hosts: Add custom wireguard tunnels
This commit is contained in:
parent
5ae4ee35a9
commit
0c667b7096
9 changed files with 179 additions and 4 deletions
@ -1,9 +1,13 @@
|
||||||
{ networking = {
|
{ networking = {
|
||||||
nameservers = [
|
nameservers = [
|
||||||
"100.64.0.3"
|
|
||||||
"45.11.45.11"
|
"45.11.45.11"
|
||||||
|
"100.64.0.3"
|
||||||
|
"fd42:d42:d42:53::1"
|
||||||
|
"fd42:d42:d42:54::1"
|
||||||
|
"172.23.0.53"
|
||||||
|
"172.20.0.53"
|
||||||
];
|
];
|
||||||
resolvconf.extraConfig = ''
|
resolvconf.extraConfig = ''
|
||||||
name_servers="100.64.0.3 45.11.45.11"
|
name_servers="100.64.0.3 45.11.45.11 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53"
|
||||||
'';
|
'';
|
||||||
};}
|
};}
|
||||||
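Review bot: The DN42-scoped resolvers (fd42:d42:d42:53::1, fd42:d42:d42:54::1, 172.23.0.53, 172.20.0.53) are appended to the global `nameservers` list next to the public 45.11.45.11; a stub resolver treats that list as fallbacks for every query, so public names can be sent to the DN42 resolvers and DN42 names to the public one, instead of being split per zone the way the new unbound forward-zones in this commit do. The same six addresses are then repeated by hand in `resolvconf.extraConfig`, which will drift from `nameservers` on the next edit; if the module took `{ config, lib, ... }:` that line could become `name_servers="${lib.concatStringsSep " " config.networking.nameservers}"`. Which host this file belongs to is not visible in the section, so the zone-split concern may already be handled by a local resolver on that machine.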
@ -1,4 +1,4 @@
|
||||||
{lib, ...}: {
|
{lib, pkgs, ...}: {
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "prefect";
|
hostName = "prefect";
|
||||||
nameservers = lib.mkForce [
|
nameservers = lib.mkForce [
|
||||||
|
@ -28,5 +28,33 @@
|
||||||
address = "fe80::1";
|
address = "fe80::1";
|
||||||
interface = "enp1s0";
|
interface = "enp1s0";
|
||||||
};
|
};
|
||||||
|
wireguard = {
|
||||||
|
enable = true;
|
||||||
|
interfaces = {
|
||||||
|
wg0 = {
|
||||||
|
privateKeyFile = "/run/agenix/dn42-privkey";
|
||||||
|
listenPort = 480;
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
publicKey = "wW5iNQcNa9VphZWicMdc8k7lJbVrXPMtzmWsHBwPqE0=";
|
||||||
|
persistentKeepalive = 15;
|
||||||
|
dynamicEndpointRefreshSeconds = 5;
|
||||||
|
allowedIPs = [
|
||||||
|
"fd00::/8" # DN42 IPv6
|
||||||
|
"172.20.0.0/14" # DN42 IPv4
|
||||||
|
"10.100.0.0/14" # ChaosVPN
|
||||||
|
"10.127.0.0/16" # NeoNetwork
|
||||||
|
"10.0.0.0/8" # Freifunk
|
||||||
|
"127.31.0.0/16" # ChaosVPN
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
postSetup = ''
|
||||||
|
${pkgs.iproute}/bin/ip addr add 172.20.43.96/32 peer 172.20.43.97/32 dev wg0
|
||||||
|
${pkgs.iproute}/bin/ip -6 addr add fe80::1/64 peer fe80::2/64 dev wg0
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
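Review bot: The peer's `allowedIPs` entry `"127.31.0.0/16" # ChaosVPN` looks like a transposition of `"172.31.0.0/16"`, which is what the zaphod side of the same tunnel lists for ChaosVPN; 127.0.0.0/8 is loopback, so the entry as written admits nothing useful and packets from the real ChaosVPN range arriving over that peer would be dropped by WireGuard's cryptokey routing. Change it to `"172.31.0.0/16" # ChaosVPN`. Separately, `privateKeyFile = "/run/agenix/dn42-privkey"` relies on an age secret that this commit declares only for zaphod (`wg-privkey`); if prefect's secret declarations do not already provide `dn42-privkey`, wg0 will fail to start on prefect. The `networking` attribute set this hunk extends starts outside the hunk.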
@ -27,6 +27,10 @@
|
||||||
# Services
|
# Services
|
||||||
./services/modules.nix
|
./services/modules.nix
|
||||||
|
|
||||||
|
# Agenix secrets
|
||||||
|
inputs.agenix.nixosModule
|
||||||
|
./secret-files.nix
|
||||||
|
|
||||||
# Machine-specific programs.
|
# Machine-specific programs.
|
||||||
./programs/chromium.nix
|
./programs/chromium.nix
|
||||||
./programs/dconf.nix
|
./programs/dconf.nix
|
||||||
@ -1,4 +1,4 @@
|
||||||
{lib, ...}: {
|
{lib, pkgs, ...}: {
|
||||||
networking = {
|
networking = {
|
||||||
enableB43Firmware = false;
|
enableB43Firmware = false;
|
||||||
enableIPv6 = true;
|
enableIPv6 = true;
|
||||||
|
@ -22,5 +22,37 @@
|
||||||
"9.9.9.9"
|
"9.9.9.9"
|
||||||
"1.1.1.1"
|
"1.1.1.1"
|
||||||
];
|
];
|
||||||
|
wireguard = {
|
||||||
|
enable = true;
|
||||||
|
interfaces = {
|
||||||
|
wg0 = {
|
||||||
|
privateKeyFile = "/run/agenix/wg-privkey";
|
||||||
|
allowedIPsAsRoutes = false;
|
||||||
|
ips = [
|
||||||
|
"172.20.43.97/32"
|
||||||
|
];
|
||||||
|
peers = [
|
||||||
|
{
|
||||||
|
publicKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
|
||||||
|
endpoint = "dn42.thehedgehog.me:480";
|
||||||
|
persistentKeepalive = 15;
|
||||||
|
dynamicEndpointRefreshSeconds = 5;
|
||||||
|
allowedIPs = [
|
||||||
|
"fd00::/8"
|
||||||
|
"172.20.0.0/14"
|
||||||
|
"10.100.0.0/14"
|
||||||
|
"10.127.0.0/16"
|
||||||
|
"10.0.0.0/8"
|
||||||
|
"172.31.0.0/16"
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
postSetup = ''
|
||||||
|
${pkgs.iproute}/bin/ip addr add 172.20.43.97/32 peer 172.20.43.96/32 dev wg0
|
||||||
|
${pkgs.iproute}/bin/ip -6 addr add fe80::2/64 peer fe80::1/64 dev wg0
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
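Review bot: `allowedIPsAsRoutes = false` together with a `postSetup` that only adds addresses means nothing in this hunk installs routes for the listed DN42/ChaosVPN/NeoNetwork/Freifunk prefixes over wg0, so traffic to them leaves via the default route unless a routing daemon outside this commit programs them; if that is the intent, a comment on the `allowedIPsAsRoutes` line naming the component that installs the routes would stop the next reader from re-enabling it. The address 172.20.43.97/32 is also assigned twice, once via `ips` and once via the `ip addr add … peer …` line in `postSetup`; whether the second add succeeds or fails with EEXIST depends on the kernel treating the peer form as a distinct address, but either way one of the two forms suffices. The endpoint `dn42.thehedgehog.me:480` is re-resolved every 5 seconds, and the new unbound config forwards thehedgehog.me. to 100.64.0.3; if that resolver is reachable only over another tunnel, this tunnel's endpoint lookup depends on that one being up. The `networking` set this hunk extends starts outside the hunk.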
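--- a/hosts/zaphod/secret-files.nix
+++ b/hosts/zaphod/secret-files.nix
@@ -0,0 +1,8 @@
+{
+config.age.secrets = {
+wg-privkey = {
+file = ./secrets/wg-privkey.age;
+path = "/run/agenix/wg-privkey";
+};
+};
+}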
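Review bot: `path = "/run/agenix/wg-privkey"` restates agenix's default location, and the same literal is repeated in the wireguard config as `privateKeyFile`; referencing `config.age.secrets.wg-privkey.path` from the wireguard module instead keeps the two in sync if the path ever changes. Leaving owner and mode at agenix's defaults is appropriate here, since only root needs to read a WireGuard private key.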
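--- a/hosts/zaphod/secrets/secrets.nix
+++ b/hosts/zaphod/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+yubi-back = "ssh-rsa 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";
+yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";
+backup = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyTiGctsHaTUlRJn2XQ/745dD0UWGWO8W0en8J5rf7BLI8lL/hPUmbNt45vC5754LXcBjnp1t/1FNgiGhvNZIWJpC+elBmhyMhg8z1exRZPD+as7XaH7scnij2vSbSphQFUqH433ggAGe77x5bc7wKFp9n7vj8G1u0JJxMEe1M7kNFY0+ShNtaHna3LxiQOVcW7qVlNKZP8Ol1V7kZLblRADCJMTYOXDIbktA8bbGRfGhbNjJGkL665qz36haYwb2i6A4sC7Y583N8ro8hIDG/ByJqwbl/Sz4rSxkT6G4+OdBvS6sa7TovNXHjmQCculMIltdog7UhgyBsim1sTzxAen3YyFRi1Cz/kLM0oH39m/W4IoMvJcNZCJ3ItLgy+lEVMd87jVOqfuq/hyjHVI0wJtU2Si2HTxv7aKL8gPzqXwbNH+nhkhlQ0ZH8zKVBunOgLDgsmGIky5X/T3bpWZpIoFkOR7AYrId/5dOeGM3pHhHb6woZ3SRubZ43Ah/VdJM=";
+in {
+"wg-privkey.age".publicKeys = [ yubi-back yubi-main backup ];
+}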
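Review bot: `wg-privkey.age` is encrypted only to three user identities (yubi-back, yubi-main, backup); agenix decrypts on the target host at activation with the identities in `age.identityPaths`, which default to the host's SSH host keys, so unless zaphod has one of these three private keys available at boot (or `age.identityPaths` is pointed at it) the secret cannot be decrypted and wg0 will not come up. The usual pattern is to also list zaphod's host key (its `ssh_host_ed25519_key.pub`) in `publicKeys` so the machine can decrypt with a key it already holds, while the user keys remain for re-keying. A one-line comment above each identity saying where its private half lives would make the recipient list auditable.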
BIN
hosts/zaphod/secrets/wg-privkey.age
Normal file
BIN
hosts/zaphod/secrets/wg-privkey.age
Normal file
Binary file not shown.
|
@ -13,6 +13,7 @@
|
||||||
./pipewire.nix
|
./pipewire.nix
|
||||||
./spotifyd.nix
|
./spotifyd.nix
|
||||||
./tailscale.nix
|
./tailscale.nix
|
||||||
|
./unbound.nix
|
||||||
# ./yubikey-agent.nix
|
# ./yubikey-agent.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
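--- a/hosts/zaphod/services/unbound.nix
+++ b/hosts/zaphod/services/unbound.nix
@@ -0,0 +1,91 @@
+{pkgs, ...}: {
+# Enable DN42 Certificates
+security.pki.certificateFiles = [
+(pkgs.fetchurl {
+url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
+name = "dn42.crt";
+sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
+})
+];
+services.unbound = {
+enable = true;
+resolveLocalQueries = true;
+settings = {
+server = {
+local-zone = [
+"\"20.172.in-addr.arpa.\" nodefault"
+"\"21.172.in-addr.arpa.\" nodefault"
+"\"22.172.in-addr.arpa.\" nodefault"
+"\"23.172.in-addr.arpa.\" nodefault"
+"\"10.in-addr.arpa.\" nodefault"
+"\"d.f.ip6.arpa.\" nodefault"
+];
+auto-trust-anchor-file = false;
+};
+forward-zone = [
+{
+name = ".";
+forward-addr = [
+"45.11.45.11"
+"9.9.9.9"
+];
+}
+{
+name = "thehedgehog.me.";
+forward-addr = [
+"100.64.0.3"
+];
+}
+{
+name = "dn42";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "20.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "21.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "22.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "23.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "10.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "d.f.ip6.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+];
+};
+};
+}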
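Review bot: `auto-trust-anchor-file = false` removes the root trust anchor, so unbound performs no DNSSEC validation for any of these forward-zones, including `"."` forwarded in plaintext to 45.11.45.11 and 9.9.9.9; answers from every upstream are accepted as-is. If the aim is only to avoid validation failures inside DN42, keep validation for the public zone and mark the DN42 zones insecure instead, e.g. `domain-insecure = [ "dn42" "20.172.in-addr.arpa" … "d.f.ip6.arpa" ];` under `server`, preferring the module's `enableRootTrustAnchor` switch over overriding the setting directly (how the module renders a boolean here is worth checking with unbound-checkconf). Adding dn42.crt to `security.pki.certificateFiles` trusts that community CA system-wide, so a certificate it issues for any public hostname is accepted by every TLS client on the host; the fetch is pinned by commit id and sha256, which is good, but the trust-scope consequence deserves a sentence beside `# Enable DN42 Certificates`. The seven forward-zone entries that share the same two resolvers can be generated rather than repeated:
```nix
forward-zone = [
  # … unchanged: "." and "thehedgehog.me." entries …
] ++ map (name: {
  inherit name;
  forward-addr = [ "fd42:d42:d42:54::1" "172.20.0.53" ];
}) [
  "dn42" "20.172.in-addr.arpa" "21.172.in-addr.arpa" "22.172.in-addr.arpa"
  "23.172.in-addr.arpa" "10.in-addr.arpa" "d.f.ip6.arpa"
];
```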