chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

wireguard re-do

Browse source
This commit is contained in:
Chaos 2023-08-09 20:53:22 +01:00
parent e57e3089e1
commit d58fa2e1bb
No known key found for this signature in database
14 changed files with 129 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
data/chaos_wireguard_internal.nix Normal file
View file

@ -0,0 +1,24 @@
{}: rec {
all = "10.69.42.1/32";
hosts = {
hetzner-vm = {
ip = "10.69.42.1";
public = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
};
vault = {
ip = "10.69.42.2";
public = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
endpoint = "vault.servers.genderfucked.monster:51820";
};
iphone8 = {
ip = "10.69.42.3";
public = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
};
lappy-t495 = {
ip = "10.69.42.4";
public = "rEioKieZqI3UaJGGaSC/yaHfdZE9VKpsq355x4dHgCs=";
};
};
}

23
hosts/hetzner-vm/containers/mail/mail.nix
View file

@ -6,10 +6,6 @@
pkgs,
...
}: let
container-addresses = import ../../data/container-addresses.nix {};
hostIP = container-addresses.host;
containerIP = container-addresses.containers.mail;
ports = [
# SMTP
25
@ -41,9 +37,7 @@
in {
containers.mail = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
bindMounts = lib.mkMerge [
(lib.mkMerge (lib.forEach secrets_list (secret_name: let
path = "${secrets.${secret_name}.path}";
@ -75,8 +69,6 @@ in {
profiles.base
inputs.home-manager-unstable.nixosModules.home-manager
profiles.sshd
modules.nixos.secrets
users.root
@ -95,8 +87,7 @@ in {
];
networking.firewall = {
enable = true;
allowedTCPPorts = [22] ++ ports;
enable = false;
};
home-manager.users.root = {
@ -135,10 +126,8 @@ in {
};
};
networking.nat.forwardPorts = lib.forEach ports (
port: {
sourcePort = port;
destination = "${containerIP}\:${toString port}";
}
);
networking.firewall = {
allowedTCPPorts = ports;
allowedUDPPorts = ports;
};
}

8
hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
View file

@ -23,6 +23,8 @@ in {
$config['product_name'] = 'Chaos Mail';
$config['username_domain'] = "owo.monster";
$config['username_domain_forced'] = true;
$config['log_driver'] = 'syslog';
$config['smtp_debug'] = true;
'';
extra_aliases_file = "${secrets.private_mail_aliases.path}";
@ -56,6 +58,12 @@ in {
];
config.services.nginx.virtualHosts."mail.owo.monster" = {
listen = [
{
addr = "127.0.0.1";
port = 8089;
}
];
extraConfig = "listen unix:/var/sockets/roundcube.sock;";
};
}

1
hosts/hetzner-vm/hetzner-vm.nix
View file

@ -12,6 +12,7 @@
profiles.sshd
profiles.nginx
profiles.nix-gc
profiles.kernels.latest
./containers/storage/storage.nix
./containers/social/social.nix

20
hosts/hetzner-vm/profiles/wireguard.nix
View file

@ -1,24 +1,32 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["10.69.42.1/32"];
address = ["${data.hosts.hetzner-vm.ip}/32"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_privkey.path}";
peers = [
# vault
{
publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
publicKey = "${data.hosts.vault.public}";
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
endpoint = "vault.servers.genderfucked.monster:51820";
allowedIPs = ["10.69.42.3/32"];
endpoint = "${data.hosts.vault.endpoint}";
allowedIPs = ["${data.hosts.vault.ip}/32"];
}
# iphone8
{
publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
publicKey = "${data.hosts.iphone8.public}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["10.69.42.5/32"];
allowedIPs = ["${data.hosts.iphone8.ip}/32"];
}
# lappy-t495
{
publicKey = "${data.hosts.lappy-t495.public}";
presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
}
];
};

6
hosts/hetzner-vm/secrets.nix
View file

@ -36,6 +36,12 @@
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > $secretFile
'';
};
wg_preshared_lappy-t495 = {
path = "/secrets/wg_preshared_lappy-t495";
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.lappy_t495" > $secretFile
'';
};
# Container: music
mpd_control_password = {

2
hosts/lappy-t495/lappy-t495.nix
View file

@ -9,6 +9,8 @@
presets.nixos.laptop
presets.nixos.encrypted-usb
hosts.lappy-t495.profiles.wireguard
./secrets.nix
];

32
hosts/lappy-t495/profiles/wireguard.nix Normal file
View file

@ -0,0 +1,32 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.firewall.trustedInterfaces = ["wg0"];
networking.wg-quick.interfaces = {
wg0 = {
autostart = false;
address = ["${data.hosts.lappy-t495.ip}/32"];
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "${data.hosts.hetzner-vm.public}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
endpoint = "${data.hosts.hetzner-vm.endpoint}";
persistentKeepalive = 25;
}
# vault
{
publicKey = "${data.hosts.vault.public}";
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
allowedIPs = ["${data.hosts.vault.ip}/32"];
endpoint = "${data.hosts.vault.endpoint}";
persistentKeepalive = 25;
}
];
};
};
}

17
hosts/lappy-t495/secrets.nix
View file

@ -37,6 +37,23 @@
echo "RESTIC_PASSWORD=''${restic_password}" >> $secretFile
'';
};
# for internal wireguard VPN
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .private > $secretFile
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_vault = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.vault > $secretFile
'';
};
};
};
}

39
hosts/tablet/profiles/wireguard.nix
View file

@ -1,39 +0,0 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
networking.firewall.trustedInterfaces = ["wg0"];
networking.wg-quick.interfaces = {
wg0 = {
autostart = false;
address = ["10.69.42.2/32"];
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["10.69.42.1/32"];
endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
persistentKeepalive = 25;
}
# vault
{
publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
presharedKeyFile = "${secrets.wg_preshared_vault.path}";
allowedIPs = ["10.69.42.3/32"];
endpoint = "vault.servers.genderfucked.monster:51820";
persistentKeepalive = 25;
}
# storage
{
publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
presharedKeyFile = "${secrets.wg_preshared_storage.path}";
allowedIPs = ["10.69.42.4/32"];
endpoint = "storage.servers.genderfucked.monster:51820";
persistentKeepalive = 25;
}
];
};
};
}

30
hosts/tablet/secrets.nix
View file

@ -10,36 +10,6 @@
simple_get "/api-keys/music-stream" .password > $secretFile
'';
};
wg_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .private > $secretFile
'';
};
wg_preshared_hetzner-vm = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_vault = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.vault > $secretFile
'';
};
wg_preshared_storage = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/tablet" .preshared_keys.storage > $secretFile
'';
};
wg_harry_priv = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/harry/tablet" .private > $secretFile
'';
};
wg_harry_preshared = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/harry/tablet" .preshared_keys.main > $secretFile
'';
};
};
};
}

32
hosts/vault/profiles/wireguard.nix
View file

@ -1,39 +1,33 @@
{config, ...}: let
secrets = config.services.secrets.secrets;
data = import ../../../data/chaos_wireguard_internal.nix {};
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["10.69.42.3/32"];
address = ["10.69.42.2/32"];
listenPort = 51820;
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
publicKey = "${data.hosts.hetzner-vm.public}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["10.69.42.1/32"];
endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
allowedIPs = ["${data.hosts.hetzner-vm.ip}/32"];
endpoint = "${data.hosts.hetzner-vm.endpoint}";
persistentKeepalive = 25;
}
# tablet
{
publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
presharedKeyFile = "${secrets.wg_preshared_tablet.path}";
allowedIPs = ["10.69.42.2/32"];
}
# storage
{
publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
presharedKeyFile = "${secrets.wg_preshared_storage.path}";
endpoint = "storage.servers.genderfucked.monster:51820";
allowedIPs = ["10.69.42.4/32"];
}
# iphone8
{
publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
publicKey = "${data.hosts.iphone8.public}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["10.69.42.5/32"];
allowedIPs = ["${data.hosts.iphone8.ip}/32"];
}
# lappy-t495
{
publicKey = "${data.hosts.lappy-t495.public}";
presharedKeyFile = "${secrets.wg_preshared_lappy-t495.path}";
allowedIPs = ["${data.hosts.lappy-t495.ip}/32"];
}
];
};

15
hosts/vault/secrets.nix
View file

@ -24,21 +24,16 @@
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.hetzner_vm > $secretFile
'';
};
wg_preshared_tablet = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.tablet > $secretFile
'';
};
wg_preshared_storage = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.storage > $secretFile
'';
};
wg_preshared_iphone8 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" .preshared_keys.iphone8 > $secretFile
'';
};
wg_preshared_lappy-t495 = {
fetchScript = ''
simple_get "/private-public-keys/wireguard/chaos-internal/vault" ".preshared_keys.lappy_t495" > $secretFile
'';
};
};
};
}

1
hosts/vault/vault.nix
View file

@ -6,6 +6,7 @@
profiles.sshd
profiles.nix-gc
profiles.nginx
profiles.kernels.latest
hosts.vault.profiles.wireguard
hosts.vault.profiles.vault