wireguard/support: Init

machines/vueko/secrets.yaml

@@ -1,4 +1,5 @@
 wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
+wg-support-private-key: ENC[AES256_GCM,data:KXbEctH6vxUWk3yhkBNKS/YbfjOOkhgR0BN+TqmDOb5wPK6SHQlH1DBsk9c=,iv:ZjFevB6IW2EwPITSpG+UtZL12POQ4l/rStnz4/20+Mc=,tag:ZxY7TdqkLB6Z+pQzjSo1zw==,type:str]
 media-sb-proxy-auth: ENC[AES256_GCM,data:hYKmrpIMotRaf47bt8LSyXT2FEUHu26SLtKCt2zh/ziFtH2empD2NTlpf+l5Q6VHW1r1RUyE0KdmNM4nZRumJ/NuP3Aa9ErGTI3qozjQk9Kl,iv:pLYZv8X76XQGBd36PjQPkiUNPR08PkIKuTqJ+mmaMcw=,tag:3PMAO3lOfT+y+1s8yJLvhA==,type:str]
 restic-rclone-ssh-key: ENC[AES256_GCM,data:IOVEsH7DcrX4Lcb5Vv8Qxshyoc5jOudRbLnc+iZ2aL05wGo2aUbtDusPrZ9QeIhw/09UAdJUXW6HudtVWPnmL9UJVr1Sm+JYMUS50QCE4DcX0kVV9u5DXiESwfJ+WHAQimShQEvjJ6SCgNBoZNTHcsr95H9G6Tn0XyAM3VYcm69+rzzBN3E0ohb06SOV6JOvtgLLN1BVB+dt6p1UlBuWt5XNc6YPd2T4Erf4FkiPHVneg66hcFFFMX453Qzv/z14aKM0NlEMhMKqLTGt0fsIlwoX4Wdq1KDWGtsf6oVZygCbGiOi57Sy5PjUDys8FmCdkV5PjnRQc4c0E1ynHk79stwbQzqJr/RVe2Tmo3KFgoOOrWYENXztQ+rewYnhsJKF2eVVMtBKf9CAbcrw7UTuVnyxzb9K/NpebAugo00w+4M95lv2Y/MxKf85xdCqGAtfgCJ9eOH3ZW2MUx4m9e5TrBzcS/ewyeXvzd69SBknyvdQ7GXqht5Nf6Ed2a1zj3LUYiLy3H/0/GLZVmoAlJ86,iv:rwqEopfSJJ66yPKgrbVD8Id/CWCfIQi6FLByJZJbJUI=,tag:71J3OFgGNeJUyIZCNrFbqw==,type:str]
 restic-htpasswd: ENC[AES256_GCM,data:hqZxZ1KXDUqaJ4rsz58l6Jqmhmatm65aZx7aEBlDyBUm3NQFNjyjZlK570lfOdOfJhj0ZZPFRiCENBHTpMt8sdjvsQ4M+g==,iv:Sw/7MBrOy0nIHjF+v8qP7cF1vwfwWiCicl4yl0tOBJc=,tag:3RFktMbo/oETuqVzvjzGwA==,type:str]
@@ -8,8 +9,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-08-25T14:16:49Z"
-    mac: ENC[AES256_GCM,data:e/9RK7hHX0Jft/27J5ImLxeYS9w7gdLM06/yoHOsgIdeKAzTqCUxVxyAK2JCmTA65iHybY0k8UkrjO73eC4fLUNjNOUIfWJPnEbgs4Ms0BSzRKHoEQ+OZesnaTpzg3BC8z+Y7Uq3PJ/btEFyap1sY4DR84q0oRU4og4/C+1lL7c=,iv:T8EM0HzzxIqdrl8rgfnc0edkr7QpZJWevZxHzo7HwVc=,tag:eS3bX6D0VL7HVFcXFLdk6Q==,type:str]
+    lastmodified: "2023-02-24T16:28:57Z"
+    mac: ENC[AES256_GCM,data:k2stXcDNr52vNXdC8x83E7awjrcKXXQiqY3AgJEgtM57U103Kv9c9Ppk8kX6bOGJ8/Wi3qacT2pZAvEUkD7waTz4RNJPbFgqAmp4tv3/tGj6alYyBw14KZYF0u/UHGbRgUYZc+rluk7BbijwDPuOXH3wQhgE5liOmWfJxyOj8vI=,iv:HrkQTXc3rH0xhgrHH6hboJCoKplk6AaoW5gdAMIphCU=,tag:T8kM9caHH0GkuxlWb8cSFA==,type:str]
     pgp:
         - created_at: "2021-04-06T11:13:54Z"
           enc: |

modules/wireguard/default.nix

@@ -1,6 +1,7 @@
 {
   imports = [
     ./home.nix
+    ./support.nix
   ];
 
   networking.wireguard.enable = true;

modules/wireguard/home.nix

@@ -86,7 +86,7 @@ in
     };
 
     boot.kernel.sysctl = lib.optionalAttrs enableServer {
-      "net.ipv4.ip_forward" = 1;
+      "net.ipv4.ip_forward" = lib.mkOverride 999 1;
     };
 
     services.bind = lib.mkIf enableServer {

modules/wireguard/support.nix

@@ -0,0 +1,81 @@
+{ lib, config, pkgs, ... }:
+let
+  serverHostName = "vueko";
+  port = 51821;
+  peers = {
+    # Key of the server.
+    vueko = {
+      address = "10.80.16.1";
+      publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
+    };
+    # Key for all of my hosts. One is enough, because it is only activated on demand.
+    simon = {
+      address = "10.80.16.2";
+      publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
+    };
+    # Keys for all hosts that are supported.
+    jane = {
+      address = "10.80.16.3";
+      publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
+    };
+  };
+in
+{
+  config = lib.mkIf (config.networking.hostName == serverHostName) {
+    sops.secrets.wg-support-private-key = {
+      sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
+    };
+
+    networking.wireguard.interfaces.wg-support = {
+      privateKeyFile = config.sops.secrets.wg-support-private-key.path;
+      ips = [ "${peers.${serverHostName}.address}/24" ];
+      listenPort = port;
+      peers = map
+        (peerConfig: with peerConfig; {
+          allowedIPs = [ "${address}/32" ];
+          inherit publicKey;
+        })
+        (lib.attrValues
+          (lib.filterAttrs
+            (n: v: n != serverHostName)
+            peers));
+    };
+
+    networking.firewall.allowedUDPPorts = [
+      port
+      53
+    ];
+
+    boot.kernel.sysctl = {
+      "net.ipv4.ip_forward" = lib.mkOverride 998 1;
+    };
+
+    services.bind = {
+      enable = true;
+      zones = lib.singleton {
+        name = "support.vpn.sbruder.de";
+        master = true;
+        file =
+          let
+            # !!! very hacky
+            hexStringToInt = hex: (builtins.fromTOML "int = 0x${hex}").int;
+
+            peerRecords = lib.concatStrings
+              (lib.mapAttrsToList
+                (peer: peerConfig: ''
+                  ${peer} IN A ${peerConfig.address}
+                '')
+                peers);
+
+            peerRecordsHash = builtins.hashString "sha256" peerRecords;
+            serial = hexStringToInt (lib.substring 0 8 peerRecordsHash);
+          in
+          pkgs.writeText "support.vpn.sbruder.de.zone" (''
+            $TTL 3600
+            @ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. ${toString serial} 28800 3600 604800 3600
+            @ IN NS ${serverHostName}.sbruder.de.
+          '' + peerRecords);
+      };
+    };
+  };
+}