diff --git a/hosts/common/networking.nix b/hosts/common/networking.nix index ffc62aa..d7f175e 100644 --- a/hosts/common/networking.nix +++ b/hosts/common/networking.nix @@ -1,9 +1,13 @@ { networking = { nameservers = [ - "100.64.0.3" "45.11.45.11" + "100.64.0.3" + "fd42:d42:d42:53::1" + "fd42:d42:d42:54::1" + "172.23.0.53" + "172.20.0.53" ]; resolvconf.extraConfig = '' - name_servers="100.64.0.3 45.11.45.11" + name_servers="100.64.0.3 45.11.45.11 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53" ''; };} diff --git a/hosts/prefect/networking.nix b/hosts/prefect/networking.nix index 7d067d1..b49a9b6 100644 --- a/hosts/prefect/networking.nix +++ b/hosts/prefect/networking.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +{lib, pkgs, ...}: { networking = { hostName = "prefect"; nameservers = lib.mkForce [ @@ -28,5 +28,33 @@ address = "fe80::1"; interface = "enp1s0"; }; + wireguard = { + enable = true; + interfaces = { + wg0 = { + privateKeyFile = "/run/agenix/dn42-privkey"; + listenPort = 480; + peers = [ + { + publicKey = "wW5iNQcNa9VphZWicMdc8k7lJbVrXPMtzmWsHBwPqE0="; + persistentKeepalive = 15; + dynamicEndpointRefreshSeconds = 5; + allowedIPs = [ + "fd00::/8" # DN42 IPv6 + "172.20.0.0/14" # DN42 IPv4 + "10.100.0.0/14" # ChaosVPN + "10.127.0.0/16" # NeoNetwork + "10.0.0.0/8" # Freifunk + "127.31.0.0/16" # ChaosVPN + ]; + } + ]; + postSetup = '' + ${pkgs.iproute}/bin/ip addr add 172.20.43.96/32 peer 172.20.43.97/32 dev wg0 + ${pkgs.iproute}/bin/ip -6 addr add fe80::1/64 peer fe80::2/64 dev wg0 + ''; + }; + }; + }; }; } diff --git a/hosts/zaphod/configuration.nix b/hosts/zaphod/configuration.nix index f7775e5..477d6f0 100644 --- a/hosts/zaphod/configuration.nix +++ b/hosts/zaphod/configuration.nix @@ -27,6 +27,10 @@ # Services ./services/modules.nix + # Agenix secrets + inputs.agenix.nixosModule + ./secret-files.nix + # Machine-specific programs. ./programs/chromium.nix ./programs/dconf.nix 
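Review bot: The two resolver lists in the hosts/common/networking.nix hunk now disagree: `nameservers` drops `45.11.45.11` while the `name_servers=` line in `resolvconf.extraConfig` keeps it, so which upstreams a host actually gets depends on which of the two paths writes resolv.conf last. Separately, glibc's stub resolver only honours the first three `nameserver` entries, so `172.23.0.53` and `172.20.0.53` at positions five and six of the `name_servers=` string will never be consulted; if more than three upstreams are wanted, that needs a local forwarder such as the unbound instance this commit adds for zaphod, not a longer list. I would keep the two lists identical (or drop the `extraConfig` override and let `networking.nameservers` generate the file) and add `# glibc queries at most the first three entries` above `nameservers`. Note also that the fd42: and 172.2x addresses are reachable only through the DN42 tunnel, so hosts importing this common file without that tunnel will stall on them before falling back.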
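Review bot: `"127.31.0.0/16" # ChaosVPN` in the prefect peer's `allowedIPs` (hosts/prefect/networking.nix, second hunk) looks like a typo for `172.31.0.0/16`, which is what the zaphod side of the same tunnel lists; 127.0.0.0/8 is loopback, and because this interface leaves `allowedIPsAsRoutes` at its default, a route for 127.31.0.0/16 via wg0 would be installed on the host. Change the line to `"172.31.0.0/16" # ChaosVPN`. Two things are not visible in this diff and may be defined elsewhere: the `dn42-privkey` agenix secret that `privateKeyFile` points at is not declared here (only zaphod's `wg-privkey` is), and UDP `listenPort = 480` needs a matching firewall opening on prefect if the NixOS firewall is enabled. With routes installed from `allowedIPs`, `10.0.0.0/8` and `fd00::/8` also become kernel routes via wg0 and will capture any other RFC 1918 or ULA traffic on this host, which deserves a comment stating that it is intended.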
diff --git a/hosts/zaphod/networking.nix b/hosts/zaphod/networking.nix
index 8b678cc..07a8177 100644
--- a/hosts/zaphod/networking.nix
+++ b/hosts/zaphod/networking.nix
@@ -1,4 +1,4 @@
-{lib, ...}: {
+{lib, pkgs, ...}: {
   networking = {
     enableB43Firmware = false;
     enableIPv6 = true;
@@ -22,5 +22,37 @@
       "9.9.9.9"
       "1.1.1.1"
     ];
+    wireguard = {
+      enable = true;
+      interfaces = {
+        wg0 = {
+          privateKeyFile = "/run/agenix/wg-privkey";
+          allowedIPsAsRoutes = false;
+          ips = [
+            "172.20.43.97/32"
+          ];
+          peers = [
+            {
+              publicKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
+              endpoint = "dn42.thehedgehog.me:480";
+              persistentKeepalive = 15;
+              dynamicEndpointRefreshSeconds = 5;
+              allowedIPs = [
+                "fd00::/8"
+                "172.20.0.0/14"
+                "10.100.0.0/14"
+                "10.127.0.0/16"
+                "10.0.0.0/8"
+                "172.31.0.0/16"
+              ];
+            }
+          ];
+          postSetup = ''
+            ${pkgs.iproute}/bin/ip addr add 172.20.43.97/32 peer 172.20.43.96/32 dev wg0
+            ${pkgs.iproute}/bin/ip -6 addr add fe80::2/64 peer fe80::1/64 dev wg0
+          '';
+        };
+      };
+    };
   };
 }
diff --git a/hosts/zaphod/secret-files.nix b/hosts/zaphod/secret-files.nix
new file mode 100644
index 0000000..bbb5ce9
--- /dev/null
+++ b/hosts/zaphod/secret-files.nix
@@ -0,0 +1,8 @@
+{
+  config.age.secrets = {
+    wg-privkey = {
+      file = ./secrets/wg-privkey.age;
+      path = "/run/agenix/wg-privkey";
+    };
+  };
+}
diff --git a/hosts/zaphod/secrets/secrets.nix b/hosts/zaphod/secrets/secrets.nix
new file mode 100644
index 0000000..9350c24
--- /dev/null
+++ b/hosts/zaphod/secrets/secrets.nix
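Review bot: `ips = [ "172.20.43.97/32" ]` and the first `postSetup` line both assign 172.20.43.97/32 to wg0; the `postSetup` form with `peer 172.20.43.96/32` is the one that installs the point-to-point route, so the `ips` entry is redundant and, if the kernel treats the second add as a duplicate, would make `postSetup` and therefore the wg0 unit fail. Dropping `ips` keeps this side symmetric with the prefect interface in the same commit, which assigns addresses only in `postSetup`. Two things deserve a comment: `allowedIPsAsRoutes = false` means none of the DN42 prefixes in `allowedIPs` are routed on zaphod, so something outside this diff (presumably a routing daemon) is expected to install them, whereas prefect keeps the default and gets kernel routes; and the `endpoint` hostname `dn42.thehedgehog.me` is resolved through the `thehedgehog.me.` forward zone in the new unbound config, which points at `100.64.0.3`, so if that resolver is only reachable over another tunnel the 5-second endpoint refresh cannot bring wg0 up on a cold boot until that tunnel is.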
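Review bot: `path = "/run/agenix/wg-privkey"` in hosts/zaphod/secret-files.nix restates what I understand to be agenix's default location (`<secretsDir>/<name>`), so it can be dropped unless the intent is to pin the path independently of a future `secretsDir` change; a one-line comment such as `# pinned so networking.nix's privateKeyFile stays valid` would make that intent clear. The defaults otherwise leave the file root-owned and read-only for root, which is what the root-run wireguard unit needs, so no `owner`/`mode` override is required here.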
@@ -0,0 +1,7 @@
+let
+  yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw==";
+  yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";
+  backup = "ssh-rsa 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";
+in {
+  "wg-privkey.age".publicKeys = [ yubi-back yubi-main backup ];
+}
diff --git a/hosts/zaphod/secrets/wg-privkey.age b/hosts/zaphod/secrets/wg-privkey.age
new file mode 100644
index 0000000..7a24f10
Binary files /dev/null and b/hosts/zaphod/secrets/wg-privkey.age differ
diff --git a/hosts/zaphod/services/modules.nix b/hosts/zaphod/services/modules.nix
index 8e650cd..213747e 100644
--- a/hosts/zaphod/services/modules.nix
+++ b/hosts/zaphod/services/modules.nix
@@ -13,6 +13,7 @@
     ./pipewire.nix
     ./spotifyd.nix
     ./tailscale.nix
+    ./unbound.nix
     # ./yubikey-agent.nix
   ];
 }
diff --git a/hosts/zaphod/services/unbound.nix b/hosts/zaphod/services/unbound.nix
new file mode 100644
index 0000000..0622f7e
--- /dev/null
+++ b/hosts/zaphod/services/unbound.nix
@@ -0,0 +1,91 @@
+{pkgs, ...}: {
+  # Enable DN42 Certificates
+  security.pki.certificateFiles = [
+    (pkgs.fetchurl {
+      url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
+      name = "dn42.crt";
+      sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
+    })
+  ];
+  services.unbound = {
+    enable = true;
+    resolveLocalQueries = true;
+    settings = {
+      server = {
+        local-zone = [
+          "\"20.172.in-addr.arpa.\" nodefault"
+          "\"21.172.in-addr.arpa.\" nodefault"
+          "\"22.172.in-addr.arpa.\" nodefault"
+          "\"23.172.in-addr.arpa.\" nodefault"
+          "\"10.in-addr.arpa.\" nodefault"
+          "\"d.f.ip6.arpa.\" nodefault"
+        ];
+        auto-trust-anchor-file = false;
+      };
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "45.11.45.11"
+            "9.9.9.9"
+          ];
+        }
+        {
+          name = "thehedgehog.me.";
+          forward-addr = [
+            "100.64.0.3"
+          ];
+        }
+        {
+          name = "dn42";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+        {
+          name = "20.172.in-addr.arpa";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+        {
+          name = "21.172.in-addr.arpa";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+        {
+          name = "22.172.in-addr.arpa";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+        {
+          name = "23.172.in-addr.arpa";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+        {
+          name = "10.in-addr.arpa";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+        {
+          name = "d.f.ip6.arpa";
+          forward-addr = [
+            "fd42:d42:d42:54::1"
+            "172.20.0.53"
+          ];
+        }
+      ];
+    };
+  };
+}
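Review bot: `auto-trust-anchor-file = false;` in the `server` block is a blunt way to stop DNSSEC validation for the DN42 zones, and it is probably not the right knob: the NixOS unbound module sets `auto-trust-anchor-file` to the root key path itself when `services.unbound.enableRootTrustAnchor` is true, so a boolean here either conflicts with that definition at evaluation or is rendered as `no`, which unbound would read as a file name. If the goal is to skip validation only for the private zones, keep the root anchor and list them under `domain-insecure` instead, so answers from `45.11.45.11`/`9.9.9.9` for the public tree are still validated. Two smaller points: the `forward-zone` for `.` sends plain UDP/TCP to the two public resolvers, and if they support DNS-over-TLS (Quad9 does) `forward-tls-upstream = true` with `@853`-suffixed addresses would protect that path; and the `security.pki.certificateFiles` entry trusts the DN42 CA for every hostname system-wide, not just `.dn42`, which deserves a comment next to `# Enable DN42 Certificates`.
```nix
      server = {
        # … unchanged: local-zone nodefault entries …
        # Keep the root trust anchor (enableRootTrustAnchor default) and
        # exempt only the private DN42 zones from DNSSEC validation.
        domain-insecure = [
          "dn42"
          "20.172.in-addr.arpa"
          "21.172.in-addr.arpa"
          "22.172.in-addr.arpa"
          "23.172.in-addr.arpa"
          "10.in-addr.arpa"
          "d.f.ip6.arpa"
        ];
      };
      # … unchanged: forward-zone list …
```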