This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
# SPDX-License-Identifier: AGPL-3.0-or-later
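{ lib, config, pkgs, ... }:

let
  # The peer that terminates the tunnel: it is the only one with a fixed
  # endpoint and listening port, and it forwards traffic between the other
  # peers.  Every other host only ever has a WireGuard session with it.
  serverHostName = "vueko";
  serverPort = 51820;
  subnet = "10.80.0.0/24";
  # Derived from `subnet` so the interface address and the routed range cannot
  # silently drift apart when the subnet is changed.
  subnetPrefixLength = lib.last (lib.splitString "/" subnet);

  # All participants of wg-home: their address inside `subnet` and their
  # WireGuard public key.  Only public keys live here; each machine's private
  # key comes from its own sops file (see wg-home-private-key below).
  peers = {
    hitagi = {
      address = "10.80.0.5";
      publicKey = "t7hpd2yZupAKHxYerHtXnlPRUjV1aGbrrzjYakKdOwE=";
    };
    vueko = {
      address = "10.80.0.6";
      publicKey = "JbOfL4FxPCzJOjI8AGklPHY2FniCXq0QwOa08gjSyns=";
    };
    fuuko = {
      address = "10.80.0.7";
      publicKey = "VXic8mhaJBSl6yFkx0Cu6JI8tqqjjM3UbW7x+05pV0M=";
    };
    mayushii = {
      address = "10.80.0.9";
      publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
    };
    renge = {
      address = "10.80.0.15";
      publicKey = "/kdCL7MZxuXaEjnN5s5j5GaVlufIeJ890r9xPZbsElQ=";
    };
    nunotaba = {
      address = "10.80.0.4";
      publicKey = "LscDAJR0IjOzNuwX3geYgcvxyvaNhAOc/ojgvGyunT8=";
    };
    okarin = {
      address = "10.80.0.10";
      publicKey = "KjDdTOVZ9RadDrNjJ11BWsY8SNBmDbuNoKm72wh9uCk=";
    };
    shinobu = {
      address = "10.80.0.12";
      publicKey = "ErLWueo4ikYH/mKHr3axyoAVZh+Bdh1NQBet42aD0kk=";
    };
    nazuna = {
      address = "10.80.0.13";
      publicKey = "TALmk853OVeRYoLWFcOE+caRGYmbnkHpLAHIIL2nuyQ=";
    };
    yuzuru = {
      address = "10.80.0.16";
      publicKey = "sRTAhbGVfxLqYaWr6uwnPJPphu6Cikpj2aXwNrhV5DU=";
    };
  };

  cfg = config.sbruder.wireguard.home;
  hostName = config.networking.hostName;
  enableServer = hostName == serverHostName;

  # Entry of this host in `peers`.  Looked up once here so that a host which
  # enables the module without being listed fails with a readable message
  # instead of a bare "attribute missing" from deep inside the networkd config.
  thisPeer = peers.${hostName} or (throw
    "sbruder.wireguard.home: ${hostName} is not listed in the peers of wg-home");

  # Peers the server accepts sessions from: everybody except itself.
  otherPeers = lib.attrValues (lib.filterAttrs (name: _: name != hostName) peers);
in
{
  options = {
    sbruder.wireguard.home = {
      enable = lib.mkEnableOption "WireGuard tunnel wg-home";

      # Filled in from `peers` below and exposed read-only, so other modules
      # can refer to this host's tunnel address and the tunnel subnet.
      address = lib.mkOption {
        type = lib.types.str;
        visible = false;
        readOnly = true;
      };

      subnet = lib.mkOption {
        type = lib.types.str;
        visible = false;
        readOnly = true;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # The private key is owned by the networkd user, the only process that
    # needs to read it.
    sops.secrets.wg-home-private-key = {
      owner = config.users.users.systemd-network.name;
      sopsFile = ./../../machines + "/${hostName}/secrets.yaml";
    };

    sbruder.wireguard.home = {
      address = thisPeer.address;
      inherit subnet;
    };

    systemd.network = {
      enable = true;

      netdevs.wg-home = {
        netdevConfig = {
          Kind = "wireguard";
          Name = "wg-home";
        };

        wireguardConfig = {
          PrivateKeyFile = config.sops.secrets.wg-home-private-key.path;
        } // lib.optionalAttrs enableServer {
          # Only the server binds a fixed port (and opens it in the firewall
          # below); clients use an ephemeral port and keep their NAT mapping
          # alive with PersistentKeepalive.
          ListenPort = serverPort;
        };

        wireguardPeers =
          if enableServer then
            # Each peer is pinned to exactly its own /32: WireGuard drops
            # packets whose inner source address is not in the sender's
            # AllowedIPs, so a peer cannot impersonate another tunnel address.
            map
              ({ address, publicKey, ... }: {
                wireguardPeerConfig = {
                  PublicKey = publicKey;
                  AllowedIPs = [ "${address}/32" ];
                };
              })
              otherPeers
          else [
            {
              wireguardPeerConfig = {
                PublicKey = peers.${serverHostName}.publicKey;
                # Only the tunnel subnet is sent through the server; this is
                # deliberately not a default route.
                AllowedIPs = [ subnet ];
                #Endpoint = "${serverHostName}.sbruder.de:${toString serverPort}"; # not possible because sadly not all devices have IPv6 connectivity
                # The server's public IPv4 address is pinned here and has to be
                # updated by hand if the server moves.
                Endpoint = "168.119.176.53:${toString serverPort}";
                PersistentKeepalive = 25;
              };
            }
          ];
      };

      networks.wg-home = {
        name = "wg-home";
        address = lib.singleton "${cfg.address}/${subnetPrefixLength}";
        # Peers only have a session with the server, so peer-to-peer traffic
        # has to be forwarded by it.
        networkConfig = lib.optionalAttrs enableServer {
          IPForward = "ipv4";
        };
      };
    };

    networking.firewall = {
      # NOTE(review): everything arriving on wg-home skips the host firewall
      # on every peer, so a compromised peer can reach any service listening
      # on another peer's tunnel address.  Acceptable for a tunnel between
      # trusted machines; revisit before adding less trusted devices.
      trustedInterfaces = [ "wg-home" ];
      allowedUDPPorts = lib.optional enableServer serverPort;
    };

    # Zone file for vpn.sbruder.de with one A record per peer, handed to the
    # knot module.  The SOA serial is a constant 1, so any secondary would not
    # notice changes to the peer list; fine as long as the zone is only served
    # from the generated file.
    sbruder.knot.generated-zones."vpn.sbruder.de" = pkgs.writeText "vpn.sbruder.de.zone" (''
      ; having $ORIGIN set here fails
      @ IN SOA ${serverHostName}.sbruder.de. hostmaster.sbruder.de. 1 86400 10800 3600000 3600
      @ IN NS ${serverHostName}.sbruder.de.
    '' + lib.concatStrings
      (lib.mapAttrsToList
        (peer: peerConfig: ''
          ${peer} IN A ${peerConfig.address}
        '')
        peers));
  };
}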