diff --git a/flake.lock b/flake.lock index 11dd040..9a6e5d2 100644 --- a/flake.lock +++ b/flake.lock @@ -151,11 +151,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1717742034, - "narHash": "sha256-RUkjSjGHLMPmAAGewe4NoBt+CcHQI+NaGuJoz3neu1w=", + "lastModified": 1717742737, + "narHash": "sha256-PApHCrcFq7s9AXQDiCeMl/5w0IYqkjIeASZtmBkx9C8=", "owner": "mrvandalo", "repo": "clan-fact-generators", - "rev": "7301a98cefa9b8573c203d645ebabc7c103452d7", + "rev": "631b3981260e18a54cf0e03f4a7bdf5c1c4bac1a", "type": "github" }, "original": { diff --git a/nixos/machines/cherry/configuration.nix b/nixos/machines/cherry/configuration.nix index cb0ed09..4744557 100644 --- a/nixos/machines/cherry/configuration.nix +++ b/nixos/machines/cherry/configuration.nix @@ -9,10 +9,10 @@ ./hardware-configuration ./syncthing.nix - ./tinc.nix - ./qemu.nix - ./wireguard.nix + + ./network-tinc.nix + ./network-wireguard.nix ./37c3.nix diff --git a/nixos/machines/cherry/tinc.nix b/nixos/machines/cherry/network-tinc.nix similarity index 100% rename from nixos/machines/cherry/tinc.nix rename to nixos/machines/cherry/network-tinc.nix diff --git a/nixos/machines/cherry/wireguard.nix b/nixos/machines/cherry/network-wireguard.nix similarity index 52% rename from nixos/machines/cherry/wireguard.nix rename to nixos/machines/cherry/network-wireguard.nix index 5ee8a36..2cab941 100644 --- a/nixos/machines/cherry/wireguard.nix +++ b/nixos/machines/cherry/network-wireguard.nix 
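Review bot: `./qemu.nix` disappears from cherry's `imports` here (and from cream's in its configuration.nix hunk further down), yet no deletion or rename of a `qemu.nix` appears anywhere in this diff, so unless it is handled elsewhere in the commit the file is left in the machine directory as unreferenced configuration. If dropping the QEMU module is intentional it is a functional change hidden inside a rename commit and deserves a line in the message; if not, `./qemu.nix` should go back alongside the `./network-*.nix` entries. The `imports` list begins before and ends after the hunk.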
@@ -1,24 +1,31 @@ -{ config, factsGenerator, ... }: +{ config, factsGenerator, clanLib, ... }: { networking.firewall.allowedUDPPorts = [ 51820 ]; clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; }; + clanCore.facts.services.wireguard_ip = factsGenerator.public { + "wireguard.wg0.cidr" = "10.100.0.7/32"; + "wireguard.wg0.ip" = "10.100.0.7"; + }; # Enable WireGuard networking.wg-quick.interfaces = { # Hub and Spoke Setup # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/ wg0 = { - address = [ "10.100.0.7/32" ]; + address = [ + config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value + ]; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path; mtu = 1280; peers = [ { - publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub"); - allowedIPs = [ "10.100.0.1/24" ]; - #endpoint = "ingolf-wagner.de:51820"; - endpoint = "95.216.66.212:51820"; + publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi"; + allowedIPs = [ + (clanLib.readFact "wireguard.wg0.cidr" "orbi") + ]; + endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi"; } ]; }; diff --git a/nixos/machines/cherry/tinc_retiolum.nix b/nixos/machines/cherry/tinc_retiolum.nix deleted file mode 100644 index 8f0d58f..0000000 --- a/nixos/machines/cherry/tinc_retiolum.nix +++ /dev/null 
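Review bot: The new `clanCore.facts.services.wireguard_ip` block publishes `wireguard.wg0.cidr`, and in this same commit orbi's `network-wireguard.nix` collects that fact from every machine and uses it verbatim as the peer's `allowedIPs`, so the `/32` here is not only this interface's address but the hub's cryptokey-routing entry for cherry and must stay a single host inside the hub's 10.100.0.0/24. A comment above the fact would keep it from being widened casually, e.g. `# read by orbi/network-wireguard.nix as this peer's allowedIPs — keep it a single /32`. `wireguard.wg0.ip` is not read by anything in this diff; if no other module consumes it, it is a second copy of the address that has to be kept in sync with the cidr by hand. The chungus and cream `network-wireguard.nix` hunks make the identical change and need the same comment. The module's closing brace lies outside the hunk.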
@@ -1,28 +0,0 @@
-{ config, factsGenerator, ... }:
-{
-
- clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
-
- networking.retiolum.port = 720;
- networking.retiolum.nodename = "sol";
-
- services.tinc.networks.retiolum = {
- ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
- rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
- };
-
- #fileSystems."/retiolum/sicily" = {
- # device = "//sicily.r/tonne";
- # fsType = "cifs";
- # options = [
- # "guest"
- # "nofail"
- # "noauto"
- # "ro"
- # "rsize=16777216"
- # "cache=loose"
- # "x-systemd.after=network.target"
- # ];
- #};
-
-}
diff --git a/nixos/machines/chungus/network-wireguard.nix b/nixos/machines/chungus/network-wireguard.nix
index f1cde16..fa22c0a 100644
--- a/nixos/machines/chungus/network-wireguard.nix
+++ b/nixos/machines/chungus/network-wireguard.nix
@@ -1,24 +1,31 @@ -{ pkgs, config, factsGenerator, ... }: +{ config, factsGenerator, clanLib, ... }: { networking.firewall.allowedUDPPorts = [ 51820 ]; clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; }; + clanCore.facts.services.wireguard_ip = factsGenerator.public { + "wireguard.wg0.cidr" = "10.100.0.2/32"; + "wireguard.wg0.ip" = "10.100.0.2"; + }; # Enable WireGuard networking.wg-quick.interfaces = { # Hub and Spoke Setup # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/ wg0 = { - address = [ "10.100.0.2/32" ]; + address = [ + config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value + ]; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path; mtu = 1280; peers = [ { - publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub"); - allowedIPs = [ "10.100.0.1/24" ]; - #endpoint = "ingolf-wagner.de:51820"; - endpoint = "95.216.66.212:51820"; + publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi"; + allowedIPs = [ + (clanLib.readFact "wireguard.wg0.cidr" "orbi") + ]; + endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi"; persistentKeepalive = 25; } ]; diff --git a/nixos/machines/cream/configuration.nix b/nixos/machines/cream/configuration.nix index 12eaef8..6f21617 100644 --- a/nixos/machines/cream/configuration.nix +++ b/nixos/machines/cream/configuration.nix @@ -9,11 +9,11 @@ ./hardware-configuration.nix ./syncthing.nix - ./tinc.nix - ./tinc_retiolum.nix - ./qemu.nix - ./wireguard.nix + + ./network-tinc.nix + ./network-tinc_retiolum.nix + ./network-wireguard.nix #./borg.nix diff --git a/nixos/machines/cream/tinc.nix b/nixos/machines/cream/network-tinc.nix similarity index 100% rename from nixos/machines/cream/tinc.nix rename to nixos/machines/cream/network-tinc.nix 
diff --git a/nixos/machines/cream/tinc_retiolum.nix b/nixos/machines/cream/network-tinc_retiolum.nix similarity index 100% rename from nixos/machines/cream/tinc_retiolum.nix rename to nixos/machines/cream/network-tinc_retiolum.nix diff --git a/nixos/machines/cream/wireguard.nix b/nixos/machines/cream/network-wireguard.nix similarity index 52% rename from nixos/machines/cream/wireguard.nix rename to nixos/machines/cream/network-wireguard.nix index c7d4093..f5c147a 100644 --- a/nixos/machines/cream/wireguard.nix +++ b/nixos/machines/cream/network-wireguard.nix @@ -1,24 +1,31 @@ -{ config, factsGenerator, ... }: +{ config, factsGenerator, clanLib, ... }: { networking.firewall.allowedUDPPorts = [ 51820 ]; clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; }; + clanCore.facts.services.wireguard_ip = factsGenerator.public { + "wireguard.wg0.cidr" = "10.100.0.6/32"; + "wireguard.wg0.ip" = "10.100.0.6"; + }; # Enable WireGuard networking.wg-quick.interfaces = { # Hub and Spoke Setup # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/ wg0 = { - address = [ "10.100.0.6/32" ]; + address = [ + config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value + ]; listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path; mtu = 1280; peers = [ { - publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub"); - allowedIPs = [ "10.100.0.1/24" ]; - #endpoint = "ingolf-wagner.de:51820"; - endpoint = "95.216.66.212:51820"; + publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi"; + allowedIPs = [ + (clanLib.readFact "wireguard.wg0.cidr" "orbi") + ]; + endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi"; } ]; }; diff --git a/nixos/machines/orbi/network-wireguard.nix b/nixos/machines/orbi/network-wireguard.nix index 7b5cdec..2df5eb2 100644 
--- a/nixos/machines/orbi/network-wireguard.nix +++ b/nixos/machines/orbi/network-wireguard.nix @@ -1,16 +1,24 @@ -{ pkgs, config, factsGenerator, ... }: +{ pkgs, config, factsGenerator, clanLib, lib, ... }: let - publicKey = machine: (builtins.readFile "${config.clanCore.clanDir}/machines/${machine}/facts/wireguard.wg0.pub"); + otherMachines = lib.filterAttrs (name: _value: name != "orbi") (clanLib.readFactsFromAllMachines [ "wireguard.wg0.pub" "wireguard.wg0.cidr" ]); + peers = + lib.mapAttrsToList + (_machine: facts: + { + publicKey = facts."wireguard.wg0.pub"; + allowedIPs = [ facts."wireguard.wg0.cidr" ]; + } + ) + otherMachines; in { networking.firewall.allowedUDPPorts = [ 51820 ]; clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; }; clanCore.facts.services.wireguard_ip = factsGenerator.public { - "wireguard.wg0.endpoint" = "95.216.66.212:51820"; - "wireguard.wg0.cidr" = "10.100.0.1/24"; - "wireguard.wg0.ip" = "10.100.0.1"; - }; - + "wireguard.wg0.endpoint" = "95.216.66.212:51820"; + "wireguard.wg0.cidr" = "10.100.0.1/24"; + "wireguard.wg0.ip" = "10.100.0.1"; + }; boot.kernel.sysctl."net.ipv4.ip_forward" = true; @@ -31,28 +39,7 @@ in ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ''; - peers = [ - # server - # ------ - # start at 1 - { - # chungus - publicKey = publicKey "chungus"; - allowedIPs = [ "10.100.0.2/32" ]; - } - # desktops - # -------- - # start at 10 - { - # cream - publicKey = publicKey "cream"; - allowedIPs = [ "10.100.0.6/32" ]; # todo : change ip - } - { - # cherry - publicKey = publicKey "cherry"; - allowedIPs = [ "10.100.0.7/32" ]; # todo : change ip - } + peers = peers ++ [ # mobil devices # ------------- # start at 100
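Review bot: `otherMachines` feeds each machine's self-published `wireguard.wg0.cidr` straight into that peer's `allowedIPs` in `peers`, and nothing checks that the value is a single host inside the hub's 10.100.0.1/24 — a fact with a wider prefix, even from a typo, would make orbi both route that whole range to the peer and accept packets from it carrying those source addresses, because `allowedIPs` is WireGuard's cryptokey-routing table. A cheap guard at the point of use is `allowedIPs = [ (assert lib.hasSuffix "/32" facts."wireguard.wg0.cidr"; facts."wireguard.wg0.cidr") ];`, which fails evaluation instead of silently widening the hub's routing. What `clanLib.readFactsFromAllMachines` returns for a machine that lacks these facts is not visible here; if such machines are included, the `facts."wireguard.wg0.pub"` access in the mapping function fails at eval time, which is worth confirming. The module body continues past the hunk.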
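Review bot: `peers = peers ++ [` looks like a self-reference; it is correct only because the names of a non-recursive attribute set are not in scope for their own values, so the right-hand `peers` resolves to the `let` binding introduced in the first hunk, which a reader has to know to trust the line. Renaming the binding, e.g. `peers = clanPeers ++ [` with `clanPeers = lib.mapAttrsToList …` in the `let`, removes the ambiguity. The `# server … start at 1` / `# desktops … start at 10` comments that documented the 10.100.0.x allocation go away with the hand-written entries, and the scheme now lives only in each spoke's cidr fact, so a one-line comment above this line stating where spoke addresses are now declared would preserve it. The enclosing `wg0` set starts before and ends after the hunk.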