diff --git a/configuration/default.nix b/configuration/default.nix index 2a4ce63..f69ec09 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -15,9 +15,11 @@ (import ../modules) ./services/conduit.nix + ./services/foundryvtt.nix ./services/gitea.nix ./services/nextcloud.nix ./services/webserver.nix + ./services/wireguard.nix ./services/starbound.nix ./services/postgres.nix ./sops.nix @@ -51,10 +53,8 @@ networking = { hostName = "tlaternet"; - usePredictableInterfaceNames = false; useDHCP = false; - interfaces.eth0.useDHCP = true; firewall = { allowedTCPPorts = [ @@ -95,6 +95,8 @@ }; }; + systemd.network.enable = true; + time.timeZone = "Europe/London"; users.users.tlater = { diff --git a/configuration/hardware-specific/linode/default.nix b/configuration/hardware-specific/linode/default.nix index 3cd3570..b05fade 100644 --- a/configuration/hardware-specific/linode/default.nix +++ b/configuration/hardware-specific/linode/default.nix @@ -19,4 +19,42 @@ ''; }; }; + + systemd.network.networks."10-eth0" = { + matchConfig.Name = "eth0"; + + networkConfig = { + DHCP = "no"; + + Address = "178.79.137.55/24"; + Gateway = "178.79.137.1"; + + Domains = "ip.linodeusercontent.com"; + DNS = [ + "178.79.182.5" + "176.58.107.5" + "176.58.116.5" + "176.58.121.5" + "151.236.220.5" + "212.71.252.5" + "212.71.253.5" + "109.74.192.20" + "109.74.193.20" + "109.74.194.20" + "2a01:7e00::9" + "2a01:7e00::3" + "2a01:7e00::c" + "2a01:7e00::5" + "2a01:7e00::6" + "2a01:7e00::8" + "2a01:7e00::b" + "2a01:7e00::4" + "2a01:7e00::7" + "2a01:7e00::2" + ]; + + IPv6PrivacyExtensions = "no"; + IPv6AcceptRA = "yes"; + }; + }; } diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix index aed39e4..8c93f30 100644 --- a/configuration/hardware-specific/vm.nix +++ b/configuration/hardware-specific/vm.nix 
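Review bot: The `10-eth0` unit in the linode hunk only takes effect if the NIC is actually named eth0, and the default.nix hunk in this same commit drops `usePredictableInterfaceNames = false`, so once that option falls back to its default the interface may come up under a predictable `enpXsY`-style name with no static address, leaving the VPS unreachable after the switch to networkd. Unless the name is pinned somewhere outside this diff, matching on something that does not depend on the naming scheme would be safer, e.g. `matchConfig.Type = "ether";` in place of `matchConfig.Name = "eth0";`, or a MAC-address match. I cannot confirm from here what the kernel calls the Linode NIC, so this is worth verifying on a rescue console before relying on it.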
@@ -11,6 +11,11 @@ # Use the staging secrets sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml; + systemd.network.networks."10-eth0" = { + matchConfig.Name = "eth0"; + networkConfig.DHCP = "yes"; + }; + # # Set up VM settings to match real VPS # virtualisation.memorySize = 3941; # virtualisation.cores = 2; diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix new file mode 100644 index 0000000..1ae6aac --- /dev/null +++ b/configuration/services/wireguard.nix 
@@ -0,0 +1,74 @@
+{config, ...}: {
+ # iptables needs to permit forwarding from wg0 to wg0
+ networking.firewall.extraCommands = ''
+ iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
+ # This ensures that we send messages with the correct MTU to any
+ # connecting host; without it, the weirdest errors occur
+ iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ '';
+
+ systemd.network = {
+ netdevs = {
+ "20-wg0" = {
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ Description = "wg0 - wireguard tunnel";
+ };
+
+ wireguardConfig = {
+ ListenPort = 51820;
+ PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
+ # Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
+ };
+
+ wireguardPeers = [
+ {
+ # yui
+ wireguardPeerConfig = {
+ AllowedIPs = ["10.45.249.2/32"];
+ PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
+ };
+ }
+
+ {
+ # yuanyuan
+ wireguardPeerConfig = {
+ AllowedIPs = ["10.45.249.10/32"];
+ PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
+ };
+ }
+ ];
+ };
+ };
+
+ networks = {
+ "20-wg0" = {
+ matchConfig.Name = "wg0";
+
+ networkConfig = {
+ Address = [
+ "10.45.249.1/32"
+ # TODO(tlater): Add IPv6 whenever that becomes relevant
+ ];
+
+ IPForward = "yes";
+ IPv4ProxyARP = "yes";
+ };
+
+ routes = [
+ {
+ routeConfig = {
+ Source = "10.45.249.0/24";
+ Destination = "10.45.249.0/24";
+ Gateway = "10.45.249.1";
+ GatewayOnLink = "no";
+ };
+ }
+ ];
+
+ linkConfig.RequiredForOnline = "no";
+ };
+ };
+ };
+}
diff --git a/configuration/sops.nix b/configuration/sops.nix
index d02b3f0..4becfd4 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
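Review bot: `IPForward = "yes"` on wg0 switches on kernel forwarding (on the systemd releases where that setting is a global toggle, for every interface), but the extraCommands block only adds an ACCEPT for wg0-to-wg0, so whether a peer can also route through this host out of eth0 onto the public network depends on the FORWARD chain policy, which this hunk does not set and I cannot see elsewhere in the diff. I would pin that right after the accept rule, `iptables -A FORWARD -i wg0 ! -o wg0 -j DROP` (or set a DROP policy on FORWARD), so the tunnel stays peer-to-peer as the header comment intends. These `-A` rules are also appended again on every firewall restart unless matching `-D` calls are placed in `networking.firewall.extraStopCommands`, since the NixOS firewall script only flushes its own chains. Finally, nothing visible in this diff opens 51820/UDP (`networking.firewall.allowedUDPPorts = [ 51820 ];`), so the listener may be unreachable unless that lives in the part of the firewall block not shown here.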
@@ -1,22 +1,34 @@
 {
 sops = {
 defaultSopsFile = ../keys/production.yaml;
- secrets."nextcloud/tlater" = {
- owner = "nextcloud";
- group = "nextcloud";
- };
- secrets."steam/tlater" = {};
- secrets."heisenbridge/as-token" = {};
- secrets."heisenbridge/hs-token" = {};
- secrets."turn/env" = {};
- secrets."turn/secret" = {
- owner = "turnserver";
- };
- secrets."turn/ssl-key" = {
- owner = "turnserver";
- };
- secrets."turn/ssl-cert" = {
- owner = "turnserver";
+
+ secrets = {
+ "nextcloud/tlater" = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+
+ "steam/tlater" = {};
+
+ "heisenbridge/as-token" = {};
+ "heisenbridge/hs-token" = {};
+
+ "wireguard/server-key" = {
+ owner = "root";
+ group = "systemd-network";
+ mode = "0440";
+ };
+
+ "turn/env" = {};
+ "turn/secret" = {
+ owner = "turnserver";
+ };
+ "turn/ssl-key" = {
+ owner = "turnserver";
+ };
+ "turn/ssl-cert" = {
+ owner = "turnserver";
+ };
 };
 };
 }
diff --git a/keys/production.yaml b/keys/production.yaml
index 666b893..6ef9ef7 100644
--- a/keys/production.yaml
+++ b/keys/production.yaml
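Review bot: The new `wireguard/server-key` entry deserves a one-line why-comment, since it is the only secret in this block handed to a system group rather than a service user and the root/systemd-network/0440 combination looks deliberate: `# read by systemd-networkd (presumably as the systemd-network user) via wireguardConfig.PrivateKeyFile; keep group-readable only`. Stating that here makes it less likely someone later loosens the mode to 0444 or reassigns the owner while debugging networkd. I cannot see the networkd service user from this diff, so the comment should be confirmed against the host before it is committed.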
@@ -5,6 +5,8 @@ steam: heisenbridge: as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str] hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str] +wireguard: + server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str] turn: env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str] secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str] @@ -17,8 +19,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-02-21T10:51:11Z" - mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str] + lastmodified: "2023-04-23T17:34:53Z" + mac: ENC[AES256_GCM,data:UaGB4uwmYGVbKud5KrvdKeYTnYrs8nnQsT590KIS/b/9JhpQo5JXFtHsm1AteEBg9ygmY6tYKDcK4AXwz/uR/m3CW5If03dBNG8F9Uy3dPL5KaebC/EsNVIaRavWTbSZgqhnBgYeM+HkeQPskSWuwviSNU0D7d1n98Q89Y0kQfA=,iv:kEsRh8hb1amd2qozyxwYHCHdX80c2mO5Mm7npKX3DKc=,tag:p5GPd0OZvowghT92pxxXeA==,type:str] pgp: - created_at: "2022-10-12T00:46:51Z" enc: | diff --git a/keys/staging.yaml b/keys/staging.yaml index 41e20ac..49b5a6a 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml 
@@ -5,6 +5,8 @@ steam: heisenbridge: as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str] hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str] +wireguard: + server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str] turn: env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str] secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str] @@ -17,8 +19,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-02-21T08:32:04Z" - mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str] + lastmodified: "2023-04-23T17:35:16Z" + mac: ENC[AES256_GCM,data:4cW8k6o3jET8k+yJGyApjOyuSUQb+d+4wX/RTNnpbt+867sExQrZUrOMif/u8S4WmcKVSJgvrzuxK9hpDPYhJ1d/5YuHH1Dyj7QDRdhbZYHhkpPus0ZVTEpSknZzx2eWH1ch/fyJJknlrBlfb/tz50Dv+w9mhkL7qteaIq+Vmsc=,iv:YMfAuGwu1kAM0wGkq3kzVMnC72yo7ZT04BuEwoLRPIA=,tag:6I1VRzteRaLuxN+sfLA5Mw==,type:str] pgp: - created_at: "2022-10-12T16:48:23Z" enc: |