refactor wireguard with clan facts
This commit is contained in:
parent
e2f5437615
commit
58804e2762
11 changed files with 65 additions and 85 deletions
|
@ -151,11 +151,11 @@
|
|||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717742034,
|
||||
"narHash": "sha256-RUkjSjGHLMPmAAGewe4NoBt+CcHQI+NaGuJoz3neu1w=",
|
||||
"lastModified": 1717742737,
|
||||
"narHash": "sha256-PApHCrcFq7s9AXQDiCeMl/5w0IYqkjIeASZtmBkx9C8=",
|
||||
"owner": "mrvandalo",
|
||||
"repo": "clan-fact-generators",
|
||||
"rev": "7301a98cefa9b8573c203d645ebabc7c103452d7",
|
||||
"rev": "631b3981260e18a54cf0e03f4a7bdf5c1c4bac1a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -9,10 +9,10 @@
|
|||
./hardware-configuration
|
||||
|
||||
./syncthing.nix
|
||||
./tinc.nix
|
||||
|
||||
./qemu.nix
|
||||
./wireguard.nix
|
||||
|
||||
./network-tinc.nix
|
||||
./network-wireguard.nix
|
||||
|
||||
./37c3.nix
|
||||
|
||||
|
|
|
@ -1,24 +1,31 @@
|
|||
{ config, factsGenerator, ... }:
|
||||
{ config, factsGenerator, clanLib, ... }:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
|
||||
clanCore.facts.services.wireguard_ip = factsGenerator.public {
|
||||
"wireguard.wg0.cidr" = "10.100.0.7/32";
|
||||
"wireguard.wg0.ip" = "10.100.0.7";
|
||||
};
|
||||
|
||||
# Enable WireGuard
|
||||
networking.wg-quick.interfaces = {
|
||||
# Hub and Spoke Setup
|
||||
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
|
||||
wg0 = {
|
||||
address = [ "10.100.0.7/32" ];
|
||||
address = [
|
||||
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
|
||||
];
|
||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
|
||||
mtu = 1280;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
|
||||
allowedIPs = [ "10.100.0.1/24" ];
|
||||
#endpoint = "ingolf-wagner.de:51820";
|
||||
endpoint = "95.216.66.212:51820";
|
||||
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
|
||||
allowedIPs = [
|
||||
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
|
||||
];
|
||||
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
|
||||
}
|
||||
];
|
||||
};
|
|
@ -1,28 +0,0 @@
|
|||
{ config, factsGenerator, ... }:
|
||||
{
|
||||
|
||||
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
|
||||
|
||||
networking.retiolum.port = 720;
|
||||
networking.retiolum.nodename = "sol";
|
||||
|
||||
services.tinc.networks.retiolum = {
|
||||
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
|
||||
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
|
||||
};
|
||||
|
||||
#fileSystems."/retiolum/sicily" = {
|
||||
# device = "//sicily.r/tonne";
|
||||
# fsType = "cifs";
|
||||
# options = [
|
||||
# "guest"
|
||||
# "nofail"
|
||||
# "noauto"
|
||||
# "ro"
|
||||
# "rsize=16777216"
|
||||
# "cache=loose"
|
||||
# "x-systemd.after=network.target"
|
||||
# ];
|
||||
#};
|
||||
|
||||
}
|
|
@ -1,24 +1,31 @@
|
|||
{ pkgs, config, factsGenerator, ... }:
|
||||
{ config, factsGenerator, clanLib, ... }:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
|
||||
clanCore.facts.services.wireguard_ip = factsGenerator.public {
|
||||
"wireguard.wg0.cidr" = "10.100.0.2/32";
|
||||
"wireguard.wg0.ip" = "10.100.0.2";
|
||||
};
|
||||
|
||||
# Enable WireGuard
|
||||
networking.wg-quick.interfaces = {
|
||||
# Hub and Spoke Setup
|
||||
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
|
||||
wg0 = {
|
||||
address = [ "10.100.0.2/32" ];
|
||||
address = [
|
||||
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
|
||||
];
|
||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
|
||||
mtu = 1280;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
|
||||
allowedIPs = [ "10.100.0.1/24" ];
|
||||
#endpoint = "ingolf-wagner.de:51820";
|
||||
endpoint = "95.216.66.212:51820";
|
||||
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
|
||||
allowedIPs = [
|
||||
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
|
||||
];
|
||||
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
|
||||
persistentKeepalive = 25;
|
||||
}
|
||||
];
|
||||
|
|
|
@ -9,11 +9,11 @@
|
|||
./hardware-configuration.nix
|
||||
|
||||
./syncthing.nix
|
||||
./tinc.nix
|
||||
./tinc_retiolum.nix
|
||||
|
||||
./qemu.nix
|
||||
./wireguard.nix
|
||||
|
||||
./network-tinc.nix
|
||||
./network-tinc_retiolum.nix
|
||||
./network-wireguard.nix
|
||||
|
||||
#./borg.nix
|
||||
|
||||
|
|
|
@ -1,24 +1,31 @@
|
|||
{ config, factsGenerator, ... }:
|
||||
{ config, factsGenerator, clanLib, ... }:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
|
||||
clanCore.facts.services.wireguard_ip = factsGenerator.public {
|
||||
"wireguard.wg0.cidr" = "10.100.0.6/32";
|
||||
"wireguard.wg0.ip" = "10.100.0.6";
|
||||
};
|
||||
|
||||
# Enable WireGuard
|
||||
networking.wg-quick.interfaces = {
|
||||
# Hub and Spoke Setup
|
||||
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
|
||||
wg0 = {
|
||||
address = [ "10.100.0.6/32" ];
|
||||
address = [
|
||||
config.clanCore.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
|
||||
];
|
||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
|
||||
mtu = 1280;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = (builtins.readFile "${config.clanCore.clanDir}/machines/orbi/facts/wireguard.wg0.pub");
|
||||
allowedIPs = [ "10.100.0.1/24" ];
|
||||
#endpoint = "ingolf-wagner.de:51820";
|
||||
endpoint = "95.216.66.212:51820";
|
||||
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
|
||||
allowedIPs = [
|
||||
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
|
||||
];
|
||||
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
|
||||
}
|
||||
];
|
||||
};
|
|
@ -1,6 +1,15 @@
|
|||
{ pkgs, config, factsGenerator, ... }:
|
||||
{ pkgs, config, factsGenerator, clanLib, lib, ... }:
|
||||
let
|
||||
publicKey = machine: (builtins.readFile "${config.clanCore.clanDir}/machines/${machine}/facts/wireguard.wg0.pub");
|
||||
otherMachines = lib.filterAttrs (name: _value: name != "orbi") (clanLib.readFactsFromAllMachines [ "wireguard.wg0.pub" "wireguard.wg0.cidr" ]);
|
||||
peers =
|
||||
lib.mapAttrsToList
|
||||
(_machine: facts:
|
||||
{
|
||||
publicKey = facts."wireguard.wg0.pub";
|
||||
allowedIPs = [ facts."wireguard.wg0.cidr" ];
|
||||
}
|
||||
)
|
||||
otherMachines;
|
||||
in
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
|
@ -11,7 +20,6 @@ in
|
|||
"wireguard.wg0.ip" = "10.100.0.1";
|
||||
};
|
||||
|
||||
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
|
||||
|
||||
# Enable WireGuard
|
||||
|
@ -31,28 +39,7 @@ in
|
|||
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
|
||||
'';
|
||||
|
||||
peers = [
|
||||
# server
|
||||
# ------
|
||||
# start at 1
|
||||
{
|
||||
# chungus
|
||||
publicKey = publicKey "chungus";
|
||||
allowedIPs = [ "10.100.0.2/32" ];
|
||||
}
|
||||
# desktops
|
||||
# --------
|
||||
# start at 10
|
||||
{
|
||||
# cream
|
||||
publicKey = publicKey "cream";
|
||||
allowedIPs = [ "10.100.0.6/32" ]; # todo : change ip
|
||||
}
|
||||
{
|
||||
# cherry
|
||||
publicKey = publicKey "cherry";
|
||||
allowedIPs = [ "10.100.0.7/32" ]; # todo : change ip
|
||||
}
|
||||
peers = peers ++ [
|
||||
# mobil devices
|
||||
# -------------
|
||||
# start at 100
|
||||
|
|
Loading…
Reference in a new issue