authorKjetil Orbekk <kj@orbekk.com>2022-05-31 06:07:43 -0400
committerKjetil Orbekk <kj@orbekk.com>2022-05-31 06:07:43 -0400
commit088518a080a8c839cb3daae26cc6aee4ef37a797 (patch)
tree7fff605ed29edca27d42cd679ee87efd5acc6407
parent69eae73fda6266ab8ede6c5442c0749f93690e70 (diff)
Update vpn config
-rw-r--r--config/vpn-client.nix20
-rw-r--r--machines/dragon.nix1
-rw-r--r--machines/x1-pincer.nix2
-rw-r--r--modules/vpn.nix46
-rw-r--r--secrets/dragon-wireguard-key.pub2
-rw-r--r--secrets/firelink-wireguard-key.pub2
-rw-r--r--secrets/pincer-wireguard-key.pub2
-rw-r--r--secrets/tiny1-wireguard-key.pub2
8 files changed, 59 insertions, 18 deletions
diff --git a/config/vpn-client.nix b/config/vpn-client.nix
index 5c10239..9b493e8 100644
--- a/config/vpn-client.nix
+++ b/config/vpn-client.nix
@@ -7,16 +7,16 @@ in
interfaces = {
wg0 = {
ips = [ "10.35.190.2/23" ];
- privateKeyFile = "/opt/secret/wireguard/wg0.key";
- listenPort = port;
- allowedIPsAsRoutes = false;
- peers = [
- {
- publicKey = "KT4sWKnlvPebJh0pYhGpiZksn4cCwKreB6fQCJV49F8=";
- endpoint = "dragon.orbekk.com:${toString port}";
- allowedIPs = ["0.0.0.0/0" "::/0"];
- }
- ];
+ privateKeyFile = "/opt/secret/wireguard/wg0.key";
+ listenPort = port;
+ allowedIPsAsRoutes = false;
+ peers = [
+ {
+ publicKey = "KT4sWKnlvPebJh0pYhGpiZksn4cCwKreB6fQCJV49F8=";
+ endpoint = "dragon.orbekk.com:${toString port}";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ }
+ ];
};
};
};
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 529c82e..8414449 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -14,6 +14,7 @@ in {
orbekk.nextcloud.enable = true;
orbekk.backups.enableServer = true;
orbekk.backups.enableClient = true;
+ orbekk.vpn.enable = true;
environment.systemPackages = with pkgs; [ ipmitool ];
programs.mosh.enable = true;
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index 97ae60d..47b0c16 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -14,6 +14,8 @@ let ports = {
orbekk.simple-firewall.allowedTCPPorts = [ ports.minecraft 631 5353 ]; # socks proxy
orbekk.login.enable = true;
+ orbekk.vpn.enable = true;
+
services.printing.enable = true;
services.printing.drivers = with pkgs; [ gutenprint brlaser ];
services.openssh.enable = true;
diff --git a/modules/vpn.nix b/modules/vpn.nix
index fb6fd3a..d8ae327 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -2,12 +2,47 @@
let
cfg = config.orbekk.vpn;
+
+ vpn-prefix = "2001:470:8e2e:1000";
+
+ mkConfig = host: ip: {
+ ips = [ "${vpn-prefix}::d/64" ];
+ publicKey = (builtins.readFile ../secrets/${host}-wireguard-key.pub);
+ endpoint = null;
+ server = false;
+ };
+
+ hosts = {
+ dragon = mkConfig "dragon" "d" // {
+ endpoint = "dragon.orbekk.com:${toString cfg.listenPort}";
+ server = true;
+ };
+ tiny1 = mkConfig "tiny1" "1001" // {
+ endpoint = "tiny1.orbekk.com:${toString cfg.listenPort}";
+ server = true;
+ };
+ firelink = mkConfig "firelink" "2001";
+ pincer = mkConfig "pincer" "2002";
+ };
+
+ mkPeer = hostConfig: {
+ inherit (hostConfig) publicKey endpoint;
+ allowedIPs = (lib.optionals (!hostConfig.server) [ "0.0.0.0/0" "::/0" ]);
+ };
+
+ getPeers = host:
+ builtins.map mkPeer (builtins.attrValues (builtins.removeAttrs hosts [host]));
in
{
options = {
orbekk.vpn = {
enable = lib.mkEnableOption "Enable VPN";
+ is_server = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
listenPort = lib.mkOption {
type = lib.types.port;
default = 40421;
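Review bot: `mkConfig` never uses its `ip` parameter — the address is the literal `"${vpn-prefix}::d/64"`, so dragon, tiny1, firelink and pincer all receive the same `2001:470:8e2e:1000::d/64`, and the `ips = hosts.${config.networking.hostName}.ips;` line in the next hunk hands every machine that one colliding address; it should read `ips = [ "${vpn-prefix}::${ip}/64" ];`. The `allowedIPs` in `mkPeer` also looks inverted: with `lib.optionals (!hostConfig.server)` a client gets `[]` for the dragon/tiny1 peers (so no traffic is ever sent to or accepted from the servers), while on a server both client peers claim `0.0.0.0/0` and `::/0`, and WireGuard's cryptokey routing keeps only the last peer that claims a prefix — presumably the intent is the default route only for server peers on clients and the peer's own `${vpn-prefix}::${ip}/128` for client peers on servers, which is worth confirming against the running config. `builtins.readFile` on the `.pub` files includes any trailing newline in `publicKey`, which is why this commit has to strip the newline from the four key files; `lib.fileContents ../secrets/${host}-wireguard-key.pub` would make that robust. The `is_server` option is declared but never read (the per-host `server` flag is what the module uses), so either drop it or name it `isServer` to match `listenPort`.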
@@ -19,15 +54,18 @@ in
config = lib.mkIf cfg.enable {
orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+ age.secrets = {
+ "${config.networking.hostName}-wireguard-key".file = ./. + "/../secrets/${config.networking.hostName}-wireguard-key.age";
+ };
+
networking.wireguard = {
enable = true;
interfaces.vpn = {
- privateKeyFile = "/opt/secret/wireguard/vpn.private";
- ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ ips = hosts.${config.networking.hostName}.ips;
+ privateKeyFile = "${config.age.secrets."${config.networking.hostName}-wireguard-key".path}";
allowedIPsAsRoutes = false;
listenPort = cfg.listenPort;
- peers = [
- ];
+ peers = getPeers config.networking.hostName;
};
};
};
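Review bot: The `privateKeyFile` line wraps a plain string in an unnecessary interpolation — `privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-key".path;` is equivalent — and the `age.secrets` entry builds its path as `./. + "/../secrets/..."` while the first hunk already uses the path-interpolation form `../secrets/${host}-wireguard-key.pub`; using `../secrets/${config.networking.hostName}-wireguard-key.age` in both places keeps the two consistent. `hosts.${config.networking.hostName}.ips` fails evaluation on any machine missing from `hosts`, which is the right (fail-closed) outcome but yields an opaque attribute-missing error; a guard such as `assert lib.assertMsg (hosts ? ${config.networking.hostName}) "orbekk.vpn: no host entry for ${config.networking.hostName}";` at the top of the `config` block would make the cause obvious.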
diff --git a/secrets/dragon-wireguard-key.pub b/secrets/dragon-wireguard-key.pub
index b0240a4..6e07e24 100644
--- a/secrets/dragon-wireguard-key.pub
+++ b/secrets/dragon-wireguard-key.pub
@@ -1 +1 @@
-9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M=
+9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M= \ No newline at end of file
diff --git a/secrets/firelink-wireguard-key.pub b/secrets/firelink-wireguard-key.pub
index 351e014..dc6d910 100644
--- a/secrets/firelink-wireguard-key.pub
+++ b/secrets/firelink-wireguard-key.pub
@@ -1 +1 @@
-sTE+FyNboviDw8QR59GNX1XUCQzkPs0Kzb1PqPDQFl8=
+sTE+FyNboviDw8QR59GNX1XUCQzkPs0Kzb1PqPDQFl8= \ No newline at end of file
diff --git a/secrets/pincer-wireguard-key.pub b/secrets/pincer-wireguard-key.pub
index 4197752..ad36b9b 100644
--- a/secrets/pincer-wireguard-key.pub
+++ b/secrets/pincer-wireguard-key.pub
@@ -1 +1 @@
-yGd5DeRN4Ct2Qg2xhnhQODgo0ikYTut2js/2WfIe5WI=
+yGd5DeRN4Ct2Qg2xhnhQODgo0ikYTut2js/2WfIe5WI= \ No newline at end of file
diff --git a/secrets/tiny1-wireguard-key.pub b/secrets/tiny1-wireguard-key.pub
index 3617334..93946eb 100644
--- a/secrets/tiny1-wireguard-key.pub
+++ b/secrets/tiny1-wireguard-key.pub
@@ -1 +1 @@
-FkjOPuH3RUGoE8L93DlXiC99NE1Bwy/zHkG7CcxVKAU=
+FkjOPuH3RUGoE8L93DlXiC99NE1Bwy/zHkG7CcxVKAU= \ No newline at end of file