Add missing wireguard-tools dependency

2023-09-17 21:04:22 +02:00 · 2023-09-17 21:04:22 +02:00 · ef036a6a18
parent de66b5931c
commit ef036a6a18
7 changed files with 107 additions and 113 deletions
--- a/config/environments/openstack-vm/default.nix
+++ b/config/environments/openstack-vm/default.nix
@ -1,7 +1,7 @@
-{ lib, ... }:
+{ lib, modulesPath, ... }:
 {
  imports = [
-    ./hardware-configuration.nix
+    "${modulesPath}/virtualisation/openstack-config.nix"
  ];

  users.users.root.initialPassword = lib.mkForce null;
--- a/config/environments/openstack-vm/hardware-configuration.nix
+++ b/config/environments/openstack-vm/hardware-configuration.nix
@ -1,24 +0,0 @@
-{ ... }:
-{
-  fileSystems."/" = {
-    device = "/dev/disk/by-label/nixos";
-    fsType = "ext4";
-    autoResize = true;
-  };
-
-  boot = {
-    growPartition = true;
-    kernelParams = [ "console=tty1" ];
-    loader.grub = {
-      enable = true;
-      device = "/dev/vda";
-      extraConfig = ''
-        serial --unit=1 --speed=115200 --word=8 --parity=no --stop=1
-        terminal_output console serial
-        terminal_input console serial
-      '';
-    };
-  };
-
-  systemd.services."serial-getty@tty1".enable = true;
-}
--- a/config/hosts/lifeline/configuration.nix
+++ b/config/hosts/lifeline/configuration.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ ... }:
 {
  boot.loader.grub = {
    enable = true;
@ -10,54 +10,6 @@
  networking = {
    hostName = "lifeline";
    useDHCP = true;
-    wireguard = {
-      enable = true;
-      interfaces.wg0 = {
-        privateKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-privatekey.secret";
-        listenPort = 51820;
-        ips = [
-          "172.16.50.1/24"
-        ];
-        peers = [
-          {
-            name = "mail-1";
-            publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
-            presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-lifeline-psk.secret";
-            allowedIPs = [ "172.16.50.2/32" ];
-          }
-        ];
-        postSetup = ''
-          ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
-        '';
-        postShutdown = ''
-          ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
-        '';
-      };
-    };
-    nat = {
-      enable = true;
-      internalInterfaces = [ "wg0" ];
-      externalInterface = "ens6";
-      forwardPorts = [
-        {
-          destination = "172.16.50.2:25";
-          proto = "tcp";
-          sourcePort = 25;
-        }
-        {
-          destination = "172.16.50.2:465";
-          proto = "tcp";
-          sourcePort = 465;
-        }
-        {
-          destination = "172.16.50.2:993";
-          proto = "tcp";
-          sourcePort = 993;
-        }
-      ];
-    };
    firewall = {
      enable = true;
      allowedUDPPorts = [ 51820 ];
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@ -30,7 +30,7 @@
          via = "10.202.41.1";
        }
        {
-          address = "217.160.117.160"; # 
+          address = "212.53.203.19"; # valkyrie.af.grzb.de
          prefixLength = 32;
          via = "10.202.41.1";
        }
@ -44,15 +44,15 @@
        ];
        peers = [
          {
-            name = "lifeline";
-            publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
-            presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
-            endpoint = "lifeline.io.grzb.de:51820";
+            name = "valkyrie";
+            publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
+            presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+            endpoint = "212.53.203.19:51821";
            allowedIPs = [ "0.0.0.0/0" ];
            persistentKeepalive = 25;
          }
        ];
-        privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
+        privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
      };
    };
  };
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
  boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;

@ -8,11 +8,13 @@
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
-      allowedUDPPorts = [ 51820 51827 51828 ];
+      allowedUDPPorts = [ 51820 51821 51827 51828 ];
    };
    wireguard = {
      enable = true;
-      interfaces.wg0 = {
+      interfaces = {
+        # Site-to-site WireGuard setup also used for nftables dnat IP refresh thingy
+        wg0 = {
          listenPort = 51820;
          ips = [
            "10.203.10.3/24"
@ -42,6 +44,53 @@
          ];
          privateKeyFile = "/secrets/wireguard-valkyrie-wg0-privatekey.secret";
        };
+        # mail-1 VPN
+        wg1 = {
+          listenPort = 51821;
+          ips = [
+            "172.16.50.1/24"
+          ];
+          peers = [
+            {
+              name = "mail-1";
+              publicKey = "CyKPjkY1ah/lE6V3R0XugNo28doeAtD8wEtAeDB7bHs=";
+              presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-valkyrie-psk.secret";
+              allowedIPs = [ "172.16.50.2/32" ];
+            }
+          ];
+          postSetup = ''
+            ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+          '';
+          postShutdown = ''
+            ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.16.50.0/24 -o ens6 -j MASQUERADE
+          '';
+          privateKeyFile = "/secrets/wireguard-valkyrie-wg1-privatekey.secret";
+        };
+      };
+    };
+    nat = {
+      enable = true;
+      internalInterfaces = [ "wg1" ];
+      externalInterface = "ens3";
+      forwardPorts = [
+        {
+          destination = "172.16.50.2:25";
+          proto = "tcp";
+          sourcePort = 25;
+        }
+        {
+          destination = "172.16.50.2:465";
+          proto = "tcp";
+          sourcePort = 465;
+        }
+        {
+          destination = "172.16.50.2:993";
+          proto = "tcp";
+          sourcePort = 993;
+        }
+      ];
    };
  };

--- a/config/hosts/valkyrie/secrets.nix
+++ b/config/hosts/valkyrie/secrets.nix
@ -32,4 +32,20 @@
    permissions = "0640";
    uploadAt = "pre-activation";
  };
+  deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+  deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ];
+    destDir = "/secrets";
+    user = "root";
+    group = "root";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
 }
--- a/pkgs/wireguard-nat-nftables/default.nix
+++ b/pkgs/wireguard-nat-nftables/default.nix
@ -10,6 +10,7 @@ pkgs-overlay.python310Packages.buildPythonApplication {
  version = "0.0.1";

  propagatedBuildInputs = with pkgs-overlay; [
+    wireguard-tools
    python310Packages.nftables
  ];