pvc8458z5uxz6qjktp45fp8s8jqxgqklsndkdp0s26gtqdxqazm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnVFkwNkVDTHRlWnFKUkh6
+ NUxNZmMyb0x1dEF5SXFydSs2anMzcTNobXpVCjlQU2NTK1BKbHZGamtTTXhmMldC
+ VUQzY2hjNkZmQU5xeXA0UUZPdDRENUEKLS0tIDBvYlNnYjRuNmo1cFRxMXRmVU4x
+ OHpabE5RaGl6d3F6K04rSGcrRGVMWE0K+1n6tSJYovD1BBuHlR8VRoHq81ZuKlKx
+ S956gXSTXxqCpPjE7K4PXE8lEsPq6Yh6sMxd6TPZ9QnSRibV7gnsGg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-09-11T10:48:49Z"
+ mac: ENC[AES256_GCM,data:/Pb5W9E6nwkOmF3bJfYIVnXDY5BKwuSs7sjJPit2N97oBHJQg6aJcarJRmC9RKtmI+owe+9Sd6GQ8ZDJKemkppdnFhtgYhcNNe2O9p4C/Yv27zfKDd7dTgoL9g759KJOqDrOyoMVZtDDB7wizI4BY9L3YiUm/dplUbDDlrvBtYs=,iv:Ihw0f6lxz7sPjeq0KX4DfAKov2ofs49vLRb392aUtPo=,tag:JXYHHZcNsb28wTUtm4uaVQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/hosts/kay/modules/network.nix b/hosts/kay/modules/network.nix
index 9ef8ee6..12788c6 100644
--- a/hosts/kay/modules/network.nix
+++ b/hosts/kay/modules/network.nix
@@ -7,7 +7,10 @@ let
 nameServer = "1.0.0.1";
 in
 {
- imports = [ ./router.nix ];
+ imports = [
+ ./wireguard.nix
+ ./router.nix
+ ];
 sops.secrets = {
 "ppp/chap-secrets" = {};
diff --git a/hosts/kay/modules/router.nix b/hosts/kay/modules/router.nix
index c33fff2..e390ded 100644
--- a/hosts/kay/modules/router.nix
+++ b/hosts/kay/modules/router.nix
@@ -37,6 +37,6 @@ in
 services.dnsmasq.settings = {
 dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
- interface = lanInterface;
+ interface = [ lanInterface ];
 };
 }
diff --git a/hosts/kay/modules/wireguard.nix b/hosts/kay/modules/wireguard.nix
new file mode 100644
index 0000000..4839280
--- /dev/null
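Review bot: The change to the list form at `interface = [ lanInterface ];` in hosts/kay/modules/router.nix is only explained by hosts/kay/modules/wireguard.nix in the same commit, which sets `interface = [ wgInterface ];` on the same dnsmasq option, presumably so the module system can merge the two lists. A one-line comment on the router side would save the next reader that search: `interface = [ lanInterface ]; # list form so wireguard.nix can add its own interface`.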
+++ b/hosts/kay/modules/wireguard.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ wgInterface = "wg";
+ wanInterface = "ppp0";
+ subnet = "10.0.1.0";
+ prefix = 24;
+ port = 51820;
+in
+{
+ sops.secrets."misc/wireguard" = {};
+
+ networking = {
+ nat.enable = true;
+ firewall = {
+ allowedUDPPorts = [ port ];
+ extraCommands = ''
+ # nat datagrams comming through lanInterface to wanInterface
+ iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE
+
+ # allow all traffic on lanInterface interface
+ iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT
+
+ # forward rules
+ iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -j ACCEPT
+ iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
+ '';
+ };
+
+ wireguard.interfaces.${wgInterface} = {
+ ips = [ "10.0.1.1/${toString prefix}" ];
+ listenPort = port;
+ mtu = 1380; # 1460 (ppp0) - 80
+ privateKeyFile = config.sops.secrets."misc/wireguard".path;
+
+ peers = [
+ { # cez
+ publicKey = "IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=";
+ allowedIPs = [ "10.0.1.2/32" ];
+ }
+ { # veu
+ publicKey = "bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=";
+ allowedIPs = [ "10.0.1.3/32" ];
+ }
+ ];
+ };
+ };
+
+ services.dnsmasq.settings = {
+ no-dhcp-interface = wgInterface;
+ interface = [ wgInterface ];
+ };
+}
diff --git a/hosts/kay/secrets.yaml b/hosts/kay/secrets.yaml
index 98d18a9..6a6c81d 100644
--- a/hosts/kay/secrets.yaml
+++ b/hosts/kay/secrets.yaml
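Review bot: The `iptables -I … 1` rules in `extraCommands` are never deleted, so each firewall restart or reload inserts another copy of every rule into the built-in chains; NixOS expects the matching `-D` lines in `networking.firewall.extraStopCommands`. The `-i ${wanInterface} -o ${wgInterface}` FORWARD rule also accepts any packet arriving on ppp0 toward the VPN subnet, not just replies to connections the peers opened; restricting it with `-m conntrack --ctstate RELATED,ESTABLISHED` keeps the MASQUERADE return path working while not forwarding unsolicited traffic into 10.0.1.0/24. The comments above the first two rules refer to lanInterface, which is not a binding in this file (the rules use wgInterface), and "comming" is misspelled. `nat.enable = true` is set without externalInterface or internalInterfaces, so it presumably only serves to turn on IP forwarding; a comment saying so would spare the next reader a guess. The rewrite below covers the firewall attribute set only.
```nix
  networking = {
    # … unchanged: nat.enable …
    firewall = {
      allowedUDPPorts = [ port ];
      extraCommands = ''
        # masquerade VPN-subnet traffic leaving through the WAN link
        iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE

        # accept traffic addressed to this host from the VPN interface
        iptables -I INPUT 1 -i ${wgInterface} -j ACCEPT

        # forward: peer-to-peer, VPN -> WAN, and only established replies WAN -> VPN
        iptables -I FORWARD 1 -i ${wgInterface} -o ${wgInterface} -j ACCEPT
        iptables -I FORWARD 1 -i ${wgInterface} -o ${wanInterface} -j ACCEPT
        iptables -I FORWARD 1 -i ${wanInterface} -o ${wgInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      '';
      # remove exactly what extraCommands inserted so reloads do not stack copies
      extraStopCommands = ''
        iptables -t nat -D POSTROUTING -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE 2>/dev/null || true
        iptables -D INPUT -i ${wgInterface} -j ACCEPT 2>/dev/null || true
        iptables -D FORWARD -i ${wgInterface} -o ${wgInterface} -j ACCEPT 2>/dev/null || true
        iptables -D FORWARD -i ${wgInterface} -o ${wanInterface} -j ACCEPT 2>/dev/null || true
        iptables -D FORWARD -i ${wanInterface} -o ${wgInterface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
      '';
    };
    # … unchanged: wireguard.interfaces …
  };
```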
@@ -4,6 +4,7 @@ ppp:
 username: ENC[AES256_GCM,data:Xa6wBxpAtaKwsbEeudVvkpsX6CPG8E3Aku1zTi0o6Kdy9Q==,iv:yTRruKpMda4N2J3Z8MEesrFxqV4g1usbYoxTeKlWf4M=,tag:gTsn7HzgE3tHTIo2MVN12g==,type:str]
 misc:
 namecheap.com: ENC[AES256_GCM,data:8sN1/APumZDclTAeYEy4nidGbvooDK6Us0yOZBbG4oU=,iv:WGof33ezbBpFmnWTWS9gzDayJpz2BVMTPsShYY+nuXY=,tag:ky/ucGEHWBtWwGcwK+1nhw==,type:str]
+ wireguard: ENC[AES256_GCM,data:4GIb92p8VE/TUqLc7AztSKRc6soS7n+O/i4v1ltSqZkU8cEPyZMNRpIvXRQ=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:wr1YJbcG1L5wI01rCwv1zQ==,type:str]
 matrix-sinanmohd.com: ENC[AES256_GCM,data:iU1RGvv275iZpP5L8T2BPCqDIPlGUXdx7Hcct8T7kK2eYH5mGHN1o16azEJKuVKJfrZ86Lt5bDCBu9i7IcF0yXqlf6tqdjeoQdhhZXvC7f7zXNiypiRc5LFh0Ks7mXQxNhxPUQ6HRxKmLC+15H9FAn69fK7NOIh9ZG8QBKAXRrtosyTYnSPdPQ==,iv:0vPDl1YvSseIj2VVlX5jrvd1BwGuBXP3pgaHponE5ZU=,tag:eon485eelXfCKjhKat5fzw==,type:str]
 sops:
 kms: []
@@ -20,8 +21,8 @@ sops:
 bUY4eisvWDIxdWplQjlod0hIcjVGNlUKYkA9hUTHuWgST3UUr7ACtmgC9s5SGEAp
 ker5KUGGi1fHgGlsPKHmnJSvikkVFlOVAhVa8R6X02l8FJf0lcjOYA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-09T06:14:23Z"
- mac: ENC[AES256_GCM,data:wMUs5AknuaVcyYoWAVr9OZoLrJ4oHRJTHbgV8ptQg7mLrqW0WCzQ5WtubUVgvzIpm1BkRIXHfzAaUxJvcZFRk8NxCKp9ElA3DxdkbUXayYV+HkdcrvygsB1BzYaDXzV1SwLfH2ROSKTu6iWJWf6p1oM96mA5ur6DgKiXhdgnjGg=,iv:SfWrSP2+fcPzXgINCoRcH2ljkNTEJWLHQUjG25+Z+mc=,tag:U5A44EiyZHf/vV8ThEs8qQ==,type:str]
+ lastmodified: "2023-09-11T09:19:36Z"
+ mac: ENC[AES256_GCM,data:AD8zSHtdhNiRxas3N5EDnkdW2G5Eo3dChX99B2w6zPN5MhspS6CMY03whQkRkvPiWOxfMNE321lqlPvPgsqsfcyKeZuGWj902K1DFpz4YlrfqKZfmCk8xzd8OEMOAflpHGQ8lt0oSg96k/yXZ3bee/AEdpgeHmhOTzWTkaXGIOk=,iv:j4WhRUjOmOA3/AiIsOgjiRvm7GTT4Xi8MrLQloZAv24=,tag:u+Jp4GF42u3wm+6gMiP+eQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3 |