From 9217ce6e916bfa270c46afda14aada000cdd391f Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Tue, 20 May 2025 02:34:18 +1000
Subject: [PATCH] system/wireguard: bring back, with ipv6 support
---
 hosts/dandelion/default.nix | 1 +
 modules/system/wireguard.nix | 56 ++++++++++++++++-------------------
 secrets.gcrypt/shared.json | Bin 154 -> 263 bytes
 secrets.nix | 5 ++--
 secrets/acme_dns.age | Bin 492 -> 492 bytes
 secrets/passwd.age | Bin 531 -> 531 bytes
 secrets/warden_admin.age | Bin 289 -> 289 bytes
 secrets/wg_anemone.age | Bin 0 -> 367 bytes
 secrets/wg_blossom.age | 7 -----
 secrets/wg_caramel.age | 9 +++---
 secrets/wg_dandelion.age | 7 +++++
 secrets/wg_hyacinth.age | 7 +++++
 secrets/wg_sugarcane.age | 5 ----
 secrets/wpa_conf.age | Bin 420 -> 420 bytes
 14 files changed, 49 insertions(+), 48 deletions(-)
 create mode 100644 secrets/wg_anemone.age
 delete mode 100644 secrets/wg_blossom.age
 create mode 100644 secrets/wg_dandelion.age
 create mode 100644 secrets/wg_hyacinth.age
 delete mode 100644 secrets/wg_sugarcane.age
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 5f13e44..4268910 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -16,6 +16,7 @@
 nix-stable
 packages
 security
+ wireguard
 modules.services.nginx
 modules.services.postgres
diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix
index 2684d65..9e5ef15 100644
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@@ -1,14 +1,12 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, gcSecrets, ... }:
 let
 port = 51820;
- serverName = "sugarcane";
- serverInterface = "ens3";
- serverIp = "51.79.240.130";
+ serverName = "dandelion";
+ serverInterface = "enp0s6";
+ serverIp = gcSecrets.wireguard.gateway;
 forwarding = {
- "80" = [ "10.100.0.2" "80" ];
- "443" = [ "10.100.0.2" "443" ];
- "22727" = [ "10.100.0.3" "7777" ];
+# "22727" = [ "10.100.0.3" "7777" ];
 };
 mapForwards = type: 
@@ -24,45 +22,39 @@ let
 );
 routeBypass = {
- caramel = {
- gateway = "192.168.100.1";
- interface = "wlan0";
- routes = [
- serverIp
- ];
+ anemone = {
+ interface = "wlp1s0";
+ routes = [ serverIp ];
 };
 hyacinth = {
- gateway = "192.168.100.1";
 interface = "enp5s0";
- routes = [
- serverIp
- ];
+ routes = [ serverIp ];
 };
 };
 clients = {
- caramel = {
- publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
- allowedIPs = [ "10.100.0.2/32" ];
- };
+ # caramel = {
+ # publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
+ # allowedIPs = [ "10.100.0.2/32" ];
+ # };
 hyacinth = {
 publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
- allowedIPs = [ "10.100.0.3/32" ];
+ allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3"];
 };
- strawberry = {
+ anemone = {
 publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
- allowedIPs = [ "10.100.0.4/32" ];
+ allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" ];
 };
- maple = {
- publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
- allowedIPs = [ "10.100.0.5/32" ];
+ hibiscus = {
+ publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
+ allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" ];
 };
 };
 clientPeers = builtins.attrValues clients;
 serverPeer = {
 publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
- allowedIPs = [ "0.0.0.0/0" ];
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
 endpoint = "${serverIp}:${toString port}";
 persistentKeepalive = 25;
 };
@@ -79,7 +71,7 @@ let
 };
 wireguard.interfaces.wg0 = {
- ips = [ "10.100.0.1/24" ];
+ ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" ];
 listenPort = port;
 postSetup = '' 
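Review bot: hibiscus is added to clients here without a matching routeBypass entry, while the client block still does an unguarded `routes = routeBypass."${config.networking.hostName}";` (hunk @@ -101), so evaluating this module on hibiscus would fail with a missing-attribute error; if that host is meant to import the module, a default such as `routes = routeBypass."${config.networking.hostName}" or { routes = [ ]; };` keeps the lookup total (the per-route lambda never runs on an empty list, so `routes.interface` is not touched). The new IPv6 entries carry no prefix length, so the server-side `"${gcSecrets.wireguard.ipv6Subnet}:1"` in wg0's ips ends up as a single host address under iproute2 defaults while the IPv4 side is a /24; reachability then rests entirely on the per-peer allowedIPs routes, which works but is easy to misread, and spelling the prefix out (e.g. `:1/64` if ipv6Subnet is a /64 — confirm) would make the intent explicit. Minor: hyacinth's list lacks the space before `]`, and the commented-out caramel block still carries its public key with no note on why it is disabled.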
@@ -101,7 +93,7 @@ let
 let
 client = clients."${config.networking.hostName}";
 routes = routeBypass."${config.networking.hostName}";
- mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
+ mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} dev ${routes.interface}") routes.routes;
 in {
 ips = client.allowedIPs;
 listenPort = port;
@@ -121,6 +113,10 @@ let
 };
 };
 in {
+ boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ });
 networking = lib.mkMerge [
 (lib.mkIf (config.networking.hostName == serverName) serverConfig)
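Review bot: Dropping `via ${routes.gateway}` turns the bypass into an on-link host route (`ip route add <serverIp> dev <iface>` with no nexthop), so the kernel resolves the public endpoint address directly on the LAN segment; unless that link is point-to-point or the upstream router answers for it, the endpoint becomes unreachable exactly when `0.0.0.0/0` is pushed into wg0 and the tunnel cannot come up. If the aim is to stop hard-coding per-network gateways, make the nexthop optional rather than removing it: `mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} ${lib.optionalString (routes ? gateway) "via ${routes.gateway} "}dev ${routes.interface}") routes.routes;`, so a routeBypass entry may still carry `gateway` where it is needed. A one-line comment above mapRoutes stating that these routes must keep the WireGuard endpoint reachable once the default route moves into the tunnel would also help the next reader. The enclosing client config binding starts and ends outside this hunk.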
diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json index f3f2e36d2778be04f048a6e5eb65f207471e1a6c..ea6ffecfb3884847eb6dd9b9087f240144f88387 100644 GIT binary patch literal 263 zcmZQ@_Y83kiVO&0csO@&`0|=N^Q;*y*DCNIiLKA7boWqQUGnchS8>-9#y{pu)^8~8 zdtMn)yYJ_VYsW4*^Zt;#P^x#OPBnSDh_i)2kXlVeL(JPSan5;f!ZTeSD%x;9o2Kub z<6Uw29@nYX1#!<8^$DFXwRVv|HM1pTCQr1K!JF#`CMTK5JMDdPgURTy?4RzV)3$CD z{g@^CBg;ZmW~S5B_}?l8;ra`YXJpn z(|m6A83K|8XSg48ZtRd0tY*oZ*#Fh9_5XJ3mwx}>h^W0g{BF^m!~eS&J>8Z?9$LVv X+`L3@_1QwlX)^P;USx8;W-kQ*DQJ6k literal 154 zcmZQ@_Y83kiVO&0h`aFN$gR^?B;?)n_{^gBo_VjOdx}YuSGm+I;+|RNZ^^j~+n;3a zNttjZJXrJ7sWbPaLT9fla9kff^}<@+FMs`vJVNTP)-BlEWpQ?i-G&=HyAIk#r`7aM zUiB$|%J2KXUe5F~4C35-)%xrG`iF1m&ZQBa+1loXDNgBJL4NK9 zSrwt_X;oqRsfLb8`hLld7LEp0RTae%p$29ZxnW5@1@6Wb+L@kQy1KdwxvANisa}48 z{y8RP$?4h|#lil8#cs~#xnZGEY5Ms=Ir=H7A?A*$Awk~hT)Wu6dAwQHubKVvp0cWO z@~S|QbGLTwKhHLG-U~zfd5I}CO+0Tlx7?h*N#JWfvr!kL{6a1vrw^L@p4k46$`t)P i!}57S(1d00I8S;DGUv>dotOSwgh%1(yh$$^GkO46ubuq> delta 438 zcmaFE{DyggPJNn%ceaz0Wtx*?RcV=pM@XrUQ@XENX;npqzDseYX>O`PS)y5xNt$0} zC|6ZjcvYfzd5VQoK}kh^SdNQ#j-`22h>N>fo}sz6t5=DmK|pD^r$Jby374*&LUD11 zZfc5=si~o*LX=~2gh#o8lXixYxxR0RXM}mWwn18mzMFn{wn@6LqrP`$n6aOEK#F0R zhnsVlAVWEYyS9oUV z#E;_ju5N{uRe?VKMaET5!TuH{?!lE_$;n3ArN$|Rk$$D&{?4KKp*cp0CT`_imQE!` zsrun5rkRDI<{pOGN#Vu?C80(}z z(t7&ai}Rwb4BT#27;;|kG!bH1SZ?OPeQDDV!#lD!F1*=yQD-~LnY~B3_NI!wv8}q& jA*i(Bj@!c1e?MGHHd24~Vy||h-9 zHdj$$zJ8XeTdJo;cx8%3NxoT;b496}X@qfZaEhU~X=X~PSze`apl_r>GMBEMLUD11 zZfc5=si~o*f^(>IRz#pexJz1LaiE#2p{0JgOP+U{v0G`Rc4$SGZ$PeLfN!{$VL^7f zv4MG7W^SM(S4z6Eca*oMVPa}#dWgA&zmJDyj(K^wM`=)6U`a$)u9s;@j(&P+qLYis z#E;_jCC+YMPLZVnmM&3=UdH9x#W}ui8Low<-e!R*kxo&L1}Q$;fx(uhk3$ZDUR4EYCYcqMr3R5)y1Kdweg%1!i558- zK1JHW+FmBw<%#8yegP(CCdr9;CN6%V`N`(>N#@}Jt|g%+To*((7~f_+q00A8b`fLh zp}Xt*if!Dl#T{c2E_hU5lHW2pfMsudL!P8U<-)y>#9xJKr5oAp;QEw$;d8I0!J~Up zO?>m(ioP9UQxcqbdDVFa?#j+-DXlZDYLD)8&D4Iu%zD>h!HX%(zs|p!7N2uW{HitM Y>x2#5(|Mgg3b4yeK7Ppl$Cj<;03*q)!2kdN delta 478 zcmbQtGMQz9PQ9nAwxzeXabdQnx2JEYi*{6DZh%XryGL@cd1`QwvuCAIaDjGaN@i|^ 
zFPF1HsDX!JT2-cdw!4S9e??w_nRY;CSU{Rrj(eteq=AL8QD|7cepIf3374*&LUD11 zZfc5=si~o*f^(>IRz#qJzoSW+OI41)ySrz)ccx3evs+PFNO)4Jk85$BTauqaWv;VN zdSZD_S*b@lSAM#Wey&AOc(_?=wz)xuOQgR^V7OOcL{70mdbwp~k!w^^j;Et`Xi0wH z#E;_jmYJd9{`nS(1!k$pVZvNUCkuLg1t^rx*mfrbkm4-!ODdnLSE=eVBRe9zGCKaw+y1Kdw*&%+;euf3f z$&t>cDS?g=rp2lLQK{)3C2oZg`9>KoF5yM>W?rSf9!`PzT-z4aYD#YUJ|&~IPMNXj zTWP;AL$HJWmMGDdb$@fYZg@HFmkWG$Fz~(5oQE~X)*bJhSidaRFF!@7+SZb?#QXmY7nYGp}OX<(^-U{YaDQMsj|kEL(6M~+W!K9{bpu0lm* zlxK#aQ9-d+NN%O2VY-D!da!|4qKmhMX+(IWr*E=_e_5KFwtqxowh7mp&AUG>oU*9> zrR~r49WT0hbbOw4y^jA~CtJJyr2Z$1{PJu0o`U_?b1yTnJLzpojNs$AR?IMKzwE7z zy-eGUL*J&K_w{>sP)TYln}A9iyXuC6iRbGUue6=3xM0ZxfvT@5THHZCsc&DcKfJ&4 G!6yL66=drG delta 253 zcmZ3;w2*0nPJOXsg|?T4U%8u+XSi`zNl03TNvfwoSVX8xVQ`*jVWg{fk$z@`Wl?5T zB$sn=V1;j`w?#@~rF*J@V^nfpZa_d%il?c2mZyP-kBL!Yabm7ZifdJVGMBEdu0pnP zzFVQQUx`6rVV0wjenfdupu3TqpQle@WO+qiUZ_h|N||SpOS(s8RXW!vn-yDsaz48) zW$JnLn_ID+w)2BCx&PjVSRQ5lKAoS_Ng&*$a);O9w|3j@w}=TcZE(BMI_-|S=S;1+ zOJtmuSJim_&5hxo?#!HTHnX5nFYfsVPyJYKp8&o3;AqC)&#SkD8~-_5bVp|1;wym- FmH^RsVjchh diff --git a/secrets/wg_anemone.age b/secrets/wg_anemone.age new file mode 100644 index 0000000000000000000000000000000000000000..3ed5b37ae79ff5824c2654a6597d944b0882572b GIT binary patch literal 367 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7&!`M8aa1sm@=7Yt z^a{;24KWRO&nvMkEiyI<33V&a$ns8ew#f1JDNc-V)^_x8jN}UPjdV#22~W-|NOUes z&r6KT%1H@#DGblGFbgV9HLG$Bii)U+ax#q!$VRs<)Y2^?CtblOpv0mw$*?FrsnF6d zIX}eP*U7-s*B~#_!o@$mAm742JEGLYBrzbuFp|r{FVryC+bqa2(8JlS+&9a-LO&_0 zI5i;CFuXEX+qBFiFIYc2!!)Nb(11%uLnPxn}2^G%y#yQV*txxlb-+l-Fd;wJ4!x9RLZSvKbE5h0BTEv ACIA2c literal 0 HcmV?d00001 diff --git a/secrets/wg_blossom.age b/secrets/wg_blossom.age deleted file mode 100644 index 494761f..0000000 --- a/secrets/wg_blossom.age +++ /dev/null 
@@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 CUCjXQ hLTFE9rxZfhOZ2rELykmG54pxJMCjTkzBvLasvgSN24 -wDbW0X7bItmMEDfGRVAw+wHycHDI/2OYAb5jFyd8f6s --> ssh-ed25519 U9FXlg juuKBMw9hX559zK6f2ERuBMl27ypQ6Ky5xlFEJxApXc -Gb6/rTwqMINqiojoIWcFEAQCEuQ6bQQHrOXChkthb4A ---- OEQ8ALTXcJKvpf0rJe6x2VHSAsTi1yFhz3eU0CZDjqE -ٓPΘ~Fdwi ]h//4ڰN7LaQ= v@oB*48 D=򪋅 \ No newline at end of file diff --git a/secrets/wg_caramel.age b/secrets/wg_caramel.age index 1a3b16e..a85d63f 100644 --- a/secrets/wg_caramel.age +++ b/secrets/wg_caramel.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 U9FXlg qEy0vaHPPr9EUDjC3FveSk/xcnW/rtHVmx9o7cH7JFA -WAzEfa7T82vbkwMv/JIOASIjZ3gr1TRNfVzOWdWBVkQ ---- AoVNbcEOrFU5jcQ8geP5e4Lo3RxOyP9p4BG3BNsgiIQ -ٳ'XoYfů!/ "p; ssh-ed25519 U9FXlg VpFnvpTVZFSkKRpEgcmuT/WDLIP1ZySFLq2lRvrjq20 +7zQoSoIs1URmAYn2AdjvDTIY8GDYROcSxFq1bcl24Og +--- iaQQUE1/Xj1vxto3d+Llyl6XGrSff5MGPxdCHW9EI40 +Ʀ`t \  +bpeHX3!$3]X32t~V.=>$xBKJAL:DD}5 \ No newline at end of file diff --git a/secrets/wg_dandelion.age b/secrets/wg_dandelion.age new file mode 100644 index 0000000..0229699 --- /dev/null +++ b/secrets/wg_dandelion.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 bRFqeQ swv/p+w9+aytIkQ/6Yk1jouA+0M3rJabuiOz2rlpyAs +wt+wnM1EEKAyDNefr9K4+DtZvHcOzz9Y1EBRFkA5Nv4 +-> ssh-ed25519 U9FXlg xxV/8JoorO4YWPbwSG7p306Pb2+aT10u9eNR69PhZAA +rjOOuapa/h1tMYbdOc3Y/fPPzkNcYiamSk6rS/tbhtE +--- UKvt/4aAyYHOk5bhAP55yxPhkxTE94/xEqIqpGF3yiE +5; _EDB ssh-ed25519 CUCjXQ ptHKlNvz+AmnB/Wt9XBBNyfOGeoPG5TbyrXv5993PDQ +P0C17K+Kz8ocn0vzLf02aaYnxvRM/yjfRLMsBaJhsok +-> ssh-ed25519 U9FXlg /M8ryJjXAdlWhvNHbQgKUxe/UtL7HqEs9RqNDQBW3SM +p2d9OnOkU2Hx7+Kn+Z66qElFvczd3F4zVm5KXbOzYWY +--- PVd8mrRk/t6qv/U32/AZk9YssRU1yn3CLPeyaEPBXi0 +:Dx[cyyۙc4ɥ/އ^.=†ȯoGVQdXf^@TRegn 9UT \ No newline at end of file diff --git a/secrets/wg_sugarcane.age b/secrets/wg_sugarcane.age deleted file mode 100644 index fe26054..0000000 --- a/secrets/wg_sugarcane.age +++ /dev/null 
@@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U9FXlg 7YXsTcRa8pco9Ic9fDSygCjNXrxFi5pHADtUqwOBPhg -0BYvRAhcQQ36kAXOW2QaS4S9rhenUx8xwbNozNdDpLM ---- V1E/2n1Ae5hlWhjAEziHA2J072a20GeKM+EtG+pT8cI -窴zWT좾G{"\ʖse>%)o|z!ēז2ࢨEs \ No newline at end of file diff --git a/secrets/wpa_conf.age b/secrets/wpa_conf.age index 068d35295d6e3cc190d9f31cf0f52a9861ba516a..2b6862e53af790780d4fcfd88e1ef7ed6cc3f47c 100644 GIT binary patch delta 385 zcmZ3&yo7mzPJN_VL9$1FU~Z&aZhmo?nXyZxYhrn1zFSm&zI&Ega=L4PhhJHqc~p*j zF_&S6S7m9XPl}0~Nn)g>M@E&QMMzZES!Ps7PJLN+dTO3iqGM*Ut50N3R+4LO zVp4IMvx{Rgmz#S)V76&xwyC3sqgO<_K~zvuo^NGnzJ5?dRIayvX{B$XPq=fYQC6BO zm#(g^LO_Udp>ar1maC6RR$zd;qhqGCV|jp4QD}~Ps84=jfTdw&en5buwx>%m*J*)g z9cyOKv##P{?a4`2l2*RD@>b=?v+9R#o%`ie{ozmdtrxpC%-`K*Qh6%a-^zB+GWEmW zDKbJ%$}T<*tp7RR{JyyFX3wOVRssokG$IOgr)y+c+hn|!Hu|h`{`>Bh=Q_3Aq7QF6 jzT(g?=J@sLLGOD9gEWROsSEP=SnT*??b06l(=!ABLeiAu delta 385 zcmZ3&yo7mzPJKZ^US3I5vA<_}W{6Lbg-NJEhGn92vP*itwxMTedRVzhT7G(&mtlH% zI#*z+w}pvefp@+^s#~g|d7*(>fSYS^VQ#j5W?H0nMs|5+a!z1XfqzkiFPE;JLUD11 zZfc5=si~o*La3!%L{7SbnOBgHm#KSpmVtIsu%~`mWqnamPKifEnM;^cp;KqHnmDiD6QzXMUn%s#!`P zm#(g^LP2VEnlthvtTBtU2(S6R+Bd64H0ezm+GHgpD48h06OHA%>V!Z