wireguard/home: Make vueko central server

This also restructures the wireguard/home configuration, since better
peer management is now possible.
This commit is contained in:
Simon Bruder 2021-02-20 19:03:40 +01:00
parent c921c2802a
commit be7e67cf1f
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
4 changed files with 61 additions and 23 deletions


@ -14,10 +14,7 @@
media-proxy.enable = true; media-proxy.enable = true;
restic.enable = true; restic.enable = true;
unfree.allowSoftware = true; unfree.allowSoftware = true;
wireguard.home = { wireguard.home.enable = true;
enable = true;
address = "10.80.0.4";
};
}; };
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;


@ -18,10 +18,7 @@
]; ];
}; };
unfree.allowSoftware = true; unfree.allowSoftware = true;
wireguard.home = { wireguard.home.enable = true;
enable = true;
address = "10.80.0.5";
};
}; };
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;


@ -17,10 +17,7 @@ in
sbruder = { sbruder = {
restic.enable = true; restic.enable = true;
wireguard.home = { wireguard.home.enable = true;
enable = true;
address = "10.80.0.6";
};
full = false; full = false;
mailserver = { mailserver = {


@ -1,6 +1,31 @@
{ lib, config, ... }: { lib, config, ... }:
let let
serverHostName = "vueko";
peers = {
issei = {
address = "10.80.0.1";
publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA=";
};
nunotaba = {
address = "10.80.0.4";
publicKey = "DvR8mUkll4uyYhNcX82caMkbcw0Lykg8zDzm/3PD5jw=";
};
sayuri = {
address = "10.80.0.5";
publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
};
vueko = {
address = "10.80.0.6";
publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
};
fuuko = {
address = "10.80.0.7";
publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
};
};
cfg = config.sbruder.wireguard.home; cfg = config.sbruder.wireguard.home;
enableServer = config.networking.hostName == serverHostName;
in in
{ {
options = { options = {
@ -8,8 +33,8 @@ in
enable = lib.mkEnableOption "WireGuard tunnel wg-home"; enable = lib.mkEnableOption "WireGuard tunnel wg-home";
address = lib.mkOption { address = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "IP(v4) address of the host"; visible = false;
example = "10.80.0.1"; readOnly = true;
}; };
}; };
}; };
@ -17,19 +42,41 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
krops.secrets.wg-home-private-key = { }; krops.secrets.wg-home-private-key = { };
sbruder.wireguard.home.address = peers."${config.networking.hostName}".address;
networking.wireguard.interfaces.wg-home = { networking.wireguard.interfaces.wg-home = {
privateKeyFile = config.krops.secrets.wg-home-private-key.path; privateKeyFile = config.krops.secrets.wg-home-private-key.path;
ips = [ "${cfg.address}/24" ]; ips = [ "${cfg.address}/24" ];
peers = [ listenPort = if enableServer then 51820 else null;
{ peers =
allowedIPs = [ "10.80.0.0/24" ]; if enableServer
publicKey = "UyZRAVTIc/RMs/J+591wrA8lHU0e8dwDJJwcpRb3xQA="; then
endpoint = "87.140.16.73:51820"; # IPv6 is tunneled so legacy is preferred map
persistentKeepalive = 25; (peerConfig: with peerConfig; {
} allowedIPs = [ "${address}/32" ];
]; inherit publicKey;
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != config.networking.hostName)
peers))
else [
{
allowedIPs = [ "10.80.0.0/24" ];
publicKey = peers."${serverHostName}".publicKey;
endpoint = "${serverHostName}.sbruder.de:51820";
persistentKeepalive = 25;
}
];
}; };
networking.firewall.trustedInterfaces = [ "wg-home" ]; networking.firewall = {
trustedInterfaces = [ "wg-home" ];
allowedUDPPorts = lib.optional enableServer 51820;
};
boot.kernel.sysctl = lib.optionalAttrs enableServer {
"net.ipv4.ip_forward" = 1;
};
}; };
} }
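Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = 1` on the server enables forwarding for every interface, not only wg-home; the peers' /32 allowedIPs bound what enters the tunnel, but nothing in this hunk restricts the FORWARD path for packets arriving on other interfaces, so that should be confirmed against the host's firewall configuration or recorded inline, e.g. `# global: also forwards between non-wg interfaces unless the FORWARD chain restricts it`. The client endpoint now resolves `${serverHostName}.sbruder.de` at handshake time, and the removed line carried the rationale that IPv6 is tunneled, so if that name also publishes an AAAA record the handshake may be attempted toward an address reachable only through the tunnel itself — keep the rationale on the endpoint line, e.g. `endpoint = "${serverHostName}.sbruder.de:51820"; # must resolve to an address reachable outside the tunnel`. `peers."${config.networking.hostName}".address` fails with a generic missing-attribute error for a host that enables the module but is absent from `peers`; an `assertions` entry naming the host would make that misconfiguration obvious. The port 51820 is also spelled out three times (listenPort, endpoint, allowedUDPPorts); a single `port = 51820;` binding in the `let` block would keep them in step.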