nixos-config/modules/wireguard/home.nix
Simon Bruder 16cf73afb9
okarin: Migrate to different VPS
Previously, it was hosted on Ionos’s VMware-based infrastructure. I
already had a VPS on their new KVM-based infrastructure, as I was
planning to migrate okarin to it eventually (as it is cheaper). However,
the new infrastructure does not offer PTR records for IPv6 addresses.
Therefore, I was waiting until they would implement that feature (as the
support promised me they would to in the near future).

However, they are now migrating the (at least my) guests from their
VMware hypervisors onto the KVM ones, assigning new IPv6 addresses to
them. This makes the old VPS essentially the same as the old one, but
with less memory and more expensive. So I decided to migrate now.
2024-04-17 12:40:46 +02:00

152 lines
4.4 KiB
Nix

# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, config, pkgs, ... }:
let
serverHostName = "vueko";
serverPort = 51820;
subnet = "10.80.0.0/24";
peers = {
hitagi = {
address = "10.80.0.5";
publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
};
vueko = {
address = "10.80.0.6";
publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
};
fuuko = {
address = "10.80.0.7";
publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
};
mayushii = {
address = "10.80.0.9";
publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
};
renge = {
address = "10.80.0.15";
publicKey = "/kdCL7MZxuXaEjnN5s5j5GaVlufIeJ890r9xPZbsElQ=";
};
nunotaba = {
address = "10.80.0.4";
publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
};
okarin = {
address = "10.80.0.14";
publicKey = "QOxkngtrkuXVMZyqWeGKh2ozn3x7GJsxwrlKje7jDmA=";
};
shinobu = {
address = "10.80.0.12";
publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
};
nazuna = {
address = "10.80.0.13";
publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
};
yuzuru = {
address = "10.80.0.16";
publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
};
};
cfg = config.sbruder.wireguard.home;
enableServer = config.networking.hostName == serverHostName;
in
{
options = {
sbruder.wireguard.home = {
enable = lib.mkEnableOption "WireGuard tunnel wg-home";
address = lib.mkOption {
type = lib.types.str;
visible = false;
readOnly = true;
};
subnet = lib.mkOption {
type = lib.types.str;
visible = false;
readOnly = true;
};
};
};
config = lib.mkIf cfg.enable {
sops.secrets.wg-home-private-key = {
owner = config.users.users.systemd-network.name;
sopsFile = ./../../machines + "/${config.networking.hostName}/secrets.yaml";
};
sbruder.wireguard.home = {
address = peers."${config.networking.hostName}".address;
inherit subnet;
};
systemd.network = {
enable = true;
netdevs = {
wg-home = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-home";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
} // (lib.optionalAttrs enableServer {
ListenPort = serverPort;
});
wireguardPeers =
if enableServer
then
map
(peerConfig: with peerConfig; {
wireguardPeerConfig = {
PublicKey = publicKey;
AllowedIPs = [ "${address}/32" ];
};
})
(lib.attrValues
(lib.filterAttrs
(n: v: n != config.networking.hostName)
peers))
else [
{
wireguardPeerConfig = {
PublicKey = peers."${serverHostName}".publicKey;
AllowedIPs = [ subnet ];
#Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
Endpoint = "168.119.176.53:${toString serverPort}";
PersistentKeepalive = 25;
};
}
];
};
};
networks = {
wg-home = {
name = "wg-home";
address = lib.singleton "${config.sbruder.wireguard.home.address}/24";
networkConfig = lib.optionalAttrs enableServer {
IPForward = "ipv4";
};
};
};
};
networking.firewall = {
trustedInterfaces = [ "wg-home" ];
allowedUDPPorts = lib.optional enableServer serverPort;
};
sbruder.knot.generated-zones."vpn.sbruder.de" = pkgs.writeText "vpn.sbruder.de.zone" (''
; having $ORIGIN set here fails
@ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. 1 86400 10800 3600000 3600
@ IN NS ${serverHostName}.sbruder.de.
'' + lib.concatStrings
(lib.mapAttrsToList
(peer: peerConfig: ''
${peer} IN A ${peerConfig.address}
'')
peers));
};
}