From 40d83f4883a67b3a18186195dffb6fdf17d81765 Mon Sep 17 00:00:00 2001 From: Dmitriy Pleshevskiy Date: Fri, 28 Jul 2023 17:08:13 +0300 Subject: [PATCH] host: init istal server --- .agenix_config.nix | Bin 4714 -> 5467 bytes Makefile | 3 +- data.nix | 3 + .../window_manager/scripts/external_ip.sh | 2 +- nixos/hosts/asus-gl553vd/default.nix | 2 +- nixos/hosts/canigou/data.secret.nix | Bin 78 -> 156 bytes .../canigou/services/update_ru_routes.nix | 23 +++++++ .../canigou/services/update_ru_routes.sh | 53 ++++++++++++++++ nixos/hosts/canigou/services/wireguard.nix | 52 +++++++++------ nixos/hosts/default.nix | 6 ++ nixos/hosts/home/default.nix | 2 +- nixos/hosts/istal/data.secret.nix | Bin 0 -> 154 bytes nixos/hosts/istal/default.nix | 27 ++++++++ nixos/hosts/istal/hardware-configuration.nix | 14 ++++ nixos/hosts/istal/networking.secret.nix | Bin 0 -> 819 bytes nixos/hosts/istal/services/wireguard.nix | 60 ++++++++++++++++++ nixos/modules/wireguard-client.nix | 27 +++++--- nixos/shared/networking.secret.nix | Bin 363 -> 405 bytes secrets/wireguard-istal-private.age | Bin 0 -> 1348 bytes 19 files changed, 243 insertions(+), 31 deletions(-) create mode 100644 nixos/hosts/canigou/services/update_ru_routes.nix create mode 100644 nixos/hosts/canigou/services/update_ru_routes.sh create mode 100644 nixos/hosts/istal/data.secret.nix create mode 100644 nixos/hosts/istal/default.nix create mode 100644 nixos/hosts/istal/hardware-configuration.nix create mode 100644 nixos/hosts/istal/networking.secret.nix create mode 100644 nixos/hosts/istal/services/wireguard.nix create mode 100644 secrets/wireguard-istal-private.age 
diff --git a/.agenix_config.nix b/.agenix_config.nix index c1dea4490412ee3aaf8bcc292460b499b0bd2c8b..c133e78f053f80ae8ed7c92dcb8326653b0e8e76 100644 GIT binary patch literal 5467 zcmV-h6{P9_M@dveQdv+`0M|B@f*$}dSYA1zsHM!or|x| ziuzfECdv{?PH2VBuMSon3>UQu=()A$S~lFm@=8QHLQ`#F>%MI@#uwlM6~&CyhD(KL z0s?X{kk&ZC$CrdfG01+IPr>0Bn?Bfg?k;DiZ60?12Psyk`bytc!R&`4^EjTY`@bht z72|+N7a$cpy`11;x#zeJH8+B`pJaIV7Ww`HqaDMH06^F>h8*FEtK=N>Ubzfy)0Y=3 zE!op_Yoij}M8NGgf2KfAdKw$msm(pw{_(Pq?W@EgV#e+_(XJwK>R}J|)Rcr80ntbM zw{LgF$W#HJ9ZPCF5sv!^epRjSaH*rRuk#Z-OnG!nSCD+DnG118g>0i0(G4BvcNPqb z;Q2q40G;3zc>~~ygZG$nDLRFm+tO}uk@gMN+uIe(#DGzzVP&~@R(s~UDDf-Q*uwi-R?MVdknaR1hyX)lce<#Mj}iCrJ#{f`7E7k2*b zYv0av=`6$%@C8c=_lgq?z*F0i)sQxq<&myB<#ogEhjc>5p${L_Kz%XVoWt%1BS~vY z(@?lWK(eg54-j01UTAZ_D<%vMU3w z9Tdh2a=B!zEIB>S-xr6oTo_j6rLpEykDJbX{ z)(P~x6zF&?X`6@o$20ERY=?i|#*abNdIwj3lfRO^UEBX_%D zt18V4(@a?xEO#naEVk_QBf$BZjO22Lz6pK1prtisynJZk%7&ckBI9aOQfR3_6r|kE zJECI*?=*ODf@|TQ5T8u^(1Zi>d`7A}x$KD;?=5P?=KicdISq(5h}hmuF7IXT-1Rne zUS5*ABx7`cJ&a%ciU#@F6G!Lwnlg5vb9>@Fh%aCaA*vgxH4-4@TI;x3$HpQ&@VM&S zcr?xum5#;W^McU*@n`Uj1^zZ#<4fnF6^^HyXr`OEC2N0lRoDYd-b|2aVbFx!x1*fu zhqKp9e-l`yA~(RwZ%@c1UF5JoaTa^Fca0I55C%TUU#-T1W^7L{KKsqyZGtz;YW&h3 zy>V9Wn(&0wOIXht0x(-&KFD-AAl^dQdUbu?!tNZ#$JaI006o&Y&t8XI@R_HPSxj7S zf$I$4v}-`@IwYnM=3zqNK`bvB_wf0@BgT!Zk)NtYN6Auw z;3CwGA<(Nwby1&roV;)d@biv=I%W`2gZrp`w@}uTxo&O2(^jE_<%UO23bsy`jRvVR zS9H2kahqCqQjzhn`%~AyhMU8ED%N*0lE>btQ>86uc3=@ln6c|Aaa6OcSIcWs6v!(O zSg1M|MKsT6LAc6v6_$+uwsd#cM8*;V{cmlZCB5n7id{OXw1&+P%5+h?{BOP(>~Il8 zlA6yZ7#0i^6~jEQyt_(LXEyO)J>v-7f-#(o%voHvF&TJ}NFZoYxl~=Vh8oth^^)Zne{uOpR1Eke%C;`-(GTwwexBZBL=`ANr>ee z&Y*u}2bqW_L#Aa9l(%OV$5&kdE|Jpb`Lo{rKSa9il13N)0E34R78EPR2`lq(MYK20 z&#F}6w5X7YMgpx>Uw2SZO8{pY-<%zSKPqK{pfo|*YQ!8#1l|_44SfHN`w{saoEg-u z!39lbJeX*Q`80j+{)XsLsyc!ph$G=s2f&V@|4^@C{*LlAU73D4fc*m(pSn=~Y!^G^ zS|-VV(NVfO8cfG-KDF9P)q)f@{f$-@6AafyuO1$MU0>8H($se_qAbTw01p<%T=wF{CygJy_+S14;r3JO`AaMC9ip8hDr>eWIhKGm8m} zc4cyN5(0s!`{N5IIwfg zr^R{$;r1Ci*~{v>)&S^;bS{ev{p8?ZDFFcr+i)d8txFqN+wQ0fH%XEvGI1Zjq1a6f 
zF@ou8MqA&xyA3&l@9sa%xmbofG2y{kiYzX(4;RGo?vp^~56iESiH4hoM291tD{n z_BDA|=*%6uue9qi0ds3kE{$8y`N&8Hp8f54JJZl3MBKXDZ?ZCcTmgbrT(c(oHR+-B z@6}C3#)0~o1ucR|9MtF%25#ovtGcghKyzF`nunN#Grp0VS-=khVo>3385112 z`MtGgSNYoXtfimuv^M+51@<{qwLW3l4$LR3)Sgd!pt~TOFxLz@Auj2a#72vY;82nKI=`Z?}Q*SB7gdFNg>rrFFNaY#P5 z1&0+hk<0Gj$GuWl!_D9Pskh4r!Z#;do6)~VeX18WFB#d1flWfEbiywxToBW<&n1wfP$Jg32nsEJXSLnDN|18!?3aC(`wA&4p z{J&WBRyhz2ZkgwxcjYt%FUTQZ!=C+L>m+QvhE>yhy;8@wB0$5QMU(JHnC;klqUs80 zkk2mw>OW4d8`bA$GAea@;0Lm30SX7PSyT3Ms0B&{I+X9uXBNl|yinIC?|8J}x92m; zk@X=0&vPHf>Mw8j{o*IoE7na3@q*iEU6-1ba;#u%w6(Y8QKsS5D?Ewsvtkk*?~5kb zmaKbvJuO`+x_3?rQ=N+!GR7cP<&~SiC~Q~}v5nSph~B(`cKDBx!%~D~Ar|9Bxm0xj z=>bAde{d2vz6{EJxj5*5;xY@v3L5qQ{lg*QNg*L#eoXf%Y1^fkAjV0n-Dbu#!&>il z7eXmw$%tpEzUJwq&OYk15~g`~i|+RSDFD>SgFCxJOa3OI>Qybb6(jPPz)qv3>?|^J zMl#DN?SueI$P!us-BoB;jN9t9>2lgjmDl`#IXb+UAqU{zlRexY2p!Jj1DEIH5#c-9 zfZg}m@>A`DtEF$iS`uOvT_VC3RUgO--@MIV6JyG>UK*#gRA@kT^@Rr80HgerVxj?z z?Tn}pvIwMc3H7g780&UU^sdD2$Y7DG`>De(d@qqfUIu)EE$u@CXRf<-xZrQu_={zV zEVY!)Jo4?QKT0v0MQ#e7*JG)BpAY*cJ}@_6dp>cV*jL2%UbsV1gXVttzXO4f4CLvl zV|wig^_MZj-f+;Z_G|&sh9hWrzY^7CCjm*4c~Y<#u7)bk#{(jTmSE1N8_Q(3VI>jk zy+aAh4fxRNP^nkxnCe z?jpd=sEPseWG{qXt3}ii(vI=WhlO+WM4k=zr+4bSAAfzc>%1f$chgj*xZM)YaqG9k zG^OfyO`{vn@S+yK#Qxuof=Gt`a+v|Z1uK9&#>B{MM2 z+C$TDddqn-L)dxz#kgoo(~0>}HrKF{kE<{7!~tk85i@{?HRj1$PUB2G(U0ubD!^$zl9AoIE>BV>p3xcc>37+Km8LIZfA$TDxX4D)w7SF7t zD@mF&nC0W#rTP{j@gp8IPH+}|GiNHVL5N1p0#CsIT5wVg;F}0Sc76CM8aSTFGZona z!=Hrq*xDz1$^;^!$zw>TTC3YMb1Ni(jaM-JAuCB|9AAnE#x4D&PB;#vDQX2V2&9S` z4mxK4kYVh9@I4bkrdkBG>Mf%?K-F%8?4<{`eue|j+T5&0HrCw zD_lU`!%(+{a_SroeZ^ad?R|Kg^}Sw>$))v?6?fk*9PsV&>{mf2Ivef*Fb?BR^**hv zCz9jHjE1_fYIm)ZGd9x3Ayq}+Aq%_V!MavNKjPtrYN`;lm*Ws*R}n+ige02>)9Yc7 z4V)Y+c?TMWwG04lm2Nd+2L_n!3*UR7k?4ojx3XQic)e^BTV@yEe$|ZtkdF$vA=!|Z z!vLIXb_lHSiW0C7HC`1^r?6pW+7>Q_6=>%wTi;^gf=tEwt9=fYdiUC5?;eC3%YRgD zcb#P`?#d>n;*}y&>Sv7I%dT3}K}Vv{zSG<>?UM^95Ku|B)lQ4O3^l-tjBaWQn@Ee6%NmCkWw@hc!(AsP55J1qNQBj zqPq+EeQDXH7F=yN&w30(oc(W8fP+uBAjl%j+a6*?BcLHPDhfpY)>a5+p)s~98_(M- 
zRwp`o^!p~9VLT+RfcnnMuKt(m2?G9Ff|R>89~K6HG#Yxi$L?$K*Y%rsUE! z$T~%$VinmR{WS`dQM(9Id{MlOLQHo=%cG^9rvr3N9sieqi`>5UFsPa<&-p18irJJKuK42IhhS;FCfMT0F-pTQmO z5`%(~>q(g3YqHnBQC_{gtC4yG2aj7-bJF2^?jj6|T(24FiW6kT@J7uO@AUTM-g&rq zW^V(m-^w#}1Xu9#CrPr(r^j`h=L24+Yx`R?EASo3ez{dUIxn)*;r#Jc3O|HQ?_UBq z9l^&|Ym2c?jzfvX-_s-ye4mTQ767~Pl}VUFUR5X%u*tgi)wJKt>WQo88~rZ7Uy0rR z=m%1XAn4s;v-%YF>h{t#|E5m#Dp`w24G>LqT*$~_GB&&U*>IiY`GYgfR_dkk#S&zF zUDK%32F5sM&5f9|Xh^{N(vn>7hLt-QDQ5@(F!1@1tG6=A3p9lvv{A=xymu*I+At{| zU<#@NG&wH|2SFzaHcO2jf4)Yu$W^_5d)EQ;X8_Rs9dp zh-*clhtUiO7MNrx=tm@X_|&IK?zXNS+FMQqsc#?nE5A1vxbGD-D!Y)v(a+CtH zO$ss&TGZyU?Td4$Fi z@L5dopOlvhrlvDId$l=sCtit*nf`P+h5|d_GK;@SAj=zdkCN$+;^S?zW}!qv2{G~p z*cuy(y^tL%4!!n=AHdGbB{V**8Pj*Az^ zBBV&*&-PI0=Q}h6+37!@wtO$8MBiO2sDmGrhR=;$Do)iO0FYNFJd9mN`$d6wsp0tb z3W6x8Oww%zb83LA_?Plb&_F0|I#yn{&YO~V;j30^U{Eb7@S({}6#X@q3ZOLD&HLV2 zSparSCz1kQ(HAXO`cA?dCJ_Lt%dm+H%8r|(h^^RXn`wX<8O(FexzM zD0tH>?xwqM{?}I?P{=?G4RmwBTNFpBRrbAk-E+fS?O9h#Zt8fhj@c8Gy` z0%>*Gu~9S7faw79sV^K$%ed%Y2dt3H$NXqBK?59duWMcNN3LhVOVTlm6++yhC6cUZ zBENmaIxyuj&(@9_>bl~|f&*-tHV%3&<^U)=u17Z}oFryfC`33(uH;)WR__=$VDRN= z^Tn1tAGeI2vs=1Mqv{fkEI#z7m{Xs2P>ZwN4}$=s3?7=vS3#|2aFoueCWEC^9)h}a zOW5|0eH{c@hY@#Lv=5*>;E0?m^eDqC*-b7sE;)5tit2H|*=6@!@HK*#CqCTNSj;3| z1;OgE-#NMJzaN;_9&ldm+njM`1zavO% zP88m(wDiew>~TSn)(UU@*$zaYDo>6a2a?)Z0z7!zD6!e6j2#9duoSS<^AZ;)BQm$v Ri^INO?Uq?bcWH}T7fX%5{Gp;ab1vN`bsZ@#QbZO7JXT| zHXE~FI-?D;|37sJVY0F@W@?5VBncCaG-#?Epx6`1-#08sefY{!&gOGf4is12_)g%U z?IU2iuv=c^lDzHx;y##+PjTH+KxIQBgz9fHHV!w6GMJ|MhYOB*u(M&}A*}2|{^{vX z#J9_XSK@@2tG`UNu0!k?nv~GR0Tyhh7!mtmo=v&&CET94tfgfjj<(Vn&&ac0$dDq* zt8yr2F0U%A1r-T5vpkvUCkE(feE-8>kC0sJ7kz?c6cqQFj%><+JG6J;D5AwQt#}XK zZr{8iC)Uq)Xd!9WU;k%RLGMU&90aw5oPn<*QdrjWkzwqFY0unIjGrmcN=nBWnn2*o zfy!@bL~$^-FeRT2cWRLOB-L)6s^Md7aUL;RT*-lj6edPeR?LI`H{1}6m{1VI4Z>3A z-xX-%KfbZ!V{Ca>r(8e^_zh*iDEYo?;{8Y=L*fp(*~|wHW~pFiP0t$k`r&p6Qe+^+ z%JVDD<(p`bfp`*Pz6puka%s9mUhpqb@p@;8Q|NKf{M~4H8%@v8&@m#;cM->wI3c~a zDg4#cKzx9m>sSyX8yAM0TZQTYh^&>NOnYYv%uB^?S+&Xya?vygPTL=MfR=W>Rjk5Y 
zJ2a3PXvW*}YyZ#3!Bp~5K&A~;kfYT0=&(K|wKyDA$1J>J$hs@3gh$?JROR{ygM^Sa z(01KhgC~x~;vDWuL_HnRcnYB7oWy5tO{r~bV4Z}DP?Dp2;W#+a&Wa+4bizq4t|W#e zV?H)=cV%!ah)(fq(iF$7MzS;LX>IwoU+>(#U;2h<_q*_qPAYe*QwbkoR`kP<$aVq zwgRbhVM&i496|aBHh}bwgIT0q3=u+gVGnC+v7!%SCokow%E>_Aj5EJ^NPK?jbxAqr z!C=FvLz<2|%|np|Qz!BlxJW4>NFXB{mTU>4@3SApH#JCUCIPo>P}Qli)rV;gx<>KN z;3H(*^uJ4WovS`f?lQ6}$Tg%m*u;r-&fQv^9)z^QKY#r^Jlzhkcap#tg9jXOi^ zdXM{WjQ^lJI68W%T|=eb`er<}T-ep?k-Mnxa%~_|J!j+9%D6a6cbdru5!szjDkJDp z*Kb%9a$7MDfeob6(Qk=kt2390(??W9?Bp(r%$MA;kKeO1WyFZwykg)=>+b_@^+#y1 z+BlAVbot0?!toV4Yv!iR;0Higsjj+>8+aU>+jqSbc34YVUE4C9PB%PIG>Y9kXwBSZ zXvyDes?5D|CBp1AX~6UKO!y=wd6Ci=jM|RARO!zuS0GwZJ|$7p&et~nLTiJ9f!AYHLl-x1@G9ke1&gYRdk=VMY?e$qL(vS$`vAq)gF zCjg&{Z}BuS7v_GVn?NP%M~VI)J8T}tacg` zf|?Up<&b{sc4Y~S+4R>CH_fe+!L$9OmG&5X>x-PbEnGkjnkdeK4FGMskC*VupTQUG$vc-!s1B$IPV*h76>P*7f^50EXsx1o5d6*R$awR8?z_w?93hTg0Sct zXq>{c&Oa3$)aW~Vn7}b3N&!vYxLc%@@>~OGSkY`mHiw+nM^|9M)k+uOc6$mmvSmpD z@cuNsB}&b(2!k_(#R-;gOKrHQE!mTTVqzd0qUT6*V}Mea*c7Oq#q@p96G2s3?@Wn6 z#%v?*QUY=&KZG>kBqs%ZB1*f=*oX80ZtiwsrrBg;=)R(~URWP#AL3lb$P_G1LR*NB zZUq<*=sm`8RAxMgN|{WfNn3SA0i}tyv-{^E_l9r~>!XoOxM9OJRKYXlCT*oZ<Vzen$?*x@mJw6dvT}*`PhfA znGFYnuKUhkA_7zv5I=mlZ zfPMi({tM=5^qf3L)?2T1KPPX@%3IU=rkpURLK<{r6|O%o&<_wL2IEmpR;_-@M|2{( z)(=DLakxnKYeN2zTa_U$o{Q=+@NFtWt>@UxYyn~b{y->sr$?pUCE%=DY+tfs#pK!X z60FIEsbp=*ejJ{se@sF(_?aAf+i2Oc9Iq>k;Cz1i4;?~_;Yh$7DssdP>Bg{mO}#|a zdjc`*F}UkH~erXdHP_ zM*ide=k8%D>f_d3{#}!}HDfSj#4Shu5@Xr$fNz!|!c)?c;a+(H35y}%bO5=TIt^$q z>}w;J5WCz&I1Mpg*v{A>4M80a?&J-WjHStVc33;l*DD?uYQYIW(c!o;K^^;tP#6E< z@Npqa!vdj#p0_OLZVKH+&(3Mt356X?XU3JqPpo`rU1Dy;A-JC8htfJlOtJ?;Z!>5C zLzGWjXhQNKgj?hsMB(XpN@&8ux)9&6*G0Ae9t5{Fl)I>am8>noOpL^sTv1;+@iQ-S zzTAons-(}ORW46H_GZ~vNGey5C%Az}iw=>qjg{bYQtmBQzF=K^NoA^VM7t&v$@89e zU{>U9nCwH^Y+MacgmnZb?*kmQa~tL_?PX(y-e>kcZFh8&;aD64mJQ_+6pnS4vY@`~ z>x!-qvKN}aj~&1;WOJU$t;j5#&vni<1KFk0q5;O*IvEVPIE?!qZL#)Pm0!t+mkF|? 
zKT6Rw=;5pC{_s#_eG3jSLlC<|M&cBX^ZvIv6jgn^ImlS!Tz4Iqk`P7>KchuhD3vj0u3 z;^cP{oLWaF-v|-XvZJ3R#QJDJx8rk4#!ZYtF7?SXmrho0{qe&V#8o6H-J`q$dhqnk zlX$hBGB=-z+~Im7u!r2AHiQ5^2V^Ix@JaLG&oYfN(uAEtIsPvZhFj2HM%!qn+=TDz z#xZm1sYoaWeiafbs2H_?;|GCs7Nk1JOBYwx<4Pzuq^URS#OZ7` zC_hp8VViX&Cnr9^`1;1BgELrbf$|^C5gvc&zpm;apul`vd6;5vjkC<5Iy867Ane$c$rx7w5SP z-C(S@h?nisUha5>dI2*>>p1>($$fAbC}G%DpkKx%!8t^X@P}DAIQMv!{^RaYkFID zLcFu0y)hX|uQizjUWn5uBHhdlmLoe1{CX6A))!v84jODHu-oO-s}+#gz?Z9ojqGNaZ*`|f=ndQI4cY-qPJT@++jtEQm27V z_^hZYFwGnhNLENQcRfvn=zsurT94)f8)fwRU>SP?;9)mtJg;y z;iJA#mv7~Mi3XDVtZOBL4Xt9DYijU@;=WEr0t#vAtV9r)D z-u!da>}xuy(Kljc2e5XPt9j2(=9F~NTkTcCJX#U2#B$YJPfWfrDHRjM9Fl=l4G1E} z+g4l{GJc<&Y_cVDJ0*Sx(R;R_+$6(s44Qx$8ApRFY{{(ojpourE!6>-$5;K?jTU0- sB7n@r7?HC@!0I)I68LtMi&2pM6tjuwBLdOp*+Ko!mBb6yN{%r4{T;CpE&u=k diff --git a/Makefile b/Makefile index f641350..71629aa 100644 --- a/Makefile +++ b/Makefile @@ -24,7 +24,8 @@ MACHINES := \ VPS := \ magenta \ - canigou + canigou \ + istal .PHONY: help help: diff --git a/data.nix b/data.nix index 14daf74..4c8b5b1 100644 --- a/data.nix +++ b/data.nix @@ -5,6 +5,9 @@ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJKo68e8EuKlgYG/mxEsMsfWLHXkRulpscGZUD9lXbaEyTvaGalc82T4d7wXHgUi8/xpRbsfxxTV1bl1I7X+Vq7xmzfMP5a0NBIv5Lnh5C9WHEq1aw4fUFCxD5cwy9kt1jV3pSEN/+H5cg4T0OCVRikUZvfB9wng15fdw6JYoZWhWBwZHfISHhXqTXGDnMO7MvzFCl7Ek5WBvH6LoThJFVvKkab6Zg15FtuqNpCat0yEb5QMoFUbyp2Wm0eFU5eUVnlqC6IgG765Pbz+v4sJJo0q3+sZlIgzPeav3d7FEgZeqq+UZA3Hp+4T5ww+XEHDalxsB60VDeq85snVTO8XGt" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDXNG/QeViH/SboWxbONAub/eim3NRm5MDtJA7gyTz7r" ]; + janistal = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkFRGVFRu418QaoiPlOhw923QKe28FV1Dw41ywmOhsD" + ]; }; }; } diff --git a/home/modules/window_manager/scripts/external_ip.sh b/home/modules/window_manager/scripts/external_ip.sh index 0b22bc6..d02656a 100755 --- a/home/modules/window_manager/scripts/external_ip.sh +++ b/home/modules/window_manager/scripts/external_ip.sh 
@@ -1,6 +1,6 @@ #!/usr/bin/env bash -res=$(dig +timeout=3 +short myip.opendns.com @resolver1.opendns.com 2>/dev/null) +res=$(dig +timeout=3 +retry=0 +short myip.opendns.com @resolver1.opendns.com 2>/dev/null) if [ -z "$res+x" ]; then text="NO CONN" echo "%{F@error@}${text}%{F-}" diff --git a/nixos/hosts/asus-gl553vd/default.nix b/nixos/hosts/asus-gl553vd/default.nix index 68912db..62b4c49 100644 --- a/nixos/hosts/asus-gl553vd/default.nix +++ b/nixos/hosts/asus-gl553vd/default.nix @@ -70,7 +70,7 @@ }; local.wireguard = { enable = true; - ip = "10.100.0.3/24"; + ip = "10.20.30.4/24"; privateKeyFile = config.age.secrets.wireguard-asus-gl553vd-private.path; }; } 
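Review bot: The guard right after the changed line, `if [ -z "$res+x" ]; then`, can never be true — the quoted string always contains the literal `+x`, so the `NO CONN` branch is dead and an empty answer from dig (which the new `+retry=0` makes more likely, since a single timeout now gives up) falls through to the normal display path. Use `if [ -z "$res" ]; then`; the `${var+x}` idiom is an is-set test that only works inside `${...}`, not inside a quoted concatenation. The remainder of the script is outside the hunk.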
diff --git a/nixos/hosts/canigou/data.secret.nix b/nixos/hosts/canigou/data.secret.nix index 5c95ed5eee3d9201a398ac85e3a1b6288313bca1..cb378e6a16958f458f7600914c6414a318db8666 100644 GIT binary patch literal 156 zcmV;N0Av3EM@dveQdv+`08r^kRMA|nL{T8belfoo_kbpEGZ$j&$o5TKzB&%x)Zsk0 z$1dpW%6cy*lbV&pnEn_|LuhAuf+LS<2r{(vnZa(@8*I%CxRqG2kX7X4KH1Gc*`Jt* zwanj4qt~SXm+s+45q KHtpKf4%i7kcusr( literal 78 zcmV-U0I~l7M@dveQdv+`03V=7Pm7Y_3$U5ifc30AfZiXTKkzSs@oyVuJDCl|FYzK^ k!T&aPA3FS5h(UqIVdw*E1sQhXmb*Ek?T1 $file_raw + +echo "Deaggregate subnets..." +cat $file_raw |grep "-" > $file_for_calc +cat $file_raw |grep -v "-" > $file_processed +for line in $(cat $file_for_calc); do + ipcalc --no-decorate -d $line >> $file_processed; +done + +# if [ -e $file_user ]; then echo "Add user subnets..."; cat $file_user |grep -v "#" >> $file_processed; fi + +# Flush route table +echo "Flush route table (down interface $interface)..." +ifdown $interface > /dev/null 2>&1 +echo "Up interface $interface..." +ifup $interface > /dev/null 2>&1 + +# Add route +routes_count_in_file=`wc -l $file_processed` +routes_count_current=0 +for line in $(cat $file_processed); do + ip route add $line via $gateway_for_internal_ip dev $interface + let "routes_count_current+=1" + ProgressBar ${routes_count_current} ${routes_count_in_file} +done +echo "" + +echo "Remove temp files..." +rm $file_raw $file_processed $file_json $file_for_calc + +routes_count=`ip r | wc -l` +echo "Routes in routing table: $routes_count" diff --git a/nixos/hosts/canigou/services/wireguard.nix b/nixos/hosts/canigou/services/wireguard.nix index 10b0add..5743be1 100644 --- a/nixos/hosts/canigou/services/wireguard.nix +++ b/nixos/hosts/canigou/services/wireguard.nix 
@@ -1,10 +1,17 @@ { config, pkgs, ... }: let + istalData = import ../../istal/data.secret.nix; + canigouData = import ../data.secret.nix; - port = canigouData.wireguardPort; + port = canigouData.wireguard.port; + + update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { }; in { + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; + # enable NAT networking.nat = { enable = true; 
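Review bot: The two sysctl lines look redundant: `networking.nat.enable = true` at the end of this hunk makes the NixOS NAT module enable IPv4 forwarding itself, and `net.ipv4.ip_forward` is the same kernel knob as `net.ipv4.conf.all.forwarding`, so at most one of them is needed. If they are kept on purpose, say why in a comment, e.g. `# Explicit: this host relays its peers' traffic on to istal (see the istal peer below), so forwarding must stay on even if NAT is reconfigured.` — that intent is presumably what the change is for but nothing in the file states it. The `networking.nat` block continues past the end of the hunk.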
@@ -16,43 +23,52 @@ in allowedUDPPorts = [ port ]; }; - networking.wireguard.interfaces = { + environment.systemPackages = [ update_ru_routes ]; + + networking.wg-quick.interfaces = { # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { # Determines the IP address and subnet of the server's end of the tunnel interface. - ips = [ "10.100.0.1/24" ]; + address = [ "10.20.30.1/32" ]; # The port that WireGuard listens to. Must be accessible by the client. listenPort = port; # This allows the wireguard server to route your traffic to the internet and hence be like a VPN # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients - postSetup = '' - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + postUp = '' + gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'` + interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'` + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE + ${pkgs.iproute}/bin/ip rule add from ${canigouData.addr} table main + ${pkgs.iproute}/bin/ip route add 193.0.6.150 via $gateway dev $interface ''; - - # This undoes the above command - postShutdown = '' - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE + preDown = '' + gateway=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $3; exit}'` + interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'` + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE + ${pkgs.iproute}/bin/ip rule del from ${canigouData.addr} table main + ${pkgs.iproute}/bin/ip route del 193.0.6.150 via $gateway dev $interface ''; # Path to the private key file. privateKeyFile = config.age.secrets.wireguard-canigou-private.path; peers = [ - # List of allowed peers. 
+ # Istal { - # Home - publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg="; - # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. - allowedIPs = [ "10.100.0.2/32" ]; - persistentKeepalive = 15; + publicKey = istalData.wireguard.publicKey; + allowedIPs = [ "10.20.30.2/32" "0.0.0.0/0" ]; } + # Home + { + publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg="; + allowedIPs = [ "10.20.30.3/32" ]; + } + # Asus { - # Asus publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw="; - allowedIPs = [ "10.100.0.3/32" ]; - persistentKeepalive = 15; + allowedIPs = [ "10.20.30.4/32" ]; } ]; }; diff --git a/nixos/hosts/default.nix b/nixos/hosts/default.nix index ddf5680..028490d 100644 --- a/nixos/hosts/default.nix +++ b/nixos/hosts/default.nix @@ -60,4 +60,10 @@ in targetHost = (import ./canigou/data.secret.nix).addr; }; + + istal = { + system = "x86_64-linux"; + + targetHost = (import ./istal/data.secret.nix).addr; + }; } diff --git a/nixos/hosts/home/default.nix b/nixos/hosts/home/default.nix index a20aa9d..9931e1d 100644 --- a/nixos/hosts/home/default.nix +++ b/nixos/hosts/home/default.nix @@ -98,7 +98,7 @@ }; local.wireguard = { enable = true; - ip = "10.100.0.2/24"; + ip = "10.20.30.3/24"; privateKeyFile = config.age.secrets.wireguard-home-private.path; }; 
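Review bot: The new `iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE` drops the `-s 10.100.0.0/24` source restriction the old rule had, so every forwarded packet leaving the uplink is now masqueraded whatever interface it arrived on; `networking.nat` (configured in the hunk above, cut here) already masquerades the tunnel, so the hand-written rule is redundant as well as broader. Re-add the scope in both the `-A` and `-D` lines — `... -t nat -A POSTROUTING -s 10.20.30.0/24 -o $interface -j MASQUERADE` — or delete the pair. The istal peer's `allowedIPs = [ "10.20.30.2/32" "0.0.0.0/0" ]` needs a comment because it does two things at once: `0.0.0.0/0` makes wg-quick send this server's default route through istal, and it makes this host accept packets from istal with any source address and, with forwarding on, relay them — istal is fully trusted; `10.20.30.2/32` is already covered and can go. `$gateway` and `$interface` are empty when no default route exists, and `ip route add 193.0.6.150 via dev` then fails inside postUp; guard with `[ -n "$gateway" ] || exit 1` so the failure is explicit. `193.0.6.150` is a bare literal repeated in postUp and preDown — bind it in the `let` block with a comment saying what it is.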
diff --git a/nixos/hosts/istal/data.secret.nix b/nixos/hosts/istal/data.secret.nix new file mode 100644 index 0000000000000000000000000000000000000000..972f4da1f733e30439dceb1938d8e848bc62b622 GIT binary patch literal 154 zcmV;L0A>FGM@dveQdv+`02$$;$Lw^@D{X1E${9RaIx7a_*~8wrX?7^xF;vNr@m5nM z*x!25Nr?y)e7I=qC*i_!W`@9S3g-NlDdh8FF z;u(}gvn)RGhEcNkAvJ#wu1Ijr&#Z2$-rtI_Y685#=)#Of1X-7WRZrQQ_Ujl7t&P1R z-unZ!YM|v5EE$~sRlw?@tYxM;b5+Y*W^W-+#wkyAm)eCOQ6)7eHNl0B!ar-h zYVC)jGg`?d&j3RQ6_ZPq^F&axgqXVk1Y#ug;zV3Ot!=B1ceh`5%%c1ICGYPxF_cjhy#1WpX7D8Sl&q{-T)@T-A0;3Uv$Uz} z=I5f}AxYk^!QJ^D>+9xpX?rRWO2%y2FxP#I1txnG4~|se1^`pY?ih9+-tL=kc}`<0 zF;g{v#LfO%r05mC0DF8&B4j=3Tgp0odF4AJIoF>|ZYr_MO~{&^kqnmCQFMo*|?8N@cm;ApswkbS;Sw2F^S)jpyqJue~z!boH zYSka?l+~eANQD#1XANsHTM>zWk6>R2lB@@%cZ;0%C`tX6$+v8Wg+N-%gKg=D#k{WG zVBviBi0|qJc%fah%;4VL7ytC~Bhl(I$@ADL+NHMdH!sebXq$hFOKQK!1E~FA$Wb&>jUs+iztDiO90~&k_wqO$Kpz{LH>)}8t$cV&%z+2dl?%l z9aQX?(-f5S&t?;7?2vVqSBZvqkzgN%>C^ApG`5wJ-@4J2nt4*x^`Bo6v!_Y>kuA;P z$3FQhy-#RtjNUB&Ohd7Cw8p{jAtDLEIymLBSa7lKCE{e_en^=9|BAn0Nb)+xiA!4U xJH8t2C?l=$0KP6s&KV>v$)2l{E2w8hK($r5%^G`3|rqICcO literal 0 HcmV?d00001 diff --git a/nixos/hosts/istal/services/wireguard.nix b/nixos/hosts/istal/services/wireguard.nix new file mode 100644 index 0000000..f665266 --- /dev/null +++ b/nixos/hosts/istal/services/wireguard.nix 
@@ -0,0 +1,60 @@ +{ config, pkgs, ... }: + +let + canigouData = import ../../canigou/data.secret.nix; + + istalData = import ../data.secret.nix; + inherit (istalData.wireguard) port; +in +{ + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1; + + # enable NAT + networking.nat = { + enable = true; + externalInterface = "enp0s5"; + internalInterfaces = [ "wg0" ]; + }; + + networking.wg-quick.interfaces = { + # "wg0" is the network interface name. You can name the interface arbitrarily. + wg0 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + address = [ "10.20.30.2/32" ]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = port; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients + postUp = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s5 -j MASQUERADE + ''; + + # This undoes the above command + preDown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s5 -j MASQUERADE + ''; + + # Path to the private key file. + privateKeyFile = config.age.secrets.wireguard-istal-private.path; + + peers = [ + # List of allowed peers. + { + publicKey = canigouData.wireguard.publicKey; + # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + allowedIPs = [ "10.20.30.0/24" ]; + endpoint = "${canigouData.addr}:${toString canigouData.wireguard.port}"; + persistentKeepalive = 25; + } + ]; + }; + }; + + age.secrets.wireguard-istal-private = { + file = ../../../../secrets/wireguard-istal-private.age; + mode = "0400"; + }; +} diff --git a/nixos/modules/wireguard-client.nix b/nixos/modules/wireguard-client.nix index c8bb44c..07b5551 100644 --- a/nixos/modules/wireguard-client.nix +++ b/nixos/modules/wireguard-client.nix 
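Review bot: The `postUp` rule `iptables -t nat -A POSTROUTING -o enp0s5 -j MASQUERADE` masquerades everything leaving enp0s5 regardless of source, and with forwarding enabled by the two sysctls above it this host will NAT any forwarded packet, not only traffic from wg0; `networking.nat` with `internalInterfaces = [ "wg0" ]` already installs a masquerade scoped to the tunnel, so the hand-written pair is both broader and redundant. Either drop `postUp`/`preDown` or scope them: `${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -o enp0s5 -j MASQUERADE` with the matching `-D` in preDown. The peer's `allowedIPs = [ "10.20.30.0/24" ]` is the check that stops canigou from injecting packets with arbitrary source addresses, so it deserves a comment such as `# Cryptokey routing: only tunnel-subnet sources are accepted from canigou; keep this narrow.` `listenPort = port` has no matching `networking.firewall.allowedUDPPorts` in this file, and since this host dials canigou's endpoint with `persistentKeepalive` it does not need a fixed inbound port at all — drop it, or open it deliberately, rather than the current half state. `enp0s5` is repeated three times; hoist it into a `let` binding (`extIface = "enp0s5";`) so the NAT module and the iptables rules cannot drift apart.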
@@ -3,10 +3,12 @@ let cfg = config.local.wireguard; - canigouData = import ../hosts/canigou/data.secret.nix; + # externalServerData = import ../hosts/istal/data.secret.nix; + serverData = import ../hosts/canigou/data.secret.nix; + # serverData = import ../hosts/istal/data.secret.nix; - serverAddr = canigouData.addr; - serverPort = canigouData.wireguardPort; + serverAddr = serverData.addr; + serverPort = serverData.wireguard.port; # Run `ip route` to show gateway defaultGateway = "192.168.0.1"; 
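Review bot: Server selection is now done by editing comments (`# externalServerData = …`, `# serverData = import ../hosts/istal/data.secret.nix;`), which cannot be set per host and will silently drift from the canigou/istal peer lists. Expose it as an option on `local.wireguard` instead — assuming `lib` is among the module arguments, `server = lib.mkOption { type = lib.types.enum [ "canigou" "istal" ]; default = "canigou"; };` and `serverData = import (../hosts + "/${cfg.server}/data.secret.nix");` — and delete the commented lines. The `let` block continues past the end of the hunk, where `defaultGateway = "192.168.0.1"` stays hard-coded.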
@@ -29,27 +31,34 @@ in allowedUDPPorts = [ serverPort ]; # Clients and peers can use the same port, see listenport }; # Enable WireGuard - networking.wireguard.interfaces = { + networking.wg-quick.interfaces = { # "wg0" is the network interface name. You can name the interface arbitrarily. wg0 = { # Determines the IP address and subnet of the client's end of the tunnel interface. - ips = [ cfg.ip ]; + address = [ cfg.ip ]; + listenPort = serverPort; # to match firewall allowedUDPPorts (without this wg uses random port numbers) # Path to the private key file. privateKeyFile = cfg.privateKeyFile; - # Add a more specific ip route allowing trafgfic to the VPN via the default gateway + # Add a more specific ip route allowing traffic to the VPN via the default gateway # Source: https://discourse.nixos.org/t/route-all-traffic-through-wireguard-interface/1480/18 - postSetup = "${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}"; - postShutdown = "${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}"; + /* + postUp = '' + ${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway} + ''; + preDown = '' + ${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway} + ''; + */ peers = [ # For a client configuration, one peer entry for the server will suffice. { # Public key of the server (not a file path). - publicKey = "nFqvL30dkKkhOt+fLJ+EJNmp9GjkXVjmpz1WRI1pG0A="; + publicKey = serverData.wireguard.publicKey; # Forward all the traffic via VPN. allowedIPs = [ "0.0.0.0/0" ]; 
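Review bot: `listenPort = serverPort;` together with the `allowedUDPPorts = [ serverPort ]` context line above it opens an inbound UDP port on every client host for no functional gain: these hosts dial the server (`allowedIPs = [ "0.0.0.0/0" ]` with an endpoint, continued below the hunk), replies return through conntrack on whatever source port WireGuard chose, and the "random port numbers" the comment warns about are the normal client behaviour. Drop both lines; WireGuard discards unauthenticated datagrams so the exposure is small, but it is still a listening port that exists only to satisfy a firewall rule that should not be there. The `/* … */` block is dead code — presumably commented out because wg-quick already keeps endpoint traffic off the tunnel for a 0.0.0.0/0 peer — so delete it and the now-unused `defaultGateway` rather than leaving a hard-coded `192.168.0.1` route recipe in the file. The peer entry continues past the end of the hunk.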
diff --git a/nixos/shared/networking.secret.nix b/nixos/shared/networking.secret.nix index 8f091bed0c78739958465f759c165d76fe953b8e..3d8a086b41a76c381d1f08b3799d7de8086ab042 100644 GIT binary patch literal 405 zcmV;G0c!pLM@dveQdv+`0Ol2yIN<*CUUVzN=}^uYABX57s<`-{=W7|(M-|P4FNGml zvQ?`fY{=GSgxBUq0guo#_nB^9zeKcZaa~+(hLz=wGM4IQQ_!E9A=oG!enUIk*ZXFM zD@hr3S1}ZsrOx1S0n+jRA9MX}fwZ`|>{hmF?cQ@mV?14*mS(4_VBHCf= zTQ$X~Xg~+eKgTNJbfgog%32nG&?6Mcnu3DP$E(xgXp3}!O%=KxxG{|TdTofcbb2t? z;p`OeZ>W=>pNaIRQMHC%(zkCl%4LX?*#8HKy?&IwVrx@%qg`D;${4DJ1(&8NC^a3F zKD@kE)xCUrB@KA__5*Xa>DT^B`edMDSu;~TUO8Yk6qd4h^b%V@7VQtX&4)fjhmXpAA^YWBo(=kwa$RzxJ2a1Tj5tM?XzT0}cWzNDQ%EFiE881pttcPGXXU5iy9dWK&d z09z=t88_p;QQGIo^xLtS0ZkE!ui``%1fk#w7Ve6zLCUvgaz>H9i9}Y@e+2h$Fh@eKc(QgqKHtm!qf%%5wd!{3JR=WQs#a9L=le- zb4cFOm0R(rkAju^Ys&$Pqzt?R(^v7KdFqeB6=CKT-3!wM0yRR#4GEAR1oT_(#y<=^ zcwZsk>6O8(K}y%~=P!KxzpIW-p&#{_xkk|A9S8Ajy+Zg=QAC-vPnczi-iAa0B`Gx7ZbOJsx>( zP+Lw8=6nr1Hq+Y|Mk#_#E-nfk(#5joSkhhTD$ZnoE8HWOb%eYfOT!^jEHp@vx_dEe zFgol#ITVqk{g$c1_(mMnoM16MwAUfRIg3~0K=Ad4?1hXu$Mm3hhTlkYS%NknXn>)F z)yzO5Drgs4Bw?P-)};g-a&*!Xh(o&aBZn3ZJQ7GkaYPu%`L(JhgEoj6F)7pzD~DK?EDc4DAPh>L!T4p z&^`bz1qi{7jkykz-c96|{Qz;anMxysu?8FR2-#flxZZu!fNWqY^%P!t*f37b%HEpd zFcZv)IpS@23cJ+IGu~Xdy9rPDk50I_K}mffTT0w+nO?S5C9+Bg5Q>Q$D|`GfF>_)v z6Su1!=)0X7o(Ph?@0j!g4UfJTRCWCg0?PmubE`>ef8o}EWPfnXfE#wyuDDq1X7~p& z>5z|Y%aq1ywo#b9vrxON-xa7U#M57K*cKHm7T%VOHu+XgWTs|TJOoo?!(+S{fQ)bR)d)*K~G@I(g06JF?GzM>2Mz^)# G{b3XEr-=Fh literal 0 HcmV?d00001