services: Add wireguard service

configuration/default.nix

@@ -18,6 +18,7 @@
     ./services/gitea.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
+    ./services/wireguard.nix
     ./services/starbound.nix
     ./services/postgres.nix
     ./sops.nix
@@ -51,10 +52,8 @@
 
   networking = {
     hostName = "tlaternet";
-
     usePredictableInterfaceNames = false;
     useDHCP = false;
-    interfaces.eth0.useDHCP = true;
 
     firewall = {
       allowedTCPPorts = [
@@ -95,6 +94,50 @@
     };
   };
 
+  systemd.network = {
+    enable = true;
+
+    networks = {
+      "10-eth0" = {
+        matchConfig.Name = "eth0";
+
+        networkConfig = {
+          DHCP = "no";
+
+          Address = "178.79.137.55/24";
+          Gateway = "178.79.137.1";
+
+          Domains = "ip.linodeusercontent.com";
+          DNS = [
+            "178.79.182.5"
+            "176.58.107.5"
+            "176.58.116.5"
+            "176.58.121.5"
+            "151.236.220.5"
+            "212.71.252.5"
+            "212.71.253.5"
+            "109.74.192.20"
+            "109.74.193.20"
+            "109.74.194.20"
+            "2a01:7e00::9"
+            "2a01:7e00::3"
+            "2a01:7e00::c"
+            "2a01:7e00::5"
+            "2a01:7e00::6"
+            "2a01:7e00::8"
+            "2a01:7e00::b"
+            "2a01:7e00::4"
+            "2a01:7e00::7"
+            "2a01:7e00::2"
+          ];
+
+          IPv6PrivacyExtensions = "no";
+          IPv6AcceptRA = "yes";
+        };
+      };
+    };
+  };
+
   time.timeZone = "Europe/London";
 
   users.users.tlater = {

configuration/services/wireguard.nix

@@ -0,0 +1,71 @@
+{config, ...}: {
+  # iptables needs to permit forwarding from wg0 to wg0
+  networking.firewall.extraCommands = ''
+    iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
+  '';
+
+  systemd.network = {
+    netdevs = {
+      "20-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+          Description = "wg0 - wireguard tunnel";
+        };
+
+        wireguardConfig = {
+          ListenPort = 51820;
+          PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
+          # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
+        };
+
+        wireguardPeers = [
+          {
+            # yui
+            wireguardPeerConfig = {
+              AllowedIPs = ["10.45.249.2/32"];
+              PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
+            };
+          }
+
+          {
+            # yuanyuan
+            wireguardPeerConfig = {
+              AllowedIPs = ["10.45.249.10/32"];
+              PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
+            };
+          }
+        ];
+      };
+    };
+
+    networks = {
+      "20-wg0" = {
+        matchConfig.Name = "wg0";
+
+        networkConfig = {
+          Address = [
+            "10.45.249.1/32"
+            # TODO(tlater): Add IPv6 whenever that becomes relevant
+          ];
+
+          IPForward = "yes";
+          IPv4ProxyARP = "yes";
+        };
+
+        routes = [
+          {
+            routeConfig = {
+              Source = "10.45.249.0/24";
+              Destination = "10.45.249.0/24";
+              Gateway = "10.45.249.1";
+              GatewayOnLink = "no";
+            };
+          }
+        ];
+
+        linkConfig.RequiredForOnline = "no";
+      };
+    };
+  };
+}

configuration/sops.nix

@@ -1,22 +1,34 @@
 {
   sops = {
     defaultSopsFile = ../keys/production.yaml;
-    secrets."nextcloud/tlater" = {
+
+    secrets = {
+      "nextcloud/tlater" = {
         owner = "nextcloud";
         group = "nextcloud";
       };
-    secrets."steam/tlater" = {};
+
-    secrets."heisenbridge/as-token" = {};
+      "steam/tlater" = {};
-    secrets."heisenbridge/hs-token" = {};
+
-    secrets."turn/env" = {};
+      "heisenbridge/as-token" = {};
-    secrets."turn/secret" = {
+      "heisenbridge/hs-token" = {};
+
+      "wireguard/server-key" = {
+        owner = "root";
+        group = "systemd-network";
+        mode = "0440";
+      };
+
+      "turn/env" = {};
+      "turn/secret" = {
         owner = "turnserver";
       };
-    secrets."turn/ssl-key" = {
+      "turn/ssl-key" = {
         owner = "turnserver";
       };
-    secrets."turn/ssl-cert" = {
+      "turn/ssl-cert" = {
         owner = "turnserver";
       };
     };
+  };
 }

keys/production.yaml

@@ -5,6 +5,8 @@ steam:
 heisenbridge:
     as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
     hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
+wireguard:
+    server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str]
 turn:
     env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
     secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
@@ -17,8 +19,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-21T10:51:11Z"
+    lastmodified: "2023-04-23T17:34:53Z"
-    mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str]
+    mac: ENC[AES256_GCM,data:UaGB4uwmYGVbKud5KrvdKeYTnYrs8nnQsT590KIS/b/9JhpQo5JXFtHsm1AteEBg9ygmY6tYKDcK4AXwz/uR/m3CW5If03dBNG8F9Uy3dPL5KaebC/EsNVIaRavWTbSZgqhnBgYeM+HkeQPskSWuwviSNU0D7d1n98Q89Y0kQfA=,iv:kEsRh8hb1amd2qozyxwYHCHdX80c2mO5Mm7npKX3DKc=,tag:p5GPd0OZvowghT92pxxXeA==,type:str]
     pgp:
         - created_at: "2022-10-12T00:46:51Z"
           enc: |

keys/staging.yaml

@@ -5,6 +5,8 @@ steam:
 heisenbridge:
     as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
     hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
+wireguard:
+    server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
 turn:
     env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
     secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
@@ -17,8 +19,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-21T08:32:04Z"
+    lastmodified: "2023-04-23T17:35:16Z"
-    mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str]
+    mac: ENC[AES256_GCM,data:4cW8k6o3jET8k+yJGyApjOyuSUQb+d+4wX/RTNnpbt+867sExQrZUrOMif/u8S4WmcKVSJgvrzuxK9hpDPYhJ1d/5YuHH1Dyj7QDRdhbZYHhkpPus0ZVTEpSknZzx2eWH1ch/fyJJknlrBlfb/tz50Dv+w9mhkL7qteaIq+Vmsc=,iv:YMfAuGwu1kAM0wGkq3kzVMnC72yo7ZT04BuEwoLRPIA=,tag:6I1VRzteRaLuxN+sfLA5Mw==,type:str]
     pgp:
         - created_at: "2022-10-12T16:48:23Z"
           enc: |