hosts: Add custom wireguard tunnels

The Hedgehog 2022-08-24 10:52:39 -04:00
parent 5ae4ee35a9
commit 0c667b7096
Signed by: thehedgehog
GPG key ID: 8CDF3F7CAA53A0F5
9 changed files with 179 additions and 4 deletions


@ -1,9 +1,13 @@
{ networking = { { networking = {
nameservers = [ nameservers = [
"100.64.0.3"
"45.11.45.11" "45.11.45.11"
"100.64.0.3"
"fd42:d42:d42:53::1"
"fd42:d42:d42:54::1"
"172.23.0.53"
"172.20.0.53"
]; ];
resolvconf.extraConfig = '' resolvconf.extraConfig = ''
name_servers="100.64.0.3 45.11.45.11" name_servers="100.64.0.3 45.11.45.11 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53"
''; '';
};} };}
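Review bot: The rebuilt `name_servers=` line now carries six resolvers, but glibc's stub resolver only consults the first three `nameserver` entries (MAXNS), so fd42:d42:d42:54::1, 172.23.0.53 and 172.20.0.53 are dead configuration, and the three that are consulted are each treated as able to answer every name — a public lookup can be sent to a DN42-only resolver and stall when the tunnel is down. Per-zone forwarding in a local stub (the shape unbound.nix takes elsewhere in this commit) avoids both problems; if this flat list is kept, trim it to the resolvers that should answer public names and record why, e.g. `# glibc consults at most the first 3 entries (MAXNS); keep DN42-only resolvers out of the global list`. Which host consumes this file is not visible from the hunk.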


@ -1,4 +1,4 @@
{lib, ...}: { {lib, pkgs, ...}: {
networking = { networking = {
hostName = "prefect"; hostName = "prefect";
nameservers = lib.mkForce [ nameservers = lib.mkForce [
@ -28,5 +28,33 @@
address = "fe80::1"; address = "fe80::1";
interface = "enp1s0"; interface = "enp1s0";
}; };
wireguard = {
enable = true;
interfaces = {
wg0 = {
privateKeyFile = "/run/agenix/dn42-privkey";
listenPort = 480;
peers = [
{
publicKey = "wW5iNQcNa9VphZWicMdc8k7lJbVrXPMtzmWsHBwPqE0=";
persistentKeepalive = 15;
dynamicEndpointRefreshSeconds = 5;
allowedIPs = [
"fd00::/8" # DN42 IPv6
"172.20.0.0/14" # DN42 IPv4
"10.100.0.0/14" # ChaosVPN
"10.127.0.0/16" # NeoNetwork
"10.0.0.0/8" # Freifunk
"127.31.0.0/16" # ChaosVPN
];
}
];
postSetup = ''
${pkgs.iproute}/bin/ip addr add 172.20.43.96/32 peer 172.20.43.97/32 dev wg0
${pkgs.iproute}/bin/ip -6 addr add fe80::1/64 peer fe80::2/64 dev wg0
'';
};
};
};
}; };
} }
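Review bot: `"127.31.0.0/16" # ChaosVPN` in the prefect peer's allowedIPs looks like a typo for 172.31.0.0/16 — the client side of this same commit lists `"172.31.0.0/16"` for the matching peer — and as written it both drops the peer's 172.31/16 traffic at WireGuard's cryptokey routing and asks the module (allowedIPsAsRoutes is left at its default of true here) to add a main-table route for loopback space through wg0. Change it to `"172.31.0.0/16" # ChaosVPN`. Separately, nothing in this hunk opens the listener on UDP 480; unless the firewall is disabled for this host, add `networking.firewall.allowedUDPPorts = [ 480 ];`. The `networking` attribute set this wg0 block lives in starts before the hunk.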


@ -27,6 +27,10 @@
# Services # Services
./services/modules.nix ./services/modules.nix
# Agenix secrets
inputs.agenix.nixosModule
./secret-files.nix
# Machine-specific programs. # Machine-specific programs.
./programs/chromium.nix ./programs/chromium.nix
./programs/dconf.nix ./programs/dconf.nix


@ -1,4 +1,4 @@
{lib, ...}: { {lib, pkgs, ...}: {
networking = { networking = {
enableB43Firmware = false; enableB43Firmware = false;
enableIPv6 = true; enableIPv6 = true;
@ -22,5 +22,37 @@
"9.9.9.9" "9.9.9.9"
"1.1.1.1" "1.1.1.1"
]; ];
wireguard = {
enable = true;
interfaces = {
wg0 = {
privateKeyFile = "/run/agenix/wg-privkey";
allowedIPsAsRoutes = false;
ips = [
"172.20.43.97/32"
];
peers = [
{
publicKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
endpoint = "dn42.thehedgehog.me:480";
persistentKeepalive = 15;
dynamicEndpointRefreshSeconds = 5;
allowedIPs = [
"fd00::/8"
"172.20.0.0/14"
"10.100.0.0/14"
"10.127.0.0/16"
"10.0.0.0/8"
"172.31.0.0/16"
];
}
];
postSetup = ''
${pkgs.iproute}/bin/ip addr add 172.20.43.97/32 peer 172.20.43.96/32 dev wg0
${pkgs.iproute}/bin/ip -6 addr add fe80::2/64 peer fe80::1/64 dev wg0
'';
};
};
};
}; };
} }
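Review bot: With `allowedIPsAsRoutes = false` and a postSetup that only assigns addresses, nothing in this hunk routes 172.20.0.0/14, fd00::/8 or the other allowed prefixes into wg0, so traffic to the DN42 resolvers this commit configures elsewhere (172.20.0.53, fd42:d42:d42:54::1) will follow the default route unless static routes or a routing daemon exist outside this commit. If the intent is to avoid pulling all of 10.0.0.0/8 into the tunnel, add the narrower routes explicitly in postSetup, e.g. `${pkgs.iproute}/bin/ip route add 172.20.0.0/14 dev wg0` and `${pkgs.iproute}/bin/ip -6 route add fd00::/8 dev wg0`, and say so in a comment. `dynamicEndpointRefreshSeconds = 5` also re-resolves dn42.thehedgehog.me every five seconds, which is unusually aggressive for a hostname that presumably changes rarely and deserves a comment if deliberate. The enclosing `networking` block starts before this hunk.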


@ -0,0 +1,8 @@
{
config.age.secrets = {
wg-privkey = {
file = ./secrets/wg-privkey.age;
path = "/run/agenix/wg-privkey";
};
};
}
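Review bot: Only `wg-privkey` is declared here, yet prefect's networking.nix in the same commit reads `privateKeyFile = "/run/agenix/dn42-privkey"`; if prefect imports this file (the import is added to a modules.nix whose host is not visible in this page), its wg0 setup will fail on a missing key file. Either add a `dn42-privkey` entry here or confirm it is declared in a host-specific secrets file. A one-line comment naming the consumer would help the next reader, e.g. `# WireGuard private key for wg0; read via networking.wireguard.interfaces.wg0.privateKeyFile`. The explicit `path` appears to be agenix's default for this secret name, so it can be dropped or kept purely for clarity.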


@ -0,0 +1,7 @@
let
yubi-back = "ssh-rsa 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";
yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";
backup = "ssh-rsa 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";
in {
"wg-privkey.age".publicKeys = [ yubi-back yubi-main backup ];
}
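Review bot: `wg-privkey.age` is encrypted only to two Yubikey-backed SSH keys and a `backup` key, with no target host key among the recipients; agenix decrypts at activation on the host using `age.identityPaths` (by default the host's `/etc/ssh/ssh_host_*_key`), so unless the private half of `backup` is installed on the host and configured as an identity, `/run/agenix/wg-privkey` will never be created and wg0 will not come up. Add the target host's `ssh_host_ed25519_key.pub` as a recipient, e.g. `host = "ssh-ed25519 …";` and `"wg-privkey.age".publicKeys = [ yubi-back yubi-main backup host ];`. If `backup` is in fact the host identity, rename or comment it as such so the trust boundary of this file is clear.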



@ -13,6 +13,7 @@
./pipewire.nix ./pipewire.nix
./spotifyd.nix ./spotifyd.nix
./tailscale.nix ./tailscale.nix
./unbound.nix
# ./yubikey-agent.nix # ./yubikey-agent.nix
]; ];
} }


@ -0,0 +1,91 @@
{pkgs, ...}: {
# Enable DN42 Certificates
security.pki.certificateFiles = [
(pkgs.fetchurl {
url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
name = "dn42.crt";
sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
})
];
services.unbound = {
enable = true;
resolveLocalQueries = true;
settings = {
server = {
local-zone = [
"\"20.172.in-addr.arpa.\" nodefault"
"\"21.172.in-addr.arpa.\" nodefault"
"\"22.172.in-addr.arpa.\" nodefault"
"\"23.172.in-addr.arpa.\" nodefault"
"\"10.in-addr.arpa.\" nodefault"
"\"d.f.ip6.arpa.\" nodefault"
];
auto-trust-anchor-file = false;
};
forward-zone = [
{
name = ".";
forward-addr = [
"45.11.45.11"
"9.9.9.9"
];
}
{
name = "thehedgehog.me.";
forward-addr = [
"100.64.0.3"
];
}
{
name = "dn42";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
{
name = "20.172.in-addr.arpa";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
{
name = "21.172.in-addr.arpa";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
{
name = "22.172.in-addr.arpa";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
{
name = "23.172.in-addr.arpa";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
{
name = "10.in-addr.arpa";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
{
name = "d.f.ip6.arpa";
forward-addr = [
"fd42:d42:d42:54::1"
"172.20.0.53"
];
}
];
};
};
}
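Review bot: `auto-trust-anchor-file = false;` switches off DNSSEC validation for the whole resolver, including the public names forwarded to 45.11.45.11 and 9.9.9.9; the likely motivation — DN42 and the RFC1918 reverse zones are not signed under the public root — is handled by marking just those zones insecure, `domain-insecure = [ "dn42" "20.172.in-addr.arpa" "21.172.in-addr.arpa" "22.172.in-addr.arpa" "23.172.in-addr.arpa" "10.in-addr.arpa" "d.f.ip6.arpa" ];`, while keeping the root trust anchor. Note also that the NixOS module sets this same key itself from `services.unbound.enableRootTrustAnchor`, so defining it directly may produce a conflicting-definition error rather than an override; that option is the supported switch if validation really must go. The DN42 CA added via `security.pki.certificateFiles` is pinned by hash, which is good, but it becomes trusted for any hostname system-wide rather than only `.dn42`; that trade-off deserves a comment such as `# DN42 community CA: trusted system-wide, not scoped to .dn42`.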