Diffstat (limited to 'os/kay/modules')
-rw-r--r--os/kay/modules/network/default.nix1
-rw-r--r--os/kay/modules/network/headscale.nix15
-rw-r--r--os/kay/modules/network/wireguard.nix71
-rw-r--r--os/kay/modules/observability/prometheus.nix3
4 files changed, 12 insertions, 78 deletions
diff --git a/os/kay/modules/network/default.nix b/os/kay/modules/network/default.nix
index 56371c7..019ee24 100644
--- a/os/kay/modules/network/default.nix
+++ b/os/kay/modules/network/default.nix
@@ -12,7 +12,6 @@ in
imports = [
./router.nix
./hurricane.nix
- ./wireguard.nix
./headscale.nix
];
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
index 14fcee3..39007a4 100644
--- a/os/kay/modules/network/headscale.nix
+++ b/os/kay/modules/network/headscale.nix
@@ -54,6 +54,11 @@ let
acls = [
{
action = "accept";
+ src = [ "*" ];
+ dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ }
+ {
+ action = "accept";
src = [ "headplane@" ];
dst = [ "*:*" ];
}
@@ -63,17 +68,21 @@ let
src = [ "group:owner" ];
dst = [ "*:*" ];
}
+ {
+ action = "accept";
+ src = [ "nazer@" ];
+ dst = [ "autogroup:internet:*" ];
+ }
{
action = "accept";
src = [ "group:bud" ];
dst = [ "tag:bud_clients:*" ];
}
-
{
action = "accept";
- src = [ "*" ];
- dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ src = [ "tag:bud_clients" ];
+ dst = [ "tag:bud_clients:80,443" ];
}
];
};
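Review bot: The two ACL entries added in this hunk carry no comment recording their intent — `src = [ "nazer@" ]` to `autogroup:internet:*` grants one user internet egress through exit nodes, and `src = [ "tag:bud_clients" ]` to `tag:bud_clients:80,443` opens HTTP/HTTPS between peers that share the tag — and nothing around them explains why either is needed. A one-line `#` comment above each entry, e.g. `# nazer may use exit nodes for internet access` and `# bud clients may reach each other's web ports`, would keep the next edit from widening these grants by accident. The tag-to-tag entry replaces the `"*"` → `tag:namescale:<port>` rule that the first hunk moves to the top of the list; it appears to be additive to the `group:bud` → `tag:bud_clients:*` grant rather than a narrowing of it, which is worth confirming since the commit message is not visible here. The acls list opens before this hunk.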
diff --git a/os/kay/modules/network/wireguard.nix b/os/kay/modules/network/wireguard.nix
deleted file mode 100644
index fd00804..0000000
--- a/os/kay/modules/network/wireguard.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-let
- wgInterface = "wg";
- wanInterface = "ppp0";
- port = 51820;
-
- wgConf = pkgs.writeText "wg.conf" ''
- [interface]
- Address = 10.0.1.1/24
- MTU = 1412
- ListenPort = 51820
- PostUp = ${
- lib.getExe (
- pkgs.writeShellApplication {
- name = "wg_set_key";
- runtimeInputs = with pkgs; [ wireguard-tools ];
- text = ''
- wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path})
- '';
- }
- )
- }
-
- [Peer]
- # friendly_name = cez
- PublicKey = IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=
- AllowedIPs = 10.0.1.2/32
-
- [Peer]
- # friendly_name = exy
- PublicKey = bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=
- AllowedIPs = 10.0.1.3/32
-
- [Peer]
- # friendly_name = dad
- PublicKey = q70IyOS2IpubIRWqo5sL3SeEjtUy2V/PT8yqVExiHTQ=
- AllowedIPs = 10.0.1.4/32
- '';
-in
-{
- sops.secrets."misc/wireguard" = { };
-
- networking = {
- nat = {
- enable = true;
- externalInterface = wanInterface;
- internalInterfaces = [ wgInterface ];
- };
-
- firewall.allowedUDPPorts = [ port ];
- wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf;
- };
-
- services.dnsmasq.settings = {
- no-dhcp-interface = wgInterface;
- interface = [ wgInterface ];
- };
-
- services.prometheus.exporters.wireguard = {
- enable = true;
- withRemoteIp = true;
- wireguardConfig = builtins.toString wgConf;
- singleSubnetPerField = true;
- listenAddress = "127.0.0.1";
- };
-}
diff --git a/os/kay/modules/observability/prometheus.nix b/os/kay/modules/observability/prometheus.nix
index 1810f9e..9ca73da 100644
--- a/os/kay/modules/observability/prometheus.nix
+++ b/os/kay/modules/observability/prometheus.nix
@@ -13,9 +13,6 @@
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
}
{
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ];
- }
- {
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ];
}
{