refactor wireguard with clan facts

This commit is contained in:
Ingolf Wagner 2024-06-07 09:34:23 +02:00
parent e2f5437615
commit 58804e2762
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
11 changed files with 65 additions and 85 deletions


@ -151,11 +151,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1717742034,
"narHash": "sha256-RUkjSjGHLMPmAAGewe4NoBt+CcHQI+NaGuJoz3neu1w=",
"lastModified": 1717742737,
"narHash": "sha256-PApHCrcFq7s9AXQDiCeMl/5w0IYqkjIeASZtmBkx9C8=",
"owner": "mrvandalo",
"repo": "clan-fact-generators",
"rev": "7301a98cefa9b8573c203d645ebabc7c103452d7",
"rev": "631b3981260e18a54cf0e03f4a7bdf5c1c4bac1a",
"type": "github"
},
"original": {


@ -9,10 +9,10 @@
./hardware-configuration
./syncthing.nix
./tinc.nix
./qemu.nix
./wireguard.nix
./network-tinc.nix
./network-wireguard.nix
./37c3.nix


@ -1,24 +1,31 @@
{ config, factsGenerator, ... }:
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.7/32";
"wireguard.wg0.ip" = "10.100.0.7";
};
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [ "10.100.0.7/32" ];
address = [
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [
{
publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
allowedIPs = [ "10.100.0.1/24" ];
#endpoint = "ingolf-wagner.de:51820";
endpoint = "95.216.66.212:51820";
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
allowedIPs = [
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
];
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
}
];
};
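Review bot: Replacing the hub peer's `allowedIPs = [ "10.100.0.1/24" ];` with `(clanLib.readFact "wireguard.wg0.cidr" "orbi")` changes WireGuard's cryptokey routing, not just the source of the value: if orbi's cidr fact is a /32 like the spokes' own `wireguard.wg0.cidr` facts (`10.100.0.7/32` here), this machine no longer routes the other spokes' addresses through orbi, and packets orbi forwards from them (it enables `net.ipv4.ip_forward` and the wg0 FORWARD rules) are dropped on this side as outside the peer's allowed range. Orbi's cidr fact is not visible in this diff, so this is inferred; if the hub-and-spoke comment still reflects the intent, keep the subnet as a separate public fact rather than reusing the hub's interface address, e.g. `allowedIPs = [ (clanLib.readFact "<SUBNET_FACT_NAME>" "orbi") ];` (placeholder name, to follow the existing `wireguard.wg0.*` scheme), or add a comment stating why a /32 is now sufficient. The same replacement appears in the network-wireguard.nix hunks for chungus (10.100.0.2) and cream (10.100.0.6). The `wireguard.wg0.endpoint` fact read for orbi is likewise not defined in any visible hunk, so evaluation will fail unless it is generated elsewhere. The enclosing attribute set of this file closes outside the hunk.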


@ -1,28 +0,0 @@
{ config, factsGenerator, ... }:
{
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
};
#fileSystems."/retiolum/sicily" = {
# device = "//sicily.r/tonne";
# fsType = "cifs";
# options = [
# "guest"
# "nofail"
# "noauto"
# "ro"
# "rsize=16777216"
# "cache=loose"
# "x-systemd.after=network.target"
# ];
#};
}


@ -1,24 +1,31 @@
{ pkgs, config, factsGenerator, ... }:
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.2/32";
"wireguard.wg0.ip" = "10.100.0.2";
};
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [ "10.100.0.2/32" ];
address = [
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [
{
publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
allowedIPs = [ "10.100.0.1/24" ];
#endpoint = "ingolf-wagner.de:51820";
endpoint = "95.216.66.212:51820";
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
allowedIPs = [
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
];
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
persistentKeepalive = 25;
}
];


@ -9,11 +9,11 @@
./hardware-configuration.nix
./syncthing.nix
./tinc.nix
./tinc_retiolum.nix
./qemu.nix
./wireguard.nix
./network-tinc.nix
./network-tinc_retiolum.nix
./network-wireguard.nix
#./borg.nix


@ -1,24 +1,31 @@
{ config, factsGenerator, ... }:
{ config, factsGenerator, clanLib, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clanCore.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.6/32";
"wireguard.wg0.ip" = "10.100.0.6";
};
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [ "10.100.0.6/32" ];
address = [
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [
{
publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
allowedIPs = [ "10.100.0.1/24" ];
#endpoint = "ingolf-wagner.de:51820";
endpoint = "95.216.66.212:51820";
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
allowedIPs = [
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
];
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
}
];
};


@ -1,6 +1,15 @@
{ pkgs, config, factsGenerator, ... }:
{ pkgs, config, factsGenerator, clanLib, lib, ... }:
let
publicKey = machine: (builtins.readFile "${config.clanCore.clanDir}/machines/${machine}/facts/wireguard.wg0.pub");
otherMachines = lib.filterAttrs (name: _value: name != "orbi") (clanLib.readFactsFromAllMachines [ "wireguard.wg0.pub" "wireguard.wg0.cidr" ]);
peers =
lib.mapAttrsToList
(_machine: facts:
{
publicKey = facts."wireguard.wg0.pub";
allowedIPs = [ facts."wireguard.wg0.cidr" ];
}
)
otherMachines;
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
@ -11,7 +20,6 @@ in
"wireguard.wg0.ip" = "10.100.0.1";
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
# Enable WireGuard
@ -31,28 +39,7 @@ in
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
'';
peers = [
# server
# ------
# start at 1
{
# chungus
publicKey = publicKey "chungus";
allowedIPs = [ "10.100.0.2/32" ];
}
# desktops
# --------
# start at 10
{
# cream
publicKey = publicKey "cream";
allowedIPs = [ "10.100.0.6/32" ]; # todo : change ip
}
{
# cherry
publicKey = publicKey "cherry";
allowedIPs = [ "10.100.0.7/32" ]; # todo : change ip
}
peers = peers ++ [
# mobil devices
# -------------
# start at 100