diff --git a/.agenix_config.nix b/.agenix_config.nix
index 057da6e..00829be 100644
Binary files a/.agenix_config.nix and b/.agenix_config.nix differ
diff --git a/machines/asus-gl553vd/default.nix b/machines/asus-gl553vd/default.nix
index f0f3e8d..aa0390a 100644
--- a/machines/asus-gl553vd/default.nix
+++ b/machines/asus-gl553vd/default.nix
@@ -12,6 +12,7 @@
 ../modules/nix.nix
 ../modules/garbage-collector.nix
 ../modules/networking.secret.nix
+ ../modules/wireguard-client.nix
 ];
 # Use latest kernel
@@ -65,5 +66,14 @@
 localDiscovery = true;
 };
+ # Additional nix configs
 local.nix.enableMyRegistry = true;
+
+ # Wireguard client
+ age.secrets.wireguard-asus-gl553vd-private.file = ../../secrets/wireguard-asus-gl553vd-private.age;
+ local.wireguard = {
+ enable = false;
+ ip = "10.100.0.3/24";
+ privateKeyFile = config.age.secrets.wireguard-asus-gl553vd-private.path;
+ };
 }
diff --git a/machines/canigou/data.secret.nix b/machines/canigou/data.secret.nix
new file mode 100644
index 0000000..468c5f4
Binary files /dev/null and b/machines/canigou/data.secret.nix differ
diff --git a/machines/canigou/default.nix b/machines/canigou/default.nix
index 24ee8dc..e036aac 100644
--- a/machines/canigou/default.nix
+++ b/machines/canigou/default.nix
@@ -10,6 +10,8 @@ in
 ../modules/common.nix
 ../modules/fail2ban.nix
+
+ ./services/wireguard.nix
 ];
 boot.cleanTmpDir = true;
diff --git a/machines/canigou/services/wireguard.nix b/machines/canigou/services/wireguard.nix
new file mode 100644
index 0000000..3806680
--- /dev/null
+++ b/machines/canigou/services/wireguard.nix
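Review bot: `age.secrets.wireguard-asus-gl553vd-private.file = …;` only sets the file, while the matching private-key secrets for home and canigou in this same commit also set `mode = "0400";`. As far as I know agenix defaults to mode 0400 owned by root, so the effective permissions should be identical, but spelling the private-key handling out the same way in all three machines keeps it reviewable at a glance: `age.secrets.wireguard-asus-gl553vd-private = { file = ../../secrets/wireguard-asus-gl553vd-private.age; mode = "0400"; };`. The enclosing attribute set starts outside this hunk.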
@@ -0,0 +1,62 @@
+{ config, pkgs, ... }:
+
+let
+ port = 51820;
+in
+{
+ # enable NAT
+ networking.nat = {
+ enable = true;
+ externalInterface = "eth0";
+ internalInterfaces = [ "wg0" ];
+ };
+
+ networking.firewall = {
+ allowedUDPPorts = [ port ];
+ };
+
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the server's end of the tunnel interface.
+ ips = [ "10.100.0.1/24" ];
+
+ # The port that WireGuard listens to. Must be accessible by the client.
+ listenPort = port;
+
+ # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+ # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # This undoes the above command
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+ '';
+
+ # Path to the private key file.
+ privateKeyFile = config.age.secrets.wireguard-canigou-private.path;
+
+ peers = [
+ # List of allowed peers.
+ {
+ # Home
+ publicKey = "Gg+p7tysAhu2X841weBiQrqoKXh6kvcmDiCY62rLwQg=";
+ # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
+ allowedIPs = [ "10.100.0.2/32" ];
+ }
+ {
+ # Asus
+ publicKey = "mzVH0N3q7UE/XjMwgRks+D8KFuIj91VkOK2ytgjsnkw=";
+ allowedIPs = [ "10.100.0.3/32" ];
+ }
+ ];
+ };
+ };
+
+ age.secrets.wireguard-canigou-private = {
+ file = ../../../secrets/wireguard-canigou-private.age;
+ mode = "0400";
+ };
+}
diff --git a/machines/default.nix b/machines/default.nix
index 768fbc4..9bb2fb2 100644
--- a/machines/default.nix
+++ b/machines/default.nix
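Review bot: The `postSetup`/`postShutdown` MASQUERADE rules duplicate what `networking.nat` with `internalInterfaces = [ "wg0" ]` and `externalInterface = "eth0"` already installs — in my reading the NixOS nat module masquerades traffic arriving on the internal interfaces out of the external one — so the same NAT is configured twice and `eth0` plus the `10.100.0.0/24` subnet must be kept in sync by hand in three places. Either drop the two hooks and rely on `networking.nat`, or drop `networking.nat` and keep the explicit rules; if the rules stay, reference the interface once, e.g. `-o ${config.networking.nat.externalInterface}`. The `/32` `allowedIPs` per peer are the right choice, since they are what stops one peer from sourcing packets as another tunnel address, but nothing ties them to the `local.wireguard.ip` values set in the client machines; a comment such as `# must match local.wireguard.ip in machines/home/default.nix` next to each `allowedIPs` would make that coupling visible to the next editor.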
@@ -2,15 +2,6 @@
 let
 hardware = inputs.hardware.nixosModules;
-
- inherit (inputs.nixpkgs) lib;
- inherit (builtins) head;
- getTargetHost = file:
- let
- net = import file { inherit lib; };
- ipv4addrs = net.networking.interfaces.eth0.ipv4.addresses;
- in
- (head ipv4addrs).address;
 in
 {
 home = {
@@ -46,8 +37,7 @@ in
 magenta = {
 system = "x86_64-linux";
- targetHost =
- getTargetHost ./magenta/networking.secret.nix;
+ targetHost = (import ./magenta/data.secret.nix).addr;
 extraModules = [
 inputs.mailserver.nixosModule
@@ -57,7 +47,6 @@ in
 canigou = {
 system = "x86_64-linux";
- targetHost =
- getTargetHost ./canigou/networking.secret.nix;
+ targetHost = (import ./canigou/data.secret.nix).addr;
 };
 }
diff --git a/machines/home/default.nix b/machines/home/default.nix
index 3f5d42a..c42e23b 100644
--- a/machines/home/default.nix
+++ b/machines/home/default.nix
@@ -12,6 +12,7 @@
 ../modules/nix.nix
 ../modules/garbage-collector.nix
 ../modules/networking.secret.nix
+ ../modules/wireguard-client.nix
 ];
 # Configure kernel
@@ -84,5 +85,17 @@
 localDiscovery = true;
 };
+ # Additional nix configs
 local.nix.enableMyRegistry = true;
+
+ # Wireguard client
+ age.secrets.wireguard-home-private = {
+ file = ../../secrets/wireguard-home-private.age;
+ mode = "0400";
+ };
+ local.wireguard = {
+ enable = true;
+ ip = "10.100.0.2/24";
+ privateKeyFile = config.age.secrets.wireguard-home-private.path;
+ };
 }
diff --git a/machines/magenta/data.secret.nix b/machines/magenta/data.secret.nix
new file mode 100644
index 0000000..e850183
Binary files /dev/null and b/machines/magenta/data.secret.nix differ
diff --git a/machines/modules/nix.nix b/machines/modules/nix.nix
index f239a3b..b913962 100644
--- a/machines/modules/nix.nix
+++ b/machines/modules/nix.nix
@@ -12,7 +12,7 @@ in
 description = "Enable my custom nix registry";
 };
 allowUnfreePackages = mkOption {
- type = types.listOf types.string;
+ type = types.listOf types.str;
 default = [ ];
 };
 };
diff --git a/machines/modules/wireguard-client.nix b/machines/modules/wireguard-client.nix
new file mode 100644
index 0000000..81c5807
--- /dev/null
+++ b/machines/modules/wireguard-client.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.local.wireguard;
+
+ port = 51820;
+
+ serverAddr = (import ../canigou/data.secret.nix).addr;
+ defaultGateway = "192.168.0.1";
+in
+{
+ options.local.wireguard = with lib; {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable wireguard vpn";
+ };
+ ip = mkOption {
+ type = types.str;
+ description = "10.100.0./24";
+ example = "10.100.0.1/24";
+ };
+ privateKeyFile = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall = {
+ allowedUDPPorts = [ port ]; # Clients and peers can use the same port, see listenport
+ };
+ # Enable WireGuard
+ networking.wireguard.interfaces = {
+ # "wg0" is the network interface name. You can name the interface arbitrarily.
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ ips = [ cfg.ip ];
+ listenPort = port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file.
+ privateKeyFile = cfg.privateKeyFile;
+
+ postSetup = "${pkgs.iproute}/bin/ip route add ${serverAddr} via ${defaultGateway}";
+ postShutdown = "${pkgs.iproute}/bin/ip route del ${serverAddr} via ${defaultGateway}";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "nFqvL30dkKkhOt+fLJ+EJNmp9GjkXVjmpz1WRI1pG0A=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [ "0.0.0.0/0" ];
+ # Or forward only particular subnets
+ # allowedIPs = [ "192.168.0.0/24" ];
+
+ # Set this to the server IP and port.
+ endpoint = "${serverAddr}:${toString port}";
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/notes/vpn.md b/notes/vpn.md
new file mode 100644
index 0000000..07e2c6b
--- /dev/null
+++ b/notes/vpn.md
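Review bot: `defaultGateway = "192.168.0.1";` hard-codes the LAN gateway that `postSetup` uses to pin the host route to the server, so on any network whose gateway differs the `ip route add` fails and the route that keeps the handshake out of the `0.0.0.0/0` tunnel is never installed; this module is imported by the asus laptop as well as `home` (currently with `enable = false`), so that is likely to surface as soon as it is enabled on a different network. Consider `defaultGateway = config.networking.defaultGateway.address;` when that option is set, or a `local.wireguard.gateway` option with the current value as its default. Separately, `description = "10.100.0./24";` on the `ip` option reads as a garbled example rather than a description — something like `description = "Address of this client inside the tunnel, in CIDR notation";` — and `privateKeyFile` has no description at all. Finally, a client that initiates the connection and sends `persistentKeepalive` needs no inbound UDP, so `allowedUDPPorts = [ port ]` together with the fixed `listenPort` opens a port on every client that nothing connects to; dropping both would shrink the exposed surface without changing connectivity, as far as I can tell.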
@@ -0,0 +1,13 @@
+# WireGuard
+
+## Generate keypair
+
+```sh
+umask 077
+wg genkey > ./private
+wg pubkey < ./private > ./public
+```
+
+# References:
+
+- https://nixos.wiki/wiki/WireGuard
diff --git a/secrets/wireguard-asus-gl553vd-private.age b/secrets/wireguard-asus-gl553vd-private.age
new file mode 100644
index 0000000..dcb8766
Binary files /dev/null and b/secrets/wireguard-asus-gl553vd-private.age differ
diff --git a/secrets/wireguard-canigou-private.age b/secrets/wireguard-canigou-private.age
new file mode 100644
index 0000000..d8baa18
Binary files /dev/null and b/secrets/wireguard-canigou-private.age differ
diff --git a/secrets/wireguard-home-private.age b/secrets/wireguard-home-private.age
new file mode 100644
index 0000000..f78a9d3
Binary files /dev/null and b/secrets/wireguard-home-private.age differ