hosts: Add custom wireguard tunnels
This commit is contained in:
parent
5ae4ee35a9
commit
0c667b7096
9 changed files with 179 additions and 4 deletions
|
@ -1,9 +1,13 @@
|
|||
{ networking = {
|
||||
nameservers = [
|
||||
"100.64.0.3"
|
||||
"45.11.45.11"
|
||||
"100.64.0.3"
|
||||
"fd42:d42:d42:53::1"
|
||||
"fd42:d42:d42:54::1"
|
||||
"172.23.0.53"
|
||||
"172.20.0.53"
|
||||
];
|
||||
resolvconf.extraConfig = ''
|
||||
name_servers="100.64.0.3 45.11.45.11"
|
||||
name_servers="100.64.0.3 45.11.45.11 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53"
|
||||
'';
|
||||
};}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{lib, ...}: {
|
||||
{lib, pkgs, ...}: {
|
||||
networking = {
|
||||
hostName = "prefect";
|
||||
nameservers = lib.mkForce [
|
||||
|
@ -28,5 +28,33 @@
|
|||
address = "fe80::1";
|
||||
interface = "enp1s0";
|
||||
};
|
||||
wireguard = {
|
||||
enable = true;
|
||||
interfaces = {
|
||||
wg0 = {
|
||||
privateKeyFile = "/run/agenix/dn42-privkey";
|
||||
listenPort = 480;
|
||||
peers = [
|
||||
{
|
||||
publicKey = "wW5iNQcNa9VphZWicMdc8k7lJbVrXPMtzmWsHBwPqE0=";
|
||||
persistentKeepalive = 15;
|
||||
dynamicEndpointRefreshSeconds = 5;
|
||||
allowedIPs = [
|
||||
"fd00::/8" # DN42 IPv6
|
||||
"172.20.0.0/14" # DN42 IPv4
|
||||
"10.100.0.0/14" # ChaosVPN
|
||||
"10.127.0.0/16" # NeoNetwork
|
||||
"10.0.0.0/8" # Freifunk
|
||||
"127.31.0.0/16" # ChaosVPN
|
||||
];
|
||||
}
|
||||
];
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr add 172.20.43.96/32 peer 172.20.43.97/32 dev wg0
|
||||
${pkgs.iproute}/bin/ip -6 addr add fe80::1/64 peer fe80::2/64 dev wg0
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
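Review bot: `"127.31.0.0/16" # ChaosVPN` in the wg0 peer's allowedIPs looks like a typo for `172.31.0.0/16`, which is the prefix the zaphod side of this same commit lists for that peer; as written it lets the peer source packets from loopback-range addresses and, because this interface leaves `allowedIPsAsRoutes` at its default, also asks the module to route 127.31.0.0/16 via wg0. The `# ChaosVPN` label is already used for `10.100.0.0/14` earlier in the list, so the comment on this line is probably stale as well. `${pkgs.iproute}` in postSetup is the compatibility alias for `pkgs.iproute2`, so `${pkgs.iproute2}/bin/ip` is the current attribute; the zaphod postSetup in this commit has the same reference. The private key path `/run/agenix/dn42-privkey` has no matching `age.secrets` entry in this commit (only zaphod's wg-privkey is added), so presumably it is declared elsewhere.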
@ -27,6 +27,10 @@
|
|||
# Services
|
||||
./services/modules.nix
|
||||
|
||||
# Agenix secrets
|
||||
inputs.agenix.nixosModule
|
||||
./secret-files.nix
|
||||
|
||||
# Machine-specific programs.
|
||||
./programs/chromium.nix
|
||||
./programs/dconf.nix
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{lib, ...}: {
|
||||
{lib, pkgs, ...}: {
|
||||
networking = {
|
||||
enableB43Firmware = false;
|
||||
enableIPv6 = true;
|
||||
|
@ -22,5 +22,37 @@
|
|||
"9.9.9.9"
|
||||
"1.1.1.1"
|
||||
];
|
||||
wireguard = {
|
||||
enable = true;
|
||||
interfaces = {
|
||||
wg0 = {
|
||||
privateKeyFile = "/run/agenix/wg-privkey";
|
||||
allowedIPsAsRoutes = false;
|
||||
ips = [
|
||||
"172.20.43.97/32"
|
||||
];
|
||||
peers = [
|
||||
{
|
||||
publicKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
|
||||
endpoint = "dn42.thehedgehog.me:480";
|
||||
persistentKeepalive = 15;
|
||||
dynamicEndpointRefreshSeconds = 5;
|
||||
allowedIPs = [
|
||||
"fd00::/8"
|
||||
"172.20.0.0/14"
|
||||
"10.100.0.0/14"
|
||||
"10.127.0.0/16"
|
||||
"10.0.0.0/8"
|
||||
"172.31.0.0/16"
|
||||
];
|
||||
}
|
||||
];
|
||||
postSetup = ''
|
||||
${pkgs.iproute}/bin/ip addr add 172.20.43.97/32 peer 172.20.43.96/32 dev wg0
|
||||
${pkgs.iproute}/bin/ip -6 addr add fe80::2/64 peer fe80::1/64 dev wg0
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
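Review bot: 172.20.43.97/32 is assigned to wg0 twice on this host, once through `ips = [ "172.20.43.97/32" ];` and again by `ip addr add 172.20.43.97/32 peer 172.20.43.96/32 dev wg0` in postSetup; depending on whether the kernel treats the peer form as a separate address, the second add either duplicates the first or fails with EEXIST and aborts the interface setup, so one of the two should go (dropping the `ips` entry keeps the point-to-point peer address). With `allowedIPsAsRoutes = false;` nothing in this hunk installs routes for the listed allowedIPs, so presumably a routing daemon outside this file is expected to do that; a comment on that line naming it would help the next reader. The enclosing `networking` attribute set starts outside the hunk.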
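--- /dev/null
+++ b/hosts/zaphod/secret-files.nix
@@ -0,0 +1,8 @@
+{
+config.age.secrets = {
+wg-privkey = {
+file = ./secrets/wg-privkey.age;
+path = "/run/agenix/wg-privkey";
+};
+};
+}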
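Review bot: `path = "/run/agenix/wg-privkey";` restates agenix's default location (`/run/agenix/<name>`), so the attribute can be dropped, and the wireguard `privateKeyFile` on zaphod can reference `config.age.secrets.wg-privkey.path` instead of repeating the literal string, which keeps the two in sync if the secrets directory ever changes. The agenix defaults (root-owned, mode 0400) are appropriate here, since the wireguard interface setup runs as root and only needs to read the key.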
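--- /dev/null
+++ b/hosts/zaphod/secrets/secrets.nix
@@ -0,0 +1,7 @@
+let
+yubi-back = "ssh-rsa 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";
+yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";
+backup = "ssh-rsa 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";
+in {
+"wg-privkey.age".publicKeys = [ yubi-back yubi-main backup ];
+}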
BIN
hosts/zaphod/secrets/wg-privkey.age
Normal file
BIN
hosts/zaphod/secrets/wg-privkey.age
Normal file
Binary file not shown.
|
@ -13,6 +13,7 @@
|
|||
./pipewire.nix
|
||||
./spotifyd.nix
|
||||
./tailscale.nix
|
||||
./unbound.nix
|
||||
# ./yubikey-agent.nix
|
||||
];
|
||||
}
|
||||
|
|
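--- /dev/null
+++ b/hosts/zaphod/services/unbound.nix
@@ -0,0 +1,91 @@
+{pkgs, ...}: {
+# Enable DN42 Certificates
+security.pki.certificateFiles = [
+(pkgs.fetchurl {
+url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
+name = "dn42.crt";
+sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
+})
+];
+services.unbound = {
+enable = true;
+resolveLocalQueries = true;
+settings = {
+server = {
+local-zone = [
+"\"20.172.in-addr.arpa.\" nodefault"
+"\"21.172.in-addr.arpa.\" nodefault"
+"\"22.172.in-addr.arpa.\" nodefault"
+"\"23.172.in-addr.arpa.\" nodefault"
+"\"10.in-addr.arpa.\" nodefault"
+"\"d.f.ip6.arpa.\" nodefault"
+];
+auto-trust-anchor-file = false;
+};
+forward-zone = [
+{
+name = ".";
+forward-addr = [
+"45.11.45.11"
+"9.9.9.9"
+];
+}
+{
+name = "thehedgehog.me.";
+forward-addr = [
+"100.64.0.3"
+];
+}
+{
+name = "dn42";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "20.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "21.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "22.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "23.172.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "10.in-addr.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+{
+name = "d.f.ip6.arpa";
+forward-addr = [
+"fd42:d42:d42:54::1"
+"172.20.0.53"
+];
+}
+];
+};
+};
+}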
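Review bot: `auto-trust-anchor-file = false;` in the `server` block disables the root trust anchor, and with it DNSSEC validation of every upstream answer, apparently so that the unsigned `dn42` and DN42 reverse zones forwarded below are not rejected as bogus; the narrower fix keeps validation for public names and adds `domain-insecure = [ "dn42" "20.172.in-addr.arpa" "21.172.in-addr.arpa" "22.172.in-addr.arpa" "23.172.in-addr.arpa" "10.in-addr.arpa" "d.f.ip6.arpa" ];` next to `local-zone`. If the anchor really has to go, `services.unbound.enableRootTrustAnchor = false;` is the module's knob for it; the module sets `auto-trust-anchor-file` itself, so a literal `false` here may clash with that definition or end up serialized as a bare `no`. The `security.pki.certificateFiles` entry makes the DN42 CA trusted for all TLS validation on this host, not only for DN42 names, which deserves a comment on that line stating that host-wide trust is intended. The seven `forward-zone` entries for the DN42 zones differ only in `name`, so they can be generated from one list as sketched below.
```nix
# … unchanged: security.pki.certificateFiles and the server block …
forward-zone = [
  { name = "."; forward-addr = [ "45.11.45.11" "9.9.9.9" ]; }
  { name = "thehedgehog.me."; forward-addr = [ "100.64.0.3" ]; }
] ++ map (name: {
  inherit name;
  forward-addr = [ "fd42:d42:d42:54::1" "172.20.0.53" ];
}) [
  "dn42"
  "20.172.in-addr.arpa"
  "21.172.in-addr.arpa"
  "22.172.in-addr.arpa"
  "23.172.in-addr.arpa"
  "10.in-addr.arpa"
  "d.f.ip6.arpa"
];
```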