From d1f2b13232d88a284d749c5f37ae102fa825ec0c Mon Sep 17 00:00:00 2001 From: yuri Date: Sun, 17 Sep 2023 21:04:22 +0200 Subject: [PATCH] Add missing wireguard-tools dependency --- config/environments/openstack-vm/default.nix | 4 +- .../openstack-vm/hardware-configuration.nix | 24 ---- config/hosts/lifeline/configuration.nix | 50 +------- config/hosts/mail-1/configuration.nix | 12 +- config/hosts/valkyrie/configuration.nix | 111 +++++++++++++----- config/hosts/valkyrie/secrets.nix | 16 +++ pkgs/wireguard-nat-nftables/default.nix | 3 +- 7 files changed, 107 insertions(+), 113 deletions(-) delete mode 100644 config/environments/openstack-vm/hardware-configuration.nix diff --git a/config/environments/openstack-vm/default.nix b/config/environments/openstack-vm/default.nix index 8edb909..a2124f4 100644 --- a/config/environments/openstack-vm/default.nix +++ b/config/environments/openstack-vm/default.nix @@ -1,7 +1,7 @@ -{ lib, ... }: +{ lib, modulesPath, ... }: { imports = [ - ./hardware-configuration.nix + "${modulesPath}/virtualisation/openstack-config.nix" ]; users.users.root.initialPassword = lib.mkForce null; diff --git a/config/environments/openstack-vm/hardware-configuration.nix b/config/environments/openstack-vm/hardware-configuration.nix deleted file mode 100644 index cf5fdd0..0000000 --- a/config/environments/openstack-vm/hardware-configuration.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ ... }: -{ - fileSystems."/" = { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - boot = { - growPartition = true; - kernelParams = [ "console=tty1" ]; - loader.grub = { - enable = true; - device = "/dev/vda"; - extraConfig = '' - serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1 - terminal_output console serial - terminal_input console serial - ''; - }; - }; - - systemd.services."serial-getty@tty1".enable = true; -} 
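Review bot: Swapping the local hardware-configuration.nix for nixpkgs' `virtualisation/openstack-config.nix` imports that module's full set of defaults, not only the disk/bootloader settings the deleted file carried; as far as I recall it also enables cloud-init and sshd and sets a root `initialPassword`, which the `lib.mkForce null` kept on the following line already neutralises, so confirm the rest (cloud-init fetching metadata over the network in particular) is wanted on these VMs. The deleted file enabled `serial-getty@tty1` and a serial grub terminal; if console access through the OpenStack dashboard still matters, check that the upstream module provides an equivalent, since nothing in this hunk restores it. A one-line comment above the import would help the next reader, e.g. `# upstream module brings disk layout, grub, cloud-init and sshd; its root initialPassword is forced off below`.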
diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index b26eb44..d31ab0a 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ ... }: { boot.loader.grub = { enable = true; @@ -10,54 +10,6 @@ networking = { hostName = "lifeline"; useDHCP = true; - wireguard = { - enable = true; - interfaces.wg0 = { - privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret"; - listenPort = 51820; - ips = [ - "172.16.50.1/24" - ]; - peers = [ - { - name = "mail-1"; - publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret"; - allowedIPs = [ "172.16.50.2/32" ]; - } - ]; - postSetup = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE - ''; - postShutdown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE - ''; - }; - }; - nat = { - enable = true; - internalInterfaces = [ "wg0" ]; - externalInterface = "ens6"; - forwardPorts = [ - { - destination = "172.16.50.2:25"; - proto = "tcp"; - sourcePort = 25; - } - { - destination = "172.16.50.2:465"; - proto = "tcp"; - sourcePort = 465; - } - { - destination = "172.16.50.2:993"; - proto = "tcp"; - sourcePort = 993; - } - ]; - }; firewall = { enable = true; allowedUDPPorts = [ 51820 ]; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index 4638917..b66124e 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -30,7 +30,7 @@ via = "10.202.41.1"; } { - address = "217.160.117.160"; # + address = "212.53.203.19"; # valkyrie.af.grzb.de prefixLength = 32; via = "10.202.41.1"; } 
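Review bot: The trailing context of this hunk still opens UDP 51820 in lifeline's firewall (`allowedUDPPorts = [ 51820 ];`) although the WireGuard interface that listened on it is removed above, so the host keeps accepting unsolicited datagrams on a port nothing serves; change it to `allowedUDPPorts = [ ];` or drop the line. The diffstat lists no lifeline secrets file, so the old private key and PSK files under /secrets presumably remain deployed on a host that no longer uses them; remove those deployment keys (and retire the lifeline key pair) so a stale credential is not left behind. The `networking` attrset continues past the end of the hunk.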
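Review bot: The new address `212.53.203.19` appears as a bare literal both in this static route and in the wg0 peer `endpoint` of the next hunk, tied together only by a comment; the route presumably exists so the endpoint is reached outside the `0.0.0.0/0` tunnel route, so the two must stay in step. Bind it once, e.g. `let valkyrieAddr = "212.53.203.19"; in` at the top of the file, and reference it in both places. The route list this hunk edits starts before the hunk.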
@@ -44,15 +44,15 @@ ]; peers = [ { - name = "lifeline"; - publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY="; - presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret"; - endpoint = "lifeline.io.grzb.de:51820"; + name = "valkyrie"; + publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + endpoint = "212.53.203.19:51821"; allowedIPs = [ "0.0.0.0/0" ]; persistentKeepalive = 25; } ]; - privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret"; + privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; }; }; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index 1d73f92..f6de52a 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true; 
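Review bot: `privateKeyFile` and `presharedKeyFile` now point at `/secrets/wireguard-mail-1-wg0-privatekey.secret` and `/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret`, but the diffstat lists only `valkyrie/secrets.nix` among secret files, so nothing in this commit deploys those two files to mail-1; unless they are provisioned elsewhere, wg0 fails to come up at activation and, with `allowedIPs = [ "0.0.0.0/0" ]`, the host loses its default route through the tunnel. Either add the matching `deployment.keys` entries for mail-1 in this commit or keep the old file names until the new ones exist. A short comment on the `endpoint` line would also help, e.g. `# literal IP, kept in sync with the /32 static route above`. The enclosing `interfaces.wg0` attrset begins before the hunk.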
@@ -8,41 +8,90 @@ firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 51820 51827 51828 ]; + allowedUDPPorts = [ 51820 51821 51827 51828 ]; }; wireguard = { enable = true; - interfaces.wg0 = { - listenPort = 51820; - ips = [ - "10.203.10.3/24" - ]; - peers = [ - { - name = "site1-grzb"; - publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; - endpoint = "site1.grzb.de:51826"; - allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; - } - { - name = "site2-grzb"; - publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; - endpoint = "site2.grzb.de:51826"; - allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; - } - { - name = "site2-jsts"; - publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; - presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; - endpoint = "site1.jsts.xyz:51823"; - allowedIPs = [ "10.203.10.4/32" ]; - } - ]; - privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + interfaces = { + # Site-to-site WireGuard setup also used for nftables dnat IP refresh thingy + wg0 = { + listenPort = 51820; + ips = [ + "10.203.10.3/24" + ]; + peers = [ + { + name = "site1-grzb"; + publicKey = "SJ8xCRb4hWm5EnXoV4FnwgbiaxmY2wI+xzfk+3HXERg="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-grzb-psk.secret"; + endpoint = "site1.grzb.de:51826"; + allowedIPs = [ "10.203.10.1/32" "10.201.0.0/16" ]; + } + { + name = "site2-grzb"; + publicKey = "BbNeBTe6HwQuHPK+ZQXWYRZJJMPdS0h81n07omYyRl4="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site2-grzb-psk.secret"; + endpoint = "site2.grzb.de:51826"; + allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; + } + { + name = "site2-jsts"; + publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; + presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; + endpoint = 
"site1.jsts.xyz:51823"; + allowedIPs = [ "10.203.10.4/32" ]; + } + ]; + privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret"; + }; + # mail-1 VPN + wg1 = { + listenPort = 51821; + ips = [ + "172.16.50.1/24" + ]; + peers = [ + { + name = "mail-1"; + publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs="; + presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret"; + allowedIPs = [ "172.16.50.2/32" ]; + } + ]; + postSetup = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE + ''; + privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; + }; }; }; + nat = { + enable = true; + internalInterfaces = [ "wg1" ]; + externalInterface = "ens3"; + forwardPorts = [ + { + destination = "172.16.50.2:25"; + proto = "tcp"; + sourcePort = 25; + } + { + destination = "172.16.50.2:465"; + proto = "tcp"; + sourcePort = 465; + } + { + destination = "172.16.50.2:993"; + proto = "tcp"; + sourcePort = 993; + } + ]; + }; }; services.prometheus.exporters.node.enable = false; diff --git a/config/hosts/valkyrie/secrets.nix b/config/hosts/valkyrie/secrets.nix index 7e7512c..4395a6d 100644 --- a/config/hosts/valkyrie/secrets.nix +++ b/config/hosts/valkyrie/secrets.nix 
@@ -32,4 +32,20 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { + keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; } diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix index 4a75703..e687cee 100644 --- a/pkgs/wireguard-nat-nftables/default.nix +++ b/pkgs/wireguard-nat-nftables/default.nix @@ -4,12 +4,13 @@ let nftables = (prev.nftables.override { withPython = true; }); }; pkgs-overlay = pkgs.extend nftablesWithPythonOverlay; -in +in pkgs-overlay.python310Packages.buildPythonApplication { pname = "wireguard-nat-nftables"; version = "0.0.1"; propagatedBuildInputs = with pkgs-overlay; [ + wireguard-tools python310Packages.nftables ];
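Review bot: Both new entries deploy WireGuard key material (the wg1 private key and the mail-1 PSK) with `permissions = "0640"`; only root needs to read them, so tighten both to `permissions = "0600";` as the least-privilege default — group root is harmless today, but the mode gets copied into the next entry. The two `keyCommand` lists repeat the same `env GNUPGHOME=... PASSWORD_STORE_DIR=... pass` prefix; a small helper such as `passInfra = name: [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" name ];` would remove the duplication. The attrset being extended begins before the hunk.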