From 088518a080a8c839cb3daae26cc6aee4ef37a797 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Tue, 31 May 2022 06:07:43 -0400
Subject: Update vpn config

---
 config/vpn-client.nix | 20 ++++++++---------
 machines/dragon.nix | 1 +
 machines/x1-pincer.nix | 2 ++
 modules/vpn.nix | 46 ++++++++++++++++++++++++++++++++++----
 secrets/dragon-wireguard-key.pub | 2 +-
 secrets/firelink-wireguard-key.pub | 2 +-
 secrets/pincer-wireguard-key.pub | 2 +-
 secrets/tiny1-wireguard-key.pub | 2 +-
 8 files changed, 59 insertions(+), 18 deletions(-)

diff --git a/config/vpn-client.nix b/config/vpn-client.nix
index 5c10239..9b493e8 100644
--- a/config/vpn-client.nix
+++ b/config/vpn-client.nix
@@ -7,16 +7,16 @@ in
 interfaces = {
 wg0 = {
 ips = [ "10.35.190.2/23" ];
- privateKeyFile = "/opt/secret/wireguard/wg0.key";
- listenPort = port;
- allowedIPsAsRoutes = false;
- peers = [
- {
- publicKey = "KT4sWKnlvPebJh0pYhGpiZksn4cCwKreB6fQCJV49F8=";
- endpoint = "dragon.orbekk.com:${toString port}";
- allowedIPs = ["0.0.0.0/0" "::/0"];
- }
- ];
+ privateKeyFile = "/opt/secret/wireguard/wg0.key";
+ listenPort = port;
+ allowedIPsAsRoutes = false;
+ peers = [
+ {
+ publicKey = "KT4sWKnlvPebJh0pYhGpiZksn4cCwKreB6fQCJV49F8=";
+ endpoint = "dragon.orbekk.com:${toString port}";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ }
+ ];
 };
 };
 };
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 529c82e..8414449 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -14,6 +14,7 @@ in {
 orbekk.nextcloud.enable = true;
 orbekk.backups.enableServer = true;
 orbekk.backups.enableClient = true;
+ orbekk.vpn.enable = true;
 environment.systemPackages = with pkgs; [ ipmitool ];
 programs.mosh.enable = true;
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index 97ae60d..47b0c16 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -14,6 +14,8 @@ let ports = {
 orbekk.simple-firewall.allowedTCPPorts = [ ports.minecraft 631 5353 ]; # socks proxy
 orbekk.login.enable = true;
+ orbekk.vpn.enable = true;
+
 services.printing.enable = true;
 services.printing.drivers = with pkgs; [ gutenprint brlaser ];
 services.openssh.enable = true;
diff --git a/modules/vpn.nix b/modules/vpn.nix
index fb6fd3a..d8ae327 100644
--- a/modules/vpn.nix
+++ b/modules/vpn.nix
@@ -2,12 +2,47 @@
 let
 cfg = config.orbekk.vpn;
+
+ vpn-prefix = "2001:470:8e2e:1000";
+
+ mkConfig = host: ip: {
+ ips = [ "${vpn-prefix}::d/64" ];
+ publicKey = (builtins.readFile ../secrets/${host}-wireguard-key.pub);
+ endpoint = null;
+ server = false;
+ };
+
+ hosts = {
+ dragon = mkConfig "dragon" "d" // {
+ endpoint = "dragon.orbekk.com:${toString cfg.listenPort}";
+ server = true;
+ };
+ tiny1 = mkConfig "tiny1" "1001" // {
+ endpoint = "tiny1.orbekk.com:${toString cfg.listenPort}";
+ server = true;
+ };
+ firelink = mkConfig "firelink" "2001";
+ pincer = mkConfig "pincer" "2002";
+ };
+
+ mkPeer = hostConfig: {
+ inherit (hostConfig) publicKey endpoint;
+ allowedIPs = (lib.optionals (!hostConfig.server) [ "0.0.0.0/0" "::/0" ]);
+ };
+
+ getPeers = host:
+ builtins.map mkPeer (builtins.attrValues (builtins.removeAttrs hosts [host]));
 in
 {
 options = {
 orbekk.vpn = {
 enable = lib.mkEnableOption "Enable VPN";
+ is_server = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
 listenPort = lib.mkOption {
 type = lib.types.port;
 default = 40421;
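Review bot: `mkConfig` never uses its `ip` parameter — `ips = [ "${vpn-prefix}::d/64" ]` hard-codes `::d`, so dragon, tiny1, firelink and pincer all get the same address 2001:470:8e2e:1000::d on the vpn interface; the line should read `ips = [ "${vpn-prefix}::${ip}/64" ];`. `publicKey = (builtins.readFile ../secrets/${host}-wireguard-key.pub)` keeps whatever trailing newline the file has, which is presumably why this commit strips the newline from the four .pub files; `publicKey = lib.fileContents ../secrets/${host}-wireguard-key.pub;` strips it at evaluation time and does not depend on how the files were saved. In `mkPeer`, a `server = true` entry ends up with `allowedIPs = []`, which makes WireGuard discard every packet from that peer, while two `server = false` entries on the same host both claim `0.0.0.0/0` and `::/0`, which only one peer can own; the `!hostConfig.server` condition looks inverted, so please confirm which direction is intended. The new `is_server` option is declared but nothing in this diff reads it — the `hosts.*.server` flag is used instead — so either wire it up or drop it.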
@@ -19,15 +54,18 @@ in
 config = lib.mkIf cfg.enable {
 orbekk.simple-firewall.allowedUDPPorts = [ cfg.listenPort ];
+ age.secrets = {
+ "${config.networking.hostName}-wireguard-key".file = ./. + "/../secrets/${config.networking.hostName}-wireguard-key.age";
+ };
+
 networking.wireguard = {
 enable = true;
 interfaces.vpn = {
- privateKeyFile = "/opt/secret/wireguard/vpn.private";
- ips = [ "10.70.90.245/32" "fc00:bbbb:bbbb:bb01::7:5af4/128" ];
+ ips = hosts.${config.networking.hostName}.ips;
+ privateKeyFile = "${config.age.secrets."${config.networking.hostName}-wireguard-key".path}";
 allowedIPsAsRoutes = false;
 listenPort = cfg.listenPort;
- peers = [
- ];
+ peers = getPeers config.networking.hostName;
 };
 };
 };
diff --git a/secrets/dragon-wireguard-key.pub b/secrets/dragon-wireguard-key.pub
index b0240a4..6e07e24 100644
--- a/secrets/dragon-wireguard-key.pub
+++ b/secrets/dragon-wireguard-key.pub
@@ -1 +1 @@
-9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M=
+9q8aH3R8YBfP3xiTmN5bNiLQswY5dy3grB/P0vDqP0M=
\ No newline at end of file
diff --git a/secrets/firelink-wireguard-key.pub b/secrets/firelink-wireguard-key.pub
index 351e014..dc6d910 100644
--- a/secrets/firelink-wireguard-key.pub
+++ b/secrets/firelink-wireguard-key.pub
@@ -1 +1 @@
-sTE+FyNboviDw8QR59GNX1XUCQzkPs0Kzb1PqPDQFl8=
+sTE+FyNboviDw8QR59GNX1XUCQzkPs0Kzb1PqPDQFl8=
\ No newline at end of file
diff --git a/secrets/pincer-wireguard-key.pub b/secrets/pincer-wireguard-key.pub
index 4197752..ad36b9b 100644
--- a/secrets/pincer-wireguard-key.pub
+++ b/secrets/pincer-wireguard-key.pub
@@ -1 +1 @@
-yGd5DeRN4Ct2Qg2xhnhQODgo0ikYTut2js/2WfIe5WI=
+yGd5DeRN4Ct2Qg2xhnhQODgo0ikYTut2js/2WfIe5WI=
\ No newline at end of file
diff --git a/secrets/tiny1-wireguard-key.pub b/secrets/tiny1-wireguard-key.pub
index 3617334..93946eb 100644
--- a/secrets/tiny1-wireguard-key.pub
+++ b/secrets/tiny1-wireguard-key.pub
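Review bot: `hosts.${config.networking.hostName}.ips` and `getPeers config.networking.hostName` fail with a bare attribute-missing error on any machine that sets `orbekk.vpn.enable` without an entry in `hosts`, and `builtins.removeAttrs` is silent when the name is absent, so the mistake surfaces as a confusing evaluation error rather than a named one; an assertion inside the `mkIf` makes it explicit, e.g. `assertions = [ { assertion = builtins.hasAttr config.networking.hostName hosts; message = "orbekk.vpn: no entry in hosts for ${config.networking.hostName}"; } ];`. Moving the private key from a hand-placed `/opt/secret/...` file to an age secret is an improvement; the age secret is presumably readable only by root, which is what the WireGuard interface setup needs — confirm the mode/owner defaults apply here. The quotes in `privateKeyFile = "${config.age.secrets."…".path}"` are redundant, since `.path` is already a string: `privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-key".path;`. `config.networking.hostName` is spelled out five times in this hunk; binding it once in the module's `let` (`hostName = config.networking.hostName;`) would make the section easier to read.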
@@ -1 +1 @@
-FkjOPuH3RUGoE8L93DlXiC99NE1Bwy/zHkG7CcxVKAU=
+FkjOPuH3RUGoE8L93DlXiC99NE1Bwy/zHkG7CcxVKAU=
\ No newline at end of file
-- cgit v1.2.3