From 0c667b70967526fa9325c8f4b228cd3feb465085 Mon Sep 17 00:00:00 2001 From: The Hedgehog Date: Wed, 24 Aug 2022 10:52:39 -0400 Subject: [PATCH] hosts: Add custom wireguard tunnels --- hosts/common/networking.nix | 8 ++- hosts/prefect/networking.nix | 30 ++++++++- hosts/zaphod/configuration.nix | 4 ++ hosts/zaphod/networking.nix | 34 ++++++++++- hosts/zaphod/secret-files.nix | 8 +++ hosts/zaphod/secrets/secrets.nix | 7 +++ hosts/zaphod/secrets/wg-privkey.age | Bin 0 -> 1555 bytes hosts/zaphod/services/modules.nix | 1 + hosts/zaphod/services/unbound.nix | 91 ++++++++++++++++++++++++++++ 9 files changed, 179 insertions(+), 4 deletions(-) create mode 100644 hosts/zaphod/secret-files.nix create mode 100644 hosts/zaphod/secrets/secrets.nix create mode 100644 hosts/zaphod/secrets/wg-privkey.age create mode 100644 hosts/zaphod/services/unbound.nix diff --git a/hosts/common/networking.nix b/hosts/common/networking.nix index ffc62aa..d7f175e 100644 --- a/hosts/common/networking.nix +++ b/hosts/common/networking.nix @@ -1,9 +1,13 @@ { networking = { nameservers = [ - "100.64.0.3" "45.11.45.11" + "100.64.0.3" + "fd42:d42:d42:53::1" + "fd42:d42:d42:54::1" + "172.23.0.53" + "172.20.0.53" ]; resolvconf.extraConfig = '' - name_servers="100.64.0.3 45.11.45.11" + name_servers="100.64.0.3 45.11.45.11 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53" ''; };} diff --git a/hosts/prefect/networking.nix b/hosts/prefect/networking.nix index 7d067d1..b49a9b6 100644 --- a/hosts/prefect/networking.nix +++ b/hosts/prefect/networking.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +{lib, pkgs, ...}: { networking = { hostName = "prefect"; nameservers = lib.mkForce [ 
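Review bot: The two resolver lists in the hosts/common/networking.nix hunk no longer agree: `nameservers` drops `45.11.45.11` while the `name_servers=` line in `resolvconf.extraConfig` still carries it, so whether a host falls back to that public resolver now depends on which path writes resolv.conf. Either keep `"45.11.45.11"` in the `nameservers` list or remove it from `name_servers=` so the two stay in step. The four DN42 resolvers added here (`fd42:d42:d42:53::1`, `fd42:d42:d42:54::1`, `172.23.0.53`, `172.20.0.53`) are reachable only through the wg0 tunnel configured elsewhere in this patch, yet this file appears to be shared by every host; a host without that tunnel will sit through timeouts on them before reaching a working resolver. A comment on the list naming that dependency, `# DN42 resolvers: reachable only via wg0 (see hosts/*/networking.nix)`, would make it explicit.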
@@ -28,5 +28,33 @@ address = "fe80::1"; interface = "enp1s0"; }; + wireguard = { + enable = true; + interfaces = { + wg0 = { + privateKeyFile = "/run/agenix/dn42-privkey"; + listenPort = 480; + peers = [ + { + publicKey = "wW5iNQcNa9VphZWicMdc8k7lJbVrXPMtzmWsHBwPqE0="; + persistentKeepalive = 15; + dynamicEndpointRefreshSeconds = 5; + allowedIPs = [ + "fd00::/8" # DN42 IPv6 + "172.20.0.0/14" # DN42 IPv4 + "10.100.0.0/14" # ChaosVPN + "10.127.0.0/16" # NeoNetwork + "10.0.0.0/8" # Freifunk + "127.31.0.0/16" # ChaosVPN + ]; + } + ]; + postSetup = '' + ${pkgs.iproute}/bin/ip addr add 172.20.43.96/32 peer 172.20.43.97/32 dev wg0 + ${pkgs.iproute}/bin/ip -6 addr add fe80::1/64 peer fe80::2/64 dev wg0 + ''; + }; + }; + }; }; } diff --git a/hosts/zaphod/configuration.nix b/hosts/zaphod/configuration.nix index f7775e5..477d6f0 100644 --- a/hosts/zaphod/configuration.nix +++ b/hosts/zaphod/configuration.nix @@ -27,6 +27,10 @@ # Services ./services/modules.nix + # Agenix secrets + inputs.agenix.nixosModule + ./secret-files.nix + # Machine-specific programs. ./programs/chromium.nix ./programs/dconf.nix diff --git a/hosts/zaphod/networking.nix b/hosts/zaphod/networking.nix index 8b678cc..07a8177 100644 --- a/hosts/zaphod/networking.nix +++ b/hosts/zaphod/networking.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +{lib, pkgs, ...}: { networking = { enableB43Firmware = false; enableIPv6 = true; 
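Review bot: `"127.31.0.0/16" # ChaosVPN` in the peer's `allowedIPs` is a loopback prefix (inside 127.0.0.0/8), not a ChaosVPN one; the matching entry on the zaphod side of this patch is `172.31.0.0/16`, so this looks like a transposition and the line should read `"172.31.0.0/16" # ChaosVPN`. As written, traffic for 172.31.0.0/16 is neither routed into nor accepted from the tunnel on this host. The interface listens on UDP 480 (`listenPort = 480;`), but nothing in the hunk opens that port; unless it is already in `networking.firewall.allowedUDPPorts` elsewhere, the peer cannot reach it while the NixOS firewall is enabled. `privateKeyFile = "/run/agenix/dn42-privkey"` also has no matching `age.secrets` entry in this patch (only zaphod's `wg-privkey` is declared), so check that it is defined elsewhere; the enclosing `networking` set starts before the hunk.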
@@ -22,5 +22,37 @@ "9.9.9.9" "1.1.1.1" ]; + wireguard = { + enable = true; + interfaces = { + wg0 = { + privateKeyFile = "/run/agenix/wg-privkey"; + allowedIPsAsRoutes = false; + ips = [ + "172.20.43.97/32" + ]; + peers = [ + { + publicKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg="; + endpoint = "dn42.thehedgehog.me:480"; + persistentKeepalive = 15; + dynamicEndpointRefreshSeconds = 5; + allowedIPs = [ + "fd00::/8" + "172.20.0.0/14" + "10.100.0.0/14" + "10.127.0.0/16" + "10.0.0.0/8" + "172.31.0.0/16" + ]; + } + ]; + postSetup = '' + ${pkgs.iproute}/bin/ip addr add 172.20.43.97/32 peer 172.20.43.96/32 dev wg0 + ${pkgs.iproute}/bin/ip -6 addr add fe80::2/64 peer fe80::1/64 dev wg0 + ''; + }; + }; + }; }; } diff --git a/hosts/zaphod/secret-files.nix b/hosts/zaphod/secret-files.nix new file mode 100644 index 0000000..bbb5ce9 --- /dev/null +++ b/hosts/zaphod/secret-files.nix @@ -0,0 +1,8 @@ +{ + config.age.secrets = { + wg-privkey = { + file = ./secrets/wg-privkey.age; + path = "/run/agenix/wg-privkey"; + }; + }; +} diff --git a/hosts/zaphod/secrets/secrets.nix b/hosts/zaphod/secrets/secrets.nix new file mode 100644 index 0000000..9350c24 --- /dev/null +++ b/hosts/zaphod/secrets/secrets.nix @@ -0,0 +1,7 @@ +let + yubi-back = "ssh-rsa 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"; + yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746"; + backup = "ssh-rsa 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"; +in { + "wg-privkey.age".publicKeys = [ yubi-back yubi-main backup ]; +} 
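Review bot: With `allowedIPsAsRoutes = false;` this hunk installs no routes for the DN42 prefixes listed in `allowedIPs`, and the only route the `postSetup` lines create is to the peer address `172.20.43.96`; nothing else in this patch adds routes, so unless a routing daemon outside it does, the DN42 resolvers that `hosts/zaphod/services/unbound.nix` forwards to (`172.20.0.53`, `fd42:d42:d42:54::1`) may be sent out the default route instead of through wg0, carrying those queries onto the upstream network. If the routes are meant to come from elsewhere, a comment on that line naming the source, `# routes for DN42 space are installed by <routing daemon> -- TODO confirm`, would make it clear; otherwise drop the override or add explicit `ip route add ... dev wg0` lines to `postSetup`. `ips = [ "172.20.43.97/32" ]` and the first `postSetup` line both add 172.20.43.97/32 to wg0 (the second with a peer address), so one of the two is redundant and worth collapsing into a single definition. The enclosing `networking` set starts before the hunk.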
diff --git a/hosts/zaphod/secrets/wg-privkey.age b/hosts/zaphod/secrets/wg-privkey.age new file mode 100644 index 0000000000000000000000000000000000000000..7a24f1071752ef3407bc7f5f7df4da1829089037 GIT binary patch literal 1555 zcmXw&Im_(`0YL49AWWfxO!a|a6TWwo+?(VE^+}SOeP3>tD^JY6@B5vxl_};AOf|Lg zY!n6*1b>4dHe#h%*$5Vbg-$X3fzzB5WXWsNM&r@XMc2OR#_Y7h!0X$WY06*6DR@cQ zps-26&7o47raeA04vwoUb6o_wVbJj;Akl;8(aC(Nl;!o`Tia5@oq6aNQaIqdf6EOlM4MGR$g_A2lc$VWa z!GS;wn;(&66A#;1p0ZjpJZ%WMiB4m}N0KxbJ(UQ(Zga8o#-xd6>Jzay018thdf61s zytzC*+&l0H%*CyUe$xWxK`1b$iWeLU^GiSZTPU+vhe(sPbPULju?tXyHaLf9i#?)( zq8@19+!=VtTqRpoGxC%RBnCnrKEuC1>QJhEsjy7|}r*6;lg=Bo~ zUb(AA&5VS*F{MO2qBI9;-6JEyu4mlA#;K{2wP-bUalx@BK|l#vCe&jUj&C)@>^v(B z(e9?}nmW2<5b`i1(Gl1NS3sL3pNpX;PAa4zk908XsABo)>y*ya_zH&6S9K z`G)qb&CL--$4QK!C``N*xs_eB7rFNEwsO^EH;zcZ-5)yL6dKfZnao;lY&i~P zDN1@u?<9bRy z^yAgNW=Xl|Bza>u8%=hCClfT7D!!m_4uN&8&o&1a(TBtCogoE@Dxn1sSx!6Vhla>2 zNzVpWk2i&D=TV@Jae>ZlD0_yvaWbj!s_s_aotf;LAf$JTWiLg#0J*)DA?)IMnP$S4 zH^$24$wdh2L`jY|r=1gn(XucxqAFaNDP{FUX;*=y?~&s}O9g1~Zl{}gB&0TLQJ!2E zP0|-o9rm1X>y`2{NtCvJ(;=dQu6teJ{&i>0tsMw41-!n#zPPw{-S-R?1#rDWW=x$MGDRQSq1yz{>_}U+idHIO z=v{&L|9Fx9@U_dYKL68CzWB|DfBVrt|L#&BuK)Ua`{%!W=bPbwKY15%pMLk3KlmN~ s*Y!Vd-v04(W#qQsL*IM%KIFgg?tT5muYd8`x67Y@>)#)I{M%LiAGlZtUjP6A literal 0 HcmV?d00001 diff --git a/hosts/zaphod/services/modules.nix b/hosts/zaphod/services/modules.nix index 8e650cd..213747e 100644 --- a/hosts/zaphod/services/modules.nix +++ b/hosts/zaphod/services/modules.nix @@ -13,6 +13,7 @@ ./pipewire.nix ./spotifyd.nix ./tailscale.nix + ./unbound.nix # ./yubikey-agent.nix ]; } diff --git a/hosts/zaphod/services/unbound.nix b/hosts/zaphod/services/unbound.nix new file mode 100644 index 0000000..0622f7e --- /dev/null +++ b/hosts/zaphod/services/unbound.nix 
@@ -0,0 +1,91 @@ +{pkgs, ...}: { + # Enable DN42 Certificates + security.pki.certificateFiles = [ + (pkgs.fetchurl { + url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29"; + name = "dn42.crt"; + sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs="; + }) + ]; + services.unbound = { + enable = true; + resolveLocalQueries = true; + settings = { + server = { + local-zone = [ + "\"20.172.in-addr.arpa.\" nodefault" + "\"21.172.in-addr.arpa.\" nodefault" + "\"22.172.in-addr.arpa.\" nodefault" + "\"23.172.in-addr.arpa.\" nodefault" + "\"10.in-addr.arpa.\" nodefault" + "\"d.f.ip6.arpa.\" nodefault" + ]; + auto-trust-anchor-file = false; + }; + forward-zone = [ + { + name = "."; + forward-addr = [ + "45.11.45.11" + "9.9.9.9" + ]; + } + { + name = "thehedgehog.me."; + forward-addr = [ + "100.64.0.3" + ]; + } + { + name = "dn42"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + { + name = "20.172.in-addr.arpa"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + { + name = "21.172.in-addr.arpa"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + { + name = "22.172.in-addr.arpa"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + { + name = "23.172.in-addr.arpa"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + { + name = "10.in-addr.arpa"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + { + name = "d.f.ip6.arpa"; + forward-addr = [ + "fd42:d42:d42:54::1" + "172.20.0.53" + ]; + } + ]; + }; + }; +}
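Review bot: `auto-trust-anchor-file = false;` in `server` turns off DNSSEC validation for every zone, including the public `.` forwarders `45.11.45.11` and `9.9.9.9`, which are queried over plain DNS here, so answers from them are accepted unauthenticated. If the aim is to avoid validation failures on the non-delegated DN42 zones, keep the root anchor and list those zones instead, `domain-insecure = [ "dn42" "d.f.ip6.arpa" "10.in-addr.arpa" "20.172.in-addr.arpa" "21.172.in-addr.arpa" "22.172.in-addr.arpa" "23.172.in-addr.arpa" ];`, and note that the NixOS module has its own `services.unbound.enableRootTrustAnchor` option for the anchor and may define the same key, which is worth checking against this override. The `security.pki.certificateFiles` entry adds the DN42 CA to the system-wide trust store, so unless that certificate carries name constraints it can vouch for any hostname, not only `.dn42`; a comment recording that this is accepted, or scoping the CA to the clients that need it, would document the decision. Declaring the CA in a file named `unbound.nix` also hides it; a separate `dn42-ca.nix` would be easier to find.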