From fec939d816876376b19441e3294bd0bc36fad917 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Fri, 24 Feb 2023 22:41:15 +0100
Subject: [PATCH] wireguard/support: Init
---
 machines/vueko/secrets.yaml | 5 ++-
 modules/wireguard/default.nix | 1 +
 modules/wireguard/home.nix | 2 +-
 modules/wireguard/support.nix | 81 +++++++++++++++++++++++++++++++++++
 4 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 modules/wireguard/support.nix
diff --git a/machines/vueko/secrets.yaml b/machines/vueko/secrets.yaml
index 071dce5..a08ee6b 100644
--- a/machines/vueko/secrets.yaml
+++ b/machines/vueko/secrets.yaml
@@ -1,4 +1,5 @@
 wg-home-private-key: ENC[AES256_GCM,data:/RHNF6Zw6CTWa9ahUhGWRfkR8KIj+HdqUIojA1w6HQBFbZ/+Vo+CcYTYO5I=,iv:2sDH1P3VRjmLw6Ilkq0rw/hossHrNWP5uRvX9yr5fLE=,tag:KIT5GCfXuhg6RjA8+Nmtnw==,type:str]
+wg-support-private-key: ENC[AES256_GCM,data:KXbEctH6vxUWk3yhkBNKS/YbfjOOkhgR0BN+TqmDOb5wPK6SHQlH1DBsk9c=,iv:ZjFevB6IW2EwPITSpG+UtZL12POQ4l/rStnz4/20+Mc=,tag:ZxY7TdqkLB6Z+pQzjSo1zw==,type:str]
 media-sb-proxy-auth: ENC[AES256_GCM,data:hYKmrpIMotRaf47bt8LSyXT2FEUHu26SLtKCt2zh/ziFtH2empD2NTlpf+l5Q6VHW1r1RUyE0KdmNM4nZRumJ/NuP3Aa9ErGTI3qozjQk9Kl,iv:pLYZv8X76XQGBd36PjQPkiUNPR08PkIKuTqJ+mmaMcw=,tag:3PMAO3lOfT+y+1s8yJLvhA==,type:str]
 restic-rclone-ssh-key: ENC[AES256_GCM,data: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,iv:rwqEopfSJJ66yPKgrbVD8Id/CWCfIQi6FLByJZJbJUI=,tag:71J3OFgGNeJUyIZCNrFbqw==,type:str]
 restic-htpasswd: ENC[AES256_GCM,data:hqZxZ1KXDUqaJ4rsz58l6Jqmhmatm65aZx7aEBlDyBUm3NQFNjyjZlK570lfOdOfJhj0ZZPFRiCENBHTpMt8sdjvsQ4M+g==,iv:Sw/7MBrOy0nIHjF+v8qP7cF1vwfwWiCicl4yl0tOBJc=,tag:3RFktMbo/oETuqVzvjzGwA==,type:str]
@@ -8,8 +9,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-08-25T14:16:49Z"
- mac: ENC[AES256_GCM,data:e/9RK7hHX0Jft/27J5ImLxeYS9w7gdLM06/yoHOsgIdeKAzTqCUxVxyAK2JCmTA65iHybY0k8UkrjO73eC4fLUNjNOUIfWJPnEbgs4Ms0BSzRKHoEQ+OZesnaTpzg3BC8z+Y7Uq3PJ/btEFyap1sY4DR84q0oRU4og4/C+1lL7c=,iv:T8EM0HzzxIqdrl8rgfnc0edkr7QpZJWevZxHzo7HwVc=,tag:eS3bX6D0VL7HVFcXFLdk6Q==,type:str]
+ lastmodified: "2023-02-24T16:28:57Z"
+ mac: ENC[AES256_GCM,data:k2stXcDNr52vNXdC8x83E7awjrcKXXQiqY3AgJEgtM57U103Kv9c9Ppk8kX6bOGJ8/Wi3qacT2pZAvEUkD7waTz4RNJPbFgqAmp4tv3/tGj6alYyBw14KZYF0u/UHGbRgUYZc+rluk7BbijwDPuOXH3wQhgE5liOmWfJxyOj8vI=,iv:HrkQTXc3rH0xhgrHH6hboJCoKplk6AaoW5gdAMIphCU=,tag:T8kM9caHH0GkuxlWb8cSFA==,type:str]
 pgp:
 - created_at: "2021-04-06T11:13:54Z"
 enc: |
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index 21529b0..77dac83 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./home.nix
+ ./support.nix
 ];
 
 networking.wireguard.enable = true;
diff --git a/modules/wireguard/home.nix b/modules/wireguard/home.nix
index 55282f9..35aed52 100644
--- a/modules/wireguard/home.nix
+++ b/modules/wireguard/home.nix
@@ -86,7 +86,7 @@ in
 };
 
 boot.kernel.sysctl = lib.optionalAttrs enableServer {
- "net.ipv4.ip_forward" = 1;
+ "net.ipv4.ip_forward" = lib.mkOverride 999 1;
 };
 
 services.bind = lib.mkIf enableServer {
diff --git a/modules/wireguard/support.nix b/modules/wireguard/support.nix
new file mode 100644
index 0000000..8a5c954
--- /dev/null
+++ b/modules/wireguard/support.nix
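Review bot: The new `lib.mkOverride 999 1` on `net.ipv4.ip_forward` in home.nix is paired with a `lib.mkOverride 998 1` for the same sysctl in the support.nix hunk, and neither side says why the two priorities differ; if the two values ever diverge, the support.nix definition silently wins. A one-line comment would make the coupling explicit, e.g. `# Priority 999: support.nix sets the same sysctl at 998, so this must not conflict with it.` The matching comment belongs on the support.nix definition as well. The enclosing attribute set in home.nix starts and ends outside the hunk.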
@@ -0,0 +1,81 @@
+{ lib, config, pkgs, ... }:
+let
+ serverHostName = "vueko";
+ port = 51821;
+ peers = {
+ # Key of the server.
+ vueko = {
+ address = "10.80.16.1";
+ publicKey = "wN2vrYcltdrU+061SNcxThWklI5I/Mhbxh5+PmV/RTU=";
+ };
+ # Key for all of my hosts. One is enough, because it is only activated on demand.
+ simon = {
+ address = "10.80.16.2";
+ publicKey = "3jGyiDbwqNfwIT/UKDwxtcpT5zEc8re/k5kU0NLqEkg=";
+ };
+ # Keys for all hosts that are supported.
+ jane = {
+ address = "10.80.16.3";
+ publicKey = "pZJhYDMYaYn/Zyz5Kn660uWtvxh1bTAdyVDOjnR1j0w=";
+ };
+ };
+in
+{
+ config = lib.mkIf (config.networking.hostName == serverHostName) {
+ sops.secrets.wg-support-private-key = {
+ sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
+ };
+
+ networking.wireguard.interfaces.wg-support = {
+ privateKeyFile = config.sops.secrets.wg-support-private-key.path;
+ ips = [ "${peers.${serverHostName}.address}/24" ];
+ listenPort = port;
+ peers = map
+ (peerConfig: with peerConfig; {
+ allowedIPs = [ "${address}/32" ];
+ inherit publicKey;
+ })
+ (lib.attrValues
+ (lib.filterAttrs
+ (n: v: n != serverHostName)
+ peers));
+ };
+
+ networking.firewall.allowedUDPPorts = [
+ port
+ 53
+ ];
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkOverride 998 1;
+ };
+
+ services.bind = {
+ enable = true;
+ zones = lib.singleton {
+ name = "support.vpn.sbruder.de";
+ master = true;
+ file =
+ let
+ # !!! very hacky
+ hexStringToInt = hex: (builtins.fromTOML "int = 0x${hex}").int;
+
+ peerRecords = lib.concatStrings
+ (lib.mapAttrsToList
+ (peer: peerConfig: ''
+ ${peer} IN A ${peerConfig.address}
+ '')
+ peers);
+
+ peerRecordsHash = builtins.hashString "sha256" peerRecords;
+ serial = hexStringToInt (lib.substring 0 8 peerRecordsHash);
+ in
+ pkgs.writeText "support.vpn.sbruder.de.zone" (''
+ $TTL 3600
+ @ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. ${toString serial} 28800 3600 604800 3600
+ @ IN NS ${serverHostName}.sbruder.de.
+ '' + peerRecords);
+ };
+ };
+ };
+}
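Review bot: `networking.firewall.allowedUDPPorts = [ port 53 ]` opens UDP 53 on every interface, so the bind instance serving `support.vpn.sbruder.de` (and with it the 10.80.16.x addresses of the peers) is reachable from outside the tunnel rather than only by the WireGuard peers that need it. Only the WireGuard listen port has to be globally reachable; the DNS port can be scoped to the tunnel with `networking.firewall.allowedUDPPorts = [ port ];` and `networking.firewall.interfaces.wg-support.allowedUDPPorts = [ 53 ];`, and restricting `services.bind.listenOn` to the server's tunnel address would close the same gap at the service level. Separately, the hash-derived SOA serial (`serial = hexStringToInt (lib.substring 0 8 peerRecordsHash)`) is not monotonic across zone changes, which is harmless while there are no secondaries but worth stating in the comment next to `# !!! very hacky` so a later reader does not add a secondary without noticing.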