wireguard re-do

2023-08-09 20:53:22 +01:00 · 2023-08-09 20:53:22 +01:00 · d58fa2e1bb
parent e57e3089e1
commit d58fa2e1bb
14 changed files with 129 additions and 121 deletions
--- a/data/chaos_wireguard_internal.nix
+++ b/data/chaos_wireguard_internal.nix
@ -0,0 +1,24 @@
 {}: rec {
  all = "10.69.42.1/32";
  hosts = {
    hetzner-vm = {
      ip = "10.69.42.1";
      public = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
      endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
    };
    vault = {
      ip = "10.69.42.2";
      public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
      endpoint = "vault.servers.genderfucked.monster:51820";
    };
    iphone8 = {
      ip = "10.69.42.3";
      public = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
    };
    lappy-t495 = {
      ip = "10.69.42.4";
      public = "rEioKieZqI3UaJGGaSC/yaHfdZE9VKpsq355x4dHgCs=";
    };
  };
 }
--- a/hosts/hetzner-vm/containers/mail/mail.nix
+++ b/hosts/hetzner-vm/containers/mail/mail.nix
@ -6,10 +6,6 @@
  pkgs,
  ...
 }: let
  container-addresses = import ../../data/container-addresses.nix {};
  hostIP = container-addresses.host;
  containerIP = container-addresses.containers.mail;
  ports = [
    # SMTP
    25
@ -41,9 +37,7 @@
 in {
  containers.mail = {
    autoStart = true;
-    privateNetwork = true;
+
    hostAddress = hostIP;
    localAddress = containerIP;
    bindMounts = lib.mkMerge [
      (lib.mkMerge (lib.forEach secrets_list (secret_name: let
        path = "${secrets.${secret_name}.path}";
@ -75,8 +69,6 @@ in {
          profiles.base
          inputs.home-manager-unstable.nixosModules.home-manager
          profiles.sshd
          modules.nixos.secrets
          users.root
@ -95,8 +87,7 @@ in {
      ];
      networking.firewall = {
-        enable = true;
+        enable = false;
        allowedTCPPorts = [22] ++ ports;
      };
      home-manager.users.root = {
@ -135,10 +126,8 @@ in {
    };
  };
-  networking.nat.forwardPorts = lib.forEach ports (
+  networking.firewall = {
-    port: {
+    allowedTCPPorts = ports;
-      sourcePort = port;
+    allowedUDPPorts = ports;
-      destination = "${containerIP}\:${toString port}";
+  };
    }
  );
 }
--- a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
+++ b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
@ -23,6 +23,8 @@ in {
      $config['product_name'] = 'Chaos Mail';
      $config['username_domain'] = "owo.monster";
      $config['username_domain_forced'] = true;
      $config['log_driver'] = 'syslog';
      $config['smtp_debug'] = true;
    '';
    extra_aliases_file = "${secrets.private_mail_aliases.path}";
@ -56,6 +58,12 @@ in {
  ];
  config.services.nginx.virtualHosts."mail.owo.monster" = {
    listen = [
      {
        addr = "127.0.0.1";
        port = 8089;
      }
    ];
    extraConfig = "listen unix:/var/sockets/roundcube.sock;";
  };
 }
--- a/hosts/hetzner-vm/hetzner-vm.nix
+++ b/hosts/hetzner-vm/hetzner-vm.nix
@ -12,6 +12,7 @@
    profiles.sshd
    profiles.nginx
    profiles.nix-gc
    profiles.kernels.latest
    ./containers/storage/storage.nix
    ./containers/social/social.nix
--- a/hosts/hetzner-vm/profiles/wireguard.nix
+++ b/hosts/hetzner-vm/profiles/wireguard.nix
@ -1,24 +1,32 @@
 {config, ...}: let
  secrets = config.services.secrets.secrets;
  data = import ../../../data/chaos_wireguard_internal.nix {};
 in {
  networking.wg-quick.interfaces = {
    wg0 = {
-      address = ["10.69.42.1/32"];
+      address = ["${data.hosts.hetzner-vm.ip}/32"];
      listenPort = 51820;
      privateKeyFile = "${secrets.wg_privkey.path}";
      peers = [
        # vault
        {
-          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+          publicKey = "${data.hosts.vault.public}";
          presharedKeyFile = "${secrets.wg_preshared_vault.path}";
-          endpoint = "vault.servers.genderfucked.monster:51820";
+          endpoint = "${data.hosts.vault.endpoint}";
-          allowedIPs = ["10.69.42.3/32"];
+          allowedIPs = ["${data.hosts.vault.ip}/32"];
        }
        # iphone8
        {
-          publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+          publicKey = "${data.hosts.iphone8.public}";
          presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
-          allowedIPs = ["10.69.42.5/32"];
+          allowedIPs = ["${data.hosts.iphone8.ip}/32"];
        }
        # lappy-t495
        {
          publicKey = "${data.hosts.lappy-t495.public}";
          presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
          allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
        }
      ];
    };
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -36,6 +36,12 @@
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > $secretFile
        '';
      };
      wg_preshared_lappy-t495 = {
        path = "/secrets/wg_preshared_lappy-t495";
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.lappy_t495" > $secretFile
        '';
      };
      # Container: music
      mpd_control_password = {
--- a/hosts/lappy-t495/lappy-t495.nix
+++ b/hosts/lappy-t495/lappy-t495.nix
@ -9,6 +9,8 @@
    presets.nixos.laptop
    presets.nixos.encrypted-usb
    hosts.lappy-t495.profiles.wireguard
    ./secrets.nix
  ];
--- a/hosts/lappy-t495/profiles/wireguard.nix
+++ b/hosts/lappy-t495/profiles/wireguard.nix
@ -0,0 +1,32 @@
 {config, ...}: let
  secrets = config.services.secrets.secrets;
  data = import ../../../data/chaos_wireguard_internal.nix {};
 in {
  networking.firewall.trustedInterfaces = ["wg0"];
  networking.wg-quick.interfaces = {
    wg0 = {
      autostart = false;
      address = ["${data.hosts.lappy-t495.ip}/32"];
      privateKeyFile = "${secrets.wg_priv.path}";
      peers = [
        # hetzner-vm
        {
          publicKey = "${data.hosts.hetzner-vm.public}";
          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
          allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
          endpoint = "${data.hosts.hetzner-vm.endpoint}";
          persistentKeepalive = 25;
        }
        # vault
        {
          publicKey = "${data.hosts.vault.public}";
          presharedKeyFile = "${secrets.wg_preshared_vault.path}";
          allowedIPs = ["${data.hosts.vault.ip}/32"];
          endpoint = "${data.hosts.vault.endpoint}";
          persistentKeepalive = 25;
        }
      ];
    };
  };
 }
--- a/hosts/lappy-t495/secrets.nix
+++ b/hosts/lappy-t495/secrets.nix
@ -37,6 +37,23 @@
          echo "RESTIC_PASSWORD=''${restic_password}" >> $secretFile
        '';
      };
      # for internal wireguard VPN
      wg_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .private > $secretFile
        '';
      };
      wg_preshared_hetzner-vm = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.hetzner_vm > $secretFile
        '';
      };
      wg_preshared_vault = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.vault > $secretFile
        '';
      };
    };
  };
 }
--- a/hosts/tablet/profiles/wireguard.nix
+++ b/hosts/tablet/profiles/wireguard.nix
@ -1,39 +0,0 @@
 {config, ...}: let
  secrets = config.services.secrets.secrets;
 in {
  networking.firewall.trustedInterfaces = ["wg0"];
  networking.wg-quick.interfaces = {
    wg0 = {
      autostart = false;
      address = ["10.69.42.2/32"];
      privateKeyFile = "${secrets.wg_priv.path}";
      peers = [
        # hetzner-vm
        {
          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
          allowedIPs = ["10.69.42.1/32"];
          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
          persistentKeepalive = 25;
        }
        # vault
        {
          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
          presharedKeyFile = "${secrets.wg_preshared_vault.path}";
          allowedIPs = ["10.69.42.3/32"];
          endpoint = "vault.servers.genderfucked.monster:51820";
          persistentKeepalive = 25;
        }
        # storage
        {
          publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
          presharedKeyFile = "${secrets.wg_preshared_storage.path}";
          allowedIPs = ["10.69.42.4/32"];
          endpoint = "storage.servers.genderfucked.monster:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
 }
--- a/hosts/tablet/secrets.nix
+++ b/hosts/tablet/secrets.nix
@ -10,36 +10,6 @@
          simple_get "/api-keys/music-stream" .password > $secretFile
        '';
      };
      wg_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $secretFile
        '';
      };
      wg_preshared_hetzner-vm = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $secretFile
        '';
      };
      wg_preshared_vault = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $secretFile
        '';
      };
      wg_preshared_storage = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $secretFile
        '';
      };
      wg_harry_priv = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/harry/tablet" .private > $secretFile
        '';
      };
      wg_harry_preshared = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/harry/tablet" .preshared_keys.main > $secretFile
        '';
      };
    };
  };
 }
--- a/hosts/vault/profiles/wireguard.nix
+++ b/hosts/vault/profiles/wireguard.nix
@ -1,39 +1,33 @@
 {config, ...}: let
  secrets = config.services.secrets.secrets;
  data = import ../../../data/chaos_wireguard_internal.nix {};
 in {
  networking.wg-quick.interfaces = {
    wg0 = {
-      address = ["10.69.42.3/32"];
+      address = ["10.69.42.2/32"];
      listenPort = 51820;
      privateKeyFile = "${secrets.wg_priv.path}";
      peers = [
        # hetzner-vm
        {
-          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+          publicKey = "${data.hosts.hetzner-vm.public}";
          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
-          allowedIPs = ["10.69.42.1/32"];
+          allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
-          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+          endpoint = "${data.hosts.hetzner-vm.endpoint}";
          persistentKeepalive = 25;
        }
        # tablet
        {
          publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
          presharedKeyFile = "${secrets.wg_preshared_tablet.path}";
          allowedIPs = ["10.69.42.2/32"];
        }
        # storage
        {
          publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
          presharedKeyFile = "${secrets.wg_preshared_storage.path}";
          endpoint = "storage.servers.genderfucked.monster:51820";
          allowedIPs = ["10.69.42.4/32"];
        }
        # iphone8
        {
-          publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
+          publicKey = "${data.hosts.iphone8.public}";
          presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
-          allowedIPs = ["10.69.42.5/32"];
+          allowedIPs = ["${data.hosts.iphone8.ip}/32"];
        }
        # lappy-t495
        {
          publicKey = "${data.hosts.lappy-t495.public}";
          presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
          allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
        }
      ];
    };
--- a/hosts/vault/secrets.nix
+++ b/hosts/vault/secrets.nix
@ -24,21 +24,16 @@
          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $secretFile
        '';
      };
      wg_preshared_tablet = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $secretFile
        '';
      };
      wg_preshared_storage = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $secretFile
        '';
      };
      wg_preshared_iphone8 = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $secretFile
        '';
      };
      wg_preshared_lappy-t495 = {
        fetchScript = ''
          simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.lappy_t495" > $secretFile
        '';
      };
    };
  };
 }
--- a/hosts/vault/vault.nix
+++ b/hosts/vault/vault.nix
@ -6,6 +6,7 @@
    profiles.sshd
    profiles.nix-gc
    profiles.nginx
    profiles.kernels.latest
    hosts.vault.profiles.wireguard
    hosts.vault.profiles.vault