From fbe35f040b32c51204cfaf243604d64204558b02 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 4 Apr 2024 22:51:15 +0000
Subject: [PATCH] cofractal-ams01: add wg/peering to swann

---
 ops/nixos/cofractal-ams01/default.nix | 112 ++++++++++++++++++++++++--
 1 file changed, 106 insertions(+), 6 deletions(-)

diff --git a/ops/nixos/cofractal-ams01/default.nix b/ops/nixos/cofractal-ams01/default.nix
index 7dd8d6ec73..dd39ddf493 100644
--- a/ops/nixos/cofractal-ams01/default.nix
+++ b/ops/nixos/cofractal-ams01/default.nix
@@ -176,12 +176,94 @@ in
 34197 # factorio
 4001 # IPFS
 443 # HTTP/3
+ 51821 51822 51823 # wireguard
 ];
 };
- systemd.network.networks."40-bond0".linkConfig.RequiredForOnline = "yes";
- systemd.network.networks."40-enp45s0f0np0".linkConfig.RequiredForOnline = "no";
- systemd.network.networks."40-enp45s0f1np1".linkConfig.RequiredForOnline = "no";
- systemd.network.networks."50-tailscale".linkConfig.RequiredForOnline = "no";
+ systemd.network = let
+ wireguard = { name, listenPort, privateKey, publicKey, endpoint ? null }: {
+ netdevConfig = {
+ Name = name;
+ Kind = "wireguard";
+ Description = "WireGuard tunnel ${name}";
+ };
+ wireguardConfig = {
+ ListenPort = listenPort;
+ PrivateKeyFile = privateKey;
+ };
+ wireguardPeers = [{
+ wireguardPeerConfig = lib.mkMerge [{
+ PublicKey = publicKey;
+ AllowedIPs = [
+ "0.0.0.0/0"
+ "::/0"
+ ];
+ } (lib.mkIf (endpoint != null) {
+ Endpoint = endpoint;
+ })];
+ }];
+ };
+ swannWireguard = args: wireguard (args // {
+ privateKey = config.my.vault.secrets.wg-swann-private.path;
+ publicKey = "N7nMSpFl+t+FVluRJY8dGJuB4Yn11mJlBW5+LwFqOhg=";
+ });
+ rexxarWireguard = args: wireguard (args // {
+ privateKey = config.my.vault.secrets.wg-rexxar-private.path;
+ publicKey = "Rhzn9S8WLpoohsk0Y2oanQSa9waThlK7dbA7ufzzMSU=";
+ });
+ in {
+ netdevs."40-wg-swann-ee" = swannWireguard {
+ name = "wg-swann-ee";
+ listenPort = 51821;
+ };
+ netdevs."40-wg-swann-gnet" = swannWireguard {
+ name = "wg-swann-gnet";
+ listenPort = 51822;
+ endpoint = "185.250.189.20:51822";
+ };
+ netdevs."40-wg-rexxar" = rexxarWireguard {
+ name = "wg-rexxar";
+ listenPort = 51823;
+ };
+
+ networks."40-wg-swann-ee" = {
+ matchConfig.Name = "wg-swann-ee";
+ address = [
+ "92.118.30.1/31"
+ "2a09:a442::1:2/64"
+ ];
+ };
+ networks."40-wg-swann-gnet" = {
+ matchConfig.Name = "wg-swann-gnet";
+ address = [
+ "92.118.30.7/31"
+ "2a09:a442::4:2/64"
+ ];
+ };
+ networks."40-wg-rexxar" = {
+ matchConfig.Name = "wg-rexxar";
+ address = [
+ "169.254.200.1/31"
+ ];
+ };
+
+ networks."40-bond0".linkConfig.RequiredForOnline = "yes";
+ networks."40-enp45s0f0np0".linkConfig.RequiredForOnline = "no";
+ networks."40-enp45s0f1np1".linkConfig.RequiredForOnline = "no";
+ networks."50-tailscale".linkConfig.RequiredForOnline = "no";
+ networks."60-lo" = {
+ matchConfig.Name = "lo";
+ addresses = [{
+ addressConfig.Address = "127.0.0.1/8";
+ addressConfig.Scope = "host";
+ } {
+ addressConfig.Address = "::1/128";
+ } {
+ addressConfig.Address = "92.118.30.252/32";
+ } {
+ addressConfig.Address = "2a09:a442:2000::/128";
+ }];
+ };
+ };
 my.ip.tailscale = "100.83.36.130";
 my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:6253:2482";
 my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
@@ -232,8 +314,12 @@ in
 local = {
 routerID = "199.19.152.160";
 };
- export.v4 = [ ];
- export.v6 = [ "2a09:a446:1337::/48" ];
+ export.v4 = [ "92.118.28.0/24" ];
+ export.v6 = [ "2a09:a446:1337::/48" "2a09:a442::/48" "2a09:a442:2000::/48" ];
+
+ internal.export.v4 = [ "92.118.30.252/32" ];
+ internal.export.v6 = [ "2a09:a446:1337::/48" "2a09:a442:2000::/48" "2a09:a442::/48" ];
+
 peering.cofractal = {
 local = local // {
 v6 = "2a09:a446:1337:ffff::10";
@@ -295,5 +381,19 @@ in
 security.polkit.enable = true;
 users.users.lukegb.extraGroups = lib.mkAfter [ "libvirtd" ];
 
+ my.vault.secrets = let
+ wireguardSecret = key: {
+ group = "systemd-network";
+ template = ''
+ {{- with secret "kv/apps/wireguard/cofractal-ams01" -}}
+ {{- .Data.data.${key} -}}
+ {{- end -}}
+ '';
+ };
+ in {
+ wg-swann-private = wireguardSecret "privateKeyToSwann";
+ wg-rexxar-private = wireguardSecret "privateKeyToRexxar";
+ };
+
 system.stateVersion = "23.05";
 }
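Review bot: The `AllowedIPs = [ "0.0.0.0/0" "::/0" ]` inside the shared `wireguard` helper is applied to every peer (swann-ee, swann-gnet, rexxar) and switches off WireGuard's cryptokey-routing ingress check, so any source address the remote sends through the tunnel is accepted and the only thing deciding what this host forwards from those peers is the BGP import policy and host firewall, neither of which is in this hunk. That is the expected setting for a routed BGP link, but an unexplained 0/0 reads like a full-tunnel default route to the next maintainer; I believe networkd installs no routes for AllowedIPs unless `RouteTable=` is set, so no blackhole default route should result, but that is worth confirming on the host. I'd add above the list: `# 0/0: routed BGP links; reachability comes from the routing table, not cryptokey routing`. The attribute set this `systemd.network` block lives in starts and ends outside the hunk.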
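Review bot: `export.v6` and `internal.export.v6` now list the same three prefixes in different orders, which is the kind of duplication that drifts on the next edit; binding them once (e.g. a `let` such as `ownPrefixes6 = [ "2a09:a446:1337::/48" "2a09:a442::/48" "2a09:a442:2000::/48" ];` in the enclosing scope, then `export.v6 = ownPrefixes6;` and `internal.export.v6 = ownPrefixes6;`) keeps the external and internal views in lockstep. The enclosing attribute set starts and ends outside the hunk, so where that binding goes is not visible here. Separately, `92.118.28.0/24`, `2a09:a442::/48` and `2a09:a442:2000::/48` are newly exported to an external peer; nothing in the hunk shows the corresponding ROA/IRR coverage, so confirm it exists before the upstream filters accept them, otherwise the announcement is silently dropped or, worse, flagged as invalid.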
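Review bot: `wireguardSecret` sets only `group = "systemd-network"` on the rendered private-key file and no mode, so whether the key ends up group-readable-only or world-readable depends on the defaults of the `my.vault.secrets` module, which are not visible in this diff; confirm the rendered file is 0440 or tighter, and if the module exposes a mode option, set it explicitly here so the intent is in the file. Nothing in this hunk reacts to a re-rendered secret either: networkd reads `PrivateKeyFile` when it creates the netdev, so a rotated key in Vault will, I believe, not take effect until the `wg-*` netdevs are recreated, which `networkctl reload` alone does not do. I'd note that next to the helper: `# networkd reads the key only at netdev creation; rotating it in Vault requires recreating the wg-* netdevs`. The enclosing module attribute set ends in this hunk but starts outside it.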