-rw-r--r-- | config/vpn-client.nix | 24 | ||||
-rw-r--r-- | config/vpn-server.nix | 27 | ||||
-rw-r--r-- | flake.lock | 48 | ||||
-rw-r--r-- | machines/dragon.nix | 12 | ||||
-rw-r--r-- | modules/desktop.nix | 2 | ||||
-rw-r--r-- | modules/router.nix | 15 | ||||
-rw-r--r-- | modules/vpn.nix | 9 | ||||
-rw-r--r-- | secrets/dragon-wireguard-key.pub | 2 | ||||
-rw-r--r-- | secrets/secrets.nix | 8 |
9 files changed, 47 insertions, 100 deletions
diff --git a/config/vpn-client.nix b/config/vpn-client.nix deleted file mode 100644 index 9b493e8..0000000 --- a/config/vpn-client.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, lib, pkgs, ... }: -let - port = (import ../data/aliases.nix).services.wireguard.port; -in -{ - networking.wireguard = { - interfaces = { - wg0 = { - ips = [ "10.35.190.2/23" ]; - privateKeyFile = "/opt/secret/wireguard/wg0.key"; - listenPort = port; - allowedIPsAsRoutes = false; - peers = [ - { - publicKey = "KT4sWKnlvPebJh0pYhGpiZksn4cCwKreB6fQCJV49F8="; - endpoint = "dragon.orbekk.com:${toString port}"; - allowedIPs = ["0.0.0.0/0" "::/0"]; - } - ]; - }; - }; - }; -} - diff --git a/config/vpn-server.nix b/config/vpn-server.nix deleted file mode 100644 index 10b0c17..0000000 --- a/config/vpn-server.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, lib, pkgs, ... }: -let - port = (import ../data/aliases.nix).services.wireguard.port; -in -{ - networking = { - firewall.allowedTCPPorts = [ port ]; - firewall.allowedUDPPorts = [ port ]; - - wireguard = { - interfaces = { - wg0 = { - ips = [ "10.35.190.1/23" ]; - privateKeyFile = "/opt/secret/wireguard/wg0.key"; - listenPort = port; - allowedIPsAsRoutes = false; - peers = [ - { - publicKey = "ULWhaOsAaTu4cu84v3PM4DL7arxc/WNnzI/ic2k1KBU="; - allowedIPs = ["0.0.0.0/0" "::/0"]; - } - ]; - }; - }; - }; - }; -} @@ -74,11 +74,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1724000971, - "narHash": "sha256-I0JfUdavrcwr+eA/YxIUBhWX7WDPboc8UFMYmJ0OijA=", + "lastModified": 1724605786, + "narHash": "sha256-775X03n4D7cRhwDyFlbKd+CUsDeDvjM9DSArcohJx3c=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "baf55697c9e11c207789cf841cf286f7c1099568", + "rev": "86e302cd5f144f7bc4bb7a4d52536c92831c4c57", "type": "github" }, "original": { 
@@ -181,11 +181,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1723916191, - "narHash": "sha256-wbkh2Tyo1dUwY+35OtF2117u1QqdVAlvDx4vgaW/InU=", + "lastModified": 1724304322, + "narHash": "sha256-/nrlMDubg9oG2VNANRBxsas5RbcJtB6IIDPZC3yHLW8=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "dcc9afeea9d086cde9731ca90362c7bda62db6d0", + "rev": "924a18ea8df89a39166dd202f3e73cd022825768", "type": "github" }, "original": { @@ -242,11 +242,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1723310128, - "narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=", + "lastModified": 1724575805, + "narHash": "sha256-OB/kEL3GAhUZmUfkbPfsPhKs0pRqJKs0EEBiLfyKZw8=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf", + "rev": "9fc19be21f0807d6be092d70bf0b1de0c00ac895", "type": "github" }, "original": { @@ -258,11 +258,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1723637854, - "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", + "lastModified": 1724224976, + "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", + "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62", "type": "github" }, "original": { @@ -274,11 +274,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1723688146, - "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=", + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", "type": "github" }, "original": { 
@@ -290,11 +290,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1723637854, - "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", + "lastModified": 1724224976, + "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", + "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62", "type": "github" }, "original": { @@ -306,11 +306,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1722813957, - "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", + "lastModified": 1723991338, + "narHash": "sha256-Grh5PF0+gootJfOJFenTTxDTYPidA3V28dqJ/WV7iis=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", + "rev": "8a3354191c0d7144db9756a74755672387b702ba", "type": "github" }, "original": { @@ -338,11 +338,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1723688146, - "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=", + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", "type": "github" }, "original": { diff --git a/machines/dragon.nix b/machines/dragon.nix index 41e4167..4aea73b 100644 --- a/machines/dragon.nix +++ b/machines/dragon.nix @@ -4,7 +4,6 @@ let vpnPrefix = "2001:470:8e2e:1000"; in { imports = [ - ../config/keycloak.nix ../config/dns.nix ../config/web-server.nix ../config/cgit.nix @@ -19,7 +18,7 @@ in { orbekk.zomboid-server.enable = false; services.minecraft-server.declarative = true; - services.minecraft-server.enable = true; + services.minecraft-server.enable = false; services.minecraft-server.eula = true; services.minecraft-server.openFirewall = true; services.minecraft-server.serverProperties = { 
@@ -52,7 +51,8 @@ in { ]; programs.mosh.enable = true; - orbekk.hledger-web.enable = true; + # TODO: Enable this again? + orbekk.hledger-web.enable = false; orbekk.hledger-web.journalFile = "/var/lib/hledger-web/hledger/anniekj.journal"; @@ -117,7 +117,7 @@ in { terminal_output serial ''; loader.grub.enable = true; - loader.grub.device = "/dev/disk/by-id/usb-Kingston_DataTraveler_2.0_5B751B9A49E4-0:0"; + loader.grub.device = "/dev/disk/by-id/ata-CT500MX500SSD1_2422E8B6D64A"; }; networking = { hostName = lib.mkForce "dragon"; }; @@ -161,7 +161,7 @@ in { openssh.authorizedKeys.keyFiles = [ ../data/break_rsa.pub ]; }; - system.stateVersion = lib.mkForce "17.09"; + system.stateVersion = lib.mkForce "24.05"; # hardware-configuration.nix boot.initrd.availableKernelModules = @@ -171,7 +171,7 @@ in { boot.tmp.useTmpfs = true; fileSystems."/" = { - device = "/dev/disk/by-label/nixos-ssd"; + device = "/dev/disk/by-label/nixos"; fsType = "ext4"; options = [ "noatime,discard" diff --git a/modules/desktop.nix b/modules/desktop.nix index 7b4997b..8bb52d7 100644 --- a/modules/desktop.nix +++ b/modules/desktop.nix @@ -92,6 +92,8 @@ in { programs.firefox.nativeMessagingHosts.packages = [ pkgs.tridactyl-native ]; environment.systemPackages = with pkgs; [ + anki + opencpn # Wayland packages river waybar diff --git a/modules/router.nix b/modules/router.nix index fa5b19c..3bc7dab 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -147,6 +147,9 @@ let wantedBy = [ "multi-user.target" ]; path = [ pkgs.iproute ]; script = '' + ip -6 rule add from 2001:470:1f06:1194::2 table main priority 19000 suppress_prefixlength 0 || true + ip -6 rule add from 2001:470:1f06:1194::2 table he priority 20000 || true + ip -6 rule add fwmark ${toString heMark} table main priority 19000 suppress_prefixlength 0 || true ip -6 rule add fwmark ${toString heMark} table he priority 20000 || true ip -6 route replace default dev he0 table he 
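Review bot: `system.stateVersion = lib.mkForce "24.05";` re-pins a value this host previously declared as "17.09", and NixOS uses stateVersion to freeze defaults for stateful services (database directories and versions, state-file layouts), so on an installation that still carries old state the bump can silently change what those services look for under /var/lib. The new grub device and root label in the hunks at @@ -117 and @@ -171 suggest dragon was reinstalled on a fresh disk, in which case the new value is right, but the line should record that assumption: `system.stateVersion = lib.mkForce "24.05"; # fresh install on the CT500MX500 SSD; no pre-24.05 state carried over`.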
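Review bot: The three added `ip -6 rule add … || true` lines hard-code the tunnel address 2001:470:1f06:1194::2 that the prerouting chain hunk at @@ -310 also spells out as 2001:470:1f06:1194::/64, while the mark on the same lines already comes from `${toString heMark}`. A `let` binding beside heMark, e.g. `heTunnelAddr = "2001:470:1f06:1194::2";`, interpolated in both places keeps the routing rule and the mark rule from drifting apart. The `|| true` suffix also swallows every failure of `ip -6 rule add`, not only the rule-already-exists case it presumably guards on restart, so a mistyped rule leaves traffic from that address on the main table with nothing logged; running `ip -6 rule del … 2>/dev/null` before the add, or checking `ip -6 rule show` first, keeps the restart idempotent while letting a real failure surface. The script string continues past the end of this hunk.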
@@ -201,8 +204,8 @@ let dhcp-option=tag:servers-vport,option:dns-server,172.20.20.1 dhcp-range=tag:servers-vport,::,static,constructor:servers-vport,5m dhcp-host=id:*,tag:servers-vport,172.20.20.2 - dhcp-host=id:00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d] - # dhcp-host=id:dragon,::d + dhcp-host=id:00:01:00:01:2e:a3:07:37:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d] + #dhcp-host=tag:servers-vport,id:dragon,::d dhcp-range=tag:lan-vport,172.20.100.10,172.20.100.254,5m dhcp-option=tag:lan-vport,option:router,172.20.100.1 @@ -267,7 +270,6 @@ let ip6 nexthdr ipv6-icmp counter accept comment "accept all ICMP types" iifname wan-vport counter drop - meta nftrace set 1 counter drop } @@ -310,7 +312,8 @@ let chain prerouting { type filter hook prerouting priority -150 # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1 - ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} + ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter + ip6 saddr 2001:470:1f06:1194::/64 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} counter meta nfproto ipv4 iifname vpnlan-vport ip daddr != 172.20.0.0/16 meta mark set ${toString mullvadMark} meta nfproto ipv6 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/60 iifname vpnlan-vport meta mark set ${toString mullvadMark} } 
@@ -394,14 +397,12 @@ in { additionalCapabilities = ["CAP_NET_ADMIN"]; }; - age.secrets.dragon-wireguard-key.file = ./. - + "/../secrets/dragon-wireguard-key.age"; networking.wireguard.interfaces.wg-vpn = { # fwMark = "${toString vpnMark}"; socketNamespace = "router"; interfaceNamespace = "router"; ips = [ "${vpnPrefix}::1/128" ]; - privateKeyFile = config.age.secrets.dragon-wireguard-key.path; + privateKeyFile = "/opt/secret/wireguard/dragon-wireguard-key.priv"; listenPort = vpnPort; peers = let mkPeer = host: ip: { name = host; diff --git a/modules/vpn.nix b/modules/vpn.nix index b99b73e..fb6b255 100644 --- a/modules/vpn.nix +++ b/modules/vpn.nix @@ -48,11 +48,6 @@ in { orbekk.vpn = { enable = lib.mkEnableOption "Enable VPN"; - is_server = lib.mkOption { - type = lib.types.bool; - default = false; - }; - listenPort = lib.mkOption { type = lib.types.port; default = 40422; @@ -76,14 +71,14 @@ in { interfaces.vpn = { ips = hosts.${config.networking.hostName}.ips; privateKeyFile = - "${config.age.secrets."${config.networking.hostName}-wireguard-key".path}"; + "/opt/secret/wireguard/${config.networking.hostName}-wireguard-key.priv"; allowedIPsAsRoutes = true; listenPort = cfg.listenPort; peers = [ { name = "dragon"; endpoint = "vpn.orbekk.com:${toString cfg.listenPort}"; - publicKey = "9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M="; + publicKey = "msfXBbmViSmxLKD3R0WrcQSRTyMrcoM67FoD7VevEn0="; allowedIPs = ["${vpn-prefix}::/64"]; persistentKeepalive = 60; } diff --git a/secrets/dragon-wireguard-key.pub b/secrets/dragon-wireguard-key.pub index 6e07e24..abfd9ce 100644 --- a/secrets/dragon-wireguard-key.pub +++ b/secrets/dragon-wireguard-key.pub @@ -1 +1 @@ -9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M=
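Review bot: `privateKeyFile = "/opt/secret/wireguard/dragon-wireguard-key.priv";` replaces the agenix-managed `config.age.secrets.dragon-wireguard-key.path`, so the WireGuard private key becomes a file that nothing in the configuration provisions, owns or mode-checks; the modules/vpn.nix hunk at @@ -76 makes the same switch with a host-name-interpolated path. Agenix wrote the decrypted key as a root-owned 0400 file on every activation, whereas /opt/secret lives outside the declarative configuration, so a missing file now surfaces only when wg-vpn fails to come up, and a world-readable one does not surface at all. If leaving agenix is intentional (the secrets/secrets.nix hunk comments out the `dragon-wireguard-key.age` entry), say where the file comes from and pin the directory, e.g. `systemd.tmpfiles.rules = [ "d /opt/secret/wireguard 0700 root root -" ];` next to the interface definition plus a comment such as `# key provisioned out of band at install time; lives in /opt/secret, not in the repo`. The wg-vpn attribute set continues past the end of the hunk.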
\ No newline at end of file +msfXBbmViSmxLKD3R0WrcQSRTyMrcoM67FoD7VevEn0= diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 10340d9..e6c5f3a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,10 +10,10 @@ in { "pincer-borg-repo-key.age".publicKeys = [ pincer ]; "pincer-wireguard-key.age".publicKeys = [ pincer ]; - "dragon-wireguard-key.age".publicKeys = [ orbekk dragon ]; - "dragon-borg-ssh-key.age".publicKeys = [ dragon ]; - "dragon-borg-repo-key.age".publicKeys = [ dragon ]; - "dragon-keycloak.age".publicKeys = [ orbekk dragon pincer ]; + #"dragon-wireguard-key.age".publicKeys = [ orbekk dragon ]; + #"dragon-borg-ssh-key.age".publicKeys = [ dragon ]; + #"dragon-borg-repo-key.age".publicKeys = [ dragon ]; + #"dragon-keycloak.age".publicKeys = [ orbekk dragon pincer ]; "firelink-wireguard-key.age".publicKeys = [ firelink ]; "tiny1-wireguard-key.age".publicKeys = [ tiny1 ]; |
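Review bot: Commenting out the four dragon entries instead of deleting them leaves any corresponding `.age` files in secrets/ without a `publicKeys` declaration, so `agenix -r` no longer re-keys them and they stay encrypted to whatever recipients they had when last written, which presumably includes a dragon host key that the reinstall elsewhere in this commit replaced. If these secrets are retired, remove the lines and the `.age` files together (git history keeps both); if they are parked for a later reinstall, a one-line reason above the block, e.g. `# dragon now reads its keys from /opt/secret (modules/router.nix, modules/vpn.nix); re-enable and rekey when agenix returns`, tells the next reader why they are kept. `dragon-keycloak.age` deserves a decision of its own: its last declared recipients were orbekk, dragon and pincer, so if the file stays in the tree it remains decryptable on pincer even though dragon no longer imports ../config/keycloak.nix; if keycloak is gone for good, delete it rather than leave it parked.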