Set up wireguard #84
|
@ -15,9 +15,11 @@
|
||||||
(import ../modules)
|
(import ../modules)
|
||||||
|
|
||||||
./services/conduit.nix
|
./services/conduit.nix
|
||||||
|
./services/foundryvtt.nix
|
||||||
./services/gitea.nix
|
./services/gitea.nix
|
||||||
./services/nextcloud.nix
|
./services/nextcloud.nix
|
||||||
./services/webserver.nix
|
./services/webserver.nix
|
||||||
|
./services/wireguard.nix
|
||||||
./services/starbound.nix
|
./services/starbound.nix
|
||||||
./services/postgres.nix
|
./services/postgres.nix
|
||||||
./sops.nix
|
./sops.nix
|
||||||
|
@ -51,10 +53,8 @@
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "tlaternet";
|
hostName = "tlaternet";
|
||||||
|
|
||||||
usePredictableInterfaceNames = false;
|
usePredictableInterfaceNames = false;
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
interfaces.eth0.useDHCP = true;
|
|
||||||
|
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
|
@ -95,6 +95,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.network.enable = true;
|
||||||
|
|
||||||
time.timeZone = "Europe/London";
|
time.timeZone = "Europe/London";
|
||||||
|
|
||||||
users.users.tlater = {
|
users.users.tlater = {
|
||||||
|
|
|
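Review bot: `systemd.network.enable = true;` is added without `networking.useNetworkd`, so as far as this commit shows the scripted NixOS network-setup units keep running next to systemd-networkd, with `hostName` and `useDHCP` still handled by the old backend and eth0 by the new one. If networkd is meant to own the host's networking, `networking.useNetworkd = true;` makes the remaining `networking.*` settings render as networkd configuration and removes the second backend; if running both is deliberate, a one-line comment next to `systemd.network.enable` saying so would help. Dropping `interfaces.eth0.useDHCP = true;` does look required here, since otherwise the old backend's DHCP client and the staging file's `networkConfig.DHCP = "yes"` would both configure eth0. The `networking` attribute set continues past the end of the hunk.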
@ -19,4 +19,42 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.network.networks."10-eth0" = {
|
||||||
|
matchConfig.Name = "eth0";
|
||||||
|
|
||||||
|
networkConfig = {
|
||||||
|
DHCP = "no";
|
||||||
|
|
||||||
|
Address = "178.79.137.55/24";
|
||||||
|
Gateway = "178.79.137.1";
|
||||||
|
|
||||||
|
Domains = "ip.linodeusercontent.com";
|
||||||
|
DNS = [
|
||||||
|
"178.79.182.5"
|
||||||
|
"176.58.107.5"
|
||||||
|
"176.58.116.5"
|
||||||
|
"176.58.121.5"
|
||||||
|
"151.236.220.5"
|
||||||
|
"212.71.252.5"
|
||||||
|
"212.71.253.5"
|
||||||
|
"109.74.192.20"
|
||||||
|
"109.74.193.20"
|
||||||
|
"109.74.194.20"
|
||||||
|
"2a01:7e00::9"
|
||||||
|
"2a01:7e00::3"
|
||||||
|
"2a01:7e00::c"
|
||||||
|
"2a01:7e00::5"
|
||||||
|
"2a01:7e00::6"
|
||||||
|
"2a01:7e00::8"
|
||||||
|
"2a01:7e00::b"
|
||||||
|
"2a01:7e00::4"
|
||||||
|
"2a01:7e00::7"
|
||||||
|
"2a01:7e00::2"
|
||||||
|
];
|
||||||
|
|
||||||
|
IPv6PrivacyExtensions = "no";
|
||||||
|
IPv6AcceptRA = "yes";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
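Review bot: The resolver list under `DNS = [` and the `Domains = "ip.linodeusercontent.com";` entry carry no comment saying where they come from, so a later reader cannot tell whether `178.79.182.5` … `2a01:7e00::2` are provider-assigned regional resolvers that must be revalidated when the host moves or deliberately chosen servers; a line such as `# Provider resolvers handed out for this host's region — revalidate if the VPS is moved` above `DNS = [` would settle it (the `Domains` value hints at a Linode host, but that is inferred). `IPv6PrivacyExtensions = "no";` and `IPv6AcceptRA = "yes";` are also worth a short why-comment: the first keeps the server's IPv6 address stable, the second means the IPv6 address and default route are learned from router advertisements rather than set statically here, unlike the IPv4 `Address`/`Gateway` pair. The enclosing attribute set opens before this hunk.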
@ -11,6 +11,11 @@
|
||||||
# Use the staging secrets
|
# Use the staging secrets
|
||||||
sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
|
sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
|
||||||
|
|
||||||
|
systemd.network.networks."10-eth0" = {
|
||||||
|
matchConfig.Name = "eth0";
|
||||||
|
networkConfig.DHCP = "yes";
|
||||||
|
};
|
||||||
|
|
||||||
# # Set up VM settings to match real VPS
|
# # Set up VM settings to match real VPS
|
||||||
# virtualisation.memorySize = 3941;
|
# virtualisation.memorySize = 3941;
|
||||||
# virtualisation.cores = 2;
|
# virtualisation.cores = 2;
|
||||||
|
|
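Review bot: The staging override of eth0 does not follow the override pattern of the line just above it: `sops.defaultSopsFile` is set with `lib.mkOverride 99`, while `networkConfig.DHCP = "yes";` is a plain definition. If this module is layered on top of the production host configuration, as the sops override suggests, the production `10-eth0` unit defines `DHCP = "no"` at the same priority and evaluation fails with conflicting definitions; `networkConfig.DHCP = lib.mkOverride 99 "yes";` resolves that, but the production `Address`, `Gateway` and `DNS` values would still be merged into the staging VM's unit and likely need `lib.mkForce` or a separate network unit name. If staging is instead built from a disjoint module set, this is moot and a comment saying so would prevent the question from coming up again.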
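--- /dev/null
+++ b/configuration/services/wireguard.nix
@@ -0,0 +1,74 @@
+{config, ...}: {
+# iptables needs to permit forwarding from wg0 to wg0
+networking.firewall.extraCommands = ''
+iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
+# This ensures that we send messages with the correct MTU to any
+# connecting host; without it, the weirdest errors occur
+iptables -A FORWARD -i wg0 -o wg0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+'';
+
+systemd.network = {
+netdevs = {
+"20-wg0" = {
+netdevConfig = {
+Name = "wg0";
+Kind = "wireguard";
+Description = "wg0 - wireguard tunnel";
+};
+
+wireguardConfig = {
+ListenPort = 51820;
+PrivateKeyFile = config.sops.secrets."wireguard/server-key".path;
+# Public key: 73z3Pga/2BCxETYM/qCT2FM1JUCUvQ+Cp+8ROxjhu0w=
+};
+
+wireguardPeers = [
+{
+# yui
+wireguardPeerConfig = {
+AllowedIPs = ["10.45.249.2/32"];
+PublicKey = "5mlnqEVJWks5OqgeFA2bLIrvST9TlCE81Btl+j4myz0=";
+};
+}
+
+{
+# yuanyuan
+wireguardPeerConfig = {
+AllowedIPs = ["10.45.249.10/32"];
+PublicKey = "0UsFE2atz/O5P3OKQ8UHyyyGQNJbp1MeIWUJLuoerwE=";
+};
+}
+];
+};
+};
+
+networks = {
+"20-wg0" = {
+matchConfig.Name = "wg0";
+
+networkConfig = {
+Address = [
+"10.45.249.1/32"
+# TODO(tlater): Add IPv6 whenever that becomes relevant
+];
+
+IPForward = "yes";
+IPv4ProxyARP = "yes";
+};
+
+routes = [
+{
+routeConfig = {
+Source = "10.45.249.0/24";
+Destination = "10.45.249.0/24";
+Gateway = "10.45.249.1";
+GatewayOnLink = "no";
+};
+}
+];
+
+linkConfig.RequiredForOnline = "no";
+};
+};
+};
+}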
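Review bot: Nothing in this file opens UDP 51820 on the host firewall: `ListenPort = 51820;` has no matching `networking.firewall.allowedUDPPorts = [51820];`, and the firewall block visible in the first file of this commit shows only `allowedTCPPorts`, so unless the port is opened in a part of the configuration not shown here the NixOS firewall will drop the handshakes from yui and yuanyuan. `IPForward = "yes";` on the wg0 network is, in systemd-networkd of this period, a host-global setting rather than a per-interface one, so it also enables forwarding across eth0; it is worth confirming that the FORWARD chain's default policy is DROP so that the two `iptables -A FORWARD` rules in `extraCommands` remain the only forwarding path. Those rules are appended to a chain the NixOS firewall does not appear to flush on reload, so repeated firewall restarts accumulate duplicate rules; guarding each with `iptables -C … 2>/dev/null || iptables -A …`, or deleting them in `networking.firewall.extraStopCommands`, keeps the chain deterministic. The `# Public key:` comment records one server key, but this commit adds a separately encrypted `wireguard/server-key` to both the production and the staging secret files; say which environment that public key belongs to.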
@ -1,22 +1,34 @@
|
||||||
{
|
{
|
||||||
sops = {
|
sops = {
|
||||||
defaultSopsFile = ../keys/production.yaml;
|
defaultSopsFile = ../keys/production.yaml;
|
||||||
secrets."nextcloud/tlater" = {
|
|
||||||
|
secrets = {
|
||||||
|
"nextcloud/tlater" = {
|
||||||
owner = "nextcloud";
|
owner = "nextcloud";
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
};
|
};
|
||||||
secrets."steam/tlater" = {};
|
|
||||||
secrets."heisenbridge/as-token" = {};
|
"steam/tlater" = {};
|
||||||
secrets."heisenbridge/hs-token" = {};
|
|
||||||
secrets."turn/env" = {};
|
"heisenbridge/as-token" = {};
|
||||||
secrets."turn/secret" = {
|
"heisenbridge/hs-token" = {};
|
||||||
|
|
||||||
|
"wireguard/server-key" = {
|
||||||
|
owner = "root";
|
||||||
|
group = "systemd-network";
|
||||||
|
mode = "0440";
|
||||||
|
};
|
||||||
|
|
||||||
|
"turn/env" = {};
|
||||||
|
"turn/secret" = {
|
||||||
owner = "turnserver";
|
owner = "turnserver";
|
||||||
};
|
};
|
||||||
secrets."turn/ssl-key" = {
|
"turn/ssl-key" = {
|
||||||
owner = "turnserver";
|
owner = "turnserver";
|
||||||
};
|
};
|
||||||
secrets."turn/ssl-cert" = {
|
"turn/ssl-cert" = {
|
||||||
owner = "turnserver";
|
owner = "turnserver";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
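Review bot: The new `"wireguard/server-key"` entry is the only secret here with an explicit `mode`, and nothing says why it needs `group = "systemd-network"` and `mode = "0440"`; a comment such as `# Read by systemd-networkd (runs as systemd-network) via the wg0 netdev's PrivateKeyFile; group-readable, never world-readable` would keep a later edit from "simplifying" it back to root-only and silently breaking the tunnel. Keeping `owner = "root"` with group read is the least-privilege shape for this, since networkd only needs to read the file. The move from `secrets."x" = …` to a nested `secrets = { … }` set is a pure restructuring for the other entries and changes no permissions.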
@ -5,6 +5,8 @@ steam:
|
||||||
heisenbridge:
|
heisenbridge:
|
||||||
as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
|
as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
|
||||||
hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
|
hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
|
||||||
|
wireguard:
|
||||||
|
server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str]
|
||||||
turn:
|
turn:
|
||||||
env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
|
env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
|
||||||
secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
|
secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
|
||||||
|
@ -17,8 +19,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2023-02-21T10:51:11Z"
|
lastmodified: "2023-04-23T17:34:53Z"
|
||||||
mac: ENC[AES256_GCM,data:uMqT+7ljd6t1RpF9IH7illO62pq5cERoAtJlRic5BNOeawy/+7ufVorhhya15m39WTKnlGyIY0MEd3tDueHBm4rjf+Pmh6PQ+owRv+deXHv0jXYWX2sz/6i1aYbv9DDMWsvNbkdidKEme+ctY6EVgjSjN5nxxcx+vH+u1OyQ3t0=,iv:VKXznTlMH34SOS+4dpfOVaoiiUTRmIbUMnTPNpyawvY=,tag:onA5C4o/tcGjdBxO9JxMGw==,type:str]
|
mac: ENC[AES256_GCM,data:UaGB4uwmYGVbKud5KrvdKeYTnYrs8nnQsT590KIS/b/9JhpQo5JXFtHsm1AteEBg9ygmY6tYKDcK4AXwz/uR/m3CW5If03dBNG8F9Uy3dPL5KaebC/EsNVIaRavWTbSZgqhnBgYeM+HkeQPskSWuwviSNU0D7d1n98Q89Y0kQfA=,iv:kEsRh8hb1amd2qozyxwYHCHdX80c2mO5Mm7npKX3DKc=,tag:p5GPd0OZvowghT92pxxXeA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2022-10-12T00:46:51Z"
|
- created_at: "2022-10-12T00:46:51Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
|
@ -5,6 +5,8 @@ steam:
|
||||||
heisenbridge:
|
heisenbridge:
|
||||||
as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
|
as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
|
||||||
hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
|
hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
|
||||||
|
wireguard:
|
||||||
|
server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
|
||||||
turn:
|
turn:
|
||||||
env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
|
env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
|
||||||
secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
|
secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
|
||||||
|
@ -17,8 +19,8 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2023-02-21T08:32:04Z"
|
lastmodified: "2023-04-23T17:35:16Z"
|
||||||
mac: ENC[AES256_GCM,data:ZZtL4zYX7FsYeGJ1CcTq5AzRkrvOxIeCoVf77JyEj9k3gApm3k7z2eXe/D+8qvwahlleuvAqhVCUH/I5yHaQSjXXsHO1flULiTnQVk4hrX0fDwXp97NQwpvDovSRyGqx4F25dISfYLVhFpb+64yaPxqMzThVk+Q7Xn40GCY5PR8=,iv:xNeyqB5K2EBDDJEq72IDwpGqzKkAlcxHO6GlJY/iHmM=,tag:Qxz0GTQ/I4EsZhFZh2VxKg==,type:str]
|
mac: ENC[AES256_GCM,data:4cW8k6o3jET8k+yJGyApjOyuSUQb+d+4wX/RTNnpbt+867sExQrZUrOMif/u8S4WmcKVSJgvrzuxK9hpDPYhJ1d/5YuHH1Dyj7QDRdhbZYHhkpPus0ZVTEpSknZzx2eWH1ch/fyJJknlrBlfb/tz50Dv+w9mhkL7qteaIq+Vmsc=,iv:YMfAuGwu1kAM0wGkq3kzVMnC72yo7ZT04BuEwoLRPIA=,tag:6I1VRzteRaLuxN+sfLA5Mw==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2022-10-12T16:48:23Z"
|
- created_at: "2022-10-12T16:48:23Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|