diff --git a/hosts/default.nix b/hosts/default.nix
index 1e1ca1d..91f8681 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -185,6 +185,7 @@
 ];
 secrets = {
 "cachix" = {};
+ "mothership-wireguard-private-key" = {};
 "git-workspace-tokens".owner = "ccr";
 "magit-forge-github-token".owner = "ccr";
 };
diff --git a/hosts/mothership/default.nix b/hosts/mothership/default.nix
index d21ce8d..258c20f 100644
--- a/hosts/mothership/default.nix
+++ b/hosts/mothership/default.nix
@@ -8,6 +8,7 @@
 }: {
 imports = fleetModules [
 "common"
+ "wireguard-server"
 "ssh"
 "ccr"
 "nix"
diff --git a/modules/wireguard-server/default.nix b/modules/wireguard-server/default.nix
new file mode 100644
index 0000000..9606c5c
--- /dev/null
+++ b/modules/wireguard-server/default.nix
@@ -0,0 +1,39 @@
+{
+ pkgs,
+ config,
+ ...
+ }: {
+ networking.nat.enable = true;
+ networking.nat.externalInterface = "enp5s0"; # mothership network interface, shouldn't be hardcoded here
+ networking.nat.internalInterfaces = ["wg0"];
+ networking.firewall = {
+ allowedUDPPorts = [51820];
+ };
+
+ networking.wireguard.interfaces = {
+ wg0 = {
+ ips = ["10.100.0.1/24"];
+
+ listenPort = 51820;
+
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ privateKeyFile = config.age.secrets."${config.networking.hostName}-wireguard-private-key".path;
+
+ peers = [
+ {
+ # thinkpad
+ publicKey = "g8wId6Rl0olRFRtAnQ046ihPRYFCtMxOJ+/Z9ARwIxI=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = ["10.100.0.2/32"];
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/wireguardClient/default.nix b/modules/wireguardClient/default.nix
deleted file mode 100644
index a34e62d..0000000
--- a/modules/wireguardClient/default.nix
+++ /dev/null
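Review bot: The hand-written MASQUERADE rules in `postSetup`/`postShutdown` of the new wireguard-server module target `-o eth0`, while `networking.nat.externalInterface` on line 7 of the same file is set to `enp5s0` (and its comment says that is mothership's interface), so on this host those two rules most likely match nothing at all. As far as I understand the NixOS `networking.nat` module, `enable = true` together with `internalInterfaces = ["wg0"]` already installs the equivalent POSTROUTING masquerade for the configured external interface, so the two hooks look redundant; dropping them is the cleanest fix, and if you prefer to keep them, reference the option instead of a literal so the two cannot drift: `-o ${config.networking.nat.externalInterface}` in both rules. Independently, since the thinkpad is the only peer and you control both ends, consider adding an agenix-managed `presharedKeyFile` to that peer entry — optional in WireGuard, but it is the one knob that layers a symmetric secret on top of the Curve25519 handshake.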
@@ -1,64 +0,0 @@
-# FIXME For some reson this doesnt' work
-{
- config,
- lib,
- pkgs,
- ...
-}: {
- networking.firewall = {
- allowedUDPPorts = [51820]; # Clients and peers can use the same port, see listenport
- };
- networking.wireguard.interfaces = {
- # "wg0" is the network interface name. You can name the interface arbitrarily.
- wg0 = {
- # Determines the IP address and subnet of the client's end of the tunnel interface.
- ips = ["10.100.0.2/24"];
- listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
-
- # Path to the private key file.
- #
- # Note: The private key can also be included inline via the privateKey option,
- # but this makes the private key world-readable; thus, using privateKeyFile is
- # recommended.
- privateKeyFile = "/home/ccr/wg-private"; #TODO use agenix
-
- peers = [
- # For a client configuration, one peer entry for the server will suffice.
-
- {
- # Public key of the server (not a file path).
- publicKey = "fCwjd75CefC9A7WqO7s3xfOk2nRcoTKfnAzDT6Lc5AA=";
-
- # Forward all the traffic via VPN.
- allowedIPs = ["0.0.0.0/0"];
- # Or forward only particular subnets
- #allowedIPs = [ "10.100.0.1" "91.108.12.0/22" ];
-
- # Set this to the server IP and port.
- endpoint = "ccr.ydns.eu:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
-
- # Send keepalives every 25 seconds. Important to keep NAT tables alive.
- persistentKeepalive = 25; - } - ]; - }; - }; - - networking.wg-quick.interfaces = { - wg0 = { - address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; - dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; - privateKeyFile = "/home/ccr/wg-private"; - - peers = [ - { - publicKey = "fCwjd75CefC9A7WqO7s3xfOk2nRcoTKfnAzDT6Lc5AA="; - # presharedKeyFile = "/root/wireguard-keys/preshared_from_peer0_key"; - allowedIPs = ["0.0.0.0/0" "::/0"]; - endpoint = "ccr.ydns.eu:51820"; - persistentKeepalive = 25; - } - ]; - }; - }; -} diff --git a/secrets/default.nix b/secrets/default.nix index fa4057c..1c85c41 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -12,6 +12,6 @@ in { "git-workspace-tokens.age".publicKeys = [users.ccr hosts.test hosts.mothership]; # WireGuard - "thinkpad-wireguard-private-key.age".publicKeys = [hosts.thinkpad]; + "mothership-wireguard-private-key.age".publicKeys = [hosts.mothership]; } diff --git a/secrets/mothership-wireguard-private-key.age b/secrets/mothership-wireguard-private-key.age new file mode 100644 index 0000000..374b6fc --- /dev/null +++ b/secrets/mothership-wireguard-private-key.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 q+UPnA 7RAJbAW7p/kUyAG7VQlVG2Ri86F13GCVw7uOGck5Yms +KJQCDEH6PQF8H4uUFp5cuvtLb4Yldvl35NXqbYyxUYQ +-> 2x%m?X4r-grease [L7Jb/. xgMVomN[ +in0zvAfoC0s/CLqNviUa2NfGJR1R4BjbkKCzNYsjJd7JUG+R1hda7Vku7SQ5yA1D +SzSeDISN7PK6dVBDlt2vzgqZnJpNswnSu23qdlfiQ2f9N/LA7gKD9uB5YF5wac2h +rgY +--- 3m0T9+VQCfTh6uuvoilEvtu57x6UbXsRf73k40O2v9k +¢‘]jòßí¦£SUt
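Review bot: The secrets/default.nix hunk replaces the `thinkpad-wireguard-private-key.age` declaration instead of adding the mothership entry next to it, yet the new server module still lists the thinkpad as its only peer, so the client side will presumably still need its own agenix-managed private key; with the declaration gone, agenix can no longer rekey or edit that file (assuming it exists — no deletion of `secrets/thinkpad-wireguard-private-key.age` appears in this diff). If the thinkpad stays a peer, restore the line `"thinkpad-wireguard-private-key.age".publicKeys = [hosts.thinkpad];` alongside the new one; if that secret is being retired on purpose, delete its `.age` file in the same commit so an orphaned encrypted key does not linger in the repository. Encrypting the mothership key to `hosts.mothership` only, with no user key, is the right scope for a server-side private key.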