diff --git a/hosts/anemone/default.nix b/hosts/anemone/default.nix
index 77b07a7..dda36f5 100644
--- a/hosts/anemone/default.nix
+++ b/hosts/anemone/default.nix
@@ -5,6 +5,7 @@
 nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
 age.secrets = {
+ wg_anemone.file = ../../secrets/wg_anemone.age;
 passwd.file = ../../secrets/passwd.age;
 };
@@ -26,6 +27,7 @@
 printing
 security
 snapper
+ wireguard
 ./filesystem.nix
 ./kernel.nix
diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix
index 5f13e44..55a46bc 100644
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@@ -5,6 +5,7 @@
 age.secrets = {
 acme_dns.file = ../../secrets/acme_dns.age;
+ wg_dandelion.file = ../../secrets/wg_dandelion.age;
 };
 imports = with modules.system; [
@@ -16,6 +17,7 @@
 nix-stable
 packages
 security
+ wireguard
 modules.services.nginx
 modules.services.postgres
diff --git a/modules/system/packages.nix b/modules/system/packages.nix
index baae1cc..b257880 100644
--- a/modules/system/packages.nix
+++ b/modules/system/packages.nix
@@ -17,6 +17,7 @@
 neovim
 nfs-utils
 ntfs3g
+ oci-cli
 ripgrep
 rsync
 sshfs
diff --git a/modules/system/wireguard.nix b/modules/system/wireguard.nix
index 2684d65..458b879 100644
--- a/modules/system/wireguard.nix
+++ b/modules/system/wireguard.nix
@@ -1,14 +1,12 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, gcSecrets, ... }:
 let
 port = 51820;
- serverName = "sugarcane";
- serverInterface = "ens3";
- serverIp = "51.79.240.130";
+ serverName = "dandelion";
+ serverInterface = "enp0s6";
+ serverIp = gcSecrets.wireguard.gateway;
 forwarding = {
- "80" = [ "10.100.0.2" "80" ];
- "443" = [ "10.100.0.2" "443" ];
- "22727" = [ "10.100.0.3" "7777" ];
+# "22727" = [ "10.100.0.3" "7777" ];
 };
 mapForwards = type: 
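Review bot: `serverIp = gcSecrets.wireguard.gateway` reads a value out of the (presumably gcrypt-backed) `gcSecrets` input at evaluation time, and anything this module interpolates from it — the endpoint here, the `ipv6Subnet` addresses further down — is written into the generated wg0 interface script in the Nix store, so it gets no more protection than the literal `51.79.240.130` it replaces. That is acceptable for an endpoint address and an address prefix, but it means the private keys must keep coming from the agenix `wg_*.age` files and never from `gcSecrets`; a comment such as `# gcSecrets values land in /nix/store: endpoint and prefix only, never key material` next to `serverIp` would keep that boundary explicit. The `forwarding` set is now empty except for a commented-out `22727` entry at column 0, which reads as a stray top-level comment rather than part of the set; either delete it or indent it with the set. The tail of this hunk (the rest of `mapForwards`) is not visible here.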
@@ -24,45 +22,39 @@ let
 );
 routeBypass = {
- caramel = {
- gateway = "192.168.100.1";
- interface = "wlan0";
- routes = [
- serverIp
- ];
+ anemone = {
+ interface = "wlp1s0";
+ routes = [ serverIp ];
 };
 hyacinth = {
- gateway = "192.168.100.1";
 interface = "enp5s0";
- routes = [
- serverIp
- ];
+ routes = [ serverIp ];
 };
 };
 clients = {
- caramel = {
- publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
- allowedIPs = [ "10.100.0.2/32" ];
- };
+ # caramel = {
+ # publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
+ # allowedIPs = [ "10.100.0.2/32" ];
+ # };
 hyacinth = {
 publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
- allowedIPs = [ "10.100.0.3/32" ];
+ allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3"];
 };
- strawberry = {
- publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
- allowedIPs = [ "10.100.0.4/32" ];
+ anemone = {
+ publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
+ allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" ];
 };
- maple = {
- publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
- allowedIPs = [ "10.100.0.5/32" ];
+ hibiscus = {
+ publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
+ allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" ];
 };
 };
 clientPeers = builtins.attrValues clients;
 serverPeer = {
 publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
- allowedIPs = [ "0.0.0.0/0" ];
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
 endpoint = "${serverIp}:${toString port}";
 persistentKeepalive = 25;
 };
@@ -79,7 +71,7 @@ let
 };
 wireguard.interfaces.wg0 = {
- ips = [ "10.100.0.1/24" ];
+ ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" ];
 listenPort = port;
 postSetup = '' 
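Review bot: `hibiscus` is added to `clients` but has no `routeBypass` entry, and the client branch of this module (the `@@ -101` hunk) looks up `routeBypass."${config.networking.hostName}"` unconditionally, so a hibiscus that imports the module fails at evaluation on the missing attribute; add `hibiscus = { interface = "..."; routes = [ serverIp ]; };` or make the lookup `routeBypass.${config.networking.hostName} or { routes = [ ]; }` (with an empty list `mapRoutes` never reads `interface`). This matters more now that the server peer claims `0.0.0.0/0` and `::/0`: a client with no bypass route sends its own endpoint traffic into the tunnel. The new IPv6 entries such as `"${gcSecrets.wireguard.ipv6Subnet}:3"` carry no prefix length, so `wg` treats them as /128 and the kernel does the same when the list is reused as `ips` on the client; that is presumably the intent, but writing `"${gcSecrets.wireguard.ipv6Subnet}:3/128"` documents it and makes the assumption that `ipv6Subnet` ends in a form that accepts a trailing `:3` visible. The commented-out `caramel` peer is dead config (the public key is not sensitive) and will be confusing next to the `wg_caramel.age` secret that this commit keeps.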
@@ -101,7 +93,7 @@ let
 let
 client = clients."${config.networking.hostName}";
 routes = routeBypass."${config.networking.hostName}";
- mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
+ mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via 192.168.1.1 dev ${routes.interface}") routes.routes;
 in {
 ips = client.allowedIPs;
 listenPort = port;
@@ -121,6 +113,10 @@ let
 };
 };
 in {
+ boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
+ "net.ipv6.conf.all.forwarding" = true;
+ "net.ipv6.conf.default.forwarding" = true;
+ });
 networking = lib.mkMerge [
 (lib.mkIf (config.networking.hostName == serverName) serverConfig)
diff --git a/overlays/default.nix b/overlays/default.nix
index 752a2c8..220fd11 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -5,6 +5,7 @@ builtins.map (path: import path) [
 ./ccache.nix
 ./eww.nix
 ./material-icons.nix
+ ./oci-cli.nix
 ./steam.nix
 ./utillinux.nix
 ./wpa-supplicant.nix
diff --git a/overlays/oci-cli.nix b/overlays/oci-cli.nix
new file mode 100644
index 0000000..78a8a23
--- /dev/null
+++ b/overlays/oci-cli.nix
@@ -0,0 +1,5 @@
+self: super: {
+ oci-cli = super.oci-cli.overrideAttrs(o: {
+ patches = (o.patches or []) ++ [ ./patches/oci.patch ];
+ });
+}
diff --git a/overlays/patches/oci.patch b/overlays/patches/oci.patch
new file mode 100644
index 0000000..bdc80f7
--- /dev/null
+++ b/overlays/patches/oci.patch
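Review bot: `mapRoutes` now hard-codes `via 192.168.1.1` where it used to take `routes.gateway`, but the bypass is applied on `anemone` over `wlp1s0` (a Wi-Fi interface whose upstream router changes with the network) and on `hyacinth` over `enp5s0`, so on any network whose router is not 192.168.1.1 the host route to `serverIp` is wrong, the endpoint becomes unreachable, and because the server peer claims `0.0.0.0/0` and `::/0` the host loses all connectivity rather than just the tunnel. Since the generated line is shell (presumably spliced into the interface's setup hooks, which are outside this hunk), read the gateway from the interface's current default route instead: `via $(${pkgs.iproute2}/bin/ip route show default dev ${routes.interface} | ${pkgs.coreutils}/bin/cut -d' ' -f3)` — or restore the per-host `gateway` field that the previous `routeBypass` entries carried. The `let` block this belongs to continues past the hunk.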
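Review bot: Enabling `net.ipv6.conf.all.forwarding` on the server turns it into an IPv6 router, and with the clients' `::/0` peer route every client address under `ipv6Subnet` becomes reachable from `enp0s6` as soon as that prefix is routed to the instance (the `assign-ipv6` oci-cli patch in this commit suggests it is), with nothing in this hunk filtering the forward path; unless that exposure is intended, add forward-chain rules that only admit established/related traffic from `enp0s6` to `wg0`, e.g. `iifname "enp0s6" oifname "wg0" ct state { established, related } accept` followed by `iifname "enp0s6" oifname "wg0" drop`, in whichever firewall backend the existing `postSetup` (outside this hunk) already uses. Setting `all.forwarding = 1` also makes the kernel ignore router advertisements on `enp0s6` unless `"net.ipv6.conf.enp0s6.accept_ra" = 2` is set alongside it, so if the instance learns its IPv6 default route via RA it will lose it after this change. A short comment on the sysctl block stating both consequences would save the next reader the trip to the kernel docs.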
@@ -0,0 +1,30 @@ +diff --git a/services/core/src/oci_cli_virtual_network/virtualnetwork_cli_extended.py b/services/core/src/oci_cli_virtual_network/virtualnetwork_cli_extended.py +index 44562fd9780..ae426944a47 100644 +--- a/services/core/src/oci_cli_virtual_network/virtualnetwork_cli_extended.py ++++ b/services/core/src/oci_cli_virtual_network/virtualnetwork_cli_extended.py +@@ -285,13 +285,13 @@ def unassign_private_ip(ctx, from_json, vnic_id, ip_address): + click.echo('Unassigned IP address {} from VNIC {}'.format(ip_address, vnic_id), err=True) + + +-@cli_util.copy_params_from_generated_command(virtualnetwork_cli.create_ipv6, params_to_exclude=['wait_for_state', 'max_wait_seconds', 'wait_interval_seconds']) ++@cli_util.copy_params_from_generated_command(virtualnetwork_cli.create_ipv6, params_to_exclude=['wait_for_state', 'max_wait_seconds', 'wait_interval_seconds', 'subnet_id']) + @virtualnetwork_cli.vnic_group.command(name='assign-ipv6', help=virtualnetwork_cli.create_ipv6.help) + @cli_util.option('--unassign-if-already-assigned', is_flag=True, default=False, help="""Force reassignment of the IP address if it's already assigned to another VNIC in the subnet. 
This is only relevant if an IP address is associated with this command.""") + @click.pass_context + @json_skeleton_utils.json_skeleton_generation_handler(input_params_to_complex_types={'defined-tags': {'module': 'core', 'class': 'dict(str, dict(str, object))'}, 'freeform-tags': {'module': 'core', 'class': 'dict(str, string)'}}, output_type={'module': 'core', 'class': 'PrivateIp'}) + @cli_util.wrap_exceptions +-def assign_ipv6(ctx, from_json, vnic_id, defined_tags, display_name, freeform_tags, ip_address, unassign_if_already_assigned, ipv6_subnet_cidr, route_table_id): ++def assign_ipv6(ctx, from_json, vnic_id, defined_tags, display_name, freeform_tags, ip_address, unassign_if_already_assigned, ipv6_subnet_cidr, route_table_id, lifetime): + networking_client = cli_util.build_client('core', 'virtual_network', ctx) + + # First we get the VNIC because we need to know the subnet OCID for the ListIpv6s call +@@ -348,6 +348,9 @@ def assign_ipv6(ctx, from_json, vnic_id, defined_tags, display_name, freeform_ta + if route_table_id is not None: + assign_ip_request_body['routeTableId'] = route_table_id + ++ if lifetime is not None: ++ assign_ip_request_body['lifetime'] = lifetime ++ + # If we are here then either the IP address does not exist or it is a candidate to be moved + if not is_ip_reassignment: + if ip_address is not None: diff --git a/secrets.gcrypt/shared.json b/secrets.gcrypt/shared.json index f3f2e36..2e9e876 100644 Binary files a/secrets.gcrypt/shared.json and b/secrets.gcrypt/shared.json differ diff --git a/secrets.nix b/secrets.nix index 8f55589..e24da84 100644 --- a/secrets.nix +++ b/secrets.nix 
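Review bot: The patched `assign_ipv6` signature gains a `lifetime` positional parameter but the patch adds no `--lifetime` option itself; it relies on `copy_params_from_generated_command(virtualnetwork_cli.create_ipv6, ...)` already exposing one in the oci-cli release that nixpkgs pins, and if it does not, click never passes it and every `assign-ipv6` invocation fails with a `TypeError` before any API call is made. Either declare the option explicitly next to the existing `@cli_util.option('--unassign-if-already-assigned', ...)` decorator so the patch is self-contained, or make the overlay assert `super.oci-cli.version` so an upgrade fails loudly at build time instead of at run time. The patch also carries no header explaining why `subnet_id` is excluded and `lifetime` forwarded into `assign_ip_request_body`; a two-line description at the top of `oci.patch` would help whoever has to rebase it. The rest of `assign_ipv6` is outside the hunk.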
@@ -11,7 +11,8 @@ in {
 "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ];
 "secrets/warden_admin.age".publicKeys = [ rin ];
- "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
+ "secrets/wg_anemone.age".publicKeys = [ anemone rin ];
+ "secrets/wg_dandelion.age".publicKeys = [ dandelion rin ];
+ "secrets/wg_hyacinth.age".publicKeys = [ blossom rin ];
 "secrets/wg_caramel.age".publicKeys = [ rin ];
- "secrets/wg_sugarcane.age".publicKeys = [ rin ];
 }
diff --git a/secrets/acme_dns.age b/secrets/acme_dns.age
index 56ad6f6..a573417 100644
Binary files a/secrets/acme_dns.age and b/secrets/acme_dns.age differ
diff --git a/secrets/passwd.age b/secrets/passwd.age
index 3b5e319..64ec861 100644
Binary files a/secrets/passwd.age and b/secrets/passwd.age differ
diff --git a/secrets/warden_admin.age b/secrets/warden_admin.age
index dc7ac10..1c56924 100644
Binary files a/secrets/warden_admin.age and b/secrets/warden_admin.age differ
diff --git a/secrets/wg_anemone.age b/secrets/wg_anemone.age
new file mode 100644
index 0000000..3ed5b37
Binary files /dev/null and b/secrets/wg_anemone.age differ
diff --git a/secrets/wg_blossom.age b/secrets/wg_blossom.age
deleted file mode 100644
index 494761f..0000000
--- a/secrets/wg_blossom.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 CUCjXQ hLTFE9rxZfhOZ2rELykmG54pxJMCjTkzBvLasvgSN24
-wDbW0X7bItmMEDfGRVAw+wHycHDI/2OYAb5jFyd8f6s
--> ssh-ed25519 U9FXlg juuKBMw9hX559zK6f2ERuBMl27ypQ6Ky5xlFEJxApXc
-Gb6/rTwqMINqiojoIWcFEAQCEuQ6bQQHrOXChkthb4A
---- OEQ8ALTXcJKvpf0rJe6x2VHSAsTi1yFhz3eU0CZDjqE
-ٓPΘ~Fdwi ]h//4ڰN7LaQ= v@oB*48 D=򪋅
\ No newline at end of file
diff --git a/secrets/wg_caramel.age b/secrets/wg_caramel.age
index 1a3b16e..a85d63f 100644
--- a/secrets/wg_caramel.age
+++ b/secrets/wg_caramel.age
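Review bot: `"secrets/wg_hyacinth.age".publicKeys = [ blossom rin ]` encrypts hyacinth's WireGuard private key to `blossom`'s host key rather than hyacinth's; unless blossom and hyacinth are the same machine with the same SSH host key, agenix on hyacinth cannot decrypt it, and the list should read `[ hyacinth rin ]` (assuming a `hyacinth` key is defined in the `let` above this hunk). No `secrets/wg_hyacinth.age` appears among the files this diff adds, so either it is missing from the commit or its hunk was lost in rendering — worth confirming with a rekey. `wg_caramel.age` is kept and re-encrypted, still to `rin` only, although the caramel peer is commented out in wireguard.nix; if that host is gone, drop both the entry and the file rather than carrying a key nobody deploys.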
@@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 U9FXlg qEy0vaHPPr9EUDjC3FveSk/xcnW/rtHVmx9o7cH7JFA -WAzEfa7T82vbkwMv/JIOASIjZ3gr1TRNfVzOWdWBVkQ ---- AoVNbcEOrFU5jcQ8geP5e4Lo3RxOyP9p4BG3BNsgiIQ -ٳ'XoYfů!/ "p; ssh-ed25519 U9FXlg VpFnvpTVZFSkKRpEgcmuT/WDLIP1ZySFLq2lRvrjq20 +7zQoSoIs1URmAYn2AdjvDTIY8GDYROcSxFq1bcl24Og +--- iaQQUE1/Xj1vxto3d+Llyl6XGrSff5MGPxdCHW9EI40 +Ʀ`t \  +bpeHX3!$3]X32t~V.=>$xBKJAL:DD}5 \ No newline at end of file diff --git a/secrets/wg_dandelion.age b/secrets/wg_dandelion.age new file mode 100644 index 0000000..0229699 --- /dev/null +++ b/secrets/wg_dandelion.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 bRFqeQ swv/p+w9+aytIkQ/6Yk1jouA+0M3rJabuiOz2rlpyAs +wt+wnM1EEKAyDNefr9K4+DtZvHcOzz9Y1EBRFkA5Nv4 +-> ssh-ed25519 U9FXlg xxV/8JoorO4YWPbwSG7p306Pb2+aT10u9eNR69PhZAA +rjOOuapa/h1tMYbdOc3Y/fPPzkNcYiamSk6rS/tbhtE +--- UKvt/4aAyYHOk5bhAP55yxPhkxTE94/xEqIqpGF3yiE +5; _EDB ssh-ed25519 CUCjXQ ptHKlNvz+AmnB/Wt9XBBNyfOGeoPG5TbyrXv5993PDQ +P0C17K+Kz8ocn0vzLf02aaYnxvRM/yjfRLMsBaJhsok +-> ssh-ed25519 U9FXlg /M8ryJjXAdlWhvNHbQgKUxe/UtL7HqEs9RqNDQBW3SM +p2d9OnOkU2Hx7+Kn+Z66qElFvczd3F4zVm5KXbOzYWY +--- PVd8mrRk/t6qv/U32/AZk9YssRU1yn3CLPeyaEPBXi0 +:Dx[cyyۙc4ɥ/އ^.=†ȯoGVQdXf^@TRegn 9UT \ No newline at end of file diff --git a/secrets/wg_sugarcane.age b/secrets/wg_sugarcane.age deleted file mode 100644 index fe26054..0000000 --- a/secrets/wg_sugarcane.age +++ /dev/null @@ -1,5 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 U9FXlg 7YXsTcRa8pco9Ic9fDSygCjNXrxFi5pHADtUqwOBPhg -0BYvRAhcQQ36kAXOW2QaS4S9rhenUx8xwbNozNdDpLM ---- V1E/2n1Ae5hlWhjAEziHA2J072a20GeKM+EtG+pT8cI -窴zWT좾G{"\ʖse>%)o|z!ēז2ࢨEs \ No newline at end of file diff --git a/secrets/wpa_conf.age b/secrets/wpa_conf.age index 068d352..2b6862e 100644 Binary files a/secrets/wpa_conf.age and b/secrets/wpa_conf.age differ