diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 5f13e44..4268910 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -16,6 +16,7 @@ nix-stable packages security + wireguard modules.services.nginx modules.services.postgres diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix index 2684d65..9e5ef15 100644 --- a/modules/system/wireguard.nix +++ b/modules/system/wireguard.nix @@ -1,14 +1,12 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, gcSecrets, ... }: let port = 51820; - serverName = "sugarcane"; - serverInterface = "ens3"; - serverIp = "51.79.240.130"; + serverName = "dandelion"; + serverInterface = "enp0s6"; + serverIp = gcSecrets.wireguard.gateway; forwarding = { - "80" = [ "10.100.0.2" "80" ]; - "443" = [ "10.100.0.2" "443" ]; - "22727" = [ "10.100.0.3" "7777" ]; +# "22727" = [ "10.100.0.3" "7777" ]; }; mapForwards = type: 
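Review bot: `serverIp = gcSecrets.wireguard.gateway;` is still interpolated unchanged into `endpoint = "${serverIp}:${toString port}"` further down, so the secret has to hold a bare IPv4 address or hostname; an IPv6 literal would need the `[addr]:port` form, which this code does not produce. The commented-out `# "22727" = [ "10.100.0.3" "7777" ];` line is left at column 0 inside the indented `forwarding` set; either drop it or indent it like its siblings, since the set is now empty and `mapForwards` generates nothing for it. `gcSecrets` is a new module argument and must be supplied by the flake (specialArgs or equivalent), which this diff does not show. The `let` block opened here continues past the end of the hunk.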
@@ -24,45 +22,39 @@ let ); routeBypass = { - caramel = { - gateway = "192.168.100.1"; - interface = "wlan0"; - routes = [ - serverIp - ]; + anemone = { + interface = "wlp1s0"; + routes = [ serverIp ]; }; hyacinth = { - gateway = "192.168.100.1"; interface = "enp5s0"; - routes = [ - serverIp - ]; + routes = [ serverIp ]; }; }; clients = { - caramel = { - publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA="; - allowedIPs = [ "10.100.0.2/32" ]; - }; + # caramel = { + # publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA="; + # allowedIPs = [ "10.100.0.2/32" ]; + # }; hyacinth = { publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo="; - allowedIPs = [ "10.100.0.3/32" ]; + allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3"]; }; - strawberry = { + anemone = { publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg="; - allowedIPs = [ "10.100.0.4/32" ]; + allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" ]; }; - maple = { - publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do="; - allowedIPs = [ "10.100.0.5/32" ]; + hibiscus = { + publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw="; + allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" ]; }; }; clientPeers = builtins.attrValues clients; serverPeer = { publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0="; - allowedIPs = [ "0.0.0.0/0" ]; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; endpoint = "${serverIp}:${toString port}"; persistentKeepalive = 25; }; @@ -79,7 +71,7 @@ let }; wireguard.interfaces.wg0 = { - ips = [ "10.100.0.1/24" ]; + ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" ]; listenPort = port; postSetup = '' 
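Review bot: `allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3"];` is missing the space before `]` that the `anemone` and `hibiscus` entries have; write it as `allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" ];`. The server's `ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" ]` gives the IPv6 address no prefix length, so it is assigned as a /128 while the IPv4 side is a /24; if the v6 subnet is meant to be on-link the same way, it presumably wants `…:1/64`, otherwise the asymmetry deserves a comment. Adding `"::/0"` to `serverPeer.allowedIPs` sends every client's IPv6 traffic into the tunnel, and nothing in this hunk shows the server masquerading or routing that subnet; `postSetup` is outside the hunk, so confirm it handles the v6 path as it does v4. The `caramel` client is commented out rather than removed while its secret entry is kept, which reads like a half-finished removal.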
@@ -101,7 +93,7 @@ let let client = clients."${config.networking.hostName}"; routes = routeBypass."${config.networking.hostName}"; - mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes; + mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} dev ${routes.interface}") routes.routes; in { ips = client.allowedIPs; listenPort = port; @@ -121,6 +113,10 @@ let }; }; in { + boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({ + "net.ipv6.conf.all.forwarding" = true; + "net.ipv6.conf.default.forwarding" = true; + }); networking = lib.mkMerge [ (lib.mkIf (config.networking.hostName == serverName) serverConfig) diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json index f3f2e36..ea6ffec 100644 Binary files a/secrets.gcrypt/shared.json and b/secrets.gcrypt/shared.json differ diff --git a/secrets.nix b/secrets.nix index 8f55589..e24da84 100644 --- a/secrets.nix +++ b/secrets.nix @@ -11,7 +11,8 @@ in { "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ]; "secrets/warden_admin.age".publicKeys = [ rin ]; - "secrets/wg_blossom.age".publicKeys = [ blossom rin ]; + "secrets/wg_anemone.age".publicKeys = [ anemone rin ]; + "secrets/wg_dandelion.age".publicKeys = [ dandelion rin ]; + "secrets/wg_hyacinth.age".publicKeys = [ blossom rin ]; "secrets/wg_caramel.age".publicKeys = [ rin ]; - "secrets/wg_sugarcane.age".publicKeys = [ rin ]; } diff --git a/secrets/acme_dns.age b/secrets/acme_dns.age index 56ad6f6..a573417 100644 Binary files a/secrets/acme_dns.age and b/secrets/acme_dns.age differ diff --git a/secrets/passwd.age b/secrets/passwd.age index 3b5e319..64ec861 100644 Binary files a/secrets/passwd.age and b/secrets/passwd.age differ 
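Review bot: Dropping `via ${routes.gateway}` turns the bypass route into an on-link route (`ip route add <serverIp> dev <iface>`), so the kernel resolves the endpoint address directly on the LAN instead of through the default gateway; that only works if the upstream router answers neighbour requests for it, and otherwise the endpoint becomes unreachable the moment the `0.0.0.0/0` and `::/0` peer routes are installed. If the goal is to stop hard-coding the gateway, it could be discovered at setup time instead, e.g. `via $(${pkgs.iproute2}/bin/ip route show default dev ${routes.interface} | ${pkgs.gawk}/bin/awk '{print $3}')`, with a comment explaining why. The client `let … in` block this line belongs to starts and ends outside the hunk.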
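Review bot: Setting `net.ipv6.conf.all.forwarding = true` makes the server forward IPv6 on every interface, not just `wg0`, and on Linux it also stops the host from accepting router advertisements unless `accept_ra` is raised to 2; if `enp0s6` gets its address via SLAAC, add `"net.ipv6.conf.enp0s6.accept_ra" = 2;` alongside these two entries. No matching IPv4 forwarding sysctl appears in the hunk, so it is presumably set elsewhere — worth a one-line comment pointing to where, so the two halves are not maintained apart. Since forwarding is now enabled globally, check that the firewall and `postSetup` rules (outside this hunk) constrain IPv6 forwarding to the tunnel subnet the same way they do for IPv4. The parentheses around the attrset in `lib.mkIf (…) ({ … })` are redundant and can go.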
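Review bot: `"secrets/wg_hyacinth.age".publicKeys = [ blossom rin ];` encrypts hyacinth's WireGuard key to the `blossom` recipient while every other entry uses the host's own binding; if `blossom` is the same machine under its old name this works, but the binding (defined in the `let` above this hunk) should be renamed or the line commented, otherwise hyacinth cannot decrypt its own private key at activation. `wg_caramel.age` is kept with only `rin` as recipient even though the `caramel` client is commented out of the WireGuard module, so either remove both or note why the secret is retained. The corresponding `secrets/wg_hyacinth.age` file header does not survive extraction here, so confirm the re-encrypted file is actually part of the commit.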
diff --git a/secrets/warden_admin.age b/secrets/warden_admin.age index dc7ac10..1c56924 100644 Binary files a/secrets/warden_admin.age and b/secrets/warden_admin.age differ diff --git a/secrets/wg_anemone.age b/secrets/wg_anemone.age new file mode 100644 index 0000000..3ed5b37 Binary files /dev/null and b/secrets/wg_anemone.age differ diff --git a/secrets/wg_blossom.age b/secrets/wg_blossom.age deleted file mode 100644 index 494761f..0000000 --- a/secrets/wg_blossom.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 CUCjXQ hLTFE9rxZfhOZ2rELykmG54pxJMCjTkzBvLasvgSN24 -wDbW0X7bItmMEDfGRVAw+wHycHDI/2OYAb5jFyd8f6s --> ssh-ed25519 U9FXlg juuKBMw9hX559zK6f2ERuBMl27ypQ6Ky5xlFEJxApXc -Gb6/rTwqMINqiojoIWcFEAQCEuQ6bQQHrOXChkthb4A ---- OEQ8ALTXcJKvpf0rJe6x2VHSAsTi1yFhz3eU0CZDjqE -ٓPΘ~Fdwi ]h//4ڰN7LaQ= v@oB*48 D=򪋅 \ No newline at end of file diff --git a/secrets/wg_caramel.age b/secrets/wg_caramel.age index 1a3b16e..a85d63f 100644 --- a/secrets/wg_caramel.age +++ b/secrets/wg_caramel.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 U9FXlg qEy0vaHPPr9EUDjC3FveSk/xcnW/rtHVmx9o7cH7JFA -WAzEfa7T82vbkwMv/JIOASIjZ3gr1TRNfVzOWdWBVkQ ---- AoVNbcEOrFU5jcQ8geP5e4Lo3RxOyP9p4BG3BNsgiIQ -ٳ'XoYfů!/ "p; ssh-ed25519 U9FXlg VpFnvpTVZFSkKRpEgcmuT/WDLIP1ZySFLq2lRvrjq20 +7zQoSoIs1URmAYn2AdjvDTIY8GDYROcSxFq1bcl24Og +--- iaQQUE1/Xj1vxto3d+Llyl6XGrSff5MGPxdCHW9EI40 +Ʀ`t \  +bpeHX3!$3]X32t~V.=>$xBKJAL:DD}5 \ No newline at end of file diff --git a/secrets/wg_dandelion.age b/secrets/wg_dandelion.age new file mode 100644 index 0000000..0229699 --- /dev/null +++ b/secrets/wg_dandelion.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 bRFqeQ swv/p+w9+aytIkQ/6Yk1jouA+0M3rJabuiOz2rlpyAs +wt+wnM1EEKAyDNefr9K4+DtZvHcOzz9Y1EBRFkA5Nv4 +-> ssh-ed25519 U9FXlg xxV/8JoorO4YWPbwSG7p306Pb2+aT10u9eNR69PhZAA +rjOOuapa/h1tMYbdOc3Y/fPPzkNcYiamSk6rS/tbhtE +--- UKvt/4aAyYHOk5bhAP55yxPhkxTE94/xEqIqpGF3yiE +5; _EDB ssh-ed25519 CUCjXQ ptHKlNvz+AmnB/Wt9XBBNyfOGeoPG5TbyrXv5993PDQ +P0C17K+Kz8ocn0vzLf02aaYnxvRM/yjfRLMsBaJhsok +-> ssh-ed25519 U9FXlg /M8ryJjXAdlWhvNHbQgKUxe/UtL7HqEs9RqNDQBW3SM +p2d9OnOkU2Hx7+Kn+Z66qElFvczd3F4zVm5KXbOzYWY +--- PVd8mrRk/t6qv/U32/AZk9YssRU1yn3CLPeyaEPBXi0 +:Dx[cyyۙc4ɥ/އ^.=†ȯoGVQdXf^@TRegn 9UT \ No newline at end of file diff --git a/secrets/wg_sugarcane.age b/secrets/wg_sugarcane.age deleted file mode 100644 index fe26054..0000000 --- a/secrets/wg_sugarcane.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U9FXlg 7YXsTcRa8pco9Ic9fDSygCjNXrxFi5pHADtUqwOBPhg -0BYvRAhcQQ36kAXOW2QaS4S9rhenUx8xwbNozNdDpLM ---- V1E/2n1Ae5hlWhjAEziHA2J072a20GeKM+EtG+pT8cI -窴zWT좾G{"\ʖse>%)o|z!ēז2ࢨEs \ No newline at end of file diff --git a/secrets/wpa_conf.age b/secrets/wpa_conf.age index 068d352..2b6862e 100644 Binary files a/secrets/wpa_conf.age and b/secrets/wpa_conf.age differ