From 43632a9f50bdaeb81381f821cfa287a8eb593a1c Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Mon, 20 Sep 2021 14:45:07 +0000
Subject: [PATCH] wireguard: init module
---
hosts/apricot/default.nix | 1 +
hosts/fondue/default.nix | 1 +
hosts/winter/default.nix | 1 +
modules/system/wireguard.nix | 63 ++++++++++++++++++++++++++++++++++++
secrets.nix | 4 +++
secrets/wg_apricot.age | 12 +++++++
secrets/wg_fondue.age | 12 +++++++
secrets/wg_winter.age | 9 ++++++
8 files changed, 103 insertions(+)
create mode 100644 modules/system/wireguard.nix
create mode 100644 secrets/wg_apricot.age
create mode 100644 secrets/wg_fondue.age
create mode 100644 secrets/wg_winter.age
diff --git a/hosts/apricot/default.nix b/hosts/apricot/default.nix
index e99741c..ca3e6fd 100644
--- a/hosts/apricot/default.nix
+++ b/hosts/apricot/default.nix
@@ -15,6 +15,7 @@
 packages
 security
 snapper
+ wireguard
 ./filesystem.nix
 ./kernel.nix
diff --git a/hosts/fondue/default.nix b/hosts/fondue/default.nix
index 7d42262..a31c79b 100644
--- a/hosts/fondue/default.nix
+++ b/hosts/fondue/default.nix
@@ -12,6 +12,7 @@
 packages
 security
 snapper
+ wireguard
 ./filesystem.nix
 ./firewall.nix
diff --git a/hosts/winter/default.nix b/hosts/winter/default.nix
index 3db4582..f3c2928 100644
--- a/hosts/winter/default.nix
+++ b/hosts/winter/default.nix
@@ -17,6 +17,7 @@
 packages
 security
 snapper
+ wireguard
 ./filesystem.nix
 ./kernel.nix
diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix
new file mode 100644
index 0000000..ecce0c8
--- /dev/null
+++ b/modules/system/wireguard.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+let
+ serverName = "fondue";
+ serverInterface = "enp2s1";
+
+ clients = {
+ apricot = {
+ publicKey = "CpQJxoDeWJr7DdhbIO09svCxP7tuG2vUwRM8U4io5ms=";
+ allowedIPs = [ "10.100.0.2/32" ];
+ };
+ winter = {
+ publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
+ allowedIPs = [ "10.100.0.3/32" ];
+ };
+ };
+
+ clientPeers = builtins.attrValues clients;
+ serverPeer = {
+ publicKey = "GwUO/hU/CrrmfYazqrXuAiP4kFB3ZoaMXf13N12X2SY=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "fondue.lava.moe:20100";
+ persistentKeepalive = 25;
+ };
+
+ serverConfig = {
+ nat = {
+ enable = true;
+ externalInterface = serverInterface;
+ internalInterfaces = [ "wg0" ];
+ };
+
+ wireguard.interfaces.wg0 = {
+ ips = [ "10.100.0.1/24" ];
+ listenPort = 20100;
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
+ '';
+
+ privateKeyFile = config.age.secrets."wg_${serverName}".path;
+ peers = clientPeers;
+ };
+ };
+
+ clientConfig = {
+ wireguard.interfaces.wg0 = {
+ ips = clients."${config.networking.hostName}".allowedIPs;
+ listenPort = 20100;
+
+ privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
+ peers = [ serverPeer ];
+ };
+ };
+in {
+ networking =
+ lib.mkMerge [
+ (lib.mkIf (config.networking.hostName == serverName) serverConfig)
+ (lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
+ ];
+}
diff --git a/secrets.nix b/secrets.nix
index cfa0b78..20ff733 100644
--- a/secrets.nix
+++ b/secrets.nix
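Review bot: serverConfig sets `listenPort = 20100` and enables NAT, but nothing in this hunk opens UDP 20100 on the server's firewall, so unless fondue's firewall.nix (outside this diff) already allows it, the spokes' handshakes will be dropped; add `networking.firewall.allowedUDPPorts = [ 20100 ];` next to `nat` in serverConfig. The hand-written MASQUERADE rule in postSetup/postShutdown also looks redundant with `networking.nat` (internalInterfaces = [ "wg0" ], externalInterface = serverInterface), which, if I read the NixOS nat module right, already masquerades that traffic out of the external interface; keeping a single mechanism avoids duplicate POSTROUTING rules accumulating when wg0 is restarted without postShutdown running. The module has no comment describing the topology; a header such as `# fondue is the WireGuard hub (10.100.0.1/24); apricot and winter are spokes with one /32 each and route only 10.100.0.0/24 through it` would help the next reader. wireguard.nix is complete within this hunk.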
@@ -9,4 +9,8 @@ let
 in {
 "secrets/passwd.age".publicKeys = [ apricot fondue winter rin-apricot rin-fondue rin-winter ];
 "secrets/wpa_conf.age".publicKeys = [ apricot winter rin-apricot rin-winter ];
+
+ "secrets/wg_apricot.age".publicKeys = [ apricot rin-apricot rin-winter ];
+ "secrets/wg_fondue.age".publicKeys = [ fondue rin-fondue rin-winter ];
+ "secrets/wg_winter.age".publicKeys = [ winter rin-winter ];
 }
diff --git a/secrets/wg_apricot.age b/secrets/wg_apricot.age
new file mode 100644
index 0000000..202f38d
--- /dev/null
+++ b/secrets/wg_apricot.age
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 U9FXlg YbiJfSTq1/k1WYQCtN/S5kEQZxXzJD0vK8wY7LzDy30 +bjKK+gKkrs6+wXj3SM21S/t6PJNpOfi8/f2FzoxuSes +-> ssh-ed25519 pumkzw V6sDMLLmFVJfczK9+KqD4yuwoT/uIWYZuYo/8mNBiiA +Jmf+H4gFJjx5/6FPFR5+2XJNmOf8X1mZ7h5UTojTWS0 +-> ssh-ed25519 l9dSQg ubkdn+xI446eViRqmPXj9TSyKfUp1aefb7IIB30ftHc +XjmIQgGxNTA48Aswen93VK9WjAfqfMAU1EBDTMwr6+M +-> $O-grease o1.b\ ssh-ed25519 U9FXlg 3/QnM8zAovLFAWtuBhFgR/dkqF1XkXpc/0aC7YM/l3s +/bRy+x1ARoUO/jLdSwAfTvwkuE6rLoY6ar7S1S8QcE4 +-> ssh-ed25519 W08TTA FLhhvGFWIm6JlYpDAHV39Io7hnj86f8Bm6S5OmhTwVs +f6O+ZTHvvpT+iq7HTw3JfOEk+4CHCc3gaGC7UbHRecU +-> ssh-ed25519 1f0c9Q 5tWjB31aCfV865BgJjrYulhQf4NOXTph3vUoPyovCSY +3BKpoGQxv2WfwJEzMxhuls+OtttGadlbjDAmrMxWnHQ +-> ^-grease U1#S>aw Q!xFss +BEHdYGI8rrokXkOAYmBRn3shh1Hp7k3eW+UQ+pgETav4Ew +--- oIeMw9AThaYLfWbJCU+LKHt6yqUZCXGji2gyYRYu2tQ +Lx=z:Z +yi`k ugXWʵ$caR :)X}J^HkXre \ No newline at end of file
diff --git a/secrets/wg_winter.age b/secrets/wg_winter.age
new file mode 100644
index 0000000..ec7b9d0
--- /dev/null
+++ b/secrets/wg_winter.age
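Review bot: Each WireGuard private key is encrypted to `rin-winter` in addition to its owning host (`wg_apricot` → apricot, rin-apricot, rin-winter; `wg_fondue` → fondue, rin-fondue, rin-winter), so that one user key can decrypt the identity of every peer in the tunnel, which is wider than the per-host runtime need. If rin-winter is the key used to edit secrets this is presumably deliberate, but the intent is not recorded anywhere; a comment above the new entries such as `# rin-winter is the editing key; each host only needs its own wg_<host> key at runtime` would make the recipient lists reviewable. Note also that `secrets/wg_fondue.age` appears in the diffstat but its hunk is not present in this patch as shown, so its contents could not be checked here.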
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 U9FXlg FMswMl915t4poFFGb2xPz4g/blQtdH9FagTte61d/R8 +AXHuHH4ShWsMgub48/qbsq/NeK/viI/bCSS1++pomGU +-> ssh-ed25519 CUCjXQ XdF7iwyHqvjdM/nzsqwqaSHMyyA5PfKk/v3CrzkcyE4 +tcQI27NojK1cOwWBmcKXIj35ZAXHzVkxrnmUjVlB/Jc +-> +gVY-grease ?w,;$2a 8ID6J] 0-9@5Bwt DRDl) +PQ +--- Jx/j4/ICbGtU8KY6fwOcC4XcHl9bSR2cUuicod/oV0o +z7 .AO? ֺw#aߔ e4+L'C1P3D{[>/Gí_[ WJ \ No newline at end of file