From e7fe3707ee61ce391da613cf219b0b5435d8c6b1 Mon Sep 17 00:00:00 2001
From: fi
Date: Mon, 18 Sep 2023 03:38:09 +0200
Subject: [PATCH] Fix WireGuard nat rules
---
 config/hosts/lifeline/configuration.nix | 39 +++++-
 config/hosts/lifeline/secrets.nix | 8 +-
 config/hosts/mail-1/configuration.nix | 120 +++++++++++-------
 .../hosts/mail-1/simple-nixos-mailserver.nix | 3 +
 config/hosts/mail-2/configuration.nix | 91 +++++++++++++
 config/hosts/mail-2/default.nix | 7 +
 config/hosts/mail-2/postfix.nix | 17 +++
 config/hosts/mail-2/secrets.nix | 19 +++
 config/hosts/valkyrie/configuration.nix | 10 +-
 flake.lock | 12 +-
 hosts.nix | 4 +
 11 files changed, 269 insertions(+), 61 deletions(-)
 create mode 100644 config/hosts/mail-2/configuration.nix
 create mode 100644 config/hosts/mail-2/default.nix
 create mode 100644 config/hosts/mail-2/postfix.nix
 create mode 100644 config/hosts/mail-2/secrets.nix
diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix
index d31ab0a..1f53208 100644
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 { boot.loader.grub = { enable = true; 
@@ -14,6 +14,43 @@ enable = true; allowedUDPPorts = [ 51820 ]; };
+ # mail-2 VPN
+ wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ listenPort = 51820;
+ ips = [
+ "172.16.50.1/24"
+ ];
+ peers = [
+ {
+ name = "mail-2";
+ publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM=";
+ presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret";
+ allowedIPs = [ "172.16.50.2/32" ];
+ }
+ ];
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ '';
+ privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret";
+ };
+ };
+ nat = {
+ enable = true;
+ internalInterfaces = [ "wg0" ];
+ externalInterface = "ens6";
+ forwardPorts = [{
+ destination = "172.16.50.2:25";
+ proto = "tcp";
+ sourcePort = 25;
+ }];
+ }; }; services.prometheus.exporters.node.enable = false;
diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix
index 90f3f12..b14e281 100644
--- a/config/hosts/lifeline/secrets.nix
+++ b/config/hosts/lifeline/secrets.nix
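Review bot: The `postSetup`/`postShutdown` iptables hooks in `interfaces.wg0` duplicate what the `networking.nat` block added further down in the same hunk already does — with `internalInterfaces = [ "wg0" ]` and `externalInterface = "ens6"` the NixOS NAT module installs its own MASQUERADE rule for ens6 (and, as far as I recall, handles forwarding for the listed internal interfaces; confirm on the host with `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` after a rebuild), so two copies of the same rule are maintained and can drift, which is exactly the mismatch the valkyrie hunk of this commit is repairing. The hand-written `-A FORWARD -i wg0 -j ACCEPT` is also wider than the NAT needs: it has no `-o`, so traffic from the mail-2 peer may be forwarded to any interface lifeline has, not only out of ens6. I would drop both hooks and rely on `networking.nat`, or if they stay, pin them to `-i wg0 -o ens6` in both the `-A` and `-D` lines. The enclosing `networking` block starts before this hunk.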
@@ -1,15 +1,15 @@ { ... }: {
- deployment.keys."wireguard-lifeline-mail-1-lifeline-psk.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/psk" ];
+ deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; destDir = "/secrets"; user = "root"; group = "root"; permissions = "0640"; uploadAt = "pre-activation"; };
- deployment.keys."wireguard-lifeline-mail-1-lifeline-privatekey.secret" = {
- keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-1/lifeline-privatekey" ];
+ deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; destDir = "/secrets"; user = "root"; group = "root";
diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix
index d9b4fa6..c34643d 100644
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
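Review bot: Dropping the two `wireguard-lifeline-mail-1-*` entries stops deploying those keys, but depending on the deployment tool it may not remove the files already present under `/secrets` on lifeline; since the lifeline–mail-1 private key and PSK are no longer referenced by any configuration in this patch, they should be deleted from the host (and retired in the password store) rather than left lying around as readable key material. A one-line comment on the first remaining entry, `# wg0 private key for the mail-2 tunnel; the old mail-1 keys are retired (mail-1 now peers with valkyrie)`, would explain the rename to the next reader.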
@@ -1,61 +1,91 @@
-{ hosts, ... }:
+{ pkgs, ... }:
 { boot.loader.grub = { enable = true; device = "/dev/vda"; };
- networking = {
- hostName = "mail-1";
- useDHCP = true;
- defaultGateway = {
- address = "172.16.50.1";
- interface = "wg0";
- };
- interfaces.enp6s18.ipv4 = {
- routes = [
- {
- address = "10.201.0.0";
- prefixLength = 16;
- via = "10.202.41.1";
- }
- {
- address = "10.202.0.0";
- prefixLength = 16;
- via = "10.202.41.1";
- }
- {
- address = "172.21.87.0"; # management VPN
- prefixLength = 24;
- via = "10.202.41.1";
- }
- {
- address = "212.53.203.19"; # valkyrie.af.grzb.de
- prefixLength = 32;
- via = "10.202.41.1";
- }
- ];
- };
- wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [
- "172.16.50.2/24"
+ systemd.network = {
+ enable = true;
+ networks = {
+ "enp6s18" = {
+ matchConfig.Name = "enp6s18";
+ address = [
+ "10.202.41.123/24" ];
- peers = [
+ routes = [ {
- name = "valkyrie";
- publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
- presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
- endpoint = "212.53.203.19:51822";
- allowedIPs = [ "0.0.0.0/0" ];
- persistentKeepalive = 25;
+ routeConfig = {
+ Gateway = "10.202.41.1";
+ Destination = "10.201.0.0/16";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.202.41.1";
+ Destination = "10.202.0.0/16";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.202.41.1";
+ Destination = "172.21.87.0/24";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.202.41.1";
+ Destination = "212.53.203.19/32";
+ };
+ } ];
- privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "wg0" = {
+ matchConfig.Name = "wg0";
+ address = [
+ "172.16.50.2/24"
+ ];
+ DHCP = "no";
+ gateway = [
+ "172.16.50.1"
+ ];
+ };
+ };
+ netdevs = {
+ "wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
+ PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+ Endpoint = "212.53.203.19:51822";
+ AllowedIPs = [ "0.0.0.0/0" ];
+ PersistentKeepalive = 25;
+ };
+ }]; }; }; };
+ networking = {
+ hostName = "mail-1";
+ useDHCP = false;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 25 465 993 ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+ system.stateVersion = "23.05"; }
diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix
index 81fa130..63a0e3a 100644
--- a/config/hosts/mail-1/simple-nixos-mailserver.nix
+++ b/config/hosts/mail-1/simple-nixos-mailserver.nix
@@ -59,8 +59,11 @@ services.postfix = { transport = "relay:[mail-2.grzb.de]";
+<<<<<<< HEAD
 extraConfig = '' proxy_interfaces = 212.53.203.19 '';
+=======
+>>>>>>> 0e55e66 (Use systemd-networkd on mail servers)
 }; }
diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix
new file mode 100644
index 0000000..38384cb
--- /dev/null
+++ b/config/hosts/mail-2/configuration.nix
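Review bot: `PrivateKeyFile` and `PresharedKeyFile` in the new `netdevs."wg0"` block are now read by systemd-networkd instead of by the root-run `networking.wireguard` setup, and networkd runs as the `systemd-network` user, so both files must be readable by that group. mail-1's secrets.nix is not part of this patch; if it still deploys `/secrets/wireguard-mail-1-wg0-privatekey.secret` and the valkyrie PSK as `root:root 0640` the way lifeline's secrets.nix does, the netdev presumably comes up without a key — the new mail-2 secrets.nix uses `group = "systemd-network"` and mail-1 needs the same change. I would also state the routing intent on the `"wg0"` network, since the `/32` route to 212.53.203.19 via 10.202.41.1 is the only thing keeping the `AllowedIPs = [ "0.0.0.0/0" ]` default route from swallowing the tunnel's own endpoint: `# default route via valkyrie; the endpoint /32 and site prefixes are pinned to enp6s18 above`.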
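Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 0e55e66 (…)`) are committed into this Nix file, so mail-1's configuration will not evaluate until they are removed. The conflict is over whether `proxy_interfaces = 212.53.203.19` stays; mail-1 now sits behind valkyrie's NAT (its public address is presumably the 212.53.203.19 endpoint forwarded over wg1), so Postfix still needs that address in `proxy_interfaces` to recognise its own MX and avoid mail loops — the same reason mail-2's new postfix.nix sets `proxy_interfaces = 217.160.117.160`. I would resolve it by keeping the HEAD side (`extraConfig = '' proxy_interfaces = 212.53.203.19 '';`) and deleting the three marker lines. The `services.postfix` block starts before this hunk.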
@@ -0,0 +1,91 @@
+{ pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ systemd.network = {
+ enable = true;
+ networks = {
+ "enp6s18" = {
+ matchConfig.Name = "enp6s18";
+ address = [
+ "10.201.41.100/24"
+ ];
+ routes = [
+ {
+ routeConfig = {
+ Gateway = "10.201.41.1";
+ Destination = "10.201.0.0/16";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.201.41.1";
+ Destination = "10.202.0.0/16";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.201.41.1";
+ Destination = "172.21.87.0/24";
+ };
+ }
+ {
+ routeConfig = {
+ Gateway = "10.201.41.1";
+ Destination = "217.160.117.160/32";
+ };
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ "wg0" = {
+ matchConfig.Name = "wg0";
+ address = [
+ "172.16.50.2/24"
+ ];
+ DHCP = "no";
+ gateway = [
+ "172.16.50.1"
+ ];
+ };
+ };
+ netdevs = {
+ "wg0" = {
+ netdevConfig = {
+ Kind = "wireguard";
+ Name = "wg0";
+ };
+ wireguardConfig = {
+ PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = {
+ PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
+ PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
+ Endpoint = "217.160.117.160:51820";
+ AllowedIPs = [ "0.0.0.0/0" ];
+ PersistentKeepalive = 25;
+ };
+ }];
+ };
+ };
+ };
+
+ networking = {
+ hostName = "mail-2";
+ useDHCP = false;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 25 ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix
new file mode 100644
index 0000000..471f0d6
--- /dev/null
+++ b/config/hosts/mail-2/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./postfix.nix
+ ];
+}
diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix
new file mode 100644
index 0000000..d81e999
--- /dev/null
+++ b/config/hosts/mail-2/postfix.nix
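Review bot: The `"wg0"` network, the `wg0` netdev and the enp6s18 route list here are structurally identical to mail-1's in this same patch and differ only in addresses, endpoint and secret paths, so a shared module (a function taking the LAN address and gateway, the peer public key, the endpoint and the two key paths) would keep the two mail hosts from drifting apart. The route `Destination = "217.160.117.160/32"` via 10.201.41.1 is what stops the `AllowedIPs = [ "0.0.0.0/0" ]` default route from swallowing the tunnel's own endpoint, and deserves a comment because removing it would break the tunnel silently: `# lifeline endpoint must stay reachable via the LAN gateway, never via the tunnel itself`. With the default route on wg0, any LAN source not covered by the four enp6s18 routes is answered through lifeline; that may be intended, but it is worth stating next to the `gateway` entry.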
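Review bot: `imports` lists `./configuration.nix` and `./postfix.nix` but not `./secrets.nix`, which this same patch creates and which declares the `deployment.keys` that configuration.nix's `PrivateKeyFile`/`PresharedKeyFile` point at. If secrets.nix is wired in elsewhere (mail-1's default.nix is not in the diff to compare against), a comment here would save the next reader the search, e.g. `# secrets.nix is imported by the deployment layer, not here`; otherwise `./secrets.nix` should be added to the list, since without it the key files are never uploaded and the wg0 netdev has no key.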
@@ -0,0 +1,17 @@
+{ ... }: {
+ # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
+ services.postfix = {
+ enable = true;
+ hostname = "mail-2.grzb.de";
+ relayDomains = [
+ "grzb.de"
+ "nekover.se"
+ ];
+ extraConfig = ''
+ message_size_limit = 20971520
+ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
+ proxy_interfaces = 217.160.117.160
+ relay_recipient_maps =
+ '';
+ };
+}
diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix
new file mode 100644
index 0000000..70606af
--- /dev/null
+++ b/config/hosts/mail-2/secrets.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "systemd-network";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index 8751e09..008ead2 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -35,7 +35,7 @@ allowedIPs = [ "10.203.10.2/32" "10.202.0.0/16" ]; } {
- name = "site2-jsts";
+ name = "site1-jsts"; publicKey = "u9h+D8XZ62ABnetBRKnf6tjs+tJwM8fQ4d6ipOCLFyE="; presharedKeyFile = "/secrets/wireguard-valkyrie-site1-jsts-psk.secret"; endpoint = "site1.jsts.xyz:51823"; 
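Review bot: `relay_recipient_maps =` (empty) tells Postfix to accept every recipient in `grzb.de` and `nekover.se` for relay and only learn later, from mail-1's rejection, that the mailbox does not exist — at which point mail-2 bounces to whatever sender address was forged, which is the backscatter problem the linked STANDARD_CONFIGURATION_README section warns a backup MX about. A backup MX should carry a recipient table synced from the primary (`relay_recipient_maps = hash:<path to recipient table>`) or at least a comment acknowledging that backscatter is accepted. `smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination` is right for a relay-only host, but `mynetworks` is left at the Postfix default here; pinning it via `services.postfix.networks` (or checking `postconf mynetworks` on the host) would make sure the 10.201.41.0/24 LAN is not an unauthenticated relay path.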
@@ -59,12 +59,12 @@ } ]; postSetup = ''
- ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE ''; postShutdown = ''
- ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
- ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens3 -j MASQUERADE ''; privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret"; };
diff --git a/flake.lock b/flake.lock
index 3d6c071..1f29fe8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": {
- "lastModified": 1694493899,
- "narHash": "sha256-46zEnn7H/G2ne735wEEKKW+LoyPa6NOWj2P9InxDfJs=",
+ "lastModified": 1695011647,
+ "narHash": "sha256-A0iKkey2LBlKCvwMR0HDXSs7ubdFP3ly8YE3m2zS/L4=", "owner": "NixOS", "repo": "nixpkgs",
- "rev": "c5167858ca4870e933da123762eb55363ccefe2b",
+ "rev": "4d2bff6897a5434eef9bd958c7e89c96dec569e0", "type": "github" }, "original": {
@@ -116,11 +116,11 @@ }, "nixpkgs-unstable": { "locked": {
- "lastModified": 1694502577,
- "narHash": "sha256-MMW8BMlRU38Zewova/BOYy3ER+GM2nPln+UYeHI9EsI=",
+ "lastModified": 1694928810,
+ "narHash": "sha256-M/3+pRQmM+FeBeSKRp0b01pncbNiiC2ggJE4Wpi7c1Q=", "owner": "NixOS", "repo": "nixpkgs",
- "rev": "55ec5ae7d6c3f7866a0696a6ccfb66a1665b3d72",
+ "rev": "948e8754755a9f27587d5bd109af2cfad313add8", "type": "github" }, "original": {
diff --git a/hosts.nix b/hosts.nix
index 472ac92..195a247 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -53,6 +53,10 @@ in site = "vs"; environment = "proxmox"; };
+ mail-2 = {
+ site = "wg";
+ environment = "proxmox";
+ }; matrix = { site = "vs"; environment = "proxmox";
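Review bot: The corrected rules still forward from wg1 to any interface: `-A FORWARD -i wg1 -j ACCEPT` has no `-o ens3`, so the mail-1 peer, whose default route now points at valkyrie, is not limited to the internet egress the MASQUERADE rule covers but can also reach whatever else valkyrie routes — including the wg0 peer networks (`10.202.0.0/16`, `10.203.10.2/32`) visible in the previous hunk. If only egress via ens3 is intended, pin both the add and the delete: `iptables -A FORWARD -i wg1 -o ens3 -j ACCEPT` and `iptables -D FORWARD -i wg1 -o ens3 -j ACCEPT`. The identical open-ended rule was just added to lifeline's wg0 in the first file of this patch. The interface block containing these hooks (its `privateKeyFile` names wg1) starts before the hunk.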